Windows Analysis Report
java_update.exe

Overview

General Information

Sample name: java_update.exe
Analysis ID: 1465837
MD5: bc4206081a6f4206dc5b63948b05ef4b
SHA1: 4e48607de38ccb23ed81c1d19c8884fec2863ce9
SHA256: b771a64bbfce8232710851ea13f5408cc28133ac0537ff1309c749ce85f42633

Detection

AsyncRAT, Neshta, XWorm
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected AsyncRAT
Yara detected Neshta
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Check if machine is in data center or colocation facility
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to log keystrokes (.Net Source)
Creates an undocumented autostart registry key
Drops PE files with a suspicious file extension
Drops executable to a common third party application directory
Drops executables to the windows directory (C:\Windows) and starts them
Drops or copies MsMpEng.exe (Windows Defender, likely to bypass HIPS)
Infects executable files (exe, dll, sys, html)
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Protects its processes via BreakOnTermination flag
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample is not signed and drops a device driver
Sample uses string decryption to hide its real strings
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates driver files
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Classes Autorun Keys Modification
Sigma detected: Powershell Defender Exclusion
Sigma detected: Startup Folder File Write
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • java_update.exe (PID: 6624 cmdline: "C:\Users\user\Desktop\java_update.exe" MD5: BC4206081A6F4206DC5B63948B05EF4B)
    • java_update.exe (PID: 1800 cmdline: "C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe" MD5: F3B2776EE93CFCAAFC72385378A22B31)
      • svchost.com (PID: 6748 cmdline: "C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe' MD5: ED452C704A8E8F1F9926340D4E79C150)
        • powershell.exe (PID: 4412 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe' MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
          • conhost.exe (PID: 404 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • svchost.com (PID: 7692 cmdline: "C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'java_update.exe' MD5: ED452C704A8E8F1F9926340D4E79C150)
        • powershell.exe (PID: 7708 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'java_update.exe' MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
          • conhost.exe (PID: 7716 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • svchost.com (PID: 7804 cmdline: "C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Java Update Checker (64 bit).exe' MD5: ED452C704A8E8F1F9926340D4E79C150)
        • powershell.exe (PID: 7828 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Java Update Checker (64 bit).exe' MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
          • conhost.exe (PID: 7836 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • svchost.com (PID: 7892 cmdline: "C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Java Update Checker (64 bit).exe' MD5: ED452C704A8E8F1F9926340D4E79C150)
        • powershell.exe (PID: 7904 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Java Update Checker (64 bit).exe' MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
          • conhost.exe (PID: 7920 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
Name: AsyncRAT
Description: AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open source remote administration tool; however, it can also be used maliciously because it provides functionality such as a keylogger, remote desktop control, and many other functions that may cause harm to the victim's computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kits and other techniques.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat

Name: neshta
Description: Neshta is a 2005 Belarusian file infector virus written in Delphi. The name of the virus comes from the Belarusian word "nesta", meaning "something."
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.neshta

Name: XWorm
Description: Malware with a wide range of capabilities, ranging from RAT to ransomware.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm
{"C2 url": ["45.141.26.232"], "Port": "6666", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe"}
Source | Rule | Description | Author | Strings
java_update.exe | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security |
java_update.exe | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |
java_update.exe | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen |
  • 0x12fd5:$s6: VirtualBox
  • 0x12f33:$s8: Win32_ComputerSystem
  • 0x13983:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x13a20:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x13b35:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x13631:$cnc4: POST / HTTP/1.1

Source | Rule | Description | Author | Strings
C:\ProgramData\Java Update Checker (64 bit).exe | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security |
C:\ProgramData\Java Update Checker (64 bit).exe | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |
C:\ProgramData\Java Update Checker (64 bit).exe | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security |
C:\ProgramData\Java Update Checker (64 bit).exe | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen |
  • 0x81d5:$s6: VirtualBox
  • 0x8133:$s8: Win32_ComputerSystem
  • 0x8b83:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x8c20:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x8d35:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x8831:$cnc4: POST / HTTP/1.1
C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security |

Source | Rule | Description | Author | Strings
00000001.00000000.1716627555.0000000000E62000.00000002.00000001.01000000.00000005.sdmp | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security |
00000001.00000000.1716627555.0000000000E62000.00000002.00000001.01000000.00000005.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |
00000001.00000000.1716627555.0000000000E62000.00000002.00000001.01000000.00000005.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen |
  • 0x7fd5:$s6: VirtualBox
  • 0x7f33:$s8: Win32_ComputerSystem
  • 0x8983:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x8a20:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x8b35:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x8631:$cnc4: POST / HTTP/1.1
00000000.00000002.2234036394.0000000000409000.00000004.00000001.01000000.00000003.sdmp | JoeSecurity_Neshta | Yara detected Neshta | Joe Security |
00000001.00000002.2964590079.0000000003351000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |

Source | Rule | Description | Author | Strings
1.0.java_update.exe.e60000.0.unpack | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security |
1.0.java_update.exe.e60000.0.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |
1.0.java_update.exe.e60000.0.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security |
1.0.java_update.exe.e60000.0.unpack | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen |
  • 0x81d5:$s6: VirtualBox
  • 0x8133:$s8: Win32_ComputerSystem
  • 0x8b83:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x8c20:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x8d35:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x8831:$cnc4: POST / HTTP/1.1

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe', CommandLine: "C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\svchost.com, NewProcessName: C:\Windows\svchost.com, OriginalFileName: C:\Windows\svchost.com, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe", ParentImage: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe, ParentProcessId: 1800, ParentProcessName: java_update.exe, ProcessCommandLine: "C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe', ProcessId: 6748, ProcessName: svchost.com
Source: Process started | Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) | Data: Command: "C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe', CommandLine: "C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\svchost.com, NewProcessName: C:\Windows\svchost.com, OriginalFileName: C:\Windows\svchost.com, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe", ParentImage: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe, ParentProcessId: 1800, ParentProcessName: java_update.exe, ProcessCommandLine: "C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe', ProcessId: 6748, ProcessName: svchost.com
Source: Process started | Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton | Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe', CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe', ParentImage: C:\Windows\svchost.com, ParentProcessId: 6748, ParentProcessName: svchost.com, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe', ProcessId: 4412, ProcessName: powershell.exe
Source: Process started | Author: frack113 | Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe', CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe', ParentImage: C:\Windows\svchost.com, ParentProcessId: 6748, ParentProcessName: svchost.com, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe', ProcessId: 4412, ProcessName: powershell.exe
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\Windows\svchost.com "%1" %*, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\java_update.exe, ProcessId: 6624, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command\(Default)
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe', CommandLine: "C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\svchost.com, NewProcessName: C:\Windows\svchost.com, OriginalFileName: C:\Windows\svchost.com, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe", ParentImage: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe, ParentProcessId: 1800, ParentProcessName: java_update.exe, ProcessCommandLine: "C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe', ProcessId: 6748, ProcessName: svchost.com
Source: File created | Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe, ProcessId: 1800, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java Update Checker (64 bit).lnk
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe', CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe', ParentImage: C:\Windows\svchost.com, ParentProcessId: 6748, ParentProcessName: svchost.com, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe', ProcessId: 4412, ProcessName: powershell.exe
No Snort rule has matched

AV Detection

Source: java_update.exe | Avira: detected
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe | Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe | Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe | Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\AutoIt3\Uninstall.exe | Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe | Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe | Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe | Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe | Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe | Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe | Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe | Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe | Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe | Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe | Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe | Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe | Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe | Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe | Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\AutoIt3\Au3Info.exe | Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe | Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe | Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe | Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe | Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe | Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe | Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE | Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe | Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe | Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe | Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe | Avira: detection malicious, Label: W32/Delf.I
Source: 00000001.00000002.2964590079.0000000003351000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: Xworm {"C2 url": ["45.141.26.232"], "Port": "6666", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe"}
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe | ReversingLabs: Detection: 97%
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe | ReversingLabs: Detection: 93%
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe | Virustotal: Detection: 83%
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe | ReversingLabs: Detection: 100%
Source: java_update.exe | ReversingLabs: Detection: 97%
Source: java_update.exe | Virustotal: Detection: 89%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Uninstall.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Au3Info.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe | Joe Sandbox ML: detected
Source: java_update.exe | Joe Sandbox ML: detected
Source: 1.0.java_update.exe.e60000.0.unpack | String decryptor: 45.141.26.232
Source: 1.0.java_update.exe.e60000.0.unpack | String decryptor: 6666
Source: 1.0.java_update.exe.e60000.0.unpack | String decryptor: <123456789>
Source: 1.0.java_update.exe.e60000.0.unpack | String decryptor: <Xwormmm>
                            Source: 1.0.java_update.exe.e60000.0.unpackString decryptor: ddos
                            Source: 1.0.java_update.exe.e60000.0.unpackString decryptor: USB.exe
                            Source: 1.0.java_update.exe.e60000.0.unpackString decryptor: %ProgramData%
                            Source: 1.0.java_update.exe.e60000.0.unpackString decryptor: Java Update Checker (64 bit).exe
                            Source: java_update.exeStatic PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
                            Source: Binary string: D:\a\_work\e\src\out\Release_x64\pwahelper.exe.pdb source: pwahelper.exe.0.dr
                            Source: Binary string: D:\DCB\CBT_Main\BuildResults\bin\Win32\Release\armsvc.pdb source: armsvc.exe.0.dr
                            Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2rcross\x-none\appsharinghookcontroller.pdb source: AppSharingHookController.exe.0.dr
                            Source: Binary string: D:\a\_work\e\src\out\Release_x64\msedge_pwa_launcher.exe.pdbOGP source: msedge_pwa_launcher.exe.0.dr
                            Source: Binary string: AppVDllSurrogate64.pdbGCTL source: AppVDllSurrogate64.exe.0.dr
                            Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\officeappguardwin32.pdb source: officeappguardwin32.exe.2.dr
                            Source: Binary string: AppVDllSurrogate64.pdb source: AppVDllSurrogate64.exe.0.dr
                            Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\cnfnot32.pdb source: CNFNOT32.EXE.0.dr
                            Source: Binary string: D:\a\_work\e\src\out\Release_x64\identity_helper.exe.pdbOGP source: identity_helper.exe.0.dr
                            Source: Binary string: GoogleCrashHandler64_unsigned.pdbl source: GoogleCrashHandler64.exe.0.dr
                            Source: Binary string: d:\dbs\el\ja2\target\x86\ship\dw\x-none\dw20.pdb source: DW20.EXE.2.dr
                            Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\winword.pdb000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: WINWORD.EXE.2.dr
                            Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\winword.pdb source: WINWORD.EXE.2.dr
                            Source: Binary string: D:\dbs\el\ja2\Target\x86\ship\dcf\x-none\Common.DBConnection64.pdb source: Common.DBConnection64.exe.0.dr
                            Source: Binary string: D:\a\_work\1\s\src\ai\windows\dll\Win32\Release\ai.exe.pdb source: ai.exe.2.dr
                            Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\scanpst.pdb000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: SCANPST.EXE.2.dr
                            Source: Binary string: MicrosoftEdgeUpdate_unsigned.pdb source: MicrosoftEdgeUpdate.exe.0.dr
                            Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2rcross\x-none\appsharinghookcontroller.pdbr.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: AppSharingHookController.exe.0.dr
                            Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\cnfnot32.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: CNFNOT32.EXE.0.dr
                            Source: Binary string: in32.pdb source: officeappguardwin32.exe.2.dr
                            Source: Binary string: GoogleCrashHandler64_unsigned.pdb source: GoogleCrashHandler64.exe.0.dr
                            Source: Binary string: D:\a\_work\e\src\out\Release_x64\pwahelper.exe.pdbOGP source: pwahelper.exe.0.dr
                            Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\clview.pdb source: CLVIEW.EXE.0.dr
                            Source: Binary string: D:\a\_work\e\src\out\Release_x64\msedge_pwa_launcher.exe.pdb source: msedge_pwa_launcher.exe.0.dr
                            Source: Binary string: C:\Data\svn\autoit\branch_3.3.16\bin\Aut2Exe\Aut2Exe.pdb source: Aut2exe.exe.0.dr
                            Source: Binary string: D:\dbs\el\ja2\Target\x86\ship\dcf\x-none\DatabaseCompare.pdb source: DATABASECOMPARE.EXE.0.dr
                            Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\officeappguardwin32.pdbin32.pdb000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: officeappguardwin32.exe.2.dr
                            Source: Binary string: d:\dbs\el\omr\target\x86\ship\click2run\x-none\Integrator.pdb source: integrator.exe.0.dr
                            Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\unpackexe\unpack200.pdb00 source: unpack200.exe.0.dr
                            Source: Binary string: D:\a\_work\e\src\out\Release_x64\identity_helper.exe.pdb source: identity_helper.exe.0.dr
                            Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\graph.pdb source: GRAPH.EXE.0.dr
                            Source: Binary string: r.pdb source: AppSharingHookController.exe.0.dr
                            Source: Binary string: d:\dbs\el\ja2\target\x86\ship\dw\x-none\dw20.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: DW20.EXE.2.dr
                            Source: Binary string: D:\a\_work\1\s\src\ai\windows\dll\Win32\Release\ai.exe.pdb/ source: ai.exe.2.dr
                            Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\unpackexe\unpack200.pdb source: unpack200.exe.0.dr
                            Source: Binary string: d:\dbs\el\omr\target\x86\ship\click2run\x-none\Integrator.pdb0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: integrator.exe.0.dr
                            Source: Binary string: VSTOInstaller.pdb source: VSTOInstaller.exe.0.dr
                            Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\setlang.pdb source: SETLANG.EXE.2.dr
                            Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\graph.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: GRAPH.EXE.0.dr
                            Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\clview.pdb0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: CLVIEW.EXE.0.dr
                            Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\scanpst.pdb source: SCANPST.EXE.2.dr
                            Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\setlang.pdb000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: SETLANG.EXE.2.dr

                            Spreading

Source: Yara match | File source: 00000000.00000002.2234036394.0000000000409000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: java_update.exe PID: 6624, type: MEMORYSTR
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\DATABASECOMPARE.EXE
Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\UcMapi.exe
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe
Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\MSOHTMED.EXE
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOXMLED.EXE
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCopyAccelerator.exe
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe
Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-006E-0409-0000-0000000FF1CE}\misc.exe
Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SETLANG.EXE
Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\DW\DW20.EXE
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0C0A-0000-0000000FF1CE}\misc.exe
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\lync99.exe
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\FLTLDR.EXE
Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\aimgr.exe
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\cookie_exporter.exe
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\filecompare.exe
Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SELFCERT.EXE
Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SCANPST.EXE
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe
Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\xlicons.exe
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ConfigSecurityPolicy.exe
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSREC.EXE
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\msoev.exe
Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\accicons.exe
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\IEContentService.exe
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\notification_click_helper.exe
Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_proxy.exe
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe
Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\officeappguardwin32.exe
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\wordicon.exe
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\SPREADSHEETCOMPARE.EXE
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\misc.exe
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\Program Files (x86)\AutoIt3\Au3Check.exe
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\NisSrv.exe
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe
Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pj11icon.exe
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ACCICONS.EXE
Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOICONS.EXE
Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\AppSharingHookController64.exe
Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe
Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\visicon.exe
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeComRegisterShellARM64.exe
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge.exe
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXE
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOHTMED.EXE
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXE
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe
Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\XLICONS.EXE
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe
Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe
Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\ai.exe
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedgewebview2.exe
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\Users\user\AppData\Local\Temp\chrome.exe
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0409-0000-0000000FF1CE}\misc.exe
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDlpCmd.exe
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection64.exe
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\outicon.exe
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\dbcicons.exe
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MSQRY32.EXE
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-040C-0000-0000000FF1CE}\misc.exe
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE
Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ORGCHART.EXE
Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SDXHelper.exe
Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\osmclienticon.exe
Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exe
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\WORDICON.EXE
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrSanBroker.exe
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\GRAPH.EXE
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\Program Files (x86)\AutoIt3\Uninstall.exe
Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\sscicons.exe
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MpCmdRun.exe
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection.exe
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXE
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\msoadfsb.exe
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\Program Files (x86)\AutoIt3\Au3Info.exe
Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mpextms.exe
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exe
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrBroker.exe
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\Installer\setup.exe
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\Wordconv.exe
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OcPubMgr.exe
Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\aimgr.exe
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\VPREVIEW.EXE
Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\OLicenseHeartbeat.exe
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe
                            Source: C:\Windows\svchost.comSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OLCFG.EXEJump to behavior
                            Source: C:\Windows\svchost.comSystem file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\grv_icons.exeJump to behavior
                            Source: C:\Users\user\Desktop\java_update.exeSystem file written: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exeJump to behavior
                            Source: C:\Windows\svchost.comSystem file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Source Engine\OSE.EXEJump to behavior
                            Source: C:\Users\user\Desktop\java_update.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\msoasb.exeJump to behavior
                            Source: C:\Users\user\Desktop\java_update.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pubs.exeJump to behavior
                            Source: C:\Users\user\Desktop\java_update.exeFile opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\Windows\Config\Jump to behavior
                            Source: C:\Users\user\Desktop\java_update.exeFile opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\Jump to behavior
                            Source: C:\Users\user\Desktop\java_update.exeFile opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\Windows\Jump to behavior
                            Source: C:\Users\user\Desktop\java_update.exeFile opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex\Jump to behavior
                            Source: C:\Users\user\Desktop\java_update.exeFile opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\Windows\GatherLogs\Jump to behavior
                            Source: C:\Users\user\Desktop\java_update.exeFile opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Jump to behavior
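The rows above show the file-infector pattern that distinguishes this sample from an installer: one process (first the submitted java_update.exe, then the copy it parks as C:\Windows\svchost.com) overwrites executables under several unrelated vendor directories (Windows Defender, Office, AutoIt, Edge, Java, Mozilla). The following Python is an added triage helper written for this page, not Joe Sandbox's own code: it parses rows in this report's layout, flags any writer that touches at least a configurable number of executables across a configurable number of product roots, and picks out the two fixed artefacts the System Summary section records (C:\Windows\svchost.com and C:\Windows\directx.sys). The sample rows are constructed from paths on this page; the thresholds, the product-root heuristic, and the last sample row (which process dropped the %TEMP% copy) are assumptions.

```python
import re
from collections import defaultdict

# One report row. Works on the column-separated layout
# ("Source: X | System file written: Y") and on the fused export
# ("...java_update.exeSystem file written: Y"), and drops a trailing
# "Jump to behavior" link label if the export kept one.
EVENT_RE = re.compile(
    r"^Source:\s*(?P<src>.+?)\s*\|?\s*"
    r"(?P<event>System file written|File created|File opened):\s*"
    r"(?P<path>.+?)\s*(?:Jump to behavior)?\s*$"
)
EXEC_EXT = (".exe", ".dll", ".sys", ".com", ".scr")
# Fixed artefacts this report records: the infector body parked as
# C:\Windows\svchost.com and the driver-named file created beside it.
KNOWN_ARTEFACTS = {r"c:\windows\svchost.com", r"c:\windows\directx.sys"}

# Constructed sample. "System file written" rows are copied from the list
# above, the first two "File created" rows from the System Summary section;
# the last row is an assumption (the report lists the %TEMP% copy only as a
# dropped file, not which process wrote it).
SAMPLE_EVENTS = r"""
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MpCmdRun.exe
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXE
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\Program Files (x86)\AutoIt3\Au3Info.exe
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe
Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OLCFG.EXE
Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Source Engine\OSE.EXE
Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\grv_icons.exe
Source: C:\Users\user\Desktop\java_update.exe | File created: C:\Windows\svchost.com
Source: C:\Windows\svchost.com | File created: C:\Windows\directx.sys
Source: C:\Windows\svchost.com | File created: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe
"""


def parse_events(text):
    """Return (source, event, path) triples for every row the pattern matches."""
    rows = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            rows.append((m["src"], m["event"], m["path"]))
    return rows


def product_dir(path):
    r"""Vendor/product root a target lives under, e.g.
    C:\Program Files (x86)\Microsoft Office\root\x.exe -> c:\program files (x86)\microsoft office"""
    parts = path.split("\\")[:-1]        # drop the file name
    return "\\".join(parts[:3]).lower()


def triage(text, min_files=3, min_dirs=2):
    """Flag writers that overwrite executables across unrelated product roots
    (a file infector, not an installer updating its own tree) and the known
    artefacts of this sample's infection chain. Thresholds are assumptions."""
    written = defaultdict(set)   # writer -> executables it overwrote
    created = defaultdict(set)   # writer -> files it created
    for src, event, path in parse_events(text):
        if event == "System file written" and path.lower().endswith(EXEC_EXT):
            written[src].add(path)
        elif event == "File created":
            created[src].add(path)

    findings = {"mass_writers": {}, "artefacts": []}
    for src, paths in written.items():
        dirs = {product_dir(p) for p in paths}
        if len(paths) >= min_files and len(dirs) >= min_dirs:
            findings["mass_writers"][src] = {"files": len(paths), "product_dirs": sorted(dirs)}
    for src, paths in created.items():
        for p in paths:
            low = p.lower()
            if low in KNOWN_ARTEFACTS:
                findings["artefacts"].append((src, p))
            # The parked body handing the original program back through a
            # %TEMP% copy is how an infected executable still appears to work.
            elif src.lower() == r"c:\windows\svchost.com" and "\\temp\\" in low and low.endswith(".exe"):
                findings["artefacts"].append((src, p))
    findings["artefacts"].sort()
    return findings


if __name__ == "__main__":
    result = triage(SAMPLE_EVENTS)
    for writer, info in result["mass_writers"].items():
        print(f"mass executable overwrite by {writer}: {info['files']} files in {len(info['product_dirs'])} product roots")
    for writer, path in result["artefacts"]:
        print(f"artefact: {writer} created {path}")
```

With the defaults, the svchost.com copy in the sample is not reported as a mass writer because its three targets all sit under the Office root; lowering min_dirs to 1 flags it, which is the trade-off to tune against legitimate updaters that rewrite many binaries in one product tree.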

                            Networking

                            Source: Malware configuration extractor | URLs: 45.141.26.232
                            Source: Yara match | File source: 1.0.java_update.exe.e60000.0.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: C:\ProgramData\Java Update Checker (64 bit).exe, type: DROPPED
                            Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe, type: DROPPED
                            Source: global traffic | TCP traffic: 192.168.2.4:49737 -> 45.141.26.232:6666
                            Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1; Host: ip-api.com; Connection: Keep-Alive
                            Source: Joe Sandbox View | IP Address: 208.95.112.1
                            Source: Joe Sandbox View | ASN Name: TUT-ASUS
                            Source: Joe Sandbox View | ASN Name: SPECTRAIPSpectraIPBVNL
                            Source: unknown | DNS query: name: ip-api.com
                            Source: unknown | TCP traffic detected without corresponding DNS query: 45.141.26.232 (this row is repeated 50 times in the report)
                            Source: global traffic | DNS traffic detected: DNS query: ip-api.com
                            Source: integrator.exe.0.dr | String found in binary or memory: http://127.0.0.1:13556/InsiderSlabBehaviorReportedBuildInsiderSlabBehaviorInsiderSlabBehaviorReporte
                            Source: Uninstall.exe.2.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
                            Source: armsvc.exe.0.dr, GoogleCrashHandler64.exe.0.dr, unpack200.exe.0.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
                            Source: Uninstall.exe.2.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
                            Source: armsvc.exe.0.dr, GoogleCrashHandler64.exe.0.dr, unpack200.exe.0.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
                            Source: Uninstall.exe.2.dr, armsvc.exe.0.dr, GoogleCrashHandler64.exe.0.dr, unpack200.exe.0.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
                            Source: Uninstall.exe.2.dr, armsvc.exe.0.dr, GoogleCrashHandler64.exe.0.dr, unpack200.exe.0.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
                            Source: Aut2exe.exe.0.dr | String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
                            Source: Aut2exe.exe.0.dr | String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
                            Source: Aut2exe.exe.0.dr | String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
                            Source: Aut2exe.exe.0.dr | String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
                            Source: Aut2exe.exe.0.dr | String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
                            Source: powershell.exe, 0000000B.00000002.2358182918.000000000889C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.me
                            Source: powershell.exe, 00000003.00000002.1900839755.0000000003371000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1923339892.00000000079C8000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1935367351.00000000088FF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.micro
                            Source: powershell.exe, 00000011.00000002.2361460775.0000000008962000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.microK
                            Source: powershell.exe, 00000011.00000002.2361460775.000000000897D000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2361460775.00000000089A7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.microsoft
                            Source: powershell.exe, 0000000B.00000002.2358182918.000000000889C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.microsoft/
                            Source: powershell.exe, 0000000E.00000002.2356534559.00000000077F3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.microsoftI
                            Source: armsvc.exe.0.dr, GoogleCrashHandler64.exe.0.dr, unpack200.exe.0.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
                            Source: Uninstall.exe.2.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
                            Source: Uninstall.exe.2.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
                            Source: armsvc.exe.0.dr, GoogleCrashHandler64.exe.0.dr, unpack200.exe.0.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
                            Source: Uninstall.exe.2.dr, armsvc.exe.0.dr, GoogleCrashHandler64.exe.0.dr, unpack200.exe.0.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
                            Source: unpack200.exe.0.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
                            Source: Uninstall.exe.2.dr | String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
                            Source: Uninstall.exe.2.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
                            Source: Uninstall.exe.2.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl07
                            Source: GoogleCrashHandler64.exe.0.dr, unpack200.exe.0.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
                            Source: armsvc.exe.0.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0=
                            Source: Uninstall.exe.2.dr | String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
                            Source: java_update.exe, Java Update Checker (64 bit).exe.1.dr | String found in binary or memory: http://ip-api.com/line/?fields=hosting
                            Source: svchost.com, 00000002.00000002.2231810961.0000000000193000.00000004.00000010.00020000.00000000.sdmp, Uninstall.exe.2.dr | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
                            Source: powershell.exe, 00000003.00000002.1919244563.000000000637A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2324521202.00000000062F7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2334742070.00000000064D8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2331798038.0000000006318000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
                            Source: Uninstall.exe.2.dr, armsvc.exe.0.dr, GoogleCrashHandler64.exe.0.dr, unpack200.exe.0.dr | String found in binary or memory: http://ocsp.digicert.com0
                            Source: Uninstall.exe.2.dr, armsvc.exe.0.dr, GoogleCrashHandler64.exe.0.dr, unpack200.exe.0.dr | String found in binary or memory: http://ocsp.digicert.com0A
                            Source: Uninstall.exe.2.dr, armsvc.exe.0.dr, GoogleCrashHandler64.exe.0.dr, unpack200.exe.0.dr | String found in binary or memory: http://ocsp.digicert.com0C
                            Source: Uninstall.exe.2.dr | String found in binary or memory: http://ocsp.digicert.com0N
                            Source: Uninstall.exe.2.dr, armsvc.exe.0.dr, GoogleCrashHandler64.exe.0.dr, unpack200.exe.0.dr | String found in binary or memory: http://ocsp.digicert.com0X
                            Source: Aut2exe.exe.0.dr | String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
                            Source: Aut2exe.exe.0.dr | String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
                            Source: Aut2exe.exe.0.dr | String found in binary or memory: http://ocsp2.globalsign.com/rootr306
                            Source: Aut2exe.exe.0.dr | String found in binary or memory: http://ocsp2.globalsign.com/rootr606
                            Source: powershell.exe, 00000011.00000002.2292459669.0000000005406000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
                            Source: officeappguardwin32.exe.2.dr | String found in binary or memory: http://schemas.datacontract.org/2004/07/Microsoft.Office.Web.Roaming.Service
                            Source: officeappguardwin32.exe.2.dr | String found in binary or memory: http://schemas.datacontract.org/2004/07/Microsoft.Office.Web.Roaming.SoapObjects
                            Source: officeappguardwin32.exe.2.dr | String found in binary or memory: http://schemas.datacontract.org/2004/07/Microsoft.Office.Web.Roaming.SoapObjectsItemsSortKeyArrayOfR
                            Source: powershell.exe, 00000003.00000002.1910750935.0000000005466000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2285866607.00000000053E6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2287207179.00000000055C6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2292459669.0000000005406000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
                            Source: java_update.exe, 00000001.00000002.2964590079.0000000003351000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1910750935.0000000005311000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2285866607.0000000005291000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2287207179.0000000005471000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2292459669.00000000052B1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                            Source: powershell.exe, 00000003.00000002.1910750935.0000000005466000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2285866607.00000000053E6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2287207179.00000000055C6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2292459669.0000000005406000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
                            Source: Aut2exe.exe.0.dr | String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
                            Source: Aut2exe.exe.0.dr | String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
                            Source: officeappguardwin32.exe.2.dr | String found in binary or memory: http://tempuri.org/
                            Source: officeappguardwin32.exe.2.dr | String found in binary or memory: http://tempuri.org/IRoamingSettingsService/DisableUser
                            Source: officeappguardwin32.exe.2.dr | String found in binary or memory: http://tempuri.org/IRoamingSettingsService/DisableUserResponse
                            Source: officeappguardwin32.exe.2.dr | String found in binary or memory: http://tempuri.org/IRoamingSettingsService/EnableUser
                            Source: officeappguardwin32.exe.2.dr | String found in binary or memory: http://tempuri.org/IRoamingSettingsService/EnableUserResponse
                            Source: officeappguardwin32.exe.2.dr | String found in binary or memory: http://tempuri.org/IRoamingSettingsService/GetConfig
                            Source: officeappguardwin32.exe.2.dr | String found in binary or memory: http://tempuri.org/IRoamingSettingsService/GetConfigResponse
                            Source: officeappguardwin32.exe.2.dr | String found in binary or memory: http://tempuri.org/IRoamingSettingsService/ReadSettings
                            Source: officeappguardwin32.exe.2.dr | String found in binary or memory: http://tempuri.org/IRoamingSettingsService/ReadSettingsResponse
                            Source: officeappguardwin32.exe.2.dr | String found in binary or memory: http://tempuri.org/IRoamingSettingsService/WriteSettings
                            Source: officeappguardwin32.exe.2.dr | String found in binary or memory: http://tempuri.org/IRoamingSettingsService/WriteSettingsResponse
                            Source: officeappguardwin32.exe.2.dr | String found in binary or memory: http://tempuri.org/IRoamingSettingsService/WriteSettingshttp://tempuri.org/IRoamingSettingsService/R
                            Source: powershell.exe, 00000011.00000002.2292459669.0000000005406000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                            Source: Aut2exe.exe.0.dr | String found in binary or memory: http://www.autoitscript.com/autoit3/
                            Source: Aut2exe.exe.0.dr | String found in binary or memory: http://www.autoitscript.com/autoit3/8
                            Source: Uninstall.exe.2.dr, armsvc.exe.0.dr, GoogleCrashHandler64.exe.0.dr, unpack200.exe.0.dr | String found in binary or memory: http://www.digicert.com/CPS0
                            Source: powershell.exe, 00000003.00000002.1910750935.0000000005311000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2285866607.0000000005291000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2287207179.0000000005471000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2292459669.00000000052B1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore6lBfq
                            Source: powershell.exe, 00000011.00000002.2331798038.0000000006318000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
                            Source: powershell.exe, 00000011.00000002.2331798038.0000000006318000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
                            Source: powershell.exe, 00000011.00000002.2331798038.0000000006318000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
                            Source: powershell.exe, 00000011.00000002.2292459669.0000000005406000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
                            Source: msedge_pwa_launcher.exe.0.dr, identity_helper.exe.0.dr, pwahelper.exe.0.dr | String found in binary or memory: https://github.com/pq-crystals/kyber/commit/28413dfbf523fdde181246451c2bd77199c0f7ff
                            Source: msedge_pwa_launcher.exe.0.dr, identity_helper.exe.0.dr, pwahelper.exe.0.dr | String found in binary or memory: https://github.com/pq-crystals/kyber/commit/28413dfbf523fdde181246451c2bd77199c0f7ffDilithium2Dilith
                            Source: Uninstall.exe.2.dr | String found in binary or memory: https://mozilla.org0/
                            Source: integrator.exe.0.dr | String found in binary or memory: https://nexus.officeapps.live.comhttps://nexusrules.officeapps.live.com
                            Source: powershell.exe, 00000003.00000002.1919244563.000000000637A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2324521202.00000000062F7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2334742070.00000000064D8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2331798038.0000000006318000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
                            Source: integrator.exe.0.dr | String found in binary or memory: https://otelrules.azureedge.net/rules/.bundlesdxhelper.exeFailed
                            Source: Aut2exe.exe.0.dr | String found in binary or memory: https://www.autoitscript.com/autoit3/
                            Source: Uninstall.exe.2.dr | String found in binary or memory: https://www.digicert.com/CPS0
                            Source: Aut2exe.exe.0.dr | String found in binary or memory: https://www.globalsign.com/repository/0
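Two rows in this section carry the network indicators worth acting on: the connection to 45.141.26.232:6666, which matches the extracted configuration and is contacted by IP with no preceding DNS lookup (the hallmark of a hard-coded C2), and the GET /line/?fields=hosting request to ip-api.com, a public-IP lookup the sample uses to learn whether it is running in a hosting/datacenter range such as a sandbox. Almost everything else in the string list is certificate-chain and telemetry URLs from the legitimately signed binaries the infector overwrote, which is noise for hunting. The Python below is an added example, not Joe Sandbox code: it reduces rows in this report's layout to that distinction. The sample rows are constructed from this page (plus one assumed connection to 208.95.112.1, the address the report lists for ip-api.com, to show a DNS-resolved destination being excluded). The ip-api.com /line endpoint returns one value per line and answers "true" or "false" for fields=hosting; that this sample aborts on "true" is an assumption about its logic, not something the report states.

```python
import ipaddress
import re
from collections import Counter

# Row patterns for the Networking section of a report like this one. They are
# searched, not anchored, so the fused export ("global trafficTCP traffic:")
# and a column-separated layout parse the same way. Order matters below:
# the "without corresponding DNS query" row must be tested before the generic
# "DNS query:" pattern, which would otherwise swallow it.
TCP_RE = re.compile(r"TCP traffic:\s*(?P<sip>[\d.]+):(?P<sport>\d+)\s*->\s*(?P<dip>[\d.]+):(?P<dport>\d+)")
NODNS_RE = re.compile(r"TCP traffic detected without corresponding DNS query:\s*(?P<ip>[\d.]+)")
HTTP_RE = re.compile(r"HTTP traffic detected:\s*(?P<method>[A-Z]+)\s+(?P<path>\S+)\s+HTTP/1\.[01](?P<hdrs>.*)$")
# Header names run together in the export ("ip-api.comConnection:"), so the host
# value ends at the next capitalised header name, a separator, or end of line.
HOST_RE = re.compile(r"Host:\s*(?P<host>[A-Za-z0-9.\-]+?)(?=[;,\s]|[A-Z][A-Za-z-]*:|$)")
DNS_RE = re.compile(r"DNS query:\s*(?:name:\s*)?(?P<name>[A-Za-z0-9.\-]+)")
CONFIG_RE = re.compile(r"Malware configuration extractor.*?URLs:\s*(?P<val>.+?)\s*$")

# Constructed sample: rows from this report, the no-DNS row repeated the 50
# times the report lists it, plus one assumed connection to the resolved
# ip-api.com address so the filter has a benign destination to discard.
SAMPLE_LOG = (
    "Source: Malware configuration extractor | URLs: 45.141.26.232\n"
    "Source: global traffic | TCP traffic: 192.168.2.4:49737 -> 45.141.26.232:6666\n"
    "Source: global trafficHTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive\n"
    "Source: unknown | DNS query: name: ip-api.com\n"
    + "Source: unknown | TCP traffic detected without corresponding DNS query: 45.141.26.232\n" * 50
    + "Source: global traffic | TCP traffic: 192.168.2.4:49738 -> 208.95.112.1:80\n"
)


def _config_host(value):
    """Reduce a config entry ('1.2.3.4', '1.2.3.4:6666', 'http://h/p') to its host."""
    value = value.split("://", 1)[-1].split("/", 1)[0]
    return value.rsplit(":", 1)[0] if value.count(":") == 1 else value


def _is_public(ip):
    try:
        return ipaddress.ip_address(ip).is_global
    except ValueError:
        return False


def extract_network_iocs(text):
    """Split report rows into hard-coded C2 endpoints, DNS-resolved traffic,
    and the hosting-range lookup used as a sandbox check."""
    no_dns, tcp, http, dns, config = Counter(), [], [], set(), set()
    for line in text.splitlines():
        if m := TCP_RE.search(line):
            tcp.append((m["sip"], int(m["sport"]), m["dip"], int(m["dport"])))
        elif m := NODNS_RE.search(line):
            no_dns[m["ip"]] += 1
        elif m := HTTP_RE.search(line):
            h = HOST_RE.search(m["hdrs"])
            http.append((m["method"], m["path"], h["host"] if h else ""))
        elif m := DNS_RE.search(line):
            dns.add(m["name"].lower())
        elif m := CONFIG_RE.search(line):
            config.update(_config_host(v) for v in re.split(r"[,\s]+", m["val"]) if v)

    # A destination is treated as hard-coded when the sandbox saw no DNS lookup
    # for it or the config extractor pulled it from the binary.
    hardcoded = {ip for ip in no_dns if _is_public(ip)} | config
    c2 = sorted({f"{dip}:{dport}" for _, _, dip, dport in tcp if dip in hardcoded})
    sandbox_checks = sorted({(host, path) for _, path, host in http
                             if host.endswith("ip-api.com") and "hosting" in path})
    return {"c2_endpoints": c2, "hardcoded_hosts": sorted(hardcoded),
            "no_dns_connections": dict(no_dns), "dns_queries": sorted(dns),
            "http_requests": http, "sandbox_checks": sandbox_checks}


def hosting_check_would_abort(response_body):
    """ip-api.com's /line endpoint answers one value per line; for fields=hosting
    that is 'true' or 'false'. Assumption: the sample stops when the answer is
    'true', i.e. when its public IP sits in a hosting/datacenter range."""
    return response_body.strip().lower() == "true"


if __name__ == "__main__":
    iocs = extract_network_iocs(SAMPLE_LOG)
    print("C2 endpoints:", iocs["c2_endpoints"])
    print("no-DNS connection counts:", iocs["no_dns_connections"])
    print("sandbox checks:", iocs["sandbox_checks"])
    print("would abort on 'true':", hosting_check_would_abort("true\n"))
```

The endpoint list is what goes into a block rule or a hunt over proxy and firewall logs; the hosting check is the detection opportunity on the other side, since a process that has no business geolocating itself asking ip-api.com for the hosting field is a strong signal on its own.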

                            Key, Mouse, Clipboard, Microphone and Screen Capturing

                            Source: Yara match | File source: java_update.exe, type: SAMPLE
                            Source: Yara match | File source: 1.0.java_update.exe.e60000.0.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 00000001.00000000.1716627555.0000000000E62000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
                            Source: Yara match | File source: Process Memory Space: java_update.exe PID: 1800, type: MEMORYSTR
                            Source: Yara match | File source: C:\ProgramData\Java Update Checker (64 bit).exe, type: DROPPED
                            Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe, type: DROPPED
                            Source: java_update.exe.0.dr, XLogger.cs | .Net Code: KeyboardLayout
                            Source: Java Update Checker (64 bit).exe.1.dr, XLogger.cs | .Net Code: KeyboardLayout
                            Source: integrator.exe.0.dr | Binary or memory string: RegisterRawInputDevicesmemstr_f703ff8d-9

                            Operating System Destruction

                            Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe | Process information set: 01 00 00 00 (ProcessBreakOnTermination enabled: the process is marked critical, so terminating it bugchecks the system)

                            System Summary

                            barindex
                            Source: java_update.exe, type: SAMPLEMatched rule: Detects AsyncRAT Author: ditekSHen
                            Source: 1.0.java_update.exe.e60000.0.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
                            Source: 00000001.00000000.1716627555.0000000000E62000.00000002.00000001.01000000.00000005.sdmp, type: MEMORYMatched rule: Detects AsyncRAT Author: ditekSHen
                            Source: C:\ProgramData\Java Update Checker (64 bit).exe, type: DROPPEDMatched rule: Detects AsyncRAT Author: ditekSHen
                            Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe, type: DROPPEDMatched rule: Detects AsyncRAT Author: ditekSHen
                            Source: C:\Windows\svchost.comFile created: C:\Windows\directx.sysJump to behavior
                            Source: C:\Users\user\Desktop\java_update.exeFile created: C:\Windows\svchost.comJump to behavior
                            Source: C:\Windows\svchost.comFile created: C:\Windows\directx.sysJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe | Code function: 1_2_00007FFD9B891771
                            Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe | Code function: 1_2_00007FFD9B896662
                            Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe | Code function: 1_2_00007FFD9B890610
                            Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe | Code function: 1_2_00007FFD9B8958B6
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_051DB490
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_051DB470
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_08D93E98
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 11_2_050FB490
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 11_2_050FB470
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 11_2_08D33E98
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 14_2_0521B4A0
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 14_2_0521B490
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 14_2_08C13A98
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 17_2_0521B490
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 17_2_0521B470
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 17_2_08E73E98
                            Source: java_update.exe, 00000001.00000000.1716627555.0000000000E62000.00000002.00000001.01000000.00000005.sdmp | Binary or memory string: OriginalFilenamewdsa.exe4 vs java_update.exe
                            Source: java_update.exe, 00000001.00000002.2980468023.000000001C17E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamePowerShell.EXE.MUIj% vs java_update.exe
                            Source: java_update.exe | Binary or memory string: OriginalFilenamewdsa.exe4 vs java_update.exe
                            Source: java_update.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
                            Source: java_update.exe, type: SAMPLE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                            Source: 1.0.java_update.exe.e60000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                            Source: 00000001.00000000.1716627555.0000000000E62000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                            Source: C:\ProgramData\Java Update Checker (64 bit).exe, type: DROPPED | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                            Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe, type: DROPPED | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                            Source: java_update.exe.0.dr, Helper.cs | Cryptographic APIs: 'TransformFinalBlock'
                            Source: java_update.exe.0.dr, AlgorithmAES.cs | Cryptographic APIs: 'TransformFinalBlock'
                            Source: Java Update Checker (64 bit).exe.1.dr, Helper.cs | Cryptographic APIs: 'TransformFinalBlock'
                            Source: Java Update Checker (64 bit).exe.1.dr, AlgorithmAES.cs | Cryptographic APIs: 'TransformFinalBlock'
                            Source: java_update.exe.0.dr, ClientSocket.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                            Source: java_update.exe.0.dr, ClientSocket.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                            Source: Java Update Checker (64 bit).exe.1.dr, ClientSocket.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                            Source: Java Update Checker (64 bit).exe.1.dr, ClientSocket.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                            Source: classification engine | Classification label: mal100.spre.troj.spyw.evad.winEXE@23/183@1/2
                            Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java Update Checker (64 bit).lnk
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
                            Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe | Mutant created: \Sessions\1\BaseNamedObjects\omb7mZjvAq0auoSy
                            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7716:120:WilError_03
                            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7836:120:WilError_03
                            Source: C:\Windows\svchost.com | Mutant created: \Sessions\1\BaseNamedObjects\MutexPolesskayaGlush*.* svchost.com n X . t N t h ` T 5 @
                            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:404:120:WilError_03
                            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7920:120:WilError_03
                            Source: C:\Users\user\Desktop\java_update.exe | File created: C:\Users\user\AppData\Local\Temp\3582-490
                            Source: java_update.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.29%
                            Source: C:\Users\user\Desktop\java_update.exe | File read: C:\Users\user\Desktop\desktop.ini
                            Source: C:\Users\user\Desktop\java_update.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                            Source: integrator.exe.0.dr | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
                            Source: integrator.exe.0.dr | Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
                            Source: integrator.exe.0.dr | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
                            Source: integrator.exe.0.dr | Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
                            Source: java_update.exe | ReversingLabs: Detection: 97%
                            Source: java_update.exe | Virustotal: Detection: 89%
                            Source: C:\Users\user\Desktop\java_update.exe | File read: C:\Users\user\Desktop\java_update.exe
                            Source: unknown | Process created: C:\Users\user\Desktop\java_update.exe "C:\Users\user\Desktop\java_update.exe"
                            Source: C:\Users\user\Desktop\java_update.exe | Process created: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe "C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe"
                            Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe | Process created: C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe'
                            Source: C:\Windows\svchost.com | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe'
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe | Process created: C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'java_update.exe'
                            Source: C:\Windows\svchost.com | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'java_update.exe'
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe | Process created: C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Java Update Checker (64 bit).exe'
                            Source: C:\Windows\svchost.com | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Java Update Checker (64 bit).exe'
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe | Process created: C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Java Update Checker (64 bit).exe'
                            Source: C:\Windows\svchost.com | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Java Update Checker (64 bit).exe'
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: C:\Users\user\Desktop\java_update.exe | Process created: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe "C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe"
                            Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe | Process created: C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe'
                            Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe | Process created: C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'java_update.exe'
                            Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe | Process created: C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Java Update Checker (64 bit).exe'
                            Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe | Process created: C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Java Update Checker (64 bit).exe'
                            Source: C:\Windows\svchost.com | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe'
                            Source: C:\Windows\svchost.com | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'java_update.exe'
                            Source: C:\Windows\svchost.com | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Java Update Checker (64 bit).exe'
                            Source: C:\Windows\svchost.com | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Java Update Checker (64 bit).exe'
                            Source: C:\Users\user\Desktop\java_update.exe | Section loaded: apphelp.dll
                            Source: C:\Users\user\Desktop\java_update.exe | Section loaded: acgenral.dll
                            Source: C:\Users\user\Desktop\java_update.exe | Section loaded: uxtheme.dll
                            Source: C:\Users\user\Desktop\java_update.exe | Section loaded: winmm.dll
                            Source: C:\Users\user\Desktop\java_update.exe | Section loaded: samcli.dll
                            Source: C:\Users\user\Desktop\java_update.exe | Section loaded: msacm32.dll
                            Source: C:\Users\user\Desktop\java_update.exe | Section loaded: version.dll
                            Source: C:\Users\user\Desktop\java_update.exe | Section loaded: userenv.dll
                            Source: C:\Users\user\Desktop\java_update.exe | Section loaded: dwmapi.dll
                            Source: C:\Users\user\Desktop\java_update.exe | Section loaded: urlmon.dll
                            Source: C:\Users\user\Desktop\java_update.exe | Section loaded: mpr.dll
                            Source: C:\Users\user\Desktop\java_update.exe | Section loaded: sspicli.dll
                            Source: C:\Users\user\Desktop\java_update.exe | Section loaded: winmmbase.dll
                            Source: C:\Users\user\Desktop\java_update.exe | Section loaded: iertutil.dll
                            Source: C:\Users\user\Desktop\java_update.exe | Section loaded: srvcli.dll
                            Source: C:\Users\user\Desktop\java_update.exe | Section loaded: netutils.dll
                            Source: C:\Users\user\Desktop\java_update.exe | Section loaded: aclayers.dll
                            Source: C:\Users\user\Desktop\java_update.exe | Section loaded: sfc.dll
                            Source: C:\Users\user\Desktop\java_update.exe | Section loaded: sfc_os.dll
                            Source: C:\Users\user\Desktop\java_update.exe | Section loaded: windows.storage.dll
                            Source: C:\Users\user\Desktop\java_update.exe | Section loaded: wldp.dll
                            Source: C:\Users\user\Desktop\java_update.exe | Section loaded: kernel.appcore.dll
                            Source: C:\Users\user\Desktop\java_update.exe | Section loaded: propsys.dll
                            Source: C:\Users\user\Desktop\java_update.exe | Section loaded: profapi.dll
                            Source: C:\Users\user\Desktop\java_update.exe | Section loaded: edputil.dll
                            Source: C:\Users\user\Desktop\java_update.exe | Section loaded: windows.staterepositoryps.dll
                            Source: C:\Users\user\Desktop\java_update.exe | Section loaded: wintypes.dll
                            Source: C:\Users\user\Desktop\java_update.exe | Section loaded: appresolver.dll
                            Source: C:\Users\user\Desktop\java_update.exe | Section loaded: bcp47langs.dll
                            Source: C:\Users\user\Desktop\java_update.exe | Section loaded: slc.dll
                            Source: C:\Users\user\Desktop\java_update.exe | Section loaded: sppc.dll
                            Source: C:\Users\user\Desktop\java_update.exe | Section loaded: onecorecommonproxystub.dll
                            Source: C:\Users\user\Desktop\java_update.exe | Section loaded: onecoreuapcommonproxystub.dll
                            Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe | Section loaded: mscoree.dll
                            Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe | Section loaded: apphelp.dll
                            Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe | Section loaded: kernel.appcore.dll
                            Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe | Section loaded: version.dll
                            Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe | Section loaded: vcruntime140_clr0400.dll
                            Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe | Section loaded: ucrtbase_clr0400.dll
                            Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe | Section loaded: uxtheme.dll
                            Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe | Section loaded: sspicli.dll
                            Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe | Section loaded: cryptsp.dll
                            Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe | Section loaded: rsaenh.dll
                            Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe | Section loaded: cryptbase.dll
                            Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe | Section loaded: wbemcomn.dll
                            Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe | Section loaded: amsi.dll
                            Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe | Section loaded: userenv.dll
                            Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe | Section loaded: profapi.dll
                            Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe | Section loaded: windows.storage.dll
                            Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe | Section loaded: wldp.dll
                            Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe | Section loaded: rasapi32.dll
                            Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe | Section loaded: rasman.dll
                            Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe | Section loaded: rtutils.dll
                            Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe | Section loaded: mswsock.dll
                            Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe | Section loaded: winhttp.dll
                            Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe | Section loaded: ondemandconnroutehelper.dll
                            Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe | Section loaded: iphlpapi.dll
                            Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe | Section loaded: dhcpcsvc6.dll
                            Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe | Section loaded: dhcpcsvc.dll
                            Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe | Section loaded: dnsapi.dll
                            Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe | Section loaded: winnsi.dll
                            Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe | Section loaded: rasadhlp.dll
                            Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe | Section loaded: fwpuclnt.dll
                            Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe | Section loaded: propsys.dll
                            Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe | Section loaded: edputil.dll
                            Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe | Section loaded: urlmon.dll
                            Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe | Section loaded: iertutil.dll
                            Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe | Section loaded: srvcli.dll
                            Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe | Section loaded: netutils.dll
                            Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe | Section loaded: windows.staterepositoryps.dll
                            Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe | Section loaded: wintypes.dll
                            Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe | Section loaded: appresolver.dll
                            Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe | Section loaded: bcp47langs.dll
                            Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe | Section loaded: slc.dll
                            Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe | Section loaded: sppc.dll
                            Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe | Section loaded: onecorecommonproxystub.dll
                            Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe | Section loaded: onecoreuapcommonproxystub.dll
                            Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe | Section loaded: sxs.dll
                            Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe | Section loaded: mpr.dll
                            Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe | Section loaded: scrrun.dll
                            Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe | Section loaded: linkinfo.dll
                            Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe | Section loaded: ntshrui.dll
                            Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe | Section loaded: cscapi.dll
                            Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe | Section loaded: avicap32.dll
                            Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe | Section loaded: msvfw32.dll
                            Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe | Section loaded: winmm.dll
                            Source: C:\Windows\svchost.com | Section loaded: apphelp.dll
                            Source: C:\Windows\svchost.com | Section loaded: uxtheme.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appresolver.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: bcp47langs.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: slc.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sppc.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: linkinfo.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntshrui.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cscapi.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: policymanager.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msvcp110_win.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appresolver.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: bcp47langs.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: slc.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sppc.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: linkinfo.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntshrui.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cscapi.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: policymanager.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msvcp110_win.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntmarta.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appresolver.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcp47langs.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: slc.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sppc.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: linkinfo.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntshrui.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cscapi.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: policymanager.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msvcp110_win.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntmarta.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appresolver.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcp47langs.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: slc.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sppc.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: linkinfo.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntshrui.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cscapi.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: policymanager.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msvcp110_win.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntmarta.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
                            Source: C:\Users\user\Desktop\java_update.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32Jump to behavior
                            Source: Window RecorderWindow detected: More than 3 window changes detected
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                            Source: Binary string: D:\a\_work\e\src\out\Release_x64\pwahelper.exe.pdb source: pwahelper.exe.0.dr
                            Source: Binary string: D:\DCB\CBT_Main\BuildResults\bin\Win32\Release\armsvc.pdb source: armsvc.exe.0.dr
                            Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2rcross\x-none\appsharinghookcontroller.pdb source: AppSharingHookController.exe.0.dr
                            Source: Binary string: D:\a\_work\e\src\out\Release_x64\msedge_pwa_launcher.exe.pdbOGP source: msedge_pwa_launcher.exe.0.dr
                            Source: Binary string: AppVDllSurrogate64.pdbGCTL source: AppVDllSurrogate64.exe.0.dr
                            Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\officeappguardwin32.pdb source: officeappguardwin32.exe.2.dr
                            Source: Binary string: AppVDllSurrogate64.pdb source: AppVDllSurrogate64.exe.0.dr
                            Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\cnfnot32.pdb source: CNFNOT32.EXE.0.dr
                            Source: Binary string: D:\a\_work\e\src\out\Release_x64\identity_helper.exe.pdbOGP source: identity_helper.exe.0.dr
                            Source: Binary string: GoogleCrashHandler64_unsigned.pdbl source: GoogleCrashHandler64.exe.0.dr
                            Source: Binary string: d:\dbs\el\ja2\target\x86\ship\dw\x-none\dw20.pdb source: DW20.EXE.2.dr
                            Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\winword.pdb000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: WINWORD.EXE.2.dr
                            Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\winword.pdb source: WINWORD.EXE.2.dr
                            Source: Binary string: D:\dbs\el\ja2\Target\x86\ship\dcf\x-none\Common.DBConnection64.pdb source: Common.DBConnection64.exe.0.dr
                            Source: Binary string: D:\a\_work\1\s\src\ai\windows\dll\Win32\Release\ai.exe.pdb source: ai.exe.2.dr
                            Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\scanpst.pdb000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: SCANPST.EXE.2.dr
                            Source: Binary string: MicrosoftEdgeUpdate_unsigned.pdb source: MicrosoftEdgeUpdate.exe.0.dr
                            Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2rcross\x-none\appsharinghookcontroller.pdbr.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: AppSharingHookController.exe.0.dr
                            Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\cnfnot32.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: CNFNOT32.EXE.0.dr
                            Source: Binary string: in32.pdb source: officeappguardwin32.exe.2.dr
                            Source: Binary string: GoogleCrashHandler64_unsigned.pdb source: GoogleCrashHandler64.exe.0.dr
                            Source: Binary string: D:\a\_work\e\src\out\Release_x64\pwahelper.exe.pdbOGP source: pwahelper.exe.0.dr
                            Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\clview.pdb source: CLVIEW.EXE.0.dr
                            Source: Binary string: D:\a\_work\e\src\out\Release_x64\msedge_pwa_launcher.exe.pdb source: msedge_pwa_launcher.exe.0.dr
                            Source: Binary string: C:\Data\svn\autoit\branch_3.3.16\bin\Aut2Exe\Aut2Exe.pdb source: Aut2exe.exe.0.dr
                            Source: Binary string: D:\dbs\el\ja2\Target\x86\ship\dcf\x-none\DatabaseCompare.pdb source: DATABASECOMPARE.EXE.0.dr
                            Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\officeappguardwin32.pdbin32.pdb000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: officeappguardwin32.exe.2.dr
                            Source: Binary string: d:\dbs\el\omr\target\x86\ship\click2run\x-none\Integrator.pdb source: integrator.exe.0.dr
                            Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\unpackexe\unpack200.pdb00 source: unpack200.exe.0.dr
                            Source: Binary string: D:\a\_work\e\src\out\Release_x64\identity_helper.exe.pdb source: identity_helper.exe.0.dr
                            Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\graph.pdb source: GRAPH.EXE.0.dr
                            Source: Binary string: r.pdb source: AppSharingHookController.exe.0.dr
                            Source: Binary string: d:\dbs\el\ja2\target\x86\ship\dw\x-none\dw20.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: DW20.EXE.2.dr
                            Source: Binary string: D:\a\_work\1\s\src\ai\windows\dll\Win32\Release\ai.exe.pdb/ source: ai.exe.2.dr
                            Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\unpackexe\unpack200.pdb source: unpack200.exe.0.dr
                            Source: Binary string: d:\dbs\el\omr\target\x86\ship\click2run\x-none\Integrator.pdb0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: integrator.exe.0.dr
                            Source: Binary string: VSTOInstaller.pdb source: VSTOInstaller.exe.0.dr
                            Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\setlang.pdb source: SETLANG.EXE.2.dr
                            Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\graph.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: GRAPH.EXE.0.dr
                            Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\clview.pdb0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: CLVIEW.EXE.0.dr
                            Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\scanpst.pdb source: SCANPST.EXE.2.dr
                            Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\setlang.pdb000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: SETLANG.EXE.2.dr

                            Data Obfuscation

                            Source: java_update.exe.0.dr, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
                            Source: java_update.exe.0.dr, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                            Source: java_update.exe.0.dr, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { Pack[2] }}, (string[])null, (Type[])null, (bool[])null, true)
                            Source: Java Update Checker (64 bit).exe.1.dr, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
                            Source: Java Update Checker (64 bit).exe.1.dr, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                            Source: Java Update Checker (64 bit).exe.1.dr, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { Pack[2] }}, (string[])null, (Type[])null, (bool[])null, true)
                            Source: java_update.exe.0.dr, Messages.cs .Net Code: Plugin System.AppDomain.Load(byte[])
                            Source: java_update.exe.0.dr, Messages.cs .Net Code: Memory System.AppDomain.Load(byte[])
                            Source: java_update.exe.0.dr, Messages.cs .Net Code: Memory
                            Source: Java Update Checker (64 bit).exe.1.dr, Messages.cs .Net Code: Plugin System.AppDomain.Load(byte[])
                            Source: Java Update Checker (64 bit).exe.1.dr, Messages.cs .Net Code: Memory System.AppDomain.Load(byte[])
                            Source: Java Update Checker (64 bit).exe.1.dr, Messages.cs .Net Code: Memory
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_051D504D pushfd ; ret 3_2_051D5062
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_051D5098 pushfd ; ret 3_2_051D5062
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_051D50B8 pushfd ; ret 3_2_051D5062
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_051D6348 push eax; ret 3_2_051D6351
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_051D4277 push esi; ret 3_2_051D42E2
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_051D42A8 push esi; ret 3_2_051D42E2
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_08D98BD8 push eax; ret 3_2_08D98BD3
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 11_2_050F2520 push esp; retf 11_2_050F252D
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 11_2_050F21ED push eax; retf 11_2_050F21F1
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 11_2_050F6338 push eax; ret 11_2_050F6341
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 11_2_050F4200 push ebx; ret 11_2_050F42DA
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 11_2_050F2D95 pushfd ; retf 11_2_050F2DD2
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 11_2_050F2DCD pushfd ; retf 11_2_050F2DE2
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 11_2_050F3A9D push ebx; retf 11_2_050F3ADA
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 11_2_050F3ADD push ebx; retf 11_2_050F3ADA
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 11_2_08D35281 push 95E8C88Bh; ret 11_2_08D35288
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 14_2_05212C70 push 04B807B9h; retf 14_2_05212D0E
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 14_2_05210E85 push esi; ret 14_2_05210E9A
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 14_2_08C17A04 push eax; iretd 14_2_08C17A0A
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 14_2_08C187EE push eax; ret 14_2_08C187F3
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 17_2_05216338 push eax; ret 17_2_05216341
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 17_2_05214277 push ebx; ret 17_2_052142DA
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 17_2_05213ACD push ebx; retf 17_2_05213ADA
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 17_2_07CA5785 push edi; retf 0007h 17_2_07CA5786
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 17_2_07CA569D push esi; retf 0007h 17_2_07CA569E
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 17_2_07CA4E90 push eax; retf 0007h 17_2_07CA500E
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 17_2_07CA0CE8 push cs; retf 0007h 17_2_07CA0E0E
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 17_2_07CA0488 push es; retf 0007h 17_2_07CA06A6
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 17_2_07CA528D push edx; retf 0007h 17_2_07CA528E
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 17_2_07CA5001 push eax; retf 0007h 17_2_07CA500E
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 17_2_08E77800 push eax; retf 17_2_08E77801

                            Persistence and Installation Behavior

                            Source: Yara matchFile source: 00000000.00000002.2234036394.0000000000409000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
                            Source: Yara matchFile source: Process Memory Space: java_update.exe PID: 6624, type: MEMORYSTR
                            Source: C:\Users\user\Desktop\java_update.exeFile created: C:\Windows\svchost.comJump to dropped file
                            Source: C:\Users\user\Desktop\java_update.exeFile written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exeJump to behavior
                            Source: C:\Users\user\Desktop\java_update.exeFile written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exeExecutable created and started: C:\Windows\svchost.comJump to behavior
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\DATABASECOMPARE.EXE
Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\UcMapi.exe
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe
Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\MSOHTMED.EXE
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOXMLED.EXE
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCopyAccelerator.exe
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe
Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-006E-0409-0000-0000000FF1CE}\misc.exe
Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SETLANG.EXE
Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\DW\DW20.EXE
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0C0A-0000-0000000FF1CE}\misc.exe
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\lync99.exe
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\FLTLDR.EXE
Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\aimgr.exe
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\cookie_exporter.exe
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\filecompare.exe
Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SELFCERT.EXE
Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SCANPST.EXE
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe
Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\xlicons.exe
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ConfigSecurityPolicy.exe
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSREC.EXE
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\msoev.exe
Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\accicons.exe
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\IEContentService.exe
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\notification_click_helper.exe
Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_proxy.exe
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe
Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\officeappguardwin32.exe
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\wordicon.exe
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\SPREADSHEETCOMPARE.EXE
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\misc.exe
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\Program Files (x86)\AutoIt3\Au3Check.exe
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\NisSrv.exe
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe
Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pj11icon.exe
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ACCICONS.EXE
Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOICONS.EXE
Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\AppSharingHookController64.exe
Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe
Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\visicon.exe
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeComRegisterShellARM64.exe
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge.exe
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXE
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOHTMED.EXE
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXE
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe
Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\XLICONS.EXE
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe
Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe
Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\ai.exe
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedgewebview2.exe
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\Users\user\AppData\Local\Temp\chrome.exe
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0409-0000-0000000FF1CE}\misc.exe
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDlpCmd.exe
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection64.exe
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\outicon.exe
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\dbcicons.exe
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MSQRY32.EXE
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-040C-0000-0000000FF1CE}\misc.exe
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE
Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ORGCHART.EXE
Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SDXHelper.exe
Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\osmclienticon.exe
Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exe
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\WORDICON.EXE
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrSanBroker.exe
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\GRAPH.EXE
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\Program Files (x86)\AutoIt3\Uninstall.exe
Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\sscicons.exe
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MpCmdRun.exe
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection.exe
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXE
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\msoadfsb.exe
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\Program Files (x86)\AutoIt3\Au3Info.exe
Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mpextms.exe
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exe
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrBroker.exe
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\Installer\setup.exe
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\Wordconv.exe
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OcPubMgr.exe
Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\aimgr.exe
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\VPREVIEW.EXE
Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\OLicenseHeartbeat.exe
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe
Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OLCFG.EXE
Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\grv_icons.exe
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe
Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Source Engine\OSE.EXE
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\msoasb.exe
Source: C:\Users\user\Desktop\java_update.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pubs.exe

Source: C:\Windows\svchost.com | File created: C:\Windows\directx.sys

Source: C:\Users\user\Desktop\java_update.exe | File created: C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe
Source: C:\Users\user\Desktop\java_update.exe | File created: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\DATABASECOMPARE.EXE
Source: C:\Windows\svchost.com | File created: C:\Program Files (x86)\Microsoft Office\root\Office16\UcMapi.exe
Source: C:\Users\user\Desktop\java_update.exe | File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe
Source: C:\Users\user\Desktop\java_update.exe | File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe
Source: C:\Windows\svchost.com | File created: C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
Source: C:\Users\user\Desktop\java_update.exe | File created: C:\Program Files (x86)\Microsoft Office\root\Office16\PerfBoost.exe
Source: C:\Users\user\Desktop\java_update.exe | File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe
Source: C:\Users\user\Desktop\java_update.exe | File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\MSOHTMED.EXE
Source: C:\Users\user\Desktop\java_update.exe | File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOXMLED.EXE
Source: C:\Users\user\Desktop\java_update.exe | File created: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE
Source: C:\Users\user\Desktop\java_update.exe | File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCopyAccelerator.exe
Source: C:\Users\user\Desktop\java_update.exe | File created: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe
Source: C:\Windows\svchost.com | File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-006E-0409-0000-0000000FF1CE}\misc.exe
Source: C:\Windows\svchost.com | File created: C:\Program Files (x86)\Microsoft Office\root\Office16\SETLANG.EXE
Source: C:\Windows\svchost.com | File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\DW\DW20.EXE
Source: C:\Users\user\Desktop\java_update.exe | File created: C:\Windows\svchost.com
Source: C:\Windows\svchost.com | File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0C0A-0000-0000000FF1CE}\misc.exe
Source: C:\Users\user\Desktop\java_update.exe | File created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe
Source: C:\Users\user\Desktop\java_update.exe | File created: C:\Program Files (x86)\Microsoft Office\root\Office16\lync99.exe
Source: C:\Users\user\Desktop\java_update.exe | File created: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
Source: C:\Users\user\Desktop\java_update.exe | File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\FLTLDR.EXE
Source: C:\Windows\svchost.com | File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\aimgr.exe
Source: C:\Users\user\Desktop\java_update.exe | File created: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe
Source: C:\Users\user\Desktop\java_update.exe | File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\cookie_exporter.exe
Source: C:\Users\user\Desktop\java_update.exe | File created: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\filecompare.exe
Source: C:\Windows\svchost.com | File created: C:\Program Files (x86)\Microsoft Office\root\Office16\SELFCERT.EXE
Source: C:\Windows\svchost.com | File created: C:\Program Files (x86)\Microsoft Office\root\Office16\SCANPST.EXE
Source: C:\Users\user\Desktop\java_update.exe | File created: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe
Source: C:\Users\user\Desktop\java_update.exe | File created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe
Source: C:\Windows\svchost.com | File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\xlicons.exe
Source: C:\Users\user\Desktop\java_update.exe | File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ConfigSecurityPolicy.exe
Source: C:\Users\user\Desktop\java_update.exe | File created: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTEM.EXE
Source: C:\Users\user\Desktop\java_update.exe | File created: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSREC.EXE
Source: C:\Users\user\Desktop\java_update.exe | File created: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe
Source: C:\Users\user\Desktop\java_update.exe | File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateBroker.exe
Source: C:\Users\user\Desktop\java_update.exe | File created: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe
Source: C:\Users\user\Desktop\java_update.exe | File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\accicons.exe
Source: C:\Users\user\Desktop\java_update.exe | File created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe
Source: C:\Users\user\Desktop\java_update.exe | File created: C:\Program Files (x86)\Microsoft Office\root\Office16\msoev.exe
Source: C:\Users\user\Desktop\java_update.exe | File created: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe
Source: C:\Windows\svchost.com | File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\lyncicon.exe
Source: C:\Users\user\Desktop\java_update.exe | File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exe
Source: C:\Users\user\Desktop\java_update.exe | File created: C:\Program Files (x86)\Microsoft Office\root\Office16\IEContentService.exe
Source: C:\Users\user\Desktop\java_update.exe | File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\notification_click_helper.exe
Source: C:\Windows\svchost.com | File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe
Source: C:\Users\user\Desktop\java_update.exe | File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe
Source: C:\Users\user\Desktop\java_update.exe | File created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe
Source: C:\Users\user\Desktop\java_update.exe | File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_proxy.exe
                            Source: C:\Users\user\Desktop\java_update.exeFile created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\pwahelper.exeJump to dropped file
                            Source: C:\Users\user\Desktop\java_update.exeFile created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exeJump to dropped file
                            Source: C:\Windows\svchost.comFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\officeappguardwin32.exeJump to dropped file
                            Source: C:\Users\user\Desktop\java_update.exeFile created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\wordicon.exeJump to dropped file
                            Source: C:\Users\user\Desktop\java_update.exeFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\SPREADSHEETCOMPARE.EXEJump to dropped file
                            Source: C:\Users\user\Desktop\java_update.exeFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\misc.exeJump to dropped file
                            Source: C:\Users\user\Desktop\java_update.exeFile created: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exeJump to dropped file
                            Source: C:\Users\user\Desktop\java_update.exeFile created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exeJump to dropped file
                            Source: C:\Users\user\Desktop\java_update.exeFile created: C:\Program Files (x86)\Microsoft\Edge\Application\pwahelper.exeJump to dropped file
                            Source: C:\Users\user\Desktop\java_update.exeFile created: C:\Program Files (x86)\Java\jre-1.8\bin\java.exeJump to dropped file
                            Source: C:\Users\user\Desktop\java_update.exeFile created: C:\Program Files (x86)\AutoIt3\Au3Check.exeJump to dropped file
                            Source: C:\Users\user\Desktop\java_update.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\NisSrv.exeJump to dropped file
                            Source: C:\Users\user\Desktop\java_update.exeFile created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exeJump to dropped file
                            Source: C:\Windows\svchost.comFile created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pj11icon.exeJump to dropped file
                            Source: C:\Users\user\Desktop\java_update.exeFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\ACCICONS.EXEJump to dropped file
                            Source: C:\Windows\svchost.comFile created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOICONS.EXEJump to dropped file
                            Source: C:\Users\user\Desktop\java_update.exeFile created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\misc.exeJump to dropped file
                            Source: C:\Users\user\Desktop\java_update.exeFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXEJump to dropped file
                            Source: C:\Users\user\Desktop\java_update.exeFile created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\AppSharingHookController64.exeJump to dropped file
                            Source: C:\Users\user\Desktop\java_update.exeFile created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exeJump to dropped file
                            Source: C:\Users\user\Desktop\java_update.exeFile created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\visicon.exeJump to dropped file
                            Source: C:\Users\user\Desktop\java_update.exeFile created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeJump to dropped file
                            Source: C:\Users\user\Desktop\java_update.exeFile created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeComRegisterShellARM64.exeJump to dropped file
                            Source: C:\Users\user\Desktop\java_update.exeFile created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge.exeJump to dropped file
                            Source: C:\Users\user\Desktop\java_update.exeFile created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exeJump to dropped file
                            Source: C:\Users\user\Desktop\java_update.exeFile created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\joticon.exeJump to dropped file
                            Source: C:\Users\user\Desktop\java_update.exeFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXEJump to dropped file
                            Source: C:\Users\user\Desktop\java_update.exeFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOHTMED.EXEJump to dropped file
                            Source: C:\Users\user\Desktop\java_update.exeFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXEJump to dropped file
                            Source: C:\Users\user\Desktop\java_update.exeFile created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exeJump to dropped file
                            Source: C:\Windows\svchost.comFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\XLICONS.EXEJump to dropped file
                            Source: C:\Windows\svchost.comFile created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXEJump to dropped file
                            Source: C:\Users\user\Desktop\java_update.exeFile created: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exeJump to dropped file
                            Source: C:\Windows\svchost.comFile created: C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exeJump to dropped file
                            Source: C:\Users\user\Desktop\java_update.exeFile created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exeJump to dropped file
                            Source: C:\Windows\svchost.comFile created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\ai.exeJump to dropped file
                            Source: C:\Users\user\Desktop\java_update.exeFile created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedgewebview2.exeJump to dropped file
                            Source: C:\Users\user\Desktop\java_update.exeFile created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exeJump to dropped file
                            Source: C:\Users\user\Desktop\java_update.exeFile created: C:\Users\user\AppData\Local\Temp\chrome.exeJump to dropped file
                            Source: C:\Users\user\Desktop\java_update.exeFile created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0409-0000-0000000FF1CE}\misc.exeJump to dropped file
                            Source: C:\Users\user\Desktop\java_update.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDlpCmd.exeJump to dropped file
                            Source: C:\Users\user\Desktop\java_update.exeFile created: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exeJump to dropped file
                            Source: C:\Users\user\Desktop\java_update.exeFile created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exeJump to dropped file
                            Source: C:\Users\user\Desktop\java_update.exeFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection64.exeJump to dropped file
                            Source: C:\Users\user\Desktop\java_update.exeFile created: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exeJump to dropped file
                            Source: C:\Users\user\Desktop\java_update.exeFile created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exeJump to dropped file
                            Source: C:\Users\user\Desktop\java_update.exeFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXEJump to dropped file
                            Source: C:\Users\user\Desktop\java_update.exeFile created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pptico.exeJump to dropped file
                            Source: C:\Users\user\Desktop\java_update.exeFile created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\outicon.exeJump to dropped file
                            Source: C:\Users\user\Desktop\java_update.exeFile created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exeJump to dropped file
                            Source: C:\Users\user\Desktop\java_update.exeFile created: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exeJump to dropped file
                            Source: C:\Users\user\Desktop\java_update.exeFile created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\dbcicons.exeJump to dropped file
                            Source: C:\Users\user\Desktop\java_update.exeFile created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exeJump to dropped file
                            Source: C:\Users\user\Desktop\java_update.exeFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\MSQRY32.EXEJump to dropped file
                            Source: C:\Users\user\Desktop\java_update.exeFile created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-040C-0000-0000000FF1CE}\misc.exeJump to dropped file
                            Source: C:\Users\user\Desktop\java_update.exeFile created: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXEJump to dropped file
                            Source: C:\Windows\svchost.comFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\ORGCHART.EXEJump to dropped file
                            Source: C:\Windows\svchost.comFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\SDXHelper.exeJump to dropped file
                            Source: C:\Users\user\Desktop\java_update.exeFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\PPTICO.EXEJump to dropped file
                            Source: C:\Windows\svchost.comFile created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\osmclienticon.exeJump to dropped file
                            Source: C:\Windows\svchost.comFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEJump to dropped file
                            Source: C:\Users\user\Desktop\java_update.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exeJump to dropped file
                            Source: C:\Users\user\Desktop\java_update.exeFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\WORDICON.EXEJump to dropped file
                            Source: C:\Users\user\Desktop\java_update.exeFile created: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exeJump to dropped file
                            Source: C:\Users\user\Desktop\java_update.exeFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrSanBroker.exeJump to dropped file
                            Source: C:\Users\user\Desktop\java_update.exeFile created: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exeJump to dropped file
                            Source: C:\Users\user\Desktop\java_update.exeFile created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exeJump to dropped file
                            Source: C:\Users\user\Desktop\java_update.exeFile created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeJump to dropped file
                            Source: C:\Users\user\Desktop\java_update.exeFile created: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exeJump to dropped file
                            Source: C:\Users\user\Desktop\java_update.exeFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\GRAPH.EXEJump to dropped file
                            Source: C:\Users\user\Desktop\java_update.exeFile created: C:\Program Files (x86)\AutoIt3\Uninstall.exeJump to dropped file
                            Source: C:\Windows\svchost.comFile created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\sscicons.exeJump to dropped file
                            Source: C:\Users\user\Desktop\java_update.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MpCmdRun.exeJump to dropped file
                            Source: C:\Users\user\Desktop\java_update.exeFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection.exeJump to dropped file
                            Source: C:\Users\user\Desktop\java_update.exeFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXEJump to dropped file
                            Source: C:\Users\user\Desktop\java_update.exeFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\msoadfsb.exeJump to dropped file
                            Source: C:\Users\user\Desktop\java_update.exeFile created: C:\Program Files (x86)\AutoIt3\Au3Info.exeJump to dropped file
                            Source: C:\Users\user\Desktop\java_update.exeFile created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXEJump to dropped file
                            Source: C:\Users\user\Desktop\java_update.exeFile created: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exeJump to dropped file
                            Source: C:\Users\user\Desktop\java_update.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mpextms.exeJump to dropped file
                            Source: C:\Users\user\Desktop\java_update.exeFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exeJump to dropped file
                            Source: C:\Users\user\Desktop\java_update.exeFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrBroker.exeJump to dropped file
                            Source: C:\Users\user\Desktop\java_update.exeFile created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\Installer\setup.exeJump to dropped file
                            Source: C:\Users\user\Desktop\java_update.exeFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\Wordconv.exeJump to dropped file
                            Source: C:\Users\user\Desktop\java_update.exeFile created: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exeJump to dropped file
                            Source: C:\Users\user\Desktop\java_update.exeFile created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exeJump to dropped file
                            Source: C:\Users\user\Desktop\java_update.exeFile created: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exeJump to dropped file
                            Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exeFile created: C:\ProgramData\Java Update Checker (64 bit).exeJump to dropped file
                            Source: C:\Users\user\Desktop\java_update.exeFile created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exeJump to dropped file
                            Source: C:\Users\user\Desktop\java_update.exeFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\OcPubMgr.exeJump to dropped file
                            Source: C:\Windows\svchost.comFile created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\aimgr.exeJump to dropped file
                            Source: C:\Users\user\Desktop\java_update.exeFile created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exeJump to dropped file
                            Source: C:\Users\user\Desktop\java_update.exeFile created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exeJump to dropped file
                            Source: C:\Users\user\Desktop\java_update.exeFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exeJump to dropped file
                            Source: C:\Users\user\Desktop\java_update.exeFile created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\OLicenseHeartbeat.exeJump to dropped file
                            Source: C:\Users\user\Desktop\java_update.exeFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\VPREVIEW.EXEJump to dropped file
                            Source: C:\Users\user\Desktop\java_update.exeFile created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_pwa_launcher.exeJump to dropped file
                            Source: C:\Users\user\Desktop\java_update.exeFile created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exeJump to dropped file
                            Source: C:\Windows\svchost.comFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\OLCFG.EXEJump to dropped file
                            Source: C:\Windows\svchost.comFile created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\grv_icons.exeJump to dropped file
                            Source: C:\Users\user\Desktop\java_update.exeFile created: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exeJump to dropped file
                            Source: C:\Windows\svchost.comFile created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Source Engine\OSE.EXEJump to dropped file
                            Source: C:\Users\user\Desktop\java_update.exeFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\msoasb.exeJump to dropped file
                            Source: C:\Users\user\Desktop\java_update.exeFile created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pubs.exeJump to dropped file
                            Source: C:\Users\user\Desktop\java_update.exeFile created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exeJump to dropped file
                            Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exeFile created: C:\ProgramData\Java Update Checker (64 bit).exeJump to dropped file
                            Source: C:\Users\user\Desktop\java_update.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MpCmdRun.exeJump to dropped file
                            Source: C:\Users\user\Desktop\java_update.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exeJump to dropped file
                            Source: C:\Users\user\Desktop\java_update.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ConfigSecurityPolicy.exeJump to dropped file
                            Source: C:\Users\user\Desktop\java_update.exeFile created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exeJump to dropped file
                            Source: C:\Users\user\Desktop\java_update.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCopyAccelerator.exeJump to dropped file
                            Source: C:\Users\user\Desktop\java_update.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exeJump to dropped file
                            Source: C:\Users\user\Desktop\java_update.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mpextms.exeJump to dropped file
                            Source: C:\Users\user\Desktop\java_update.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDlpCmd.exeJump to dropped file
                            Source: C:\Users\user\Desktop\java_update.exeFile created: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exeJump to dropped file
                            Source: C:\Users\user\Desktop\java_update.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\NisSrv.exeJump to dropped file
                            Source: C:\Users\user\Desktop\java_update.exeFile created: C:\Windows\svchost.comJump to dropped file

                            Boot Survival

                             Source: Yara match | File source: java_update.exe, type: SAMPLE
                             Source: Yara match | File source: 1.0.java_update.exe.e60000.0.unpack, type: UNPACKEDPE
                             Source: Yara match | File source: 00000001.00000000.1716627555.0000000000E62000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
                             Source: Yara match | File source: Process Memory Space: java_update.exe PID: 1800, type: MEMORYSTR
                             Source: Yara match | File source: C:\ProgramData\Java Update Checker (64 bit).exe, type: DROPPED
                             Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe, type: DROPPED
                             Source: Yara match | File source: 00000000.00000002.2234036394.0000000000409000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
                             Source: Yara match | File source: Process Memory Space: java_update.exe PID: 6624, type: MEMORYSTR
                             Source: C:\Users\user\Desktop\java_update.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command NULL
                             Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java Update Checker (64 bit).lnk

                            Hooking and other Techniques for Hiding and Protection

                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                            Source: C:\Users\user\Desktop\java_update.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\svchost.com Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\svchost.comProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\svchost.com Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\svchost.comProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX

                            Malware Analysis System Evasion

                            Source: Yara match | File source: java_update.exe, type: SAMPLE
                            Source: Yara match | File source: 1.0.java_update.exe.e60000.0.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 00000001.00000000.1716627555.0000000000E62000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
                            Source: Yara match | File source: Process Memory Space: java_update.exe PID: 1800, type: MEMORYSTR
                            Source: Yara match | File source: C:\ProgramData\Java Update Checker (64 bit).exe, type: DROPPED
                            Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe, type: DROPPED
                            Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 | Host: ip-api.com | Connection: Keep-Alive
                            Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                            Source: java_update.exe, 00000001.00000002.2964590079.0000000003351000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SBIEDLL.DLL
                            Source: java_update.exe, Java Update Checker (64 bit).exe.1.dr | Binary or memory string: SBIEDLL.DLLINFO
                            Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe | Memory allocated: 15A0000 memory reserve | memory write watch
                            Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe | Memory allocated: 1B350000 memory reserve | memory write watch
                            Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe | Thread delayed: delay time: 922337203685477
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                            Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe | Window / User API: threadDelayed 3929
                            Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe | Window / User API: threadDelayed 5609
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3236
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 669
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2371
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2352
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3905
                            Source: C:\Users\user\Desktop\java_update.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe
                            Source: C:\Users\user\Desktop\java_update.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\DATABASECOMPARE.EXE
                            Source: C:\Windows\svchost.com | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\UcMapi.exe
                            Source: C:\Users\user\Desktop\java_update.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe
                            Source: C:\Windows\svchost.com | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            Source: C:\Users\user\Desktop\java_update.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe
                            Source: C:\Users\user\Desktop\java_update.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\PerfBoost.exe
                            Source: C:\Users\user\Desktop\java_update.exe | Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe
                            Source: C:\Users\user\Desktop\java_update.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\MSOHTMED.EXE
                            Source: C:\Users\user\Desktop\java_update.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOXMLED.EXE
                            Source: C:\Users\user\Desktop\java_update.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE
                            Source: C:\Users\user\Desktop\java_update.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe
                            Source: C:\Windows\svchost.com | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-006E-0409-0000-0000000FF1CE}\misc.exe
                            Source: C:\Users\user\Desktop\java_update.exe | Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCopyAccelerator.exe
                            Source: C:\Windows\svchost.com | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\SETLANG.EXE
                            Source: C:\Windows\svchost.com | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\DW\DW20.EXE
                            Source: C:\Windows\svchost.com | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0C0A-0000-0000000FF1CE}\misc.exe
                            Source: C:\Users\user\Desktop\java_update.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe
                            Source: C:\Users\user\Desktop\java_update.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\lync99.exe
                            Source: C:\Users\user\Desktop\java_update.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
                            Source: C:\Users\user\Desktop\java_update.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\FLTLDR.EXE
                            Source: C:\Windows\svchost.com | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\aimgr.exe
                            Source: C:\Users\user\Desktop\java_update.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe
                            Source: C:\Windows\svchost.com | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\SELFCERT.EXE
                            Source: C:\Users\user\Desktop\java_update.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\cookie_exporter.exe
                            Source: C:\Users\user\Desktop\java_update.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\filecompare.exe
                            Source: C:\Windows\svchost.com | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\SCANPST.EXE
                            Source: C:\Users\user\Desktop\java_update.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe
                            Source: C:\Windows\svchost.com | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\xlicons.exe
                            Source: C:\Users\user\Desktop\java_update.exe | Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ConfigSecurityPolicy.exe
                            Source: C:\Users\user\Desktop\java_update.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTEM.EXE
                            Source: C:\Users\user\Desktop\java_update.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSREC.EXE
                            Source: C:\Users\user\Desktop\java_update.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe
                            Source: C:\Users\user\Desktop\java_update.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateBroker.exe
                            Source: C:\Users\user\Desktop\java_update.exe | Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe
                            Source: C:\Users\user\Desktop\java_update.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\accicons.exe
                            Source: C:\Users\user\Desktop\java_update.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe
                            Source: C:\Users\user\Desktop\java_update.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\msoev.exe
                            Source: C:\Users\user\Desktop\java_update.exe | Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe
                            Source: C:\Windows\svchost.com | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\lyncicon.exe
                            Source: C:\Users\user\Desktop\java_update.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\IEContentService.exe
                            Source: C:\Users\user\Desktop\java_update.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exe
                            Source: C:\Users\user\Desktop\java_update.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\notification_click_helper.exe
                            Source: C:\Windows\svchost.com | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe
                            Source: C:\Users\user\Desktop\java_update.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe
                            Source: C:\Users\user\Desktop\java_update.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe
                            Source: C:\Users\user\Desktop\java_update.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_proxy.exe
                            Source: C:\Users\user\Desktop\java_update.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\pwahelper.exe
                            Source: C:\Windows\svchost.com | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\officeappguardwin32.exe
                            Source: C:\Users\user\Desktop\java_update.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe
                            Source: C:\Users\user\Desktop\java_update.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\wordicon.exe
                            Source: C:\Users\user\Desktop\java_update.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\SPREADSHEETCOMPARE.EXE
                            Source: C:\Users\user\Desktop\java_update.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\misc.exe
                            Source: C:\Users\user\Desktop\java_update.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe
                            Source: C:\Users\user\Desktop\java_update.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe
                            Source: C:\Users\user\Desktop\java_update.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\pwahelper.exe
                            Source: C:\Users\user\Desktop\java_update.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe
                            Source: C:\Users\user\Desktop\java_update.exe | Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Au3Check.exe
                            Source: C:\Users\user\Desktop\java_update.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe
                            Source: C:\Windows\svchost.com | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pj11icon.exe
                            Source: C:\Users\user\Desktop\java_update.exe | Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\NisSrv.exe
                            Source: C:\Users\user\Desktop\java_update.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\ACCICONS.EXE
                            Source: C:\Windows\svchost.com | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOICONS.EXE
                            Source: C:\Users\user\Desktop\java_update.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\misc.exe
                            Source: C:\Users\user\Desktop\java_update.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\AppSharingHookController64.exe
                            Source: C:\Users\user\Desktop\java_update.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE
                            Source: C:\Users\user\Desktop\java_update.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe
                            Source: C:\Users\user\Desktop\java_update.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\visicon.exe
                            Source: C:\Users\user\Desktop\java_update.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeComRegisterShellARM64.exe
                            Source: C:\Users\user\Desktop\java_update.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                            Source: C:\Users\user\Desktop\java_update.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge.exe
                            Source: C:\Users\user\Desktop\java_update.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe
                            Source: C:\Users\user\Desktop\java_update.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\joticon.exe
                            Source: C:\Users\user\Desktop\java_update.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXE
                            Source: C:\Users\user\Desktop\java_update.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOHTMED.EXE
                            Source: C:\Users\user\Desktop\java_update.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXE
                            Source: C:\Users\user\Desktop\java_update.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe
                            Source: C:\Windows\svchost.com | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\XLICONS.EXE
                            Source: C:\Windows\svchost.com | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
                            Source: C:\Windows\svchost.com | Dropped PE file which has not been started: C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe
                            Source: C:\Users\user\Desktop\java_update.exe | Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe
                            Source: C:\Users\user\Desktop\java_update.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            Source: C:\Windows\svchost.com | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\ai.exe
                            Source: C:\Users\user\Desktop\java_update.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedgewebview2.exe
                            Source: C:\Users\user\Desktop\java_update.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exe
                            Source: C:\Users\user\Desktop\java_update.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0409-0000-0000000FF1CE}\misc.exe
                            Source: C:\Users\user\Desktop\java_update.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\chrome.exe
                            Source: C:\Users\user\Desktop\java_update.exe | Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDlpCmd.exe
                            Source: C:\Users\user\Desktop\java_update.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe
                            Source: C:\Users\user\Desktop\java_update.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe
                            Source: C:\Users\user\Desktop\java_update.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection64.exe
                            Source: C:\Users\user\Desktop\java_update.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe
                            Source: C:\Users\user\Desktop\java_update.exe | Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe
                            Source: C:\Users\user\Desktop\java_update.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE
                            Source: C:\Users\user\Desktop\java_update.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pptico.exe
                            Source: C:\Users\user\Desktop\java_update.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe
                            Source: C:\Users\user\Desktop\java_update.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\outicon.exe
                            Source: C:\Users\user\Desktop\java_update.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe
                            Source: C:\Users\user\Desktop\java_update.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\dbcicons.exe
                            Source: C:\Users\user\Desktop\java_update.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\MSQRY32.EXE
                            Source: C:\Users\user\Desktop\java_update.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe
                            Source: C:\Users\user\Desktop\java_update.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-040C-0000-0000000FF1CE}\misc.exe
                            Source: C:\Users\user\Desktop\java_update.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE
                            Source: C:\Windows\svchost.com | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\SDXHelper.exe
                            Source: C:\Windows\svchost.com | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\ORGCHART.EXE
                            Source: C:\Windows\svchost.com | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\osmclienticon.exe
                            Source: C:\Users\user\Desktop\java_update.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\PPTICO.EXE
                            Source: C:\Windows\svchost.com | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                            Source: C:\Users\user\Desktop\java_update.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe
                            Source: C:\Users\user\Desktop\java_update.exeDropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exeJump to dropped file
                            Source: C:\Users\user\Desktop\java_update.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\WORDICON.EXEJump to dropped file
                            Source: C:\Users\user\Desktop\java_update.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrSanBroker.exeJump to dropped file
                            Source: C:\Users\user\Desktop\java_update.exeDropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exeJump to dropped file
                            Source: C:\Users\user\Desktop\java_update.exeDropped PE file which has not been started: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exeJump to dropped file
                            Source: C:\Users\user\Desktop\java_update.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeJump to dropped file
                            Source: C:\Users\user\Desktop\java_update.exeDropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exeJump to dropped file
                            Source: C:\Users\user\Desktop\java_update.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\GRAPH.EXEJump to dropped file
                            Source: C:\Users\user\Desktop\java_update.exeDropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Uninstall.exeJump to dropped file
                            Source: C:\Windows\svchost.comDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\sscicons.exeJump to dropped file
                            Source: C:\Users\user\Desktop\java_update.exeDropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MpCmdRun.exeJump to dropped file
                            Source: C:\Users\user\Desktop\java_update.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection.exeJump to dropped file
                            Source: C:\Users\user\Desktop\java_update.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXEJump to dropped file
                            Source: C:\Users\user\Desktop\java_update.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\msoadfsb.exeJump to dropped file
                            Source: C:\Users\user\Desktop\java_update.exeDropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Au3Info.exeJump to dropped file
                            Source: C:\Users\user\Desktop\java_update.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXEJump to dropped file
                            Source: C:\Users\user\Desktop\java_update.exeDropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exeJump to dropped file
                            Source: C:\Users\user\Desktop\java_update.exeDropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mpextms.exeJump to dropped file
                            Source: C:\Users\user\Desktop\java_update.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exeJump to dropped file
                            Source: C:\Users\user\Desktop\java_update.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrBroker.exeJump to dropped file
                            Source: C:\Users\user\Desktop\java_update.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\Installer\setup.exeJump to dropped file
                            Source: C:\Users\user\Desktop\java_update.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\Wordconv.exeJump to dropped file
                            Source: C:\Users\user\Desktop\java_update.exeDropped PE file which has not been started: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exeJump to dropped file
                            Source: C:\Users\user\Desktop\java_update.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exeJump to dropped file
                            Source: C:\Users\user\Desktop\java_update.exeDropped PE file which has not been started: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exeJump to dropped file
                            Source: C:\Users\user\Desktop\java_update.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\OcPubMgr.exeJump to dropped file
                            Source: C:\Users\user\Desktop\java_update.exeDropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exeJump to dropped file
                            Source: C:\Windows\svchost.comDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\aimgr.exeJump to dropped file
                            Source: C:\Users\user\Desktop\java_update.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exeJump to dropped file
                            Source: C:\Users\user\Desktop\java_update.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exeJump to dropped file
                            Source: C:\Users\user\Desktop\java_update.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exeJump to dropped file
                            Source: C:\Users\user\Desktop\java_update.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\OLicenseHeartbeat.exeJump to dropped file
                            Source: C:\Users\user\Desktop\java_update.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\VPREVIEW.EXEJump to dropped file
                            Source: C:\Users\user\Desktop\java_update.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_pwa_launcher.exeJump to dropped file
                            Source: C:\Users\user\Desktop\java_update.exeDropped PE file which has not been started: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exeJump to dropped file
                            Source: C:\Windows\svchost.comDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\OLCFG.EXEJump to dropped file
                            Source: C:\Windows\svchost.comDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\grv_icons.exeJump to dropped file
                            Source: C:\Users\user\Desktop\java_update.exeDropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exeJump to dropped file
                            Source: C:\Windows\svchost.comDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Source Engine\OSE.EXEJump to dropped file
                            Source: C:\Users\user\Desktop\java_update.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\msoasb.exeJump to dropped file
                            Source: C:\Users\user\Desktop\java_update.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pubs.exeJump to dropped file
                            Source: C:\Users\user\Desktop\java_update.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exeJump to dropped file
                            Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe TID: 8176 | Thread sleep time: -29514790517935264s >= -30000s
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7196 | Thread sleep time: -2767011611056431s >= -30000s
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4048 | Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8108 | Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7972 | Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8132 | Thread sleep time: -2767011611056431s >= -30000s
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8060 | Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8088 | Thread sleep count: 3905 > 30
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8152 | Thread sleep time: -1844674407370954s >= -30000s
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8120 | Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
                            Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed (6 identical entries)
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Last function: Thread delayed
                            Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe | File Volume queried: C:\ FullSizeInformation (21 identical entries)
                            Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe | Thread delayed: delay time: 922337203685477
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477 (8 identical entries)
                            Source: C:\Users\user\Desktop\java_update.exe | File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\Windows\Config\
                            Source: C:\Users\user\Desktop\java_update.exe | File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\
                            Source: C:\Users\user\Desktop\java_update.exe | File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\Windows\
                            Source: C:\Users\user\Desktop\java_update.exe | File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex\
                            Source: C:\Users\user\Desktop\java_update.exe | File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\Windows\GatherLogs\
                            Source: C:\Users\user\Desktop\java_update.exe | File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\
                            Source: Java Update Checker (64 bit).exe.1.dr | Binary or memory string: vmware
                            Source: java_update.exe, 00000001.00000002.2980468023.000000001C120000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll(
                            Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe | Process information queried: ProcessInformation

                            Anti Debugging

                            Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe | Code function: 1_2_00007FFD9B896E61 CheckRemoteDebuggerPresent, 1_2_00007FFD9B896E61
                            Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe | Process queried: DebugPort
                            Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe | Process token adjusted: Debug (2 identical entries)
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug (4 identical entries)
                            Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe | Memory allocated: page read and write | page guard

                            HIPS / PFW / Operating System Protection Evasion

                            Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe | Process created: C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe' (3 identical entries)
                            Source: C:\Windows\svchost.com | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe' (3 identical entries)
                            Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe | Process created: C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Java Update Checker (64 bit).exe' (3 identical entries)
                            Source: C:\Windows\svchost.com | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Java Update Checker (64 bit).exe' (2 identical entries)
                            Source: C:\Users\user\Desktop\java_update.exe | File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe
                            Source: C:\Users\user\Desktop\java_update.exe | Process created: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe "C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe"
                            Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe | Process created: C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'java_update.exe'
                            Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe | Process created: C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Java Update Checker (64 bit).exe'
                            Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe VolumeInformation
                            Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe | Queries volume information: C:\ VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation (4 identical entries)
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (6 identical entries)
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation (6 identical entries)
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                            Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                            Lowering of HIPS / PFW / Operating System Security Settings

                             Source: Yara match | File source: java_update.exe, type: SAMPLE
                             Source: Yara match | File source: 1.0.java_update.exe.e60000.0.unpack, type: UNPACKEDPE
                             Source: Yara match | File source: 00000001.00000000.1716627555.0000000000E62000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
                             Source: Yara match | File source: Process Memory Space: java_update.exe PID: 1800, type: MEMORYSTR
                             Source: Yara match | File source: C:\ProgramData\Java Update Checker (64 bit).exe, type: DROPPED
                             Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe, type: DROPPED
                             Source: java_update.exe, 00000001.00000002.2980468023.000000001C1F8000.00000004.00000020.00020000.00000000.sdmp, java_update.exe, 00000001.00000002.2961382992.00000000013DE000.00000004.00000020.00020000.00000000.sdmp, java_update.exe, 00000001.00000002.2980468023.000000001C1B1000.00000004.00000020.00020000.00000000.sdmp, java_update.exe, 00000001.00000002.2980468023.000000001C120000.00000004.00000020.00020000.00000000.sdmp, java_update.exe, 00000001.00000002.2980468023.000000001C17E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                             Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                             Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                             Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                             Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                             Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                             Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                             Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                             Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                             Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                             Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                             Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                             Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                             Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                             Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                             Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                             Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                             Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                             Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                             Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                             Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

                            Stealing of Sensitive Information

                             Source: Yara match | File source: 00000000.00000002.2234036394.0000000000409000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
                             Source: Yara match | File source: Process Memory Space: java_update.exe PID: 6624, type: MEMORYSTR
                             Source: Yara match | File source: java_update.exe, type: SAMPLE
                             Source: Yara match | File source: 1.0.java_update.exe.e60000.0.unpack, type: UNPACKEDPE
                             Source: Yara match | File source: 00000001.00000000.1716627555.0000000000E62000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
                             Source: Yara match | File source: 00000001.00000002.2964590079.0000000003351000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                             Source: Yara match | File source: Process Memory Space: java_update.exe PID: 1800, type: MEMORYSTR
                             Source: Yara match | File source: C:\ProgramData\Java Update Checker (64 bit).exe, type: DROPPED
                             Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe, type: DROPPED

                            Remote Access Functionality

                            Source: Yara match; File source: java_update.exe, type: SAMPLE
                            Source: Yara match; File source: 1.0.java_update.exe.e60000.0.unpack, type: UNPACKEDPE
                            Source: Yara match; File source: 00000001.00000000.1716627555.0000000000E62000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
                            Source: Yara match; File source: 00000001.00000002.2964590079.0000000003351000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match; File source: Process Memory Space: java_update.exe PID: 1800, type: MEMORYSTR
                            Source: Yara match; File source: C:\ProgramData\Java Update Checker (64 bit).exe, type: DROPPED
                            Source: Yara match; File source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe, type: DROPPED
                            MITRE ATT&CK Matrix

                            The matrix is listed per tactic (column). Entries prefixed with a number are techniques for which the report's signatures matched, the number being the report's hit count; the remaining entries are the unmatched matrix template.

                            Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
                            Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
                            Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
                            Execution: 12 Windows Management Instrumentation; 1 Scheduled Task/Job; 1 PowerShell; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
                            Persistence: 1 DLL Side-Loading; 1 Windows Service; 1 Scheduled Task/Job; 12 Registry Run Keys / Startup Folder; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
                            Privilege Escalation: 1 DLL Side-Loading; 1 Windows Service; 11 Process Injection; 1 Scheduled Task/Job; 12 Registry Run Keys / Startup Folder; RC Scripts; Startup Items; Scheduled Task/Job
                            Defense Evasion: 21 Disable or Modify Tools; 1 Deobfuscate/Decode Files or Information; 11 Obfuscated Files or Information; 2 Software Packing; 1 DLL Side-Loading; 321 Masquerading; 151 Virtualization/Sandbox Evasion; 11 Process Injection
                            Credential Access: 111 Input Capture; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
                            Discovery: 2 File and Directory Discovery; 23 System Information Discovery; 541 Security Software Discovery; 1 Process Discovery; 151 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 System Network Configuration Discovery; System Owner/User Discovery
                            Lateral Movement: 1 Taint Shared Content; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
                            Collection: 11 Archive Collected Data; 111 Input Capture; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
                            Command and Control: 1 Ingress Tool Transfer; 1 Encrypted Channel; 1 Non-Standard Port; 2 Non-Application Layer Protocol; 12 Application Layer Protocol; Multiband Communication; Commonly Used Port; Application Layer Protocol
                            Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
                            Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
                            Behavior Graph (ID 1465837): sample java_update.exe, start date 02/07/2024, architecture WINDOWS, score 100
                            Top-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus detection for dropped file; 20 other signatures
                            DNS: ip-api.com

                            java_update.exe (started)
                                dropped: C:\Windows\svchost.com (PE32); C:\Users\user\AppData\Local\Temp\chrome.exe (PE32); C:\Users\user\AppData\...\java_update.exe (PE32); 122 other malicious files
                                signatures: Creates an undocumented autostart registry key; Drops PE files with a suspicious file extension; Drops or copies MsMpEng.exe (Windows Defender, likely to bypass HIPS); 2 other signatures
                                java_update.exe (started by the first instance)
                                    network: ip-api.com 208.95.112.1, ports 49730 and 80, TUT-ASUS, United States; 45.141.26.232, ports 49737, 49739, 49740, SPECTRAIPSpectraIPBVNL, Netherlands
                                    dropped: C:\...\Java Update Checker (64 bit).exe (PE32)
                                    signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Protects its processes via BreakOnTermination flag; Drops executables to the windows directory (C:\Windows) and starts them; 3 other signatures
                                    svchost.com (four instances started)
                                        dropped (first instance): C:\Program Files (x86)\...\Uninstall.exe (PE32); C:\Program Files (x86)\...\misc.exe (PE32); C:\Program Files (x86)\...\misc.exe (PE32); 26 other malicious files
                                        signatures: Bypasses PowerShell execution policy; Adds a directory exclusion to Windows Defender; Sample is not signed and drops a device driver; Infects executable files (exe, dll, sys, html)
                                        powershell.exe (one started by each svchost.com instance)
                                            signatures: Loading BitLocker PowerShell Module
                                            conhost.exe (one started by each powershell.exe)
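The process chain above gives an incident responder a concrete set of host artifacts to look for: the dropped C:\Windows\svchost.com and C:\ProgramData\Java Update Checker (64 bit).exe, the staged copies under the user's Temp directory, the Defender path exclusion added by the PowerShell children of svchost.com, the SecurityCenter2 enumeration, and the two remote hosts. The PowerShell triage script below is an added example and is not part of the Joe Sandbox report or of the sample. The file paths and IP addresses are taken from this report; the check of the exefile open-command handler is an assumption based on public write-ups of how Neshta persists (the report itself only records the drop of svchost.com and an undocumented autostart key); the root/SecurityCenter2 namespace exists only on client editions of Windows.

```powershell
# Added host-triage example for the artifacts this report attributes to java_update.exe.
# Not report code. Run elevated; every check is read-only.

$Findings = [System.Collections.Generic.List[string]]::new()

# 1. Dropped files named in the behavior graph (report paths; each user profile is tried
#    for the two Temp-staged copies).
$DroppedPaths = @(
    'C:\Windows\svchost.com',
    'C:\ProgramData\Java Update Checker (64 bit).exe'
)
foreach ($profile in Get-ChildItem 'C:\Users' -Directory -ErrorAction SilentlyContinue) {
    $DroppedPaths += Join-Path $profile.FullName 'AppData\Local\Temp\3582-490\java_update.exe'
    $DroppedPaths += Join-Path $profile.FullName 'AppData\Local\Temp\chrome.exe'
}
foreach ($path in $DroppedPaths) {
    if (Test-Path -LiteralPath $path) {
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        $Findings.Add("dropped file present: $path sha256=$hash")
    }
}

# 2. Assumed Neshta persistence: the .exe file-type handler redirected to svchost.com.
#    This key is not named in the report; it comes from public Neshta analyses.
$exeHandler = (Get-ItemProperty -Path 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command' `
               -Name '(default)' -ErrorAction SilentlyContinue).'(default)'
if ($exeHandler -and $exeHandler -match 'svchost\.com') {
    $Findings.Add("exefile open handler hijacked: $exeHandler")
}

# 3. Defender path exclusions (the report shows svchost.com's PowerShell children adding one).
$exclusions = (Get-MpPreference -ErrorAction SilentlyContinue).ExclusionPath
foreach ($exclusion in $exclusions) {
    $Findings.Add("Defender path exclusion configured: $exclusion")
}

# 4. Live TCP connections to the remote hosts the sandbox observed.
$RemoteIocs = @('45.141.26.232', '208.95.112.1')
Get-NetTCPConnection -ErrorAction SilentlyContinue |
    Where-Object { $RemoteIocs -contains $_.RemoteAddress } |
    ForEach-Object {
        $Findings.Add("connection to $($_.RemoteAddress):$($_.RemotePort) from PID $($_.OwningProcess)")
    }

# 5. The same Security Center query the sample issued, shown here so the analyst can see
#    what an AntivirusProduct enumeration returns on this host (client Windows only).
$avProducts = Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName AntivirusProduct `
              -ErrorAction SilentlyContinue
foreach ($av in $avProducts) {
    $Findings.Add("registered AV product: $($av.displayName) productState=$($av.productState)")
}

if ($Findings.Count -eq 0) { 'no indicators from report 1465837 found' } else { $Findings }
```

A hit on check 1 or 2 is a strong indicator; check 3 lists every exclusion, so compare it against the baseline for the machine, and check 4 only catches a connection that is open at the moment the script runs, so pair it with proxy or firewall logs for the two addresses.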

                            Source | Detection | Scanner | Label | Link
                            java_update.exe | 97% | ReversingLabs | Win32.Virus.Neshuta |
                            java_update.exe | 89% | Virustotal | | Browse
                            java_update.exe | 100% | Avira | W32/Delf.I |
                            java_update.exe | 100% | Joe Sandbox ML | |
                            Source | Detection | Scanner | Label | Link
                            C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe | 100% | Avira | W32/Delf.I |
                            C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | 100% | Avira | W32/Delf.I |
                            C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe | 100% | Avira | W32/Delf.I |
                            C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe | 100% | Avira | W32/Delf.I |
                            C:\Program Files (x86)\AutoIt3\Uninstall.exe | 100% | Avira | W32/Delf.I |
                            C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe | 100% | Avira | W32/Delf.I |
                            C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe | 100% | Avira | W32/Delf.I |
                            C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe | 100% | Avira | W32/Delf.I |
                            C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe | 100% | Avira | W32/Delf.I |
                            C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe | 100% | Avira | W32/Delf.I |
                            C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe | 100% | Avira | W32/Delf.I |
                            C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe | 100% | Avira | W32/Delf.I |
                            C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe | 100% | Avira | W32/Delf.I |
                            C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe | 100% | Avira | W32/Delf.I |
                            C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe | 100% | Avira | W32/Delf.I |
                            C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe | 100% | Avira | W32/Delf.I |
                            C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe | 100% | Avira | W32/Delf.I |
                            C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe | 100% | Avira | W32/Delf.I |
                            C:\Program Files (x86)\AutoIt3\Au3Check.exe | 100% | Avira | W32/Delf.I |
                            C:\Program Files (x86)\AutoIt3\Au3Info.exe | 100% | Avira | W32/Delf.I |
                            C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe | 100% | Avira | W32/Delf.I |
                            C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe | 100% | Avira | W32/Delf.I |
                            C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe | 100% | Avira | W32/Delf.I |
                            C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe | 100% | Avira | W32/Delf.I |
                            C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe | 100% | Avira | W32/Delf.I |
                            C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe | 100% | Avira | W32/Delf.I |
                            C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE | 100% | Avira | W32/Delf.I |
                            C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe | 100% | Avira | W32/Delf.I |
                            C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe | 100% | Avira | W32/Delf.I |
                            C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe | 100% | Avira | W32/Delf.I |
                            C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe | 100% | Avira | W32/Delf.I |
                            C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe | 100% | Joe Sandbox ML | |
                            C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | 100% | Joe Sandbox ML | |
                            C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe | 100% | Joe Sandbox ML | |
                            C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe | 100% | Joe Sandbox ML | |
                            C:\Program Files (x86)\AutoIt3\Uninstall.exe | 100% | Joe Sandbox ML | |
                            C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe | 100% | Joe Sandbox ML | |
                            C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe | 100% | Joe Sandbox ML | |
                            C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe | 100% | Joe Sandbox ML | |
                            C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe | 100% | Joe Sandbox ML | |
                            C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe | 100% | Joe Sandbox ML | |
                            C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe | 100% | Joe Sandbox ML | |
                            C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe | 100% | Joe Sandbox ML | |
                            C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe | 100% | Joe Sandbox ML | |
                            C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe | 100% | Joe Sandbox ML | |
                            C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe | 100% | Joe Sandbox ML | |
                            C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe | 100% | Joe Sandbox ML | |
                            C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe | 100% | Joe Sandbox ML | |
                            C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe | 100% | Joe Sandbox ML | |
                            C:\Program Files (x86)\AutoIt3\Au3Check.exe | 100% | Joe Sandbox ML | |
                            C:\Program Files (x86)\AutoIt3\Au3Info.exe | 100% | Joe Sandbox ML | |
                            C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe | 100% | Joe Sandbox ML | |
                            C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe | 100% | Joe Sandbox ML | |
                            C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe | 100% | Joe Sandbox ML | |
                            C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe | 100% | Joe Sandbox ML | |
                            C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe | 100% | Joe Sandbox ML | |
                            C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe | 100% | Joe Sandbox ML | |
                            C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE | 100% | Joe Sandbox ML | |
                            C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe | 100% | Joe Sandbox ML | |
                            C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe | 100% | Joe Sandbox ML | |
                            C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe | 100% | Joe Sandbox ML | |
                            C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe | 100% | Joe Sandbox ML | |
                            C:\Program Files (x86)\AutoIt3\Au3Check.exe | 97% | ReversingLabs | Win32.Virus.Neshuta |
                            C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe | 94% | ReversingLabs | Win32.Virus.Neshta |
                            C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe | 83% | Virustotal | | Browse
                            C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe | 100% | ReversingLabs | Win32.Virus.Neshuta |
                            C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | 100% | ReversingLabs | Win32.Virus.Neshuta |
                            C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe | 100% | ReversingLabs | Win32.Virus.Neshuta |
                            C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe | 100% | ReversingLabs | Win32.Virus.Neshuta |
                            C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe | 100% | ReversingLabs | Win32.Virus.Neshuta |
                            C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe | 100% | ReversingLabs | Win32.Virus.Neshuta |
                            C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe | 100% | ReversingLabs | Win32.Virus.Neshuta |
                            C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe | 100% | ReversingLabs | Win32.Virus.Neshuta |
                            C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe | 100% | ReversingLabs | Win32.Virus.Neshuta |
                            C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe | 100% | ReversingLabs | Win32.Virus.Neshuta |
                            C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe | 100% | ReversingLabs | Win32.Virus.Neshuta |
                            C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe | 100% | ReversingLabs | Win32.Virus.Neshuta |
                            C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe | 100% | ReversingLabs | Win32.Virus.Neshuta |
                            C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe | 100% | ReversingLabs | Win32.Virus.Neshuta |
                            C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe | 100% | ReversingLabs | Win32.Virus.Neshuta |
                            C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe | 100% | ReversingLabs | Win32.Virus.Neshuta |
                            C:\Program Files (x86)\Java\jre-1.8\bin\java.exe | 100% | ReversingLabs | Win32.Virus.Neshuta |
                            C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe | 100% | ReversingLabs | Win32.Virus.Neshuta |
                            C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe | 100% | ReversingLabs | Win32.Virus.Neshuta |
                            C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe | 100% | ReversingLabs | Win32.Virus.Neshuta |
                            C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe | 100% | ReversingLabs | Win32.Virus.Neshuta |
                            C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe | 100% | ReversingLabs | Win32.Virus.Neshuta |
                            C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe | 100% | ReversingLabs | Win32.Virus.Neshuta |
                            No Antivirus matches
                            Source | Detection | Scanner | Label | Link
                            ip-api.com | 0% | Virustotal | | Browse
                            Source | Detection | Scanner | Label | Link
                            http://nuget.org/NuGet.exe | 0% | URL Reputation | safe |
                            http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe |
                            http://schemas.xmlsoap.org/soap/encoding/ | 0% | URL Reputation | safe |
                            http://www.apache.org/licenses/LICENSE-2.0.html | 0% | URL Reputation | safe |
                            https://contoso.com/License | 0% | URL Reputation | safe |
                            https://contoso.com/Icon | 0% | URL Reputation | safe |
                            http://tempuri.org/ | 0% | URL Reputation | safe |
                            http://nsis.sf.net/NSIS_ErrorError | 0% | URL Reputation | safe |
                            http://schemas.xmlsoap.org/wsdl/ | 0% | URL Reputation | safe |
                            https://contoso.com/ | 0% | URL Reputation | safe |
                            https://nuget.org/nuget.exe | 0% | URL Reputation | safe |
                            http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe |
                            http://ip-api.com/line/?fields=hosting | 0% | URL Reputation | safe |
                            http://tempuri.org/IRoamingSettingsService/WriteSettings | 0% | Avira URL Cloud | safe |
                            http://crl.microsoftI | 0% | Avira URL Cloud | safe |
                            http://crl.microK | 0% | Avira URL Cloud | safe |
                            https://mozilla.org0/ | 0% | Avira URL Cloud | safe |
                            http://crl.microsoft | 0% | Avira URL Cloud | safe |
                            http://tempuri.org/IRoamingSettingsService/DisableUserResponse | 0% | Avira URL Cloud | safe |
                            http://schemas.datacontract.org/2004/07/Microsoft.Office.Web.Roaming.Service | 0% | Avira URL Cloud | safe |
                            http://www.autoitscript.com/autoit3/ | 0% | Avira URL Cloud | safe |
                            http://crl.microsoft | 0% | Virustotal | | Browse
                            https://www.autoitscript.com/autoit3/ | 0% | Avira URL Cloud | safe |
                            http://crl.me | 0% | Avira URL Cloud | safe |
                            https://github.com/Pester/Pester | 0% | Avira URL Cloud | safe |
                            http://tempuri.org/IRoamingSettingsService/WriteSettings | 0% | Virustotal | | Browse
                            https://www.autoitscript.com/autoit3/ | 0% | Virustotal | | Browse
                            http://schemas.datacontract.org/2004/07/Microsoft.Office.Web.Roaming.Service | 0% | Virustotal | | Browse
                            http://crl.microsoft/ | 0% | Avira URL Cloud | safe |
                            http://tempuri.org/IRoamingSettingsService/DisableUserResponse | 0% | Virustotal | | Browse
                            http://tempuri.org/IRoamingSettingsService/WriteSettingsResponse | 0% | Avira URL Cloud | safe |
                            http://tempuri.org/IRoamingSettingsService/ReadSettings | 0% | Avira URL Cloud | safe |
                            http://schemas.datacontract.org/2004/07/Microsoft.Office.Web.Roaming.SoapObjectsItemsSortKeyArrayOfR | 0% | Avira URL Cloud | safe |
                            https://github.com/Pester/Pester | 1% | Virustotal | | Browse
                            http://crl.me | 0% | Virustotal | | Browse
                            https://github.com/pq-crystals/kyber/commit/28413dfbf523fdde181246451c2bd77199c0f7ffDilithium2Dilith | 0% | Avira URL Cloud | safe |
                            http://tempuri.org/IRoamingSettingsService/WriteSettingsResponse | 0% | Virustotal | | Browse
                            http://crl.micro | 0% | Avira URL Cloud | safe |
                            http://tempuri.org/IRoamingSettingsService/ReadSettings | 1% | Virustotal | | Browse
                            http://tempuri.org/IRoamingSettingsService/GetConfig | 0% | Avira URL Cloud | safe |
                            http://tempuri.org/IRoamingSettingsService/GetConfigResponse | 0% | Avira URL Cloud | safe |
                            http://tempuri.org/IRoamingSettingsService/WriteSettingshttp://tempuri.org/IRoamingSettingsService/R | 0% | Avira URL Cloud | safe |
                            https://github.com/pq-crystals/kyber/commit/28413dfbf523fdde181246451c2bd77199c0f7ffDilithium2Dilith | 0% | Virustotal | | Browse
                            http://crl.microsoft/ | 0% | Virustotal | | Browse
                            http://tempuri.org/IRoamingSettingsService/DisableUser | 0% | Avira URL Cloud | safe |
                            http://tempuri.org/IRoamingSettingsService/GetConfig | 0% | Virustotal | | Browse
                            https://aka.ms/pscore6lBfq | 0% | Avira URL Cloud | safe |
                            http://tempuri.org/IRoamingSettingsService/ReadSettingsResponse | 0% | Avira URL Cloud | safe |
                            http://tempuri.org/IRoamingSettingsService/WriteSettingshttp://tempuri.org/IRoamingSettingsService/R | 1% | Virustotal | | Browse
                            http://schemas.datacontract.org/2004/07/Microsoft.Office.Web.Roaming.SoapObjectsItemsSortKeyArrayOfR | 0% | Virustotal | | Browse
                            http://127.0.0.1:13556/InsiderSlabBehaviorReportedBuildInsiderSlabBehaviorInsiderSlabBehaviorReporte | 0% | Avira URL Cloud | safe |
                            http://tempuri.org/IRoamingSettingsService/DisableUser | 0% | Virustotal | | Browse
                            http://www.autoitscript.com/autoit3/8 | 0% | Avira URL Cloud | safe |
                            http://schemas.datacontract.org/2004/07/Microsoft.Office.Web.Roaming.SoapObjects | 0% | Avira URL Cloud | safe |
                            http://tempuri.org/IRoamingSettingsService/EnableUser | 0% | Avira URL Cloud | safe |
                            http://127.0.0.1:13556/InsiderSlabBehaviorReportedBuildInsiderSlabBehaviorInsiderSlabBehaviorReporte | 0% | Virustotal | | Browse
                            http://tempuri.org/IRoamingSettingsService/GetConfigResponse | 2% | Virustotal | | Browse
                            http://tempuri.org/IRoamingSettingsService/EnableUserResponse | 0% | Avira URL Cloud | safe |
                            http://schemas.datacontract.org/2004/07/Microsoft.Office.Web.Roaming.SoapObjects | 0% | Virustotal | | Browse
                            http://tempuri.org/IRoamingSettingsService/EnableUser | 1% | Virustotal | | Browse
                            http://www.autoitscript.com/autoit3/ | 0% | Virustotal | | Browse
                            http://tempuri.org/IRoamingSettingsService/ReadSettingsResponse | 1% | Virustotal | | Browse
                            https://github.com/pq-crystals/kyber/commit/28413dfbf523fdde181246451c2bd77199c0f7ff | 0% | Avira URL Cloud | safe |
                            45.141.26.232 | 0% | Avira URL Cloud | safe |
                            http://tempuri.org/IRoamingSettingsService/EnableUserResponse | 0% | Virustotal | | Browse
                            http://www.autoitscript.com/autoit3/8 | 0% | Virustotal | | Browse
                            https://github.com/pq-crystals/kyber/commit/28413dfbf523fdde181246451c2bd77199c0f7ff | 0% | Virustotal | | Browse
                            45.141.26.232 | 3% | Virustotal | | Browse
                            Name | IP | Active | Malicious | Antivirus Detection | Reputation
                            ip-api.com | 208.95.112.1 | true | true | | unknown

                            Name | Malicious | Antivirus Detection | Reputation
                            http://ip-api.com/line/?fields=hosting | false | URL Reputation: safe | unknown
                            45.141.26.232 | true | 3%, Virustotal, Browse; Avira URL Cloud: safe | unknown
                            Name | Source | Malicious | Antivirus Detection | Reputation
                            http://tempuri.org/IRoamingSettingsService/WriteSettings | officeappguardwin32.exe.2.dr | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
                            http://nuget.org/NuGet.exe | powershell.exe, 00000003.00000002.1919244563.000000000637A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2324521202.00000000062F7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2334742070.00000000064D8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2331798038.0000000006318000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                            https://mozilla.org0/ | Uninstall.exe.2.dr | false | Avira URL Cloud: safe | unknown
                            http://crl.microsoftI | powershell.exe, 0000000E.00000002.2356534559.00000000077F3000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                            http://crl.microK | powershell.exe, 00000011.00000002.2361460775.0000000008962000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                            http://pesterbdd.com/images/Pester.png | powershell.exe, 00000011.00000002.2292459669.0000000005406000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                            http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 00000003.00000002.1910750935.0000000005466000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2285866607.00000000053E6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2287207179.00000000055C6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2292459669.0000000005406000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                            http://crl.microsoft | powershell.exe, 00000011.00000002.2361460775.000000000897D000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2361460775.00000000089A7000.00000004.00000020.00020000.00000000.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
                            http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000011.00000002.2292459669.0000000005406000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                            http://schemas.datacontract.org/2004/07/Microsoft.Office.Web.Roaming.Service | officeappguardwin32.exe.2.dr | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
                            https://contoso.com/License | powershell.exe, 00000011.00000002.2331798038.0000000006318000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                            https://contoso.com/Icon | powershell.exe, 00000011.00000002.2331798038.0000000006318000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                            http://tempuri.org/ | officeappguardwin32.exe.2.dr | false | URL Reputation: safe | unknown
                            http://tempuri.org/IRoamingSettingsService/DisableUserResponse | officeappguardwin32.exe.2.dr | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
                            http://nsis.sf.net/NSIS_ErrorError | svchost.com, 00000002.00000002.2231810961.0000000000193000.00000004.00000010.00020000.00000000.sdmp, Uninstall.exe.2.dr | false | URL Reputation: safe | unknown
                            http://www.autoitscript.com/autoit3/ | Aut2exe.exe.0.dr | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
                            https://www.autoitscript.com/autoit3/ | Aut2exe.exe.0.dr | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
                            http://crl.me | powershell.exe, 0000000B.00000002.2358182918.000000000889C000.00000004.00000020.00020000.00000000.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
                            https://github.com/Pester/Pester | powershell.exe, 00000011.00000002.2292459669.0000000005406000.00000004.00000800.00020000.00000000.sdmp | false | 1%, Virustotal, Browse; Avira URL Cloud: safe | unknown
                            http://crl.microsoft/powershell.exe, 0000000B.00000002.2358182918.000000000889C000.00000004.00000020.00020000.00000000.sdmpfalse
                            • 0%, Virustotal, Browse
                            • Avira URL Cloud: safe
                            unknown
                            http://tempuri.org/IRoamingSettingsService/WriteSettingsResponseofficeappguardwin32.exe.2.drfalse
                            • 0%, Virustotal, Browse
                            • Avira URL Cloud: safe
                            unknown
                            http://tempuri.org/IRoamingSettingsService/ReadSettingsofficeappguardwin32.exe.2.drfalse
                            • 1%, Virustotal, Browse
                            • Avira URL Cloud: safe
                            unknown
                            http://schemas.datacontract.org/2004/07/Microsoft.Office.Web.Roaming.SoapObjectsItemsSortKeyArrayOfRofficeappguardwin32.exe.2.drfalse
                            • 0%, Virustotal, Browse
                            • Avira URL Cloud: safe
                            unknown
                            https://github.com/pq-crystals/kyber/commit/28413dfbf523fdde181246451c2bd77199c0f7ffDilithium2Dilithmsedge_pwa_launcher.exe.0.dr, identity_helper.exe.0.dr, pwahelper.exe.0.drfalse
                            • 0%, Virustotal, Browse
                            • Avira URL Cloud: safe
                            unknown
                            http://crl.micropowershell.exe, 00000003.00000002.1900839755.0000000003371000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1923339892.00000000079C8000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1935367351.00000000088FF000.00000004.00000020.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            unknown
                            http://tempuri.org/IRoamingSettingsService/GetConfigofficeappguardwin32.exe.2.drfalse
                            • 0%, Virustotal, Browse
                            • Avira URL Cloud: safe
                            unknown
                            http://tempuri.org/IRoamingSettingsService/GetConfigResponseofficeappguardwin32.exe.2.drfalse
                            • 2%, Virustotal, Browse
                            • Avira URL Cloud: safe
                            unknown
                            http://tempuri.org/IRoamingSettingsService/WriteSettingshttp://tempuri.org/IRoamingSettingsService/Rofficeappguardwin32.exe.2.drfalse
                            • 1%, Virustotal, Browse
                            • Avira URL Cloud: safe
                            unknown
                            http://tempuri.org/IRoamingSettingsService/DisableUserofficeappguardwin32.exe.2.drfalse
                            • 0%, Virustotal, Browse
                            • Avira URL Cloud: safe
                            unknown
                            https://aka.ms/pscore6lBfqpowershell.exe, 00000003.00000002.1910750935.0000000005311000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2285866607.0000000005291000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2287207179.0000000005471000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2292459669.00000000052B1000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            unknown
                            http://schemas.xmlsoap.org/wsdl/powershell.exe, 00000003.00000002.1910750935.0000000005466000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2285866607.00000000053E6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2287207179.00000000055C6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2292459669.0000000005406000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            unknown
                            https://contoso.com/powershell.exe, 00000011.00000002.2331798038.0000000006318000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            unknown
                            https://nuget.org/nuget.exepowershell.exe, 00000003.00000002.1919244563.000000000637A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2324521202.00000000062F7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2334742070.00000000064D8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2331798038.0000000006318000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            unknown
                            http://tempuri.org/IRoamingSettingsService/ReadSettingsResponseofficeappguardwin32.exe.2.drfalse
                            • 1%, Virustotal, Browse
                            • Avira URL Cloud: safe
                            unknown
                            http://127.0.0.1:13556/InsiderSlabBehaviorReportedBuildInsiderSlabBehaviorInsiderSlabBehaviorReporteintegrator.exe.0.drfalse
                            • 0%, Virustotal, Browse
                            • Avira URL Cloud: safe
                            unknown
                            http://www.autoitscript.com/autoit3/8Aut2exe.exe.0.drfalse
                            • 0%, Virustotal, Browse
                            • Avira URL Cloud: safe
                            unknown
                            http://schemas.datacontract.org/2004/07/Microsoft.Office.Web.Roaming.SoapObjectsofficeappguardwin32.exe.2.drfalse
                            • 0%, Virustotal, Browse
                            • Avira URL Cloud: safe
                            unknown
                            http://tempuri.org/IRoamingSettingsService/EnableUserofficeappguardwin32.exe.2.drfalse
                            • 1%, Virustotal, Browse
                            • Avira URL Cloud: safe
                            unknown
                            http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namejava_update.exe, 00000001.00000002.2964590079.0000000003351000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1910750935.0000000005311000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2285866607.0000000005291000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2287207179.0000000005471000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2292459669.00000000052B1000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            unknown
                            http://tempuri.org/IRoamingSettingsService/EnableUserResponseofficeappguardwin32.exe.2.drfalse
                            • 0%, Virustotal, Browse
                            • Avira URL Cloud: safe
                            unknown
                            https://github.com/pq-crystals/kyber/commit/28413dfbf523fdde181246451c2bd77199c0f7ffmsedge_pwa_launcher.exe.0.dr, identity_helper.exe.0.dr, pwahelper.exe.0.drfalse
                            • 0%, Virustotal, Browse
                            • Avira URL Cloud: safe
                            unknown
                            • No. of IPs < 25%
                            • 25% < No. of IPs < 50%
                            • 50% < No. of IPs < 75%
                            • 75% < No. of IPs
IP | Domain | Country | ASN | ASN Name | Malicious
208.95.112.1 | ip-api.com | United States | 53334 | TUT-ASUS | true
45.141.26.232 | unknown | Netherlands | 62068 | SPECTRAIPSpectraIPBVNL | true
                            Joe Sandbox version:40.0.0 Tourmaline
                            Analysis ID:1465837
                            Start date and time:2024-07-02 06:50:16 +02:00
                            Joe Sandbox product:CloudBasic
                            Overall analysis duration:0h 8m 18s
                            Hypervisor based Inspection enabled:false
                            Report type:full
                            Cookbook file name:default.jbs
                            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:20
                            Number of new started drivers analysed:0
                            Number of existing processes analysed:0
                            Number of existing drivers analysed:0
                            Number of injected processes analysed:0
                            Technologies:
                            • HCA enabled
                            • EGA enabled
                            • AMSI enabled
                            Analysis Mode:default
                            Analysis stop reason:Timeout
                            Sample name:java_update.exe
                            Detection:MAL
                            Classification:mal100.spre.troj.spyw.evad.winEXE@23/183@1/2
                            EGA Information:Failed
                            HCA Information:
                            • Successful, ratio: 100%
                            • Number of executed functions: 282
                            • Number of non-executed functions: 38
                            Cookbook Comments:
                            • Found application associated with file extension: .exe
                            • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, WmiPrvSE.exe, svchost.exe
                            • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                            • Report size exceeded maximum capacity and may have missing behavior information.
                            • Report size getting too big, too many NtCreateKey calls found.
                            • Report size getting too big, too many NtOpenFile calls found.
                            • Report size getting too big, too many NtOpenKeyEx calls found.
                            • Report size getting too big, too many NtProtectVirtualMemory calls found.
                            • Report size getting too big, too many NtQueryAttributesFile calls found.
                            • Report size getting too big, too many NtQueryValueKey calls found.
                            • Report size getting too big, too many NtReadVirtualMemory calls found.
Time | Type | Description
00:51:19 | API Interceptor | 86x Sleep call for process: powershell.exe modified
00:52:05 | API Interceptor | 493257x Sleep call for process: java_update.exe modified
05:52:07 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java Update Checker (64 bit).lnk
Match | Associated Sample Name / URL | Detection | Threat Name | Context
208.95.112.1 | Roblox Account Manager.exe | malicious | Unknown | ip-api.com/json/
208.95.112.1 | x433.exe | malicious | XWorm | ip-api.com/line/?fields=hosting
208.95.112.1 | DriverUpdt.exe | malicious | XWorm | ip-api.com/line/?fields=hosting
208.95.112.1 | rinvoice.exe | malicious | AgentTesla, PureLog Stealer | ip-api.com/line/?fields=hosting
208.95.112.1 | rQuotation.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
208.95.112.1 | 8f5WsFcnTc.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
208.95.112.1 | ZkqNrYh5cV.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
208.95.112.1 | rQoutation.exe | malicious | AgentTesla, PureLog Stealer | ip-api.com/line/?fields=hosting
208.95.112.1 | v31TgVEtHi.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
208.95.112.1 | yVtOz1fD5G.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
Match | Associated Sample Name / URL | Detection | Threat Name | Context
ip-api.com | Roblox Account Manager.exe | malicious | Unknown | 208.95.112.1
ip-api.com | x433.exe | malicious | XWorm | 208.95.112.1
ip-api.com | DriverUpdt.exe | malicious | XWorm | 208.95.112.1
ip-api.com | rinvoice.exe | malicious | AgentTesla, PureLog Stealer | 208.95.112.1
ip-api.com | rQuotation.exe | malicious | AgentTesla | 208.95.112.1
ip-api.com | 8f5WsFcnTc.exe | malicious | AgentTesla | 208.95.112.1
ip-api.com | ZkqNrYh5cV.exe | malicious | AgentTesla | 208.95.112.1
ip-api.com | rQoutation.exe | malicious | AgentTesla, PureLog Stealer | 208.95.112.1
ip-api.com | v31TgVEtHi.exe | malicious | AgentTesla | 208.95.112.1
ip-api.com | yVtOz1fD5G.exe | malicious | AgentTesla | 208.95.112.1
Match | Associated Sample Name / URL | Detection | Threat Name | Context
SPECTRAIPSpectraIPBVNL | oniCmGMx16.exe | malicious | Unknown | 45.144.167.158
SPECTRAIPSpectraIPBVNL | zbRmQrzaHY.dll | malicious | Wannacry | 45.139.167.2
SPECTRAIPSpectraIPBVNL | e9d0af516a8d65649c6850b69ff15e65cba280f8d44dbc505882dd16cf922320_dump.exe | malicious | AveMaria, PrivateLoader, UACMe | 45.138.16.219
SPECTRAIPSpectraIPBVNL | filedoc3720001.exe | malicious | AveMaria, PrivateLoader, UACMe | 45.138.16.219
SPECTRAIPSpectraIPBVNL | DND3243676432.exe | malicious | Remcos | 45.141.215.89
SPECTRAIPSpectraIPBVNL | Inventory-List.exe | malicious | Remcos | 45.141.215.89
SPECTRAIPSpectraIPBVNL | nv6mqExGOo.exe | malicious | AsyncRAT, XWorm | 45.141.27.41
SPECTRAIPSpectraIPBVNL | y9vR6M5sU6.exe | malicious | AsyncRAT, XWorm | 45.141.26.119
SPECTRAIPSpectraIPBVNL | 84I4L4SXB5.exe | malicious | AveMaria, UACMe | 45.138.16.138
SPECTRAIPSpectraIPBVNL | 0Yj49F0I3q.elf | malicious | Unknown | 45.137.207.137
TUT-ASUS | Roblox Account Manager.exe | malicious | Unknown | 208.95.112.1
TUT-ASUS | x433.exe | malicious | XWorm | 208.95.112.1
TUT-ASUS | DriverUpdt.exe | malicious | XWorm | 208.95.112.1
TUT-ASUS | rinvoice.exe | malicious | AgentTesla, PureLog Stealer | 208.95.112.1
TUT-ASUS | rQuotation.exe | malicious | AgentTesla | 208.95.112.1
TUT-ASUS | 8f5WsFcnTc.exe | malicious | AgentTesla | 208.95.112.1
TUT-ASUS | ZkqNrYh5cV.exe | malicious | AgentTesla | 208.95.112.1
TUT-ASUS | rQoutation.exe | malicious | AgentTesla, PureLog Stealer | 208.95.112.1
TUT-ASUS | v31TgVEtHi.exe | malicious | AgentTesla | 208.95.112.1
TUT-ASUS | yVtOz1fD5G.exe | malicious | AgentTesla | 208.95.112.1
                            No context
                            No context
                            Process:C:\Users\user\Desktop\java_update.exe
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):275560
                            Entropy (8bit):6.292868175467042
                            Encrypted:false
                            SSDEEP:3072:zr8WDrCoP5KVkD8QC2mCBFv9m7usyT8tKQ9clyPqlO91/iDVSsWUG0bCP0BwOvO9:Puo4VQjVsxyItKQNhigibKCM
                            MD5:5BFFBD5E0AC5D8C8E8F7257912599415
                            SHA1:5A9F6AB857410BB9F3108A5A6ACF8A7EBA58361F
                            SHA-256:A3C4641D4CB4608AF18CD06E4C01339C65C25B9289F0AA01CABE0E5C250A0E15
                            SHA-512:D576DEE2BF7C66293758F07B2A19B8659BA5A65D2FA9C05BA254008F30B46447871FC66B7DED6AD6796B34FB91406F17536DF6E8E2465723138A31A9C8DA5B36
                            Malicious:true
                            Antivirus:
                            • Antivirus: Avira, Detection: 100%
                            • Antivirus: Joe Sandbox ML, Detection: 100%
                            • Antivirus: ReversingLabs, Detection: 97%
                            Reputation:low
                            Process:C:\Users\user\Desktop\java_update.exe
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):217704
                            Entropy (8bit):6.601006983838455
                            Encrypted:false
                            SSDEEP:3072:zr8WDrC7xFVaK4T6fWSlXe0lJQafeyrR0kr/yh5DEU/Pk13TfwqiTP0McBUNnUxW:PuV2K4TSFo5Y683TdiQMcGNUl4N
                            MD5:633E57697FE20B13A19E565EFB15550B
                            SHA1:4D789F99FD6D9E3024E2E1A35922E875E5F3F113
                            SHA-256:55075BDACF914AF03AD6CD417AFFC3A604A73AFD3D06A2256A1835CBF0F39B5E
                            SHA-512:8C49A2C57A51C209E1B032C554AB2251F3DB6FA8FE0609B9EFE9A60412C9018A90B22F61D9027895432FC3615DB54A25DCD55CF5210BFAD7C73B3CF5906A15DB
                            Malicious:true
                            Antivirus:
                            • Antivirus: Avira, Detection: 100%
                            • Antivirus: Joe Sandbox ML, Detection: 100%
                            Reputation:low
                            Process:C:\Users\user\Desktop\java_update.exe
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):237160
                            Entropy (8bit):6.436536629191244
                            Encrypted:false
                            SSDEEP:3072:zr8WDrCIyRnuBGwl/1Gc9QnvGqyWQ93kr/yh5DEU/P5kP0zU35iuvQBUeGMLu:Pu7l3wdYtcH9b5Y651zU77Ea
                            MD5:80D5957764641A059A246ACC3B876FD8
                            SHA1:379F4A825CF3B9EA2CBF96D0AFAA6F5192BE25A0
                            SHA-256:B904C8888CD019FAD590E1135E917D944BC16340757BC90DDD3511359766B8BB
                            SHA-512:4FE0AECD7F5B44FA5AC52165C566EEE57145AAA2AF59FBB449B7629511C3A727F09E3A91082DE7845490329619C90CA4ACAF4094CFD7888A97B7FBE1F70A7EAB
                            Malicious:true
                            Antivirus:
                            • Antivirus: Avira, Detection: 100%
                            • Antivirus: Joe Sandbox ML, Detection: 100%
                            Reputation:low
                            Process:C:\Users\user\Desktop\java_update.exe
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):1675872
                            Entropy (8bit):7.454506618256521
                            Encrypted:false
                            SSDEEP:24576:PC51xB6B9YNgqe1xTVIlz7X9zOo4PjnikEpx/nLWvJ+l:YK0eqkSR7Xgo4TiRPnLWvJY
                            MD5:14FA88A275AB539403725314719128FA
                            SHA1:2008F40C314CAE10B55206801AA1B1610F0A872F
                            SHA-256:15D3823B1CB8C10E2F0A0882BC273093742E957F0E7DB05B98B8FF020897559D
                            SHA-512:61CB80AD2D4D2E7AC85AADA0E97C5E9596F9AB26473EBDBB911D139BCD7E5EFA60F67B0D7EDAD98E9BBAD9C3E460082D06EBFBC045F536C786F3E98E53C28E23
                            Malicious:true
                            Antivirus:
                            • Antivirus: Avira, Detection: 100%
                            • Antivirus: Joe Sandbox ML, Detection: 100%
                            Reputation:low
                            Process:C:\Users\user\Desktop\java_update.exe
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):1841760
                            Entropy (8bit):7.347582112627405
                            Encrypted:false
                            SSDEEP:24576:tEeK2NocwiN/jc41p3qp11JsqbhOUe1xTVIlz7X9zOo4PjnikEpx/nLWvJ+i:PfYP1JsEDkSR7Xgo4TiRPnLWvJD
                            MD5:B7EAC627FCC70BC9F0368BA3D63DCCFC
                            SHA1:553FEDAA430E83E64650D0BEE5062D4DA2CBF07D
                            SHA-256:1DC472EF534923F12EFCA5AE928CC3E8545D1E468F905E693DF88D241C614A46
                            SHA-512:1556951F835F60830738084CB17639BAC7F1E9DF6592F0F4D3D66365924C0395164CA76DC8F8D8E1AE0847E316D702D96D2D6152B62B69D29ADE3681566102D7
                            Malicious:true
                            Antivirus:
                            • Antivirus: Avira, Detection: 100%
                            • Antivirus: Joe Sandbox ML, Detection: 100%
                            Process:C:\Users\user\Desktop\java_update.exe
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):346624
                            Entropy (8bit):7.902529878602557
                            Encrypted:false
                            SSDEEP:6144:PuEpXDXz7yIrozs0WuNd3ojusBdgnNW6r4F53ttuGENGFdVCLEYnPO1D7YYoSyZV:59zGImAjJdcH4j3ttzFdVCLNSfHoSWCG
                            MD5:49D006F81FC856B0ED3A6744396C6E82
                            SHA1:9285A78391AA44520B5134F5EA46BD7FC4E01A2E
                            SHA-256:FE301BD4EE2124BA25B1CE60C9BC9A7604089514C8A5CFE72F6E1AB2A17A8F1D
                            SHA-512:3EB2D67DD36230C6468D2810E13EE7FCF25D84E5D099612F803C4F2AF309724FCC1896034A124DDFDA35FBB401DBC5D1030D87F4BF4F08FFDCD1682F0BA1A634
                            Malicious:true
                            Antivirus:
                            • Antivirus: Avira, Detection: 100%
                            • Antivirus: Joe Sandbox ML, Detection: 100%
                            • Antivirus: ReversingLabs, Detection: 94%
                            • Antivirus: Virustotal, Detection: 83%, Browse
                            Process:C:\Users\user\Desktop\java_update.exe
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):165976
                            Entropy (8bit):6.135299341821214
                            Encrypted:false
                            SSDEEP:3072:zr8WDrCovkvQ4gXIRSG+7IJqC3CJyoDjpBnjkP0XGx2SYg+b/Q+y1s3:PugnGZLknnj1X62SYdb4I
                            MD5:BA8EA53268BDE311893484210DB5D175
                            SHA1:CED5F2D8D56A2E35FC12722ADA4B6F89D2D18987
                            SHA-256:11B0A81DF6BB3DF63262042E1D7ACC55B057B44C9264B60F5F145A98E0FB966D
                            SHA-512:B8708FB369CAD49A0B1A804C3D0E098CBD1E3B67A37D5249D84F95A29CD07381BEBEE5E81D6AC9E3B4125A784550DBE2292540CD8561321D70B3C5514AEF87C3
                            Malicious:true
                            Antivirus:
                            • Antivirus: Avira, Detection: 100%
                            • Antivirus: Joe Sandbox ML, Detection: 100%
                            Process:C:\Users\user\Desktop\java_update.exe
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):1113176
                            Entropy (8bit):6.446467711397749
                            Encrypted:false
                            SSDEEP:24576:kTC6Rb6qu1PyC+NRLtpScpzbtT7pyOolKL8Sq/jrc5xaNIBg:k+6AqSPyC+NltpScpzbtvpJoMQSq/jrL
                            MD5:7EED01A3E7667D1DC5E9A8F19C31A4D3
                            SHA1:ABD806F0580C5B56BE794BFE44650D7641A6D71A
                            SHA-256:31F7CDBC86FF5CBB03CB43D30F13DC8280997AB285BDACA68BE731BC82C5C1FC
                            SHA-512:00949C67DA8561B33FD6D7B83FDDAB5B2340604FDA26737F9F24858A29D1DD54984B67EE4F25505477C4E30150EF62192515656EB70F4430E9B82E08358CFBE8
                            Malicious:true
                            Antivirus:
                            • Antivirus: Avira, Detection: 100%
                            • Antivirus: Joe Sandbox ML, Detection: 100%
                            Process:C:\Users\user\Desktop\java_update.exe
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):2414080
                            Entropy (8bit):6.728757078944773
                            Encrypted:false
                            SSDEEP:49152:G1GSXoV72tpV9XE8Wwi1aCvYMdRluS/fYw44RxL8:s4OEtwiICvYMpfc
                            MD5:8CD88B0C755A7E8D9E072BE4DAF2BE25
                            SHA1:0AE0551EBC89A6B88515B12F2AD4171FFDA9ACC4
                            SHA-256:6BE9791EF08C87545F7EDD41B70880640C568EA1A5DD2EE76CDE400D6F722552
                            SHA-512:84041FFA70DB1A3057B423D4F693E165C6B8F927C2FA9AE58323C5B3D887EDE5E4EFEC3E49784C19C410D58EFF77F4F04F69468A7D941AAE68599034654C821E
                            Malicious:true
                            Antivirus:
                            • Antivirus: Avira, Detection: 100%
                            • Antivirus: Joe Sandbox ML, Detection: 100%
                            Process:C:\Users\user\Desktop\java_update.exe
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):113233
                            Entropy (8bit):6.7789810493984115
                            Encrypted:false
                            SSDEEP:3072:zr8WDrCFCrMGEtajbefY/TU9fE9PEtuGCrK:PuFCrfEt+cYa6YCrK
                            MD5:0FF71A744E70F7F7E1CE56FC4298E688
                            SHA1:939DEB068D6BCB5BAB11AF96CF6040F26B5EDB8B
                            SHA-256:3214538D265FB6BFB3A0620229FCD979A0225C0477F0FE0578FB443AE7EC4FDA
                            SHA-512:0037311257AFC9CFC0E6C1439AFC8E9B9BC83CF19D7E9FF7D24292A37917F56CC95071ACF4909D4FD869C2FB4D596FBABB9CF97C7591DB079549A401132372DB
                            Malicious:true
                            Antivirus:
                            • Antivirus: Avira, Detection: 100%
                            • Antivirus: Joe Sandbox ML, Detection: 100%
                            Process:C:\Users\user\Desktop\java_update.exe
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):409608
                            Entropy (8bit):6.460025563791325
                            Encrypted:false
                            SSDEEP:6144:PuTvqF1Ged2RYbguEuFuTkdj+zRGa7JkjrXyPyMMWvpBVOaqahUqjAGT:TbgvuFuQdj+zRTJkX8yMhB3jhBAi
                            MD5:83769C80EE264331DD46FBBBDB682CC9
                            SHA1:F3921FFA18C7B93A262A79C1C7A1A60A88D0CBC1
                            SHA-256:4D81853DFC97E32B2F03E4C1F75F41C91FD3DF73FB80B23A59484E2EEB9C264F
                            SHA-512:BADED7629C0D0C40AA785AE0FFCD8D0D7037B050199B517F5BC230C6954FE7ED52E911414CB829A509966AB82CC2CD5DD8868449D2EC9E567141E9A3138C3AF4
                            Malicious:true
                            Antivirus:
                            • Antivirus: Avira, Detection: 100%
                            • Antivirus: Joe Sandbox ML, Detection: 100%
                            • Antivirus: ReversingLabs, Detection: 100%
                            Process:C:\Users\user\Desktop\java_update.exe
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):214512
                            Entropy (8bit):6.488889881948425
                            Encrypted:false
                            SSDEEP:3072:zr8WDrCDGnUI/9FXK4+PoSZSb5qURwubvvnzdl1CkTlxAenDl3SoxceC76JNKjzc:PuDGUcsvZZvUmubv7hTHA8l3yROJyDI5
                            MD5:F085722D23BDED9EB6D55AE1232725CC
                            SHA1:19C09DFC582FE436B06B536DAC110E26F596FCC2
                            SHA-256:60EAEFFA9F5182AAFAD9D945DC601590A92782AA102AEF9AE10E19088E7C6179
                            SHA-512:5BDDCC02CB2D9B0B7270D3D1F1387F94A14047CCAC7810CEEBDE8357A7B2C4D5F79BDA3902CDA2BB5E25558D0D0FA44AFF3DD5846D45AD380FC58CAB364DDDD1
                            Malicious:true
                            Antivirus:
                            • Antivirus: Avira, Detection: 100%
                            • Antivirus: Joe Sandbox ML, Detection: 100%
                            • Antivirus: ReversingLabs, Detection: 100%
                            Process:C:\Users\user\Desktop\java_update.exe
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):568400
                            Entropy (8bit):6.67219335276453
                            Encrypted:false
                            SSDEEP:12288:lyvTCXdXikLj2jR7trg6Qi3vYsKTU00vq:lyyLj8trn3wsq0vq
                            MD5:B41B153CA4DFE9D557899142C6FDD767
                            SHA1:D7310F560839E21A7968DA46E27231290B25A312
                            SHA-256:FC1577451D4743DBE1B27A1828EA536522CF5C9CBE952A48F58345F53A85D72A
                            SHA-512:8CE84911CA279CCB86E8D4398CEC16B00E9E29FDF25F766FC0792E71154B2A8FBC22CC8F69387A6F5EC5992AC264556A39C1B9AD940F2AA674538DC4F50502D6
                            Malicious:true
                            Antivirus:
                            • Antivirus: Avira, Detection: 100%
                            • Antivirus: Joe Sandbox ML, Detection: 100%
                            • Antivirus: ReversingLabs, Detection: 100%
                            Process:C:\Users\user\Desktop\java_update.exe
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):1252432
                            Entropy (8bit):6.763252873451025
                            Encrypted:false
                            SSDEEP:24576:d0n7Ubxk/uRvJqLGJLQ4a56duA/85RkV4l7/ZeoMOp:m4iwwGJra0uAUfkVy7/ZX
                            MD5:9F7E59075683E964E4D6DF66A92AAF0B
                            SHA1:60EE788C42034ECE4FDB47C325E4EC2BC9DF67AA
                            SHA-256:D5759CFE49A74CAA1A6A7FA8DB17DE9D570F1BE8DA9FE75AB48E67076ECFF8E1
                            SHA-512:077D5D9FE8102144D458283ED099DC5C2F51F90B0ECE7DABB0BDA66E9B97F6D12A83527067877A802C0AD46DA974C494DD5EF954AC494D0838DAC87ACF06BADD
                            Malicious:true
                            Antivirus:
                            • Antivirus: Avira, Detection: 100%
                            • Antivirus: Joe Sandbox ML, Detection: 100%
                            • Antivirus: ReversingLabs, Detection: 100%
                            Process:C:\Users\user\Desktop\java_update.exe
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):790096
                            Entropy (8bit):6.745221507787877
                            Encrypted:false
                            SSDEEP:12288:bMvcR0D0B6PyxoxIlZwM+R6R4uFjs1Z7FMN0TzJqccvbXkN58AuimIh:/R0gB6axoCfyR6RLQRF/TzJqe58BimIh
                            MD5:ECF5236F6653F2D0F55FB26B2ABE3D4F
                            SHA1:60AC40919543275E088CE78F063DBA998964DFF7
                            SHA-256:273F4F789C6DAB5593C5273845020DC3E172C98833E38729C9DA159C53AE5623
                            SHA-512:06F844A46C9AE9B4588C167F809A1023DC88CE7853C61D1DE92841ADC7128C91CB0EC5B5F32E7E6E86C5B81D3161915767F98CF090AF19F6BE680FC1347255DC
                            Malicious:true
                            Antivirus:
                            • Antivirus: Avira, Detection: 100%
                            • Antivirus: Joe Sandbox ML, Detection: 100%
                            • Antivirus: ReversingLabs, Detection: 100%
                            Process:C:\Users\user\Desktop\java_update.exe
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):562776
                            Entropy (8bit):6.433164069541556
                            Encrypted:false
                            SSDEEP:6144:PuJ0dzerObMhDGJ9UM3sunrXj9BMHmD1tYFLqY/W5R02qO7VKCy7KCzDSEBPj:BeqbWqB3sunrT9+aYFLq3ny7JSEBPj
                            MD5:8DA8BD2BDE4B0EEAA83DD9B17289F169
                            SHA1:284502E7ABD3A84AF988CC6D2F4EA87D08D027B6
                            SHA-256:794C922912321E663916EBF1B11646CE10DBC0842E0FF68571770672FCFAB214
                            SHA-512:63EEE0EEFC46141F7B94DA48F420326630C9182E4C9CEB44104CE7302832A7219D361F2F61D52CD83B9E1E81CAC1ED86C8C44C8CE805299ABA74A7FA81D235D9
                            Malicious:true
                            Antivirus:
                            • Antivirus: Avira, Detection: 100%
                            • Antivirus: Joe Sandbox ML, Detection: 100%
                            Process:C:\Users\user\Desktop\java_update.exe
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):127512
                            Entropy (8bit):6.330981765539028
                            Encrypted:false
                            SSDEEP:3072:zr8WDrCsPo10JOSdnvEhEyr1hg9uCRFRzsxeZ:Pusg1MOc81hmRFJs0Z
                            MD5:A70C749F32B95B9C01A9919E8F96205D
                            SHA1:7A43A28D2FCDBF663B4D61E969CD6160F1A444AC
                            SHA-256:39C83EC2727FFCC589106D1AD4C7BE154C7752382C958252FF510A61F65E24C2
                            SHA-512:1341ADCD4FEDA85A9425348310A2FA86A1D9AFA705ABFF7FCA2C39FDDFA9C3176239BB87553216743DCBB662211DB0E3C90B644A3CC8DEBE80CD38BBE7ACBAE7
                            Malicious:true
                            Antivirus:
                            • Antivirus: Avira, Detection: 100%
                            • Antivirus: Joe Sandbox ML, Detection: 100%
                            • Antivirus: ReversingLabs, Detection: 100%
                            Process:C:\Users\user\Desktop\java_update.exe
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):299136
                            Entropy (8bit):6.7881128883409
                            Encrypted:false
                            SSDEEP:6144:PuGXLYbH0QQchx73BeFStIhEWDoZvynCMj+TwW:xXEbH0j4x7R6SvyCMqn
                            MD5:BB745A9E59BFDC3FED3D6ACC5EB1969E
                            SHA1:B569EF5567BF533C49F4C59441D1881726DEA540
                            SHA-256:5C257F423AFD510D6EE9EAB80273CC673995F966932466C9AD74EB2AA613A892
                            SHA-512:B43198FC36F9DECB3767E6888B632093550394DF5D5826540A0BBDAE711931F595B398CE59C5F4676C1FDA7953C0702D57CC98D3E18309DEA517C536AB63CCCD
                            Malicious:true
                            Antivirus:
                            • Antivirus: Avira, Detection: 100%
                            • Antivirus: Joe Sandbox ML, Detection: 100%
                            • Antivirus: ReversingLabs, Detection: 100%
                            Process:C:\Users\user\Desktop\java_update.exe
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):299136
                            Entropy (8bit):6.790537251287294
                            Encrypted:false
                            SSDEEP:6144:PuGkXCs7zYA9xiNFiVg7s/uDoeBvhI7W6w9:xkXCs/YAh/elvhI7Wd
                            MD5:57150329C07A1CCA1C715687BBD681A0
                            SHA1:EA1805323441B728107A98C5C88EB1609116F70E
                            SHA-256:AFB4A253B3CFEFB7FA8C8AAB7FE10060AF5A33C10147EDBA4501C5089F407023
                            SHA-512:2BD0008D28BDBBBDB0F6A8D01121FFCF9A6AD18147110F100D1EB3CD7B93EC3481F8D0358E427F94D53F01764B246C54FC49F57CFDBAB1831672218197DFC444
                            Malicious:true
                            Antivirus:
                            • Antivirus: Avira, Detection: 100%
                            • Antivirus: Joe Sandbox ML, Detection: 100%
                            • Antivirus: ReversingLabs, Detection: 100%
                            Process:C:\Users\user\Desktop\java_update.exe
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):437888
                            Entropy (8bit):6.42435194722595
                            Encrypted:false
                            SSDEEP:12288:xXNKdHVnfiMB7yIL+5IyoiYv5jPaeTmJWIvDxT9ULX8PCM:hKiBLZ05jNTmJWExixM
                            MD5:E96B5A5F7432CF95AC667CC32CAB7CE1
                            SHA1:F5729409A0AD909360DD9938FE05681E8C98BEA7
                            SHA-256:22345B680E235E582820160A73A5221A98550D7947DC1F22FE768C51788B3614
                            SHA-512:BF03F48889EA86C4C39B32B32760FE57293D85C5E6A88D3695CF4D7F7AB23B3F4ED07588987619B084AFFB51A61B3C7404E2D8177A29EC4AF343FCBD66F7C560
                            Malicious:true
                            Antivirus:
                            • Antivirus: Avira, Detection: 100%
                            • Antivirus: Joe Sandbox ML, Detection: 100%
                            • Antivirus: ReversingLabs, Detection: 100%
                            Process:C:\Users\user\Desktop\java_update.exe
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):343328
                            Entropy (8bit):6.643174471027498
                            Encrypted:false
                            SSDEEP:6144:PutkTpB8HHvBjruphfgesnAhAOQp2EwckjQx+m8zhPLlZp3:GklinJruphfg26p2Ewix+m8Nln3
                            MD5:C6DCB652B36FD0F69EF1C6C28C3F3D3E
                            SHA1:B9FA38B704D6BDDA1E203422207E09D2FB49C216
                            SHA-256:A2D68D17A3E61E41CD6E9389058D6A36036BEC91AFD4CF6A2F587FAF0CDCDD5B
                            SHA-512:1B184AC17FDD6F28956F619CD772697EEA6684C70B4E74222BD75C58ACFF62C1BF66D9AFB840A9735A0BACD3792405E063701AA29C909EFB5F3B6DF5AF284FB3
                            Malicious:true
                            Antivirus:
                            • Antivirus: Avira, Detection: 100%
                            • Antivirus: Joe Sandbox ML, Detection: 100%
                            • Antivirus: ReversingLabs, Detection: 100%
                            Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*......x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                            Process:C:\Users\user\Desktop\java_update.exe
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):443680
                            Entropy (8bit):6.396943856678141
                            Encrypted:false
                            SSDEEP:12288:z3gaHC2zUM2WJoROZVXk8hbodzbaw8x0Cx+wnx:zx5k8hb0Haw+x5x
                            MD5:689EC8C9ABDBA5399058B31A494353E7
                            SHA1:2940C3D9852341884ED269B06804C0383F9A6056
                            SHA-256:B168963DD38A08EE00E540180FF0BB2480E72D6439C6F3E386BFDEACCC725F95
                            SHA-512:AE28934023D46D5D36A894F31A0A2232DF9D968B20D7176BCD37058C13FE9B1BA41387CEBBE824BC6FAFF0ECB35354C1A69C585BC39A4468B713B9F458CCB107
                            Malicious:true
                            Antivirus:
                            • Antivirus: Avira, Detection: 100%
                            • Antivirus: Joe Sandbox ML, Detection: 100%
                            • Antivirus: ReversingLabs, Detection: 100%
                            Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*......x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                            Process:C:\Users\user\Desktop\java_update.exe
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):203552
                            Entropy (8bit):6.1311659126541285
                            Encrypted:false
                            SSDEEP:3072:zr8WDrC6aKavT/DvbEvK9aobNI2B+Nl4jz+b0atWH1TmFtotpcat8iKdlVST31Oa:Pu6aK2h9H/B+rEtiPC
                            MD5:5C85C6CF32D2443AE5A7E4FAD8CB7CCF
                            SHA1:D23CB4A5961CD7B7C4DA100EBE98E5A4CB8B2FCF
                            SHA-256:4EBA2A6D96466D63B206E0760B4E9319D26B4458A8F030460DDE896AAF227682
                            SHA-512:FBC3D48FCF80DBAA328DCDF326638C57CEF445A31FA269AF6D47BFC03E112BCD0143721C78F041A3D1C7AEAF44BE135484B33D170AA1EA550CFE5AB15242F694
                            Malicious:true
                            Antivirus:
                            • Antivirus: Avira, Detection: 100%
                            • Antivirus: Joe Sandbox ML, Detection: 100%
                            • Antivirus: ReversingLabs, Detection: 100%
                            Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*......x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                            Process:C:\Users\user\Desktop\java_update.exe
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):149792
                            Entropy (8bit):6.503976503009816
                            Encrypted:false
                            SSDEEP:3072:zr8WDrC/4vzT+PjZpsB+2h+EOXkMxJ7Rfp8K172YPrp:PulpsB+09zMH7cCxPd
                            MD5:EAAD727FE492030433EBADE57325EA69
                            SHA1:6008DE3C0DD2203E737A68ADB562A81DE1BD4349
                            SHA-256:8294521F6F0C2936F76C92743BF193937619C13FC0CFCBE2DA1238605D07F79B
                            SHA-512:803E85A412536591F05DC3C6065B84919B11460AD08DD8F5833E47C9FFA00E1D33DE6092658D219C819220B867CEFFFBED8BAF822E372E95CBD8D48AD9351DE7
                            Malicious:true
                            Antivirus:
                            • Antivirus: Avira, Detection: 100%
                            • Antivirus: Joe Sandbox ML, Detection: 100%
                            • Antivirus: ReversingLabs, Detection: 100%
                            Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*......x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                            Process:C:\Users\user\Desktop\java_update.exe
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):227104
                            Entropy (8bit):6.2330769171298925
                            Encrypted:false
                            SSDEEP:6144:PuKWt9h8QlLISZWVRohcq7dvni3F8QrBA/:by9hdFIdRoGUxi35rBU
                            MD5:19E917EB830D0429C0E2E8F64114212B
                            SHA1:5351AA18D019E6ED9123460431B4B28A0187A065
                            SHA-256:6133D3AF6F4C30C1337C63B71947056FB3A46E2A269EB4F2E996E53DD8E95754
                            SHA-512:A5CFFE837ADAC6B05C3D4F413C9461BD368A7CAFC3142DD5472BE292F1D17FB74571BC05FC8204F0781138016D76085DB843EEFC787033984FB42546F8DF24D3
                            Malicious:true
                            Antivirus:
                            • Antivirus: Avira, Detection: 100%
                            • Antivirus: Joe Sandbox ML, Detection: 100%
                            • Antivirus: ReversingLabs, Detection: 100%
                            Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*......x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                            Process:C:\Users\user\Desktop\java_update.exe
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):264480
                            Entropy (8bit):6.638998317491867
                            Encrypted:false
                            SSDEEP:6144:PumwCtJmRqyFmB6AOKmiMGwIAfx+iQ+FfFyLgG1da6edo:tw6JmRI6Bitwpx+iQafFykG1da6edo
                            MD5:CC6410226CC9A5A311864C905A41F69D
                            SHA1:C2E9C75DC6382238B2D7697576C5BB47A09AA1EF
                            SHA-256:6118343C2990A8414501F08A6FC70E2888E8CDC193054E0410D5B5FF3EF63898
                            SHA-512:DAE7626F1BFADCE4E9108CC20FBF84D5F86D1E9EBF7AA58B6386613C52718AF2C91ABFDD539F87297DBC2A5FB486619F4048FC831B96DC4AD924C61785AFA6AB
                            Malicious:true
                            Antivirus:
                            • Antivirus: Avira, Detection: 100%
                            • Antivirus: Joe Sandbox ML, Detection: 100%
                            • Antivirus: ReversingLabs, Detection: 100%
                            Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*......x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                            Process:C:\Users\user\Desktop\java_update.exe
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):149792
                            Entropy (8bit):6.504334063798769
                            Encrypted:false
                            SSDEEP:3072:zr8WDrCz4qR8vSZksB+2hdqecER5AhC48S1m2YPrZ:Pu5ksB+0YlEXAe6QPt
                            MD5:3782AA85B64BBBFD331D8170B86BCB0A
                            SHA1:2FE109D8CDDC028910DC40DF789B90D8997B1557
                            SHA-256:390F98A5B31D514641DFB13DDBCA0C071F4D8FD4F094C25859C98A672572B0C1
                            SHA-512:D1DEBFF36BB931F544B48D611E0D513FFE7BA5A36650932F007B2C6198BDF8E4E1F253D0CCF24A25AF9066C5278EEEDA568EBA6FEE20B404377D4BB1A68253DF
                            Malicious:true
                            Antivirus:
                            • Antivirus: Avira, Detection: 100%
                            • Antivirus: Joe Sandbox ML, Detection: 100%
                            • Antivirus: ReversingLabs, Detection: 100%
                            Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*......x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                            Process:C:\Users\user\Desktop\java_update.exe
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):299136
                            Entropy (8bit):6.7881128883409
                            Encrypted:false
                            SSDEEP:6144:PuGXLYbH0QQchx73BeFStIhEWDoZvynCMj+TwW:xXEbH0j4x7R6SvyCMqn
                            MD5:BB745A9E59BFDC3FED3D6ACC5EB1969E
                            SHA1:B569EF5567BF533C49F4C59441D1881726DEA540
                            SHA-256:5C257F423AFD510D6EE9EAB80273CC673995F966932466C9AD74EB2AA613A892
                            SHA-512:B43198FC36F9DECB3767E6888B632093550394DF5D5826540A0BBDAE711931F595B398CE59C5F4676C1FDA7953C0702D57CC98D3E18309DEA517C536AB63CCCD
                            Malicious:true
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 100%
                            Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*......x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                            Process:C:\Users\user\Desktop\java_update.exe
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):135808
                            Entropy (8bit):6.38873877226639
                            Encrypted:false
                            SSDEEP:1536:yxqjQ+P04wsZLnDrCGrmKJGyeVK7qjh3rmKPNbS7cZPxyqPEoCW/ids8nBs+s8nK:zr8WDrCGqzyutjZqMNbSgxbFrj8m
                            MD5:3DFB05D09AB50A01B467398603BEADB5
                            SHA1:D8A8AD789717B3E83608AE510FBFF096861DC271
                            SHA-256:A4844081CA91828B55104253A954E3B073D6E762D66A4EFA8F22AF9C4D995833
                            SHA-512:D6FD943FA97432F80CD81621D5186D7D6CB8F7622604278BE31CFEEBF98A46A9007E3C71F6E392B9B41563CA5BC6BD9B86AAA3D6A4CF1B148179D7692F7A9A99
                            Malicious:true
                            Antivirus:
                            • Antivirus: Avira, Detection: 100%
                            • Antivirus: Joe Sandbox ML, Detection: 100%
                            • Antivirus: ReversingLabs, Detection: 100%
                            Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*......x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                            Process:C:\Users\user\Desktop\java_update.exe
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):299136
                            Entropy (8bit):6.790537251287294
                            Encrypted:false
                            SSDEEP:6144:PuGkXCs7zYA9xiNFiVg7s/uDoeBvhI7W6w9:xkXCs/YAh/elvhI7Wd
                            MD5:57150329C07A1CCA1C715687BBD681A0
                            SHA1:EA1805323441B728107A98C5C88EB1609116F70E
                            SHA-256:AFB4A253B3CFEFB7FA8C8AAB7FE10060AF5A33C10147EDBA4501C5089F407023
                            SHA-512:2BD0008D28BDBBBDB0F6A8D01121FFCF9A6AD18147110F100D1EB3CD7B93EC3481F8D0358E427F94D53F01764B246C54FC49F57CFDBAB1831672218197DFC444
                            Malicious:true
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 100%
                            Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*......x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                            Process:C:\Users\user\Desktop\java_update.exe
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):437888
                            Entropy (8bit):6.42435194722595
                            Encrypted:false
                            SSDEEP:12288:xXNKdHVnfiMB7yIL+5IyoiYv5jPaeTmJWIvDxT9ULX8PCM:hKiBLZ05jNTmJWExixM
                            MD5:E96B5A5F7432CF95AC667CC32CAB7CE1
                            SHA1:F5729409A0AD909360DD9938FE05681E8C98BEA7
                            SHA-256:22345B680E235E582820160A73A5221A98550D7947DC1F22FE768C51788B3614
                            SHA-512:BF03F48889EA86C4C39B32B32760FE57293D85C5E6A88D3695CF4D7F7AB23B3F4ED07588987619B084AFFB51A61B3C7404E2D8177A29EC4AF343FCBD66F7C560
                            Malicious:true
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 100%
                            Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*......x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                            Process:C:\Users\user\Desktop\java_update.exe
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):163456
                            Entropy (8bit):6.2758220261788
                            Encrypted:false
                            SSDEEP:3072:zr8WDrCm446dewltB2mNd/HOrveW1dexk834fRZ5Nyc:Pum446d7T/H4X
                            MD5:51117D59430CF4C0EA72319AD8930BED
                            SHA1:0A7AB6E54B1F62D9FEE7F48A594AFD0E3F7ED846
                            SHA-256:CE688EDA6A1F081C10E862422F2C13F24797F21D2DA248E85C0CC81D96BF3010
                            SHA-512:E05E6DA3D9728F5E04F5F4D2BF9B875BEA8CCD287BA207B2469D83F49BB6AA759C608B29A107D33BF8460F71840EADAB34CB1924DA3EE8F9E5DE741FB45045BF
                            Malicious:true
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 100%
                            Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*......x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                            Process:C:\Users\user\Desktop\java_update.exe
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):127104
                            Entropy (8bit):6.059161475634893
                            Encrypted:false
                            SSDEEP:1536:yxqjQ+P04wsZLnDrCds8nBs5s8nBskEsz2zy77hPxIAbBsnzA3QDkrDW8Kq5ns8w:zr8WDrCwUkEsqzy7pxI8BszFJqkb
                            MD5:EF3C7B1D99C49F679F1DE40119454E82
                            SHA1:E3869B9D17411A1DFB49630E8E9D0A379CCA1599
                            SHA-256:4ECF5FCDD95ABA50DF6137D45EDB89467D33A31347525B422AA2A9B36809233B
                            SHA-512:71D00F7B07E909CE5C54FBD85DDAAC2752B6B2AE2ED76EDADB4AA07AB1F7BDF25ECD77CB1742EEBAFBFA98087A4582879D4A2D277965D3D39F9E6ADEBA9170F5
                            Malicious:true
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 100%
                            Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*......x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                            Process:C:\Users\user\Desktop\java_update.exe
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):223360
                            Entropy (8bit):6.084515656741608
                            Encrypted:false
                            SSDEEP:3072:zr8WDrC+ySSyyXC2BZC5vHa2L8jv+UII6qS2AroAxYN35gwxcPXtxdTsVcCXFzlb:PuuSyMZOy406qS2AroAxnw6f9JCXN1
                            MD5:278E935C540125EB737FF60459E06954
                            SHA1:3F2F868109AB1BE159D75FE1FCB78D5AB0F39A29
                            SHA-256:7DD8239708026320DC7B738BF5B1F90117475EBF88BE8DA06B99E6A3E860596F
                            SHA-512:21E3181E34FCC0D304F5A8EEFA0B92B676DF815BE984792D034FEB61E3189D73020AD5B6D82A5DF2434CD97AB2D1F48AD223B7007695F0673A2ECA8803D2C825
                            Malicious:true
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 100%
                            Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*......x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                            Process:C:\Users\user\Desktop\java_update.exe
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):203264
                            Entropy (8bit):6.625450286768847
                            Encrypted:false
                            SSDEEP:3072:zr8WDrC6wl0hzyfN7T34oshWGrAUdaz2w9Lf0M/RHym:Pu3iFIf34hcUsz225/
                            MD5:241380ED43DD374CF6415E50B83CD0BD
                            SHA1:5F4F79F4DBEB1201DFC3D3A83BB1D5400D11F045
                            SHA-256:D3CA30B886E1F07EC6AC3989C091EBD5E97F1196D9BD554A2546EF3B4DF61EA4
                            SHA-512:D4BF86E17996171B67900847372EFECDC41E7F87621F831FD882E8DEAE49F5A45B218E375AE2347E862C438C11906E2CC67E062A0BC2D1265C968789FA8F68E4
                            Malicious:true
                            Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*......x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                            Process:C:\Users\user\Desktop\java_update.exe
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):209912
                            Entropy (8bit):6.335658991643739
                            Encrypted:false
                            SSDEEP:3072:zr8WDrCUfSoD7sDZ7/E2jijQvZ2ha5ZxXHyz7weLSMqpmmtj:PuUfSoD7q/fji2SUKz7VHwmmtj
                            MD5:0DB388DA73178AB846638C787D1DD91E
                            SHA1:64D79EC424EF95DE05D484C3BDC446642552879B
                            SHA-256:E71DDCCD4996D121D5C7901A367E024266727C4C713635A25B74EB0C132CD59F
                            SHA-512:94288DB9B2615FDA0BD27A46EEDBDB3F8FE3E8C2B2985D2B69244B47A7369AD5F357D060DE52FD4C5E9746CF7A3343417A77476A153F49058D8F8C2E61EBFB11
                            Malicious:true
                            Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*......x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                            Process:C:\Users\user\Desktop\java_update.exe
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):209912
                            Entropy (8bit):6.335658991643739
                            Encrypted:false
                            SSDEEP:3072:zr8WDrCUfSoD7sDZ7/E2jijQvZ2ha5ZxXHyz7weLSMqpmmtj:PuUfSoD7q/fji2SUKz7VHwmmtj
                            MD5:0DB388DA73178AB846638C787D1DD91E
                            SHA1:64D79EC424EF95DE05D484C3BDC446642552879B
                            SHA-256:E71DDCCD4996D121D5C7901A367E024266727C4C713635A25B74EB0C132CD59F
                            SHA-512:94288DB9B2615FDA0BD27A46EEDBDB3F8FE3E8C2B2985D2B69244B47A7369AD5F357D060DE52FD4C5E9746CF7A3343417A77476A153F49058D8F8C2E61EBFB11
                            Malicious:true
                            Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*......x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                            Process:C:\Users\user\Desktop\java_update.exe
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):264144
                            Entropy (8bit):5.859978790158535
                            Encrypted:false
                            SSDEEP:3072:zr8WDrC2PEGT3EB2e1aWGNU6ITL85x0HRerzJ0YF6OYLy0PPDq29BA+7891:Pu2PEC0QjWGNU6ITL1H0zvjkBA+7891
                            MD5:B2A0013F6770F98CD5D22419C506CD32
                            SHA1:D1B9E2EBBE6255A386AFE69A9523B7D2BE1E05EA
                            SHA-256:87C62BFBF6609662EE24C1B9FD1AB2CF261F68E5F1402CB7E2F6755023A29841
                            SHA-512:3302A6D3AB1DC7CB725F4E0DA1A82ECEC7207C7CDF2050410625AFF4E51C17B3A38DB8630ED34E111344C66BC603C3939A46E52A3EE6E1EF282DB1E93E61036F
                            Malicious:true
                            Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*......x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                            Process:C:\Users\user\Desktop\java_update.exe
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):430680
                            Entropy (8bit):6.625803592345581
                            Encrypted:false
                            SSDEEP:6144:Puvmmt0fSoD7ZAOhPiURg/4KAaxZTTlvIfaUcuI4hWxBP9SGO0zyqEL:Pmt0LDdOUO42ZdocuI4kxBgGONqEL
                            MD5:2463BF0CFD3790EACDB9BFCCA012D2D2
                            SHA1:B3EAED3711C1A369A3359BD6ECEF26DDB824B9D2
                            SHA-256:FD879B6629EBDFB190FAB80B29DEA52997A75FC44845749552815DA18EA07532
                            SHA-512:494FAECC19D7B59548E04CA1CDDE618B9636ED3FC159D526ECC9E4F05DBDF0A96F3C0ABECD4B90BCC1ED7ACA57A9E38400CDCF06C19936D3407D3D5A10B9CC6B
                            Malicious:true
                            Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*......x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                            Process:C:\Users\user\Desktop\java_update.exe
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):4473576
                            Entropy (8bit):6.5697251244545924
                            Encrypted:false
                            SSDEEP:98304:9kkCqyDEY7+o3OBvfGVY+40yajyS+9s/pLOq:9kkCqaE68eV+0y8E6L1
                            MD5:A0E84CEDA4163F189BE5349FD432B1CB
                            SHA1:204335080CD8BA8D46E52DFB29F1461D7BF84CA1
                            SHA-256:9A8C97840B4745ABA6BE44CAE7DE9EC0E7960AE31E52DFDE4ACCB1C24B6C4DA7
                            SHA-512:BE941C507F9A607087E96CDBA94358F4882BA231CC08E6AAE8480301A5FF82940630134F9DB780B9527F43DD83ABE5D4868759854D2517A6D6A87A26903FCC9F
                            Malicious:true
                            Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*......x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                            Process:C:\Users\user\Desktop\java_update.exe
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):4316096
                            Entropy (8bit):3.9254629343592016
                            Encrypted:false
                            SSDEEP:98304:jPNLniBaEJhRELqS/rhwov59SRZ5Vb9sybbsK+0rnsQ:TNLniBPJhRELqS/rhb59SRZ5Vb9sybb9
                            MD5:AB9C308CB62C689AEC4171AF74B99607
                            SHA1:2AFBE3B52505B17653C30E8C51A8A434BB83433D
                            SHA-256:5B23BCB1EB5124A1FA7160014A7BE5A546CAFE00AE7FFFCFB19C237552281499
                            SHA-512:688D62C8CC8B7E699D379FE5FDA6DC808787E11C369C5CBDFA3559E2B61B607C0AF252232775BA04C2AD082C21DBA2224E6C34E131381EDD52EF0C2539C70484
                            Malicious:true
                            Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*......x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                            Process:C:\Users\user\Desktop\java_update.exe
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):94600
                            Entropy (8bit):6.430762305801649
                            Encrypted:false
                            SSDEEP:1536:yxqjQ+P04wsZLnDrCuELjOzHKd1XI/etzCJQx0cxnIO/IOmOe:zr8WDrCuE/OTKXI/etG8ICILJ
                            MD5:29065F4177E1DFFC20CF409E15644D07
                            SHA1:2A506101526624DF3C693E3F9501E7FD0332A5F3
                            SHA-256:A572BFF875EA91F7324C87C4966ED38AE29C87A3B999E9EEDCF82730921F1AEA
                            SHA-512:611B4D7DF2C4D2B37E6C152B0416A047166B78C999B1C7A6B39D11FE73CB80BA55F4822B9503642CB289730D90A608FA08DC909A845F77A8A13C967689A3C00B
                            Malicious:true
                            Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*......x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                            Process:C:\Users\user\Desktop\java_update.exe
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):101496
                            Entropy (8bit):6.2393274170193935
                            Encrypted:false
                            SSDEEP:1536:yxqjQ+P04wsZLnDrCcvpz3ktxGvpzvy5ZWGalHFmMTK0KRTS8bOzc:zr8WDrCKToATzvmN0KRm8bOzc
                            MD5:16918B2CAE1E6169BB9725597CB7383D
                            SHA1:F7539B44190222E9917B3D404A1BBAE7D32D9925
                            SHA-256:CB2DFD05D0EFDBEE9DA0E844020762C3124C9BDEEE868534F5E6A383FE312DD1
                            SHA-512:A4DF06513B73244A4F04B1F9F38DABB1045B7D4539B0E3D7AE88304EB0554BCC7F38A4B93CDA67C538D49242AA7F3B0524A39B395DBA74E372A754DFB26E803D
                            Malicious:true
                            Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*......x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                            Process:C:\Users\user\Desktop\java_update.exe
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):455760
                            Entropy (8bit):5.9316971297219085
                            Encrypted:false
                            SSDEEP:6144:Pu5wACThwS0vn9IdRsLGEJTdPA6lDfZNAGVx:SwACThwSSn2dRANtlF3j
                            MD5:EE123EC97226518C7A526A514A7EA08D
                            SHA1:8D53600BF398A582227F4B1B1DF6F815CC5CA046
                            SHA-256:767FE1BDB52D43DB570CA6AFD1E86FA00868FE36C8B4BD69A7BEF79876D7D04E
                            SHA-512:4B6E4B0EE7E22276CC638531A4151717E965E10B54874B499026383F290B4D66C48E7761C94E336B62A53972E148CD22B4AAC04B6F265BA7889EF52137CA4A7F
                            Malicious:true
                            Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*......x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                            Process:C:\Users\user\Desktop\java_update.exe
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):225704
                            Entropy (8bit):6.245888252421863
                            Encrypted:false
                            SSDEEP:3072:zr8WDrCNLqB8edYkIrv6TXRw9xwqazULDjkAJZo0RAjUIqXfkRC:PuRjilq8OPwRzso6AQ5yC
                            MD5:58FCC2021F6669D332B12379F34E6ABA
                            SHA1:C261CF77942748482EA6423B2816071BAC404855
                            SHA-256:099D81B808C4A1507092974E4C79187470FC4D5BC1049DE99B7D87D68FFD8A8D
                            SHA-512:2637E583059CA760EACB66649519751191FC96FD3589DE8E17D0AC73C957D9256A50105D03727D19A1193DFB61FF1450AD65DEEA8692EF2D947051D85062E8C1
                            Malicious:true
                            Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*......x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                            Process:C:\Users\user\Desktop\java_update.exe
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):84928
                            Entropy (8bit):6.484542699354416
                            Encrypted:false
                            SSDEEP:1536:yxqjQ+P04wsZLnDrCh67wZClMML07MiapFmPRHyzMwzobtM+zf:zr8WDrCh67wZClMMQ7MiawHyzMwsL
                            MD5:6E3355F8734F6DA5FAC15DF47A197B0F
                            SHA1:C933D5E414F6594D61E56FEC641373E33AD3C3ED
                            SHA-256:052C62D09235DDD70A3C52C7071D20711F2D4F1F7F653AEA54FB023EC2626B12
                            SHA-512:1B108643E2DF6476B167E233B7A3E249A2BCB89006B3C87FEEB90FC96214B52E0BC466C010AE03ED6BECF18864F96B0D5EED6F4720A1CDA70829B4631D3917FD
                            Malicious:true
                            Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*......x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                            Process:C:\Users\user\Desktop\java_update.exe
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):83816
                            Entropy (8bit):6.536836051910162
                            Encrypted:false
                            SSDEEP:1536:yxqjQ+P04wsZLnDrC+0s7wZClMML072apFmPcnGzLHyxz5pOEtmwxz5E:zr8WDrC+t7wZClMMQ72ahnGzextQyxtE
                            MD5:D713C72B72F2554BC5F57573AD79C596
                            SHA1:82F518A57C167F1CFE80D7D43ED28084C2D57933
                            SHA-256:22CC2A1543DC27CC8F1925ACB173E34141C4FF9E1A012C572E932BB6FD91B4C1
                            SHA-512:D0DCB842E46D1F372DBFF6CF1D3DEF6BA5461770400DE2BB7DFD9CB0DB35E80DC721C779E2CF8F852BA9B9EA9E5937D6C4DA31989D399107B6075C6771928486
                            Malicious:true
                            Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*......x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                            Process:C:\Users\user\Desktop\java_update.exe
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):233832
                            Entropy (8bit):6.440520521123031
                            Encrypted:false
                            SSDEEP:3072:zr8WDrCqW32GhNvMQ/58sl2U2Gszlz4SNBZCgMWku:Puf2GhN0lsdspzPgg1
                            MD5:605C2C89F9F2A47F991EF737877F2FB6
                            SHA1:14E316AFBCA1D6590C6105B7BF76A72339C3ADEF
                            SHA-256:E96F113D251169D2B4DB5F51BFBF5F20609702F7B0BEA5FEA55CD4DF71A70682
                            SHA-512:506E962224D44478E14FDA6A093E861E225745E36A3B32B7BC98E337F1B492A3664AD84497ECBFB427A967D3CA0390CED92D11FD9E8EF3D7887D2D9415243D5B
                            Malicious:true
                            Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*......x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                            Process:C:\Users\user\Desktop\java_update.exe
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):502632
                            Entropy (8bit):6.717621615137878
                            Encrypted:false
                            SSDEEP:6144:PuyWDxGH79J2VX5gEpvm7JA8I6BHAlSpFG/+Ls3ze30xB7zq2zs:0MxCvm7JK6JAB/6N30xpI
                            MD5:A18560DD287C61996F6C3498FF2B6F8F
                            SHA1:B81EF528445CCE2BA94A933385FAF56DA526CC25
                            SHA-256:551C24CB52C55EB77300FAE5F77A9EE565848DA83A5CEBC4587C5912C94C0A92
                            SHA-512:2B94CA43D2F41EE88A81121889DBCFF7B014622FFA2B3048DB7CCA1C6FB7CB3D18CCCB9F4791002E166040A658FA317E42B520D44929973E034B56B7ED9C62C9
                            Malicious:true
                            Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*......x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                            Process:C:\Users\user\Desktop\java_update.exe
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):352704
                            Entropy (8bit):6.382223038880705
                            Encrypted:false
                            SSDEEP:6144:PuoEshacHeGXduZtZ9zHVcI3uv7FgR3FTzWQ/ZZyp1:6sHHrtuZtPvh3FuQ/jyp1
                            MD5:E517FFDADC37CBB8E4DF9D8C4595BAEB
                            SHA1:CAC4F749D83EFAE571B6A581F0579F5EF0F5CFA1
                            SHA-256:6B837B2B22A40521E234CE3B11A961C631927951B443DD47EF5E37E54390D907
                            SHA-512:500B9C4AABEDAA1D430AE07651C65CABB226B482426960307F457B665686FB846C740B7F26EDE1C4607D8F294467547DAB8590E3C017EDDE4855F3C4934914F7
                            Malicious:true
                            Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*......x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                            Process:C:\Users\user\Desktop\java_update.exe
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):4395184
                            Entropy (8bit):5.936769631564012
                            Encrypted:false
                            SSDEEP:98304:eXuo5RMru45b5dZlAj0sqW7YDKMzVwgBWMTwLe7G:gR345NRAgsr7QH6h93
                            MD5:79B2B70DAC7CA2C9EB315575E068755C
                            SHA1:CF384F4ED6E51DC0C61853DF080F4CB38738FEA5
                            SHA-256:76E95029FD569C640C864AF19AE98DFA5DEA2C6162B0BDA0137EB283A3DFA496
                            SHA-512:4EEE60388342062701C05C633C1820E8A46836DFAEAEB5EEEBFC4B4104885D3A9219DFDD7012B815F66A45DF6BBE8C3EC9C1AC27E7EE56B1EFE08A6D9149DD8E
                            Malicious:true
                            Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*......x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                            Process:C:\Users\user\Desktop\java_update.exe
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):603928
                            Entropy (8bit):6.5283708663431606
                            Encrypted:false
                            SSDEEP:12288:/zKRgqBDxoiPCLXHLuk/Wg4Reh2mbeF+IGboJdx:rKgMxoiPoXruPi/++IvJdx
                            MD5:C05D4CEB93DF5A97C92332C30BFBBEFE
                            SHA1:756FE7D0F337C9434F289D4210C1FDD8AEFE3D5D
                            SHA-256:C896D6442442C7A1254A64A9C1934CCD4D26A2776E8B89231F22B0E09D086A40
                            SHA-512:06ED302B61C0DA6C490ADFB097A25F4C6F9D03085828CDEAE8A7AEB69769B3A41149A7645C9D198BEF862B18047B99606B5891064A0BD09C36178AFB3017EC7A
                            Malicious:true
                            Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*......x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                            Process:C:\Users\user\Desktop\java_update.exe
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):507024
                            Entropy (8bit):6.142966147544941
                            Encrypted:false
                            SSDEEP:6144:Pu3yrmBq0RYSv3A5DhW15yChMFt2XTNJWLgCWzzYhPRt+:BrmBjYuALWJMn2XTmL7hPH+
                            MD5:28AD0BC8CBF0F937FA0793A069EEE72C
                            SHA1:190CEF5090018E9BE02DCB8D80193323449BD938
                            SHA-256:2A9FBCE0BF953A54CFA2124AE4E699B981D4CB9485543F40B28CD952C65D8744
                            SHA-512:478EFDF0D097B6977495FFBA953D7494FD72E98DFBFF4C70808378F2EE3FD90C79722E70698081E20540242FA005DF756857BE18BDA3EBEE5BE952BBC61A3254
                            Malicious:true
                            Process:C:\Users\user\Desktop\java_update.exe
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):251560
                            Entropy (8bit):6.617081143188022
                            Encrypted:false
                            SSDEEP:6144:PuDomAAOwPcPIqk4Vsvt0uews+qZP9zOPBxGiryKI:0sAETlVsKzZPixGBKI
                            MD5:6ED3FDB228C401F308ADA52D82C6A2AC
                            SHA1:D5AFF2386B2708D10F68515D0D010E83CABA20E6
                            SHA-256:D5A201D9C7373DD91395EA5B24985E9984F3ADA0CBAD869248EC975B80707184
                            SHA-512:5431E81924400874EA1173F02B2404BB7C43E8BC158E092C43F4FA071810472E845AC76DEB7716A265A79F357BB07106D2574E3E6F5D2448761BE74F8A694493
                            Malicious:true
                            Process:C:\Users\user\Desktop\java_update.exe
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):751720
                            Entropy (8bit):6.630099780481392
                            Encrypted:false
                            SSDEEP:12288:vdI8PdgELg6eaBlnjlZcTerWv+xdeFhvCs9TukINOW:va8PWELTBlZ+erw+xdeFUsUkEh
                            MD5:7503967B649C070ECF4324AD7B82C67D
                            SHA1:BA5AA539F9AFF806A5B83417290BF1251D24490A
                            SHA-256:2C336BF005CD201043984D768114341FB8B0E8C626A11465A60DF854EF0B2984
                            SHA-512:EEABBA2E510054D3A93E9EAE0563CAF46474757E9AD72F79D2D254C783345067D6D0FB46E85A631030A0242789FA3F3B918EDECC8DCC953EDF0283447C19565B
                            Malicious:true
                            Process:C:\Users\user\Desktop\java_update.exe
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):161968
                            Entropy (8bit):6.521602439211849
                            Encrypted:false
                            SSDEEP:3072:zr8WDrCmNDS5lSkjITI1FeBT77NDS5lS3j+Wzy6oUSA7hZ:PumNDS5lSyFeBTfNDS5lS7zUrsZ
                            MD5:B3E7C226A4A331C7E684E40A5EA2F167
                            SHA1:A2DAF5332D21746897EEC7B131374026FC0A6F4E
                            SHA-256:8D819080F7EF8DCD45E539C64026D93F09C51C80DBC86BE86843D09A6B5FAFA5
                            SHA-512:2D2DE9E732D6E63BFB666BA7B80F6A36BF85FC56E43F6064C62BCC557D1372F29C97510304201BC3AEBF6B6FF821F3226BFFA11457D868D5430566CE260499D5
                            Malicious:true
                            Process:C:\Windows\svchost.com
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):159560
                            Entropy (8bit):6.570907498262082
                            Encrypted:false
                            SSDEEP:3072:zr8WDrCGklWPsom9TiWWWWWWWQM+FtWAzhIwaeENinkf8xw3xUFv2tGPrtPmF:Pukb5zPaNQnBxw34Oita
                            MD5:C59DC4806618B251A7D2DF183DC2F424
                            SHA1:F1DC673B63BAA54B719167BAFDB33FF6C31BA67C
                            SHA-256:A4817EA9A097D7F66D25BE68972A63E0C5BA7B6FF75FEA4A962C848CAFAB35B8
                            SHA-512:71E9945E2E097640D4143198C13C5DBEC8340F8278306A34E017C3DE4A9BD0E88FB2C8DCF3A074935ACA32F329C440760980D1E8D47612F77958B108AE5581D0
                            Malicious:true
                            Process:C:\Users\user\Desktop\java_update.exe
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):2233240
                            Entropy (8bit):6.296579565439519
                            Encrypted:false
                            SSDEEP:24576:HDZgOA74U4o//sbtwvZTqFDk9sg71SmY90gh/G7QJoma+9duNGeVG29H:jqHVhTr5UmY90sGE5dIDG29H
                            MD5:F1DE18FEED22A8E7630AEC79D099A8D4
                            SHA1:7F500779BD5900802BE6378DDC6914D865823614
                            SHA-256:34A7FBF7E86EED217C78BEB3D623DA57628EBFA8C5BC9EE2565BDAA51538A696
                            SHA-512:C1EF91874D23626BAD6BB799ED2F1ED238429FA147F5EAEB955EDC51CAAD7F6325CEB6C554E3D15D598E4A54C77EF077D903FCC3DA093F0375765E68E6B40A75
                            Malicious:true
                            Process:C:\Users\user\Desktop\java_update.exe
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):214432
                            Entropy (8bit):5.989123271366133
                            Encrypted:false
                            SSDEEP:3072:zr8WDrCeVFptXofXXXXXXuh9gLzltw6Q1hqOJHrtTh:PuytXofXXXXXXASLzb9uhqK
                            MD5:9F2A347123D639951FEE07457AAF9843
                            SHA1:7519B79067F897D426E58DB4904F02ACEF2593A8
                            SHA-256:C3AA5CFB1C2128BDD9A182170F993EA252CC57A69F2568B9BE61107AFD5CB512
                            SHA-512:0402D3741F1C4A22835C59CD5A944D7762C0568E836CBDE8BC7BC389C7CF784D0A0C9F8A03B44A4241F6CE2545334222046B847A2B56AD5E4E182C959AA0A090
                            Malicious:true
                            Process:C:\Windows\svchost.com
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):620840
                            Entropy (8bit):6.5831228635669286
                            Encrypted:false
                            SSDEEP:12288:moBdI/BUQtsfBCegl2eccL1q/xRyye7BfcwqEhDe:moM/BB0Bml2m1q/xRPCcwFC
                            MD5:6892F37A015DB48C0CA5FA54DF6D7CB2
                            SHA1:65B2ABD3F0868D94F913387DD198336E9EAA2B57
                            SHA-256:9E7D2DCF0E2B775911356828FCD8A6DC3217031ED3E746D31DE5855238D7289B
                            SHA-512:6A7222CECE8289A43290E90F118CFD452F81023420491933FEDEA439D3D6AB7FF7488F41FE99F339B51A775AA27F1A717FBBAF08FCF29DDECE0CCA459139BC6E
                            Malicious:true
                            Process:C:\Users\user\Desktop\java_update.exe
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):1568248
                            Entropy (8bit):5.675085165215227
                            Encrypted:false
                            SSDEEP:12288:uwF+k53zCG2tIuQ6DtJQSZDhLOhkZzV5i9w/lmd+jrcUiACW:rFXG6uQ6D9L2uV50AlmsjYUiAB
                            MD5:F2FEC0ED0FCF36092C073FC597FD1C55
                            SHA1:42C48161899442B2DB934156B56F971ABF1E2038
                            SHA-256:9A3AEEE8B7D73C4F99C36B0039840B748F0AC01B9A4A3C4B5FA2B092636C0B88
                            SHA-512:A7FBA18577A07B30F7E1417B318A5904CA355F2D126A8120E22466B4FA9D028E24E03B79D661D361B6DD38DFABA1A5096634E0E36E63A7D27C396D3625A22FA0
                            Malicious:true
                            Process:C:\Users\user\Desktop\java_update.exe
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):634800
                            Entropy (8bit):6.707249248874713
                            Encrypted:false
                            SSDEEP:12288:ff/4sOdw+RfEB6tuAlnWhGZco6ijmn5jFTSt7yCPUkazi7JThVoSZeR6aQTJ:X/4Vdw+Ra6V6g2kazidN6SoEVF
                            MD5:566DCF1D1A91B81E2353CAD864F7C959
                            SHA1:A8A04AD99971D86C04C154B62AB309DD114FDC3E
                            SHA-256:B1C16EA839550EAE959FDECA318372B0FE11613F581445BB4CFB0AEA77D0FADC
                            SHA-512:3D233B07750A27792370E553B03A9479390A589942FAE8A0447A2CA08C27EFC719DFC4BF51051531C605F7E247430471F38C2FB2F603C4299494136EFF0C8A82
                            Malicious:true
                            Process:C:\Users\user\Desktop\java_update.exe
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):748192
                            Entropy (8bit):6.7117628320084215
                            Encrypted:false
                            SSDEEP:12288:mKxLM1deLycUTc1kZi7zb1QRHhhj7WGvF5PYcdTFtZ3G97aSDGGHrbTwqFwydBf6:myY14evTc1kZi7zb1KHL8vbTlwOBC
                            MD5:A51DD395B5FF4E05F08B338BBDFAF609
                            SHA1:660F1465BB464AEC6C3E6D7D1D3336DB6D5D9CF3
                            SHA-256:EB23B91782FCFEB4CE7032F285E6DA040C68000CA460A7FBBE161978125EC349
                            SHA-512:2370CAA42CB55AE3414ED2CC5ED8AD47BB077A581055891836C74A237FE467960AFDB78DC21B0B9461D6FAA1E27EF6F584886113D5D6CDD188B41266E47D54B5
                            Malicious:true
                            Process:C:\Windows\svchost.com
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):1917048
                            Entropy (8bit):3.839578576312592
                            Encrypted:false
                            SSDEEP:6144:PuoBeXsm81c57ZXFzY5Ucyw4TapP25xxlq4cUcMeTOMzwMwZ:TKs78A5UcyOPexxPcUcMeyvZ
                            MD5:451A02B8E292FBD664B654C28C31F8B9
                            SHA1:7FFA3FE4C28716A3BC2D80779BDD7F23C54F5327
                            SHA-256:0C7DECF13C25A15488EF9E271A1181BBE8A36A183250997ABB1BD21D7BF097F4
                            SHA-512:DB59EEFBEFD8734F2B80E314B0F4DE21EBDAA23042226FDEE4671B04A7292F0ABFD6A8E20BDFF977C39EA6FDE37FA02BE69EB2342D65A335E53748314374CDE2
                            Malicious:true
                            Process:C:\Users\user\Desktop\java_update.exe
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):4099520
                            Entropy (8bit):3.7214924488610253
                            Encrypted:false
                            SSDEEP:12288:jyKs7cvZIFpCYVIUN2mGsb8HtkLaHLH04cLbUBRjLmP29DyZbT9oc/m06aCzE6hE:jyKsY+dy0ZScIBqBT11S0
                            MD5:2D199B2128DB10FAB5D5B9E42012C0C3
                            SHA1:B62D19530CE4FE15B51617B1E3A2B7049BFB0A6F
                            SHA-256:A121D7A3A63D19B05BE33BA7C2391F206E47681FA284E7CA291A5431661B67FB
                            SHA-512:022EF54CDCF41E1C8FF0511D9E5AF928394213321571B1C9BF1E6B3AA1D5FB1E29061E5C191B7669F7E2A739B9746312C091D7DDD7F8882145F09FD8B346F4B3
                            Malicious:true
                            Process:C:\Users\user\Desktop\java_update.exe
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):452120
                            Entropy (8bit):6.064959023307563
                            Encrypted:false
                            SSDEEP:6144:Pu7vhCpFviM0OKAOVf3m+2fCz29fx8/eAeTu:CEpFVKj3mFn9q
                            MD5:34D25D2E6B58568411FAD456684772FD
                            SHA1:5D9146208EBD9CD2AB1A7B83D90A60205AA2EE9E
                            SHA-256:1273B781FF6EE61A3C58A43AF145B03E36274A6B16297BB8A2E13164349242B2
                            SHA-512:87DCB3986A415E45C274F2855EB7DA68AA3C36D7A71AC77DAE3E027018003D47BC330B2587AEE4DF7F62BEAE7B4ABB0BA5F0A672D8E0DA23CB6B066AF75BA234
                            Malicious:true
                            Process:C:\Windows\svchost.com
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):116664
                            Entropy (8bit):6.585821757768255
                            Encrypted:false
                            SSDEEP:3072:zr8WDrCtuGaz7jFQ68ICP5q0WISDr34W+wst:PutRazrA5q0WISDrZS
                            MD5:40A8D5EE6521EA8FC13C48C47C9B57B6
                            SHA1:5FB8A2379097B79DBB9B165F7C487D20DC1625F2
                            SHA-256:AC909FA0CFE8E16CB2A414A4B0F0B44E0D10085ECAE1D9F53A8C202DC054154C
                            SHA-512:333184A3A961A38C6F09B279B7BF1A31FA4FBB0405CD4D39075A52554ECB8A1C23454D02CA63698327C70C5AE1C32340561C0C6F33A88ABDEF544F65AD42F35E
                            Malicious:true
                            Process:C:\Windows\svchost.com
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):167392
                            Entropy (8bit):6.5469411407981974
                            Encrypted:false
                            SSDEEP:3072:zr8WDrCcWKZbTKeR3Tzp+8IxR8jYYrjHaVLIPSL1CgNX:PucWK11Rp+8II5SLUgp
                            MD5:67496215F23C3D121C3716927553975E
                            SHA1:3FB19B3855F6FEDCFCEAE694DC5C28683E3653F4
                            SHA-256:D0C2DF02E3DED17200DC56B693F52B47E7D960D05C6B6B5F7716997419303ECB
                            SHA-512:0EB0D378F109604C568C732A197D9412A65221A4AD36889873EA3652D5D0382D40C9D5B38BD51F501E4BD55BFE2A326AE4D06F485D3129C9A2AC1C11CAFC0567
                            Malicious:true
                            Process:C:\Windows\svchost.com
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):712400
                            Entropy (8bit):6.045734661911484
                            Encrypted:false
                            SSDEEP:12288:+wbRB+ZRhFfGNpzX5PtiPWRnTLtx5eq4/RnYRoS2Ds+2EYR1XLlShtg7ksyST2Ro:+wbT+ZR3fGrzX5PtiPWRnTLtx5eq4/RV
                            MD5:CABB9381BF251A59E6F5A31C7F505220
                            SHA1:8823B336B342D79D76B6ADE82E253605A9057456
                            SHA-256:69F0F5A81B819BE0FCC1FCB9E8B6AB07D2D4FFE5B4A13B57169C2C0D9FA9AE6E
                            SHA-512:3A3120ECC5A6484D6E9D10A25F8FB1ED6E1D0CC8A339D5031FAC1BB40C1C3B42E5F591FD6161C1B37CE1990F103FA9E5A7678B64CA2025363F1B1A3B9173D6FE
                            Malicious:true
                            Process:C:\Windows\svchost.com
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):115920
                            Entropy (8bit):6.214080793399046
                            Encrypted:false
                            SSDEEP:1536:yxqjQ+P04wsZLnDrCiwyK75Rp1Ukkz2zct/rzdaBotnMuvWM6TUaE:zr8WDrCiwyK1Fiz2ir+o5vWM6TUaE
                            MD5:851430DBF73C5925ED0C0AB46B4704FF
                            SHA1:794C0FF390BE93A23BF28DDBE9DD26B81604BF5E
                            SHA-256:F6F47F6D0027988B9DD6171C72257050C195ABDA9CE45346C01D000AD35998B1
                            SHA-512:A8A081DFEB1D4491392013A1C14F95A40AB8DEF526294DD47B5F289ECC5C232D7437E4E0AA0E21A817F049F5FCD9EC7859E8A32FECE58749F89A34F6FCF83882
                            Malicious:true
                            Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*......x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                            Process:C:\Users\user\Desktop\java_update.exe
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):137776
                            Entropy (8bit):6.525052332322423
                            Encrypted:false
                            SSDEEP:1536:yxqjQ+P04wsZLnDrC1LS+I1HtQdiHN4zbyezltnzGd1XuDxhkrTJwNZ5wmW1aHba:zr8WDrC2Mi+zWeXdswvqiHm
                            MD5:27361BE6CB3788839CD6DF5A0A636A6E
                            SHA1:A8D3D9E774B7D76F00D10AB28DE26BBCCBC676DB
                            SHA-256:A92037FDB4FE25E454D66D24177DD12FE89FAA6F11D0CEEADC687EF824CC3DE1
                            SHA-512:3E8E821A4419C45FFA5F15AE574673684B25BDF310D48ED143D2EE6DE19F32F75C7DA0B9AFAFD3C4B27136E0C8632C092E365101E31E559AF731802D38B180F9
                            Malicious:true
                            Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*......x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                            Process:C:\Windows\svchost.com
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):1206680
                            Entropy (8bit):4.882283973567494
                            Encrypted:false
                            SSDEEP:12288:Y61ZFViRpx5tuwZl4asd/arEISgX0IkEMhTy:Y61jViRTfVINdCr6gX0hEl
                            MD5:F0692573BEC940B10989FB076CF592CF
                            SHA1:767783B45CB33834116997839FD3FE8CC197A906
                            SHA-256:5ACCAE35532575F704C11E35DE05F5EC6C3A30D56AF91C2D22510157FC131607
                            SHA-512:8F0F2881459C49C2F4F2A2E74D463871C157610ACF4FDBBE48FBD14B1798FEE8820822B4A5ED32F7FE871429E91A94859EAA7FD2798062723E594CDBA1364644
                            Malicious:true
                            Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*......x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                            Process:C:\Users\user\Desktop\java_update.exe
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):400336
                            Entropy (8bit):6.659452867927771
                            Encrypted:false
                            SSDEEP:12288:w1rOCPapfd5bhooUBuFiExw/LXa20Dj6EzfJ:8rfIbbhooUBu3wzXa/Dj64
                            MD5:3F124E3F206A45B5250F2C1F482B2352
                            SHA1:2F23D83DC65BDEE9E726FB20052F01AA53D693F0
                            SHA-256:D9D8BDCD8F5BBC87F755DBD7D8D0C7EF52C98A0E3539C8D27C08D3C45888C2C0
                            SHA-512:C186E181EEAB666FA4E97FA5B750394421832221B5DF740BA6985AE8EBC49EF67969FD6F429C8F6094CC94EC548CBB3E10A473EE8A2FD52FA00110B6DA44B214
                            Malicious:true
                            Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*......x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                            Process:C:\Windows\svchost.com
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):1662344
                            Entropy (8bit):4.281575468495792
                            Encrypted:false
                            SSDEEP:3072:zr8WDrCPK2OKsuWoZEsVK2OKsuWoZEckAQckAIDpAPfKrss1yyKrss1yAZDvYbNs:PulztkAzkAZqrEdrEAZUCwFjNNYEzcL
                            MD5:0861465FD197D10AC5A8C37CE7B6AA62
                            SHA1:2D76D722FD6806A45ABB733FD1E54288DFD3A05C
                            SHA-256:7812FB1CD726D81ACC193605C5C9EEDF84FCB4A3A912FD5B9012A1A0DD27D5A2
                            SHA-512:C019C0EB50A41C009E5878FA4AD38EDA155F79573C9755F2E334BAB3D75B480BB2C20988A560C1CAEAD8198A1AD60A0A4FECC74EEC2EE016CC37D2300B72BBFD
                            Malicious:true
                            Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*......x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                            Process:C:\Users\user\Desktop\java_update.exe
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):3531712
                            Entropy (8bit):3.7839855914258114
                            Encrypted:false
                            SSDEEP:6144:Pu/gSRJQYKV++VYwjatvsDVpDsehRAKzYM:yQYZTWbDj5
                            MD5:ACFE1EB24D010D197779C47023305858
                            SHA1:5EF31BA99319ED468EC9DCB8BF43C888B5A8B48F
                            SHA-256:D937B616BB6403C2D0AA39C3BDEFC7A07023C18B2FE1F4AFBB9400AFF2CBEB1F
                            SHA-512:048FEEE926AD593265180CE8E07858E28BDB2876A6A41250B9AEDA024429CA89D9A17C1C7FFA2ED73E0349B3F681A92F22730CEE69F411D3698FD5557A5CD027
                            Malicious:true
                            Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*......x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                            Process:C:\Users\user\Desktop\java_update.exe
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):83880
                            Entropy (8bit):6.544402115664437
                            Encrypted:false
                            SSDEEP:1536:yxqjQ+P04wsZLnDrCSKfEBr3fHT4nAzHGkYJ+ziw6+zb:zr8WDrCSPh3IAzHGEJn
                            MD5:9A1EAF11C3B1BEE44C0D97E873DB00C9
                            SHA1:BD3A58C465171616D344DA00D97D5D49D4097FDC
                            SHA-256:A1C8367E088D3CC9FD2D7428A2A220AA76E64096155932A6622023DE677CF804
                            SHA-512:6A4A27DFF5939A527C9BE720FDEB7F65558D1A948AF175CD3244E87D9EFCA085B6A51D93E09D5178F05B29DC1334644E9532066C5A47F5C65BC60D27509C14D2
                            Malicious:true
                            Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*......x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                            Process:C:\Windows\svchost.com
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):4319112
                            Entropy (8bit):3.816408890865793
                            Encrypted:false
                            SSDEEP:6144:PuXUh82lTMY/C3uuQyMyquNlBXYJ7M444IB:okyIgG47B
                            MD5:0DF102A9ED5DDD0C490485998934BED6
                            SHA1:B973807A3692668055A35A29C53C7F38669C8856
                            SHA-256:9B42DD935106C8B407E7C607D3CD0AF533DFA3076576AC7EA2D838901CC6B4E2
                            SHA-512:497E2C814A5B8B412540018D9BB5B3A47E0545FC7C280DB710052C8F77FF593E58881348B237FA892F7E208B632921D0962266E60CC5797389DA0122525AD496
                            Malicious:true
                            Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*......x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                            Process:C:\Users\user\Desktop\java_update.exe
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):785448
                            Entropy (8bit):3.938581251810774
                            Encrypted:false
                            SSDEEP:6144:PurWSXeSC+hBMdNRneNMToeGYeneqjpGtBlmF:2LevUEcLe9l2
                            MD5:B3C5F9613FB03A2AA578C29371295F77
                            SHA1:32F9D3D1BF7BA8F34742900B9DA4A0FCF0F975CF
                            SHA-256:08320B97919246079B98A5BFD40A67B5DA1452B166F2B9859E21D339998162D1
                            SHA-512:5037960BC459159BA3D534B7585D6CD172A5563E075FE98EF1932EBA2BD65BCA37B99D782B1EAB5C33ADBA30DC63E8627140D60BD9028112D01BB9EE5A02EF15
                            Malicious:true
                            Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*......x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                            Process:C:\Users\user\Desktop\java_update.exe
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):1081280
                            Entropy (8bit):3.77728660153312
                            Encrypted:false
                            SSDEEP:3072:zr8WDrCqyTUawK12P04ti0o5gmQNJDJnJG20FxPlJPJSS12Zzwww6G:Puqs4wqmQN59wtSS2zwmG
                            MD5:1D272485264476CF04C454866CFB49BA
                            SHA1:9D13F47B98D36D3A64AFF45A9A04B17925898F5C
                            SHA-256:F66B02E79D6DE29DBA8C76616B3F47DF597B386AB58DB30FA7E805E36FA7982E
                            SHA-512:797B422388439BC78DA413ECC6749945ED4EA94D354ECEB21C1BEC10C5FA9A955DD02EC79626EB8996CEB36A82FD9D0EBB2F43EA1DF7CE94E8B0CD2D75A1A69C
                            Malicious:true
                            Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*......x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                            Process:C:\Users\user\Desktop\java_update.exe
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):1722808
                            Entropy (8bit):6.4866587360850705
                            Encrypted:false
                            SSDEEP:49152:Ruoh1EWXRkd+h9y6NsRZ9MtL4kD5G5LVuhqITJemL9SQM3:RuohO2km9PNsRZ9MtL4ktG5LV93
                            MD5:17B2C86B269267F4B810DBC51E6D793A
                            SHA1:C14E9803B1D7DFBE027BE258957E23D7240C1625
                            SHA-256:1EFA16D52D508905C4DBBDE4F450AE4511572E20DFC2AC930623C307410CB735
                            SHA-512:B57B92283117554D2F7EF7E85613501F8EB3619980260CE427EAF443729417409BF8C6FA6FB4E1599BFD6EF0B3AC51955CA5CDCB63E9A7B9D680C960FE6545EC
                            Malicious:true
                            Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*......x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                            Process:C:\Users\user\Desktop\java_update.exe
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):307784
                            Entropy (8bit):6.541340621340083
                            Encrypted:false
                            SSDEEP:6144:Pue+OpwoajoJ/cLr6eNI0A2kg79zge/ceeE1+v:3DWhS5g72veeU+v
                            MD5:84FFBDBA0110417D41CECC2E90471C0B
                            SHA1:3BD410023FAAB616BD19316FC7DA4CF8061843E0
                            SHA-256:4C46A3280A95DA909745B05317CC39ABF3C631F79F127F191F1E5AE202A636C9
                            SHA-512:FA4B33C8848F4A31D8ABF850997C2311B246EE0103A28A23A688F8FD8DBB2621AB7272DA1CE0C8447F6E8BF4ED97A007599CCBA36A431E5E0CD2BB4E5768FEF7
                            Malicious:true
                            Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*......x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                            Process:C:\Users\user\Desktop\java_update.exe
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):97920
                            Entropy (8bit):6.434533395747017
                            Encrypted:false
                            SSDEEP:1536:yxqjQ+P04wsZLnDrC8zKAtCz72I/Q/RPTO5piDDFwzS:zr8WDrC8uFvgy5piDD6zS
                            MD5:B35E1DBEB6DE3D98F0D02D5FE062688A
                            SHA1:F4C8399B000865937C933ED4D3F7443A6395136A
                            SHA-256:BD9D62FD719401FAE645118FBB811EEFA626A2E796FAAF41FF43AE971C46F9C2
                            SHA-512:D61B9DE832AD9E160B108640E372DB887D32A4B6CA62652E04410BE0DA0859B79E76FA48B5DB95FFD4A8FFC786D7BC3AC1ECC1964CB3D03385BB2A2AFD923818
                            Malicious:true
                            Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*......x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                            Process:C:\Windows\svchost.com
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):1994448
                            Entropy (8bit):6.5494262482330186
                            Encrypted:false
                            SSDEEP:49152:7l8U9+tiqfG7C+5I6ZOX0Bh4MdDHc/EBRXXZUABfmcQ:7l8+++7hOXODHc/EdQ
                            MD5:611A0196619175CA423FC87C3C2B0D17
                            SHA1:426524B4E733928688F2CA5E61E110D9BA5E98EA
                            SHA-256:EA42CCC4A3105C8D1081D6803C17D7F898F8AE86AFAE34BB3718B15CE1087D55
                            SHA-512:6C130A7C935B867353F7E77D0C84BC3F3EE0176ED2327D60969838C409ADC51B2C3B00AC449EFED7327DCFB07007C3D02ED708D2D37837BCB754F25CC60CE7B4
                            Malicious:true
                            Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*......x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                            Process:C:\Users\user\Desktop\java_update.exe
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):275872
                            Entropy (8bit):4.230454715080273
                            Encrypted:false
                            SSDEEP:1536:yxqjQ+P04wsZLnDrCj6gJJRaCAd1uhNRu7z3zHt4s+zbCtbCc0xXNmi9RHYOqEWu:zr8WDrCj6gxe7z3OzY+9jTYbE+la
                            MD5:22141258122C8809D46DA57222A24EEE
                            SHA1:CC72AAA1EA2A67D33DA8538B31089041F666B8AF
                            SHA-256:7259EFF7EA95C215CEFE5961BD9F4B7387836AE18722ADC9E075552AC20CD23F
                            SHA-512:33BE388FFD3654417966295BF29141550D23DFC1A9832565AE50D488C2C0FD0078E69862CBB2B105A491EED02009B40FEC16EE498BADD06F4D2BB5B18D2CEA5B
                            Malicious:true
                            Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*......x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                            Process:C:\Users\user\Desktop\java_update.exe
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):751520
                            Entropy (8bit):6.5225913014857735
                            Encrypted:false
                            SSDEEP:12288:DccV8BFJ0kz4uP9V6wY2M48aVNfffNfYRweSat8UVNfffNfRtAUUn4lDW7f5sBzl:DOFJbl/6r2M48aVNfffNfWVNfffNfDw+
                            MD5:5FB2510E2322EB38DBE1414EB158EF02
                            SHA1:974C5E74E4D9CBEB1A1BFBA2348E13659578BC38
                            SHA-256:7BEA8CDAEEEAB13F9E3C82D520AFD1C8F33A34B519D1FF6B62628DD5C3D9974C
                            SHA-512:066195CBFFE4C2EE4D8E39D0C1D7F58A8E54388F22BFF619CCC0E1CD2BCF350A8D81D254C6045F6506EC33F3CB7ACE2C3CA7E77DD05DD05AD6B18F87BB457359
                            Malicious:true
                            Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*......x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                            Process:C:\Windows\svchost.com
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):182712
                            Entropy (8bit):6.321044292407141
                            Encrypted:false
                            SSDEEP:3072:zr8WDrC3DbGpEPwVH+lMCNy0GEVVS1ikLrDdevXqHai8MBEL4:Pu3XSSwVgvfkhvzHcWEM
                            MD5:D6A43031983F75E73D90D8F8F6EE65F3
                            SHA1:891DE44CFCE6AC6BC790C766971D94872E8A5073
                            SHA-256:28BDD891C54357A87F38A2BF6705BC1B2B6989B5BD3BF4CA750829FBD7FA2B51
                            SHA-512:0A96059DE916DC162D297D78AC26B8FAB136E475E2A622CF736E84FCEFAE57C2861D24121E6B87FA70F25401BC8870BB9F2434DFFF77B70E396AE3775DDB2416
                            Malicious:true
                            Process:C:\Windows\svchost.com
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):5174360
                            Entropy (8bit):7.263145839410475
                            Encrypted:false
                            SSDEEP:49152:v/xFnOvtaWIDn0apLKkLJU9nU2foKhA4vSWidGHp+NDGQUzbpDOfjxAkrQKl+RPp:RtLK3BDhtvS0Hpe4zbpaAKQkroGIz
                            MD5:24FC272DC719890D04C1E6804B0E3D70
                            SHA1:8806FFAF77CC4AC229326C83A05472FD7CBB422D
                            SHA-256:4400C0D026FD13A51AE0CF1154B2A165BD488EBBC7B1FE8BE9649D72D13DA4AB
                            SHA-512:F0D1B9E257B95883AE5F259D749CCAD6B1CF51DD229F602731F377786E161A62784D4F6B96C6535E412761E8D1154B8449A77D05DF8890F2561FBDE5A9D62F38
                            Malicious:true
                            Process:C:\Windows\svchost.com
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):139712
                            Entropy (8bit):6.519874180004667
                            Encrypted:false
                            SSDEEP:3072:zr8WDrCGU5adWAKmzUccnzkVBgEuKjj0WWtPPoI:Put+EjzCg+j6P3
                            MD5:7939D58529E97846AD3CE93D63C2778B
                            SHA1:36E2D3DAF36C2D0208971A66DAA273B627D43D9E
                            SHA-256:131DB672352CDE0AB0154F4E5EE0FD28F93494F5D35FE9572BE2C6BE29467838
                            SHA-512:05D79A0F03D4087C970B5E4EA7B08AFAA3C86EB8B8CB4E5F3658DB71CC2DAD969351A1B37FF5384513132846B7B9F022AA5863D02245FBDBE32E4609E3729C9E
                            Malicious:true
                            Process:C:\Users\user\Desktop\java_update.exe
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):380368
                            Entropy (8bit):6.674833575620702
                            Encrypted:false
                            SSDEEP:6144:PulzgSb/029S2P/7nzGxFrRN0r0ivCZci1FXiO8DaS4wwE0CBlFJmcx:Xw/2q/roN7ivCZci1FC74wdBlFYU
                            MD5:10DAF38B33648DB8EC4CAF569EFB8325
                            SHA1:D226C4CB3EAC2BBB40C7070DF3360DA6087EF85D
                            SHA-256:3ED456CAFC1F681A4823411C4F931DB89A14DD1F4C439814E3C69780F489FB33
                            SHA-512:8D0975F6C992DEA085532A41B8542D44CBA540DF7BABF1F81E1EF5A5CFA2CCBA010264B2E96F92CFBFF0A8EEEF18BA90CEC3A0639999FBEBF98EFC4188BD24DC
                            Malicious:true
                            Process:C:\Windows\svchost.com
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):1269696
                            Entropy (8bit):3.7496395278811394
                            Encrypted:false
                            SSDEEP:6144:PuTvk8/0NhFYAddenZhUhTNnLUrh+9nTGLljX4wuSzVF:C4wXF
                            MD5:622DF9CBD4454B7D31D93A8FF26986A7
                            SHA1:D9B343BDE5D6038757BD9D3FC3A1DB5D44FCC406
                            SHA-256:1BC8B5224D1EC7C1A84FE6BE3D1FC2584C4407F4776BE701311B5F59CC6B2F72
                            SHA-512:CB62A86DF9A944F1BA87FEB86CCBB4C8FE34518F5701B513FC0C837E37E9E0F3D2BCB392FAC866C30D6AED8DFF4B65789134FDFA21B62A049FA701C2BBD86272
                            Malicious:true
                            Process:C:\Users\user\Desktop\java_update.exe
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):266648
                            Entropy (8bit):4.185481008908313
                            Encrypted:false
                            SSDEEP:1536:yxqjQ+P04wsZLnDrCyRaCAd1uhNRuiazvhzpwtWhz7I3EWwwrwYx6RPWdn6ysl4a:zr8WDrCgezzvhF1h3wEWwwbx6ksl4D
                            MD5:63852098CCC25D5425C739E6CAD65F4E
                            SHA1:DE0C1A4DCA860867D769B155909B5B26323FE00E
                            SHA-256:1DF1BE777988330F8D3E437175CA8B9D1CF4AB2C6328EA700013A5A0D766715A
                            SHA-512:E6893FD4B8D212754383C86CF493242C8A15408742FF6DBD01A8B6B056EE6F6C359E6E87ABD63628FB54D3719B4C0C9731CA7712C7C78D0CDE7E1231BF814081
                            Malicious:true
                            Process:C:\Users\user\Desktop\java_update.exe
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):757232
                            Entropy (8bit):6.507776342309189
                            Encrypted:false
                            SSDEEP:12288:U4tuuLntIMDXw5vde5EFf1Pmbd3lSz3dfp1Swf5M0blmFKuJOJZM30j:7tFDKMg4iX3djfy0blmFlme30
                            MD5:C5B5E0CF099BE7D3739C3229560233AA
                            SHA1:4806FF225942F85F309C05DFB4C401F051E479F1
                            SHA-256:3ACE3886E313B08D4E9F9920047272B140FE7DE8CC65F68C2461F52FAB6ABC70
                            SHA-512:4356ED0B8AEB195FF8CA1C4C48EC0B129B720FC573EA6D02CB01943F9F0301F1FD5FB43071DDBEC3E5EC5228158AFFBB40A1E97659BA0B86E29EE77CA75550A2
                            Malicious:true
                            Process:C:\Windows\svchost.com
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):619944
                            Entropy (8bit):6.637875601699727
                            Encrypted:false
                            SSDEEP:12288:NM/Of/Bboj+clWnIKgrP6TFPLNWuX4Pemn3oi8ky9Q8WSe/aSqizuO1qukdQAPnQ:u8JgryFPLNWuX40RulAPn1OcnGVNfffl
                            MD5:7A16124F85B72495EE1FE9F639B9231C
                            SHA1:6BEC7715F9FBA90EA72176E9211A7D2B66CD2711
                            SHA-256:6EC71D7BD6697603174EF482893A6AB891B7C056F407AB7071C4C05B905D3360
                            SHA-512:55B7DE7FF27C529E2A13E37C8A5973592865D19FF493F01C6413F6D2921EB08A6225614A9B1A0CF9701397EFF8917C1DB84C3789A915FBDBDC0ACF9BC63ABA17
                            Malicious:true
                            Process:C:\Windows\svchost.com
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):150416
                            Entropy (8bit):6.494866167569868
                            Encrypted:false
                            SSDEEP:3072:zr8WDrCsQPtLW7twRxI5mc5TNN3AsdVgNwihwT3RqEM6ZOfHXb42:PusQMzhdV0nh4Hof7
                            MD5:B09DEFF61F6F9FE863E15CCEDDC41BD3
                            SHA1:A0E6EF8B3C816C2D588E9E77D08B96D3D0CB097D
                            SHA-256:2009879148C3ED6E84842B5B6FADE5C90796432F9661AEAB1F984707131A8421
                            SHA-512:08009C92E6B4E652CD6516DCE9A4E88329A7A95C8F423C224FB15B983F1F3E8B239C7FDCAF0A567DE409756B1F813099DF1F5EA26B1B1D6B66D852A2716DE79E
                            Malicious:true
                            Process:C:\Windows\svchost.com
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):306048
                            Entropy (8bit):6.581428218746521
                            Encrypted:false
                            SSDEEP:6144:Pug872jsLuLnPo2TTHswP2TGz3FUCHySYNu:/+2jsLuT3MfTGW5
                            MD5:5AA294CA5D5316224ECDB8A8AC9D9ACE
                            SHA1:6BB45B320A6A5DC78A082D9109E0D17EEF34DC56
                            SHA-256:3392949F3912C9BC7AA7F766D41DAB5CCF7897F0A7E764616C40BB88CA8A4727
                            SHA-512:5799D021A5B58CAA3D6B7A9E0D7B8F6DCAF1886BF4EC6E1BF6FE30C18D475A5F9384323064854BBC2E4B0AF7DFB1D7A7AC0FFC8D079DA3923C8BFE330F3F5D87
                            Malicious:true
                            Process:C:\Users\user\Desktop\java_update.exe
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):108448
                            Entropy (8bit):6.041379910770017
                            Encrypted:false
                            SSDEEP:1536:yxqjQ+P04wsZLnDrCWweqz1lezmtJwzojsKyyJFGgHZ//rHzb:zr8WDrCSqzXe0wSyyJFD//Hb
                            MD5:F8D9ABB1B7F268C598623F479012D0DD
                            SHA1:E79F3937B827EAB37E03C3D6083541641491E701
                            SHA-256:FD6A12A515BC65DD8D8E133E4FAF4E60A4BF4F0ADC27E7CC200A200206FA7603
                            SHA-512:0E7F482B286860CC322E8E9ABB8BFAA6C9A4C335D443F7EF0349EAF8696514CBE06D0743FBC1181FB45E6FB07E23647DD95B7362829E76DE97BF6071DE12EE31
                            Malicious:true
                            Process:C:\Users\user\Desktop\java_update.exe
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):662600
                            Entropy (8bit):5.99949921629127
                            Encrypted:false
                            SSDEEP:12288:hpo/FEVciSJJtH4PoR6moWEBfQLxZPhEx7xgtV2hv4tkYUK2tlIqR7lmNK/IKrtK:UFEWi4JtH4PoRfoFIxZPk0NKbB0R
                            MD5:972F426D9B56B37005FDABC7D334747B
                            SHA1:140458C19EDCD7C4B75586BB4DBA5930D5693DC5
                            SHA-256:5052A0F40917AF50A319DD1BC4C39A62289A0723645AEF4A0DC8DBA0DF0391D9
                            SHA-512:A4D3E9EC84C8111423CCD978081A2E95C268A177801F6B3E8F81965BE709F1F062C035A774BF9C7A706FAB67F988D3E88FC87E233C449D0179545A569EAC9DA8
                            Malicious:true
                            Process:C:\Windows\svchost.com
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):260560
                            Entropy (8bit):5.442716114061443
                            Encrypted:false
                            SSDEEP:3072:zr8WDrCl4ZAh7ULoQdHBjw8Q2pFj4+W1ISYpksZmRohnonRBfTjzJEthEWV:PulPfQdhMuj4VM8imPjGthEWV
                            MD5:1C9E01BBA5F422C56C9F336EB663411A
                            SHA1:51AF077DD40C9407BBF10ECF3C8CBF438A0FE69F
                            SHA-256:64397891801142AE1DADB7B7E7C9D72624BCE616EA76E21938ABFD415CF2BB54
                            SHA-512:F1B54EFC6744DE37E2849B0B9E69551ADFA42E8E10B73FAA0409619BBC03C0D48077C103D055CB78EB8744EC2D621EA216BEA7E8376CC36C123954BB8A00573F
                            Malicious:true
                            Process:C:\Users\user\Desktop\java_update.exe
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):4316200
                            Entropy (8bit):3.94944151526215
                            Encrypted:false
                            SSDEEP:98304:TYN3nsBQ5ghvEyqf/whWovz9hRJ5RbisrbdsPO9jXs:kN3nsBcghvEyqf/whxz9hRJ5Rbisrbdg
                            MD5:E5177F2BA7BED625FE6BBB862B03EB35
                            SHA1:87CEAE25884C255AAFFB0C1B6DF701A6F9810A92
                            SHA-256:12716752239EBC7E1E307ACB193F28C25064AA32881A8BA1F89A722CDF7B516D
                            SHA-512:DAD65683DA42933F1D7AF62235C261E20A4197B865546186127DF1A56B63657F7F9333E179B00F5948AB6CA73F6ACE241E0FCCDB5D93A793457D586DE11C8445
                            Malicious:true
                            Process:C:\Users\user\Desktop\java_update.exe
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):124056
                            Entropy (8bit):5.717272734704383
                            Encrypted:false
                            SSDEEP:1536:yxqjQ+P04wsZLnDrCCwu7mzj9zNtP9zNps8Q:zr8WDrCCLmzj9P95psb
                            MD5:69A2BD4BD404C78D413DAD66D32597C3
                            SHA1:7663FEFC203E918AA0A6618A4548B273E4AA2893
                            SHA-256:5AEAF364B4159E6603DCC5AC220765A83033E62679405C8141A4C209F89BDF6F
                            SHA-512:913C45F67F749ECAC269FBCEBDDAB2A274F274DC7FE0376FEB92C8438493FC9B8B528C48962C27B05710C8D1B48E22300002A9D7075D8FD3DEA1680C0772E9B9
                            Malicious:true
                            Process:C:\Windows\svchost.com
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):358336
                            Entropy (8bit):4.510772603696019
                            Encrypted:false
                            SSDEEP:6144:PuEyUkKOEEIK128d2VKjw0EYsfZJnPmTuJjac2a51lHpLszc/kzY56Y:Rx/B/kib
                            MD5:827D7E2C0648A1E8647744C90DDC13B1
                            SHA1:94CF03EBCDEAECECF5A4438471AD452C8FBD1699
                            SHA-256:AD4CE68BE5E3737235F7A3D3F6516B6EBF04209AA5BF2A1E929FA7FAB5F78460
                            SHA-512:41C3A9FD99483B67E99E53BA7A706B6AD3F95268F09CE15932DB08CD42ECA01AFD6D05B5FBF2947A3BAE2D01EC9D629B9C269A5B67B34853FDB83FA40FC84581
                            Malicious:true
                            Process:C:\Users\user\Desktop\java_update.exe
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):763032
                            Entropy (8bit):4.114589316949574
                            Encrypted:false
                            SSDEEP:3072:zr8WDrCcwRnjnzhCiXXXXXX1AzZwAazTwdOLxN1IHO:PucwRnj7XXXXXXSzuz8OZ
                            MD5:F898708BB5A98C216A5BDC4D8AB55F31
                            SHA1:22F8606DFCC66EAA9348FCBE454AD077C1D6BD48
                            SHA-256:9660432E007E774265D438B48100B8D6F0A98DC028D0208720FF7A76C72EA115
                            SHA-512:2518C501205897BF611DD43A462AE4F689E1C1587BD2F5F15B33CDB63CFB367A402FB4BB61FFE7A7EC23AC564DA601060011AE6B82CDB8D2E565D14F7C72505F
                            Malicious:true
                            Process:C:\Windows\svchost.com
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):895120
                            Entropy (8bit):2.964304827256967
                            Encrypted:false
                            SSDEEP:3072:zr8WDrCgfCEq7tOxIfMFzCEpAm/4rx7z1arf+9:PuJz8w
                            MD5:02B9A3A76F77E057424B70187B54E8BE
                            SHA1:3A659E76872EE3E20BA10F11D291D0BAC6EE0F66
                            SHA-256:7B044969828A96DC142FFEDEB7922A876C4CC5CB4DC073C5CA47B868D7315C4B
                            SHA-512:26D9CC3CA41BF1AA592A914DB7BDC82D7761962D7AECA6BDFC38047B39D6E1081484B5A90C009DE01D41F9CA45E54570B15AF6F10BD7E9CFD985F42B3ACF6E6E
                            Malicious:true
                            Process:C:\Users\user\Desktop\java_update.exe
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):1082008
                            Entropy (8bit):3.7732979147875136
                            Encrypted:false
                            SSDEEP:3072:zr8WDrCyo4TUawK1uT040i0ougmQmJDJnJ+20FxPlJPPSSfzZ9Ar9oN:Puv243xmQm59UtUSfz3
                            MD5:9139C2A0B4A37763278B42FA33970AD6
                            SHA1:4667B3983C739687FC50DF651F1633E1EC2DBCFF
                            SHA-256:EF91D1E371D92DBCAA676684653EE1892F901D4365F922BD6BD5833B5CD0488F
                            SHA-512:E5CE975D51D56CD5A2E4707E9E739CC68C1E297CFB030AADEB114FB61D57BC515759E3CFE89332C91F326E23EC49BE5453DDF9F6EDE550F55DCE3F8D3BF53BC5
                            Malicious:true
                            Process:C:\Windows\svchost.com
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):105440
                            Entropy (8bit):6.077342901333925
                            Encrypted:false
                            SSDEEP:1536:yxqjQ+P04wsZLnDrCqjhzxwKehzgt5t1D:zr8WDrCMhLehEthD
                            MD5:3041D08F176DA6C15446B54A11BA7772
                            SHA1:474A99A64B75751BBD04B10E7F7F2D9D43F12E6E
                            SHA-256:3E6EB6EE327A6054BA3BE5F55F3481FE3436AB3CF0F0D6FE99976472CDD02631
                            SHA-512:216E38ACBCAC94F24144566415DFB6EBC94A16E93B44E1F45B79D982523B8F4A6A2FC1AD5843C336998D30F2EBD39ACE559F93EAD1AEE696A81032CB5641202D
                            Malicious:true
                            Process:C:\Users\user\Desktop\java_update.exe
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):537536
                            Entropy (8bit):4.966282092151679
                            Encrypted:false
                            SSDEEP:3072:zr8WDrCXPMMRMMMmMMMvMMMwMMMNMMMWMMM3MMsewVOOMzMMvMMOMMMJMM2MMQMe:PuGwVR6V7byjUWAZyVVdz8eEdGo
                            MD5:565FEA50A9BDB9B4C1A88FB65316D097
                            SHA1:D98406308D5B48AB1AC35E2E866D0F1A30E37442
                            SHA-256:93A7BDC3118E56C0F2EA0CDD7718D4A7F7165B6FF6A1A4EC7912946B35DA1DB8
                            SHA-512:7C0DBBC3880E747EF11EEF454173A959F98045110BC0A851DDF1405B8DFC18A1B6F1D2321271C67B8815647698AB8754EB9C0DF226ABA598060B78580A1BE299
                            Malicious:true
                            Process:C:\Windows\svchost.com
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):1271952
                            Entropy (8bit):4.08276153361242
                            Encrypted:false
                            SSDEEP:3072:zr8WDrCf3ppPpNpDpspp/pCp0pmppdpspppRppMpLp0ppppbpQp2pphpSpXpQppt:PuIKQSNdhnSzv
                            MD5:4F7B544E82176A6591B213634C9DCBBC
                            SHA1:EAB0382F33BD32FBF05351F750014EB814CDFC07
                            SHA-256:3E8E1E8C74AC39D6663C089A3FADE84F9852F70325981F037E9CA111036448CA
                            SHA-512:C339CC8DA7001494E3D2855632837408784412412630507E52A165AB42FCE29CF0D0115D3C3475ED231B2E4A14025464FC6DA85F4AD3227822B6855117D7C604
                            Malicious:true
                            Process:C:\Users\user\Desktop\java_update.exe
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):4099760
                            Entropy (8bit):3.713997893400007
                            Encrypted:false
                            SSDEEP:12288:4BKs7fvZIFpCYVIVN2mGsb8HtVLaHw3j4cLbUBRjLFP29DyZbT9gb/m06aCzE6h9:4BKszX0FjOeblHiled/k
                            MD5:F777DDC00A55A21C9EB06E98E7AC1FB7
                            SHA1:3D24E1306438328C2FCD56503AB52D156D00B020
                            SHA-256:A7704DFE959C26840C5ACC9EFE246597A8135A07BB111EDCA18C6863242EE7CE
                            SHA-512:44C0CA654A679E30A20EB7ECF7E104CDD53C72C84E175B0CABEEF8E1226CF204DDEBE800990E1F77FA1E9C8D5FF8977FC3052F7056C96A1335E22E96BFC01983
                            Malicious:true
                            Process:C:\Users\user\Desktop\java_update.exe
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):1273488
                            Entropy (8bit):4.318016696735314
                            Encrypted:false
                            SSDEEP:3072:zr8WDrC56bZt+ATS583ONo4aezJ8ZfqiA:Pu56bZtazB
                            MD5:8014D7B281477BA8D20CF01253894A75
                            SHA1:847240AFA115E972C2115BF02965C89013BFEB8D
                            SHA-256:D78C4FE0CB9E9552A8073F6F60F5CE2D1BC9306855FF52788B8DC542C62C56B0
                            SHA-512:F66439985974204855DC81E3E43C9CECD19914DE11C72BB6EFD5CB0BC824198F0904ED5CC33975C45A02BDF0EABB979594B1A0CD793EF77A99C507CDB4F423F9
                            Malicious:true
                            Process:C:\Windows\svchost.com
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):165528
                            Entropy (8bit):5.871724669624193
                            Encrypted:false
                            SSDEEP:1536:yxqjQ+P04wsZLnDrCCwu7mzj9zNtP9zNps8FOxqjQ+P04wsZLnDrC:zr8WDrCCLmzj9P95ps0r8WDrC
                            MD5:23FC2F23AB65464382AAADFE99B39AFA
                            SHA1:353563CCD8A2DDAC1DA56CEBAEC4F60EE9930240
                            SHA-256:2EC9EA7CB400F87510A5452E613C4EFD5B729956AE2DC60B345AC2AEC93ED03B
                            SHA-512:1B71ABDCB62E216A50491DA7F0E90097D4BB7079374CBD9DDD3E10DD1F4EDF41153B973278C6F503ACC91FAD4850086003DDAB186AFBC376593947F8B1A4D6F7
                            Malicious:true
                            Process:C:\Users\user\Desktop\java_update.exe
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):2970664
                            Entropy (8bit):3.852513127476973
                            Encrypted:false
                            SSDEEP:3072:zr8WDrCbKd0qVmvzC1SvXKo3NzbsZ6DdIAZcbEcofUnpfRII8Lp9qgN3WJp0Rf5F:PuO/V/CfDhNG5sMXjjzmEPoL
                            MD5:7AF0A120B754A36602AC1A7F2B3C66D1
                            SHA1:D7870589638553E4D6DDD2E96F47CE3257CA4386
                            SHA-256:548A4FDDCBEEF643B1CEA7FEA80E10EF7A98342223AA0D03E2D3F0E090732FA3
                            SHA-512:9673C807E0C42B9C96E7A2EDE5B905E113B1C3A9C082FEB06AF7AA507238F35B4A376DCDB78711AB59A71845AA85C8B6A0ACEC24FF1EA0C08D0DA5AAAE1A5851
                            Malicious:true
                            Process:C:\Users\user\Desktop\java_update.exe
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):3531712
                            Entropy (8bit):3.7796637413670093
                            Encrypted:false
                            SSDEEP:6144:Pu8sSR7PYKzz38YwZItvsDu7DbDhRAUzHW:5PYmLWSDBy
                            MD5:6DC25D566989B3C8B314D0A51CE264BB
                            SHA1:91A91837034A68BC5327132381D4A060B96B80AC
                            SHA-256:7B0D191A69BA4A30A5F9BA4914F61B4514B30507467858E595353E158E20B62C
                            SHA-512:213F26AC7407CDC444968465B5F2153DBF4D0B1113ECFFC7CBD936BCD4D0F1B024C5EB294EB1630D986BC022726F622950B8187304385FB81CA234E0E6D6D9A4
                            Malicious:true
                            Process:C:\Windows\svchost.com
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):4319272
                            Entropy (8bit):3.812301874725472
                            Encrypted:false
                            SSDEEP:6144:PuEmRfvlTZY/C3ul0ywb/uXMo+YJ7M41zXLWIB:3+6M+595B
                            MD5:FB10E76D72E74609F207999494FFEEC1
                            SHA1:9AE189189878E6B4E84FC1EA6BD6CC861E25BD68
                            SHA-256:1594E068581C29E6422B82053DC5D2F1E805E190E7B12F9EFE8BE6C2D6E8E4DA
                            SHA-512:78F4F601BB7E5B5696B615B66F701DAF6DE2E984C19D502207A786D5E6784E5D3C7474D05EE282227EB19EDA91A5BCEF3698B0F02FB0630003BAF88AE75C2136
                            Malicious:true
                            Process:C:\Users\user\Desktop\java_update.exe
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):1082008
                            Entropy (8bit):3.7732979147875136
                            Encrypted:false
                            SSDEEP:3072:zr8WDrCyo4TUawK1uT040i0ougmQmJDJnJ+20FxPlJPPSSfzZ9Ar9oN:Puv243xmQm59UtUSfz3
                            MD5:9139C2A0B4A37763278B42FA33970AD6
                            SHA1:4667B3983C739687FC50DF651F1633E1EC2DBCFF
                            SHA-256:EF91D1E371D92DBCAA676684653EE1892F901D4365F922BD6BD5833B5CD0488F
                            SHA-512:E5CE975D51D56CD5A2E4707E9E739CC68C1E297CFB030AADEB114FB61D57BC515759E3CFE89332C91F326E23EC49BE5453DDF9F6EDE550F55DCE3F8D3BF53BC5
                            Malicious:true
                            Process:C:\Users\user\Desktop\java_update.exe
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):1082008
                            Entropy (8bit):3.7732979147875136
                            Encrypted:false
                            SSDEEP:3072:zr8WDrCyo4TUawK1uT040i0ougmQmJDJnJ+20FxPlJPPSSfzZ9Ar9oN:Puv243xmQm59UtUSfz3
                            MD5:9139C2A0B4A37763278B42FA33970AD6
                            SHA1:4667B3983C739687FC50DF651F1633E1EC2DBCFF
                            SHA-256:EF91D1E371D92DBCAA676684653EE1892F901D4365F922BD6BD5833B5CD0488F
                            SHA-512:E5CE975D51D56CD5A2E4707E9E739CC68C1E297CFB030AADEB114FB61D57BC515759E3CFE89332C91F326E23EC49BE5453DDF9F6EDE550F55DCE3F8D3BF53BC5
                            Malicious:true
                            Process:C:\Windows\svchost.com
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):1082008
                            Entropy (8bit):3.7732979147875136
                            Encrypted:false
                            SSDEEP:3072:zr8WDrCyo4TUawK1uT040i0ougmQmJDJnJ+20FxPlJPPSSfzZ9Ar9oN:Puv243xmQm59UtUSfz3
                            MD5:9139C2A0B4A37763278B42FA33970AD6
                            SHA1:4667B3983C739687FC50DF651F1633E1EC2DBCFF
                            SHA-256:EF91D1E371D92DBCAA676684653EE1892F901D4365F922BD6BD5833B5CD0488F
                            SHA-512:E5CE975D51D56CD5A2E4707E9E739CC68C1E297CFB030AADEB114FB61D57BC515759E3CFE89332C91F326E23EC49BE5453DDF9F6EDE550F55DCE3F8D3BF53BC5
                            Malicious:true
                            Process:C:\Windows\svchost.com
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):1082008
                            Entropy (8bit):3.7732979147875136
                            Encrypted:false
                            SSDEEP:3072:zr8WDrCyo4TUawK1uT040i0ougmQmJDJnJ+20FxPlJPPSSfzZ9Ar9oN:Puv243xmQm59UtUSfz3
                            MD5:9139C2A0B4A37763278B42FA33970AD6
                            SHA1:4667B3983C739687FC50DF651F1633E1EC2DBCFF
                            SHA-256:EF91D1E371D92DBCAA676684653EE1892F901D4365F922BD6BD5833B5CD0488F
                            SHA-512:E5CE975D51D56CD5A2E4707E9E739CC68C1E297CFB030AADEB114FB61D57BC515759E3CFE89332C91F326E23EC49BE5453DDF9F6EDE550F55DCE3F8D3BF53BC5
                            Malicious:true
                            Process:C:\Users\user\Desktop\java_update.exe
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):582184
                            Entropy (8bit):6.398834596152969
                            Encrypted:false
                            SSDEEP:6144:Pu0LWET8DS698nGX2OduCwUJWh/JmmS3DAjqnkrzFoEh+vMKC239YUFgBdQ/:PLxT8DhyiLduCe/lSpn6zOvYUFg4/
                            MD5:897450E53986279D2B04BA53B52BDDD8
                            SHA1:94C242D856D91F902792EF4B390A65847321632F
                            SHA-256:07648CB2CA34B1C0F75971AE97F941AB50AE25F76429AFD4CBF1895B0269D24E
                            SHA-512:72A40CC08748BBAEE3E5B06EFA0F123F2C20A793B5862473EB972CA68F39474A89D4BF9DD0250321DC32D80AD8ADE6A0D52CCE978B5DC0AD1421E6213DA42C98
                            Malicious:true
                            Process:C:\Users\user\Desktop\java_update.exe
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):3837992
                            Entropy (8bit):6.444733046079261
                            Encrypted:false
                            SSDEEP:49152:BB1sstqMHiq8kBfK9a+cOVE/TqEpEepIkRqqUu9wg6KFYso8l8EK:NHzorVmr2FkRpdJYolA
                            MD5:32890A1EABD25D9DAFC948F5146EE430
                            SHA1:228A82E420134C823B26445D3124DEA5575E68B4
                            SHA-256:3701476504BE77805D33A9E809A5D42C10170D5342C9D6DD2B546EB8D44F9005
                            SHA-512:9B1B651AFB2C5DAFA5D3A0D48ADE18F90BC370F183C0884F21C1EC2454F015DEEFF627F091AD1C73341EEDD2F5C7D291DF2CAB0E6B23A8C5F52E2DE2DD3E0C6A
                            Malicious:true
                            Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*......x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                            Process:C:\Users\user\Desktop\java_update.exe
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):161832
                            Entropy (8bit):6.14756500825813
                            Encrypted:false
                            SSDEEP:3072:zr8WDrCJ2VSd2ga8KActASiZAkXS1xU5M3XgcoT0cs4qIm6Y6:PuYVSktVjv3Xg5T0FIY6
                            MD5:04EF9F4C747D7E6688BA9F35B8E3D8BA
                            SHA1:24E64BAC23BC510711460C2B33130FF4C1CDCE05
                            SHA-256:3D1421240FCFD07D5084ED9D4B33A5DFFADE81CE7912EE0BE4A2E4437857B642
                            SHA-512:BA8C839D6CA820B5DA5E1864564355EDB1628811B34FDFAAF54C0505D2971892C6CE3783FF4F2DA8BEC0A346BE733570BF50CD86B2726249AAF3DA611470B993
                            Malicious:true
                            Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*......x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                            Process:C:\Users\user\Desktop\java_update.exe
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):1827880
                            Entropy (8bit):6.540156971587151
                            Encrypted:false
                            SSDEEP:24576:nhDdVrQwm5ztlU0A7fMAHmpmZ3QXE/0/lVaLpmasGvP0:nhDdVrQ95RW0Y9HyWQXE/09Val0GE
                            MD5:879742EC86106257BEA934DBE9B820B4
                            SHA1:2D0D374FE06464FE3DEF4C6025BF2C5246572C03
                            SHA-256:8AFF66C49C009D187109D8B38F826731B88C832B976767C41F73EA4C7972CF2C
                            SHA-512:B7DD56A683CFB81DE96408F4D973EF9EB8201E5A2C574954487E152945D87CBCD5CF81D9567B09378E7737FA47B31AB29DCD03BE846DABAF164E3530639FCE36
                            Malicious:true
                            Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*......x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                            Process:C:\Users\user\Desktop\java_update.exe
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):1297448
                            Entropy (8bit):6.513926743108373
                            Encrypted:false
                            SSDEEP:12288:3doA0Eh2XptoQZRuefMYR6RrAJU9CsxmMocSipEylqFfouDMA+nkSddSDBDIq:370E0ZCQZMip6Rrt9RoctGfmdd0
                            MD5:C46EECCF6FAE76F11358D0E43965681C
                            SHA1:9ED2788370B6F5B476C7E6000058BE7D5EBEDA6E
                            SHA-256:5804894F3F60DA262589131E6B7A1CEA7D5B1023993ABBAD2253C12526914D8E
                            SHA-512:C36F36F16CFE7AA0A39353F45931B3B64D7E1168C8DCF61FB7A116612CB24A54E281D4D616EC21D6117118B03A0F03AEF8EFD91CFD5483EB6B6776C7A50EFED9
                            Malicious:true
                            Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*......x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                            Process:C:\Users\user\Desktop\java_update.exe
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):4251688
                            Entropy (8bit):6.506317829104403
                            Encrypted:false
                            SSDEEP:49152:bpawZh+vD5oLv9eqJ/iUPnspBu/MLPgyLMLQB4gQDyJ0ryMOAqk9l/hO2y/BT:QehFLvTQDpB5oSOmlBl
                            MD5:6D080AAFAA8CE83776195B5B124103FF
                            SHA1:8C8809935FA73EB7A18FBD8023B0636765DA9C09
                            SHA-256:6AF714C0C52FE584E9B4E9EF39D4DE723C509BF9082476BA3C5B97DCB2D3E4F3
                            SHA-512:F7C81889032AFFD9BF288A4B34ECD026B9EC6E5BF74D3D4EFF229029D63B33B26CD0B178AD95FD6BE728414882678F8E36C0C1373D21A32367E9508CCCE7EB25
                            Malicious:true
                            Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*......x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                            Process:C:\Users\user\Desktop\java_update.exe
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):1319976
                            Entropy (8bit):6.503786677710061
                            Encrypted:false
                            SSDEEP:12288:Uyeb4D2VLtrQA1Yim7XGLZxHwlqxlThfkY8bo0cITiLEpPoVfMA+nkthF2g0oz5:UiD2VmA1YXQHwlklb8boUuWPg2gX
                            MD5:9CF33C2C22730E0C3C7F65154ABFD0A7
                            SHA1:7ED4EB14D0A8174B75E4C5F0B06B4DB54F53429F
                            SHA-256:FA5E80F107D15EA38675A3A544DA56AA245DB5421D64A162ECB4C159A6CBE229
                            SHA-512:CD21A5AB79A0DDCE0F88C57D3E8E4B56C093B12E6CD74DF3AA234D1EB2C8C1D7E4412083836D102B5E4BB545177EC58D5E8FC21216DAB8AEC92D0D3F02026FAC
                            Malicious:true
                            Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*......x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                            Process:C:\Users\user\Desktop\java_update.exe
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):2327080
                            Entropy (8bit):6.530984368082779
                            Encrypted:false
                            SSDEEP:24576:yfD3zcv9ZhsSGSQoryOzozU63IqRNhB0kDKPHkkkkkkkBoIeAz:yfD3zO9ZhBGlopzM3HRNr00z
                            MD5:3332CF2E4E55A3382BC000AD04399C84
                            SHA1:88E1C5B851AB8F57E50EE2F9AFEDF3CE828FA19E
                            SHA-256:780A8D096F70BC6FDEEEF05A22C1C943E64C2A3CBE33C6F3600504606D4FCBBB
                            SHA-512:1CE56E69DB2CA020CCCC036B5F0FC93156F2352420B5F7E3F551230D478AF5470657F81617B45CB32DF98EF9DCBF5254BEB16DC75F43186ECFF2D71740A772B4
                            Malicious:true
                            Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*......x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                            Process:C:\Users\user\Desktop\java_update.exe
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):3790800
                            Entropy (8bit):6.537629939786787
                            Encrypted:false
                            SSDEEP:49152:GTaRe7mkn5KLvD5qGVC008Jpb4tgLUgGEsLABD5wTQh07yrLMLl9YPhe:ZI72LvkrCpbxJRoIMx
                            MD5:391A248273BFC2C0361AE5DFE61F6D1B
                            SHA1:0BD38C25FE4CC60BCB67ABC8E7407F0135E61FD1
                            SHA-256:AEF2E2B2AE1722A9D53DF0A40DD3B126AE40DEBB5176C150DA67AA72392AD6DE
                            SHA-512:B5F345FE14835806C1273DFC6C9C1E993D9EF469E8D146BB466816748A8F432362734B72D9BB79848C2C50AE103273FF723E865C649A53D6D1130A8DEB2003DA
                            Malicious:true
                            Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*......x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                            Process:C:\Users\user\Desktop\java_update.exe
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):1535528
                            Entropy (8bit):6.517119310826715
                            Encrypted:false
                            SSDEEP:12288:+406WoyJHeFOqDRA7uKk+TjnkgiMnQq+UI7MBImQWkv7yfOYIXbwohMA+nkXZnHC:HW9Jml9mmijZiMnF+ZxmQWcbLw8Vi
                            MD5:20628DE11335D9E9C180E82B8DA8C6F4
                            SHA1:3214ED9228E71E72D86A3F9ECFB0F3B7A8AEAE8B
                            SHA-256:1A1CC93F0239D3A342B27EF97020EF7DCC522BE9A8EEC0220C52B69E098EACCD
                            SHA-512:138B4E13BFDC8ED20854432609FFC90852DF667507D7C0DA77D4F817A32A55D084CEEA30184D9DE444DA5A949665532F021E01BF30D261803DBF31E18BA6A8FE
                            Malicious:true
                            Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*......x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                            Process:C:\Users\user\Desktop\java_update.exe
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):1273384
                            Entropy (8bit):6.515185633103735
                            Encrypted:false
                            SSDEEP:12288:u5eN+kL3gVeYt/uakJMtleRO40BbdJrPVJAzAlPY6mYzJuomPMA+nkVogIkd9:uwNHwoYhua6MtERO4qbBJTY6mY1uIgp
                            MD5:DA3D6D82C0A5DAB32AD539A41B2292C9
                            SHA1:69A16AE6620EBC4E3AB589A77C3875332CD9EFDD
                            SHA-256:B68881B7F63772E7D7002EF6ADFE43870760808167260F1FE2578808F47F67ED
                            SHA-512:E75F6C20E0BE447C014874769E9037946DFBD602602AE6A1D5D197504FF5F13D5C6FABA3A93E0658E8B70A66B37790D500DF03D8FA6CA01A21FB08F461F1E74E
                            Malicious:true
                            Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*......x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                            Process:C:\Users\user\Desktop\java_update.exe
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):4251688
                            Entropy (8bit):6.506317829104403
                            Encrypted:false
                            SSDEEP:49152:bpawZh+vD5oLv9eqJ/iUPnspBu/MLPgyLMLQB4gQDyJ0ryMOAqk9l/hO2y/BT:QehFLvTQDpB5oSOmlBl
                            MD5:6D080AAFAA8CE83776195B5B124103FF
                            SHA1:8C8809935FA73EB7A18FBD8023B0636765DA9C09
                            SHA-256:6AF714C0C52FE584E9B4E9EF39D4DE723C509BF9082476BA3C5B97DCB2D3E4F3
                            SHA-512:F7C81889032AFFD9BF288A4B34ECD026B9EC6E5BF74D3D4EFF229029D63B33B26CD0B178AD95FD6BE728414882678F8E36C0C1373D21A32367E9508CCCE7EB25
                            Malicious:true
                            Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*......x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                            Process:C:\Users\user\Desktop\java_update.exe
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):1319976
                            Entropy (8bit):6.503786677710061
                            Encrypted:false
                            SSDEEP:12288:Uyeb4D2VLtrQA1Yim7XGLZxHwlqxlThfkY8bo0cITiLEpPoVfMA+nkthF2g0oz5:UiD2VmA1YXQHwlklb8boUuWPg2gX
                            MD5:9CF33C2C22730E0C3C7F65154ABFD0A7
                            SHA1:7ED4EB14D0A8174B75E4C5F0B06B4DB54F53429F
                            SHA-256:FA5E80F107D15EA38675A3A544DA56AA245DB5421D64A162ECB4C159A6CBE229
                            SHA-512:CD21A5AB79A0DDCE0F88C57D3E8E4B56C093B12E6CD74DF3AA234D1EB2C8C1D7E4412083836D102B5E4BB545177EC58D5E8FC21216DAB8AEC92D0D3F02026FAC
                            Malicious:true
                            Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*......x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                            Process:C:\Users\user\Desktop\java_update.exe
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):1273384
                            Entropy (8bit):6.515185633103735
                            Encrypted:false
                            SSDEEP:12288:u5eN+kL3gVeYt/uakJMtleRO40BbdJrPVJAzAlPY6mYzJuomPMA+nkVogIkd9:uwNHwoYhua6MtERO4qbBJTY6mY1uIgp
                            MD5:DA3D6D82C0A5DAB32AD539A41B2292C9
                            SHA1:69A16AE6620EBC4E3AB589A77C3875332CD9EFDD
                            SHA-256:B68881B7F63772E7D7002EF6ADFE43870760808167260F1FE2578808F47F67ED
                            SHA-512:E75F6C20E0BE447C014874769E9037946DFBD602602AE6A1D5D197504FF5F13D5C6FABA3A93E0658E8B70A66B37790D500DF03D8FA6CA01A21FB08F461F1E74E
                            Malicious:true
                            Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*......x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                            Process:C:\Users\user\Desktop\java_update.exe
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):225232
                            Entropy (8bit):5.9169842072110015
                            Encrypted:false
                            SSDEEP:3072:zr8WDrCFcxiNNpCPPQPg2cluc/Xswbz8cz3quKoNX1gd:PuFcwVz4B8c37KoNX1q
                            MD5:B50DDBDB05BF0BB57476EA6C5A032B2D
                            SHA1:75D97A80167D3AB18ECA1B1A990B894F691584B2
                            SHA-256:5074A5357D42806C87926B169CD558E653349DF7E44354EC85460C0A2C95C50B
                            SHA-512:FA6DBD13E3E85C5098B6A866E7F399AECDCD4FDD53ED3F60F9EE20F8ABC156F2F272B155B5BCD79F4424E89C8045094560575CBA622327D6661A4947D7D35D46
                            Malicious:true
                            Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*......x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                            Process:C:\Users\user\Desktop\java_update.exe
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):247760
                            Entropy (8bit):5.766587112108476
                            Encrypted:false
                            SSDEEP:3072:zr8WDrCQW4l/DReos0gXf+EvC6C36eCWdMuoB+ISzBqUGxNtvKAbFP3cSEt0phcf:Puml/DRfkTC3dM7B+mCivAT
                            MD5:886E05881670C2B29D17DF6823B38A66
                            SHA1:4CB79B5F1DA8FE8079518B65FFFDB99EB0A3D76F
                            SHA-256:AEEB4BAAD144DB01611C82FA0D8F0029F3EF777101740829E7F6D8D453E31D6D
                            SHA-512:9FFF6FA38B694ABC945F515A78CFA793D6AB8E7977A2973A5B69265A965DFC76C6A77D48366D5A98EB4D4460A878BE02C95C828066E42FB3F4F64CCD30D93987
                            Malicious:true
                            Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*......x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                            Process:C:\Users\user\Desktop\java_update.exe
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):142288
                            Entropy (8bit):6.418539700023223
                            Encrypted:false
                            SSDEEP:3072:zr8WDrCs684ePKoTB+IvoAewtxUff8aohGme+YDfYz8FrR7:PuQrTB+AleYIkifYUF
                            MD5:3856508A91D399E375B350B0C1423FFD
                            SHA1:9747673D2FAF4EC499A05B3DFB80431029C17507
                            SHA-256:B7E5B278ECB57EDBF3C121517B5CBE0B37C29D7A1F9BE1E121776C59B39F3E37
                            SHA-512:77037E2A7F8A466D85F3A5CD2C19DA8D9795297BACA6477D8B39C29D7CBAE8641D6CE300F59035A674F749002B79199211C2955936AEB4DA0C7C6CDAB8636A1D
                            Malicious:true
                            Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*......x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                            Process:C:\Users\user\Desktop\java_update.exe
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):259024
                            Entropy (8bit):6.086004749509324
                            Encrypted:false
                            SSDEEP:3072:zr8WDrCTXEV0tle+5IbvBCMmNginHy8lZoY46Mu/rLogrlKq9YXI35EvMl:PuTUVwleMITTmNv1ohWsqYI354I
                            MD5:C37E3B17146D3DF38E578862AEA8C6AC
                            SHA1:4587242D000A11BF98779F074BB15989A9E57AC2
                            SHA-256:FE9F873C55826F1C1CA88289966923B9B6FB330C2B46261B682584711B0A35D8
                            SHA-512:D28917D093AF944094FF56D5712CC0AC9BBCE3337A524E9B95487510CF5ACD2608EA7914CCA920CA9BE5AA7F6CA808B920AEE6D596ECD74DB3B2551BC77047D2
                            Malicious:true
                            Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*......x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                            Process:C:\Users\user\Desktop\java_update.exe
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):305120
                            Entropy (8bit):6.411066493542914
                            Encrypted:false
                            SSDEEP:6144:PumFKucTm3RhMfoSG5dCd7hjAOe9UmXY2Gh++CgBlPMoX:vKucTm3RhMfoSBjA9U2Yxh+Zgb7X
                            MD5:A44E4ED52DB101B90FC40FBD77EE5813
                            SHA1:E1EA013D66084E842EE75CDF1A20F2C5C7C1D920
                            SHA-256:A107A456D15142E351FA622010D0F75EDD8E331C147DF974A5EF1D8889700749
                            SHA-512:30EBA6D8ECA2E67D40DA256558E758EE5A457E40E2D4A1CA1FFA175E063B6983F23210E35F7BA857E0F87A550511C8C5AE7F748D90B37F847432DC60B6916C0F
                            Malicious:true
                            Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*......x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                            Process:C:\Users\user\Desktop\java_update.exe
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):142288
                            Entropy (8bit):6.419211340608754
                            Encrypted:false
                            SSDEEP:3072:zr8WDrCDaivqozB+IvcZ4wrZU+l/8xoAm2+YDfYz8GrR/:PujzB+Aw4CZNr2fYLl
                            MD5:66668951BA49BF63140B9DC5384B12FF
                            SHA1:864CF0FC89B1EC2FC0F7F86231001C606D95C626
                            SHA-256:316FB2C43692DD48BF49D92F62393E1FEF23A024776398E25B5B08F2CB7601F0
                            SHA-512:523138612680231D11AAC37F70C649334D8070D263DFA87A6DE9863C5C0A4E0AD6805F02EA29ABB99645CF55A3312B9101C0B06935F416BA5F33BFD8BC42E930
                            Malicious:true
                            Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*......x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                            Process:C:\Users\user\Desktop\java_update.exe
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):1640416
                            Entropy (8bit):7.91251877420056
                            Encrypted:false
                            SSDEEP:24576:dwy53G70SeiN9YqxCCg83udcWXDYajPF2410wuRpGfFki94qSe/wsNfzUG:Cy53w24gQu3TPZ2psFkiSqwozX
                            MD5:352C6224D8440DF99EC9BCB6D1205994
                            SHA1:6E0D04A6F207B83B385F09F43E1C1AA4519399A6
                            SHA-256:5F579E51C94992CFD86C111D09F84E328F373073903E51D7C02AC77697D682EF
                            SHA-512:9175FB5E4524C95C706C4147B700155BD551842F2890D737C635DF8B684585AAFF2E41EC2B81BA0BA941ADCDB51BFA9DAE09C2440E4B5EAEA9524462F0ADF08A
                            Malicious:true
                            Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*......x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                            Process:C:\Windows\svchost.com
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):144866
                            Entropy (8bit):6.2324558335577
                            Encrypted:false
                            SSDEEP:3072:zr8WDrCkRD5b0qZ7y4jem7y6tkNRCywDw1DiJkuKUY:PuGD5lZ7y4j9KT4DteUY
                            MD5:D709786C68534D0465D77BDE302F7065
                            SHA1:6E113BCB0876FDDDC39B31D1F364AC1C3B0F9B40
                            SHA-256:8F98C63531C25555C4ED421DC87B670C763690A82E9B2D76A59D2233AC500636
                            SHA-512:47295791D6181ABB9F777E85ADE7425A34C497A5E4E5B483104DE6105D9CE49D9FD7A342BE5B469528176DB4E63D0A5117F9E6C969B999B7F87FE1076DB14B86
                            Malicious:true
                            Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*......x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                            Process:C:\Users\user\Desktop\java_update.exe
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):280480
                            Entropy (8bit):6.382752729567392
                            Encrypted:false
                            SSDEEP:6144:Pu6Pr2vXzrEbslNp/JNsJKQl0GkRAqVNf0O3:7DQXRVTZu0GP+ZR
                            MD5:25156B6B2ACFE0D4284F3842C0F1FD9F
                            SHA1:C3C3387E29A3C045104FBA65357B73D36CB72F96
                            SHA-256:1F32EEC314E0AEE4B61FAEE41B8D2D882AA49E3D49906E2F91FD842C574D2E17
                            SHA-512:77B19A7D771681CC8AF1456013761626620EBCA8B336BD728ACE88B67E7E8D20812918BB588B5D06EF1E722607442ACECAF0BCD2274C912520F3125517157ECC
                            Malicious:true
                            Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*......x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                            Process:C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe
                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                            Category:dropped
                            Size (bytes):44544
                            Entropy (8bit):5.640595045558621
                            Encrypted:false
                            SSDEEP:768:V68rPcT5+tkzOGvo08WuFZ4hJF5PC9O9+68OMh43/OLnM9:o8r8ItiOeF894Fc9U+68OMmonM9
                            MD5:F3B2776EE93CFCAAFC72385378A22B31
                            SHA1:59BC68BBE3ED4936C1747B0762156D6053947562
                            SHA-256:087F7D0BF82588ECF5FA53545F7DD03CD72F3D4E729DA7FD9490488BA4D42AB7
                            SHA-512:68D273EB968DF3BD6F9A8740EAAB5379B0D40C0BBAC60DC809568F57844D0F8B2FC815535AF5736B242DFEF3FCDA8203BB990E85311C3C46243F0C6B1934AD0D
                            Malicious:true
                            Yara Hits:
                            • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: C:\ProgramData\Java Update Checker (64 bit).exe, Author: Joe Security
                            • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\ProgramData\Java Update Checker (64 bit).exe, Author: Joe Security
                            • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\ProgramData\Java Update Checker (64 bit).exe, Author: Joe Security
                            • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\ProgramData\Java Update Checker (64 bit).exe, Author: ditekSHen
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...4.uf................................ ........@.. ....................................@.....................................K.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H.......|]..$Z............................................................(....*..(....*.s.........s.........s.........s.........*...0..........~....o.....+..*..0..........~....o.....+..*..0..........~....o.....+..*..0..........~....o.....+..*..0............(....(.....+..*....0...........(.....+..*..0...............(.....+..*..0...........(.....+..*..0................-.(...+.+.+...+..*.0.........................*..(....*.0.. .......~.........-.(...+.....~.....+..*..(....*.0..
                            Process:C:\Users\user\Desktop\java_update.exe
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):4473576
                            Entropy (8bit):6.5697251244545924
                            Encrypted:false
                            SSDEEP:98304:9kkCqyDEY7+o3OBvfGVY+40yajyS+9s/pLOq:9kkCqaE68eV+0y8E6L1
                            MD5:A0E84CEDA4163F189BE5349FD432B1CB
                            SHA1:204335080CD8BA8D46E52DFB29F1461D7BF84CA1
                            SHA-256:9A8C97840B4745ABA6BE44CAE7DE9EC0E7960AE31E52DFDE4ACCB1C24B6C4DA7
                            SHA-512:BE941C507F9A607087E96CDBA94358F4882BA231CC08E6AAE8480301A5FF82940630134F9DB780B9527F43DD83ABE5D4868759854D2517A6D6A87A26903FCC9F
                            Malicious:true
                            Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*......x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                            Process:C:\Users\user\Desktop\java_update.exe
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):501656
                            Entropy (8bit):6.316687804131066
                            Encrypted:false
                            SSDEEP:12288:mLH18t6x1hjaNHBlfBVDZS82JninSFVlDW:mLOwxyNHBVEHRiSFVlDW
                            MD5:EE696711CF9AC80FC9EFBB26B76ABCFE
                            SHA1:A2E66B1A8970B93B055B783F1FE600A5EA861690
                            SHA-256:9DA9F59CB0DF8F42679E524FDF590843F68D1413BB1F36335B361245F5FD7170
                            SHA-512:5A6E226B94364E8F0312D8DE64192A5343EB5E370BC5E10F373458C871A25ABE7520E55AD68279FD215820CABEDADDE4ACA9A01071370B980B62A0126AAB2A94
                            Malicious:true
                            Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*......x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                            Process:C:\Users\user\Desktop\java_update.exe
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):1637776
                            Entropy (8bit):6.316076233282021
                            Encrypted:false
                            SSDEEP:24576:z7Z1jyzcKSmKsvwMZJ1XBsn/gu2bRC6dulyyn2WdXM6cWlLIJ:/Z1tKTwMZJ1XBsn/UC6dugWA
                            MD5:2E0AE929AA0C46D1850BD2064954D911
                            SHA1:C27307CF87ABAA9CB17C869583BEC5DBB57A3C41
                            SHA-256:BB21F5661BC8569FBAD37E05E000529EA09A93DF9CE906AC798B6FF87C39DB52
                            SHA-512:6F79861A391A35B7634EA05FD37B28ECEA234FE91AC44B3F2DD365F49C9338AA43D5EF40B80588343E7C1B05D2B358F9516F2696F6DB1E4D9D8EA87CBFADB1E1
                            Malicious:true
                            Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*......x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                            Process:C:\Users\user\Desktop\java_update.exe
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):224632
                            Entropy (8bit):5.620193770987743
                            Encrypted:false
                            SSDEEP:3072:zr8WDrCvFtCsHjgU7HOg6KTe/+EypudsD22QnSUEhydebz41:Pu9tx0SA+EySaQKeUz41
                            MD5:96A64BD0E265640FFAFD214049708702
                            SHA1:DA525339352A6F40A51DD61FE17149EC37E69C61
                            SHA-256:4E88BCEBE61AFD28AD1EC55523F1656CA98F02806531CEFFCA55F2598674CFFA
                            SHA-512:EA63C18E5AB547A7F76C6BD2F721296B400E2D6FE89C45DFD8DFAB86A794D171A44487CAB0C8DC2328F9DC92C239BB1E2BF55D7C903791EF341BD88FEAE28FB0
                            Malicious:true
                            Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*......x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                            Process:C:\Users\user\Desktop\java_update.exe
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):431336
                            Entropy (8bit):5.901379876199201
                            Encrypted:false
                            SSDEEP:6144:PuYzBRUKCBTwZVr2miTVVmVVV8VVNVVVcVVVxVVVPVVlVVVRVVVtVVWV60jVLVV+:jzBRnCBOrsBOBf
                            MD5:E7C3CF515AE2F8559EB6E76D748D667F
                            SHA1:265615DC51ACBDE842A9A012D03732AA4BF9DDE9
                            SHA-256:A2CAC1656374C752299952716F9021B3E15497166FA936A1BAD6AB7C39FE7F8A
                            SHA-512:9034265306CF0A5D467C652FEAE1AD6FB4798B527A8C58EED576137582EBF6F24DD25D9EC9D977C93A489E749F1F1A20503B508C168CC9C54419AEDA9B044458
                            Malicious:true
                            Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*......x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                            Process:C:\Users\user\Desktop\java_update.exe
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):175160
                            Entropy (8bit):5.99132731187077
                            Encrypted:false
                            SSDEEP:3072:zr8WDrC2/VpSIcnsHKTe8LnZCA5OfkQAm95kQOJeqx6u:Pu2tkIpdA5OfzDUeqx6u
                            MD5:C41D1423579C9814533D2E30DA685786
                            SHA1:B8AE1B9A8EA125CFA003E1404F44F825F3EFA4AE
                            SHA-256:BEE3417F4A10BA18D5DDF56EF7D3AF8597164CE62C74D4E979E09BAD6C7D6509
                            SHA-512:52DC28327704F55153CB10ADB7686D5469698D07ECF6E03B223F8DE2C32DF5296BA7E0190E37A58ECCA264C1B045CF7CA1F2AE35F15BA4F43B51D92961F7F90E
                            Malicious:true
                            Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*......x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                            Process:C:\Users\user\Desktop\java_update.exe
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):3162480
                            Entropy (8bit):6.468488558909844
                            Encrypted:false
                            SSDEEP:49152:vnW4jqFRZega3xejvY7GQOx4K1fm15FKqO7t78Ity6fod76lmlW8U:ms3OBj4UmOH
                            MD5:3A5E520F6C98AFDEA3D5D2D92483C739
                            SHA1:A578D0612B92D4E3D3C913B06BE977EDFA7ACC20
                            SHA-256:BE77D2388C60AB0610D2B49BF1883F24B40C33C767160FBF178F2EF3EA3834AE
                            SHA-512:A3451E0C8CAF184343F68D29406D95BFBDE38F03C8AD0FFC4EDED0B3F4942ACE98D17189C574364730A7BF0F249808371175063312A00F9D85EABB61A5657673
                            Malicious:true
                            Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*......x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                            Process:C:\Users\user\Desktop\java_update.exe
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):1309408
                            Entropy (8bit):6.49550103750245
                            Encrypted:false
                            SSDEEP:24576:9+sGOL9NLM3r4Viwj6KLqGua43loEeUFmwv:94AA4eGua43lgUFrv
                            MD5:EAD6386843778A730062C698AA030740
                            SHA1:F24C8F0717004F67681BC64DACD4187A98D596B2
                            SHA-256:D932B4622D4D9A52924CB1540B483EF7163D67263A0E0EBA11504B73295B8D80
                            SHA-512:0E7641E940526213DFD1627CC80852FE8DC6D9ED3582E30FF355DD56978794B850081082FE7B798152D8AE0E437212471C3C615714FF9CE1DC87434235716516
                            Malicious:true
                            Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*......x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                            Process:C:\Users\user\Desktop\java_update.exe
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):922944
                            Entropy (8bit):6.460885615415187
                            Encrypted:false
                            SSDEEP:12288:R9/Bro8OEYbhEdbsrg4Sxz2/Sl92ncG15fQ224i5pQ+poPCcqyt4:n/BrnYuqFcL3pQ+pDX
                            MD5:F0BF9ADF513239520A14EB785BDD5886
                            SHA1:F1915F5400458CA477B5E90DE9A2C5C4DDC132CB
                            SHA-256:AC67389D5DA5FC3A99576D5832BEC09D66B41E751A15B1B53349A3003EF14DFE
                            SHA-512:13CC35E7344418CF48E95525F351585652B9A499FF674DE766AED5D7B35F93F60FA9639AF011E0FCEB5F63AD895EDDBE0054EFE98922811BBE6206E52197AF82
                            Malicious:true
                            Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*......x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                            Process:C:\Users\user\Desktop\java_update.exe
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):692064
                            Entropy (8bit):7.194014407923939
                            Encrypted:false
                            SSDEEP:12288:IskY7gjcjhVIEhqgM7bWvcsi6aVUfIy+U40vy3W/ceKSHMsiFyY6XNmnMwJ:IsZgjS1hqgSC/izkfFjymk4HM5yJwMK
                            MD5:449FF18CECF6F5F51192A3B2DED55D19
                            SHA1:344C9315CC65A9A8B57B7CA713EDDCFC00BD7A93
                            SHA-256:0F891BFC3F74490937A0A339092EC8515409EC972B0EE12A7F3A21EA039CD706
                            SHA-512:474720A4D8E0E992343DE1A897072C9062A5149E4F235013A28DF8C1DBA19020EA894231C1AAB7F5B3C041FD67CF3B2A26E5B25C7D6901FB4B0BEFCCB57957B4
                            Malicious:true
                            Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*......x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                            File Type:data
                            Category:modified
                            Size (bytes):2232
                            Entropy (8bit):5.379540626579189
                            Encrypted:false
                            SSDEEP:48:CWSU4y4RQmFoUeWmfgZ9tK8NPZHUm7u1iMugeC/ZvUyus:CLHyIFKL3IZ2KRH9OugMs
                            MD5:23450A46792AFFD8750A4B615EDF293A
                            SHA1:8C80653AF36247160450BEE1C06B0241BF533A64
                            SHA-256:FF17BC055E69CC9D7597033831C6CB2230595D9BB0BFBD9328BFA97A14BFC7B1
                            SHA-512:136EBA843D66B3A6879518504655DC6B154705EC6284D7F04BCE1599831117435C4A27092D025F123D542A4405CF1103AC60E793EF9A37491350FD78C9D420D6
                            Malicious:false
                            Preview:@...e................................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...|...........System.ConfigurationH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com
                            Process:C:\Users\user\Desktop\java_update.exe
                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                            Category:dropped
                            Size (bytes):44544
                            Entropy (8bit):5.640595045558621
                            Encrypted:false
                            SSDEEP:768:V68rPcT5+tkzOGvo08WuFZ4hJF5PC9O9+68OMh43/OLnM9:o8r8ItiOeF894Fc9U+68OMmonM9
                            MD5:F3B2776EE93CFCAAFC72385378A22B31
                            SHA1:59BC68BBE3ED4936C1747B0762156D6053947562
                            SHA-256:087F7D0BF82588ECF5FA53545F7DD03CD72F3D4E729DA7FD9490488BA4D42AB7
                            SHA-512:68D273EB968DF3BD6F9A8740EAAB5379B0D40C0BBAC60DC809568F57844D0F8B2FC815535AF5736B242DFEF3FCDA8203BB990E85311C3C46243F0C6B1934AD0D
                            Malicious:true
                            Yara Hits:
                            • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe, Author: Joe Security
                            • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe, Author: Joe Security
                            • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe, Author: Joe Security
                            • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe, Author: ditekSHen
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...4.uf................................ ........@.. ....................................@.....................................K.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H.......|]..$Z............................................................(....*..(....*.s.........s.........s.........s.........*...0..........~....o.....+..*..0..........~....o.....+..*..0..........~....o.....+..*..0..........~....o.....+..*..0............(....(.....+..*....0...........(.....+..*..0...............(.....+..*..0...........(.....+..*..0................-.(...+.+.+...+..*.0.........................*..(....*.0.. .......~.........-.(...+.....~.....+..*..(....*.0..
                            Process:C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe
                            File Type:ASCII text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):29
                            Entropy (8bit):3.598349098128234
                            Encrypted:false
                            SSDEEP:3:rRSFYJKXzovNsra:EFYJKDoWra
                            MD5:2C11513C4FAB02AEDEE23EC05A2EB3CC
                            SHA1:59177C177B2546FBD8EC7688BAD19D08D32640DE
                            SHA-256:BCF3676333E528171EEE1055302F3863A0C89D9FFE7017EA31CF264E13C8A699
                            SHA-512:08196AFA62650F1808704DCAD9918DA11175CD8792878F63E35F517B4D6CF407AC9E281D9B71A76E4CC1486CAD7079C56B74ECBEDB0A0F0DD4170FB0D30D2BAD
                            Malicious:false
                            Preview:....### explorer ###..[WIN]r
                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                            File Type:ASCII text, with no line terminators
                            Category:dropped
                            Size (bytes):60
                            Entropy (8bit):4.038920595031593
                            Encrypted:false
                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                            Malicious:false
                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                            Process:C:\Users\user\Desktop\java_update.exe
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):182272
                            Entropy (8bit):6.778841629892176
                            Encrypted:false
                            SSDEEP:3072:zr8WDrCe7WLuzeHpl18fCtnRPF9EVnb43jaI5gr/uHqZLWfp2KkvL5kdnQB:PueqmCtnRPF9cCGr/uH0gkSdQB
                            MD5:D307A8D049BC1C09C5C3B972F3609FD3
                            SHA1:D84D853F3BD3E3DADFE2CB5E4A294B83780A3F3D
                            SHA-256:C8FB712D11C1F2AE2BC71F58C2D859B0F2F45AA9ED88F6C9F42E89217D03DF48
                            SHA-512:7D3DE68A9DC7AD364B0E8A37F8A56E556FF774537FDF93AF869BEA4CD14DDD3C0205BD74FBDD66FCDAB5F1FA6E9D5F10F3C8C66D99BF5235109DE51975A2BF7F
                            Malicious:true
                            Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*......x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                            Process:C:\Windows\svchost.com
                            File Type:data
                            Category:modified
                            Size (bytes):8
                            Entropy (8bit):3.0
                            Encrypted:false
                            SSDEEP:3:2:2
                            MD5:578DB632345128A32742DB6670C315CC
                            SHA1:E692D7033653AB8E41E451D4A88811202D4241D9
                            SHA-256:C06755370EC01019F0F56FB481912B97E55B8C3410E9528CB096F48B88028386
                            SHA-512:65693863CC7CE2BA5DA440BEDAACA3E10FFA08543A5252CB0C097379AA7A3EE7BD3373857F4FD75EC9B5644B4383F2FE2CFD3EACB16DEAB2F75DC6F3FD8FB758
                            Malicious:false
                            Preview:.v....&A
                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):6221
                            Entropy (8bit):3.731594285412682
                            Encrypted:false
                            SSDEEP:96:8J333CxH5EkvhkvCCtJBKjJLmHHsKjJLmHHt:8J3yZAHKjJL5KjJLi
                            MD5:C95F8C02BB7BB73752C08674D3380325
                            SHA1:DC568C33EF527AFABFD18D922CA551B8D5009235
                            SHA-256:3CE476E2A1F17376EA68E31E3165426A852D662150EFAAB3547E290335470366
                            SHA-512:C8BE8B8756F6E27FD59D46FAA4C58832ED8C01E8818ECC35F18990A942E7C1BA3060D804123C91EC48CCF5E92055918601FB25A66547A428371B48553BDE7AE0
                            Malicious:false
                            Preview:...................................FL..................F.".. ...-/.v....)..@....z.:{.............................:..DG..Yr?.D..U..k0.&...&......vk.v.......p;......y;.......t...CFSF..1.....CW.^..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......CW.^.Xd&...........................%..A.p.p.D.a.t.a...B.V.1......Xb&..Roaming.@......CW.^.Xb&..........................pt..R.o.a.m.i.n.g.....\.1.....DW.N..MICROS~1..D......CW.^.Xf&..........................9D..M.i.c.r.o.s.o.f.t.....V.1.....DWT`..Windows.@......CW.^DWT`...........................L(.W.i.n.d.o.w.s.......1.....CW.^..STARTM~1..n......CW.^DW.`....................D.....=X..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....DW.N..Programs..j......CW.^DW.`....................@.........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......CW.^DW.`..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......CW.^DW.V....Q...........
                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):6221
                            Entropy (8bit):3.729191650107404
                            Encrypted:false
                            SSDEEP:96:FJCy3CGR5EkvhkvCCtJBKjJLmHHsKjJLmHHt:FJCOPAHKjJL5KjJLi
                            MD5:4DFCF8DF9A1D5317AE2EBE0F82525AB7
                            SHA1:D5135A4579BF27A44AFC79C94A13BE12897A2AA5
                            SHA-256:4D22D1E710455B64E3645FB26BC00B2D8F7706FB9908B3B06574B65EC6DD5CCB
                            SHA-512:789E03FEEA855991DA18F9396158AEF0EFEF0BCAB4597C9BACD9F530AE617C5CFDB2205178DD7834DFEE6B7EDEA1EAE651F78F31A75AB1324D61D49ED5D2F189
                            Malicious:false
                            Preview:...................................FL..................F.".. ...-/.v....)..@....z.:{.............................:..DG..Yr?.D..U..k0.&...&......vk.v.......p;....B..;.......t...CFSF..1.....CW.^..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......CW.^.Xd&...........................%..A.p.p.D.a.t.a...B.V.1......Xb&..Roaming.@......CW.^.Xb&..........................pt..R.o.a.m.i.n.g.....\.1.....DW.N..MICROS~1..D......CW.^.Xf&..........................9D..M.i.c.r.o.s.o.f.t.....V.1.....DWT`..Windows.@......CW.^.Xj&...........................L(.W.i.n.d.o.w.s.......1.....CW.^..STARTM~1..n......CW.^.Xj&....................D.....=X..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....DW.N..Programs..j......CW.^.Xj&....................@.........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......CW.^.Xj&..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......CW.^DW.V....Q...........
                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):6221
                            Entropy (8bit):3.7302292078171475
                            Encrypted:false
                            SSDEEP:96:GJCy3CGR5EkvhkvCCtJBKjJLmHHsKjJLmHHt:GJCOPAHKjJL5KjJLi
                            MD5:A52FF2B99005AF99BE8BF4C98FD537C0
                            SHA1:8872F09756A0FD852A057EA6AA8C5C5B6E5F88E3
                            SHA-256:02A79CA830C5C5FDB673DD8381014ADF0CACBF39E92A4FE85973055FEC02490F
                            SHA-512:6D961E29C9141A54A5D814666EEAADD008B184F822CA83931DDBE6A0C27A1D78B0D1CDC2B6EB97C6DA3EE52C3DD239DF266DE9ADF708965053C3076B32F03220
                            Malicious:false
                            Preview:...................................FL..................F.".. ...-/.v....)..@....z.:{.............................:..DG..Yr?.D..U..k0.&...&......vk.v.......p;.......;.......t...CFSF..1.....CW.^..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......CW.^.Xd&...........................%..A.p.p.D.a.t.a...B.V.1......Xb&..Roaming.@......CW.^.Xb&..........................pt..R.o.a.m.i.n.g.....\.1.....DW.N..MICROS~1..D......CW.^.Xf&..........................9D..M.i.c.r.o.s.o.f.t.....V.1.....DWT`..Windows.@......CW.^.Xj&...........................L(.W.i.n.d.o.w.s.......1.....CW.^..STARTM~1..n......CW.^.Xj&....................D.....=X..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....DW.N..Programs..j......CW.^.Xj&....................@.........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......CW.^.Xj&..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......CW.^DW.V....Q...........
                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):6221
                            Entropy (8bit):3.7282961671368344
                            Encrypted:false
                            SSDEEP:96:UJCy3CGR5EkvhkvCCtJBKjJLmHHsKjJLmHHt:UJCOPAHKjJL5KjJLi
                            MD5:D93906CBFA84FB4FEA599BA372B394E5
                            SHA1:4F3BDF9B4EF51836C170A6C0C2CA5C21B1CED913
                            SHA-256:CD88B770A85D748DA96F444B9EB7FB1ADDD8ED7133460FD12594DA0D605726F0
                            SHA-512:F186A047AF4CDC50E454BBBA18C8231C3D86C8231DC65A5D6F18AB1F02DA22B75D1B7A35A8749C1880961077E8C3326245872A44F295ABA053A25B0204FC56A5
                            Malicious:false
                            Preview:...................................FL..................F.".. ...-/.v....)..@....z.:{.............................:..DG..Yr?.D..U..k0.&...&......vk.v.......p;...S.F.;.......t...CFSF..1.....CW.^..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......CW.^.Xd&...........................%..A.p.p.D.a.t.a...B.V.1......Xb&..Roaming.@......CW.^.Xb&..........................pt..R.o.a.m.i.n.g.....\.1.....DW.N..MICROS~1..D......CW.^.Xf&..........................9D..M.i.c.r.o.s.o.f.t.....V.1.....DWT`..Windows.@......CW.^.Xj&...........................L(.W.i.n.d.o.w.s.......1.....CW.^..STARTM~1..n......CW.^.Xj&....................D.....=X..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....DW.N..Programs..j......CW.^.Xj&....................@.........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......CW.^.Xj&..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......CW.^DW.V....Q...........
                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):6221
                            Entropy (8bit):3.731594285412682
                            Encrypted:false
                            SSDEEP:96:8J333CxH5EkvhkvCCtJBKjJLmHHsKjJLmHHt:8J3yZAHKjJL5KjJLi
                            MD5:C95F8C02BB7BB73752C08674D3380325
                            SHA1:DC568C33EF527AFABFD18D922CA551B8D5009235
                            SHA-256:3CE476E2A1F17376EA68E31E3165426A852D662150EFAAB3547E290335470366
                            SHA-512:C8BE8B8756F6E27FD59D46FAA4C58832ED8C01E8818ECC35F18990A942E7C1BA3060D804123C91EC48CCF5E92055918601FB25A66547A428371B48553BDE7AE0
                            Malicious:false
                            Preview:...................................FL..................F.".. ...-/.v....)..@....z.:{.............................:..DG..Yr?.D..U..k0.&...&......vk.v.......p;......y;.......t...CFSF..1.....CW.^..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......CW.^.Xd&...........................%..A.p.p.D.a.t.a...B.V.1......Xb&..Roaming.@......CW.^.Xb&..........................pt..R.o.a.m.i.n.g.....\.1.....DW.N..MICROS~1..D......CW.^.Xf&..........................9D..M.i.c.r.o.s.o.f.t.....V.1.....DWT`..Windows.@......CW.^DWT`...........................L(.W.i.n.d.o.w.s.......1.....CW.^..STARTM~1..n......CW.^DW.`....................D.....=X..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....DW.N..Programs..j......CW.^DW.`....................@.........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......CW.^DW.`..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......CW.^DW.V....Q...........
                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):6221
                            Entropy (8bit):3.731594285412682
                            Encrypted:false
                            SSDEEP:96:8J333CxH5EkvhkvCCtJBKjJLmHHsKjJLmHHt:8J3yZAHKjJL5KjJLi
                            MD5:C95F8C02BB7BB73752C08674D3380325
                            SHA1:DC568C33EF527AFABFD18D922CA551B8D5009235
                            SHA-256:3CE476E2A1F17376EA68E31E3165426A852D662150EFAAB3547E290335470366
                            SHA-512:C8BE8B8756F6E27FD59D46FAA4C58832ED8C01E8818ECC35F18990A942E7C1BA3060D804123C91EC48CCF5E92055918601FB25A66547A428371B48553BDE7AE0
                            Malicious:false
                            Preview:...................................FL..................F.".. ...-/.v....)..@....z.:{.............................:..DG..Yr?.D..U..k0.&...&......vk.v.......p;......y;.......t...CFSF..1.....CW.^..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......CW.^.Xd&...........................%..A.p.p.D.a.t.a...B.V.1......Xb&..Roaming.@......CW.^.Xb&..........................pt..R.o.a.m.i.n.g.....\.1.....DW.N..MICROS~1..D......CW.^.Xf&..........................9D..M.i.c.r.o.s.o.f.t.....V.1.....DWT`..Windows.@......CW.^DWT`...........................L(.W.i.n.d.o.w.s.......1.....CW.^..STARTM~1..n......CW.^DW.`....................D.....=X..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....DW.N..Programs..j......CW.^DW.`....................@.........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......CW.^DW.`..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......CW.^DW.V....Q...........
                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):6221
                            Entropy (8bit):3.731594285412682
                            Encrypted:false
                            SSDEEP:96:8J333CxH5EkvhkvCCtJBKjJLmHHsKjJLmHHt:8J3yZAHKjJL5KjJLi
                            MD5:C95F8C02BB7BB73752C08674D3380325
                            SHA1:DC568C33EF527AFABFD18D922CA551B8D5009235
                            SHA-256:3CE476E2A1F17376EA68E31E3165426A852D662150EFAAB3547E290335470366
                            SHA-512:C8BE8B8756F6E27FD59D46FAA4C58832ED8C01E8818ECC35F18990A942E7C1BA3060D804123C91EC48CCF5E92055918601FB25A66547A428371B48553BDE7AE0
                            Malicious:false
                            Preview:...................................FL..................F.".. ...-/.v....)..@....z.:{.............................:..DG..Yr?.D..U..k0.&...&......vk.v.......p;......y;.......t...CFSF..1.....CW.^..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......CW.^.Xd&...........................%..A.p.p.D.a.t.a...B.V.1......Xb&..Roaming.@......CW.^.Xb&..........................pt..R.o.a.m.i.n.g.....\.1.....DW.N..MICROS~1..D......CW.^.Xf&..........................9D..M.i.c.r.o.s.o.f.t.....V.1.....DWT`..Windows.@......CW.^DWT`...........................L(.W.i.n.d.o.w.s.......1.....CW.^..STARTM~1..n......CW.^DW.`....................D.....=X..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....DW.N..Programs..j......CW.^DW.`....................@.........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......CW.^DW.`..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......CW.^DW.V....Q...........
                            Process:C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe
                            File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Tue Jul 2 03:52:04 2024, mtime=Tue Jul 2 03:52:04 2024, atime=Tue Jul 2 03:52:04 2024, length=44544, window=hide
                            Category:dropped
                            Size (bytes):770
                            Entropy (8bit):4.665365056685493
                            Encrypted:false
                            SSDEEP:12:8nA0cfE+ecfILprjDujAplgCHGbwjDdG2HxHIBmV:8A7h4VjeA3+wjhG2RoBm
                            MD5:6C3F23B4E7935D27A5C0E3B55C2B6E1E
                            SHA1:F44863E113BC5B36E0125B7575776AC36900B79E
                            SHA-256:4F0FB622EE7B418A6DBB13AF1B75CCD5D48ECEFFC3035DDA1861D169D21559AD
                            SHA-512:01E85AE221B3C6B67362FCF3CC4221F33672C3AD10AD6735457F52339597465F921A7B1C3FBB6E0578C4F9BE59147C69DF95DBB6099B26B258CE2545154F4AA5
                            Malicious:false
                            Preview:L..................F.... .....;......;......;................................P.O. .:i.....+00.../C:\...................`.1......Xb&. PROGRA~3..H......O.I.Xb&....g........................P.r.o.g.r.a.m.D.a.t.a.......2......X.& JAVAUP~1.EXE..r.......X.&.X.&.............................J.a.v.a. .U.p.d.a.t.e. .C.h.e.c.k.e.r. .(.6.4. .b.i.t.)...e.x.e.......^...............-.......]...........#B.......C:\ProgramData\Java Update Checker (64 bit).exe..G.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m.D.a.t.a.\.J.a.v.a. .U.p.d.a.t.e. .C.h.e.c.k.e.r. .(.6.4. .b.i.t.)...e.x.e.`.......X.......301389...........hT..CrF.f4... ..T..b...,.......hT..CrF.f4... ..T..b...,......E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................
                            Process:C:\Windows\svchost.com
                            File Type:ASCII text, with CRLF line terminators
                            Category:modified
                            Size (bytes):59
                            Entropy (8bit):4.539234152262855
                            Encrypted:false
                            SSDEEP:3:oXeqNjMJJLNov:oXe2jInov
                            MD5:9E06CBAEA528ED37C8D88CB88A27A9FF
                            SHA1:8C6863473EDBBE39D692EDE22A57D09076BD40E1
                            SHA-256:FB23916EF2EF95CABF567D35D79DE3209BD357967BBE1AAC618B684D06F4AD36
                            SHA-512:B9EA6E2EF1E35BE7EE1E2782452FF4419787792299B30CFD7ADF9B37DC6D92D3E6EC36040E6320822E405C7FAFE7F79D05975B8430AF113041D1726A9BF90754
                            Malicious:true
                            Preview:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe..
                            Process:C:\Users\user\Desktop\java_update.exe
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):41472
                            Entropy (8bit):6.4097860883906606
                            Encrypted:false
                            SSDEEP:768:nyxqjQl/EMQt4Oei7RwsHxKANM0nDhlzOQdJ:yxqjQ+P04wsZLnDrC
                            MD5:ED452C704A8E8F1F9926340D4E79C150
                            SHA1:E84970E8BA4A50E572521E506DF8D5B90C4A448F
                            SHA-256:F0E5D4A21C4A7D8E82A6D3F5D4488170554DB199C3AC10613C023621700E1021
                            SHA-512:01635130B44FC4DF2848B713E710D91489B02B2AC2DB99C932FA92A7782AAAF5622A13C91783469F6EA6DD864434ADF8CB1E2B0EB4A82E365D02578C02DD19F3
                            Malicious:true
                            Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*......x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                            File type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Entropy (8bit):6.319328938470087
                            TrID:
                            • Win32 Executable (generic) Net Framework (10011505/4) 49.29%
                            • Win32 Executable (generic) a (10002005/4) 49.25%
                            • Win32 Executable Borland Delphi 6 (262906/60) 1.29%
                            • Win32 Executable Delphi generic (14689/80) 0.07%
                            • Windows Screen Saver (13104/52) 0.06%
                            File name:java_update.exe
                            File size:86'016 bytes
                            MD5:bc4206081a6f4206dc5b63948b05ef4b
                            SHA1:4e48607de38ccb23ed81c1d19c8884fec2863ce9
                            SHA256:b771a64bbfce8232710851ea13f5408cc28133ac0537ff1309c749ce85f42633
                            SHA512:651d1c96fe86ff46b797694c68521f8dc46291ccb7d60f3b9ec5c06ab7bdb857ffb61cdc4483ae7f1fe44c5b51ad1f096afa3182c66931e3bc7ae5ea07065475
                            SSDEEP:1536:yxqjQ+P04wsZLnDrCynM9aR8r8ItiOeF894Fc9U+68OMm:zr8WDrCwM9Ms8ItiOj94Fc9UMOM
                            TLSH:78838E69BB924532D1FE2FFC5C3252010736BA132E2787AF19E45C9A1E3A7C54908BD6
                            File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................
                            Icon Hash:4df4f2f2d0d8f845
                            Entrypoint:0x408178
                            Entrypoint Section:CODE
                            Digitally signed:false
                            Imagebase:0x400000
                            Subsystem:windows gui
                            Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
                            DLL Characteristics:
                            Time Stamp:0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
                            TLS Callbacks:
                            CLR (.Net) Version:
                            OS Version Major:4
                            OS Version Minor:0
                            File Version Major:4
                            File Version Minor:0
                            Subsystem Version Major:4
                            Subsystem Version Minor:0
                            Import Hash:9f4693fc0c511135129493f2161d1e86
                            Instruction
                            push ebp
                            mov ebp, esp
                            add esp, FFFFFFE0h
                            xor eax, eax
                            mov dword ptr [ebp-20h], eax
                            mov dword ptr [ebp-18h], eax
                            mov dword ptr [ebp-1Ch], eax
                            mov dword ptr [ebp-14h], eax
                            mov eax, 004080E8h
                            call 00007FDFE8BD0313h
                            xor eax, eax
                            push ebp
                            push 004082B4h
                            push dword ptr fs:[eax]
                            mov dword ptr fs:[eax], esp
                            mov eax, 004091A8h
                            mov ecx, 0000000Bh
                            mov edx, 0000000Bh
                            call 00007FDFE8BD34ADh
                            mov eax, 004091B4h
                            mov ecx, 00000009h
                            mov edx, 00000009h
                            call 00007FDFE8BD3499h
                            mov eax, 004091C0h
                            mov ecx, 00000003h
                            mov edx, 00000003h
                            call 00007FDFE8BD3485h
                            mov eax, 004091DCh
                            mov ecx, 00000003h
                            mov edx, 00000003h
                            call 00007FDFE8BD3471h
                            mov eax, dword ptr [00409210h]
                            mov ecx, 0000000Bh
                            mov edx, 0000000Bh
                            call 00007FDFE8BD345Dh
                            call 00007FDFE8BD34B4h
                            lea edx, dword ptr [ebp-14h]
                            xor eax, eax
                            call 00007FDFE8BD0D4Eh
                            mov eax, dword ptr [ebp-14h]
                            call 00007FDFE8BD12E2h
                            cmp eax, 0000A200h
                            jle 00007FDFE8BD4597h
                            call 00007FDFE8BD3A32h
                            call 00007FDFE8BD4289h
                            mov eax, 004091C4h
                            mov ecx, 00000003h
                            mov edx, 00000003h
                             Name | Virtual Address | Virtual Size | Is in Section
                             IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                             IMAGE_DIRECTORY_ENTRY_IMPORT | 0x15000 | 0x864 | .idata
                             IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x19000 | 0x1400 | .rsrc
                             IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                             IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                             IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x18000 | 0x5cc | .reloc
                             IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                             IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                             IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                             IMAGE_DIRECTORY_ENTRY_TLS | 0x17000 | 0x18 | .rdata
                             IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                             IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                             IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
                             IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                             IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                             IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                             Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                             CODE | 0x1000 | 0x72c0 | 0x7400 | 57df3a5615ac3f00c33b7f1f6f46d36a | False | 0.6197804418103449 | data | 6.521149320889011 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                             DATA | 0x9000 | 0x218 | 0x400 | 7ffc3168a7f3103634abdf3a768ed128 | False | 0.3623046875 | data | 3.1516983405583385 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                             BSS | 0xa000 | 0xa899 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                             .idata | 0x15000 | 0x864 | 0xa00 | 6e7a45521bfca94f1e506361f70e7261 | False | 0.37421875 | data | 4.173859768945439 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                             .tls | 0x16000 | 0x8 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                             .rdata | 0x17000 | 0x18 | 0x200 | 7e6c0f4f4435abc870eb550d5072bad6 | False | 0.05078125 | data | 0.2069200177871819 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
                             .reloc | 0x18000 | 0x5cc | 0x600 | 2f4536f51417a33d5e7cc1d66b1ca51e | False | 0.8333333333333334 | data | 6.433117350337874 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
                             .rsrc | 0x19000 | 0x1400 | 0x1400 | 9011ee73a9c03d3d145a55b8465c34fa | False | 0.16796875 | data | 4.600646607779606 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
                             Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                             RT_ICON | 0x19150 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4264 | Russian | Russia | 0.11163227016885553
                             RT_RCDATA | 0x1a1f8 | 0x10 | data | | | 1.5
                             RT_RCDATA | 0x1a208 | 0xac | data | | | 1.063953488372093
                             RT_GROUP_ICON | 0x1a2b4 | 0x14 | data | Russian | Russia | 1.1
                             DLL | Import
                             kernel32.dll | DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, GetVersion, GetCurrentThreadId, GetThreadLocale, GetStartupInfoA, GetLocaleInfoA, GetCommandLineA, FreeLibrary, ExitProcess, WriteFile, UnhandledExceptionFilter, RtlUnwind, RaiseException, GetStdHandle
                             user32.dll | GetKeyboardType, MessageBoxA
                             advapi32.dll | RegQueryValueExA, RegOpenKeyExA, RegCloseKey
                             oleaut32.dll | SysFreeString, SysReAllocStringLen
                             kernel32.dll | TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleA
                             advapi32.dll | RegSetValueExA, RegOpenKeyExA, RegCloseKey
                             kernel32.dll | WriteFile, WinExec, SetFilePointer, SetFileAttributesA, SetEndOfFile, SetCurrentDirectoryA, ReleaseMutex, ReadFile, GetWindowsDirectoryA, GetTempPathA, GetShortPathNameA, GetModuleFileNameA, GetLogicalDriveStringsA, GetLocalTime, GetLastError, GetFileSize, GetFileAttributesA, GetDriveTypeA, GetCommandLineA, FreeLibrary, FindNextFileA, FindFirstFileA, FindClose, DeleteFileA, CreateMutexA, CreateFileA, CreateDirectoryA, CloseHandle
                             gdi32.dll | StretchDIBits, SetDIBits, SelectObject, GetObjectA, GetDIBits, DeleteObject, DeleteDC, CreateSolidBrush, CreateDIBSection, CreateCompatibleDC, CreateCompatibleBitmap, BitBlt
                             user32.dll | ReleaseDC, GetSysColor, GetIconInfo, GetDC, FillRect, DestroyIcon, CopyImage, CharLowerBuffA
                             shell32.dll | ShellExecuteA, ExtractIconA
                             Language of compilation system | Country where language is spoken | Map
                             Russian | Russia |
                             Timestamp | Source Port | Dest Port | Source IP | Dest IP
                             Jul 2, 2024 06:51:18.144488096 CEST | 49730 | 80 | 192.168.2.4 | 208.95.112.1
                             Jul 2, 2024 06:51:18.149413109 CEST | 80 | 49730 | 208.95.112.1 | 192.168.2.4
                             Jul 2, 2024 06:51:18.149507999 CEST | 49730 | 80 | 192.168.2.4 | 208.95.112.1
                             Jul 2, 2024 06:51:18.150172949 CEST | 49730 | 80 | 192.168.2.4 | 208.95.112.1
                             Jul 2, 2024 06:51:18.154997110 CEST | 80 | 49730 | 208.95.112.1 | 192.168.2.4
                             Jul 2, 2024 06:51:18.639070034 CEST | 80 | 49730 | 208.95.112.1 | 192.168.2.4
                             Jul 2, 2024 06:51:18.690820932 CEST | 49730 | 80 | 192.168.2.4 | 208.95.112.1
                             Jul 2, 2024 06:52:00.535567999 CEST | 80 | 49730 | 208.95.112.1 | 192.168.2.4
                             Jul 2, 2024 06:52:00.535655022 CEST | 49730 | 80 | 192.168.2.4 | 208.95.112.1
                             Jul 2, 2024 06:52:06.532145023 CEST | 49737 | 6666 | 192.168.2.4 | 45.141.26.232
                             Jul 2, 2024 06:52:06.536946058 CEST | 6666 | 49737 | 45.141.26.232 | 192.168.2.4
                             Jul 2, 2024 06:52:06.537017107 CEST | 49737 | 6666 | 192.168.2.4 | 45.141.26.232
                             Jul 2, 2024 06:52:06.776359081 CEST | 49737 | 6666 | 192.168.2.4 | 45.141.26.232
                             Jul 2, 2024 06:52:06.781155109 CEST | 6666 | 49737 | 45.141.26.232 | 192.168.2.4
                             Jul 2, 2024 06:52:08.723500013 CEST | 6666 | 49737 | 45.141.26.232 | 192.168.2.4
                             Jul 2, 2024 06:52:08.725070953 CEST | 49737 | 6666 | 192.168.2.4 | 45.141.26.232
                             Jul 2, 2024 06:52:10.806524992 CEST | 49737 | 6666 | 192.168.2.4 | 45.141.26.232
                             Jul 2, 2024 06:52:10.811295986 CEST | 6666 | 49737 | 45.141.26.232 | 192.168.2.4
                             Jul 2, 2024 06:52:10.817276955 CEST | 49739 | 6666 | 192.168.2.4 | 45.141.26.232
                             Jul 2, 2024 06:52:10.822171926 CEST | 6666 | 49739 | 45.141.26.232 | 192.168.2.4
                             Jul 2, 2024 06:52:10.822345018 CEST | 49739 | 6666 | 192.168.2.4 | 45.141.26.232
                             Jul 2, 2024 06:52:10.978821039 CEST | 49739 | 6666 | 192.168.2.4 | 45.141.26.232
                             Jul 2, 2024 06:52:10.983757973 CEST | 6666 | 49739 | 45.141.26.232 | 192.168.2.4
                             Jul 2, 2024 06:52:13.031369925 CEST | 6666 | 49739 | 45.141.26.232 | 192.168.2.4
                             Jul 2, 2024 06:52:13.031466007 CEST | 49739 | 6666 | 192.168.2.4 | 45.141.26.232
                             Jul 2, 2024 06:52:15.771249056 CEST | 49739 | 6666 | 192.168.2.4 | 45.141.26.232
                             Jul 2, 2024 06:52:15.772811890 CEST | 49740 | 6666 | 192.168.2.4 | 45.141.26.232
                             Jul 2, 2024 06:52:15.776109934 CEST | 6666 | 49739 | 45.141.26.232 | 192.168.2.4
                             Jul 2, 2024 06:52:15.777645111 CEST | 6666 | 49740 | 45.141.26.232 | 192.168.2.4
                             Jul 2, 2024 06:52:15.777713060 CEST | 49740 | 6666 | 192.168.2.4 | 45.141.26.232
                             Jul 2, 2024 06:52:15.813261032 CEST | 49740 | 6666 | 192.168.2.4 | 45.141.26.232
                             Jul 2, 2024 06:52:15.819128990 CEST | 6666 | 49740 | 45.141.26.232 | 192.168.2.4
                             Jul 2, 2024 06:52:17.939472914 CEST | 6666 | 49740 | 45.141.26.232 | 192.168.2.4
                             Jul 2, 2024 06:52:17.941766024 CEST | 49740 | 6666 | 192.168.2.4 | 45.141.26.232
                             Jul 2, 2024 06:52:19.394067049 CEST | 49740 | 6666 | 192.168.2.4 | 45.141.26.232
                             Jul 2, 2024 06:52:19.395018101 CEST | 49741 | 6666 | 192.168.2.4 | 45.141.26.232
                             Jul 2, 2024 06:52:19.399159908 CEST | 6666 | 49740 | 45.141.26.232 | 192.168.2.4
                             Jul 2, 2024 06:52:19.400142908 CEST | 6666 | 49741 | 45.141.26.232 | 192.168.2.4
                             Jul 2, 2024 06:52:19.400336981 CEST | 49741 | 6666 | 192.168.2.4 | 45.141.26.232
                             Jul 2, 2024 06:52:19.419106960 CEST | 49741 | 6666 | 192.168.2.4 | 45.141.26.232
                             Jul 2, 2024 06:52:19.424320936 CEST | 6666 | 49741 | 45.141.26.232 | 192.168.2.4
                             Jul 2, 2024 06:52:21.562216043 CEST | 6666 | 49741 | 45.141.26.232 | 192.168.2.4
                             Jul 2, 2024 06:52:21.562385082 CEST | 49741 | 6666 | 192.168.2.4 | 45.141.26.232
                             Jul 2, 2024 06:52:22.690941095 CEST | 49741 | 6666 | 192.168.2.4 | 45.141.26.232
                             Jul 2, 2024 06:52:22.692004919 CEST | 49742 | 6666 | 192.168.2.4 | 45.141.26.232
                             Jul 2, 2024 06:52:22.908677101 CEST | 6666 | 49741 | 45.141.26.232 | 192.168.2.4
                             Jul 2, 2024 06:52:22.908689022 CEST | 6666 | 49742 | 45.141.26.232 | 192.168.2.4
                             Jul 2, 2024 06:52:22.908792019 CEST | 49742 | 6666 | 192.168.2.4 | 45.141.26.232
                             Jul 2, 2024 06:52:22.924191952 CEST | 49742 | 6666 | 192.168.2.4 | 45.141.26.232
                             Jul 2, 2024 06:52:22.929845095 CEST | 6666 | 49742 | 45.141.26.232 | 192.168.2.4
                             Jul 2, 2024 06:52:25.079169035 CEST | 6666 | 49742 | 45.141.26.232 | 192.168.2.4
                             Jul 2, 2024 06:52:25.079298019 CEST | 49742 | 6666 | 192.168.2.4 | 45.141.26.232
                             Jul 2, 2024 06:52:27.315947056 CEST | 49742 | 6666 | 192.168.2.4 | 45.141.26.232
                             Jul 2, 2024 06:52:27.316917896 CEST | 49743 | 6666 | 192.168.2.4 | 45.141.26.232
                             Jul 2, 2024 06:52:27.321373940 CEST | 6666 | 49742 | 45.141.26.232 | 192.168.2.4
                             Jul 2, 2024 06:52:27.323157072 CEST | 6666 | 49743 | 45.141.26.232 | 192.168.2.4
                             Jul 2, 2024 06:52:27.323230028 CEST | 49743 | 6666 | 192.168.2.4 | 45.141.26.232
                             Jul 2, 2024 06:52:27.338589907 CEST | 49743 | 6666 | 192.168.2.4 | 45.141.26.232
                             Jul 2, 2024 06:52:27.343637943 CEST | 6666 | 49743 | 45.141.26.232 | 192.168.2.4
                             Jul 2, 2024 06:52:29.531079054 CEST | 6666 | 49743 | 45.141.26.232 | 192.168.2.4
                             Jul 2, 2024 06:52:29.533394098 CEST | 49743 | 6666 | 192.168.2.4 | 45.141.26.232
                             Jul 2, 2024 06:52:30.644049883 CEST | 49743 | 6666 | 192.168.2.4 | 45.141.26.232
                             Jul 2, 2024 06:52:30.644911051 CEST | 49744 | 6666 | 192.168.2.4 | 45.141.26.232
                             Jul 2, 2024 06:52:30.648838043 CEST | 6666 | 49743 | 45.141.26.232 | 192.168.2.4
                             Jul 2, 2024 06:52:30.649709940 CEST | 6666 | 49744 | 45.141.26.232 | 192.168.2.4
                             Jul 2, 2024 06:52:30.649811029 CEST | 49744 | 6666 | 192.168.2.4 | 45.141.26.232
                             Jul 2, 2024 06:52:30.665082932 CEST | 49744 | 6666 | 192.168.2.4 | 45.141.26.232
                             Jul 2, 2024 06:52:30.669934988 CEST | 6666 | 49744 | 45.141.26.232 | 192.168.2.4
                             Jul 2, 2024 06:52:32.814225912 CEST | 6666 | 49744 | 45.141.26.232 | 192.168.2.4
                             Jul 2, 2024 06:52:32.814282894 CEST | 49744 | 6666 | 192.168.2.4 | 45.141.26.232
                             Jul 2, 2024 06:52:35.706614017 CEST | 49744 | 6666 | 192.168.2.4 | 45.141.26.232
                             Jul 2, 2024 06:52:35.707808971 CEST | 49745 | 6666 | 192.168.2.4 | 45.141.26.232
                             Jul 2, 2024 06:52:35.711446047 CEST | 6666 | 49744 | 45.141.26.232 | 192.168.2.4
                             Jul 2, 2024 06:52:35.712642908 CEST | 6666 | 49745 | 45.141.26.232 | 192.168.2.4
                             Jul 2, 2024 06:52:35.712744951 CEST | 49745 | 6666 | 192.168.2.4 | 45.141.26.232
                             Jul 2, 2024 06:52:35.727613926 CEST | 49745 | 6666 | 192.168.2.4 | 45.141.26.232
                             Jul 2, 2024 06:52:35.732537985 CEST | 6666 | 49745 | 45.141.26.232 | 192.168.2.4
                             Jul 2, 2024 06:52:40.109162092 CEST | 6666 | 49745 | 45.141.26.232 | 192.168.2.4
                             Jul 2, 2024 06:52:40.109319925 CEST | 49745 | 6666 | 192.168.2.4 | 45.141.26.232
                             Jul 2, 2024 06:52:40.334827900 CEST | 49745 | 6666 | 192.168.2.4 | 45.141.26.232
                             Jul 2, 2024 06:52:40.339821100 CEST | 6666 | 49745 | 45.141.26.232 | 192.168.2.4
                             Jul 2, 2024 06:52:40.341375113 CEST | 49746 | 6666 | 192.168.2.4 | 45.141.26.232
                             Jul 2, 2024 06:52:40.346221924 CEST | 6666 | 49746 | 45.141.26.232 | 192.168.2.4
                             Jul 2, 2024 06:52:40.346311092 CEST | 49746 | 6666 | 192.168.2.4 | 45.141.26.232
                             Jul 2, 2024 06:52:40.360861063 CEST | 49746 | 6666 | 192.168.2.4 | 45.141.26.232
                             Jul 2, 2024 06:52:40.365901947 CEST | 6666 | 49746 | 45.141.26.232 | 192.168.2.4
                             Jul 2, 2024 06:52:42.558176994 CEST | 6666 | 49746 | 45.141.26.232 | 192.168.2.4
                             Jul 2, 2024 06:52:42.561821938 CEST | 49746 | 6666 | 192.168.2.4 | 45.141.26.232
                             Jul 2, 2024 06:52:44.472374916 CEST | 49746 | 6666 | 192.168.2.4 | 45.141.26.232
                             Jul 2, 2024 06:52:44.473319054 CEST | 49747 | 6666 | 192.168.2.4 | 45.141.26.232
                             Jul 2, 2024 06:52:44.477286100 CEST | 6666 | 49746 | 45.141.26.232 | 192.168.2.4
                             Jul 2, 2024 06:52:44.478131056 CEST | 6666 | 49747 | 45.141.26.232 | 192.168.2.4
                             Jul 2, 2024 06:52:44.478189945 CEST | 49747 | 6666 | 192.168.2.4 | 45.141.26.232
                             Jul 2, 2024 06:52:44.495620966 CEST | 49747 | 6666 | 192.168.2.4 | 45.141.26.232
                             Jul 2, 2024 06:52:44.500426054 CEST | 6666 | 49747 | 45.141.26.232 | 192.168.2.4
                             Jul 2, 2024 06:52:46.641911983 CEST | 6666 | 49747 | 45.141.26.232 | 192.168.2.4
                             Jul 2, 2024 06:52:46.642082930 CEST | 49747 | 6666 | 192.168.2.4 | 45.141.26.232
                             Jul 2, 2024 06:52:47.081559896 CEST | 49747 | 6666 | 192.168.2.4 | 45.141.26.232
                             Jul 2, 2024 06:52:47.082659006 CEST | 49748 | 6666 | 192.168.2.4 | 45.141.26.232
                             Jul 2, 2024 06:52:47.086366892 CEST | 6666 | 49747 | 45.141.26.232 | 192.168.2.4
                             Jul 2, 2024 06:52:47.087377071 CEST | 6666 | 49748 | 45.141.26.232 | 192.168.2.4
                             Jul 2, 2024 06:52:47.087536097 CEST | 49748 | 6666 | 192.168.2.4 | 45.141.26.232
                             Jul 2, 2024 06:52:47.103235960 CEST | 49748 | 6666 | 192.168.2.4 | 45.141.26.232
                             Jul 2, 2024 06:52:47.107950926 CEST | 6666 | 49748 | 45.141.26.232 | 192.168.2.4
                             Jul 2, 2024 06:52:49.253952026 CEST | 6666 | 49748 | 45.141.26.232 | 192.168.2.4
                             Jul 2, 2024 06:52:49.254057884 CEST | 49748 | 6666 | 192.168.2.4 | 45.141.26.232
                             Jul 2, 2024 06:52:50.191121101 CEST | 49748 | 6666 | 192.168.2.4 | 45.141.26.232
                             Jul 2, 2024 06:52:50.191926956 CEST | 49749 | 6666 | 192.168.2.4 | 45.141.26.232
                             Jul 2, 2024 06:52:50.196513891 CEST | 6666 | 49748 | 45.141.26.232 | 192.168.2.4
                             Jul 2, 2024 06:52:50.196854115 CEST | 6666 | 49749 | 45.141.26.232 | 192.168.2.4
                             Jul 2, 2024 06:52:50.196933031 CEST | 49749 | 6666 | 192.168.2.4 | 45.141.26.232
                             Jul 2, 2024 06:52:50.211756945 CEST | 49749 | 6666 | 192.168.2.4 | 45.141.26.232
                             Jul 2, 2024 06:52:50.216773033 CEST | 6666 | 49749 | 45.141.26.232 | 192.168.2.4
                             Jul 2, 2024 06:52:52.359527111 CEST | 6666 | 49749 | 45.141.26.232 | 192.168.2.4
                             Jul 2, 2024 06:52:52.359589100 CEST | 49749 | 6666 | 192.168.2.4 | 45.141.26.232
                             Jul 2, 2024 06:52:54.784835100 CEST | 49749 | 6666 | 192.168.2.4 | 45.141.26.232
                             Jul 2, 2024 06:52:54.785893917 CEST | 49750 | 6666 | 192.168.2.4 | 45.141.26.232
                             Jul 2, 2024 06:52:54.789756060 CEST | 6666 | 49749 | 45.141.26.232 | 192.168.2.4
                             Jul 2, 2024 06:52:54.790813923 CEST | 6666 | 49750 | 45.141.26.232 | 192.168.2.4
                             Jul 2, 2024 06:52:54.790882111 CEST | 49750 | 6666 | 192.168.2.4 | 45.141.26.232
                             Jul 2, 2024 06:52:54.808573008 CEST | 49750 | 6666 | 192.168.2.4 | 45.141.26.232
                             Jul 2, 2024 06:52:54.814235926 CEST | 6666 | 49750 | 45.141.26.232 | 192.168.2.4
                             Jul 2, 2024 06:52:56.995887995 CEST | 6666 | 49750 | 45.141.26.232 | 192.168.2.4
                            Jul 2, 2024 06:52:56.996033907 CEST497506666192.168.2.445.141.26.232
                            Jul 2, 2024 06:52:58.019395113 CEST497506666192.168.2.445.141.26.232
                            Jul 2, 2024 06:52:58.021394014 CEST497516666192.168.2.445.141.26.232
                            Jul 2, 2024 06:52:58.024257898 CEST66664975045.141.26.232192.168.2.4
                            Jul 2, 2024 06:52:58.026268959 CEST66664975145.141.26.232192.168.2.4
                            Jul 2, 2024 06:52:58.026352882 CEST497516666192.168.2.445.141.26.232
                            Jul 2, 2024 06:52:58.042597055 CEST497516666192.168.2.445.141.26.232
                            Jul 2, 2024 06:52:58.047455072 CEST66664975145.141.26.232192.168.2.4
                            Jul 2, 2024 06:52:58.857058048 CEST4973080192.168.2.4208.95.112.1
                            Jul 2, 2024 06:52:58.861968994 CEST8049730208.95.112.1192.168.2.4
                            Jul 2, 2024 06:53:00.205622911 CEST66664975145.141.26.232192.168.2.4
                            Jul 2, 2024 06:53:00.205713987 CEST497516666192.168.2.445.141.26.232
                            Jul 2, 2024 06:53:00.722565889 CEST497516666192.168.2.445.141.26.232
                            Jul 2, 2024 06:53:00.724149942 CEST497526666192.168.2.445.141.26.232
                            Jul 2, 2024 06:53:00.727428913 CEST66664975145.141.26.232192.168.2.4
                            Jul 2, 2024 06:53:00.728966951 CEST66664975245.141.26.232192.168.2.4
                            Jul 2, 2024 06:53:00.729078054 CEST497526666192.168.2.445.141.26.232
                            Jul 2, 2024 06:53:00.747364998 CEST497526666192.168.2.445.141.26.232
                            Jul 2, 2024 06:53:00.752120018 CEST66664975245.141.26.232192.168.2.4
                            Jul 2, 2024 06:53:02.958622932 CEST66664975245.141.26.232192.168.2.4
                            Jul 2, 2024 06:53:02.958731890 CEST497526666192.168.2.445.141.26.232
                            Jul 2, 2024 06:53:02.987857103 CEST497526666192.168.2.445.141.26.232
                            Jul 2, 2024 06:53:02.989463091 CEST497536666192.168.2.445.141.26.232
                            Jul 2, 2024 06:53:02.992739916 CEST66664975245.141.26.232192.168.2.4
                            Jul 2, 2024 06:53:02.994652987 CEST66664975345.141.26.232192.168.2.4
                            Jul 2, 2024 06:53:02.994735003 CEST497536666192.168.2.445.141.26.232
                            Jul 2, 2024 06:53:03.023190975 CEST497536666192.168.2.445.141.26.232
                            Jul 2, 2024 06:53:03.029110909 CEST66664975345.141.26.232192.168.2.4
                            Jul 2, 2024 06:53:05.180977106 CEST66664975345.141.26.232192.168.2.4
                            Jul 2, 2024 06:53:05.181256056 CEST497536666192.168.2.445.141.26.232
                            Jul 2, 2024 06:53:05.191168070 CEST497536666192.168.2.445.141.26.232
                            Jul 2, 2024 06:53:05.192446947 CEST497546666192.168.2.445.141.26.232
                            Jul 2, 2024 06:53:05.196281910 CEST66664975345.141.26.232192.168.2.4
                            Jul 2, 2024 06:53:05.197707891 CEST66664975445.141.26.232192.168.2.4
                            Jul 2, 2024 06:53:05.197797060 CEST497546666192.168.2.445.141.26.232
                            Jul 2, 2024 06:53:05.213443995 CEST497546666192.168.2.445.141.26.232
                            Jul 2, 2024 06:53:05.218765020 CEST66664975445.141.26.232192.168.2.4
                            Jul 2, 2024 06:53:07.359483957 CEST66664975445.141.26.232192.168.2.4
                            Jul 2, 2024 06:53:07.359673023 CEST497546666192.168.2.445.141.26.232
                            Jul 2, 2024 06:53:07.503464937 CEST497546666192.168.2.445.141.26.232
                            Jul 2, 2024 06:53:07.504342079 CEST497556666192.168.2.445.141.26.232
                            Jul 2, 2024 06:53:07.508280993 CEST66664975445.141.26.232192.168.2.4
                            Jul 2, 2024 06:53:07.509185076 CEST66664975545.141.26.232192.168.2.4
                            Jul 2, 2024 06:53:07.509294987 CEST497556666192.168.2.445.141.26.232
                            Jul 2, 2024 06:53:07.543386936 CEST497556666192.168.2.445.141.26.232
                            Jul 2, 2024 06:53:07.548129082 CEST66664975545.141.26.232192.168.2.4
                            Jul 2, 2024 06:53:09.673053026 CEST66664975545.141.26.232192.168.2.4
                            Jul 2, 2024 06:53:09.675503016 CEST497556666192.168.2.445.141.26.232
                            Jul 2, 2024 06:53:09.675614119 CEST497556666192.168.2.445.141.26.232
                            Jul 2, 2024 06:53:09.677843094 CEST497566666192.168.2.445.141.26.232
                            Jul 2, 2024 06:53:09.681566954 CEST66664975545.141.26.232192.168.2.4
                            Jul 2, 2024 06:53:09.682591915 CEST66664975645.141.26.232192.168.2.4
                            Jul 2, 2024 06:53:09.682663918 CEST497566666192.168.2.445.141.26.232
                            Jul 2, 2024 06:53:09.696898937 CEST497566666192.168.2.445.141.26.232
                            Jul 2, 2024 06:53:09.701667070 CEST66664975645.141.26.232192.168.2.4
                            Jul 2, 2024 06:53:11.895418882 CEST66664975645.141.26.232192.168.2.4
                            Jul 2, 2024 06:53:11.895507097 CEST497566666192.168.2.445.141.26.232
                            Jul 2, 2024 06:53:15.145741940 CEST497566666192.168.2.445.141.26.232
                            Jul 2, 2024 06:53:15.147099018 CEST497576666192.168.2.445.141.26.232
                            Jul 2, 2024 06:53:15.150677919 CEST66664975645.141.26.232192.168.2.4
                            Jul 2, 2024 06:53:15.151875973 CEST66664975745.141.26.232192.168.2.4
                            Jul 2, 2024 06:53:15.152004004 CEST497576666192.168.2.445.141.26.232
                            Jul 2, 2024 06:53:15.284455061 CEST497576666192.168.2.445.141.26.232
                            Jul 2, 2024 06:53:15.295897007 CEST66664975745.141.26.232192.168.2.4
                            Jul 2, 2024 06:53:17.313330889 CEST66664975745.141.26.232192.168.2.4
                            Jul 2, 2024 06:53:17.313553095 CEST497576666192.168.2.445.141.26.232
                            Timestamp | Source Port | Dest Port | Source IP | Dest IP
                            Jul 2, 2024 06:51:18.104108095 CEST | 50737 | 53 | 192.168.2.4 | 1.1.1.1
                            Jul 2, 2024 06:51:18.111254930 CEST | 53 | 50737 | 1.1.1.1 | 192.168.2.4
                            Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                            Jul 2, 2024 06:51:18.104108095 CEST | 192.168.2.4 | 1.1.1.1 | 0x54e6 | Standard query (0) | ip-api.com | A (IP address) | IN (0x0001) | false
                            Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                            Jul 2, 2024 06:51:18.111254930 CEST | 1.1.1.1 | 192.168.2.4 | 0x54e6 | No error (0) | ip-api.com | | 208.95.112.1 | A (IP address) | IN (0x0001) | false
                            • ip-api.com
                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                            0 | 192.168.2.4 | 49730 | 208.95.112.1 | 80 | 1800 | C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe
                            Timestamp | Bytes transferred | Direction | Data
                            Jul 2, 2024 06:51:18.150172949 CEST | 80 | OUT | GET /line/?fields=hosting HTTP/1.1
                            Host: ip-api.com
                            Connection: Keep-Alive
                            Jul 2, 2024 06:51:18.639070034 CEST | 175 | IN | HTTP/1.1 200 OK
                            Date: Tue, 02 Jul 2024 04:51:18 GMT
                            Content-Type: text/plain; charset=utf-8
                            Content-Length: 6
                            Access-Control-Allow-Origin: *
                            X-Ttl: 60
                            X-Rl: 44
                            Data Raw: 66 61 6c 73 65 0a
                            Data Ascii: false

                            Target ID:0
                            Start time:00:51:10
                            Start date:02/07/2024
                            Path:C:\Users\user\Desktop\java_update.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Users\user\Desktop\java_update.exe"
                            Imagebase:0x400000
                            File size:86'016 bytes
                            MD5 hash:BC4206081A6F4206DC5B63948B05EF4B
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Yara matches:
                            • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: 00000000.00000002.2234036394.0000000000409000.00000004.00000001.01000000.00000003.sdmp, Author: Joe Security
                            Reputation:low
                            Has exited:true

                            Target ID:1
                            Start time:00:51:10
                            Start date:02/07/2024
                            Path:C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe
                            Wow64 process (32bit):false
                            Commandline:"C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe"
                            Imagebase:0xe60000
                            File size:44'544 bytes
                            MD5 hash:F3B2776EE93CFCAAFC72385378A22B31
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Yara matches:
                            • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000001.00000000.1716627555.0000000000E62000.00000002.00000001.01000000.00000005.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000001.00000000.1716627555.0000000000E62000.00000002.00000001.01000000.00000005.sdmp, Author: Joe Security
                            • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000001.00000000.1716627555.0000000000E62000.00000002.00000001.01000000.00000005.sdmp, Author: ditekSHen
                            • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000001.00000002.2964590079.0000000003351000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe, Author: Joe Security
                            • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe, Author: Joe Security
                            • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe, Author: Joe Security
                            • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe, Author: ditekSHen
                            Reputation:low
                            Has exited:false

                            Target ID:2
                            Start time:00:51:17
                            Start date:02/07/2024
                            Path:C:\Windows\svchost.com
                            Wow64 process (32bit):true
                            Commandline:"C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe'
                            Imagebase:0x400000
                            File size:41'472 bytes
                            MD5 hash:ED452C704A8E8F1F9926340D4E79C150
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:low
                            Has exited:true

                            Target ID:3
                            Start time:00:51:17
                            Start date:02/07/2024
                            Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                            Wow64 process (32bit):true
                            Commandline:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe'
                            Imagebase:0xc40000
                            File size:433'152 bytes
                            MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:4
                            Start time:00:51:18
                            Start date:02/07/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:10
                            Start time:00:52:02
                            Start date:02/07/2024
                            Path:C:\Windows\svchost.com
                            Wow64 process (32bit):true
                            Commandline:"C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'java_update.exe'
                            Imagebase:0x400000
                            File size:41'472 bytes
                            MD5 hash:ED452C704A8E8F1F9926340D4E79C150
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:low
                            Has exited:true

                            Target ID:11
                            Start time:00:52:02
                            Start date:02/07/2024
                            Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                            Wow64 process (32bit):true
                            Commandline:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'java_update.exe'
                            Imagebase:0xc40000
                            File size:433'152 bytes
                            MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:12
                            Start time:00:52:02
                            Start date:02/07/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:13
                            Start time:00:52:03
                            Start date:02/07/2024
                            Path:C:\Windows\svchost.com
                            Wow64 process (32bit):true
                            Commandline:"C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Java Update Checker (64 bit).exe'
                            Imagebase:0x400000
                            File size:41'472 bytes
                            MD5 hash:ED452C704A8E8F1F9926340D4E79C150
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:low
                            Has exited:true

                            Target ID:14
                            Start time:00:52:03
                            Start date:02/07/2024
                            Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                            Wow64 process (32bit):true
                            Commandline:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Java Update Checker (64 bit).exe'
                            Imagebase:0xc40000
                            File size:433'152 bytes
                            MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:15
                            Start time:00:52:03
                            Start date:02/07/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:16
                            Start time:00:52:03
                            Start date:02/07/2024
                            Path:C:\Windows\svchost.com
                            Wow64 process (32bit):true
                            Commandline:"C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Java Update Checker (64 bit).exe'
                            Imagebase:0x400000
                            File size:41'472 bytes
                            MD5 hash:ED452C704A8E8F1F9926340D4E79C150
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:low
                            Has exited:true

                            Target ID:17
                            Start time:00:52:03
                            Start date:02/07/2024
                            Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                            Wow64 process (32bit):true
                            Commandline:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Java Update Checker (64 bit).exe'
                            Imagebase:0xc40000
                            File size:433'152 bytes
                            MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:18
                            Start time:00:52:03
                            Start date:02/07/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.2984833935.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID: CAN_^
                              • API String ID: 0-3098826533
                              • Opcode ID: 5b318fc5afa9903887514c24f777762a615fa04ec80a01a0f4f1eefb4c6f9e73
                              • Instruction ID: c4ef4557fc9f9747d8fa62aa2ee2a772faa81b4661daf41631400dcac52dd978
                              • Opcode Fuzzy Hash: 5b318fc5afa9903887514c24f777762a615fa04ec80a01a0f4f1eefb4c6f9e73
                              • Instruction Fuzzy Hash: AA32F921B2DA494FEB98FB7898696BD77D2FF9C304F440179E05EC32D6DE28A8418741
                              APIs
                              Memory Dump Source
                              • Source File: 00000001.00000002.2984833935.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                              Similarity
                              • API ID: CheckDebuggerPresentRemote
                              • String ID:
                              • API String ID: 3662101638-0
                              • Opcode ID: 9adb561895159337b6e4927efe38ab9521f7cec6fac444e051662239572b5762
                              • Instruction ID: 4f6dc86794664768ff22038d5d6ebfd2dd1eb50cd84f6c5081368c174b899857
                              • Opcode Fuzzy Hash: 9adb561895159337b6e4927efe38ab9521f7cec6fac444e051662239572b5762
                              • Instruction Fuzzy Hash: 0931023190875C8FCB58DF58C846BE97BE0FF69321F0542ABD489D7292DB34A846CB91
                              Memory Dump Source
                              • Source File: 00000001.00000002.2984833935.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 37666652461ee72406dd4970ecc29e38d5ca01651c51e36eb7370ea5221f11a7
                              • Instruction ID: ad75a98cff3e15a352833f52901809b7245c8eef31752e3ed0db05145874423c
                              • Opcode Fuzzy Hash: 37666652461ee72406dd4970ecc29e38d5ca01651c51e36eb7370ea5221f11a7
                              • Instruction Fuzzy Hash: 4EF1A530A09B8D8FEFA8DF28C8657E93BD1FF58310F04426AE85DC7295DB3499458B81
                              Memory Dump Source
                              • Source File: 00000001.00000002.2984833935.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 317b67baa6ebea35941e2ed00beb9979e7e351b3a095b110427cd13c36399b98
                              • Instruction ID: b94b41bae059c0084a62721d331ce5bb1781aae2b8cb1e7667d85bdb0581547a
                              • Opcode Fuzzy Hash: 317b67baa6ebea35941e2ed00beb9979e7e351b3a095b110427cd13c36399b98
                              • Instruction Fuzzy Hash: 83E1C570A09A4D8FEFA8DF28C8657F93BE1EF58350F04426ED84DC7295CE7499418B81
                              Memory Dump Source
                              • Source File: 00000001.00000002.2984833935.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 2b0110988eed809afdcf6a143461aab1c979ca328eab416396fa4f5cdd47c0e2
                              • Instruction ID: cc9ecd51949faa0647a885d076344b2ba18711a0a6ff5e579f90b97af49c0f7a
                              • Opcode Fuzzy Hash: 2b0110988eed809afdcf6a143461aab1c979ca328eab416396fa4f5cdd47c0e2
                              • Instruction Fuzzy Hash: 80C1A561F1D9495FEF98F76888757B97AD2EF9C300F05017AE05EC32E6DE28A9024741
                              APIs
                              Memory Dump Source
                              • Source File: 00000001.00000002.2984833935.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                              Similarity
                              • API ID: HookWindows
                              • String ID:
                              • API String ID: 2559412058-0
                              • Opcode ID: 09e70891458ea1a649fd4324317a22a52054f706a67c4abcfef7c172f0d594bd
                              • Instruction ID: cde75be45714b8c1ff1032ac9c9c1e761eedc12b92bc40ccd4a2eeff30d1f4df
                              • Opcode Fuzzy Hash: 09e70891458ea1a649fd4324317a22a52054f706a67c4abcfef7c172f0d594bd
                              • Instruction Fuzzy Hash: 9E512A72A0DA4D4FEB28DBAC98256B97FE1EF59311F14017FD059C31A3DA24B9428781
                              APIs
                              Memory Dump Source
                              • Source File: 00000001.00000002.2984833935.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                              Similarity
                              • API ID: CriticalProcess
                              • String ID:
                              • API String ID: 2695349919-0
                              • Opcode ID: b7546c925fa7b98c46efe9d4e8b7cb63d6124ab42924cd60a20e514210666316
                              • Instruction ID: 7c0d5500e27a59e0095408ace68e663592e95f8536fc7e7df6c62e0fee5a4430
                              • Opcode Fuzzy Hash: b7546c925fa7b98c46efe9d4e8b7cb63d6124ab42924cd60a20e514210666316
                              • Instruction Fuzzy Hash: 4841033190C7598FCB18DFA8D845AE97BF0FF56311F04426EE09AC3692CB746846CB91
                              APIs
                              Memory Dump Source
                              • Source File: 00000001.00000002.2984833935.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                              Similarity
                              • API ID: HookWindows
                              • String ID:
                              • API String ID: 2559412058-0
                              • Opcode ID: 1c135800c8b7654adfe1b52eacc0fda85133fc6a5517cdb686b3e56b50f2cd33
                              • Instruction ID: f791b3a001138b0f7554f4d74520362b8c620fbfce45a4e1be0d3386fee1f2de
                              • Opcode Fuzzy Hash: 1c135800c8b7654adfe1b52eacc0fda85133fc6a5517cdb686b3e56b50f2cd33
                              • Instruction Fuzzy Hash: 08310931A1CA4D4FEB1CDB6C98166F97BE1EF59321F00027ED059C3292DE64A85287C1
                              APIs
                              Memory Dump Source
                              • Source File: 00000001.00000002.2984833935.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                              Similarity
                              • API ID: HookWindows
                              • String ID:
                              • API String ID: 2559412058-0
                              • Opcode ID: 298564660e7137381c7638bb3ec9cc4cb52065372d843fd1e7dc40d1b263d8c8
                              • Instruction ID: 77a94391ecfcb211e0bae0d8798c686d1b9becd63c39d25dcb8548d5d90eef04
                              • Opcode Fuzzy Hash: 298564660e7137381c7638bb3ec9cc4cb52065372d843fd1e7dc40d1b263d8c8
                              • Instruction Fuzzy Hash: 7B310931A0CA4C4FEB1CEF5CD8156B97BE1EB59311F00427ED059D3292DA70A8428781
                              Memory Dump Source
                              • Source File: 00000003.00000002.1910322651.00000000051D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051D0000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: e4117673af490a365b3b4ffdf564651d11d09b1e4c8a43ad0084b6cddd562b79
                              • Instruction ID: 26ba1b38dbb443f5fdf19e9b9ecf61dd08365ebad8e0db2df54931e6aafa20b1
                              • Opcode Fuzzy Hash: e4117673af490a365b3b4ffdf564651d11d09b1e4c8a43ad0084b6cddd562b79
                              • Instruction Fuzzy Hash: B99191B0F006185BDB19EFB48A506AEBBF6EFC4600B44891ED506AF394DF346D058BE5
                              Memory Dump Source
                              • Source File: 00000003.00000002.1910322651.00000000051D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051D0000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 5ae4fb8321c4880ac05d9cb2028ee15a2ebd3a9c782e81c1fe36b9087b1392f8
                              • Instruction ID: 14425f1580aab056222f65e1a39ba089f1dffdae9e9be67d3cbc37c0bc00e9b1
                              • Opcode Fuzzy Hash: 5ae4fb8321c4880ac05d9cb2028ee15a2ebd3a9c782e81c1fe36b9087b1392f8
                              • Instruction Fuzzy Hash: DE9180B0F006185BDB19EFB58A506AFB7F6EFC4600B40891ED506AB394DF346D058BE5
                              Strings
                              Memory Dump Source
                              • Source File: 00000003.00000002.1931601384.0000000007C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C40000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID: 4'fq$4'fq$4'fq$4'fq
                              • API String ID: 0-359900465
                              • Opcode ID: f8e5df52befbefd062ebb4e756470ae30e3edd46eac581b1b000d6c5e1f69944
                              • Instruction ID: 5b350d50e6293b38a85091a14d2237bfef80f2edbbd7ab5cbdf1d3ce7931eba4
                              • Opcode Fuzzy Hash: f8e5df52befbefd062ebb4e756470ae30e3edd46eac581b1b000d6c5e1f69944
                              • Instruction Fuzzy Hash: F01248B1B142929FCB199BBD885176ABBF29FC1314F2480AAD505DF681DF31CE41C7A1
                              APIs
                              Memory Dump Source
                              • Source File: 00000003.00000002.1938743046.0000000008D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D90000, based on PE: false
                              Similarity
                              • API ID: ThreadToken
                              • String ID:
                              • API String ID: 3254676861-0
                              • Opcode ID: d76737da3601c0d2c89fdd518492610b3e9950f926ff38823a8604a9e3e21642
                              • Instruction ID: 1d1edea074c520492593dab9496643a9304d3e0d2f6190661923680e9679b4b7
                              • Opcode Fuzzy Hash: d76737da3601c0d2c89fdd518492610b3e9950f926ff38823a8604a9e3e21642
                              • Instruction Fuzzy Hash: EE1155B19002488FCB10CF9AC884B9EFFF8EF88324F24845AE458A7310C774A944CBA5
                              APIs
                              Memory Dump Source
                              • Source File: 00000003.00000002.1938743046.0000000008D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D90000, based on PE: false
                              Similarity
                              • API ID: ThreadToken
                              • String ID:
                              • API String ID: 3254676861-0
                              • Opcode ID: 7793bddac8c54eba26d827852e78bde96857c945730d0b1cb8be19e884b61ce3
                              • Instruction ID: 9ba5ff6f98466c544f45a1d3ccf4996cda2a6aa62c178f18f64b6376e6c1c2e7
                              • Opcode Fuzzy Hash: 7793bddac8c54eba26d827852e78bde96857c945730d0b1cb8be19e884b61ce3
                              • Instruction Fuzzy Hash: 1E1122B19002488FCB10CF9AC984B9EFBF8EF88324F24841AD419A7350D774A944CBA5
                              Strings
                              Memory Dump Source
                              • Source File: 00000003.00000002.1910322651.00000000051D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051D0000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID: (jq
                              • API String ID: 0-3225323518
                              • Opcode ID: 1fc05d256ea9c4002e8759da516a2b5fd6451c5015b91c0276805979a0170c21
                              • Instruction ID: f59085da47be2c647dc29be5ca644593a9e77595b4a024ad253a27e1bcc869c5
                              • Opcode Fuzzy Hash: 1fc05d256ea9c4002e8759da516a2b5fd6451c5015b91c0276805979a0170c21
                              • Instruction Fuzzy Hash: 5E411A34B142048FDB19DF68C4A8BAEBBF2EF8E315F145499E446AB391CB359D01CB61
                              Strings
                              Memory Dump Source
                              • Source File: 00000003.00000002.1910322651.00000000051D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051D0000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID: (&fq
                              • API String ID: 0-1822945044
                              • Opcode ID: f362dad6ff19066f2ba5a628f55525e183483661d6a459f05ddb1fdc36eb58f4
                              • Instruction ID: cca14f7966c96dbe48b422c9f9d7d71cb181c2b371919479430dc2e45406c464
                              • Opcode Fuzzy Hash: f362dad6ff19066f2ba5a628f55525e183483661d6a459f05ddb1fdc36eb58f4
                              • Instruction Fuzzy Hash: 06219C71A042588FCB14DFAED840B9EFBF5EF89220F14846AD519E7340CB799905CBA5
                              Memory Dump Source
                              • Source File: 00000003.00000002.1931601384.0000000007C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C40000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 7d6d5a039530f28c02525bfb6ec0f68f9a9964af20761f9f1fb337febc7d760a
                              • Instruction ID: b724b803da07309b851c29681e735952e112e2cc06ad0f28592e701a94c3833f
                              • Opcode Fuzzy Hash: 7d6d5a039530f28c02525bfb6ec0f68f9a9964af20761f9f1fb337febc7d760a
                              • Instruction Fuzzy Hash: 69B119B2B0421A9FCB159F79C8807AABBE6AF85211F1CC07AD585CB251DB31DD81C7A1
                              Memory Dump Source
                              • Source File: 00000003.00000002.1910322651.00000000051D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051D0000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: d893a6565e3f99aad28c5367634631111de60c8bfc7ad2625ee19b2ed570ac7e
                              • Instruction ID: 9624af0cb5352c95009f9afcb546b7eb97f55a9306f9b45959b51be9a46ef131
                              • Opcode Fuzzy Hash: d893a6565e3f99aad28c5367634631111de60c8bfc7ad2625ee19b2ed570ac7e
                              • Instruction Fuzzy Hash: CA916A74A046099FCB15CF59C4989BEFBB1FF88310B248669D825AB3A5C735FC51CBA0
                              Memory Dump Source
                              • Source File: 00000003.00000002.1910322651.00000000051D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051D0000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 31a2026b50c6230f939420599a9efb8bd70e5315eb4cbd19ccfa475f0a95be2c
                              • Instruction ID: 9724855ded53acd6a8ad5981546bc63219ee51520821aa69e097818141e82dcb
                              • Opcode Fuzzy Hash: 31a2026b50c6230f939420599a9efb8bd70e5315eb4cbd19ccfa475f0a95be2c
                              • Instruction Fuzzy Hash: 81519F353042059FD715DBB9D844B2BB7E6FFC9215B15886AD506CB391DB31EC01CBA0
                              Memory Dump Source
                              • Source File: 00000003.00000002.1910322651.00000000051D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051D0000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 5ed9283d4271b38aef018595097375ad3b216b6350fab3441181a92520b5c911
                              • Instruction ID: f0e1d9925291c2cfa55c39a8f25872acda341494f9fbf679a5c3c9de698ae607
                              • Opcode Fuzzy Hash: 5ed9283d4271b38aef018595097375ad3b216b6350fab3441181a92520b5c911
                              • Instruction Fuzzy Hash: CB61F771E042499FDB14CFA9D584A9DFBF1FF88310F158529E809AB354EB34AC45CB60
                              Memory Dump Source
                              • Source File: 00000003.00000002.1910322651.00000000051D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051D0000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 31363bead856e3e7f6f3d1b96bbe12e0bcac72a48ca27e8b3832056490d4cb8d
                              • Instruction ID: 5c6396e7cf56f6df86e2964a3637b42cd09e486d5f0116c87ddcc5a607f26d61
                              • Opcode Fuzzy Hash: 31363bead856e3e7f6f3d1b96bbe12e0bcac72a48ca27e8b3832056490d4cb8d
                              • Instruction Fuzzy Hash: 81510771E042489FCB54CFA9D584A9DFBF1FF88310F158569E80AAB355EB34A845CF60
                              Memory Dump Source
                              • Source File: 00000003.00000002.1931601384.0000000007C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C40000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 68c07c5023988dc850f6a66630f3462c64d5ead601e0733f02680c85152cdd42
                              • Instruction ID: e50dcd5f5719706a010618c615612a337164e56daeebea3197a038f18e33cb45
                              • Opcode Fuzzy Hash: 68c07c5023988dc850f6a66630f3462c64d5ead601e0733f02680c85152cdd42
                              • Instruction Fuzzy Hash: 2541F4F1A21282DFCB25CF69C58076A7BF2AFC1214F1480A5D804EF692C734DA45CBA5
                              Memory Dump Source
                              • Source File: 00000003.00000002.1931601384.0000000007C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C40000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: c56c9da8f38c26906119eb4951820a6e4a133cf297d3ff45456380ec21658dbc
                              • Instruction ID: c76734d1f6b2fd019b76f8b15a67d198f92119bb6e47cfe0b1cdd348ce869dbc
                              • Opcode Fuzzy Hash: c56c9da8f38c26906119eb4951820a6e4a133cf297d3ff45456380ec21658dbc
                              • Instruction Fuzzy Hash: 05316AF27142129FCB259BACC88277ABBE2FFD5215F14807AE5418B651CE31CD42C762
                              Memory Dump Source
                              • Source File: 00000003.00000002.1910322651.00000000051D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051D0000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: f27d33daad0b58d4073ae87b4e59b590fce4e4a32b3a9ccdbf55f7ad12dfb075
                              • Instruction ID: 0efa70d1eff4049b61cbd0c0000d93bf6ed8f158dea0e2b42986274c504e45e8
                              • Opcode Fuzzy Hash: f27d33daad0b58d4073ae87b4e59b590fce4e4a32b3a9ccdbf55f7ad12dfb075
                              • Instruction Fuzzy Hash: 9C4106B4A006099FCB05CF59C4989BEFBB1FF48310B158569D826AB364C776FC51CBA0
                              Memory Dump Source
                              • Source File: 00000003.00000002.1910322651.00000000051D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051D0000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 07c2f095c8931c72624e7049b17f369cf62cb5ff169caf36e437ed6114daa0bd
                              • Instruction ID: 0424894a0a565a03963f578baa08ebeaa48a8a11d87667275fc4038efaefadcd
                              • Opcode Fuzzy Hash: 07c2f095c8931c72624e7049b17f369cf62cb5ff169caf36e437ed6114daa0bd
                              • Instruction Fuzzy Hash: 3D316F313006019FD719EB68E894B6AB796EBC4215F008A39E609CB391DF71AC45CBE1
                              Memory Dump Source
                              • Source File: 00000003.00000002.1910322651.00000000051D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051D0000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 6f04547e91aaa866a4717ba7a3e215babaf8d545c062ab65ee655b356e72daa9
                              • Instruction ID: b15cc025dc2e4c81badcd5e07d8ce06a79e8346f895b5b4963520b253f8ed855
                              • Opcode Fuzzy Hash: 6f04547e91aaa866a4717ba7a3e215babaf8d545c062ab65ee655b356e72daa9
                              • Instruction Fuzzy Hash: 11311D34A042158FCB15CF68C498AAEBBF2FF8E315F1490A9E446AB391DB71DC01CB61
                              Memory Dump Source
                              • Source File: 00000003.00000002.1910322651.00000000051D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051D0000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 1f8f9ee5110d3da270da14589fbda638bd1f407c88f6e0c98d39aef0f250e318
                              • Instruction ID: e339f06ccc7ad8a6dae12e8a906cbd116716f8608dbe38f5403eff8dec9c0966
                              • Opcode Fuzzy Hash: 1f8f9ee5110d3da270da14589fbda638bd1f407c88f6e0c98d39aef0f250e318
                              • Instruction Fuzzy Hash: 7D313C70E002099FDB18DFB9D494AAEBBF6EF89310F158069E505EB351EB749C41CBA1
                              Memory Dump Source
                              • Source File: 00000003.00000002.1910322651.00000000051D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051D0000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 67ce611bfb0bb714a0c07113c6ac268528a1c684635b174ccbb43d0f2f48b153
                              • Instruction ID: 1d86ee91862348d9984443fd1524c368557b8530fe505c2dc00cbaa96e3e834a
                              • Opcode Fuzzy Hash: 67ce611bfb0bb714a0c07113c6ac268528a1c684635b174ccbb43d0f2f48b153
                              • Instruction Fuzzy Hash: 89312870B002099FDB18DFB9D594BAEBBF6EF88310F148069E505EB351EB749C418BA1
                              Memory Dump Source
                              • Source File: 00000003.00000002.1910322651.00000000051D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051D0000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 880fc0d4fac728f16d89fb5df8b3fb26d35d726cadcb62d433a9a7113b9998a1
                              • Instruction ID: a616166ef8d4c57dadd3d5d953f8477897444d6aa8846d51b2afedf9158670be
                              • Opcode Fuzzy Hash: 880fc0d4fac728f16d89fb5df8b3fb26d35d726cadcb62d433a9a7113b9998a1
                              • Instruction Fuzzy Hash: C3315C74B00205CFCB14DF68D498A9EBBF6EF89215F044569D806EB391DF74AC85CBA0
                              Memory Dump Source
                              • Source File: 00000003.00000002.1910322651.00000000051D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051D0000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 6f8a6f1f8c112a6f2603baafdd1042a95e0d979e705338a8118b953c74295097
                              • Instruction ID: a1d0fdf8cf2bf5e8aa4bfe44e31f9016f7e0ac01c29a3bd52ddba753cad9e6f0
                              • Opcode Fuzzy Hash: 6f8a6f1f8c112a6f2603baafdd1042a95e0d979e705338a8118b953c74295097
                              • Instruction Fuzzy Hash: 353170B0B002059FDB04EFA4D954BAE7BB6EF84301F118469D514AF3A5DB78AD41CFA0
                              Memory Dump Source
                              • Source File: 00000003.00000002.1910322651.00000000051D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051D0000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 2e9db65c13a35f7b3961e06309ca57f13a3b370814dff874dc57b1d89cd8cb42
                              • Instruction ID: 49d88a6176636fe84293fa847354cb8213d8707f9e90a1c49bf94f459830f255
                              • Opcode Fuzzy Hash: 2e9db65c13a35f7b3961e06309ca57f13a3b370814dff874dc57b1d89cd8cb42
                              • Instruction Fuzzy Hash: 80311874B002048FCB14DF69D4A8A9EBBF6FF88215F148569D406EB391DF74AC85CBA1
                              Memory Dump Source
                              • Source File: 00000003.00000002.1910322651.00000000051D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051D0000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 0b68494358bf69715dd4c77c5f89f9ddcf321b4ab8402a8960fb3d3dc9002677
                              • Instruction ID: d446f2fc5a930b2e0c36ff594a9ecc18ce4036bfffdb3267a5d263f977eaccae
                              • Opcode Fuzzy Hash: 0b68494358bf69715dd4c77c5f89f9ddcf321b4ab8402a8960fb3d3dc9002677
                              • Instruction Fuzzy Hash: BE3193B0F002099FDB04EFA4D954AAFB7B7EF84301F118469D514AB394DB38AD018FA0
                              Memory Dump Source
                              • Source File: 00000003.00000002.1909274904.0000000004D3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D3D000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: f7ea180a954dab6826d959d2bb7f8709569830a27b815efd456a1f77d2f39758
                              • Instruction ID: 3601220f63528ee484b5a8d6273726436ad8d2d89d71eea427654e2c46f1ddf9
                              • Opcode Fuzzy Hash: f7ea180a954dab6826d959d2bb7f8709569830a27b815efd456a1f77d2f39758
                              • Instruction Fuzzy Hash: BE212472A04204EFCF05CF14D9C0B26BB65FB88314F24C5ADE9490A256C736E856CBA1
                              Memory Dump Source
                              • Source File: 00000003.00000002.1910322651.00000000051D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051D0000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: e5607278d396ef715e57ccbc59c6c6adcb209b371a749cc3f98376551c80a173
                              • Instruction ID: b0157c23a71dddf901a19e7bb68795b38b9a63b9fa80cb4712b02ada72a83faa
                              • Opcode Fuzzy Hash: e5607278d396ef715e57ccbc59c6c6adcb209b371a749cc3f98376551c80a173
                              • Instruction Fuzzy Hash: BD317C709057848EDB60CF6AC18879AFFF2EF89310F28845AD84D9B216D7745845CB61
                              Memory Dump Source
                              • Source File: 00000003.00000002.1909274904.0000000004D3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D3D000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: ccdfad7a9df4155982586894bcd3f73adae979c644cb88e331b89c84fc47909a
                              • Instruction ID: 05ecc3cae817b95de9f9ae180816b2d5cb5de98c9a1a5ecfcbc0e251a500392f
                              • Opcode Fuzzy Hash: ccdfad7a9df4155982586894bcd3f73adae979c644cb88e331b89c84fc47909a
                              • Instruction Fuzzy Hash: 292129B5B04248DFCB14DF28D9C0B26BFA5FB84315F24C56DEA494B246C736E846CB61
                              Memory Dump Source
                              • Source File: 00000003.00000002.1931601384.0000000007C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C40000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 8def8d4b436fdf5a5057563f6b629cd0b4cf36d5fc00b84bfb126a1710a3c0c3
                              • Instruction ID: d0c42b43b8ed8ff3ec85ab5ee3b0df0dc607506683ccba86df2d8b122e13e012
                              • Opcode Fuzzy Hash: 8def8d4b436fdf5a5057563f6b629cd0b4cf36d5fc00b84bfb126a1710a3c0c3
                              • Instruction Fuzzy Hash: 5521F2B2710104AFCB55ABA9C482B6A7BE2BF89321F14C069F9059F651CF30DD41C762
                              Memory Dump Source
                              • Source File: 00000003.00000002.1910322651.00000000051D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051D0000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 7b319da5912d3bdfb389a987795f5b93c1a74f38c9e8bcc1b1bcdba9819c47c8
                              • Instruction ID: 53c9d453e296775f0a38997bfd60a9d718a8e4f88b12fee78fa762684563a910
                              • Opcode Fuzzy Hash: 7b319da5912d3bdfb389a987795f5b93c1a74f38c9e8bcc1b1bcdba9819c47c8
                              • Instruction Fuzzy Hash: E8218BB0A057448EDB60CF6AC58879AFBF2FF88324F28C42ED80D97245D7746881CB61
                              Memory Dump Source
                              • Source File: 00000003.00000002.1931601384.0000000007C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C40000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 6038b0034aae2fd1882ca50e2533ed0b103df2dbe7b15596eb9dc0ddeb9ef471
                              • Instruction ID: d8fd9ea13c08673c58b52eb0c7d876755438b27af97c3062e6540f58638c707f
                              • Opcode Fuzzy Hash: 6038b0034aae2fd1882ca50e2533ed0b103df2dbe7b15596eb9dc0ddeb9ef471
                              • Instruction Fuzzy Hash: EF21B7F2A1025EDFDB11DF59C981BA6BBF1EF55211F0841A6D5448B112D730DAC0CBA1
                              Memory Dump Source
                              • Source File: 00000003.00000002.1910322651.00000000051D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051D0000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 37ae4b75d45e2f73bbe79fd482ec01bdb574f4f6325890b7b18b5347ae6df69e
                              • Instruction ID: a3c089fd41df1e83b19bf93cecece6d1187b9974787f3599b27c783cf31e74c9
                              • Opcode Fuzzy Hash: 37ae4b75d45e2f73bbe79fd482ec01bdb574f4f6325890b7b18b5347ae6df69e
                              • Instruction Fuzzy Hash: 62112B79B001188FDB04DBA8E840AEEB7F6FBC8225B0440A5E909DB750DB35DC02CBA1
                              Memory Dump Source
                              • Source File: 00000003.00000002.1931601384.0000000007C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C40000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 5fe0fe66093cc4809cce0d4068671f4969f886355004e10a22c8928240b61265
                              • Instruction ID: 4f74afb608c278f77f2f530de8cf02b905361c7c386e7d07632a2778a34c9ed1
                              • Opcode Fuzzy Hash: 5fe0fe66093cc4809cce0d4068671f4969f886355004e10a22c8928240b61265
                              • Instruction Fuzzy Hash: A911A3F2A1021EDFCB20CF5AC984B6ABBF1EF55311F088166DA8887211D730DAC1CB91
                              Memory Dump Source
                              • Source File: 00000003.00000002.1909274904.0000000004D3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D3D000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: be74a17fb63a4b295aebf0da70e16f91e6eb6b8077f3fb367c89b7e6cbf95772
                              • Instruction ID: 68470129bda32dc64f54e85c5b4b4d8fe84356c70bb4744a9ba9bfb728f3815a
                              • Opcode Fuzzy Hash: be74a17fb63a4b295aebf0da70e16f91e6eb6b8077f3fb367c89b7e6cbf95772
                              • Instruction Fuzzy Hash: 95219D76904244DFCF06CF10D9C4B16BF72FB88314F24C5ADD9494A656C33AD46ACB91
                              Memory Dump Source
                              • Source File: 00000003.00000002.1910322651.00000000051D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051D0000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 0e5b08c92a2db051fcd73c59b5020631ec3d93e21480f40b45fc6293d9b39926
                              • Instruction ID: 7aaaa00f95b7e13f099fee1d40ad16bfeccc99b49750f0469285fce4ee3200ce
                              • Opcode Fuzzy Hash: 0e5b08c92a2db051fcd73c59b5020631ec3d93e21480f40b45fc6293d9b39926
                              • Instruction Fuzzy Hash: 41115B3620E3D11FD3179738A864B9ABFB0AF43254F0A40EBC885CB1A3D925480AD3A1
                              Memory Dump Source
                              • Source File: 00000003.00000002.1910322651.00000000051D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051D0000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 9122e0ef561ccce086d4d1c1a27a37487fd7353cba57923932eb75f0c49763d5
                              • Instruction ID: 8e82039ff861c94de7f9672ef9852918ed2a3e42fb53fbe78e660225ca88899f
                              • Opcode Fuzzy Hash: 9122e0ef561ccce086d4d1c1a27a37487fd7353cba57923932eb75f0c49763d5
                              • Instruction Fuzzy Hash: 62012835704644ABCB16976DA81059AFFB7DFCA22170584BAD809DB381DF359C06C7F1
                              Memory Dump Source
                              • Source File: 00000003.00000002.1909274904.0000000004D3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D3D000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 017a2a123cc2ae16247d9edb68537b2b429a05ed78f0934748aabd982f12fa69
                              • Instruction ID: 0857434df2d93de336dc54fb310be58a8023415634d1df40e8a54f5bbe3d17bf
                              • Opcode Fuzzy Hash: 017a2a123cc2ae16247d9edb68537b2b429a05ed78f0934748aabd982f12fa69
                              • Instruction Fuzzy Hash: FC11EF75A04284CFCB11CF24D5C0B15FFA2FB84318F28C6AED9494B656C33AE44ACB61
                              Memory Dump Source
                              • Source File: 00000003.00000002.1910322651.00000000051D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051D0000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: ec91be42ceaf7e5bea231187b4eb391effb94eafac61236afaf2ebbdaf807909
                              • Instruction ID: b71c0bd7247554c3b9777b6ad1d5615c56735bb045782c8e98b7baca0d173f83
                              • Opcode Fuzzy Hash: ec91be42ceaf7e5bea231187b4eb391effb94eafac61236afaf2ebbdaf807909
                              • Instruction Fuzzy Hash: 9B0122312087448FD715CB79D594A95BFF0EF06210F1848EED44ACB6A2CB21EC45CB10
                              Memory Dump Source
                              • Source File: 00000003.00000002.1910322651.00000000051D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051D0000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: a804e863545b4ecdd73ca647eb17d868545a76432ecf8a4b5b32f9fc829b9129
                              • Instruction ID: 344e9c0ca6c022759290abc943c7173f60f72d780aa2abb623a5892b5cc1fcf6
                              • Opcode Fuzzy Hash: a804e863545b4ecdd73ca647eb17d868545a76432ecf8a4b5b32f9fc829b9129
                              • Instruction Fuzzy Hash: E3110574204754CFC728DF79D08185ABBF6EF8921972489ADD08A8B7A0DB36EC41CB50
                              Memory Dump Source
                              • Source File: 00000003.00000002.1910322651.00000000051D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051D0000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 187835b9d5bc541352f1f50deacea4010d32b0d45f7e4e77a0d971074981b286
                              • Instruction ID: 577abd3e5b5ba16976bac90aefdbfe7123a90592fe2719be78043dddb90ec66b
                              • Opcode Fuzzy Hash: 187835b9d5bc541352f1f50deacea4010d32b0d45f7e4e77a0d971074981b286
                              • Instruction Fuzzy Hash: 2C0152357012149FCB219B74E808AAEBBF5FB89315F14447DE51AD3242DB329911DB91
                              Memory Dump Source
                              • Source File: 00000003.00000002.1910322651.00000000051D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051D0000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 305880481a3f36275838348973f318590f6dd75e5e70dec600838bce4a44061e
                              • Instruction ID: 7d28445926d8160c4c817807c0894e40b507f258656db03f3d79fd9727a5641f
                              • Opcode Fuzzy Hash: 305880481a3f36275838348973f318590f6dd75e5e70dec600838bce4a44061e
                              • Instruction Fuzzy Hash: 9B01F9367091949FC71AC778F4516E8FFA19F89224B0684EDDC4ADB392C7315806CBB0
                              Memory Dump Source
                              • Source File: 00000003.00000002.1910322651.00000000051D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051D0000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: a50561bef30a3615e5452478ff19c6cb8a88f5259939cdbdb2a21e3f74439958
                              • Instruction ID: 2242fe36e4b444fc89f3a9709c48b0efd252db33d680f2a7852bc05d7d60e419
                              • Opcode Fuzzy Hash: a50561bef30a3615e5452478ff19c6cb8a88f5259939cdbdb2a21e3f74439958
                              • Instruction Fuzzy Hash: 7701A93130D3955FD70286795C54ABBBFE9DF8661071545ABF885C7262CAB0CD04CB60
                              Memory Dump Source
                              • Source File: 00000003.00000002.1909274904.0000000004D3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D3D000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 0778e9026b2dff1dda48ccb826a5399b8104452877660142722d001eb7c0d08f
                              • Instruction ID: 1f1a64f7d15cacf5890eb1e2e2599ee126b97c0540bf05deb116aac63fc8bcf1
                              • Opcode Fuzzy Hash: 0778e9026b2dff1dda48ccb826a5399b8104452877660142722d001eb7c0d08f
                              • Instruction Fuzzy Hash: 23012B716043409AE7204F25EDC0B67BF98EF41B25F18C41AED484B142D678E941CFB1
                              Memory Dump Source
                              • Source File: 00000003.00000002.1909274904.0000000004D3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D3D000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 6d07361e6b47874c4014beec0518dd28881d4ab55e00cf55c58d5cf9c36bfd88
                              • Instruction ID: 6e5e2295eedae16943ed3d0a6a609b188036834d62b01ead21c8e7cc1e5556c0
                              • Opcode Fuzzy Hash: 6d07361e6b47874c4014beec0518dd28881d4ab55e00cf55c58d5cf9c36bfd88
                              • Instruction Fuzzy Hash: 1B01926110E3C05FE7128B259D94B52BFB4EF43625F1CC0CBD9888F1A3C2689849CB72
                              Memory Dump Source
                              • Source File: 00000003.00000002.1910322651.00000000051D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051D0000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: e55f783727edacba6aaafaa83a373a1f6d46d729d2167a2565795b6dde667d23
                              • Instruction ID: 5e3008a3abf4b95564c8b40e708aec60ba0f5195ef413f4f5233135506d3b1ef
                              • Opcode Fuzzy Hash: e55f783727edacba6aaafaa83a373a1f6d46d729d2167a2565795b6dde667d23
                              • Instruction Fuzzy Hash: 56F0F4712053855FC302AB38958096ABBA5DFC225A7058ABDD54ACF262CB256C09CBA0
                              Memory Dump Source
                              • Source File: 00000003.00000002.1910322651.00000000051D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051D0000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 062fdb24e9276d6aeb7ccf57244aa9660f9d8a182bb02e3bf1460d3d61e8c52d
                              • Instruction ID: ea450776a0bedcf00f5a493528ec68446b000863245a3caf8f2079bc98543ca5
                              • Opcode Fuzzy Hash: 062fdb24e9276d6aeb7ccf57244aa9660f9d8a182bb02e3bf1460d3d61e8c52d
                              • Instruction Fuzzy Hash: 53F0C835A082449FE3165B74C01839B7FA1EFC2319F15449ACD458B296CF392C0ACBB1
                              Memory Dump Source
                              • Source File: 00000003.00000002.1910322651.00000000051D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051D0000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 16b927c6a36c36798410ea6e26f349d32c34ac6f38e9d2ddebfcd005234aa750
                              • Instruction ID: 4fc8ec614b0458bfe261d3e513fdee24de20a9158bc6c03554719433568b75ba
                              • Opcode Fuzzy Hash: 16b927c6a36c36798410ea6e26f349d32c34ac6f38e9d2ddebfcd005234aa750
                              • Instruction Fuzzy Hash: 05F0B43120A3C05FC317A73D989155D7FA6DEC31617194AAED48ADF9A2CE281C0AC7B1
                              Memory Dump Source
                              • Source File: 00000003.00000002.1909274904.0000000004D3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D3D000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 05541b4e9ec254db8cfa8e7f3a1339e7f9ae972aa2511972e8d789bd966114ec
                              • Instruction ID: e7a155e9a09c3fb1e661584458a52e8dd4973c1ac7d26eb91f12e30dee4dcfaf
                              • Opcode Fuzzy Hash: 05541b4e9ec254db8cfa8e7f3a1339e7f9ae972aa2511972e8d789bd966114ec
                              • Instruction Fuzzy Hash: 05F0F976600600AF97608F0AD985C23FBA9EFD5774719C55AE84A4B612D671FC42CFB0
                              Memory Dump Source
                              • Source File: 00000003.00000002.1910322651.00000000051D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051D0000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 004884211e13d8c3f3628f730f118df38a2dee3158e855fd17e448d616b083b1
                              • Instruction ID: 2b21021eec1680abb0e1faceb94098e624fecec5d7148bbdfac46e03e1b2ea44
                              • Opcode Fuzzy Hash: 004884211e13d8c3f3628f730f118df38a2dee3158e855fd17e448d616b083b1
                              • Instruction Fuzzy Hash: 54F067353092818FC3028B2CE054A6ABFF2AFCB21531904DAE885CF362CA60CC06CB60
                              Memory Dump Source
                              • Source File: 00000003.00000002.1909274904.0000000004D3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D3D000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: f027bef7669cd17f412d61a762f4c3374411d9a115bdecd5f8a4a7190e8f75ed
                              • Instruction ID: fff8837692f68d363372bb8390154af3497796941009c196b7afddc6cdac9275
                              • Opcode Fuzzy Hash: f027bef7669cd17f412d61a762f4c3374411d9a115bdecd5f8a4a7190e8f75ed
                              • Instruction Fuzzy Hash: 04F0F975100A80AFD765CF06CD85D23BBBAEB85664B198489E84A4B722D631FC42CFA0
                              Memory Dump Source
                              • Source File: 00000003.00000002.1910322651.00000000051D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051D0000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 5f00c17d78fd9dbc5eab37201216d392435128054f544e4122cbe8fde9f17607
                              • Instruction ID: 88fd6f6a4c54f576f13637e9db84abca99c14211ddd444d8b526eb18a48c2659
                              • Opcode Fuzzy Hash: 5f00c17d78fd9dbc5eab37201216d392435128054f544e4122cbe8fde9f17607
                              • Instruction Fuzzy Hash: 83F0A7727006149FC7149B59E884A7FB7FAEB88271B00092DE109C7340DF30AC4287B0
                              Memory Dump Source
                              • Source File: 00000003.00000002.1910322651.00000000051D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051D0000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 8b3bb36ad2703466a83313df972f30847d273de20390d9fc7ce3a4dd26994c2b
                              • Instruction ID: 9b656f6a80c8b8987717a7d0160c44c5d624464ed745666c5dc5d0ee5ab1b3e7
                              • Opcode Fuzzy Hash: 8b3bb36ad2703466a83313df972f30847d273de20390d9fc7ce3a4dd26994c2b
                              • Instruction Fuzzy Hash: FBF082727006149FC7259B69A884A7FBBF6EB88261B00092DE14AD7650CF709C4287B0
                              Memory Dump Source
                              • Source File: 00000003.00000002.1910322651.00000000051D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051D0000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 13dc23026992f06b1cb691e54389384fd8ba82261401292a41417d72ab79e9c3
                              • Instruction ID: dfc444c039925616a41e2407fb8a5d41c3dabfd579896ba3a275a8119a53c14b
                              • Opcode Fuzzy Hash: 13dc23026992f06b1cb691e54389384fd8ba82261401292a41417d72ab79e9c3
                              • Instruction Fuzzy Hash: 28F082713002046BC305EB69D98095BB7A6EFC165A7408A3DD60A9B750DF75BC0587F0
                              Memory Dump Source
                              • Source File: 00000003.00000002.1910322651.00000000051D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051D0000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 82f6d27b4d956c6b31a43603c94ec94d7e215ee9ff42615cc363c33af913f544
                              • Instruction ID: 3b0837ce2cee4f8b520840acd0ab5c51bb0a28680c1f6256659ed6ea740f3d66
                              • Opcode Fuzzy Hash: 82f6d27b4d956c6b31a43603c94ec94d7e215ee9ff42615cc363c33af913f544
                              • Instruction Fuzzy Hash: 23F0A0397001048FDB00DBAC9840BAABBE3FBC86517058159E909CB350EF65DC028BE1
                              Memory Dump Source
                              • Source File: 00000003.00000002.1910322651.00000000051D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051D0000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: c55a43380ef00ad0520ba931b94214be0ef83c41826f72d2b049b7930dbb6397
                              • Instruction ID: 541ae7f3669dbccc18a4ea451a498c96e671132f3fb882c997e07ef041f301bd
                              • Opcode Fuzzy Hash: c55a43380ef00ad0520ba931b94214be0ef83c41826f72d2b049b7930dbb6397
                              • Instruction Fuzzy Hash: D9F054316067408FD7629B78D5A839A7FF1EF46214F05489AD999C7292CB342885CB60
                              Memory Dump Source
                              • Source File: 00000003.00000002.1910322651.00000000051D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051D0000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: a24ce66b2729c82895fdbe36de9aaae77cf68f8c772d4232eb3b8aa7b003121e
                              • Instruction ID: b4be395b65f9d326e331c63b4aaf90f9939582b4bc62f90d712022af8f75d08d
                              • Opcode Fuzzy Hash: a24ce66b2729c82895fdbe36de9aaae77cf68f8c772d4232eb3b8aa7b003121e
                              • Instruction Fuzzy Hash: 60F027357001045BE300AB65C0183ABB796DBC0319F10812ACA0947389CF393805C7F0
                              Memory Dump Source
                              • Source File: 00000003.00000002.1910322651.00000000051D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051D0000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: cf0ff10f366a5f6f7aeecb592fd820d3d62234fcecb3cf20a415e62703d226e6
                              • Instruction ID: 2a1ae04daf0caec445d145dd20a49613d66f2e65b0c75a7a474a991921a5b626
                              • Opcode Fuzzy Hash: cf0ff10f366a5f6f7aeecb592fd820d3d62234fcecb3cf20a415e62703d226e6
                              • Instruction Fuzzy Hash: F5E06D353001108F82109B1DD444C26F7EAEFCE61131500A9E545CB320CB61DC018B90
                              Memory Dump Source
                              • Source File: 00000003.00000002.1910322651.00000000051D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051D0000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 46efd9b7c9f84e3c7c41b1360bd9e0ce55cbe96cfbb4fe1f3990f7217d4b86d3
                              • Instruction ID: 0afc96c905eb8bea961acf7397e2d3bcce5b2604ac9bfb86f7a98e00d561c5a7
                              • Opcode Fuzzy Hash: 46efd9b7c9f84e3c7c41b1360bd9e0ce55cbe96cfbb4fe1f3990f7217d4b86d3
                              • Instruction Fuzzy Hash: 27E0D8377052106FD324D67AA494EBBE7E6EFD9364F18443ED90AC7392EE618C02C660
                              Memory Dump Source
                              • Source File: 00000003.00000002.1910322651.00000000051D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051D0000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 71b6d55330cf07769b1d144314bd58e2419a6fe15ec8af3fc6aaa02134223d49
                              • Instruction ID: 9a43aa6d180d219087db1a81a75f8f615321a3b2a1223c2dc8a6cfcffd93bac3
                              • Opcode Fuzzy Hash: 71b6d55330cf07769b1d144314bd58e2419a6fe15ec8af3fc6aaa02134223d49
                              • Instruction Fuzzy Hash: 35E0923130D3D54BC71782295420169FF738EC352470944F6E885CF293DE158C0683A0
                              Memory Dump Source
                              • Source File: 00000003.00000002.1910322651.00000000051D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051D0000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: fea9b6bdf77017f7b7d84c0c99d928c527fa20a2e2df2d7dd30cb82c15839505
                              • Instruction ID: d3a22ef3dc276ccd4aa55909594c03266600a9ff610b79435c732fb654418f54
                              • Opcode Fuzzy Hash: fea9b6bdf77017f7b7d84c0c99d928c527fa20a2e2df2d7dd30cb82c15839505
                              • Instruction Fuzzy Hash: D7E0DF313002002B8228B76EACC182EB68EDFC5262354883DE60E9BA50DE386C0553F0
                              Memory Dump Source
                              • Source File: 00000003.00000002.1910322651.00000000051D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051D0000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 2c89ac1a88828448ecc9bdb820eb95f36568dea4ec72d5bf5e203349ad2485aa
                              • Instruction ID: 8fd5dea6d1d01212b72b241544b3298d191db1bbc8881f15cb2e2ab46cc78ebb
                              • Opcode Fuzzy Hash: 2c89ac1a88828448ecc9bdb820eb95f36568dea4ec72d5bf5e203349ad2485aa
                              • Instruction Fuzzy Hash: 21F06D70A003048BD3609BB8E49C79ABBE5FB44321F00482DD50EC3340DB3968808BA0
                              Memory Dump Source
                              • Source File: 00000003.00000002.1910322651.00000000051D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051D0000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: e683a744e59e1705e4b66139b3a157ed8388e118e3c161ff779f2f4de411199e
                              • Instruction ID: 6771b865d90a327c14aa594797cab334ec9915aa3ebbd3fb1ee85d29fd3fd1fd
                              • Opcode Fuzzy Hash: e683a744e59e1705e4b66139b3a157ed8388e118e3c161ff779f2f4de411199e
                              • Instruction Fuzzy Hash: FBE05E277011212B8A5865FA1848BBAE9DB9FC54E57050136DE0ACB342EF54CC0B83F1
                              Memory Dump Source
                              • Source File: 00000003.00000002.1910322651.00000000051D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051D0000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 0679fc3edc9eb4a3c513b7ce0e8760756c11d776e8df781eb93dbca6fc0a57a2
                              • Instruction ID: 268e220cd0dc82e841cd3b637cb205dfd28ac4ae336175fc8e9354ce8a8af623
                              • Opcode Fuzzy Hash: 0679fc3edc9eb4a3c513b7ce0e8760756c11d776e8df781eb93dbca6fc0a57a2
                              • Instruction Fuzzy Hash: E7E07D3530421457CB0E3774A50C2EE7A56EBC4726F04052FD60AC3342CFB82C1193E9
                              Memory Dump Source
                              • Source File: 00000003.00000002.1910322651.00000000051D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051D0000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: f7d4236be9d14bfc81afa4be2b4d62c6132571d425433ad770880db6871f6aad
                              • Instruction ID: 00dfa2daae063585e4bc99840498ffff9e42661beeff43faca61d39986bfa349
                              • Opcode Fuzzy Hash: f7d4236be9d14bfc81afa4be2b4d62c6132571d425433ad770880db6871f6aad
                              • Instruction Fuzzy Hash: 73E0D83570011187DB0A2774A14C2BE7662EBC4326F04052FD916C3245CF7818519395
                              Memory Dump Source
                              • Source File: 00000003.00000002.1910322651.00000000051D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051D0000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 0556478a3ba7aa40b576416954e1daeba65b191c7d774e40913db06ba0747362
                              • Instruction ID: 58b622955c95f00e174d2c1d9916d8975725b9577b7a3ef28d36ed8d2a39e111
                              • Opcode Fuzzy Hash: 0556478a3ba7aa40b576416954e1daeba65b191c7d774e40913db06ba0747362
                              • Instruction Fuzzy Hash: 88D09E1675512527895461FA1858BBBE1CE8EC54E574501369E4AC7246EF44DC0683F1
                              Memory Dump Source
                              • Source File: 00000003.00000002.1910322651.00000000051D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051D0000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: f95ad578affc245619c180601e5a12e0c899accf46522d8fb3fdc12ba8f47d05
                              • Instruction ID: a6e1d8f91434dcb2b1d80a8b86034874866d6626e5c14e640494b61002abf377
                              • Opcode Fuzzy Hash: f95ad578affc245619c180601e5a12e0c899accf46522d8fb3fdc12ba8f47d05
                              • Instruction Fuzzy Hash: 4BE0C271300A145B8625B66EB81085FB7EBEFC46723504A6EE409C7380DF68EC0247F5
                              Memory Dump Source
                              • Source File: 00000003.00000002.1910322651.00000000051D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051D0000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
                              • Instruction ID: 9216f04e42444bf8936b4a7f0fc0de4c7e5449cbfb4e7aa4e1ce32ce2a58712a
                              • Opcode Fuzzy Hash: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
                              • Instruction Fuzzy Hash: 74E08C32B00018A78B18D6A9E8514E9FBAADBCC220F05847ED90AA7340DB32695687A1
                              Memory Dump Source
                              • Source File: 00000003.00000002.1910322651.00000000051D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051D0000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: f91cffb83f64c84dfa1694ed8c7b63de196f902c072adccb240448b957591824
                              • Instruction ID: c9aa081c4b77682621977038b02f390fb6c76037bdb93c49b0f38d59b33ab6fc
                              • Opcode Fuzzy Hash: f91cffb83f64c84dfa1694ed8c7b63de196f902c072adccb240448b957591824
                              • Instruction Fuzzy Hash: D5E0C2323042606F8325EB6CA814028BFB5EBDE66230400BFE609C7392EE259C058BF1
                              Memory Dump Source
                              • Source File: 00000003.00000002.1910322651.00000000051D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051D0000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: f65e278b70918d55e3f0ad01e244c90ccb7540a31232933b3323418ec5387aeb
                              • Instruction ID: 9a64e5b4a4b4504f5b1ee26af2d1f6092811e9937f49bfe33b8d25f191894910
                              • Opcode Fuzzy Hash: f65e278b70918d55e3f0ad01e244c90ccb7540a31232933b3323418ec5387aeb
                              • Instruction Fuzzy Hash: EAE01231805249CFCB1ABB74D8055A9BF30EE02302B0105ADD95696192DB310A4ACB91
                              Memory Dump Source
                              • Source File: 00000003.00000002.1910322651.00000000051D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051D0000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 5c46cc4bbf1988b5f5cd2af4ff33fcd8126d7fdeef4f801129135b345af2c6c5
                              • Instruction ID: 4559134c6261ba4a83ff2f5f8f68f2ded3ad32db48c3a864665915582012b790
                              • Opcode Fuzzy Hash: 5c46cc4bbf1988b5f5cd2af4ff33fcd8126d7fdeef4f801129135b345af2c6c5
                              • Instruction Fuzzy Hash: 60E0DF31A0828B9FC71ADB74E58526EBFB0EF06205B0049E8DD849B282DB300841CF80
                              Memory Dump Source
                              • Source File: 00000003.00000002.1910322651.00000000051D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051D0000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 50a9ccb76ca8a1bb6e550b25878c1fa324e63aff440d037e99dac092459cc49d
                              • Instruction ID: 15761ae6398683c33adc4781e55944e8d66006b4a89d89d801d944ac192450cb
                              • Opcode Fuzzy Hash: 50a9ccb76ca8a1bb6e550b25878c1fa324e63aff440d037e99dac092459cc49d
                              • Instruction Fuzzy Hash: 90D0C7357001247B4264E75DB515559B7D9DBDD563304043EEA0DC3341FE61AC0597F5
                              Memory Dump Source
                              • Source File: 00000003.00000002.1910322651.00000000051D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051D0000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: fad975a7e2870ec12dff83bfb811b422cb059e93d23a9e26c1316e0ec7222e85
                              • Instruction ID: 74442c731d2524ee4e7fb11096e8c81c89bc50419846694c4f9381415e41b74e
                              • Opcode Fuzzy Hash: fad975a7e2870ec12dff83bfb811b422cb059e93d23a9e26c1316e0ec7222e85
                              • Instruction Fuzzy Hash: F6E04F70E012469F8790DFBCC48456DFFF0EB48200B1084EED909D7311EB318A02CB91
                              Memory Dump Source
                              • Source File: 00000003.00000002.1910322651.00000000051D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051D0000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
                              • Instruction ID: 453ca6f902b6dbe83dea82dbe1aadfc6b16583cfaf0df6e8976a6a8ffbadec87
                              • Opcode Fuzzy Hash: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
                              • Instruction Fuzzy Hash: 99D067B0D042099F8794EFADC94156EFBF4EB48200F6085AA8919E7301E7329A12CBD1
                              Memory Dump Source
                              • Source File: 00000003.00000002.1910322651.00000000051D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051D0000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 6e23458abd4c2b395d2df2365c28a3013aaa06d4930156fcab635cc2fccfec8d
                              • Instruction ID: 219d1c9cde35822e1889e1ac7cf573ab79ea1ef6835f0fcff3b857f4fce0addc
                              • Opcode Fuzzy Hash: 6e23458abd4c2b395d2df2365c28a3013aaa06d4930156fcab635cc2fccfec8d
                              • Instruction Fuzzy Hash: 08D067318041099BCB58FBA5EC5A4BDFB74FA14302F40456DD92762192EB315A5ACAC5
                              Memory Dump Source
                              • Source File: 00000003.00000002.1910322651.00000000051D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051D0000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 01743ca6cf12e46092cc2e173c0dfd8d859e1fc306b3dd54d6513ec361883cec
                              • Instruction ID: bd2e4d2534d3caefabb2b42c08030b1420aaed97aa090cde73693601c2a8e055
                              • Opcode Fuzzy Hash: 01743ca6cf12e46092cc2e173c0dfd8d859e1fc306b3dd54d6513ec361883cec
                              • Instruction Fuzzy Hash: C5D01730A0820A9BCB28EFA4E84686EBBB5EB44302F004669DE4993340EB306941CBC1
                              Memory Dump Source
                              • Source File: 00000003.00000002.1910322651.00000000051D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051D0000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 0b65a560ae71884131c8e8b02e21ac7d64e4a230b63d38c6273a7815e4f69f9a
                              • Instruction ID: c7b6f98234431c61d6964600b70169b8c488f7be11cb39c54583efa9732cffbf
                              • Opcode Fuzzy Hash: 0b65a560ae71884131c8e8b02e21ac7d64e4a230b63d38c6273a7815e4f69f9a
                              • Instruction Fuzzy Hash: 46D0A93000E3C49FC7238F3890948083F309E0312931900DEC88A8F1B3CAB28408CB13
                              Memory Dump Source
                              • Source File: 00000003.00000002.1910322651.00000000051D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051D0000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 062fddb0f61f08a2ab4b2d5917cba8d8867c9a611c79fd483227fef5d84dd873
                              • Instruction ID: f578146356ed77fd1d0357e4630438b11f77cea0714777187a655da3075d7a2e
                              • Opcode Fuzzy Hash: 062fddb0f61f08a2ab4b2d5917cba8d8867c9a611c79fd483227fef5d84dd873
                              • Instruction Fuzzy Hash: B0B0923114870C8FC2586F75A444914732DAB4061538004A8E80E0A2A68F76E885CA44
                              Memory Dump Source
                              • Source File: 00000003.00000002.1910322651.00000000051D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051D0000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: ac0b6129d2cad280059d7153c1c9523f65dc079d92fe07144af2b3cf9c58b915
                              • Instruction ID: 0294c527557f4d4ef564cee270d8889893792a2053db36ba20e289648446fda2
                              • Opcode Fuzzy Hash: ac0b6129d2cad280059d7153c1c9523f65dc079d92fe07144af2b3cf9c58b915
                              • Instruction Fuzzy Hash: B1900236B1821147BF1DDB7545595392A7757C2201308C46A5103C1044CD3444929544
                              Strings
                              Memory Dump Source
                              • Source File: 00000003.00000002.1931601384.0000000007C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C40000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID: fkq$`Qfq$`Qfq$`Qfq$`Qfq$tPfq$tPfq$$fq$$fq$$fq$$fq$$fq$$fq$$fq
                              • API String ID: 0-897512475
                              • Opcode ID: e098579230d3bca7e533c717a463f9043dd60c4d9f995f81e729cea2d80c978e
                              • Instruction ID: 842da96ed96efd273d2818662f84e30efd347a25c3753a7ba00e3bd8886a6ce4
                              • Opcode Fuzzy Hash: e098579230d3bca7e533c717a463f9043dd60c4d9f995f81e729cea2d80c978e
                              • Instruction Fuzzy Hash: 3AB1D7B161024EDFCB24DF69C8846AB7BF2BF45351F188465E8819B281CB31DDD1CBA1
                              Strings
                              Memory Dump Source
                              • Source File: 00000003.00000002.1931601384.0000000007C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C40000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID: 4'fq$4'fq$tPfq$tPfq$$fq$$fq$$fq$$fq
                              • API String ID: 0-3165298016
                              • Opcode ID: d0ebdc70f35c6067fb08b55a756135c22a7297651ab8f967ae9b9a9ff3365979
                              • Instruction ID: 18212717b8baed069525b5f8e878f4204fe7cb08e826c771e3ff4c71c6d1a07e
                              • Opcode Fuzzy Hash: d0ebdc70f35c6067fb08b55a756135c22a7297651ab8f967ae9b9a9ff3365979
                              • Instruction Fuzzy Hash: 52A158B27043969FCB249BB9C881767BBF6AFC2210F14806BD945EB291DB35CD41C761
                              Strings
                              Memory Dump Source
                              • Source File: 00000003.00000002.1931601384.0000000007C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C40000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID: 4'fq$4'fq$4'fq$4'fq$tPfq$tPfq
                              • API String ID: 0-3815971827
                              • Opcode ID: 8864d9cccc653a7401ef03f322580dc41beae86d9d52e6a5b3e9ea4010a278e5
                              • Instruction ID: 8932b362498a8e4bb39354fc918effd8fd721a858c857bcd729a7ba3d6b2b406
                              • Opcode Fuzzy Hash: 8864d9cccc653a7401ef03f322580dc41beae86d9d52e6a5b3e9ea4010a278e5
                              • Instruction Fuzzy Hash: 57D128B1B0420A9FCB258FA9948576BBBF6EFC5310F18807BD5958B251DB31C982C7A1
                              Strings
                              Memory Dump Source
                              • Source File: 00000003.00000002.1931601384.0000000007C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C40000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID: fkq$4'fq$4'fq$4'fq$4'fq
                              • API String ID: 0-1499809691
                              • Opcode ID: 3bbff232881824f7fe6fe4b99cb855284062cc852961e4b119a66debf48e42f1
                              • Instruction ID: 99c600bb498e92f2f657bb097f06122913788d126a0515effad53bbbfa7dc77a
                              • Opcode Fuzzy Hash: 3bbff232881824f7fe6fe4b99cb855284062cc852961e4b119a66debf48e42f1
                              • Instruction Fuzzy Hash: 0DF169B1B442519FC7159BB99851BAABBE2EFC2210F1480FBD645CB642DB31CD81C7E2
                              Strings
                              Memory Dump Source
                              • Source File: 00000003.00000002.1931601384.0000000007C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C40000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID: 4'fq$4'fq$$fq$$fq$$fq
                              • API String ID: 0-3759051638
                              • Opcode ID: 329263029cd90e9c11f6a379e6d738a996a380bdf9118d747c7082a04822b229
                              • Instruction ID: d2b0a63a52b8e8829fe83ec57264675a1513a7ab0c8c79fb5b799563fd4ced23
                              • Opcode Fuzzy Hash: 329263029cd90e9c11f6a379e6d738a996a380bdf9118d747c7082a04822b229
                              • Instruction Fuzzy Hash: 50515AF1B043869FCB249ABAC440767FBB6BFC2210F24806BD585DB681DB35C985C7A1
                              Strings
                              Memory Dump Source
                              • Source File: 00000003.00000002.1931601384.0000000007C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C40000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID: 4'fq$4'fq$4'fq$4'fq
                              • API String ID: 0-359900465
                              • Opcode ID: b9cb443882dd10ec890e286cf0602ce69eaba76b7c904daec825b730c1f924af
                              • Instruction ID: 79e95b0027a70c6720705fe3f4896de0158fb389bf9fa63d4ef15a9772ca180f
                              • Opcode Fuzzy Hash: b9cb443882dd10ec890e286cf0602ce69eaba76b7c904daec825b730c1f924af
                              • Instruction Fuzzy Hash: 1C9167B1B002169FCB248F7DA45176ABBE2AFC2210F14847AD505CF641DB35CD61C7E2
                              Strings
                              Memory Dump Source
                              • Source File: 00000003.00000002.1910322651.00000000051D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051D0000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID: `gq$`gq$`gq$`gq
                              • API String ID: 0-3352594996
                              • Opcode ID: 5aae229dd3d88f7f5fbf2bb2267a75f89fac46f8b6424c3160f31c8c288e9153
                              • Instruction ID: c8947960468ab683e3ee2e97f0cdb8174b64feb84ebd64f03d6eebafcf42b1e9
                              • Opcode Fuzzy Hash: 5aae229dd3d88f7f5fbf2bb2267a75f89fac46f8b6424c3160f31c8c288e9153
                              • Instruction Fuzzy Hash: C2B19774E002099FDB54DFA9D990A9EFBF2FF48304F108629E819AB355DB34A945CF90
                              Strings
                              Memory Dump Source
                              • Source File: 00000003.00000002.1910322651.00000000051D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051D0000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID: `gq$`gq$`gq$`gq
                              • API String ID: 0-3352594996
                              • Opcode ID: c6c712de7387e6c7e4b4b692f60e4c56d0f14161aff2e7286344334da2ddc7ff
                              • Instruction ID: 0602e64feead9d7756c2cc02721bd31733cd7c882cfaf6aeaf4d67b404957fd6
                              • Opcode Fuzzy Hash: c6c712de7387e6c7e4b4b692f60e4c56d0f14161aff2e7286344334da2ddc7ff
                              • Instruction Fuzzy Hash: 13B1A874E002099FDB54DFA9D990A9EFBF2FF48304F108629E819AB355DB34A945CF90
                              Strings
                              Memory Dump Source
                              • Source File: 00000003.00000002.1910322651.00000000051D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051D0000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID: `gq$`gq$`gq$`gq
                              • API String ID: 0-3352594996
                              • Opcode ID: c280395e49c04e2c9dd9b127aba6259df38a20d1dc61345af167010af2033874
                              • Instruction ID: 145708efdb131ea0ec088e95fa84f5b8fe958fefb2987ef0a1294efe161a8a15
                              • Opcode Fuzzy Hash: c280395e49c04e2c9dd9b127aba6259df38a20d1dc61345af167010af2033874
                              • Instruction Fuzzy Hash: DD916474E012199FDB54DFA9D590A9DFBF2FF48300F108629D819AB354D734A945CF90
                              Strings
                              Memory Dump Source
                              • Source File: 00000003.00000002.1931601384.0000000007C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C40000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID: $fq$$fq$$fq$$fq
                              • API String ID: 0-2113499236
                              • Opcode ID: 08941a58029b333bb2290ae4ef94871a7f84fbf7422f3a5d7f0a6e888b73ade9
                              • Instruction ID: 01c19df8216421c5e9e2bd225774aadb9ebbbb70088b454a1fd23f9caf87ebbf
                              • Opcode Fuzzy Hash: 08941a58029b333bb2290ae4ef94871a7f84fbf7422f3a5d7f0a6e888b73ade9
                              • Instruction Fuzzy Hash: 2B2168B2720316ABDB34597EA881B37BBDBABC0715F24803AA505CB681DE75C9508361
                              Strings
                              Memory Dump Source
                              • Source File: 00000003.00000002.1931601384.0000000007C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C40000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID: 4'fq$4'fq$$fq$$fq
                              • API String ID: 0-2206495126
                              • Opcode ID: 4976fb6b68981aaff7b0a22871a17b30f9314d7b7cc32399659b5656a28b9c7a
                              • Instruction ID: 0a13ffac38e44e8a982a14aa8fc1d88ca41d9e5970052bf20523cfe66036763d
                              • Opcode Fuzzy Hash: 4976fb6b68981aaff7b0a22871a17b30f9314d7b7cc32399659b5656a28b9c7a
                              • Instruction Fuzzy Hash: 710126A171D3814FC7270B7818212667FB6AFC355071A40DBD1C0CBA93CD198D8687A7
                              Memory Dump Source
                              • Source File: 0000000B.00000002.2284905282.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: f4c992eba58fc9ed520df8cbe6a2ff1e042b0a4c8d5f7f59c3ce6fc26355d596
                              • Instruction ID: eb70361f77d4425f6cd8b91d015e8f72dd10e49b3480d271adcc2491e3be2f97
                              • Opcode Fuzzy Hash: f4c992eba58fc9ed520df8cbe6a2ff1e042b0a4c8d5f7f59c3ce6fc26355d596
                              • Instruction Fuzzy Hash: 4B91B071F007089BDB19DFB49A506AE7BF2EFC4600B44892ED506AB358DF34AD058BD5
                              Memory Dump Source
                              • Source File: 0000000B.00000002.2284905282.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 0a0a761e256d4a540a3fdb20bf377c51debbae7459489aeeb59f9da2652cf09c
                              • Instruction ID: 42f11b547fce1d61cd065b1087143437c0362c43b63305ab390d35baf99db812
                              • Opcode Fuzzy Hash: 0a0a761e256d4a540a3fdb20bf377c51debbae7459489aeeb59f9da2652cf09c
                              • Instruction Fuzzy Hash: 9891AF71F007089BDB19EFB499406AEBBF6EFC4600B44892ED506AB358DF346D058BD5
                              APIs
                              Memory Dump Source
                              • Source File: 0000000B.00000002.2363282070.0000000008D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D30000, based on PE: false
                              Similarity
                              • API ID: ThreadToken
                              • String ID:
                              • API String ID: 3254676861-0
                              • Opcode ID: 5a14097d2e3ffa0a323efb6f716f898b352e67e4eabbe60611687e0cc002f5e0
                              • Instruction ID: 8a1f50bab969a44c75024da49e795a8bf41e5d03abb8221a0920894e678f3f42
                              • Opcode Fuzzy Hash: 5a14097d2e3ffa0a323efb6f716f898b352e67e4eabbe60611687e0cc002f5e0
                              • Instruction Fuzzy Hash: A81113B59006498FCB20DF9AD984B9EFFF4EF88324F24841AD419A7350C7B4A944CFA1
                              APIs
                              Memory Dump Source
                              • Source File: 0000000B.00000002.2363282070.0000000008D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D30000, based on PE: false
                              Similarity
                              • API ID: ThreadToken
                              • String ID:
                              • API String ID: 3254676861-0
                              • Opcode ID: 69e0e1adaac7a183b2ef48d4d4a10da47a5a4800ed71e00d10022fb5a192dfbe
                              • Instruction ID: 6094b2546b21e546be2fb52d8e258d0b1d083534d2263451f65aead8c224c856
                              • Opcode Fuzzy Hash: 69e0e1adaac7a183b2ef48d4d4a10da47a5a4800ed71e00d10022fb5a192dfbe
                              • Instruction Fuzzy Hash: 1A1136B19002098FCB20DF9AC984B9EFBF8EF88324F24841AD418A7350C774A944CFA5
                              Strings
                              Memory Dump Source
                              • Source File: 0000000B.00000002.2284905282.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID: (jq
                              • API String ID: 0-3225323518
                              • Opcode ID: 7f730122a20b7612e7bfad295affbfb4720f2a8d06452acea062e0402f2ef64e
                              • Instruction ID: 8b056d2f50eb741918650fa3e90a4389a147b63223e62539c276bd370b3ef5df
                              • Opcode Fuzzy Hash: 7f730122a20b7612e7bfad295affbfb4720f2a8d06452acea062e0402f2ef64e
                              • Instruction Fuzzy Hash: C0413C34A04204CFDB54DF68D498AAEBBF2EF8E311F1484A9E502AB791DE35DC01CB61
                              Strings
                              Memory Dump Source
                              • Source File: 0000000B.00000002.2284905282.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID: (&fq
                              • API String ID: 0-1822945044
                              • Opcode ID: 53f3cb05208ba483c796a939e62052000f246a0e7f095059f74598d63bd04004
                              • Instruction ID: a3af14af1a40761bdfc8224d3c18e05c9e41355284ff76eb62d2235715a1e0bb
                              • Opcode Fuzzy Hash: 53f3cb05208ba483c796a939e62052000f246a0e7f095059f74598d63bd04004
                              • Instruction Fuzzy Hash: 9521E071A042588FCB14DFAEE440BAEBBF5EF88320F14802AD519E7340CA759805CBE5
                              Memory Dump Source
                              • Source File: 0000000B.00000002.2284905282.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 92cfd3b3f30d8da2839363d3fadef7572c308b0f2a0f4d5966bafe63b89f5925
                              • Instruction ID: ee2b12a4135f72208128d8028a4f001d236ac7ef07202eca2215ecadb1b3008d
                              • Opcode Fuzzy Hash: 92cfd3b3f30d8da2839363d3fadef7572c308b0f2a0f4d5966bafe63b89f5925
                              • Instruction Fuzzy Hash: F8519E347042059FD744DB78E884A6E7BE6FFC9214B1484A9D609CB752EB75EC02CBA2
                              Memory Dump Source
                              • Source File: 0000000B.00000002.2284905282.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: eb460289b49ae923a401a9f1ebfb1ea9470fa237905c752ec26c7b3922ae99d0
                              • Instruction ID: affaf6b4352b502e3990c7259f45680a02ec5a23e1246b41b6a35349ca287b35
                              • Opcode Fuzzy Hash: eb460289b49ae923a401a9f1ebfb1ea9470fa237905c752ec26c7b3922ae99d0
                              • Instruction Fuzzy Hash: FC611871E002089FCB54DFA9D984A9DBBF1FF88314F14812AE909AB354DB34A841CFA0
                              Memory Dump Source
                              • Source File: 0000000B.00000002.2284905282.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 0257fb75c2e5541b4ebd525ef95d6cfff9d04578dbcaf2f7d867fabd0ff5e77b
                              • Instruction ID: f165be05e11132d414648dc83e9304058c761d34c10f6952a312991fcd6cea89
                              • Opcode Fuzzy Hash: 0257fb75c2e5541b4ebd525ef95d6cfff9d04578dbcaf2f7d867fabd0ff5e77b
                              • Instruction Fuzzy Hash: 38512971E012489FCB54CFA9D584A9DBBF1FF88314F148069E909AB355DB34A845CFA0
                              Memory Dump Source
                              • Source File: 0000000B.00000002.2349745698.0000000007BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07BE0000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 22333b0507d0fb790d900549b73c4980cc1d441983409b44d537c0ad134ce82e
                              • Instruction ID: aa54fa7a456d63c21b50e06e2296d7e8ddfde6055b7acf4f7e2cdd50bb1aa290
                              • Opcode Fuzzy Hash: 22333b0507d0fb790d900549b73c4980cc1d441983409b44d537c0ad134ce82e
                              • Instruction Fuzzy Hash: F24115F6700606DFEB149AA884456EABBEDFF85221F1480FAE9069B741DB31CC81C761
                              Memory Dump Source
                              • Source File: 0000000B.00000002.2284905282.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 4dad3ee8e3a8c3aad33ef042f7bb3702f36732370bb7af0f577dd1b8f52e28aa
                              • Instruction ID: dc6e1a6af23c774ddc2772fadcf4a4cf43d55e0f9854a31504a60e9b20b2beb9
                              • Opcode Fuzzy Hash: 4dad3ee8e3a8c3aad33ef042f7bb3702f36732370bb7af0f577dd1b8f52e28aa
                              • Instruction Fuzzy Hash: 59412874A006069FCB05CF59C8989BEFBB1FF48314B158199D915AB764C736FC51CBA0
                              Memory Dump Source
                              • Source File: 0000000B.00000002.2284905282.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: e197a5fd82b860a3149aab21b112dc35045cc6cb81a61a6ab143acac9f9d99b4
                              • Instruction ID: 6ba42c566d5a42affaa875153ecd59e9155685a14739624be8b48ebf2f021c4c
                              • Opcode Fuzzy Hash: e197a5fd82b860a3149aab21b112dc35045cc6cb81a61a6ab143acac9f9d99b4
                              • Instruction Fuzzy Hash: 364105B8A005069FCB05CF59D4989BEFBB1FF48314B158269D916AB764C732FC51CBA0
                              Memory Dump Source
                              • Source File: 0000000B.00000002.2284905282.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: d43f75fe8cda6deb4e3910ca8957d504d98cba259044a6c3201c15d45a7c1e5e
                              • Instruction ID: fc3038ea6610a0b42b330386ea12d81b5ee97d4f1fe2132bd4dcfd0cc84fc088
                              • Opcode Fuzzy Hash: d43f75fe8cda6deb4e3910ca8957d504d98cba259044a6c3201c15d45a7c1e5e
                              • Instruction Fuzzy Hash: C0319C313002019FD709EB78E894B9EB7A2FBD4211F048529E60ACB355DF70AC458BA1
                              Memory Dump Source
                              • Source File: 0000000B.00000002.2284905282.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: c7bea24d613a7cfaf1f9c3dc8a6a359cba284ea725a048218270f32c172c7b77
                              • Instruction ID: dc39946aac75951e2d613277b27a6df98ee8c1604c017e32a5c6fdfb90acb4ab
                              • Opcode Fuzzy Hash: c7bea24d613a7cfaf1f9c3dc8a6a359cba284ea725a048218270f32c172c7b77
                              • Instruction Fuzzy Hash: F5313A34A04205CFDB14CF64D598AAEBBF2FF8E314F1480A8E502AB751DA76DC01CB61
                              Memory Dump Source
                              • Source File: 0000000B.00000002.2284905282.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 9a5d5b462c061fc3f37f3b4cbb7b449060e970ec85dad5c41f32b7acc78dcda9
                              • Instruction ID: fe9611d99cb22fd9baa161c3ff5c7db5b36965146773261c3cff6dc1ed86b400
                              • Opcode Fuzzy Hash: 9a5d5b462c061fc3f37f3b4cbb7b449060e970ec85dad5c41f32b7acc78dcda9
                              • Instruction Fuzzy Hash: 9A314F70F002099BDB44DFB9E494AEEBBF6EF89310F148029E509EB755EB349C458B61
                              Memory Dump Source
                              • Source File: 0000000B.00000002.2284905282.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 27fba821d8d27dbb4bebdc3c12750ad0f5fdba5c52db3d58e0fac0cd957d649c
                              • Instruction ID: 401cf852aacf33cb14f20ecbe2bc21f7a2fde52682c0ce112cb7801ee055e37b
                              • Opcode Fuzzy Hash: 27fba821d8d27dbb4bebdc3c12750ad0f5fdba5c52db3d58e0fac0cd957d649c
                              • Instruction Fuzzy Hash: 1931B470A042099FDB00EBB4E894ABE7BF2EF84300F1184ADD605AB395DA35AD008F61
                              Memory Dump Source
                              • Source File: 0000000B.00000002.2284905282.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 3b3803115907619aaf99e090b7e65bf10666519d4aba1b1febeaec4d2ec681ac
                              • Instruction ID: 85e134a095f9b6bcff1068e657a972640753400a195fb5cc56a8f554716b1450
                              • Opcode Fuzzy Hash: 3b3803115907619aaf99e090b7e65bf10666519d4aba1b1febeaec4d2ec681ac
                              • Instruction Fuzzy Hash: 6131E9B2E086445FDB16CBA8E444BFD7FF3BF89304F1884AAC506AB656DB715841CB60
                              Memory Dump Source
                              • Source File: 0000000B.00000002.2284905282.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: ea0e8c01bab008cc831c75c1564cc390d8da72155ed79cafc971e7a7f06f2e2e
                              • Instruction ID: df86cc4c74cd0f6079ebcc44b680caf37cf9fb4df0c0e7be4b49ae25b0e4bb07
                              • Opcode Fuzzy Hash: ea0e8c01bab008cc831c75c1564cc390d8da72155ed79cafc971e7a7f06f2e2e
                              • Instruction Fuzzy Hash: 07312A70F002099FDB44DFA9D494BAEBAF6EF88310F148029E509EB754EB749C458B61
                              Memory Dump Source
                              • Source File: 0000000B.00000002.2284905282.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 878cd2f5096a1c2a4a96e2f7199021735ae39bd3e6afac78126d72fed3d53c3c
                              • Instruction ID: 13b5577278263385fd5eb96372ecb7cec6dd3894615907bbf31ff4409b91a751
                              • Opcode Fuzzy Hash: 878cd2f5096a1c2a4a96e2f7199021735ae39bd3e6afac78126d72fed3d53c3c
                              • Instruction Fuzzy Hash: 8F31BE709053848EDBA0CF6AE088B9EBFF2FF98310F28C85DC94D9B615C6746445CB61
                              Memory Dump Source
                              • Source File: 0000000B.00000002.2284905282.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 0279e6fb4afb24e39b9b1225c35f41e72f30b409d597a967361b374913a75dfd
                              • Instruction ID: ec6712ed36d9a43da9e00e0af84d8f0d9498aacda379e6d1748286446c231969
                              • Opcode Fuzzy Hash: 0279e6fb4afb24e39b9b1225c35f41e72f30b409d597a967361b374913a75dfd
                              • Instruction Fuzzy Hash: 2721DB71A042449FCB05DB78E480A9DBBF1FF86214B04C9AED04A8B752CB35E905DB91
                              Memory Dump Source
                              • Source File: 0000000B.00000002.2284905282.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: de117f835ee5c7817c9f8219de242a4fd865e8ec51451e09fb09ffa2ddc213c5
                              • Instruction ID: 5062c2ec82ede2bd0d02ea92229b0ee621b724462558b282aca3914e31403c24
                              • Opcode Fuzzy Hash: de117f835ee5c7817c9f8219de242a4fd865e8ec51451e09fb09ffa2ddc213c5
                              • Instruction Fuzzy Hash: B721AD712042449FCB55CB79E480A5EBBE2FF8A214744C9AEE545CF751CB31EC06DBA1
                              Memory Dump Source
                              • Source File: 0000000B.00000002.2284905282.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 13a4a6cc32acd5b6147f53f9828cd21f813b9e77925436b32ba69beb7d3e5162
                              • Instruction ID: c32f5fb7514f70f0ba71cb3224fffeb8dd0148c97333dfda695d0baf3b7077b1
                              • Opcode Fuzzy Hash: 13a4a6cc32acd5b6147f53f9828cd21f813b9e77925436b32ba69beb7d3e5162
                              • Instruction Fuzzy Hash: 463121B4E002099FDB04EFA4D898BBE77B6EF84300F51946DD615AB394DA35AD418FA0
                              Memory Dump Source
                              • Source File: 0000000B.00000002.2284356523.0000000004BCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BCD000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 57df32b3ef8a8d0ee888540d84000194f522fb3cd27c3ac1b66e4cfe6eca1978
                              • Instruction ID: 9908875b6fff66e3017013db6e4aa0a3203817e7083ec1fcdb6bd1bf79500e1d
                              • Opcode Fuzzy Hash: 57df32b3ef8a8d0ee888540d84000194f522fb3cd27c3ac1b66e4cfe6eca1978
                              • Instruction Fuzzy Hash: 1A21C1B5604200EFCF05CF58D9C0B26BB66FB88314F24C5EDE9094A296C73AE456DBA1
                              Memory Dump Source
                              • Source File: 0000000B.00000002.2284356523.0000000004BCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BCD000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 98941c22d13f532330e2b23ceec9986d3b91543b66763c97f4e527f0aa155516
                              • Instruction ID: 369ecb964691dea87b9c1db02fcd26814b35839868618da0bfbde223b18a0f3f
                              • Opcode Fuzzy Hash: 98941c22d13f532330e2b23ceec9986d3b91543b66763c97f4e527f0aa155516
                              • Instruction Fuzzy Hash: D221F575604240DFCB14CF24D9C0B26BB66FB84714F24C5EDDA0A4B296C336E446CA61
                              Memory Dump Source
                              • Source File: 0000000B.00000002.2284905282.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 243c0cf8f2291f63261c0c79372b62056a68959781b01fe6980dec68329792b8
                              • Instruction ID: 27143abf399e1c8824b312e838ad81d6d5ad8bb43ae0c61b34ebec993243244a
                              • Opcode Fuzzy Hash: 243c0cf8f2291f63261c0c79372b62056a68959781b01fe6980dec68329792b8
                              • Instruction Fuzzy Hash: 75217CB09057448EDBA0CF6AD088B9EFBF6FF98314F28C41ED91D97245D6746441CB61
                              Memory Dump Source
                              • Source File: 0000000B.00000002.2284905282.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 98da49fb2ca61cfbfa6e624aa4b5b4f79574f3d0531c1c30fd8fd88234840c79
                              • Instruction ID: dcd59099706e2a688ee61ce164e4d7a8addc5ebceb88b00562c5a27f4d2ba7ff
                              • Opcode Fuzzy Hash: 98da49fb2ca61cfbfa6e624aa4b5b4f79574f3d0531c1c30fd8fd88234840c79
                              • Instruction Fuzzy Hash: 232168713042049FCB14DB79E880A5EBBE6FF8A218B40C96DE50ACB755DB35EC01CBA1
                              Memory Dump Source
                              • Source File: 0000000B.00000002.2284905282.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 3bd07090af08147b9731ab0022ef8caf984caf81ed004c2e09a46cb5174bb1f2
                              • Instruction ID: fc72285a4ea329e1dc2ec680a5501c62ef0a92b7edc6aba7bf30288b80f17b69
                              • Opcode Fuzzy Hash: 3bd07090af08147b9731ab0022ef8caf984caf81ed004c2e09a46cb5174bb1f2
                              • Instruction Fuzzy Hash: 9A110D757001188FCB04DBACE880AEEB7F6FBCC215B0440A9EA09DB755DB35DD129B91
                              Memory Dump Source
                              • Source File: 0000000B.00000002.2349745698.0000000007BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07BE0000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 8fdf3690cf9eaf079f4c6939b35a37ffcfafc14f43cf333318c2cb943a693712
                              • Instruction ID: 8672f3304ac1e3737ed19cc332f7ef35e47fb9f00082842f6695afdd9f07403b
                              • Opcode Fuzzy Hash: 8fdf3690cf9eaf079f4c6939b35a37ffcfafc14f43cf333318c2cb943a693712
                              • Instruction Fuzzy Hash: AE1104F2740245AFD714A7AC8441BAEBFEAAF89211F0450A9E6049B652DF309C468766
                              Memory Dump Source
                              • Source File: 0000000B.00000002.2284356523.0000000004BCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BCD000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: b08ff234030906854a45bb6b6e9e44c3427253070cceed9887b7ee92b27ed2b2
                              • Instruction ID: b41bfdd385dc2fab5f571051f94958f3397507ac80f7b8682567552f00bd31e1
                              • Opcode Fuzzy Hash: b08ff234030906854a45bb6b6e9e44c3427253070cceed9887b7ee92b27ed2b2
                              • Instruction Fuzzy Hash: 6C218C76504240DFCB06CF14D9C4B26BF72FB88314F24C5EDE9494A696C33AD46ACBA1
                              Memory Dump Source
                              • Source File: 0000000B.00000002.2284905282.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 73740ddad44b8a8c1db8d234a016827297cb8c8ca7301dbbd0b3caf3075cc24f
                              • Instruction ID: 94138f71043df1dadd404ce81f62942ef489b2e2080a22c1fe23bb880f1dadfb
                              • Opcode Fuzzy Hash: 73740ddad44b8a8c1db8d234a016827297cb8c8ca7301dbbd0b3caf3075cc24f
                              • Instruction Fuzzy Hash: 2311E1312087448FDB24DB39E494AAA7FE1BF45210F1484EEE14EC7AA2DA31E845CB41
                              Memory Dump Source
                              • Source File: 0000000B.00000002.2284356523.0000000004BCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BCD000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: d1047b0845297ecd245ca1d03b98feea0c0f4fe4553aa178a32f5244b1bc5266
                              • Instruction ID: 5d29b54a592ac4a349d596d7d5210b4f837028af62ac28e4867cc67d808e9a7c
                              • Opcode Fuzzy Hash: d1047b0845297ecd245ca1d03b98feea0c0f4fe4553aa178a32f5244b1bc5266
                              • Instruction Fuzzy Hash: 5311DD75504280CFCB15CF24D5C0B25BFA2FB84318F24C6EED9494B696C33AE44ACB62
                              Memory Dump Source
                              • Source File: 0000000B.00000002.2349745698.0000000007BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07BE0000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 95b311e4b7ef170a18c576a1574724a1bf11fd6c37ff9bd073c2fdd5bbe3feb7
                              • Instruction ID: b5e8abdd0b293b7a5200994f237d27e8dba888591a778393d311dcf3df433daf
                              • Opcode Fuzzy Hash: 95b311e4b7ef170a18c576a1574724a1bf11fd6c37ff9bd073c2fdd5bbe3feb7
                              • Instruction Fuzzy Hash: 1D01F7F2B0426197D32126BC481256E7B968FD1724B1409E9CD119F78ADF348D8383E7
                              Memory Dump Source
                              • Source File: 0000000B.00000002.2284905282.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 2d01130e206b5ae312db66424c53184b852ff0eaea801139763bc1cb78dfae50
                              • Instruction ID: c2dcef37a438fefd8e18ea1d692d21ad13d887aa2502a41cc4a15df7016da8a0
                              • Opcode Fuzzy Hash: 2d01130e206b5ae312db66424c53184b852ff0eaea801139763bc1cb78dfae50
                              • Instruction Fuzzy Hash: 93111735204750CFC768DF39D48085ABBF6EF8931972489ADD48A8B7A0DB36E841CB50
                              Memory Dump Source
                              • Source File: 0000000B.00000002.2284905282.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 1eae12ba87f96f49a53325a4e17476641f93a718671e32c81db20f4c9d1748af
                              • Instruction ID: f427e27d5175409b4c01fbb6f2484f1858f898a4757538a9fdf5503618fa3ae3
                              • Opcode Fuzzy Hash: 1eae12ba87f96f49a53325a4e17476641f93a718671e32c81db20f4c9d1748af
                              • Instruction Fuzzy Hash: AE015236B012149FCB159F74E808AEEBBF6FB89315F14806DE91AD3342DB315911CB91
                              Memory Dump Source
                              • Source File: 0000000B.00000002.2284905282.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: a3eac1ab44ab242cb32c7ce68d4e41ce5a170d4eb7e6c6b74e8c4fcf882f3a34
                              • Instruction ID: 4644bcb246b30152b99d6251bdc64211323ead1c6dc904c7b416c84970d71728
                              • Opcode Fuzzy Hash: a3eac1ab44ab242cb32c7ce68d4e41ce5a170d4eb7e6c6b74e8c4fcf882f3a34
                              • Instruction Fuzzy Hash: B9F08B373056056BCB256619B8108FE3FAEEAC53B13000057E609CBE42DA24880043F2
                              Memory Dump Source
                              • Source File: 0000000B.00000002.2284356523.0000000004BCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BCD000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: f79e68a43468516c5c98f3d3bbd9ac771e09ba6646bd2ad8418cae3f5c1e8cb0
                              • Instruction ID: 9766a6ee772a415cad2162bde15d31aed1722f3a8613f317f243da1af6bf4fbc
                              • Opcode Fuzzy Hash: f79e68a43468516c5c98f3d3bbd9ac771e09ba6646bd2ad8418cae3f5c1e8cb0
                              • Instruction Fuzzy Hash: 0901F2755083049AE7208E3DECD0B67BFDCDF41324F08C4AEED494B282D679A842C6B1
                              Memory Dump Source
                              • Source File: 0000000B.00000002.2284356523.0000000004BCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BCD000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 47ba0e345093a1ee4a5082d4030de092b20c6824d8ff75636ae8106837705e9b
                              • Instruction ID: 354147a31a54ba6411b1c689a71482bed722f5ae06f21be7babe0275ee8d0e1b
                              • Opcode Fuzzy Hash: 47ba0e345093a1ee4a5082d4030de092b20c6824d8ff75636ae8106837705e9b
                              • Instruction Fuzzy Hash: 94019E7100D3805FD7128B299C94B62BFA8EF42224F1880EBE9888F193C2696C45C772
                              Memory Dump Source
                              • Source File: 0000000B.00000002.2284905282.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 209f30ddf5f0aac251011c0d867eb6d1478dc0d083febd28726c434b3b5263ec
                              • Instruction ID: c5436941c1a8fbddab46d1008f6fb3375ed9ff77d930690b41634c93691adaee
                              • Opcode Fuzzy Hash: 209f30ddf5f0aac251011c0d867eb6d1478dc0d083febd28726c434b3b5263ec
                              • Instruction Fuzzy Hash: F1F0C8313093A16FD7114A69AC5497B7FE9EF86550B04406BF944C7762CA70CD048B60
                              Memory Dump Source
                              • Source File: 0000000B.00000002.2284905282.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: a237f73b884e30a3fa70ab7a9497e6db888b3d647d44b6bd5829a586b6fe7ab5
                              • Instruction ID: 371a63190e48610b758b02aa360be3e5098ddcfbc016517082f20e38e0604f8e
                              • Opcode Fuzzy Hash: a237f73b884e30a3fa70ab7a9497e6db888b3d647d44b6bd5829a586b6fe7ab5
                              • Instruction Fuzzy Hash: 310149766042009FE3116B78D0483EF3BA5DFC1314F50C0AAD6148B356CE356906C7B0
                              Memory Dump Source
                              • Source File: 0000000B.00000002.2284905282.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 6aa44b51aa6f260973c0870710f4a4f4c4c931da746d0f75d7363b9ef3df3efd
                              • Instruction ID: 52b4373312cca67ae3a1302781b054c731fc48de463b8b21f7c0007de861c45a
                              • Opcode Fuzzy Hash: 6aa44b51aa6f260973c0870710f4a4f4c4c931da746d0f75d7363b9ef3df3efd
                              • Instruction Fuzzy Hash: 37F0463130A3446FC3019764E8449AF7BF5EF89121B04089EE149C7751DE705C44C361
                              Memory Dump Source
                              • Source File: 0000000B.00000002.2284356523.0000000004BCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BCD000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: ba1b3e1ea652fd1bec8f6318c56edecf08b5fe6614d87cfda3642b42e59aa07d
                              • Instruction ID: d9ec548a5bb33c75116ede6d43639baf75487b469f06bdfcbaf95028bfc3ae6d
                              • Opcode Fuzzy Hash: ba1b3e1ea652fd1bec8f6318c56edecf08b5fe6614d87cfda3642b42e59aa07d
                              • Instruction Fuzzy Hash: 8EF0F97A600604AF9720CF0AD984C27FBADEBD4770755C5AEE84A4B711D671FC41CAA0
                              Memory Dump Source
                              • Source File: 0000000B.00000002.2284905282.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: a87398b17c6f31885503fc3d61cef3628a3a3d5002bddfc862c5d35dea30519a
                              • Instruction ID: 3dbfc8b35660fe3985b1534f15530ce19d11e3cafe3a741dc9fa0341b57a101a
                              • Opcode Fuzzy Hash: a87398b17c6f31885503fc3d61cef3628a3a3d5002bddfc862c5d35dea30519a
                              • Instruction Fuzzy Hash: 01F05E353082404FC3009F29E894C7ABBF6AFDA75931910A9E695CB736DA61DC01DB90
                              Memory Dump Source
                              • Source File: 0000000B.00000002.2284905282.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 5f53116b7471dc5a287ed1e1433f8a411ef6d3aa4e9fa3135ce6e1343a30a366
                              • Instruction ID: 339840dfbb1a2cfbb74dc51b803f813990bfe03304d9d491fbce66cc6ecbce5c
                              • Opcode Fuzzy Hash: 5f53116b7471dc5a287ed1e1433f8a411ef6d3aa4e9fa3135ce6e1343a30a366
                              • Instruction Fuzzy Hash: 11F030759053045BD7609B78E4AC39E7FE5FB42310F4888ADD649C7292DB3568818750
                              Memory Dump Source
                              • Source File: 0000000B.00000002.2284905282.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 812f478e0576777b30ac8d3a8b4c0580ed4a96a68d27257b28748d0b06fa583e
                              • Instruction ID: 953df21b3e7b7386f67ce01dadb858e0f4813ebebef07c9301208356f34ef960
                              • Opcode Fuzzy Hash: 812f478e0576777b30ac8d3a8b4c0580ed4a96a68d27257b28748d0b06fa583e
                              • Instruction Fuzzy Hash: F0F0A772704714AFD7149A69EC84ABF77EAEB88261B00092DE10ED3750DF30AD4187A1
                              Memory Dump Source
                              • Source File: 0000000B.00000002.2284356523.0000000004BCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BCD000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 438194c10203e38af0b5aade1426cc958fcdbf8fc8d3a21502150079b6e25f7e
                              • Instruction ID: 19851ea6524727506d7e500359cc0747e733637e7e83ee4f52ad63037af3f544
                              • Opcode Fuzzy Hash: 438194c10203e38af0b5aade1426cc958fcdbf8fc8d3a21502150079b6e25f7e
                              • Instruction Fuzzy Hash: 64F0F979100640AFD725CF06C984D23BBB9EB95664B19859DE85A4B752C671FC02CBA0
                              Memory Dump Source
                              • Source File: 0000000B.00000002.2284905282.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 49e415dc1b96aafcb8bfac15bcb3e0c2fb96bc8987a64ce7769b6fcb14d1568f
                              • Instruction ID: baebcc8095b30d09e71e4a6d349c0504f66e0779f3c446005c05e767326b6a6f
                              • Opcode Fuzzy Hash: 49e415dc1b96aafcb8bfac15bcb3e0c2fb96bc8987a64ce7769b6fcb14d1568f
                              • Instruction Fuzzy Hash: B4F030757001188FDB009BADB840AAEB7E2FBCD6557154159EA09CB714DF25DC124B92
                              Memory Dump Source
                              • Source File: 0000000B.00000002.2284905282.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 70495744b3780cdd7b7eb89f70f3f3adee562fb886983c21d114a85e14a3f0fb
                              • Instruction ID: 7b1bbea6bf46f3d6dff7219596b58c1158b9d8ba050af1aa90241195734908a7
                              • Opcode Fuzzy Hash: 70495744b3780cdd7b7eb89f70f3f3adee562fb886983c21d114a85e14a3f0fb
                              • Instruction Fuzzy Hash: 64F0E2716002048BE300AB79D0487EB77A6DFC0319F50C16ECA1947389CE3A2841CBF0
                              Memory Dump Source
                              • Source File: 0000000B.00000002.2284905282.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 94f9c99840731fce3db22965725a21092f2a736c03c7f84fbb361e4d692ace8a
                              • Instruction ID: 6dce09d2d0915e40faf4fc50b0659b6bfc02a59fe9e444360a19a2e85c5a4319
                              • Opcode Fuzzy Hash: 94f9c99840731fce3db22965725a21092f2a736c03c7f84fbb361e4d692ace8a
                              • Instruction Fuzzy Hash: 48E0E5363001148F8310AF1DE498C2AB7FAEFCE76571900AAE649CB725DA71EC01DB90
                              Memory Dump Source
                              • Source File: 0000000B.00000002.2284905282.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 8143243a068ea1839798517680a40699289bb74cec9ac6bfb788c34734a86139
                              • Instruction ID: dd2d979ba51dd521933293f2231c63c2438afab6867677f2eaa6502520a00827
                              • Opcode Fuzzy Hash: 8143243a068ea1839798517680a40699289bb74cec9ac6bfb788c34734a86139
                              • Instruction Fuzzy Hash: 6BE0D86170C3922BCB1A816D7C155BEABA746D702030840B6A34CCFB46DC15880A83A0
                              Memory Dump Source
                              • Source File: 0000000B.00000002.2284905282.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 3445326bafb742e0a44c7cbf73f595ac4ab1dff19b1b0c6ddba08c6a5027b22e
                              • Instruction ID: a05afa8327e028799d3d7697335229b40e934ff2f2567ccdd2c044ee419ae1ba
                              • Opcode Fuzzy Hash: 3445326bafb742e0a44c7cbf73f595ac4ab1dff19b1b0c6ddba08c6a5027b22e
                              • Instruction Fuzzy Hash: E7E0C2127020A557465960FB3808BFFB5CA8DF58A9B494235DB09C7B47EC21CC0243F1
                              Memory Dump Source
                              • Source File: 0000000B.00000002.2284905282.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 7b38d194ae9451f6208063dd71b899646524cfd588701e701aaea2cd926a6b85
                              • Instruction ID: f7d562349867600446739f4db9b0d95f221c1343cb092060e17706f575b43d2e
                              • Opcode Fuzzy Hash: 7b38d194ae9451f6208063dd71b899646524cfd588701e701aaea2cd926a6b85
                              • Instruction Fuzzy Hash: 88E0D83571471597CB092B75A41C2EE7AB6EBC4725F04C02EEA0A83346CF766902C3D5
                              Memory Dump Source
                              • Source File: 0000000B.00000002.2284905282.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: a078b525aca1d1c5f67b39ef58770a25b21bca7d8c95bc73c9bc3481cac63172
                              • Instruction ID: 65fb5dcfdf4c87aa8b68411ece341f1217ac134f18b0bd79a8fc10587f69a1e2
                              • Opcode Fuzzy Hash: a078b525aca1d1c5f67b39ef58770a25b21bca7d8c95bc73c9bc3481cac63172
                              • Instruction Fuzzy Hash: DEE09230915309CBCF05EBB8E5496FD7F70EE11200B0081ADD652E2546DA20F58BCB81
                              Memory Dump Source
                              • Source File: 0000000B.00000002.2284905282.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: e22b32caffad2c52c956cf86e8212f2fef14ece1048a01b6c31c0df74867e27a
                              • Instruction ID: 2cd0bc82c81f357dbf6a22d6e450ae42589d4c1df601667b0cb036354428f3e7
                              • Opcode Fuzzy Hash: e22b32caffad2c52c956cf86e8212f2fef14ece1048a01b6c31c0df74867e27a
                              • Instruction Fuzzy Hash: C1F06D709013044BD3649FB8E49C7DA7BE5FB44310F04846DD61EC3341DB3578818B90
                              Memory Dump Source
                              • Source File: 0000000B.00000002.2284905282.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: bdf297b4bd02a7164a9942b3ca09e0a0b1ac8094ad033f571b3961f219d5308f
                              • Instruction ID: 603c361de987423c2da71dc432c54e600fb56d2d45b8f3d731601231f6fe44cb
                              • Opcode Fuzzy Hash: bdf297b4bd02a7164a9942b3ca09e0a0b1ac8094ad033f571b3961f219d5308f
                              • Instruction Fuzzy Hash: 05E0DF3530471197CB092778A41C2EE7AA6EBC4725F04802ED60A8338ACF7A280283D9
                              Memory Dump Source
                              • Source File: 0000000B.00000002.2284905282.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 30274b75b331d22a4236e54d19961497e742091c88658c6c870d63a58db87161
                              • Instruction ID: d14f44586f69212195b6212e9c89558efb50f3b795915dff1305415bdacc5f2a
                              • Opcode Fuzzy Hash: 30274b75b331d22a4236e54d19961497e742091c88658c6c870d63a58db87161
                              • Instruction Fuzzy Hash: 8ED0A71270212517059470FF38047FFA1CF8EE48A5B454136DB09C3B82ED60CC0103F1
                              Memory Dump Source
                              • Source File: 0000000B.00000002.2284905282.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 8b4103bb1579596632f8d2867e8fd5e51d86dd3eb9069b0fc3cf224bf9700c31
                              • Instruction ID: 88846a978f60536ad5fa69dcba26a7d924047ca2ff9df8dc799facf798dd6f83
                              • Opcode Fuzzy Hash: 8b4103bb1579596632f8d2867e8fd5e51d86dd3eb9069b0fc3cf224bf9700c31
                              • Instruction Fuzzy Hash: 0CE0C233700715578215A62EB81089F77EBEFC4671354842EE149CB740EF64EC0147D5
                              Memory Dump Source
                              • Source File: 0000000B.00000002.2284905282.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
                              • Instruction ID: 63bad4999b6e6540e8f8199020fc833314c670512bf429cd0142fb7ee9798ca4
                              • Opcode Fuzzy Hash: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
                              • Instruction Fuzzy Hash: CFE08632B10014978B08DA59E4104EDFBAADBCC220F04807ADA0AA7740DA32591587E1
                              Memory Dump Source
                              • Source File: 0000000B.00000002.2284905282.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 9134b3d3b4db4dbc2b3433270930a1273de04d71dd024a0e05282b08e9d7a817
                              • Instruction ID: 6fd4229b376bfad00865db418ee0119cb8b2bb58837d3e74df6cd391672c462d
                              • Opcode Fuzzy Hash: 9134b3d3b4db4dbc2b3433270930a1273de04d71dd024a0e05282b08e9d7a817
                              • Instruction Fuzzy Hash: 74E06530E1870A9BCB149B68F54A5EDBBB1AF55204F00C068EE4497A4ADA30A947CBC0
                              Memory Dump Source
                              • Source File: 0000000B.00000002.2284905282.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 25e8b6e340387b35ab5faa02074fee3ab1fb04898a86422c0c65d32ec4b066b6
                              • Instruction ID: e6adaad8a46724d86b200e9236141d6d38e5d855498e966dd176daf6841a6b7d
                              • Opcode Fuzzy Hash: 25e8b6e340387b35ab5faa02074fee3ab1fb04898a86422c0c65d32ec4b066b6
                              • Instruction Fuzzy Hash: F731A9709153449EDB60CF6AD08879AFFF2FF98324F28C46EC84DAB201C6746480CB65
                              Memory Dump Source
                              • Source File: 0000000E.00000002.2285184438.0000000004C3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C3D000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: c0e431229b36e0777785eb13316d250dfb6dce05caa264ee1437489a65ee1b34
                              • Instruction ID: 8da04b06c46c8258f4f48d9e4897a96fc9f01ce299c48b17d7c2690ffbb4e7c3
                              • Opcode Fuzzy Hash: c0e431229b36e0777785eb13316d250dfb6dce05caa264ee1437489a65ee1b34
                              • Instruction Fuzzy Hash: EE2129B5A04244DFDB14DF28D9C0B26BF66FB84315F24CD6DEA4A4B246C336E846CB61
                              Memory Dump Source
                              • Source File: 0000000E.00000002.2286376052.0000000005210000.00000040.00000800.00020000.00000000.sdmp, Offset: 05210000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 4fd0a1b2200c02fedd543b6e12b337349ac8a4041d90e799f203a0ea02211f21
                              • Instruction ID: 68de3b1b2cc07852dca401eaab17d4b694f4d8d29a17d33bbe74cf482a57e739
                              • Opcode Fuzzy Hash: 4fd0a1b2200c02fedd543b6e12b337349ac8a4041d90e799f203a0ea02211f21
                              • Instruction Fuzzy Hash: 44219AB09153449EEB60CF6AC08879AFBF2FF98324F28C02ED81DA7205D7746480CB64
                              Memory Dump Source
                              • Source File: 0000000E.00000002.2286376052.0000000005210000.00000040.00000800.00020000.00000000.sdmp, Offset: 05210000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 721706d5cf3f6d7168f65b9fdae32c41253bfc983505b430155004f5a37f1771
                              • Instruction ID: 7d963e16c4cc37274559d2141efac2adc7d93beaaa1b3112036e0de146bf892f
                              • Opcode Fuzzy Hash: 721706d5cf3f6d7168f65b9fdae32c41253bfc983505b430155004f5a37f1771
                              • Instruction Fuzzy Hash: 97112B79B001198FCB04DBA8E8409EE77F6FFC8225B0440A5E909DB361DB34DD019B90
                              Memory Dump Source
                              • Source File: 0000000E.00000002.2285184438.0000000004C3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C3D000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: b08ff234030906854a45bb6b6e9e44c3427253070cceed9887b7ee92b27ed2b2
                              • Instruction ID: d3285227568b0614dde2b37129d1ebd224251618e94a44f14c600341e84ada3f
                              • Opcode Fuzzy Hash: b08ff234030906854a45bb6b6e9e44c3427253070cceed9887b7ee92b27ed2b2
                              • Instruction Fuzzy Hash: C6218C76904240DFCB06CF10D9C4B16BF72FB88314F24C9ADE9494A656C33AD56ACF91
                              Memory Dump Source
                              • Source File: 0000000E.00000002.2285184438.0000000004C3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C3D000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: d1047b0845297ecd245ca1d03b98feea0c0f4fe4553aa178a32f5244b1bc5266
                              • Instruction ID: 5c0e23d1b2141c066f354d5802796aab804521d9c64a2d47c7fb0026d53b3b5c
                              • Opcode Fuzzy Hash: d1047b0845297ecd245ca1d03b98feea0c0f4fe4553aa178a32f5244b1bc5266
                              • Instruction Fuzzy Hash: 0911EF79904280CFDB11CF24D5C0B15FFA2FB84318F24CAAED9494B656C33AE54ACB61
                              Memory Dump Source
                              • Source File: 0000000E.00000002.2286376052.0000000005210000.00000040.00000800.00020000.00000000.sdmp, Offset: 05210000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 180b0f63206ab32266441e9b9b918c3e99bf6749f1e1cdc7067cf90228bc75ad
                              • Instruction ID: f107739370a192e9e2937f146ee72576aa381b742a018358c0ac1bba35e49e4d
                              • Opcode Fuzzy Hash: 180b0f63206ab32266441e9b9b918c3e99bf6749f1e1cdc7067cf90228bc75ad
                              • Instruction Fuzzy Hash: B20122312087848FC718DB75D594AAABFF5EF46210F1888EED48ECB6A2CA20EC44C700
                              Memory Dump Source
                              • Source File: 0000000E.00000002.2286376052.0000000005210000.00000040.00000800.00020000.00000000.sdmp, Offset: 05210000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 97b59a33c11d757becf0ab32dbf265869a0542c6031aedc136c7fa4908dd2f6e
                              • Instruction ID: 2dd3e801feb693620a1c2507f942fdd6ab319e4b2492976d17fd55c01b39b285
                              • Opcode Fuzzy Hash: 97b59a33c11d757becf0ab32dbf265869a0542c6031aedc136c7fa4908dd2f6e
                              • Instruction Fuzzy Hash: B3111735204750CFC728DF39D09085ABBF6EF8A31972089ADD48A8B7A0DB36E941CB50
                              Memory Dump Source
                              • Source File: 0000000E.00000002.2286376052.0000000005210000.00000040.00000800.00020000.00000000.sdmp, Offset: 05210000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: c97e783f393260186d2f7cf386bcede1b5c3d1e803a5b55d527c9f5152c10c27
                              • Instruction ID: 1140b232825e9a5b89a1126e8de82f4a6aa91ef172a52fce861dff8e49c6c6ee
                              • Opcode Fuzzy Hash: c97e783f393260186d2f7cf386bcede1b5c3d1e803a5b55d527c9f5152c10c27
                              • Instruction Fuzzy Hash: 54018035B002148FCB119F74E848AAEBBF6FB89219B00406DE51A93242DB31A911CB90
                              Memory Dump Source
                              • Source File: 0000000E.00000002.2285184438.0000000004C3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C3D000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 60d9071033d9c9cf1dee14cd73aec1b78b84328da5de6ad1acbe06a6724eed8d
                              • Instruction ID: b05f5cb280f3470b8c620ec8ce11f97e8d78ea3d6123f9349696dc05a5889e9f
                              • Opcode Fuzzy Hash: 60d9071033d9c9cf1dee14cd73aec1b78b84328da5de6ad1acbe06a6724eed8d
                              • Instruction Fuzzy Hash: A6019E6100E3C09EE7128B25D894B52BFB4EF43624F08C0DBE8898F1E3C2695849C772
                              Memory Dump Source
                              • Source File: 0000000E.00000002.2285184438.0000000004C3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C3D000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 8943ad03b813632f5d344037d2b0523a45cc8c47e498421774276c4a566d0828
                              • Instruction ID: 2c03059bbe7c2aeb42cabb6150fd3299b740bd41b30d0b016f7827d89a0509fa
                              • Opcode Fuzzy Hash: 8943ad03b813632f5d344037d2b0523a45cc8c47e498421774276c4a566d0828
                              • Instruction Fuzzy Hash: 33012B715043009AE7104F26ECC0B67BFD9DF41B25F0CC41AFD4A4B182C679A941C6B1
                              Memory Dump Source
                              • Source File: 0000000E.00000002.2286376052.0000000005210000.00000040.00000800.00020000.00000000.sdmp, Offset: 05210000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 16482623b9ab6ce4d42d4ea4066d8f6a87cc8640961003d6cb248db5c4ba0ea4
                              • Instruction ID: 1add446f1dcaf6e506ce566098d0edbd4f9fbabaf4b8610ea9f581e3fd69dba8
                              • Opcode Fuzzy Hash: 16482623b9ab6ce4d42d4ea4066d8f6a87cc8640961003d6cb248db5c4ba0ea4
                              • Instruction Fuzzy Hash: 53F0A43531D3915FD7018A799C549777FEAEF8622071945ABF484C7362C970CC048760
                              Memory Dump Source
                              • Source File: 0000000E.00000002.2286376052.0000000005210000.00000040.00000800.00020000.00000000.sdmp, Offset: 05210000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: f4b76c80066b9c2e4ba0fb99336635457153427640eb4e5db3904527e2f18ee1
                              • Instruction ID: 013748c6e787eeec664e0bb54cbd0c5599d6c6ceb78b83b4785d1773cca5f765
                              • Opcode Fuzzy Hash: f4b76c80066b9c2e4ba0fb99336635457153427640eb4e5db3904527e2f18ee1
                              • Instruction Fuzzy Hash: D8F028303092945FC7129768E884D6F7FF5EF8916170405AEE449CB6A2CF649C4587A1
                              Memory Dump Source
                              • Source File: 0000000E.00000002.2286376052.0000000005210000.00000040.00000800.00020000.00000000.sdmp, Offset: 05210000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 0854dcd0193a1107ee7a6f88353955f675bbfda768e5626880b0e4012701efb9
                              • Instruction ID: 574098aa3267fc0251929066be5bea2a571fdc42fd8bfd98313eeb5959edcb4b
                              • Opcode Fuzzy Hash: 0854dcd0193a1107ee7a6f88353955f675bbfda768e5626880b0e4012701efb9
                              • Instruction Fuzzy Hash: D2F0C231B082444BD301AF65D0583ABBFA6DFC2219F15819AC9498B396CE792C06CBE1
                              Memory Dump Source
                              • Source File: 0000000E.00000002.2285184438.0000000004C3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C3D000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 4fa5a338a09a24758283fa2a780f1bb96b5e63d2f6c3ce21d43deba7a412c133
                              • Instruction ID: 52752c0226a6c2317215ef779c732dea44dc7b0882b0334ad4acfa8187702574
                              • Opcode Fuzzy Hash: 4fa5a338a09a24758283fa2a780f1bb96b5e63d2f6c3ce21d43deba7a412c133
                              • Instruction Fuzzy Hash: A7F0F976600600AFD720CF0AD985C23FBBAEBD4774719C59AE84A4B652C671FC41CAA0
                              Memory Dump Source
                              • Source File: 0000000E.00000002.2286376052.0000000005210000.00000040.00000800.00020000.00000000.sdmp, Offset: 05210000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: c589058d3520bb35f537bd44ae504b668e6b7976c3cb21de97bcae77aa5a00cf
                              • Instruction ID: 911474d4d3bf20c5ca986330a26e87d17371138049d1b3fe1db10a794e32dbd3
                              • Opcode Fuzzy Hash: c589058d3520bb35f537bd44ae504b668e6b7976c3cb21de97bcae77aa5a00cf
                              • Instruction Fuzzy Hash: B1F034353152928F87118B2DD498C66BBF6AFDA21932945AAE48ACF332CA61DC018790
                              Memory Dump Source
                              • Source File: 0000000E.00000002.2286376052.0000000005210000.00000040.00000800.00020000.00000000.sdmp, Offset: 05210000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 8b747f19893f3f5c87b80f8ebee86254f7fed2651fdc2bdf8e370a2158116384
                              • Instruction ID: b1d7d8ff06ebb4ea7d63a7ba80bd445dc661b5c8f161d75360d9d0c8c84681cb
                              • Opcode Fuzzy Hash: 8b747f19893f3f5c87b80f8ebee86254f7fed2651fdc2bdf8e370a2158116384
                              • Instruction Fuzzy Hash: 08F054706093444FDB619B78D4AC3967FE5EF02218F1448AED94DC7252DB756880C7A1
                              Memory Dump Source
                              • Source File: 0000000E.00000002.2286376052.0000000005210000.00000040.00000800.00020000.00000000.sdmp, Offset: 05210000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 691621fc7cf40e6ad8a6686a3e68421d875be91a4cfad8e77ae4de57e7869acb
                              • Instruction ID: d0cc2e543b7f637edc16217d393f9626c1aa5d638a74a3f324cfcfa108fdc430
                              • Opcode Fuzzy Hash: 691621fc7cf40e6ad8a6686a3e68421d875be91a4cfad8e77ae4de57e7869acb
                              • Instruction Fuzzy Hash: 80F0A7717006149FC714A759E884A6F77EAEBC8261B00092DE50EC3751DF34AC4187A4
                              Memory Dump Source
                              • Source File: 0000000E.00000002.2285184438.0000000004C3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C3D000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 4dc115e986e08418eddcac8aa5674ab0dd17d75bb38bd1f6bc0bf224123254b1
                              • Instruction ID: dee8b1d23343e7b8ae949a9335c5c1541617fbe052b4e1007e90ba4fb22065a9
                              • Opcode Fuzzy Hash: 4dc115e986e08418eddcac8aa5674ab0dd17d75bb38bd1f6bc0bf224123254b1
                              • Instruction Fuzzy Hash: 95F0F975100780AFD725CF06C985D23BBBAEB85664B198499E85A5B752C671FC02CB60
                              Memory Dump Source
                              • Source File: 0000000E.00000002.2286376052.0000000005210000.00000040.00000800.00020000.00000000.sdmp, Offset: 05210000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 109ff495d0c42d1c2bc328e082269fdb0e41324603e827f8c38793cb5439e415
                              • Instruction ID: 8eb2b53f381a4e9a731364404544e1d2b42a044f11f2db2d82dd46234ff40661
                              • Opcode Fuzzy Hash: 109ff495d0c42d1c2bc328e082269fdb0e41324603e827f8c38793cb5439e415
                              • Instruction Fuzzy Hash: C5F0E531206A919BC317932C78548AF7FE79EC3125314429EE446DB212DEA49C0687E6
                              Memory Dump Source
                              • Source File: 0000000E.00000002.2286376052.0000000005210000.00000040.00000800.00020000.00000000.sdmp, Offset: 05210000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 9441bed7c3bf4b8d9eb2a2e2574c6d463de91463836029de07ab3cc3588fd51f
                              • Instruction ID: 43e43f854d8b9d03a613a9237a091ad848e759140e0e2757db551ba4c24be825
                              • Opcode Fuzzy Hash: 9441bed7c3bf4b8d9eb2a2e2574c6d463de91463836029de07ab3cc3588fd51f
                              • Instruction Fuzzy Hash: C2F0A0397001098FCB10DBAD9840AAA7BE2FFD97557194195E90DCB320DF24DC028B91
                              Memory Dump Source
                              • Source File: 0000000E.00000002.2286376052.0000000005210000.00000040.00000800.00020000.00000000.sdmp, Offset: 05210000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 9bc86fe2f74eb599a2a372dacfdcb49e0478fbed600a1b96bafa4c0dca2ffe70
                              • Instruction ID: 21e78404375b4f125b11fc680c5b133b09da0a880c1f75dad2e35c17f39b810d
                              • Opcode Fuzzy Hash: 9bc86fe2f74eb599a2a372dacfdcb49e0478fbed600a1b96bafa4c0dca2ffe70
                              • Instruction Fuzzy Hash: 00F0A071B042048BE304AFB9D0587ABBBE7DFC5319F11812AC90A47399CE7A6945CBE1
                              Memory Dump Source
                              • Source File: 0000000E.00000002.2286376052.0000000005210000.00000040.00000800.00020000.00000000.sdmp, Offset: 05210000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: b89611981090fd0f118f7c3ca3d7a8562492d5506a59c56ea0673ca461e8b9b6
                              • Instruction ID: 6a7b095ae84d8ad6fe71d897cb541e57ec9b5305201262a1a187093069eb8646
                              • Opcode Fuzzy Hash: b89611981090fd0f118f7c3ca3d7a8562492d5506a59c56ea0673ca461e8b9b6
                              • Instruction Fuzzy Hash: BFE0E5353101128F86109B1ED498C26B7FAEFDE62936904AAF94ACF325DA61EC018B94
                              Memory Dump Source
                              • Source File: 0000000E.00000002.2286376052.0000000005210000.00000040.00000800.00020000.00000000.sdmp, Offset: 05210000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 6563657aff98f30260db65ca99e380cba0ea20a4f2929c5faea5ac20b9f11e41
                              • Instruction ID: 27b7937aa6e3fe8abf9667a5fbf4088e9a7555957462918ac2eb4db0ea332895
                              • Opcode Fuzzy Hash: 6563657aff98f30260db65ca99e380cba0ea20a4f2929c5faea5ac20b9f11e41
                              • Instruction Fuzzy Hash: 07E06823B252011B860D62794468177B9CECED6070B0202768D15EF2D1DC81CC0243E5
                              Memory Dump Source
                              • Source File: 0000000E.00000002.2286376052.0000000005210000.00000040.00000800.00020000.00000000.sdmp, Offset: 05210000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 719db7686129f318e01ed6a3358b8f8f565866dcb195005545509ef10c79a524
                              • Instruction ID: 6c116c8fde83c8a6781e167d6fdc213757088042bf5ea82cfe9cf4c8f97c214a
                              • Opcode Fuzzy Hash: 719db7686129f318e01ed6a3358b8f8f565866dcb195005545509ef10c79a524
                              • Instruction Fuzzy Hash: ABE02B31B15194DBCB09C66CE4404EEBFE3DFC9229F14C5BED8469B311C972480587D5
                              Memory Dump Source
                              • Source File: 0000000E.00000002.2286376052.0000000005210000.00000040.00000800.00020000.00000000.sdmp, Offset: 05210000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 792473f91cfcf238facbe1179f5c26e701e3dc7f4ef7d894b3b3eeac007068f1
                              • Instruction ID: 2a9315c7e2c915c6f0ce456bfe0d45345d8daacee9332324e38eb436fa7169a6
                              • Opcode Fuzzy Hash: 792473f91cfcf238facbe1179f5c26e701e3dc7f4ef7d894b3b3eeac007068f1
                              • Instruction Fuzzy Hash: F1E0862531D3D51B8B16553EA4605573FEB8ECB52431AC4FBE848CB216CD51CC0643E5
                              Memory Dump Source
                              • Source File: 0000000E.00000002.2286376052.0000000005210000.00000040.00000800.00020000.00000000.sdmp, Offset: 05210000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 146f25798b96ebd8335090234d4a885a0773e2421d2ccc2fc29f49c51b0c13b1
                              • Instruction ID: c19f6eed59d46e11db07a27b0aabfd25e9abcd647718f7da501d1f77f53e5ab7
                              • Opcode Fuzzy Hash: 146f25798b96ebd8335090234d4a885a0773e2421d2ccc2fc29f49c51b0c13b1
                              • Instruction Fuzzy Hash: 59E0D83570421457CB093B75D41C2AE7AA6EFC5729F05002EDB0A87345CF795941C3D9
                              Memory Dump Source
                              • Source File: 0000000E.00000002.2286376052.0000000005210000.00000040.00000800.00020000.00000000.sdmp, Offset: 05210000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: b54f667149f6d91b24ea9e1d89033ffd4686eb4f60f89f5d42420ec3375bab4b
                              • Instruction ID: a382c8eb74a881ac9965fe29610f192ac5806015e026a52133f2fab505726197
                              • Opcode Fuzzy Hash: b54f667149f6d91b24ea9e1d89033ffd4686eb4f60f89f5d42420ec3375bab4b
                              • Instruction Fuzzy Hash: C6F0ED70A043045BD7649BB9D4AC79B7BE5FB44354F00582DDA5EC7350DB3968C0CB90
                              Memory Dump Source
                              • Source File: 0000000E.00000002.2286376052.0000000005210000.00000040.00000800.00020000.00000000.sdmp, Offset: 05210000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: ebf180ebc2551f416b49407d68bae366a5a3d0f35e56b40ce2200e0e4baca9b1
                              • Instruction ID: f07031de022e3db4bd49e82ac8129441bd963a7131454d6c8b9bfa1eebf2ee12
                              • Opcode Fuzzy Hash: ebf180ebc2551f416b49407d68bae366a5a3d0f35e56b40ce2200e0e4baca9b1
                              • Instruction Fuzzy Hash: 82E0263530421047CB0937B8A42C2AE7ADAEBC5729F01002EDB0A83381CF78194183D9
                              Memory Dump Source
                              • Source File: 0000000E.00000002.2286376052.0000000005210000.00000040.00000800.00020000.00000000.sdmp, Offset: 05210000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 64d4b0ea23e70c0b26f667d255d676347bd916e55038986e9f5917e324ccfa4c
                              • Instruction ID: e94cbaf161ed38dc307313758b1debaf3103aa8fffe64d3953dfb70fc533dca3
                              • Opcode Fuzzy Hash: 64d4b0ea23e70c0b26f667d255d676347bd916e55038986e9f5917e324ccfa4c
                              • Instruction Fuzzy Hash: 56D0A713B212261B496C31FE18946BBF1CFCED64A1B4600369E09E7342EC80CC0103F9
                              Memory Dump Source
                              • Source File: 0000000E.00000002.2286376052.0000000005210000.00000040.00000800.00020000.00000000.sdmp, Offset: 05210000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 0c46f2007af13e051dcede04c174e132c19ea6891f664f80d8b5ac3b076ef8a4
                              • Instruction ID: 62057b042e95453e0f57dcfbf1b7d5868d492a643857691ed413c6eb513a32ae
                              • Opcode Fuzzy Hash: 0c46f2007af13e051dcede04c174e132c19ea6891f664f80d8b5ac3b076ef8a4
                              • Instruction Fuzzy Hash: 2CE0C232700615978216B71EA85089F77EBEFC5672310442EE40ACB700DF64EC0287D9
                              Memory Dump Source
                              • Source File: 0000000E.00000002.2286376052.0000000005210000.00000040.00000800.00020000.00000000.sdmp, Offset: 05210000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
                              • Instruction ID: 526ae862017b89b228b7ce08ee78eb0adc4368b2b1377be0d91f0a6dac471325
                              • Opcode Fuzzy Hash: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
                              • Instruction Fuzzy Hash: 95E08631B20018978B08D559D4104DDFBAADFCD221F04847ADD0AA7340DA72591586E9
                              Memory Dump Source
                              • Source File: 0000000E.00000002.2286376052.0000000005210000.00000040.00000800.00020000.00000000.sdmp, Offset: 05210000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 7092c283da917c0876f7fd3787e1506061c20c620897385bd5bd46145267ada0
                              • Instruction ID: ff23e642232488cba1c4b478207e746acfc0bffe671ad51d3e9a6bcae0710d6e
                              • Opcode Fuzzy Hash: 7092c283da917c0876f7fd3787e1506061c20c620897385bd5bd46145267ada0
                              • Instruction Fuzzy Hash: 7DE02630C141088BCF08EBE0E8AE4FE7FB0EE14308B41429CD96382292DA700D86CBC0
                              • String ID:
                              • API String ID:
                              • Opcode ID: c0f0decb608e605a0107bf2fecba61efa2e0f506dca4e87789fb89e00ee91eec
                              • Instruction ID: f15301e3ce48a779dbe8f8da12f6d5870c4de85d19970e66b107df6b613cfbb0
                              • Opcode Fuzzy Hash: c0f0decb608e605a0107bf2fecba61efa2e0f506dca4e87789fb89e00ee91eec
                              • Instruction Fuzzy Hash: A52107B5704240DFCB24DF14D9C0B26BBA5FB84314F24C56DEA4A4B346E336E446CA61
                              Memory Dump Source
                              • Source File: 00000011.00000002.2291721802.0000000005210000.00000040.00000800.00020000.00000000.sdmp, Offset: 05210000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: dee5e38c5594d6facf6a92bc83ea1a681477f732a249365af6cef1433a8e88ec
                              • Instruction ID: 167bb82f8468e6d20baa5cf2db549c8865e2febc46fb1806eff4393b8877a089
                              • Opcode Fuzzy Hash: dee5e38c5594d6facf6a92bc83ea1a681477f732a249365af6cef1433a8e88ec
                              • Instruction Fuzzy Hash: 3821AD709117448EDB60CF6AC08879AFBF2FF98314F28C01ED80DA7245C7746481CB65
                              Memory Dump Source
                              • Source File: 00000011.00000002.2291721802.0000000005210000.00000040.00000800.00020000.00000000.sdmp, Offset: 05210000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 4747952d6bc245ee0a79d5f60413c3a500156d0b577e3d983a89d05d133f8def
                              • Instruction ID: 3778eca4ed56f07c3e9808fb8a629332efef1e2d4c9c0b4e90e13ade2adb1682
                              • Opcode Fuzzy Hash: 4747952d6bc245ee0a79d5f60413c3a500156d0b577e3d983a89d05d133f8def
                              • Instruction Fuzzy Hash: 61112B767001298FCB14DBACE8409EE77F6FFC8265B0440A5E909DB354DB30EC019BA1
                              Memory Dump Source
                              • Source File: 00000011.00000002.2290739762.0000000004D7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D7D000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: b08ff234030906854a45bb6b6e9e44c3427253070cceed9887b7ee92b27ed2b2
                              • Instruction ID: 82ae3bca19a3cb63a5ef4e9d80d99689e6131320b16d6152af6f8fd7b8ac2a75
                              • Opcode Fuzzy Hash: b08ff234030906854a45bb6b6e9e44c3427253070cceed9887b7ee92b27ed2b2
                              • Instruction Fuzzy Hash: 6621CD76544240DFCF16CF10D9C0B16BF72FB88318F24C5ADE9094A656C33AD46ACB91
                              Memory Dump Source
                              • Source File: 00000011.00000002.2291721802.0000000005210000.00000040.00000800.00020000.00000000.sdmp, Offset: 05210000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 6e2926eb11e5f9cc86594ae948d43bf37b9a8f0d306e360f30f90a5de070ae8f
                              • Instruction ID: 7f120756669cf79b7e26a3fbf262f703d66e94329c1cdf461b22eb2e23ad2bf8
                              • Opcode Fuzzy Hash: 6e2926eb11e5f9cc86594ae948d43bf37b9a8f0d306e360f30f90a5de070ae8f
                              • Instruction Fuzzy Hash: 6601D231714114ABC7159A5D98108ABBBEBDFCA26171484ABE8099B380DE716C06C7E9
                              Memory Dump Source
                              • Source File: 00000011.00000002.2290739762.0000000004D7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D7D000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: d1047b0845297ecd245ca1d03b98feea0c0f4fe4553aa178a32f5244b1bc5266
                              • Instruction ID: 3d772516389e5f5efea5424498ef90f2b6f4a8c39de7d42c8523e8613d2ca196
                              • Opcode Fuzzy Hash: d1047b0845297ecd245ca1d03b98feea0c0f4fe4553aa178a32f5244b1bc5266
                              • Instruction Fuzzy Hash: A911DD75604280CFCB21CF14D5C0B15BFA2FB84318F24C6AED9094B756C33AE44ACB61
                              Memory Dump Source
                              • Source File: 00000011.00000002.2291721802.0000000005210000.00000040.00000800.00020000.00000000.sdmp, Offset: 05210000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: f8f49d58718752b4403e33c684173c966421aea29fcde0f2ca4c6fee404fe175
                              • Instruction ID: 8731d9e8b92d063a54c75ab605b39d8ad9f9b88e8815cb4159ea65278a541d0c
                              • Opcode Fuzzy Hash: f8f49d58718752b4403e33c684173c966421aea29fcde0f2ca4c6fee404fe175
                              • Instruction Fuzzy Hash: 21012F717152049FCB11CB78E880ABF7BF9EF8A225B1405ADE88ED7201DA319C05CB64
                              Memory Dump Source
                              • Source File: 00000011.00000002.2291721802.0000000005210000.00000040.00000800.00020000.00000000.sdmp, Offset: 05210000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 3986c010c3dca7168a74c927aa394c798d8245f51912f1e569e658c8a7ea9eeb
                              • Instruction ID: ff2a7cdee11f8ce2be8960bc80dbd67825b6f4f61b79532aad7bb39ee133018f
                              • Opcode Fuzzy Hash: 3986c010c3dca7168a74c927aa394c798d8245f51912f1e569e658c8a7ea9eeb
                              • Instruction Fuzzy Hash: 1B1180316083858FD718DB79D494AAA7FF5EF4A250B1484EED48ACB6A2DB31E845C740
                              Memory Dump Source
                              • Source File: 00000011.00000002.2291721802.0000000005210000.00000040.00000800.00020000.00000000.sdmp, Offset: 05210000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: b526a8ebf8d2d5f04da31665b80cb4687f9145f1a5323732712387d8bfb1eceb
                              • Instruction ID: 9a015a198996890f78a92bce0f19c0557334f2e140179d145b4cde52b69521b1
                              • Opcode Fuzzy Hash: b526a8ebf8d2d5f04da31665b80cb4687f9145f1a5323732712387d8bfb1eceb
                              • Instruction Fuzzy Hash: 0411083560A3949FCB03CF68D8A09EDBFB1EF4A310B0581C6D4559B2A2C7369815CB64
                              Memory Dump Source
                              • Source File: 00000011.00000002.2291721802.0000000005210000.00000040.00000800.00020000.00000000.sdmp, Offset: 05210000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 545de728b226b4720324f7bb8dea88e14a030d65c8f3bbed0a4b45d113b0e96e
                              • Instruction ID: 7b302a73712c8dce6e34c8127c0e2943510426d04a9ba7e898975d41549d1c76
                              • Opcode Fuzzy Hash: 545de728b226b4720324f7bb8dea88e14a030d65c8f3bbed0a4b45d113b0e96e
                              • Instruction Fuzzy Hash: 51111735204750CFC728DF79D08185ABBF6EF8931972089ADD48A8B7A0DB36E841CB50
                              Memory Dump Source
                              • Source File: 00000011.00000002.2291721802.0000000005210000.00000040.00000800.00020000.00000000.sdmp, Offset: 05210000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: fa47bf06f7e850ddf71acae66c5aec9b4162b16fb8e7062802ed90fb3f471b60
                              • Instruction ID: 961b2e2d242c0cb0352fc64f4ef8d90216642f1d624edd74b984d204cee0d470
                              • Opcode Fuzzy Hash: fa47bf06f7e850ddf71acae66c5aec9b4162b16fb8e7062802ed90fb3f471b60
                              • Instruction Fuzzy Hash: 93015235B01214DFDB119B74E808AAEBBF5FF89319F14406DE51AD3292DB31A911CB91
                              Memory Dump Source
                              • Source File: 00000011.00000002.2291721802.0000000005210000.00000040.00000800.00020000.00000000.sdmp, Offset: 05210000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: d5176cfb96702ad0cb0c9e4c6a6d5dc121ff164d6f0b0f64cca3637599647577
                              • Instruction ID: e8d22b55fa31b20fdeeba66fa3167b0695f776657b751c73203a6a923052aa1a
                              • Opcode Fuzzy Hash: d5176cfb96702ad0cb0c9e4c6a6d5dc121ff164d6f0b0f64cca3637599647577
                              • Instruction Fuzzy Hash: 2101D1313092605FD3008A698C909B77FE9EF8A61070440AAF845C73A2CA709C048760
                              Memory Dump Source
                              • Source File: 00000011.00000002.2290739762.0000000004D7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D7D000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 84295d5768cd1590b1be090bb8593d4b351d606b88530bf9f0799c1be422293a
                              • Instruction ID: 8347c8ad1c043330a0079416f08b20420e7d6215098bf0a13623cc53dddde3aa
                              • Opcode Fuzzy Hash: 84295d5768cd1590b1be090bb8593d4b351d606b88530bf9f0799c1be422293a
                              • Instruction Fuzzy Hash: 65012B716043049EE7204E25ECC0B67FF99EF41324F18D41AED484B282E679E841C7B1
                              Memory Dump Source
                              • Source File: 00000011.00000002.2290739762.0000000004D7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D7D000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: d6eab113b08d4168e632af3fa60749169e954c14da20215158dc3c0fd7eb98cc
                              • Instruction ID: 26788ecc816ec5fa6779df8e624e149274e5b8f5b9c24066cefe5e7cde25189f
                              • Opcode Fuzzy Hash: d6eab113b08d4168e632af3fa60749169e954c14da20215158dc3c0fd7eb98cc
                              • Instruction Fuzzy Hash: 61019E7150E3C09EE7128B259894B52BFB4EF53224F1DC0DBE8888F2A3C2695849C772
                              Memory Dump Source
                              • Source File: 00000011.00000002.2291721802.0000000005210000.00000040.00000800.00020000.00000000.sdmp, Offset: 05210000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: e1989f303536dece50d2e6a3a99c1831b2e3fd3804da86fde142e53b5991d32d
                              • Instruction ID: 8b9a94da10bd3b13dcf1738a74f1cd2701bab96e5441c8f265a2cba8bb8ba920
                              • Opcode Fuzzy Hash: e1989f303536dece50d2e6a3a99c1831b2e3fd3804da86fde142e53b5991d32d
                              • Instruction Fuzzy Hash: 20F0A932764114DFCB19D768E4504EDB7E2EFDA32571084BDD81A9B351CB715802CB84
                              Memory Dump Source
                              • Source File: 00000011.00000002.2291721802.0000000005210000.00000040.00000800.00020000.00000000.sdmp, Offset: 05210000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: ce19f9d771cb1a3d06aafc6257b4a5d98299ca0068a6fdb98238a76713ca0cca
                              • Instruction ID: 305827580467a49619a3c503713b130f405c4b0948a3b3843d5b7a0c721d1910
                              • Opcode Fuzzy Hash: ce19f9d771cb1a3d06aafc6257b4a5d98299ca0068a6fdb98238a76713ca0cca
                              • Instruction Fuzzy Hash: 86F046717063005FC7118A69E8849AF7BF9EF8A221B000AAEE48EC3340DE209C458770
                              Memory Dump Source
                              • Source File: 00000011.00000002.2291721802.0000000005210000.00000040.00000800.00020000.00000000.sdmp, Offset: 05210000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 48343767e136ddadb032dd0f2145d5d27ad0f3aefaa75caddcd2d343cccac5c8
                              • Instruction ID: 3faf0337501fc6ad52a225747bef6ace1ba2801404bff6ef8a18c7e75ad05fe0
                              • Opcode Fuzzy Hash: 48343767e136ddadb032dd0f2145d5d27ad0f3aefaa75caddcd2d343cccac5c8
                              • Instruction Fuzzy Hash: 0E0128357042008FD3059B74C0583AB3BA2EFC6318F14409EC9458F396CE353805CBA1
                              Memory Dump Source
                              • Source File: 00000011.00000002.2290739762.0000000004D7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D7D000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: b53b73790adcc2ff9aeb5c8a38fb8cac1d44ff5f06f814d57dcfcb76499335ce
                              • Instruction ID: fb031536f4e4d748b8b6b4bee999c82778da3b09f1e021d8479557826f737531
                              • Opcode Fuzzy Hash: b53b73790adcc2ff9aeb5c8a38fb8cac1d44ff5f06f814d57dcfcb76499335ce
                              • Instruction Fuzzy Hash: A5F0F976600614AF97208F0AD985C23FBAAEFD5770715C55AE84A4B712D771FC42CAA0
                              Memory Dump Source
                              • Source File: 00000011.00000002.2291721802.0000000005210000.00000040.00000800.00020000.00000000.sdmp, Offset: 05210000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 6705cc398d6a3d6e27ae23961546e8fe467c40a3a20bdee709149ace3dc547d6
                              • Instruction ID: d1cad38542d0224625473ea25fb221f3c60bdade1a88550fd0b64cba3833abec
                              • Opcode Fuzzy Hash: 6705cc398d6a3d6e27ae23961546e8fe467c40a3a20bdee709149ace3dc547d6
                              • Instruction Fuzzy Hash: 62F017353192418FC715DB2DD4A48AABBF6EFDA61572940AEE48ACF372CA60DC01DB50
                              Memory Dump Source
                              • Source File: 00000011.00000002.2290739762.0000000004D7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D7D000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 68a4a0209842cb5ff9e77a0461075c762be3ff36961e101a342f510d15799a8c
                              • Instruction ID: 51db84424b83c5f8c5d7a8f47c4610b300f6c0b474170b58c70deed4c8a29b6c
                              • Opcode Fuzzy Hash: 68a4a0209842cb5ff9e77a0461075c762be3ff36961e101a342f510d15799a8c
                              • Instruction Fuzzy Hash: 7BF0F976500A80AFD725CF06C985D23BBBAEFC5664B198489F89A5B712D731FC02CB60
                              Memory Dump Source
                              • Source File: 00000011.00000002.2291721802.0000000005210000.00000040.00000800.00020000.00000000.sdmp, Offset: 05210000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 2ff817e3dcf6bdbe45bba0e2f2d18e7cc662b6d1dd0d6ed886cc82437452c6e0
                              • Instruction ID: 8d424dc77c383512d1b8b156159024a6b21b3e18428bf3d4e253edbc5cf30734
                              • Opcode Fuzzy Hash: 2ff817e3dcf6bdbe45bba0e2f2d18e7cc662b6d1dd0d6ed886cc82437452c6e0
                              • Instruction Fuzzy Hash: EAF0A0717007149FDB149A6AE888A6FB7FAEBC9261B00096DE54ED3340DF30AC4187A4
                              Memory Dump Source
                              • Source File: 00000011.00000002.2291721802.0000000005210000.00000040.00000800.00020000.00000000.sdmp, Offset: 05210000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 73d63ea7a47448b2af938b40cec0b758b4cd72f2deac3a7d3d52e6c7e858b520
                              • Instruction ID: 3fd765c5352404cf4775aff472048b80c20b56aecf84d4623d7de4ec5645ede8
                              • Opcode Fuzzy Hash: 73d63ea7a47448b2af938b40cec0b758b4cd72f2deac3a7d3d52e6c7e858b520
                              • Instruction Fuzzy Hash: 59F0A0353101298FCB109BAC98409AA7BE2FFC925570941A4E90ECB314DF20DC029B91
                              Memory Dump Source
                              • Source File: 00000011.00000002.2291721802.0000000005210000.00000040.00000800.00020000.00000000.sdmp, Offset: 05210000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 4a22de23a3eaf8da12b5d7b46b44b78b148b1b1143bef91e7f3a2acd1b9de377
                              • Instruction ID: 50b15cf3198065f52d8a48c8088ada5a77882da9549e709c7c129725e6aee992
                              • Opcode Fuzzy Hash: 4a22de23a3eaf8da12b5d7b46b44b78b148b1b1143bef91e7f3a2acd1b9de377
                              • Instruction Fuzzy Hash: CEF03A71A093408FE365DBB8D4A87AABBE1EF45314F00489ED55ACB292DB743885CB91
                              Memory Dump Source
                              • Source File: 00000011.00000002.2291721802.0000000005210000.00000040.00000800.00020000.00000000.sdmp, Offset: 05210000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 2c1ed2496157e36018f176df940425a19a3a11b98714b88a828d05b915f15f62
                              • Instruction ID: daaabfbb0959c5b0b332eec321122a42eef57ee7441a4e6204529c41114d8607
                              • Opcode Fuzzy Hash: 2c1ed2496157e36018f176df940425a19a3a11b98714b88a828d05b915f15f62
                              • Instruction Fuzzy Hash: 2FF02035B002048BE304ABA8D04C3AF77A6DFC1319F10812ADA0A87388DE3A2905CBE1
                              Memory Dump Source
                              • Source File: 00000011.00000002.2291721802.0000000005210000.00000040.00000800.00020000.00000000.sdmp, Offset: 05210000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 33f79daa8cb8372402bbe546788d33979298262886d06d2e5ab56d6d539c15da
                              • Instruction ID: 86dad4eafc48cbfa49f46bb77ac1b649b5b62787aa610e904c96df7f0a6ff8f1
                              • Opcode Fuzzy Hash: 33f79daa8cb8372402bbe546788d33979298262886d06d2e5ab56d6d539c15da
                              • Instruction Fuzzy Hash: 05E065353101018F8210AB1DD488C26BBEAEFDE62272900AAE949CB320CA61EC018B94
                              Memory Dump Source
                              • Source File: 00000011.00000002.2291721802.0000000005210000.00000040.00000800.00020000.00000000.sdmp, Offset: 05210000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: ae4b1c69f4a512018de895c8fa53cea90f21d97f8734243abcabe22a2241b6b5
                              • Instruction ID: 01d26263a3732c3ec1ad38b38ad29a6da7209b9f66c7407c8d21b43083fa474d
                              • Opcode Fuzzy Hash: ae4b1c69f4a512018de895c8fa53cea90f21d97f8734243abcabe22a2241b6b5
                              • Instruction Fuzzy Hash: 0FF0A0357082918FD70E6B74946C2AD7BA2EFC6329B05009FD906CB2D2DF742C55C7A5
                              Memory Dump Source
                              • Source File: 00000011.00000002.2291721802.0000000005210000.00000040.00000800.00020000.00000000.sdmp, Offset: 05210000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: e98cb926f49b136a78b38b6637e1caa3449dca4faf3bd021f28713e874d17ffa
                              • Instruction ID: 3028254687b787b3a2a7b28d58178285687a42d35a8b375ade5b6f77d0a4da5f
                              • Opcode Fuzzy Hash: e98cb926f49b136a78b38b6637e1caa3449dca4faf3bd021f28713e874d17ffa
                              • Instruction Fuzzy Hash: D7E0922131D3D51B8716D229A860466BFB79FD752030880FAE485CF392DE12580683D4
                              Memory Dump Source
                              • Source File: 00000011.00000002.2291721802.0000000005210000.00000040.00000800.00020000.00000000.sdmp, Offset: 05210000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: dd66e2c0d3908e7d25270a36731c01141f2ec1a406ee9801111773d43fd39bfd
                              • Instruction ID: cc144d889669c692217418683f26b1bb1613fff5f262077a1e1e92764817bdc5
                              • Opcode Fuzzy Hash: dd66e2c0d3908e7d25270a36731c01141f2ec1a406ee9801111773d43fd39bfd
                              • Instruction Fuzzy Hash: 31E05B1772516227455C31FA18E46B7B5CF8DD6496B450175EE09D7341ED50CC0643F9
                              Memory Dump Source
                              • Source File: 00000011.00000002.2291721802.0000000005210000.00000040.00000800.00020000.00000000.sdmp, Offset: 05210000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: e15f8a289a7bab46d8c8c35dbdc28a711f7969361e3ba614529328165230a2f6
                              • Instruction ID: c0a52aa5d90f537a647d8ff61576125b0b1c88a6663f35f6ee169eec54bad00d
                              • Opcode Fuzzy Hash: e15f8a289a7bab46d8c8c35dbdc28a711f7969361e3ba614529328165230a2f6
                              • Instruction Fuzzy Hash: 43F0ED70A003049FE7649BB9D49C79B7BE5FB44314F00446DD95ED7380DB356880CB90
                              Memory Dump Source
                              • Source File: 00000011.00000002.2291721802.0000000005210000.00000040.00000800.00020000.00000000.sdmp, Offset: 05210000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 33a9fbaa06a45580e45afb8d00255c184c3ca54057e455deb456b8be97fb9dca
                              • Instruction ID: 7e2ed67fd13e878b3072c1a045eef576f59853b16710d6906da00a84c589cc52
                              • Opcode Fuzzy Hash: 33a9fbaa06a45580e45afb8d00255c184c3ca54057e455deb456b8be97fb9dca
                              • Instruction Fuzzy Hash: 74E0263530421487DB0D3775A40C2AE7A96EBC4728F04002FDA0AC3381DF782C1183E9
                              Memory Dump Source
                              • Source File: 00000011.00000002.2291721802.0000000005210000.00000040.00000800.00020000.00000000.sdmp, Offset: 05210000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 404f9f8541f17fc494815b97a0608c502a8138da42ce9aec3bbb90f6b5c0f2d5
                              • Instruction ID: 8cf16f93371a698bf3f066fd0ddab06f280c9f98baf5813c8c36d8cb704263d3
                              • Opcode Fuzzy Hash: 404f9f8541f17fc494815b97a0608c502a8138da42ce9aec3bbb90f6b5c0f2d5
                              • Instruction Fuzzy Hash: 70D05E1372212227056C31BA18986BBA1CE8ED64A2B450136EE09D3241ED50CC0203F9
                              Memory Dump Source
                              • Source File: 00000011.00000002.2291721802.0000000005210000.00000040.00000800.00020000.00000000.sdmp, Offset: 05210000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 329d78274bcb24c70e78c906356a17360cb69460b3507553664a0bf25cd93157
                              • Instruction ID: beb13121089ad19ce32e659142de90ff97ee73edfade2759fbb0639371b581f3
                              • Opcode Fuzzy Hash: 329d78274bcb24c70e78c906356a17360cb69460b3507553664a0bf25cd93157
                              • Instruction Fuzzy Hash: FEE0C272300615A78326A61EA81089FB7EBEFC4671354492EE409C7380DE68EC0287E9
                              Memory Dump Source
                              • Source File: 00000011.00000002.2291721802.0000000005210000.00000040.00000800.00020000.00000000.sdmp, Offset: 05210000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
                              • Instruction ID: 3d60b724cdb88c77a7e5c53a3c4e575df06ea65adc14bdc6cc2f80505f058d77
                              • Opcode Fuzzy Hash: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
                              • Instruction Fuzzy Hash: E7E08631B10014D78B08D599D4504D9F7E6DFCC221F04847EDD0AA7340DA7269168699
                              Memory Dump Source
                              • Source File: 00000011.00000002.2291721802.0000000005210000.00000040.00000800.00020000.00000000.sdmp, Offset: 05210000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: fb99b34f4e81424620b33b935f0a8aa43b1f79de3021fa873d276d76bfe73716
                              • Instruction ID: 4be830e4222ed3c008752059844152f173da00570855047799b90716801f9571
                              • Opcode Fuzzy Hash: fb99b34f4e81424620b33b935f0a8aa43b1f79de3021fa873d276d76bfe73716
                              • Instruction Fuzzy Hash: 4EE01A30804149CFCB19EFA4E8698FABF70EB5A305B4041ADD957972D2DB301946CBC4
                              Memory Dump Source
                              • Source File: 00000011.00000002.2291721802.0000000005210000.00000040.00000800.00020000.00000000.sdmp, Offset: 05210000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: be218e0d7292a8be005f5c0822a894ed231efcf5d062d31684421783b15574c6
                              • Instruction ID: b1c7dace96275a16daa87f8251b04637e3874904279617d05e92ba32a0c53f36
                              • Opcode Fuzzy Hash: be218e0d7292a8be005f5c0822a894ed231efcf5d062d31684421783b15574c6
                              • Instruction Fuzzy Hash: 51E0EC71D41209AF8784DFB899425AEFFF4EF59200B2085ABCD19D3202FA3296128BD1
                              Memory Dump Source
                              • Source File: 00000011.00000002.2291721802.0000000005210000.00000040.00000800.00020000.00000000.sdmp, Offset: 05210000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 3b10142ece735fed8dd9aea1d427801757dc2345d833f7aa5a385a1f6376b30a
                              • Instruction ID: 7b70f19f7f0e67f3339c2673610fd2088ffa0ce3ba7956a57591396b30a66990
                              • Opcode Fuzzy Hash: 3b10142ece735fed8dd9aea1d427801757dc2345d833f7aa5a385a1f6376b30a
                              • Instruction Fuzzy Hash: 86E01A31A092468FD758DF64E09547ABBB2EF89205B044199D9469B391EB306840CF80
                              Memory Dump Source
                              • Source File: 00000011.00000002.2291721802.0000000005210000.00000040.00000800.00020000.00000000.sdmp, Offset: 05210000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
                              • Instruction ID: 68f20c32cf261b561700650fcef91a54a6bdbf4eeef3e67188236d76a58466bf
                              • Opcode Fuzzy Hash: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
                              • Instruction Fuzzy Hash: 21D067B0D142099F8780EFADC94156EFBF4EF58200F6085AA8919E7301F7729A12CBD5
                              Memory Dump Source
                              • Source File: 00000011.00000002.2291721802.0000000005210000.00000040.00000800.00020000.00000000.sdmp, Offset: 05210000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 83a21d2ab85e2d5ed694099e94e2a15be18b7603732db40f47e1598feac203c4
                              • Instruction ID: 3d282c5655049160e6a7b7802fc76bbaa3b34942f7f11c079dca2591f7b1bd0a
                              • Opcode Fuzzy Hash: 83a21d2ab85e2d5ed694099e94e2a15be18b7603732db40f47e1598feac203c4
                              • Instruction Fuzzy Hash: 34D067358141098BDB18EBA4E85A4FEBB74FA14305F40416DD927525D1EB311A5ACBC5
                              Memory Dump Source
                              • Source File: 00000011.00000002.2291721802.0000000005210000.00000040.00000800.00020000.00000000.sdmp, Offset: 05210000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 66aebaf43a8ef11412caec824e92bafb11f7fac02d1c9376386ca5b7ae988605
                              • Instruction ID: 934777406297fb540791a9f599556e471131834bbf2366b33dbb5e76b831afa0
                              • Opcode Fuzzy Hash: 66aebaf43a8ef11412caec824e92bafb11f7fac02d1c9376386ca5b7ae988605
                              • Instruction Fuzzy Hash: 1ED0A93428E3808FCB064B3098998843F30EE6320930A14CED8478B6B3C6A2C40DCB12
                              Memory Dump Source
                              • Source File: 00000011.00000002.2291721802.0000000005210000.00000040.00000800.00020000.00000000.sdmp, Offset: 05210000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 5503447736cff333a3d9ec4699b02c01f8b0ff62e153a7b6202beec038609a6f
                              • Instruction ID: 48ce85447c7659084a3ccd824fd3f630c76f6ac6bf9066f3fad196c22e920e33
                              • Opcode Fuzzy Hash: 5503447736cff333a3d9ec4699b02c01f8b0ff62e153a7b6202beec038609a6f
                              • Instruction Fuzzy Hash: 74D01730A0820A8B8B18EFA4E48A87EBBB5EB44305F004169DE0A93380EB306901CFC1
                              Memory Dump Source
                              • Source File: 00000011.00000002.2291721802.0000000005210000.00000040.00000800.00020000.00000000.sdmp, Offset: 05210000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 77e0627c42093617b9f77fe2e15e6d2409deaba1ce821b27465d1d599ae952df
                              • Instruction ID: bbb0f7596790ae147d053346218928513acd1cdeb15f965602d1264b1567b33b
                              • Opcode Fuzzy Hash: 77e0627c42093617b9f77fe2e15e6d2409deaba1ce821b27465d1d599ae952df
                              • Instruction Fuzzy Hash: 03C02B41F2F3800FEF0282310C25104BF70446310134F13C2C840DB1A2D8148801C3A1
                              Memory Dump Source
                              • Source File: 00000011.00000002.2291721802.0000000005210000.00000040.00000800.00020000.00000000.sdmp, Offset: 05210000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 67050f3edac70c0dacb546e821b5a0343c34016c49f6d0d3e70a4836c4f631be
                              • Instruction ID: b0362443589d6c46a9554b0012334a1297afadaaf2525fd505eb58b6ac389dac
                              • Opcode Fuzzy Hash: 67050f3edac70c0dacb546e821b5a0343c34016c49f6d0d3e70a4836c4f631be
                              • Instruction Fuzzy Hash: 3CB092311447088FC2486F76A409914732DAB4061538004E8E80E0A2A68F76E884CA44
                              Strings
                              Memory Dump Source
                              • Source File: 00000011.00000002.2355515751.0000000007CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CA0000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID: 4'fq$4'fq$tPfq$tPfq$$fq$$fq$$fq$$fq
                              • API String ID: 0-3165298016
                              • Opcode ID: 8ef9f61fb36ddb8c65e75cbb2c19c10b41168c2964e8ad7d7ddfb41234410cbd
                              • Instruction ID: e41870b77f7ed5ec75b273951dee593047ad5525ae393a8e7c2e96f151462df9
                              • Opcode Fuzzy Hash: 8ef9f61fb36ddb8c65e75cbb2c19c10b41168c2964e8ad7d7ddfb41234410cbd
                              • Instruction Fuzzy Hash: 44A19CB1704397AFC7118BB99861767BFF6AFC621AF14806BD845CB291CA31CD81C362
                              Strings
                              Memory Dump Source
                              • Source File: 00000011.00000002.2291721802.0000000005210000.00000040.00000800.00020000.00000000.sdmp, Offset: 05210000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID: ,jq$0omp$$fq$$fq$$fq$$fq$$fq$$fq
                              • API String ID: 0-3782670052
                              • Opcode ID: 7509d4e3f149f4cc0a0d6c18199d136deca3076d5dbd96e90af27a24a3211a94
                              • Instruction ID: 66b51c1520f0cb7ce0f8881c69fb84b617bf0e33a4eed01d5d9c9e2be7b976ac
                              • Opcode Fuzzy Hash: 7509d4e3f149f4cc0a0d6c18199d136deca3076d5dbd96e90af27a24a3211a94
                              • Instruction Fuzzy Hash: CF41C5617244058FC729AB798C9593E3FEF7F9DB8431214AADC26CB3A2DE10CC408356
                              Strings
                              Memory Dump Source
                              • Source File: 00000011.00000002.2291721802.0000000005210000.00000040.00000800.00020000.00000000.sdmp, Offset: 05210000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID: 0omp$0omp$0omp$`Qfq$$fq$$fq$$fq
                              • API String ID: 0-4019838557
                              • Opcode ID: fc2cf66c798e4b820a5f8762414066144c7e5963768ed9890fe6ac7a8a217027
                              • Instruction ID: 0e13e1854096344aa65838a5da481e2632462ec1819b8998db7629a17fd7b2f1
                              • Opcode Fuzzy Hash: fc2cf66c798e4b820a5f8762414066144c7e5963768ed9890fe6ac7a8a217027
                              • Instruction Fuzzy Hash: CBE1F5307201118FDB14ABBD895463F77EBAFD9A14B2544AADC1ACF3A1EE70DC0187A5
                              Strings
                              Memory Dump Source
                              • Source File: 00000011.00000002.2355515751.0000000007CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CA0000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID: 4'fq$4'fq$84l$84l$tPfq$tPfq
                              • API String ID: 0-4043812814
                              • Opcode ID: 1d6458fc4e16062259fedefc103d66a6eb55ce394ed8fbdc2e0fcf520d936341
                              • Instruction ID: 2ee32a33210a33c0b04dfeee6e51b0e1b8278c2b3b4da49c40592409d7fb50c7
                              • Opcode Fuzzy Hash: 1d6458fc4e16062259fedefc103d66a6eb55ce394ed8fbdc2e0fcf520d936341
                              • Instruction Fuzzy Hash: 6A512CB1B0425BAFC7214A6D8881667FBB6AFC531AF18C0BBD6559F241CF31D941C392
                              Strings
                              Memory Dump Source
                              • Source File: 00000011.00000002.2355515751.0000000007CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CA0000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID: 4'fq$4'fq$tPfq$tPfq
                              • API String ID: 0-2816350295
                              • Opcode ID: b658d37b1a5f099ec8cc81a551b3545f2602cdefff950c41e780a90d4b71ae53
                              • Instruction ID: 39717725da5eb77bf73c79b206f5f877c095f3bed736823a244469af7ce8f830
                              • Opcode Fuzzy Hash: b658d37b1a5f099ec8cc81a551b3545f2602cdefff950c41e780a90d4b71ae53
                              • Instruction Fuzzy Hash: 4A713AF1B04397AFCB188B6D848176ABBE69FC631AF14C06AD509CB241DF71DA41C791
                              Strings
                              Memory Dump Source
                              • Source File: 00000011.00000002.2291721802.0000000005210000.00000040.00000800.00020000.00000000.sdmp, Offset: 05210000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID: `gq$`gq$`gq$`gq
                              • API String ID: 0-3352594996
                              • Opcode ID: c2d00e8b7bcf930727ac5b90dd7f99845778db1a9de1283a8962c654e52e869b
                              • Instruction ID: ec344093188b6af01147786eecf82ba59ff9ca397ed2f39beedcde371897b544
                              • Opcode Fuzzy Hash: c2d00e8b7bcf930727ac5b90dd7f99845778db1a9de1283a8962c654e52e869b
                              • Instruction Fuzzy Hash: 17B1CA74E002099FDB45DFA9D980A9EFBF2FF88304F148629D819AB354DB30A945CF90
                              Strings
                              Memory Dump Source
                              • Source File: 00000011.00000002.2291721802.0000000005210000.00000040.00000800.00020000.00000000.sdmp, Offset: 05210000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID: `gq$`gq$`gq$`gq
                              • API String ID: 0-3352594996
                              • Opcode ID: a3b8d1fdc77a5737ee8d972d502a866659eb8e11c91829d815d54caa1e23b2af
                              • Instruction ID: 866f85c48cd6fc6aa985b73fbfaa1bb83f751e447ab3a2e12410383c601756b9
                              • Opcode Fuzzy Hash: a3b8d1fdc77a5737ee8d972d502a866659eb8e11c91829d815d54caa1e23b2af
                              • Instruction Fuzzy Hash: 67B1A974E002099FDB54DFA9D590A9EFBF2FF88304F148629E819AB354DB70A945CF90
                              Strings
                              Memory Dump Source
                              • Source File: 00000011.00000002.2355515751.0000000007CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CA0000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID: $fq$$fq$$fq$$fq
                              • API String ID: 0-2113499236
                              • Opcode ID: 55d6ca8f679dc68697966ec2ba58e0e9ce1f52d8eb4f6ed22d5355808f6aa4f1
                              • Instruction ID: 3214e41e2b34fcdcb29922e6ebfdde404cf0a9b019b6a4f56037874ec5f6ce46
                              • Opcode Fuzzy Hash: 55d6ca8f679dc68697966ec2ba58e0e9ce1f52d8eb4f6ed22d5355808f6aa4f1
                              • Instruction Fuzzy Hash: BA2137F2710303BBDB24997EA840727B7DAABC071AF24C42AA905DB681DE35C9518362
                              Strings
                              Memory Dump Source
                              • Source File: 00000011.00000002.2355515751.0000000007CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CA0000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID: 4'fq$4'fq$$fq$$fq
                              • API String ID: 0-2206495126
                              • Opcode ID: dc0e0c17a3c3a22bc5842706c1854e34eaf7eef15450f772ff9de4afcb001ed4
                              • Instruction ID: f2f7e4369b5b68063a555647113479eb3fe3e92af06e1822c36701fdb73a93f8
                              • Opcode Fuzzy Hash: dc0e0c17a3c3a22bc5842706c1854e34eaf7eef15450f772ff9de4afcb001ed4
                              • Instruction Fuzzy Hash: 8DF059B1B0211B67CB38156C18102BBAB97AFC16AAB24416EC4118BB80DE51CCC243D7
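The records above are the raw per-function index of the disassembly listing: one block per function, each naming the memory dump it was recovered from, the fuzzy hashes over its opcodes and instructions, and, for the blocks headed "Strings", the string references the function touches. To make them searchable rather than scrolled, the following added example (written for this page, not code from Joe Sandbox) parses the listing into rows, checks the rows for the invariants visible in it, and flags functions whose Instruction Fuzzy Hashes differ in only a few positions. Two assumptions are labelled in the code: that the fourth dotted field of the `.sdmp` name is the dump's base address (on this page it always equals the reported Offset), and that a positional mismatch count between two hashes is a usable nearness heuristic; Joe Sandbox's own similarity metric is not described on the page. The sample input is four records copied from the listing, including the two functions sharing the String ID `` `gq$`gq$`gq$`gq `` whose hashes differ in nine of seventy positions.

```python
"""Parse the per-function 'Memory Dump Source' records of a Joe Sandbox
disassembly listing into structured rows, check them for consistency and
flag near-duplicate functions by comparing Instruction Fuzzy Hashes.

Added example, not part of the Joe Sandbox report. The Hamming comparison is
a heuristic of this example, not Joe Sandbox's own similarity metric.
"""
import re
from collections import Counter

# Four records copied from the listing above (not constructed).
SAMPLE = """\
Memory Dump Source
• Source File: 00000011.00000002.2291721802.0000000005210000.00000040.00000800.00020000.00000000.sdmp, Offset: 05210000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 67050f3edac70c0dacb546e821b5a0343c34016c49f6d0d3e70a4836c4f631be
• Instruction ID: b0362443589d6c46a9554b0012334a1297afadaaf2525fd505eb58b6ac389dac
• Opcode Fuzzy Hash: 67050f3edac70c0dacb546e821b5a0343c34016c49f6d0d3e70a4836c4f631be
• Instruction Fuzzy Hash: 3CB092311447088FC2486F76A409914732DAB4061538004E8E80E0A2A68F76E884CA44
Strings
Memory Dump Source
• Source File: 00000011.00000002.2355515751.0000000007CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CA0000, based on PE: false
Similarity
• API ID:
• String ID: 4'fq$4'fq$tPfq$tPfq$$fq$$fq$$fq$$fq
• API String ID: 0-3165298016
• Opcode ID: 8ef9f61fb36ddb8c65e75cbb2c19c10b41168c2964e8ad7d7ddfb41234410cbd
• Instruction ID: e41870b77f7ed5ec75b273951dee593047ad5525ae393a8e7c2e96f151462df9
• Opcode Fuzzy Hash: 8ef9f61fb36ddb8c65e75cbb2c19c10b41168c2964e8ad7d7ddfb41234410cbd
• Instruction Fuzzy Hash: 44A19CB1704397AFC7118BB99861767BFF6AFC621AF14806BD845CB291CA31CD81C362
Strings
Memory Dump Source
• Source File: 00000011.00000002.2291721802.0000000005210000.00000040.00000800.00020000.00000000.sdmp, Offset: 05210000, based on PE: false
Similarity
• API ID:
• String ID: `gq$`gq$`gq$`gq
• API String ID: 0-3352594996
• Opcode ID: c2d00e8b7bcf930727ac5b90dd7f99845778db1a9de1283a8962c654e52e869b
• Instruction ID: ec344093188b6af01147786eecf82ba59ff9ca397ed2f39beedcde371897b544
• Opcode Fuzzy Hash: c2d00e8b7bcf930727ac5b90dd7f99845778db1a9de1283a8962c654e52e869b
• Instruction Fuzzy Hash: 17B1CA74E002099FDB45DFA9D980A9EFBF2FF88304F148629D819AB354DB30A945CF90
Strings
Memory Dump Source
• Source File: 00000011.00000002.2291721802.0000000005210000.00000040.00000800.00020000.00000000.sdmp, Offset: 05210000, based on PE: false
Similarity
• API ID:
• String ID: `gq$`gq$`gq$`gq
• API String ID: 0-3352594996
• Opcode ID: a3b8d1fdc77a5737ee8d972d502a866659eb8e11c91829d815d54caa1e23b2af
• Instruction ID: 866f85c48cd6fc6aa985b73fbfaa1bb83f751e447ab3a2e12410383c601756b9
• Opcode Fuzzy Hash: a3b8d1fdc77a5737ee8d972d502a866659eb8e11c91829d815d54caa1e23b2af
• Instruction Fuzzy Hash: 67B1A974E002099FDB54DFA9D590A9EFBF2FF88304F148629E819AB354DB70A945CF90
"""

SOURCE_RE = re.compile(
    r"Source File:\s*(\S+?),\s*Offset:\s*([0-9A-Fa-f]+),\s*based on PE:\s*(\w+)"
)


def parse_records(text):
    """Return one dict per function record; keys are the bullet labels."""
    records, cur, pending_strings = [], None, False
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        if line == "Strings":
            pending_strings = True  # 'Strings' precedes the record it belongs to
            continue
        if line == "Memory Dump Source":
            cur = {"has_strings": pending_strings}
            pending_strings = False
            records.append(cur)
            continue
        if line == "Similarity" or not line:
            continue
        m = SOURCE_RE.search(line)
        if m:
            if cur is None:  # excerpt that starts mid-record, as this page does
                cur = {"has_strings": pending_strings}
                pending_strings = False
                records.append(cur)
            cur["source_file"] = m.group(1)
            cur["offset"] = int(m.group(2), 16)
            cur["based_on_pe"] = m.group(3).lower() == "true"
            continue
        if cur is not None and ":" in line:
            key, _, val = line.partition(":")
            cur[key.strip().lower().replace(" ", "_")] = val.strip()
    return records


def dump_base(source_file):
    """Base address from the 4th dotted field of the .sdmp name (assumption
    drawn from this page, where that field always equals the Offset)."""
    return int(source_file.split(".")[3], 16)


def consistency_issues(records):
    """Invariants every record on the page satisfies; a violation means the
    listing was truncated or mis-parsed."""
    issues = []
    for i, r in enumerate(records):
        if dump_base(r["source_file"]) != r["offset"]:
            issues.append((i, "offset does not match dump base address"))
        if r.get("opcode_id") != r.get("opcode_fuzzy_hash"):
            issues.append((i, "Opcode ID differs from Opcode Fuzzy Hash"))
        if r["has_strings"] != bool(r.get("string_id")):
            issues.append((i, "'Strings' flag disagrees with String ID field"))
    return issues


def hamming(a, b):
    """Positional mismatch count between two equal-length hex hashes."""
    if len(a) != len(b):
        raise ValueError("fuzzy hashes of different length are not comparable")
    return sum(x != y for x, y in zip(a, b))


def near_duplicates(records, max_distance=12):
    """Index pairs whose Instruction Fuzzy Hashes differ in at most
    max_distance positions (heuristic, see module docstring)."""
    pairs = []
    for i in range(len(records)):
        for j in range(i + 1, len(records)):
            hi = records[i]["instruction_fuzzy_hash"]
            hj = records[j]["instruction_fuzzy_hash"]
            if len(hi) == len(hj) and hamming(hi, hj) <= max_distance:
                pairs.append((i, j))
    return pairs


def functions_per_dump(records):
    """Function count per memory dump, to see which region is code-heavy."""
    return Counter(r["source_file"] for r in records)


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    print(len(recs), "records;", consistency_issues(recs) or "no inconsistencies")
    for name, n in functions_per_dump(recs).items():
        print(f"{n} function(s) in {name}")
    for i, j in near_duplicates(recs):
        d = hamming(recs[i]["instruction_fuzzy_hash"], recs[j]["instruction_fuzzy_hash"])
        print(f"records {i} and {j} differ in {d} positions, String ID {recs[i]['string_id']!r}")
```

Run it against the full listing (paste the records into `SAMPLE` or read them from a file) to group functions by dump and to pull out the pairs that share a String ID and a near-identical instruction hash, which on this page are the candidates for a single routine copied into two places. Records from dumps of different sizes are simply not compared, since a positional distance between hashes of different length is meaningless.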